.

The interoperability challenges at the heart of cross-border ID discussions - Published at SDW in London - June 2015

As the appetite for developing identity-based e-government services grows, Jacques van Zijp, Board Member from Secure Identity Alliance discusses the interoperability challenges now at the heart of cross-border ID discussions.

 

 

Digital government, smart city initiatives, and ever-expanding e-service provision will revolutionize interactions between the state and its citizens. This is not in question. Neither is there any doubt that the key to unlocking this brave new digital world is secure, trusted identity.

What is less clear, however, is what will happen when the citizen decides to leave their home state to travel to, or to live in, another.

What happens, for example, if a British citizen moves to Germany? Or a German citizen crosses the Atlantic to North America? Will they, and their identities, be seamlessly integrated into the digital life of their new state – free to access healthcare, social services and pay taxes online? Or will they be locked out?

And what about businesses signing digital contracts and transacting online across borders? Will their sovereign-derived or commercial identities be compatible with the laws, regulations and technologies of their trading block partners? Or will business relationships, contracts and transactions be forced to step offline, and back into the 20th century?

The answer is that we all hope not, but right now, no one really knows. And this is a problem. In the European Union freedom of movement is a right for all citizens of member states. Should they want to go to another country to work, they can do so, freely and without restriction.

But while citizens can move unrestricted across borders, their identities don’t always travel so well. The natural result therefore is that e-government investments made by one country are (today at least) out of reach of citizens from another.

Imagine waiting in line at border control only to be told your passport isn’t accepted as a valid travel document. Or that the trade you make in Frankfurt is stopped on Wall Street because the Euro isn’t accepted.

These scenarios are, of course, unthinkable. However, in the e-services context, because of the differing design of identity systems around the world, this is exactly what is happening.

And while this isn’t an issue right now, as e-government provision becomes more sophisticated, and more services move online, the potential to ‘lock out’ migrant groups, for example, becomes a very real issue should national electronic identity (eID) systems lack legal and/or technical interoperability.

For sure, there are considerable ongoing efforts to remedy this situation - eIDAS in the European Union is a good example – but we’re not there yet. And while eIDAS may be developing a high level of trusted identity throughout Europe, what about North America? Will eIDAS be interoperable with its OIX system?

The simple fact is that identity needs to travel beyond continents. The ‘free trade’ concept of the Transatlantic Trader and Investment Partnership (TTIP) currently being negotiated between the United States and the EU requires that countries not only trust, but can integrate and authenticate, the identities of business entities and individuals.

The point is, just like passports and wire transfers, the identity systems that sit at the very heart of digital transformation for both the public and private sectors, must be secure, effective and above all interoperable.

The trouble with interoperability

Of course, efforts have (and are) being made to address this fundamental issue of interoperability. We’ve referred to eIDAS already. This is certainly a positive step forward, and with the regulation having come into force last September, the direction is set to deliver a single digital market (between EU members states, at least).

However, while eIDAS looks set to solve some of the identity-based public and private sector issues – including the lack of legal recognition for electronic signatures across the EU, and the lack of legal certainty of cross border trust services – it only does so in Europe.

And even in the EU there are differences of opinion – not least in terms of a clash of cultures between states. Identity, ideologies, as well as the ecosystems, differ from one country to another. Authentication methods are not uniform, and levels of maturity change as we move from state to state.

How then do we achieve that much-needed interoperability across borders, particularly when doing so must address a disparate range of elements - from assurance levels, through security and privacy to policy, implementation and adoption. And how can the global community do it all while assuring the highest levels of trust?

The international imperative

The first step is to understand the ultimate objective – what are e-government services for, and what role does identity play? There’s already a wealth of insight, not least from the SIA, available on this subject, so rather than cover this in detail here, let’s simply say that digital services are widely accepted as being able to deliver a more cost effective, more efficient, more secure and more inclusive social and economic foundation for nation states. Not only this, by building trusted frameworks between sovereign states, these benefits can be shared for the wider economic and social good across the globe.

The next stage is to define and create those trusted frameworks: what constitutes ‘trust’, how can it be assured, and how can it be shared? Perhaps more than this, who is responsible for the creation, management and aggregation of individual identities. For some it’s sovereign states, for others it’s the free market. But as we see from the below example, a trusted digital identity will be imperative for everyday life within the next five years.

