Vulnerabilities in the infrastructure

Identification Processes

Off-line identification

As mentioned above, there is relative freedom in how one proves one’s identity. The law gives no specific document legal value for identification. Article 78-2 of the Code of Penal Procedure allows individuals to prove their identity by any means. According to a Ministerial circular of 11 December 1985, this covers any official document including a photograph (national identification card, passport or driver’s license), any other document, or the testimony of a third party provided they prove their identity. For foreigners residing in France, the stay/work permit is considered a valid form of identification.

In the same vein, article L.131-15 of the Monetary and Financial Code states that individuals should prove their identity by presenting an official document which contains their photograph. The document most often used in commercial transactions remains the driver’s license, while the national identification card is largely used in relations with public authorities.

This system provides great flexibility. However, as a consequence of some failures in the handout and issuance

It is worth noting that there is no obligation to formally change the address on official documents such as the identification card or passport. If citizens want these documents to be updated, they have to request a new document and follow the relevant request procedure, submitting new documents which justify their right to hold this kind of documentation (“justificatif d’état civil”, proof of residence, etc.).

Online identification

The issue of identification in the on-line environment has mainly arisen in the field of e-government. The French Data Protection Authority, the CNIL [Commission Nationale de l’Informatique et des Libertés], has advocated protecting the anonymity of the user whenever it appears to be a valid alternative. To that effect, in its opinion on the Electronic Administration Plan, the CNIL defended the implementation of a ‘graduated security principle’ under which anonymity should be the rule whenever authentication is not required for the provision of the public service. Where it is required, the means of authentication should pass a strict proportionality test: security requirements should be adapted to each e-process. Even the use of electronic signatures should not be systematic and, according to the CNIL, should not constitute a condition for the implementation of any e-process.

In practice, most of the existing e-processes use authentication systems based on identification codes attributed by public agencies and a password chosen by the user. Electronic signatures are not intended to be generalised but only to allow the dematerialisation of services which require a high level of security. They are currently used for VAT e-payment, medical acts with health professional cards, income e-declaration and for certain services provided through Daily Life Cards.

Finally, one project worth mentioning is a central portal providing access to most public services, www.monservicepublic.fr. The objective is to implement a Single-Sign-on mechanism where the user is automatically recognised by all public services after a unique authentication. This mechanism will simplify the current procedures, which require the user to authenticate to every public service according to the mechanism installed by each public agency. This space will enable the user to store any documents relevant to his relations with the administration and to transfer these documents directly to the public authorities which require them. However, this space is strictly personal and cannot be accessed by public authorities. It is regarded as a safe whose key is held by the user, who can open it on a case-by-case basis in his relationships with the administration.

The use of a central identification number

Every individual who is born on French territory or who becomes a beneficiary of the French Social Security is attributed a registration number (NIR - numéro national d’inscription au répertoire des personnes physiques), commonly known as a “social security number”. The sole purpose of the Directory, RNIPP (National Directory of Identification of natural persons, Répertoire National d’Identification des Personnes Physiques), is to prevent confusion over names (homonymy) and mistakes about the identity of individuals.

The number is largely used by public and private bodies linked to the health sector or finance sector. In other public sectors, the CNIL has always advocated the use of sector-based identifiers. With regard to the identifiers used for authentication functions, the French government expressly opted for sector-based identifiers, in accordance with the position of the CNIL. The General Directorate of State Modernisation [Direction générale de la modernisation de l’État] is a governmental partner of Liberty Alliance and has opted for the use of federated identities. This option is presented as allowing every public service provider to use its own sector-based identifier while preventing any link between public databases and separate identifiers. Furthermore, authentication is made easier for the user, who does not have to repeat the action several times.
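The following sketch is an added illustration of the federated-identity idea described above; it is not code from the FIDIS deliverable, the French administration or Liberty Alliance. It assumes a hypothetical identity provider that hands each sector a random opaque handle for the user, so that each service keeps its own sector-based identifier and the sector databases share no common key. All class names, function names and identifiers are constructed for the example.

```python
import secrets


class IdentityProvider:
    """Toy identity provider: one session, one opaque handle per sector."""

    def __init__(self):
        self._sessions = {}     # session token -> login
        self._federations = {}  # (login, sector) -> opaque handle

    def open_session(self, login):
        # Stands in for the single authentication step (credential check omitted).
        token = secrets.token_urlsafe(16)
        self._sessions[token] = login
        return token

    def handle_for(self, session, sector):
        """Return the user's handle for one sector, creating it on first use."""
        key = (self._sessions[session], sector)
        if key not in self._federations:
            # Random, so it reveals neither the login nor the other handles.
            self._federations[key] = secrets.token_urlsafe(16)
        return self._federations[key]


class SectorService:
    """A public service that knows a user by handle and its own identifier."""

    def __init__(self):
        self.records = {}  # opaque handle -> sector-based identifier

    def register(self, handle, sector_id):
        self.records[handle] = sector_id


def demo():
    idp, tax, health = IdentityProvider(), SectorService(), SectorService()
    session = idp.open_session("alice")  # one authentication for both services
    tax.register(idp.handle_for(session, "tax"), "TAX-0001")        # constructed
    health.register(idp.handle_for(session, "health"), "HLT-7788")  # constructed
    # A second session yields the same handle, so each service recognises the user.
    again = idp.handle_for(idp.open_session("alice"), "tax")
    # Keys present in both databases: what an outsider could join on.
    shared = set(tax.records) & set(health.records)
    return tax.records.get(again), shared


if __name__ == "__main__":
    print(demo())
```

In this sketch the provider's federation table is the only place where the handles of one user meet, so it is the component whose access has to be restricted and audited.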

In the private sector, stringent requirements surround its use. The use of the national number, the NIR, and the mere access to the national directory of natural persons, the RNIPP, are subject to prior authorisation of the CNIL (Article 25.6 Data Protection Act). Such use should be proportionate to the purpose of the processing and should be founded on a public interest. On these grounds, the CNIL rejected the requests of credit, debt recovery and insurance companies. It stated that even if the fight against homonymy was legitimate, it was not sufficient by itself to justify the use of the NIR in the field of management of saving products, credits or debt recovery. It appears from these decisions that the CNIL will judge the existence of a public interest by whether the use of the NIR can be based on a legal provision. However, the mere fact that some entities, due to their collaboration with health public agencies, are allowed to use the NIR for certain activities does not entitle them to extend such use to other activities, in particular to improve their commercial relations with customers. The CNIL considered that the legal provision on which the use of the NIR was based in the first place could not warrant other uses of the NIR. The same reasoning is applied to public bodies authorised to use the NIR for their public activities, which cannot use it for the management of a commercial relation with the user. These entities should use a specific identifier for their commercial relations.
