The increasing diversity and presence of online services reinforce the need for secure and trusted online identities. The European e-identity landscape has grown historically and has been shaped by a variety of initiatives. The change in the legal framework in Europe acts as a catalyst for the implementation of new technologies and new offerings. This article gives an overview of the history and the current status.
Game changer PSD2 – not only in the payments sector
The Payment Services Directive 2 (PSD2) was one of the hot topics in banking discussions in the last year. It has frequently been portrayed as a game changer for the banking industry. The directive has been in force since 13.01.2018. However, its full effect will unfold with a time lag: 13.01.2018 initially marks the beginning of the “transitional periods”. Almost unnoticed, PSD2, along with some other European legislative initiatives, has opened the door to another topic: e-identity.
The Account Information Service (AIS) anchored within the PSD2 enables third-party providers, with the consent of the account holder, to retrieve information from the online banking account. Both the data about the account holder and the transaction data can be retrieved. Banks are required to check the identity of their customers prior to establishing a client relationship. That’s why the customer databases of banks are considered to be high-quality. In addition, transaction data provides valuable information about the account holder. Both the information about the account holder and the transaction data are of great interest to many business models and to many players in the market.
Thus, with the implementation of the PSD2 AIS, the focus shifts to setting up and designing e-identity systems, closely linked with the question of which role banks should play within these systems in the future. First, however, an introduction to e-identity in general and to the e-identity landscape currently existing in Europe.
E-identity – some key points for definition
Put simply, identity is the totality of features that make up an individual and distinguish it from others. Establishing identity in the legal sense means assigning officially registered personal data to a natural person, based on the officially defined characteristics for determining a person such as name, date of birth and gender. State-issued identification documents serve as the means of identifying persons in this understanding of identity. Identification takes place in person by visual inspection; electronic ID means and methods for remote identification have been developed in recent years.
Besides identity in the official sense, there are other identities, in the sense of an unambiguous characterization within a specific context, that are used online and offline. Like introducing oneself among friends, the identities in social networks are often based on self-declared data of the user. And ultimately, users in the network can be identified with sufficient accuracy on the basis of movement, behavior and device usage, which in turn is used, among other things, for fraud and risk scoring and personalized content distribution (mainly for personalized advertising).
Besides the initial identification, another relevant task is authentication, i.e. the recognition of users. Successful authentication is a prerequisite for gaining access to secure areas, i.e. authorization, if access rights have been granted in advance. In addition to this triad of identifying, authenticating and authorizing, digital signatures (for persons) and digital seals (for companies) play a role in ensuring that a declaration of intent comes from a clearly identifiable entity, especially in business processes.
E-identity – history and characteristics
In the past, the establishment of digital identities has already been the focus of various initiatives with different motivations. Improving the security level and accelerating processes were as important as reducing costs and promoting innovation. As varied as these motivations are, the discussion on the topic is just as multifaceted.
The issuing of machine-readable identity documents was a first step on the way to digitized official identity means. It was already the focus of a series of national initiatives more than 10 years ago. The legal basis for this in Europe was EU regulation (EG) No. 2252 dating from 2004, which was issued in response to the US authorities’ demands for entry into the US following the terrorist attacks of 9 November. The technical blueprint was provided by the International Civil Aviation Authority (ICAO) with the standard 9303. With the aim of speeding up the handling of passengers at airport passport controls, the standard is continually being developed further.
However, with the increasing dominance of the digital world, the desire for a digital identity that can be used on the internet, similar to identifying oneself on site, is logical. Technically, this possibility was implemented in Germany with the electronic identity card issued as of 2010. The electronic identity card can be used to identify oneself online using a reader or app and a PIN. However, the use of the electronic ID card fell far short of expectations. Both the necessary additional hardware and the small number of use cases have been criticized by users.
Various measures are intended to remedy this situation: The federal and state governments have launched several initiatives in recent years to improve the supply side and implement e-government services. Organizational issues often prove to be the main obstacle. Problems in internal communication, the coordination of the authorities among each other and the acceptance by employees were mentioned as the main obstacles to the implementation of e-government projects by the participants of the pilot project “model commune e-government”. Despite numerous initiatives, the eGovernment Monitor in December 2017 shows a decline in the use of e-government services for Germany. To reverse this trend, the creation of convenient and consistent services by public administrations is imperative. For a win-win situation to arise for citizens and authorities, a digitization of processes and offerings is necessary that goes beyond the electrification of existing ones.
On the user side, to increase the number of usable ID documents, the legal framework has been changed in the past year so that the online ID function is always activated when issuing new identity cards. To overcome the hurdle of requiring additional hardware in the form of a reader, the AusweisApp makes it possible to use a compatible smartphone as a reader.
Until then, providers of video-identification processes that close the gap to the online world are the beneficiaries of the low acceptance of the online ID function. Banks, insurance companies, telecommunications and mobility services have integrated video-identification processes into their new customer onboarding processes.
Not every interaction on the Internet requires the verification of an identity in accordance with the officially registered personal data. The digital identities with the highest prevalence in the online world are based on user-declared attributes such as name, address and date of birth. These identities are used for social networks, information portals, eCommerce, booking tickets online and much more. For companies, they have become a focal point of customer interaction. From the company’s point of view, it is essential to preserve the customer contact point in order to develop and implement customer-centered new products and services. For this reason, companies started setting up their own customer loyalty programs and portals some time ago. For the customers, this resulted in a large number of online IDs and loyalty cards, while the companies were fighting for the attention of and the knowledge about their customers. The primary goal of those companies is to build digital ecosystems.
