IV. NATIONAL DIGITAL IDENTITY IMPLEMENTATIONS
In recent years there have been multiple attempts worldwide to create a national digital identity for citizens, sometimes expanding to inter-state agreements and continental recognition such as the eID. The majority of these attempts incorporated the PKI and blockchain ecosystem and tried to strengthen security with interviews (Estonia) or biometric data. PKI in e-Gov is not a new idea, being present since 2000 [16], facilitating social security and economic growth. However, even the latest implementations acknowledge the shortcomings of the PKI. For example, the UAE digital ID project was started on such an infrastructure, and even after its release and years of research the vulnerabilities presented in Section II still persist [32], with the focus being on a lack of business value, business requirements and business integration issues alongside "much confusion about the full scope of this project" [5]. The risk in such systems may also explain the decline in rapid adoption of digital identity solutions that started out 'promising', like the EU Nordic common eID project [33], started in 2015 with a set timeline that had still not been continued as of 2023. But these failures did not stop other countries from fully embracing forms of digital identity, and the benefits of such adoptions have been studied more in recent years ([61], [59], [65]) to determine the financial impact. Switzerland represents a specific case, where the eID project started in 2020 was discontinued because of a referendum in which citizens were more afraid for their private information in the digital world. Controlled by the state but provided mainly by private companies, the project is being redesigned to be more user-centered (self-sovereign identity) and to be adopted from 2023 onward. Moreover, this showed that not all countries are ready to be eIDAS compliant within Europe, with Switzerland opting for the Swiss Federal Law on Electronic Signatures.
Here we present some cases of national electronic IDs from around the world.
A. India
The Indian digital ID scheme, 'Aadhaar' [62], was first introduced in 2010 and has been linked to almost all states within the country [12]. The project aims to provide a single, unique identifier that captures all the demographic and biometric details of every resident of India and is close to issuing Aadhaar digital ID cards at the same time as birth certificates. Even though the system tried to get past the risks and problems of the PKI, the biometric implementation of Aadhaar raised privacy concerns from the start and is regarded as a failure in the citizen-government relationship [25]. This example shows that implementing a biometric ID scheme can be very delicate and comes with risks of its own that may offset the benefits, reported in 2018 at almost 10 million euros [54]. In this type of ID scheme the privacy and integrity of the data are critical, and the Indian system showed a weakness here in the leakage of critical information [57]. Aadhaar is the world's largest biometric identity database, so it is vital that the privacy of individuals is not breached and that the data is used only for the purpose for which it has been approved. Even after years of use, the problems and skepticism persist [3], with a strong emphasis on availing welfare benefits, governmentalism, authentication without consent and dependency on connectivity. This proved that a pure biometric system is not viable for a national digital identity and that relying on hardware security is fragile.
B. Canada
In contrast to Aadhaar, Canada took a different strategy in adopting a general digital identity scheme. Unlike countries where a single centralized government agency assumes the role of identity authority, Canada decided that no single federal government organization can provide digital identity for all persons within the jurisdiction; instead there are 14 different "roots of identity" [4] through which persons can establish who they are. In the paper "Building Trust: Lessons from Canada's Approach to digital identity", the Canadian approach is described as being bold in terms of making friendly overtures to technological implementations of the latest development in solutions, self-sovereign identity, where there might be no need for Web PKI but rather for a more decentralized infrastructure. While self-sovereign identity has not been taken seriously by many other governments, two standards are being considered as components: Verifiable Credentials and Decentralized Identifiers. The scheme for the national Canadian ID is seen as an improvement for the public and private sectors and has well-defined principles such as No Centralized Authority, Secured Blinded Infrastructure, Decentralized, Secured, and Private Data Architecture, Privacy and Controls and Book Keeping, Audit, and Billing [11]. The development of a modern digital ID system is accelerated by use cases on the financial side, like open banking, with an estimated profit of 3 billion euros [41] in its first year. Attempts to create such a system have already been made in the country with the Verified.me application by SecureKey Technologies Inc, which is set to expand its use to multiple public/private institutions [15]. This slow development led certain states within Canada to implement their own digital identity, one example being the British Columbia Wallet [63], an idea whose requirements were formulated as early as 2007.
The BCeID Wallet is described as "a single credential (username/password), issued in person at a government Point of Service location, to be used across a range of online services" [44]. This aimed to solve the stalemate situation and "a mess that the government did not want to experience" [63]. However, this individual development of an identity system creates a gap between the national movement toward eID and regional developments. The BCeID cannot be used outside the British Columbia state and, in the latest version, the accounts have an associated type (Business, Personal, Basic) to be used depending on the institution and the criticality of the information provided.
