Title: ISSUANCE PROCEDURES OF AN EID

How to prove the identity of the eID holder? 

For a third party to trust an eID and subsequently accept it as a valid eID, it is of vital importance to ensure the link between the natural person holding the eID and the information contained in it.

This issue has bean dealt with in annex II and article 6.1 of the e-Signature Directive. These rules heavily rely on corroboration of the identity of the holder of the eID done by the certification service provider (CSP).

The issue that Myhr addresses in the report is that the Directive does not state how the identity has to be proven to the CSP: Is personal appearance mandatory? Is checking against a national population register needed? Could any other evidential documents serve to prove the identity of the holder?

The ETSI standard on Policy Requirements for Certification Authorities issuing qualified certificates (TS 101 456) answers one of these questions, as it states that the identity of the person to which the qualified certificate is issued shall be checked against a physical person, either directly or indirectly using means which provides equivalent assurance to physical presence. Submitted evidence may be in the form of either paper or electronic documentation.

Still, this standard does not clarify which documents are needed to prove the identity of the eID holder, presumably because it is very difficult to find a compromise at the European level (either in regulation or in standardisation work) which is acceptable for all Member States. 

Applying the same rules to both eID and visual ID  

If an eID shall be given the same legal validity and be used in the same types of transactions as a national accepted visual ID, the requirements on the issuance of the eID should be the same as for the visual ID. Myhr explains that if it were easier to obtain an eID, this would facilitate circumvention of existing rules and regulation and build down existing trust in the ID system. 

Today, EU Member States usually have very precise regulations, procedures and document requirements for issuing an ID, but these requirements usually only apply to visual ID’s.

Content and Verification of the eID

The use of unique identifiers  

It is imperative that the information in the eID distinguishes holders from each other. There are several (equally good) ways to do this, but when one wants to have a pan European eID, one of these solutions will probably have to be chosen. 

According to Myhr, the chosen identifier should have the following features: (1) universality of coverage, (2) uniqueness, (3) permanence, (4) exclusivity and (5) precision. 

He raises the question how to make sure that a foreign entity can verify the identifier, if it is not used to handle a specific type of identifiers used in foreign eIDs?

One external comment on the report was that the report should be complemented with the concept of “certificates”, which is the basis for the authentication aspect in eID. These certificates do not need to include the identifiers of the eID holder. Linking to these identifiers is (technically) possible without including them in the certificate.

Control of information disclosure 

Another issue addressed in the report is how to make it possible for the eID holder to control which information from the eID or certificate is presented to a third party?  

It is clear that the need for information that has to be ascertained with information from the eID is different from situation to situation. A hospital for instance, probably needs to know the eID holder’s real address, but a company selling widgets over the internet, does only need to know that it will receive due payment for the delivered goods. 

Not dealt with in this report, is the relating issue, that a large number of people on the one side declare quite some sensitivity to their personal information being leaked, but on the other side:  

• are not very much prepared to accept the overhead or cost of privacy enabled technologies, and 

• give large quantities of their (identity) data away to e.g. CRM, profiling programs and questionnaires, where they often cannot control what is done with these data. 

Additional research is needed to examine and understand this contradiction.

The use of pseudonyms 

The European Union and its Member States have enacted a legal framework to facilitate the exchange of personal data and to provide guidance on processing of personal data while restoring individuals’ control over their data.  

One of the rules which are relevant in this context is contained in annex I of the e-Signature Directive: the qualified certificate should contain the name or the pseudonym of the signatory (under the condition that it can be identified as a pseudonym).

A pseudonym is an arbitrary identifier of an identifiable entity, by which a certain action can be linked to this specific entity. The entity that may be identified by the pseudonym is the holder of the pseudonym.

A pseudonym is typically a fictitious name that can refer to an entity without using any of the entity’s identifiers. In effect, the pseudonym is an additional attribute of a given entity’s identity, which allows it to form a set of partial identities which can not necessarily be easily traced to the originating entity.

Myhr doubts that there are any visual ID’s today issued with a pseudonym instead of a real name, and he assumes that an eID with a pseudonym would most probably have a limited legal and practical value.

He is convinced that when building a legal framework for entity authentication, the right or possibility to use a pseudonym for identification purposes, will need to be addressed. 

In this context it is useful to mention an R&D initiative in the field of Identity Management sponsored by the European Commission and the Swiss Government: the PRIME project. 

