Electronic IDs are a key element of secure and accessible service delivery in the 21st century

International Experiences With Electronic IDs Bill Nagel Analyst Forrester Research May 7, 2009


Page 1: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

International Experiences With Electronic IDs

Bill Nagel

Analyst

Forrester Research

May 7, 2009

Page 2: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Entire contents © 2009 Forrester Research, Inc. All rights reserved.

Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Page 3: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Agenda

• Problems of security and service delivery that eIDs solve, create, and expose

• Principal forms of eID

• Service delivery using eID to authenticate identity

• Issues arising around eID implementation

• Results of some existing eID programs and lessons learned

• Different worlds, different routes to success

Page 4: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Electronic identity, security, service delivery

• Preventing identity fraud

• Delivering government and commercial services to citizens

– Disconnect between the needs and behaviors of people as citizens and as consumers

– Disconnect between the desire to protect citizen privacy but offer them a range of commercial options

• Privacy and civil liberties concerns

– Linked databases

• The combination of technology and compulsory identification raises significant emotional issues

Page 5: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Electronic ID technologies

• Security is based on PKI certificates

– Authenticity, integrity, confidentiality, non-repudiation

– Important to use standards-compliant encryption algorithms

• Primary means of delivering eIDs

– ISO 7816 plastic cards with integrated circuit chips

•Contact or contactless

– Wireless PKI: certificates reside on the SIM card of a mobile phone or in the phone OS

Page 6: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Enhanced G2C service delivery

• Delivery/signature of government documents

• Health care

– Access to medical records, filling prescriptions

• Social security, pension

• Voting

• Tax declarations (VAT, annual return)

• Other government payments (G2C, C2G)

• School or work ID

• Child safety, student benefits

• Public transport

Page 7: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Enhanced B2C and P2P service delivery

• eBanking and mBanking

• eCommerce and mCommerce

• Peer-to-peer payments

• Secure email

• eSignatures (contracts etc.)

• Age-proofing

• Ticketing

Page 8: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Development impact of eID

• Improved quality of service delivery

– Freedom from onerous identity verification processes allows more resources for service delivery

– Greater automation improves speed

• Improved stance regarding corruption

– Reduced opportunity for identity fraud shifts the corruption landscape to the “endpoints”

– Exposure in countries with historical documentation challenges

– Principal remaining threats

•ID proofing and credential issuance

•Social engineering (credential bypass)

Page 9: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Concerns about eID: General

• Tendency to focus on the technology

• The technology problem is largely solved — implementing an effective eID program is fundamentally a process problem

• Primary success factors: ease of use and frequency of use

– Security technology is worthless unless easy to use

– Service delivery methods that can’t be used frequently have a far higher cost:benefit ratio

Page 10: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Concerns about eID: Privacy

• All countries use some form of unique general identifier

– “Meaningful” or “meaningless” (MBUN)

• Government-controlled, non-siloed databases of PII raise civil liberties concerns in some regions

– “Match on card” has limited applicability

• Private-sector use of public-sector issued identifiers

– Easier to link data without permission

– A privacy risk many governments won’t take on

– Cross-correlation of identity information

– AT solution harder, more costly, doesn’t scale well

Page 11: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Concerns about eID: Interoperability

• Lack of ICAO-like consensus on identity attributes, credentials, authentication mechanisms

– Practical restrictions and policy preferences have won out over objective, universal criteria

• Public sector identifiers useful for internal country use, but are limited in the international context

• Cross-border applications are quite important, but:

– Foreign govts ultimately won’t be able to verify (thus trust) the authenticity of the identity information

– Private sector identifiers improve interoperability but take control out of public sector hands

Page 12: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Belgium

• Began 2003, complete (>8m) early 2009

• Basic personal info + certificates

• Linked to the national register; cert contains UIN

• National, regional, local public sector applications

– National register, health care, tax filing

• Private sector can adopt the government mechanism gratis

– Little uptake; few commercial applications to date aside from a few eBanking initiatives

Page 13: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Estonia

• Began 2001, >1 million issued

• 80% filed eTax in 2006 (2001: 9%)

• Public services: eVoting, Tallinn public transport

• Any organization can “eID-enable” its service, handle customers online

• Few Estonians actually using the cards (ca. 55k)

• Little reason to switch to eID

Page 14: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Austria

• No single, universal identity token

– Any smart card or other PKI-capable token meeting minimum reqts

– Token can be issued by the public or private sector: every bank card issued since 2005, every health insurance card, any mobile phone

• More flexible than relying solely on govt-issued card

• No increased use of citizen eIDs for commerce

– 55k of 6.5m bank cards in use activated as citizen IDs; 13k of the 9m health insurance cards

Page 15: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Spain

• Began 2006, expected 8m by end 2008

• 300 eGovernment apps

• 13 public and private CAs

• Biometric data: ID photo + 2 fingerprint scans

• Success in attracting the private sector? Too early to tell

– Banks must accept eID on the same footing as bank cards + for electronically signing banking operations

– Some other parts of the private sector must accept the eID

– Some banks adapting, but eID will coexist with bank cards rather than replacing them

Page 16: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

What’s the common thread?

• Make government service delivery more efficient

• Enable the private sector to lower its security- and identity-related costs

• Allow citizens to use a single credential for a number of valuable services

• An almost complete lack of commercial applications exploiting the existence of the eID

• We have to turn to a 5th country:

Page 17: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Sweden: an encouraging counterpoint?

• Centralized PKI in place for use of all banks, cooperatively owned/operated

• BankID in place for 5 years, covers 5.6m citizens (1.5m active)

• Early 2000s: Govt. decided to use Internet to improve G2C access

– Considered implementing its own PKI

– Asked banks to supply BankIDs that could also be used on govt. sites (hard work already done)

– Now one of more than 300 parties using the BankID PKI

• eID-based eGovernment services available since 2004

– Much higher usage despite lack of legislative eID requirement

– 1.5m adults voluntarily added eID functionality to BankIDs; >2.5 transactions per eID holder per month

Page 18: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

eID can find success in different worlds

• The European experience is that of rich, “wired” societies . . .

• . . . But eID can be just as important (if not more so) to other countries

– Mobile is changing the game (“leapfrog” countries)

– Enhances service delivery to more remote areas

– Service delivery to all, regardless of material condition

•Better banking and (micro)lending services

•Improved access to the ballot box

•More access to govt services => improved public participation

Page 19: Electronic IDs are a key element of secure and accessible service delivery in the 21st century

Thank you

Bill Nagel

+31 (0) 20 305 4381


www.forrester.com