Vision 2020: Trusted digital identity is a key enabler of everyday life

This ability to prove who we are as citizens is only the start. Whereas eID is best described as the provision of data that uniquely defines and identifies a particular individual, how that data (and individual) is authenticated is a subject of greater debate.

Authentication can be light, strong or anywhere in between. It can be made using a single or multiple factors depending on the sensitivity, security and privacy requirements of the particular use case. It may require a biometric factor, a PIN code, secure element and others. Fundamentally, it must be able to prove the person (or the attribute) is who or what it says it is.

So while identity is the ‘system’, authentication is the mechanism that requires the proof.

This is an important distinction because, certainly within the emerging eIDAS Regulation , sovereign states are able to choose between three levels of assurance for particular services – low, substantial and high. This is fine until one EU state rates a service at one level, and another chooses to require a higher level of assurance for access. The citizen from the first country will therefore be unable to access the same service in the second country as their lower level won’t allow it. Not only that, the definition of each eIDAS level lacks a certain clarity, and therefore poses additional issues when thoughts turn to cross-border interoperability.

Certainly it is the SIA’s view that assurance levels should be more clearly defined, and indeed that the high level of assurance be utilized whenever possible – protecting both citizen and entity.

The SIA believes that the lack of definition around the three levels of assurance poses a very real threat to the security and integrity of digital identity services across the EU.

While the ill-defined “substantial” level provide a lower than required level of assurance, the inconsistencies in eIDAS planning and deployment between member states also threatens cross-border interoperability. Ultimately this may impact the success of the single digital economy in Europe.

In response the SIA calls for more robust definitions of assurance levels that go beyond the technical requirements – which are perceived as adding further constraints and costs. Moreover, it should be made clear that higher assurance levels provide greater benefits – and those benefits should be clearly communicated.

SIA is also deeply concerned about the privacy and personal data of EU citizens. It is imperative to implement appropriate security measures in the legislation when it comes to digital identities, in order to provide the necessary trust and allow the development of the digital services related to electronic identification schemes. SIA is convinced that the highest level of security technologically available for digital transactions must be made legally accessible, and thus properly reflected in the eIDAS Regulation. This will be achieved by adopting a proper definition of the “high” Level of Assurance (LoA), which would explicitly refer to common criteria security certification EAL4+. Certified solutions have been successfully deployed in the European Union and worldwide for a good reason: only these solutions can provide a maximal resistance to high level attacks and security breaches.

It is important to bear in mind that Member States and the digital security ecosystem have already invested a lot in the STORK pilot project, where the highest LoA directly refers to the abovementioned security certification standard.

Exploring the models

Issues of definition are also important when it comes to identity systems themselves. eIDAS, for example, goes to great lengths not to define a particular ID system. Architects within the EU clearly believe this is for the sovereign state to decide.

In the UK, for example, the British government has taken a less centralized view of identity – developing a structured identity framework under a federation of endorsed identity providers.

The service, called GOV.UK Verify, allows citizens to use a federated identity model to prove they are who they say they are when they sign-in to government services. Citizens are able to choose an identity assurance provider from a range of certified suppliers, including Digidentity, Experian, MyDex, The Post Office and Verizon.

Sweden, Italy and others have taken a similar approach.

In other parts of Europe, including Germany and Estonia, the state plays a greater role through the provision of a centralize identity trust framework using the national eID as the root identity.

Elsewhere, most notably in the US, an open identity model operates.

The natural result is proliferation…of models, concepts and ecosystems. This further complicates an already complex environment. But it’s not all bad news, and the development of wider ecosystems is to be supported.

While the United States and its OIX Exchange system may not recognize an eIDAS-type scheme, chances are a global service provider in the country would - based on a minimum level of identifying data. Authentication of, for example, the digital signature confirming a merger, would then be possible between the US and Italy.

It’s here that the role of ‘system–agnostic’ identity service providers have a key role to play. In the converse of the above example, should EU member states recognize a US-based or global service provider, and the levels of assurance are deemed compliant, then the identity of the US business or individual coming through that provider will be likewise accepted.

Undoubtably, the striking economic benefits of a globally interoperable identity system outweigh the challenges of the journey to get there. But at the same time, the scale of the challenge – both technical and philosophical – shouldn’t be underestimated.

Assurance levels, tighter definitions and a commitment to create a connected ecosystem able to deliver outside of the sovereign state is crucial. And while it’s happening, increasing focus on interoperability without jeopardizing security and privacy in the short-term will certainly accelerate the mid to long-term returns for both citizens and states.