The providers with the highest number of users are international technology companies. They reach user numbers and interaction frequencies that are many times higher than those of other offerings and have developed into super nodes in the online world. Their business models are rooted in the data economy; the value for the operators arises from the interaction of the users and the data obtained. After a long period of dominance by the US-based GAFAs, Chinese providers have caught up. The Chinese search engine Baidu, which stands for the B in the acronym BAT, reaches number 4 in the Alexa website statistics of the most popular websites worldwide. In the number of linked websites, however, a clear distance to the GAFAs is still visible. A European company with comparable user statistics does not currently exist. The business models within the data economy are currently being widely discussed. Part of the discussion revolves around the EU GDPR. It aims to strengthen users’ rights and increase information requirements for businesses.
The European e-identity landscape
Many initiatives have been taken in European countries to establish an e-identity system for the digital world. The infographic below gives an overview of the variety of existing initiatives in Europe.
The map of European ID initiatives is as diverse as the motivations of the initiators and the national conditions in Europe. Predominantly, the initiatives are oriented nationally. As an area of application, they primarily focus on public services and selected sectors such as banking or telecommunications. Thus, these solutions are based on identities with a high level of assurance, i.e. the attributes of the digital identity correspond to the officially registered features. However, they differ in terms of initiators, architecture, and user experience. Below are brief highlights of some initiatives:
- Germany: Germany was the first EU member state to finalize the eIDAS notification last year. From September 2018, the online ID function will be recognized throughout Europe for electronic identification in the digital administrative procedure. This is the first state system in Europe that has been notified within the framework of eIDAS. In addition, with the Login-Alliance, verimi and YES, there are three exemplary private initiatives active in Germany that aim to place an e-identity solution on the German market. Blockchain offerings are also available; the Frankfurt-based company Blockchain HELIX, for instance, launched a demo version, HELIX Alpha, at the end of 2017.
- Sweden: Sweden has had an e-identity solution since 2003, known under the name BankID. The administrator of this e-identity system is an association of Swedish banks. The system offers software-based and card-based solutions for the use of web services and electronic signing. BankID enables users to access government portals and e-commerce shops.
- Switzerland: Switzerland made a name for itself last year with a series of blockchain projects. Consequently, blockchain-based e-identity solutions are in municipal use not only in the Crypto Valley Zug, but also in Schaffhausen. On the other hand, in May 2017 SwissID was announced as a product of a joint venture between Post and SBB for the nationwide use of a digital identity by authorities and companies. The naming rights of the system SuisseID, which has existed since 2010, were taken over by the joint venture. The circle of investors was expanded by banks, insurance companies and telecommunications providers in late 2017. The initiative wants to work with the state on the exchange of identity data.
Legal framework – Europe-wide harmonization
Numerous laws and regulations that influence the design of e-identity systems are currently in a state of flux in Europe. An important piece of the puzzle on the way to a digital single market is eIDAS. It includes rules on electronic identification and electronic trust services with the aim of establishing the interoperability of the identification systems in Europe.
By making it possible to access data from online banking systems, PSD2 will provide a boost for new services. Since banks are fundamentally trustworthy and host data that they make available to third-party service providers on behalf of their customers, they play a special role in the design of the systems.
The European Data Protection Regulation (EU-GDPR), which will enter into force on 25 May 2018, regulates the processing of personal data by companies and administrations and is therefore relevant to the topic of e-identity and for almost all companies and administrations. By applying the market place principle, the rules of the EU-GDPR also apply to non-European companies if they offer the services in question in Europe.
The special case of processing data that occurs during electronic communication is governed by the e-privacy regulation. This regulation was the subject of numerous discussions last year, partly due to the rules on online and offline tracking and the obligation to obtain consent to the processing of data. Originally, e-privacy was supposed to enter into force on 25 May 2018, like the EU-GDPR. An adoption in 2018 with a transitional phase for the implementation of the regulations has been announced.
Currently, the provider landscape for e-identity systems in Europe is characterized by a large number and range of providers. Initiators, business models and technical base differ. There are different concepts for the role of state institutions, as well as for the role and involvement of potential private-sector trust providers, such as banks. In addition, internationally there are several initiatives and players that have the potential to influence the development of the e-identity landscape in Europe, indirectly through their example or directly through their engagement in the European market.
To what extent and how quickly a consolidation of the European supplier landscape will take place cannot be stated with certainty at this time. However, one thing is for certain: There will be major changes in this market this year.
- Alexa Website Ranking global, downloaded on 21.01.2018
- Official Journal of the European Union, Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market
- Official Journal of the European Union, Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States
- BankID Website
- German Federal Government, Digitale Verwaltung 2020, pilot project “Modellkommune E-Government” 2014 – 2016
- European Commission, Completion of the notification of the electronic proof of identity by Germany as the first EU member state, 27.09.2017
- European Banking Authority (EBA), EBA opinion addressed to competent authorities on the transition from the existing Payment Services Directive (PSD1) to the revised Directive (PSD2), 19th December 2017
- Helix Alpha Website, downloaded on 21.01.2018
- ICAO, ICAO Standard 9303 – machine readable travel documents, 2009
- Initiative D21 e. V., fortiss GmbH, eGovernment Monitor 2017
- Kanton Schaffhausen, Schaffhauser eID+ Website, downloaded on 21.01.2018
- Swiss ID Website, downloaded on 21.01.2018
- uport, Zug ID: Exploring the First Publicly Verified Blockchain Identity, downloaded on 21.01.2018
- verimi Website, downloaded on 21.01.2018
- YES Website, downloaded on 21.01.2018