Comparative eID

From IIW

Session Topic: Identity & Government

Tuesday 5D

Convener: Kaliya Hamlin, Elisabeth Mouchy

Notes-taker(s): Scott Fehrman

European workshop for identity workshop, how diff countries are doing it

  • Who uses eID, Nordic countries: 1/3 people
  • Who uses smartcard
  • England pulled out of identity program

France:

  • Mapping digital identity to Physical (name, address, etc.)
  • Use of postal service to process the identity, (like facebook connect model)
  • User can manage their own account

United States:

  • What does the US do?
  • Gov employees have internal processes
  • looking at USPS for citizens

Identity Lifecycle Flows:

  • Id Proofing
  • Enrolling

Countries:

  • United States
  • France
  • South Africa
  • Finland
  • Sweden
  • Canada
  • Belgium
  • Italian
  • Spanish
  • Norway
  • England
  • Germany
  • Japan
  • India
  • New Zeland

Two perspectives:

  • (Common Law) Person: your who you say you are
  • (Napoleonic Law) Agency: you are what we say you are

Issues:

  • How do you identify a new user
  • Authoritative sources
  • What problem are you trying to solve (what is in/out of scope), mandatory, optional, prohibited
  • What is benefit to the citizen
  • Government is suppose to provide services to citizens
  • Authentication mechanisms
  • What are peoples "legal rights" in myself as human being
  • Gov data aggregation practices
  • Liability, responsibility
  • Who can / should be an identity provider (should a federal gov. be an identity provider)
  • What used for health / tax, public / private
  • France postal: digital verified mail, banking (soon), digital safe vault, authen to website
  • Adoption rates, what is optional / mandatory
  • What services can be actualized with an "in place" infrastructure
  • Precursor: document authority (trust level)
  • What has been tried ... (and failed)
  • Data protection privacy regulations
  • Risk level schemas for countries
  • Range of attributes (schema alignment / mismatch)
  • What "is issued" as credential
  • User consent, flow requirements
  • Who (agency) is authoritative or not
  • Age of issue
  • Proxying / delegation (youth / elder) eTrusteeship
  • Vertical integration
  • Phase of lifecycle ... continuity
  • Biometrics
  • How is it "monetized", make money, save money, just because we are government

Revised Comparative eID list:

Big Picture

  • What has been tried but failed?
  • What problem are they trying to solve?
  • What is the benefit to the citizen/user?

ID Proofing

  • How is ID Proofing done?
  • Are there document validation/verification services?
  • What authoritative sources outside the system/country are accepted?

Enrollment

  • How does enrollment happen?
  • What entities (who) issues precursor identities?
    • How does enrollment happen for them?
  • What age/life event are identities issued?
    • How often does re-identification over time?

Attributes

  • What biometrics are captured?
    • How are they stored?
    • How are they used?
  • What are the attributes captured?
    • How are attributes shared?

Credentials

  • What is issued as the credential?
    • How much does it cost for 1st issue?
    • How much does re-issue cost?
  • Is an digital identifier issued?
  • What other identifiers are issued by the government for what purposes?
  • What is the per-capita issuance rate?
  • What is the incidence of duplication? (same number issued to two different people)
    • Has it been cracked? How?

Uses

  • What are the mechanism of authentication?
    • Does the authentication "phone home"?
  • Does the eID issued support e-signatures, signing as distinct from authentication?
  • Can secondary credentials be generated?
  • What is the per-capita usage volume?
  • What is the value of transactions?
  • How is it "monetized" by the issuing institution
  • What can the eID be used for:
    • in the Public Sector?
    • in the Private Sector?
  • What uses are
    • Mandatory?
    • Optional?
    • Prohibited?
  • What are the user-consent flow requirements?

Governance

  • Is delegation / proxying enabled?
  • Who does the eID belong to? Who's property is is?
  • What are the data protection/privacy regulations?
    • in the public sector? [are records across gov department seprate?]
    • in the private sector? [what right do people have to manage pii]

Architecture

  • What standards are used?
  • How is exchange (trust) managed between entities participating?
  • What are the trust models are used? [drawing on Field Model of Internet Trust]

Law Policy Culture

  • What are people's rights to themselves?
  • What is the liability responsibility?