European Electronic Identity Practices

Country Update of Sweden
Dag Osterman, SAMSET project, Swedish National Tax Agency, Head Office
Date: May 26, 2005


Page 1: European Electronic Identity Practices

European Electronic Identity Practices

Country Update of Sweden

Dag Osterman, SAMSET project, Swedish National Tax Agency, Head Office
Date: May 26, 2005

Page 2: European Electronic Identity Practices

Goal 24/7 Government e-services

”One-Stop-Service”

SHS

Private companies

• eID (standardized)
• yellow pages

Internet

Page 3: European Electronic Identity Practices

CA organisation

• Responsible CA organisation: Swedish banks and TeliaSonera

• The background of the organisation (private/public): The government has signed frame agreements with the banks and TeliaSonera regarding ID-services (checking of certificates, support to end users..)

• Description of the existing CA infrastructure (e.g. registration authority, card factory etc):

Page 4: European Electronic Identity Practices

Bank customers:
• citizens
• companies

Bank

Internet

0. The customer connects to the web services of his bank. The bank offers him an eID free of charge.

Ida Svensson8237

Page 5: European Electronic Identity Practices

Bank customers:
• citizens
• companies

Bank

Internet

eID

1. The customer downloads the eID from the bank

Page 6: European Electronic Identity Practices

Bank customers:
• citizens
• companies

Bank

Internet

2. The customer connects to an e-service of:
• a government agency
• a private company

eID

Page 7: European Electronic Identity Practices

Bank customers:
• citizens
• companies

Bank

Internet

3. The service provider asks: valid/not valid?

revocation list

eID

Page 8: European Electronic Identity Practices

Bank customers:
• citizens
• companies

Bank

Internet

4. The bank responds: valid (not valid)

revocation list

eID

Page 9: European Electronic Identity Practices

Status of National legislation on eID

• Are eID specific regulations enacted and in place? Yes

• Name and date of the regulation(s): The law on qualified electronic signatures (2000:832). But there are no CAs registered to issue qualified electronic signatures. Today there is no business demand for them.

Page 10: European Electronic Identity Practices

Status of National deployment of eID

• Name of the project: SAMSET-project, the Government Interoperability Board (e-nämnden) and the 24/7 Delegation.

• Plans, piloting or implementation?
• legal Guidelines are implemented
• test and ”standardization” of user interface - ongoing
• use of an eID for government agencies information exchange
– a project is ongoing to produce a Guideline
• use of XML for government e-services………..

• Is the card obligatory? No
• Starting date of issuance: 2002 (2001 for companies)

Page 11: European Electronic Identity Practices

Status of National deployment of eID

• Envisioned total number of holders of eID:
• 700 000 (about 100 000 on card)
Number of inhabitants: 7.1 million ”taxpayers”.
• 2 134 000 used one electronic channel (of 6.5 million who could use prefilled tax forms) for income tax return.
– 428 000 used eID (they could make changes in the tax form)
– 902 000 used Internet + security code (accept the tax form)
– 567 000 used telephone + security code ( -”- )
– 237 000 used SMS ( -”- )
– Tax board saved $2 for one electronic tax return form

• Expected number of cards/eID certs by end of 2007: 3 – 4 million

Page 12: European Electronic Identity Practices

[Chart: Number of eIDs used for income tax return, by year (2003, 2004, 2005); vertical axis from 0 to 450 000]

Page 13: European Electronic Identity Practices

Status of national deployment of eID

• Basic functionalities of the eID:
- official ID document: No – but there will be a national eID card issued by the police (October 2005)
- European travel document: No – but the national eID card will be a Schengen passport
- support of on-line access to e-Services: Yes – but whether the national card will contain the eID is currently being discussed with the banks

• Validity period of the card/certificates: soft 1-2 years, card 3-5 years

Page 14: European Electronic Identity Practices

Status of national deployment of eID

• Price in Euros of the eID:
- for the citizen: Free of charge
- price for the national eID-card: Euro 45.
- any additional costs for the relying party: For the user no. The e-service provider pays for the ID-service (checking of certificates and so on)

• From whom and how may the citizen obtain the end/user packages: From the banks and TeliaSonera over the Internet. For the national eID-card not yet decided.

Page 15: European Electronic Identity Practices

Basic ID function

• What data is electronically stored in the eID:
- national identifier - personal number – used by all government agencies and many private companies - includes:
– date of birth
– sex
– a four digit number
- family name, given name

Page 16: European Electronic Identity Practices

Basic ID function

• Are these data elements in a dedicated data file? Yes
- How is the file protected? PIN
- Does the data file comply with the ICAO LDS? No – but the national eID-card will.

