Jusletter IT

In the past years most EU Member States and other states like Switzerland have designed and deployed national electronic identities (eIDs). In addition, many commercial eIDs emerged. Unfortunately the use of all these solutions is limited to the systems themselves and none of these systems has gained global acceptance. This is the starting point for the following considerations.

Non-repudiation is a critical requirement for electronic business. It helps to safeguard the rights of participants in an electronic business transaction and it is a critical precondition for compliance, because otherwise, reconstructed transactions could be repudiated. Non-repudiation is created through an identification and authentication of involved actors plus the recording of their actions. In many cases this is enough, although in some cases additional digital signatures of contracts are mandatory. Digital signatures further help to anchor business interactions and to pinpoint contractual commitments. And of course, they can be used for implicit authentication. But in any case, identification and authentication are the core foundations of compliant electronic business.

The above observation is independent of the fact whether electronic business is local, regional, national, or cross-border international. However, a limitation of the validity of authentication to a single country implies severe handicaps for cross-border electronic business. This is of particular importance for small countries and it is thus a big issue for Europe. Therefore, the vision of a unified European identification and authentication space emerged and led to a CIP PSP call for a corresponding pilot A project in 2011¹ . Such a “space” would help to create a unified electronic business space for Europe and it would help to increase the compliance therein.

A unified, single identification and authentication universe requires that each high quality authentication device can eventually be used for authentication. Otherwise it would make no sense to call it unified or single. It must be possible to certify and accredit any high quality authentication system and to connect the system to an arbitrary other certified and accredited high value authentication system. In order to have a true practical impact it is necessary that all this accrediting and linking can be done at affordable costs. Eventually, online identification and authentication with your preferred authentication system and device to arbitrary electronic services results should be easily possible. In the following, we shall assume a European perspective.

The STORK project – https://www.eid-stork.eu/ – has created a four-level quality model for authentication. It has provided two software interoperability solutions – a proxy solution and middleware solution – for the linking of national eIDs providing identification and authentication. These two solutions were tested in six cross-border pilots. Therefore, it seems reasonable to rely on the STORK solutions for building the unified space depicted above. It must for sure include the national eIDs. Additionally, it should be possible to include major commercial eIDs.

There are multiple concrete requirements for such a unified space. We suggest embedding its design into a logical space with three perspectives, or dimensions, respectively: time and implementation scale, stakeholders, and concerned disciplines.

Looking into the far future, the scale is clear. The solution shall include at least all major eIDs in Europe (due to our European perspective), but preferably it should include other non-European eIDs as well. Looking into the near future, the scale is the inclusion of the existing STORK system plus a few “ready” national eIDs added, like SuisseID from Switzerland. The evolvement of the scale in the course of time is hard to predict right now. The key issue is that the unified space manages to reach critical mass in order to attract both new users of its authentication devices and new providers of electronic services upon authentication. It is well known that so far, the up-take of national eIDs by European citizens has not been very enthusiastic, neither has been the up-take by service providers. Citizens hesitate to use national eIDs because of a lack of services, and service providers hesitate because of a lack of citizens with national eIDs. Linking solutions can potentially break that blockade because it increases the numbers on both sides.

This observation already involves two key stakeholders: citizens and service providers. Other stakeholders are companies or organizations, whose employees or members may act on behalf of them, as well as all providers of eIDs (whether from government, industry, or civil society), government bodies (concerned with electronic business or electronic government) and civil rights organizations. Seen from a European political perspective, eIDs are primarily in potential conflict with privacy protections rights and thus with data protection laws. However, seen from a broader political perspective, the design of a single identification and authentication space also touches the so far hardly discussed eventual right for being recognized by electronic services. In an every virtualizing world, this right becomes crucial for a fair society, as without this right being guaranteed those without the possibility to obtain globally usable eIDs will be excluded from many forms of social, economical and political interaction.

This indicates that we should consider several disciplines when designing such a single space: engineering (including security and usability engineering), law and ethics, social issues, and economics, as a minimum. Since the use of eIDs depends on both trust and behavior issues, both rooted in cultural traditions, aspects of cultural anthropology should be considered as well.

We have argued that the scale should involve all major eIDs. But this will most probably be not good enough. On the one hand, in some cases it may be neither desirable to authenticate yourself with your full name nor necessary. Instead a trustworthy proof of several attributes may be sufficient to carry out the business. According to the principles of privacy protection, required data for business transactions should be limited to necessary data, but these data must be of the quality needed for the transaction case. On the other hand, in other cases authentication based on your name and a few core personal attributes may not suffice. It may be necessary that other non-standard attributes, such a academic and/or professional qualification and legal role in a particular context, are proven to the electronic transaction partner. Indeed, it is easy to construct regular electronic business cases, where even less standard attributes have to be proven by one of the business partners. Therefore, the design of the single identification and authentication space should include the possibility to use attribute certificates from your local authentication system throughout the system.

This does neither imply that all attributes are understood everywhere, nor that we need a huge fixed set of semantically standardized attributes. Such a standardization is practically not achievable and it would imply a degree of either centralization or consensus, which is politically very doubtful and which would practically block a sound deployment of the system. Rather it is desirable that attributes can be traced and validated according to their trustworthiness. At the same time the system should stay open for a flexible inclusion of new attribute providers, as long as those can be clearly identified as individuals, companies, government bodies, or other organizations.

