Comparative eID
From IIW
Session Topic: Identity & Government
Tuesday 5D
Convener: Kaliya Hamlin, Elisabeth Mouchy
Notes-taker(s): Scott Fehrman
European identity workshop: how different countries are doing it
- Who uses eID? Nordic countries: 1/3 of people
- Who uses a smartcard?
- England pulled out of its identity program
France:
- Mapping digital identity to physical identity (name, address, etc.)
- Use of the postal service to process the identity (like the Facebook Connect model)
- User can manage their own account
United States:
- What does the US do?
- Gov employees have internal processes
- Looking at USPS for citizens
Identity Lifecycle Flows:
- ID Proofing
- Enrolling
Countries:
- United States
- France
- South Africa
- Finland
- Sweden
- Canada
- Belgium
- Italy
- Spain
- Norway
- England
- Germany
- Japan
- India
- New Zealand
Two perspectives:
- (Common Law) Person: you're who you say you are
- (Napoleonic Law) Agency: you are what we say you are
Issues:
- How do you identify a new user
- Authoritative sources
- What problem are you trying to solve (what is in/out of scope), mandatory, optional, prohibited
- What is benefit to the citizen
- Government is supposed to provide services to citizens
- Authentication mechanisms
- What are people's "legal rights" in themselves as human beings?
- Gov data aggregation practices
- Liability, responsibility
- Who can / should be an identity provider (should a federal gov. be an identity provider)
- What used for health / tax, public / private
- France postal: digital verified mail, banking (soon), digital safe vault, authentication to websites
- Adoption rates, what is optional / mandatory
- What services can be actualized with an "in place" infrastructure
- Precursor: document authority (trust level)
- What has been tried ... (and failed)
- Data protection privacy regulations
- Risk level schemas for countries
- Range of attributes (schema alignment / mismatch)
- What "is issued" as credential
- User consent, flow requirements
- Who (agency) is authoritative or not
- Age of issue
- Proxying / delegation (youth / elder) eTrusteeship
- Vertical integration
- Phase of lifecycle ... continuity
- Biometrics
- How is it "monetized", make money, save money, just because we are government
Revised Comparative eID list:
Big Picture
- What has been tried but failed?
- What problem are they trying to solve?
- What is the benefit to the citizen/user?
ID Proofing
- How is ID Proofing done?
- Are there document validation/verification services?
- What authoritative sources outside the system/country are accepted?
Enrollment
- How does enrollment happen?
- What entities (who) issue precursor identities?
- How does enrollment happen for them?
- What age/life event are identities issued?
- How often does re-identification happen over time?
Attributes
- What biometrics are captured?
- How are they stored?
- How are they used?
- What are the attributes captured?
- How are attributes shared?
Credentials
- What is issued as the credential?
- How much does it cost for 1st issue?
- How much does re-issue cost?
- Is a digital identifier issued?
- What other identifiers are issued by the government for what purposes?
- What is the per-capita issuance rate?
- What is the incidence of duplication? (same number issued to two different people)
- Has it been cracked? How?
Uses
- What are the mechanisms of authentication?
- Does the authentication "phone home"?
- Does the eID issued support e-signatures, signing as distinct from authentication?
- Can secondary credentials be generated?
- What is the per-capita usage volume?
- What is the value of transactions?
- How is it "monetized" by the issuing institution?
- What can the eID be used for:
  - in the Public Sector?
  - in the Private Sector?
- What uses are:
  - Mandatory?
  - Optional?
  - Prohibited?
- What are the user-consent flow requirements?
Governance
- Is delegation / proxying enabled?
- Who does the eID belong to? Whose property is it?
- What are the data protection/privacy regulations?
  - in the public sector? [are records across government departments separate?]
  - in the private sector? [what right do people have to manage their PII?]
Architecture
- What standards are used?
- How is exchange (trust) managed between entities participating?
- What trust models are used? [drawing on the Field Model of Internet Trust]
Law Policy Culture
- What are people's rights to themselves?
- What is the liability responsibility?