• Is the personal data (also) held in a certificate? Yes

Page 17: European Electronic Identity Practices

Basic Authentication function

• What Verification mechanism is used:
- PIN? Yes
- Biometrics? No
- If No, is introduction of biometrics envisioned? No

• Is there a PKI supported authentication mechanism? Yes but weak

Page 18: European Electronic Identity Practices

Basic Signing function

• Is a PKI supported signing mechanism (certificate and keypair) present for e-transaction services (non-repudiation)?

Yes - but we don't use the word ”non-repudiation” because our courts have ”free handling of proof”

Page 19: European Electronic Identity Practices

eID based services

• Swedish Tax Agency services are accessible to holders based on acceptance of the eID Certificates:
– income tax return
– monthly corporate tax return
– tax account
– preliminary income tax return
– population registration certificate
– registration of a business
– report qualified person

Page 20: European Electronic Identity Practices

eID based services

• Example of other e-services which are accessible to holders based on acceptance of the eID Certificates:
– applications for temporary parental benefits (National Social Insurance board)
– calculation of a person's retirement pension (co-operation between National Social Insurance board, Premium Pension authority and different private insurance companies)
– selection of school for your children
– registration of a new address
– permission to start a lorry/taxi/other vehicle corporation
– the Swedish Farmers Supply and Crop Marketing Association (52 000 farmers) will use the eID for contracts between the farmers and the Association
– identification for on-line shopping (some web shops)
– renewal of bank loans
– a large number of local government e-services

Page 21: European Electronic Identity Practices

eAuthentication Business models;

• What are the Charging/Revenue mechanisms? The service provider pays for checking of the eID
• What charges are levied for use of the eID? None
• Is there a charge for checking certificates and if so who pays for this? The service provider
• Has a cost benefit analysis been compiled for the eID scheme? If yes what are the main conclusions? No – but for some e-services
• Is there a study report available? N/A

Page 22: European Electronic Identity Practices

eAuthentication Business models; public/private partnership

• Are non government bodies allowed to use the eID in support of their services? Yes

• Is the card a multi-application smart card? Yes, some of the eID-cards issued by banks are. In one or two years the banks will support EMV and include our eID on the card, too. The national eID-card will probably (?) support our eID.

Page 23: European Electronic Identity Practices

eAuthentication Business models; public/private partnership

• What is the approach to and experience with card branding? The Swedish banks will support the EMV card, but they will also include our eID on the card. Whether the banks will also include our eID on the national eID-card is under discussion.

Page 24: European Electronic Identity Practices

eAuthentication Business models; cross border usage

• Are there agreements with other national eID issuers for mutual recognition of eIDs? (Status of Memorandum of Understanding (MOU) with other CAs)

No

Page 25: European Electronic Identity Practices

Other Interoperability issues

• What is the level of Current Compliance with each of the following international standards or group activities (Planned): the answers are for the national eID-card

– CWA eAuthentication (under development): Yes

– CWA 14890 Secure Signature creation device: Yes if/when we will see a demand for qualified signatures arising

– CEN 224 –15 European Citizen Card (under development): Yes

– ISO/IEC JTC1 SC 37 biometric standards: N/A

– ISO/IEC JTC1 SC 17 IS 24727 (under development): Yes

– ICAO recommendations: Yes

Page 26: European Electronic Identity Practices

Current use and plans in Biometrics (the national eID-card)

• Technical solution(s):
– The national eID card will use face recognition, in 2006 it will probably also support fingerprint recognition (a law must be changed)

• Type of project(s):
– Pilot on its way and deployment to the public October 2005.

• Application areas:
– Border Control, immigration
– National ID
– Computer log on
– Central, regional and local government services (if our eID is supported)

Page 27: European Electronic Identity Practices

Next plans

• The necessary support is now existing:
– the eID standard
– 700 000 end users
– the infrastructure and the business model
– roadmaps
– most laws

• Now it is up to the agencies!

Page 28: European Electronic Identity Practices

Lessons learned so far

• The costs for the citizen must be zero till the ”market” can offer more e-services

• The market (esp. government) will not develop e-services if the citizens do not have eIDs

• This is the reason why the Swedish government has started with:
– the customer base of the Internet Banks (5 million customers)
– ”soft eID” (and ”hard” eID at the same time)

but we will migrate with the Banks towards ”hard eIDs”

Page 29: European Electronic Identity Practices

Porvoo Group cooperation issues

• List of issues to be overcome and recommended Porvoo Group members actions that would support accelerated deployments:

• Joint co-op letter to encourage PC manufacturers to include card readers as a standard component in PCs.

• Cooperation with Microsoft and other software vendors to get an acceptable ”user interface” for the PKI-related functions. The PKI ”language” must be hidden for the users.

Page 30: European Electronic Identity Practices

More information

• Web-pages for the project/eID issues: www.e-namnden.se (here you can find some of the SAMSET project Guidelines) and www.24sju.se

The SAMSET project:
• email: [email protected]
• email legal questions: [email protected]

Thank You!