Such an open system design is possible. The Swiss SuisseID has designed an open attribute system by way of a claim assertion infrastructure (CAI), see http://www.suisseid.ch. However, it has not been achieved on a larger scale in practice yet. We are currently pursuing research on the potential effects of a system design for e-government, where the citizen is managing his attributes originating from an open CAI. In the non-digital government practice, this is partly reality. Citizens usually have to provide certifications of critical attributes, part of which has been created by government bodies and part of which is from other sources, such as power bills to certify the living place in UK. However, corresponding models for the digitalized government-to-citizen interaction are still missing.

Note finally, that attributes can be understood as roles. Using attributes on a larger or even global scale implies the necessity for a definition of roles with a large (or even global) domain of validity. In fact, the national eID may be considered as the basic global role and attributes as additional specialized roles. An implementation of role based access in replacement of access lists based access significantly increases the IT maturity of systems, as it enables a modularized identity and access management and it supports easier dynamic venturing. However, such an improvement of IT maturity cannot be achieved for free, as it involves a fundamental structural change. Indeed, looking at the unified identification and authentication perspective from that particular perspectives, explains very clearly, that it will be very hard to implement.

The consortium STORK 2.0 has submitted a proposal to the European Commission for a pilot A project towards the unified identification and authentication space. At the time of writing, the signature process for a project based on this proposal is running. The project faces several hard challenges, which we shall shortly indicate.

National eIDs are both rooted in national law and in national or even local trust and confidence culture. Requirements for trust may vary among countries. Kubicek and Noack² have shown that user acceptance of eIDs does rather depend on the ease of understanding the particular eID concept and the ease of use the particular eID devices than on the technical trustworthiness. This questions the often assumed high relevance of objective trustworthiness of the solutions.

However, apart from rather (though not fully) universal factors like high usability, also national traditions play an important role for user take-up. In addition, legal foundations for eIDs vary throughout Europe. Austria has declared the equality of several foreign eIDs to the Austrian eID called Bürgerkarte, but in most European countries only the own national eID are valid within their borders. This limitation creates a very severe hindrance for the implementation of a single European identification and authentication space. Therefore, a whole work-package within STORK 2.0 will be dedicated to describing and analyzing the trust and legal challenges and to proposing possible solutions.

Unfortunately, so far most countries themselves impose hard restrictions on the use of eIDs for electronic business. For example, opening a bank account up to the point that it becomes operational is not admissible with a SuisseID in Switzerland. This holds despite of the fact that the process for obtaining a SuisseID and for opening a bank account are more or less identical. In both cases, identity has to be proven by personal appearance and through showing a passport or an identity card. However, a reuse of the proof of identity in the SuisseID issuing process for the bank account opening process is not allowed so far. The example demonstrates that it is not only cross-border issues which have to be solved, but there are lots of open issues concerning the principal use of national eIDs in electronic business.

The existing STORK solution – that is the quality model for authentication and the interoperability architecture – has to be extended, in order to support the cross-border use of attributes. This extension is not fully straightforward, as there are several options. They key design question is whether to focus on a centralized semantic standardization or to fully open the system. The latter creates questions concerning the practical use of an open system – as we have indicated above – which seem to prompt the design of a new trust model for the processing of claim assertions.

The STORK solution extended with cross-border usable attributes pioneers a future outsourcing of role-based IAM (identity and access management). This would be a great step towards higher IT maturity, but as we have argued above, such a step implies a fundamental structural change and is thus most unrealistic for most current IT systems.

So far, STORK has provided a conceptual and a technical solution, including a prototypical implementation and its piloting. What we need is an interoperability service based on an open standard (including and extending the STORK specification), which can be easily used by service providers for entering the single identification and authentication space. In order to avoid that such a service will depend forever on national funding, marketing concepts and business models for running the service are further needed. Pricing is an important aspect thereby, but not the only one.

Since we strive for the inclusion of many non-national eIDs into the single space and since we need enough providers of interoperability services, a certification and accreditation process and organizational body both for eIDs plus their issuers and for interoperability service providers have to be designed as well. And eventually, they will have to be set up. Aside from others, this creates institutional design choices.

It is a key success factor that the whole design is easy to understand for all involved actors throughout Europe. In addition, the promotion of the emerging single space must be set up with a clear focus on pushing the take-up. Public relations work should be targeted both on common eID owners and on providers of electronic business services. Thereby, the focus should be equally on the benefits of the solutions and on the limitations of the technology in behind. Neither eIDs nor their linking through STORK or the extension of STORK to be implemented in STORK 2.0 will ever provide full security. They just significantly improve the security. This has to be communicated proactively. For example, the abdication of the communication of the remaining risks of the SuisseID solution has been detrimental for the take-up of SuisseID in the first months after it has been issued.

So far, many projects of the CIP PSP have focused their communication on the expert communities, partly even on the scientific communities. However, the success or failure of a single identification and authentication space rather depends on the opinion of the masses, that is the users of eIDs and the service providers which are interested to check the identity of their customers based on eIDs. Both communities should be accessed with a profound marketing strategy.

As we have explained above there is a mutual dependence between limited take-up by both common eID users and service providers, which are the major target groups of PR and marketing. This leads to the following conjecture or wish: What we would need is a small set of killer applications!

We have decided to investigate on the possibility to use e-banking as a killer application for the emergence of a single European identity space. We have thus suggested cross-border e-banking for citizens and for companies as one of the four pilots of STORK 2.0. The idea was accepted by the STORK 2.0 consortium. So far, four banks and ten countries have joined the e-banking pilot. Due to the nature of the business, it will be very challenging to implement it. But we think it is worth the effort because of its high potential for broad take-up.