
EIC 2010: On national electronic ID cards, Interoperability and Trust Frameworks

One topic of the European Identity Conference last week in Munich was definitely how to identify citizens on the net. How to do that in general is a problem being worked on for some years and it’s still not solved. And the question at one panel on when this problem will be solved also stayed more or less unanswered.

So let's see what we actually have.

Germany

Andreas Reisen of the Ministry of the Interior presented the new German national electronic ID card, which will be issued starting at the end of this year (my session notes). As he states, it implements privacy by design, and indeed it sounded quite well done. You can use it not only to identify yourself to government agencies but also for online shopping and more. All those service providers need an Authorization Certificate, which they can obtain from the government and which states which data they are allowed to receive (does somebody have a link with details on how to apply etc.?).
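
To make the authorization-certificate idea concrete, here is an added example (not code from the German eID scheme or from this post) modelling the release rule in Python: the issuer binds a provider to a fixed attribute set, the card side verifies that binding and the validity period, and only attributes that are both authorized and confirmed by the card holder are released. The issuer key, the card data and the provider name are constructed; the HMAC stands in for a real public-key signature.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed stand-in for the issuing authority's key; a real scheme
# would use a public-key signature, not a shared HMAC key.
ISSUER_KEY = b"constructed-issuer-key-not-real"

# Constructed attributes as a card might hold them (sample data, not real).
CARD_DATA = {"given_name": "Erika", "family_name": "Mustermann",
             "birth_date": "1964-08-12", "address": "Heidestrasse 17, Koeln",
             "nationality": "DE"}

def issue_authorization_certificate(provider, allowed, valid_until):
    """Issuer side: bind a provider to the attributes it may receive."""
    body = {"provider": provider, "allowed": sorted(allowed),
            "valid_until": valid_until}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_certificate(cert, today):
    """Card/client side: accept only an untampered, unexpired certificate.
    `today` is an ISO date string such as "2010-06-01"."""
    payload = json.dumps(cert["body"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return False
    return date.fromisoformat(today) <= date.fromisoformat(cert["body"]["valid_until"])

def release_attributes(cert, requested, user_consented, today):
    """Release only attributes that are (a) in the certificate, (b) requested
    and (c) confirmed by the card holder. Refuse outright if the certificate
    is bad or the provider asks for anything outside its authorization."""
    if not verify_certificate(cert, today):
        raise PermissionError("authorization certificate invalid or expired")
    allowed = set(cert["body"]["allowed"])
    over_request = set(requested) - allowed
    if over_request:
        raise PermissionError(f"not authorized for: {sorted(over_request)}")
    to_release = set(requested) & set(user_consented)
    return {k: CARD_DATA[k] for k in sorted(to_release) if k in CARD_DATA}
```

The over-request check is deliberately a hard refusal rather than a silent filter, so a provider asking for more than its certificate allows gets nothing and the event can be logged.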

It has some problems though, such as having to buy a certificate for each of the add-ons separately. Add the burden of also having to buy a card reader, and the real question is what adoption will look like. As Kim Cameron said on one panel: Belgium has an electronic ID card, but there does not seem to be a rush to buy card readers.

And there is another problem with it: It’s proprietary, Germany only.

Europe

Now if we look at Europe, we see lots of national ID cards, and some are even electronic. The only problem is that every country uses a different technology. Hence there is the need to implement an interoperability layer, which the STORK project tries to accomplish. Marc Sel gave a talk on this. It seemed a bit disappointing though that not even an attempt is being made at being interoperable in the first place. Moreover, it seems unclear what the future of STORK is after the funding ends (at least according to some coffee break conversations).

The US

Now in Europe the idea of a national ID card is well established and while there is some protest against electronic versions there is no doubt that it will happen (or has already).

In the US things look a bit different in that there is no national ID card. Compared to Europe this makes things harder because there is no one central authority (e.g. the government) which can issue those identities. Thus there is a somewhat more complicated solution in the US involving OpenID, Information Cards and something called the Open Identity Exchange. The latter builds so-called trust frameworks which make sure that Identity Providers and Relying Parties both adhere to certain standards (more specifically, a Level of Assurance). The initial trust framework they developed was the one for the US Government.

Adoption?

Now all of this depends on adoption. And adoption again might be influenced by the following factors:

  • How easy is it to use?
  • How easy is it to understand?
  • How well is my data protected?
  • How much do I believe it?
  • How many places where I can use my identity will exist?

and probably more.

The main problem with adoption might start right at the beginning though: In order to use my eID card in Germany I need a certificate and a card reader. In the US I might have an OpenID, but those can only get assurance level 1, which is not much. For more I'd need Information Cards and probably need to pass through some assurance process. Now which citizen knows about InfoCards? Probably close to 0%.

Then what about the mobile use case? I won't have my card reader with me all the time, and probably it cannot connect to an iPhone. As we get more and more mobile this will be a problem, too. There was an interesting project by Deutsche Telekom though which used next generation SIM cards, Near Field Communication (NFC) and InfoCard selectors on mobile phones to make secure identification possible. This is far in the future though and might also not happen at all.

Then I need to trust this thing. If the government says that service providers can only access data I allow them to get, do I trust it? Isn't this the same problem as with electronic voting, where voters would have to trust TÜV or similar agencies that the voting machine will work correctly? There are systems where I can even check if my vote has been counted, but these involve lots of crypto and thus mathematics, and only experts understand it (and not even they do completely).

Keeping control is another problem: If the system involves too many settings, people won't understand it. It remains to be seen what user interfaces will actually look like. Just look at Facebook and their ongoing refactoring of privacy settings and screens to see how difficult that is. And yet probably most people just click „ok“.

And then of course it depends on the places I can actually use it. This will be the chicken-egg problem. Here in Germany there are at least various companies testing the technology while I heard that in the US there is not yet one RP (is that correct?).

Conclusion

If we look at the landscape, what we see looks like a very fragmented world of (centralized) online identity. Whether it will be a success remains to be seen. It would be great though if people would get together more and develop common standards used at least EU-wide. The complex system now available does not really sound as if it's becoming successful anytime soon.

Add to that that people already have various identities on the net. The problem with these, though, is that they are not really strong identities and are vulnerable to phishing or other attacks (unlike Information Cards, though this remains to be seen should they ever become widespread enough that the bad guys have an incentive to find ways around them).

And there is of course the question on what’s better: A more decentralized structure like in the US or a government issued identity (which changes with each new card though, at least in Germany)? Or neither?

I guess we will find out.