About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


Still practising

By Dave Birch posted Feb 15 2008 at 9:13 AM

[Dave Birch] I went to a European Commission "epractice" seminar to share best practice about electronic identity -- and in particular the interoperability thereof -- in Europe. Consult Hyperion have been doing a lot of work in this area -- we were commissioned by the EU to study identity interoperability last year -- and so I thought it would be very useful to come along and exchange ideas. It was gratifying to discover that the conclusion of our work for the Commission was congruent with the findings of all of the other studies for the Commission: not only is there no interoperability whatsoever at a European level, there's precious little of it at the local level either (i.e., you can't use your HMRC login to log on to DVLA and so on). There were some studies that have gone down another level, and they discovered that one of the reasons for the lack of interoperability is that none of the European identity schemes are using a standard-based approach (with the exception of SAML that is being used in a small number of schemes).

It was quite well-attended (there must have been more than 40 people there) and while there were a few familiar faces, I enjoyed the opportunity to listen to some new (to me) perspectives. One of the points made at the beginning was, I think, key not only at the international level but at the national level too. It was that the focus should be on interoperability rather than harmonisation. There is no need for everyone to use the same identity management scheme, identity cards, identifiers and all the rest of it. Hence one of the ways forward is to imagine a set of technology-neutral national gateways and interconnect through those gateways.

In the afternoon I went into the breakout to discuss mobile e-identity, which I'm becoming increasingly enthusiastic about. The reasoning is that in order to make some form of electronic identity useful to citizens, it has to do some interesting things. But a card can't do any interesting things, whereas mobile phones can and -- and I think this is central to the discussion looking forward two or three years -- what's the point in issuing another smart card when the entire population has a mobile phone already?

Three case studies were presented: Spain, Belgium and Estonia.

Miguel Alvarez Rodriguez presented a case study from Spain on the PKI platform for electronic identity and digital signature services. Spain had digital signature laws in place fairly early on, and quite a few CAs popped up. But the interconnection of CAs, relying parties and individuals was so complex that no working infrastructure grew up. Then along came the ID card. The Spanish smart ID card (which is run by the police, essentially) has two digital certificates on board, one for authentication and one for signing. The roll-out began in March 2006 and so far more than three million people have obtained the smart cards. There are also two million digital certificates issued to both individuals and businesses, although usage is still quite low. The Ministry of Public Administration has set up a multi-PKI Validation Platform (MPVP) that provides free services for e-government applications that use either the ID card certificates or the other certificates: in particular, it provides verification of digital signatures. There's apparently an e-government law in Spain that says that by 2010, citizens should be able to access all public services online and this is quite a driver for the MPVP. It did sound to me as if the MPVP might be something of a weak link in the national infrastructure but, of course, I was too polite to say this. Anyway, there are 150 e-government applications online and there have been six million verifications to date. The first private sector applications (using the combination of the ID card and the MPVP) are now emerging and apparently one bank now allows citizens to use their ID card in the bank's ATMs.

Jonathan Soldati presented a case study from Belgium on accessing personal data in a national identity register. The Ministry of Home Affairs has developed an application called "My File" which allows citizens to access their personal data stored in the Belgian National Register over the Internet using their PCs with attached smart card readers. Interestingly, it also allows citizens to see who has accessed their data for the last six months. One of the important lessons was that providing a mechanism for citizens to correct data increased trust in the system overall. Now, I'm against storing any data in this kind of national register, but if you are going to do it, then delivering transparency by providing for citizens to manage that data themselves (albeit in a limited way) is critical in obtaining public acceptance, which is why I'm sure the Home Office and their management consultants have developed a similar system in the U.K. In Belgium, about 80,000 people per month access their register entry online through this service.

Forum friend Tarvi Martens presented a case study from Estonia on population-scale identity cards. This had been updated from the original case study that Tarvi kindly contributed to both the Digital Identity Forum and Digital Identity Management. The first card was issued back in 2002 and by October 2006 there were a million cards in circulation. Estonia has been an interesting case study for a while, and the trajectory of their scheme delivers a number of useful lessons. Unusually amongst ID cards, the principal use of the Estonian card is as a transit card in Tallinn (120,000 people every day use their card for this) and as a travel document. The big change since I spoke to Tarvi last time is that the largest GSM operator (EMT) began adding the national PKI application to SIM cards back in March 2007. Usage is still low, as there's a lot of customer education to do, but it may be that the mobile eID is the way forward. I have to say there's a lot in their approach: as Ian Grigg noted:

In other words, Estonia issued a zero-application smart card, and banks can use the basic tools as well as your local public transport system.

[From Financial Cryptography: Rights Archives]

Tarvi showed us the statistics for December 2007: there were 100,000 public sector transactions and a million private sector transactions (in a country of 1.3 million people). The barriers to greater usage included the usual (the need for a smart reader and the right software) but one is specific to Scandinavia and the Baltics. This is that there is a tradition of using bank-issued passwords for access to online services.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

