Italy’s digital bureaucracy just got a backdoor, and nobody’s quite sure who holds the keys. The Garante per la Protezione dei Dati Personali (Data Protection Authority) has greenlit a system allowing citizens to delegate their SPID (Public Digital Identity System) access to up to two trusted persons. On paper, this solves a genuine problem: your 85-year-old nonna (grandmother) can finally get her pension paperwork sorted without wrestling with two-factor authentication. In practice, we’ve just built a fraud infrastructure with legal cover.

The two-person limit isn’t arbitrary. It reflects a bureaucratic compromise between accessibility and control. But it also creates a structural vulnerability: multiple access vectors for the same identity.

Consider the threat model. Previously, compromising an elderly person’s digital identity required either technical sophistication (phishing, malware) or physical access (stealing their phone, coercing their PIN). The new system adds social engineering at the relationship level. Convince someone to delegate you, and you gain legitimate, logged, auditable access that bypasses most fraud detection systems.

The real-world phishing examples we’ve documented show how attackers already exploit trust relationships. A caller impersonating a bank security officer extracts credentials through urgency and authority. Now imagine that same approach applied to delegation: “Signora, I’m from the Comune (Municipality), your daughter asked me to help set up her delegation for your pension, but we need to verify your SPID first…”

The impersonation fraud risks targeting retirement savings demonstrate how effectively criminals exploit generational digital divides. The delegation system, designed to bridge that divide, may inadvertently professionalize the exploitation.

Defenders of the system point to genuine necessity. Italy’s population is aging rapidly, and digital exclusion creates real hardship. An 80-year-old with mobility issues faces impossible choices: drag themselves to government offices, surrender their credentials to family members (currently the common, opaque practice), or simply abandon claims to benefits they’re entitled to receive.

The delegation system formalizes what already happens informally. It creates audit trails. It establishes clear scope limitations. From this perspective, the privacy authority’s approval represents not recklessness but pragmatic recognition of lived reality.

Yet this argument concedes the core problem: Italy’s digital infrastructure remains inaccessible to the very population most dependent on public services. Rather than fixing the accessibility failure, simplified interfaces, phone-based authentication, human support, the solution outsources the burden to informal caregivers, with all the relationship dynamics and power imbalances that entails.

One informed observer characterized the delegation mechanism as “the famous quick fix that creates technical debt and vulnerabilities.” The architecture delegates identity itself rather than delegating within specific institutional contexts.

Compare with existing systems. The Agenzia delle Entrate (Revenue Agency) and INPS (National Social Security Institute) already offer internal delegation mechanisms. You authenticate as yourself, with delegated authority for a specific account. The new platform inverts this: the delegate authenticates as themselves, then switches context to operate on another’s behalf.

This distinction has security implications. Institutional delegations maintain clear identity boundaries. The new system blurs them, creating sessions where actions are technically attributable to the delegate but legally consequential for the delegator. Dispute resolution becomes complex: “My son made that transfer” versus “Your authenticated session authorized that transfer.”

The delegation platform must be operational by June 2026 under PNRR commitments. IT Wallet integration follows, with full digital document deployment by February 2027. These deadlines create implementation pressure that typically correlates with security shortcuts.

The Garante Privacy’s favorable opinion includes a crucial reservation: the authority retains right to assess concrete data processing once the platform is operational. This is regulatory hedging. The approval covers design principles, not operational reality. If fraud materializes at scale, the authority can retrospectively impose conditions or sanctions.

But retrospective protection offers cold comfort to victims. The Aldilapp precedent, where the same authority sanctioned a cemetery management app €6,000 for automatically creating digital profiles of deceased persons from municipal databases, shows how innovation outpaces privacy protection. The delegation platform operates at vastly greater scale and sensitivity.

Skeptics of fraud concerns sometimes argue that malicious family members will find ways to exploit elderly relatives regardless of formal systems. This misses the structural change: legitimization. Previously, a family member accessing a parent’s account required credential sharing, clearly problematic and often detectable. Delegation creates socially approved, technically supported access that normalizes what might otherwise trigger security alerts.

The “nothing to hide” framing also ignores power dynamics within families. Financial abuse of elderly persons frequently involves trusted relatives. Delegation creates no mechanisms for detecting coercion, no requirements for independent verification of the delegator’s understanding, no cooling-off periods for high-risk authorizations.

The system’s defenders counter that alternatives, continued credential sharing, or complete digital exclusion, are worse. This may be true. But it frames the debate incorrectly, as a choice between bad options rather than a demand for better design.

Missing from public discussion: why two delegates? The number appears designed for household coverage, perhaps a spouse and adult child, or two children sharing care responsibilities. But it also enables coordination risks. Two delegates with shared access can collude, or be separately compromised, or create confusion about who authorized what action.

More fundamentally, the two-delegate limit assumes stable, trustworthy relationships. It doesn’t accommodate delegated access for specific purposes (tax season only), temporary delegations (during hospitalization), or revocable mandates with automatic expiration. The system appears designed for permanent, comprehensive delegation, precisely the pattern most vulnerable to abuse.

If you or family members might use this system, several protective measures deserve consideration:

• Scope limitation by default. Delegations should specify narrow purposes where possible, though current technical specifications suggest this granularity may not be implemented initially.
• Regular audit of delegate activity. The platform promises activity logging, delegators must actually review these logs, a behavioral challenge given the system’s target demographic.
• Separation of delegates. Where possible, avoid delegating to household members who might face common pressures or coercion.
• Parallel institutional notification. For significant delegations, consider informing relevant institutions (bank, pension provider) of the arrangement, creating external monitoring.

Most importantly: treat delegation as seriously as power of attorney, because functionally it approaches equivalent access to government and financial systems.

Italy’s delegation experiment reflects a global challenge. Digital identity systems designed for capable, autonomous users must accommodate populations that don’t fit that model, through age, disability, or circumstance. Every solution involves tradeoffs between autonomy and protection, accessibility and security.

The SPID delegation system tilts toward accessibility, perhaps excessively. The two-delegate provision, the exclusion of professional intermediaries, the compressed implementation timeline, all suggest prioritization of inclusion metrics over risk mitigation.

Whether this balance proves sustainable depends on fraud incidence in early deployment. The Garante Privacy’s reserved assessment rights create regulatory flexibility. But flexibility after harm is cold comfort. The test will come when, not if, the first major delegation-related fraud case emerges, and whether institutional response preserves system viability or triggers restrictive overcorrection.

For now, Italian families face a familiar digital-age dilemma: adopting convenience that carries poorly understood risks, or maintaining exclusion that carries certain costs. The delegation platform doesn’t resolve this tension. It merely relocates it, from the interface design to the family dinner table, where trust decisions carry new technical consequences.