This project proposes building a user-controlled system for managing identities. Their vision is to give individuals sovereignty over their personal data, and enable them to negotiate with service providers the disclosure of personal data and conditions defined by their preferences and privacy policy.  

Hence, to a range of risks, there is a corresponding range of responses about disclosing personal data, from full anonymity, to partial anonymity (“pseudonymity”) and third-party certified identity. Thanks to the technology, even when anonymous (or pseudonymous), people can still be accountable for their actions.

Data Protection

Selective disclosure of data from the qualified certificate 

Pursuant to Annex II of the e-Signature Directive, a qualified certificate should not be made public unless the signer/holder has given his approval.  

According to Myhr, this rule is insufficient, as it says nothing on the possibility to selectively disclose information, depending on the context in which the eID holder is communicating. However, he believes that the issue could be solved via standardisation work. 

Separating authentication and identification data 

One of the comments received on the report, was that it should be complemented with the idea of separating authentication and identification data held in the eID.  

It is indeed surprising that the report puts entity authentication on a par with identification, but makes no further reference to the different kinds of data to be included in the eID. By application of the general Data Protection rules and the e-Signature Directive, it is clear that:

• data contained in the (qualified) authentication certificate should be limited to what is needed and legally required for authentication purposes; 

• data contained in an eID for identification purposes should only be communicated on a need to basis (which mainly follows out of Member State regulation in this regard)  

This is particularly relevant when the eID replaces the visual ID, and also contains identification data which previously was available on the visual ID (such as the address, national Registry Number, date of birth or the marital status of the eID holder).  

Liability, Revocation and Biometry

Myhr mentioned liability, revocation and biometric issues without investigating them in detail. This led to the following conclusions of Myhr that: 

• it could be useful to have the same type of reversed burden of proof for issuers of eID in all Member States, akin to the existing rule for certification service providers (article 6.1 e-Signature Directive) 

• one could facilitate an enhanced revocation service, via a central European revocation point for the revocation of (all) pan European eIDs 

• it should currently not be possible to use the eID as the only “seed document” to apply for a new eID from another issuer, because this would raise additional issues in regard to chain-revocation of eIDs. 

• a better way to ensure that the declared holder of the eID is the user of it, could be achieved by adding biometrics. 

Interoperability

Myhr also raised the question how one could stimulate the eID market to take open industry standards into use? His main finding is that neither the EU nor the Member States can force the market actors to apply such standards, unless these actors deem it beneficial from a commercial point of view. 

Although Myhr describes several “interoperability schemes” to implement interoperability in the eID domain, he believes only one of them is realistic: the authority should have an agreement with one trusted intermediary party, and the intermediary should in its turn have agreements with all certification service providers issuing pan European eIDs.

Porvoo / Myhr’s Suggestions

Myhr’s study has been accepted at the seminar which took place in Brussels in October 2005, after having discussed the comments the group received.

One of the resolutions of the seminar is that the study will be included (as is) in the Porvoo eID requirements.

Their main suggestions in regard to a framework for entity authentication and a pan European eID, are: 

• to use the e-Signature Directive as far as possible, 

• to promote the development and take up of standards for entity authentication, to support the use of eID, and

• to conduct legal research to evaluate what the possibilities and limits are of using the existing regulation on passports as a building brick for a legal framework for a pan European eID.  

The regulation on passports will take effect in all the EU Member States, which is a non-negligible asset, given the limitations of article 18.3 of the EC Treaty.

Problematic though, is that trust requirements of passport rules require that the eIDs are issued by a public entity, which could hamper the emerging of a market driven solution in the Member States. 

Conclusion

Myhr concluded that many of the issues he raised are already regulated by the Member States, via legislation for the handling of visual IDs, or explicitly for the handling of eIDs. Given the limitations of article 18.3 EC Treaty, he admits that it might be difficult to find a common understanding on (legal) requirements for a pan European eID.

The Porvoo Group probably made the same consideration, but unfortunately decided to not conduct further legal research within the group.

In this context one could make the general remark that, even if Europe would be politically ready for additional regulation in the field of electronic authentication, it would be strongly advisable to first conduct sufficient research on the topic, to have a clear view on: 

• what regulation exists about visual and electronic ID documents in the EU Member States and which “common umbrella” can be found in these regulations, 

• what the remaining issues are, and how they can be solved, 

• which the limits are for EU regulation and/if the issues can be solved without regulation (e.g. via standardisation). 

The Myhr study is a very valuable starting point for research in this domain.