It was quite well-attended (there must have been more than 40 people there) and while there were a few familiar faces, I enjoyed the opportunity to listen to some new (to me) perspectives. One of the points made at the beginning was, I think, key not only at the international level but at the national level too. It was that the focus should be on interoperability rather than harmonisation. There is no need for everyone to use the same identity management scheme, identity cards, identifiers and all the rest of it. Hence one of the ways forward is to imagine a set of technology-neutral national gateways and interconnect through those gateways.
In the afternoon I went into the breakout to discuss mobile e-identity, which I’m becoming increasingly enthusiastic about. The reasoning is that in order to make some form of electronic identity useful to citizens, it has to do some interesting things. But a card can’t do any interesting things, whereas mobile phones can and — and I think this is central to the discussion looking forward two or three years — what’s the point in issuing another smart card when the entire population has a mobile phone already?
Three case studies were presented: Spain, Belgium and Estonia.
Miguel Alvarez Rodriguez presented a case study from Spain on the PKI platform for electronic identity and digital signature services. Spain had digital signature laws in place fairly early on, and quite a few CAs popped up. But the interconnection of CAs, relying parties and individuals was so complex that no working infrastructure grew up. Then along came the ID card. The Spanish smart ID card (which is run by the police, essentially) has two digital certificates on board, one for authentication and one for signing. The roll-out began in March 2006 and so far more than three million people have obtained the smart cards. There are also two million digital certificates issued to both individuals and businesses, although usage is still quite low. The Ministry of Public Administration has set up a multi-PKI Validation Platform (MPVP) that provides free services for e-government applications that use either the ID card certificates or the other certificates: in particular, it provides verification of digital signatures. There’s apparently an e-government law in Spain that says that by 2010, citizens should be able to access all public services online and this is quite a driver for the MPVP. It did sound to me as if the MPVP might be something of a weak link in the national infrastructure but, of course, I was too polite to say this. Anyway, there are 150 e-government applications online and there have been six million verifications to date. The first private sector applications (using the combination of the ID card and the MPVP) are now emerging and apparently one bank now allows citizens to use their ID card in the bank’s ATMs.
Jonathan Soldati presented a case study from Belgium on accessing personal data in a national identity register. The Ministry of Home Affairs has developed an application called “My File” which allows citizens to access their personal data stored in the Belgian National Register over the Internet using their PCs with attached smart card readers. Interestingly, it also allows citizens to see who has accessed their data for the last six months. One of the important lessons was that providing a mechanism for citizens to correct data increased trust in the system overall. Now, I’m against storing any data in this kind of national register, but if you are going to do it, then delivering transparency by providing for citizens to manage that data themselves (albeit in a limited way) is critical in obtaining public acceptance, which is why I’m sure the Home Office and their management consultants have developed a similar system in the U.K. In Belgium, about 80,000 people per month access their register entry online through this service.
Forum friend Tarvi Martens presented a case study from Estonia on population-scale identity cards. This had been updated from the original case study that Tarvi kindly contributed to both the Digital Identity Forum and Digital Identity Management. The first card was issued back in 2002 and by October 2006 there were a million cards in circulation. Estonia has been an interesting case study for a while, and the trajectory of their scheme delivers a number of useful lessons. Unusually amongst ID cards, the principal use of the Estonian card is as a transit card in Tallinn (120,000 people every day use their card for this) and as a travel document. The big change since I spoke to Tarvi last time is that the largest GSM operator (EMT) began adding the national PKI application to SIM cards back in March 2007. Usage is still low, as there’s a lot of customer education to do, but it may be that the mobile eID is the way forward. I have to say there’s a lot in their approach: as Ian Grigg noted:
In other words, Estonia issued a zero-application smart card, and banks can use the basic tools as well as your local public transport system. [From Financial Cryptography: Rights Archives]
Tarvi showed us the statistics for December 2007: there were 100,000 public sector transactions and a million private sector transactions (in a country of 1.3 million people). The barriers to greater usage included the usual (the need for a smart reader and the right software) but one is specific to Scandinavia and the Baltics. This is that there is a tradition of using bank-issued passwords for access to online services.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public