C. Germany
Germany had one of the first [49] officially declared eID schemes for eIDAS, following the user-centric model. It is based on the German national identity card and electronic residence permit. Due to the use of Extended Access Control (EAC), each SP requires an authorization certificate and either its own eID server or a corresponding eID service. To obtain such an authorization certificate, SPs usually need to apply first, which includes a substantial service fee. Public bodies are excluded from this rule, since every municipality is required by law to provide its services online. To make things more complicated, every federal state can have its own digital identity system, leading to a rather complex, mostly SAML-based federation. To this end, multiple experimental projects have been proposed [60], such as OPTIMOS 2.0, which provides the ecosystem for the mobile eID, while the project Digital Identities tries to optimize the app. The mobile app AusweisApp2 can be used as long as the smartphone is equipped with near-field communication (NFC) capabilities and runs on either iOS or Android [52]. In the end, after the experiments, German citizens are able to securely store their national ID on a SIM card in their smartphone, and the mobile eID can be used to open a bank account and to use eGovernment services and other online services. As such, the need for a card reader or a physical card to identify and authenticate citizens online was removed [1]. However, one problem identified within the country was the very low usage of the eID in transactions and interactions, even with a high adoption rate among the population [42], some inhibitors being other identification and authentication methods and the involvement of the private sector. One important use will no longer be possible with the new ID card because the holder can no longer be forced to deposit the ID card or give up custody of it.
With the new card containing both the electronic proof of identity and a private cryptographic key for the generation of qualified electronic signatures, its sole ownership is indispensable to security. Thus, to prevent abuse, "it is no longer allowed to demand the ID card to be handed over at the front desk or gate of a building or used as a deposit when borrowing an object" [35].
D. Estonia
The Estonian digital identity scheme is one of the few that distances itself from the original PKI infrastructure. It uses the Keyless Signatures Infrastructure (KSI), a globally distributed system for providing time-stamping and server-supported digital signature services that has a different architecture from PKI, incorporating an Aggregation Network, Core Cluster and Gateway [20]. Started as a project for electronic access to healthcare and residency systems, the case expanded to a full digital ID infrastructure, with the main reasons being to implement the Digital Signature Act and to provide means of digital signing for Estonian residents [45]. Since its introduction, the Estonian eID scheme has been praised ([9], [34]) for its adoption rate within both private and public sectors, but Estonia's digital success is not about other "digital offerings such as digital democracy, citizen engagement, or digitally transforming public services such as the welfare state" [39], and the disconnect between technological infrastructure and degree of digital penetration, alongside the small size of the population (and of the data), is often overlooked. From the policymaker perspective there are also identified challenges related to issues like implementation, (national) legislation, interpretation, compliance and communication. A crucial eIDAS implementation barrier is the lack of an EU common identifier, and Estonia's scheme seems to move even further away from it [43]. Estonia is one of the first countries that enabled e-voting with the help of the digital ID [30], with data stored in a decentralized fashion in over 360 databases in which all information from local hosts is linked through a specific infrastructure, X-Road, which, however, presents a single point of failure that could stop the whole eGov data transfer. At the same time, Estonia decided to put a commercial entity in control of its critical infrastructure, with few opportunities for change in the system.
Moreover, the custom blockchain used is patented, without any open-source material, and can manifest hidden vulnerabilities like the crisis from 2017 [51] in which almost all cards (800,000) were affected.
E. Peru
The National Electronic ID Card (DNIe) of Peru, issued by the National Registry of Identification and Civil Status (RENIEC), was recognized as the top ID card in Latin America at the 2015 High Security Printing Latin American Conference held in Lima. RENIEC, functioning autonomously and responsible for civil registration, identification, and digital signatures, has distributed 30 million eIDs, covering nearly the entire population of the country. The DNIe grants Peruvian citizens a digital identity that can be verified both physically and virtually. It incorporates two digital certificates, enabling the cardholder to electronically sign documents with the same legal weight as a handwritten signature. Peru's eID adheres to the ISO/IEC-7816 standard, and its biometrics system aligns with ISO/IEC 19794 [31]. It implements the cryptographic methods and X.509 digital certificates defined by the Public Key Infrastructure (PKI) and comes with its known risks. First introduced in 2013, the specifications are being analyzed for a new form in terms of the card, hardware (subdivided into the antenna, chip, and memory), and software (subdivided into the operating system, applications, middleware, and complements) [53]. Similar to the Indian scheme, Peru's digital ID can be used for biometric identification, but in this case it is not a requirement and is not used at large, and even though the adoption rate among the population is almost 99%, there is still a lack of remote access to the e-ID [29]. The analysis also presents possible risks for the future of the Peruvian digital card, such as making ID enrollment a prerequisite in areas with low coverage.
F. Italy
Italy presents an interesting case in that it currently has 2 different digital identification systems online. SPID (Public Digital Identity System) is an identity management framework launched in 2016 that facilitates access to public administration online services through a once-only digital identity (user & password) generated by private Identity Providers. This is an example of a classic centralized PKI system that comes with the problems and risks presented in previous chapters, alongside being launched by private Identity Providers. Even before its public introduction, the scheme used by SPID was criticized for information leakage about customers of identity providers [19] and for not relying on the Italian public system [18], creating a complex ecosystem. The CIE (Electronic Identity Card) is a system launched in late 2016 by the government and managed by the Italian Ministry of Interior, the institution that represents the only Certificate Authority in the infrastructure. It has Single Sign-On features and has been updated to support NFC in accordance with eIDAS. Being launched after SPID, the CIE is less used in public institutions, and this competition led the government to start a merging process between the 2 systems.
V. CONCLUSION
No mass deployment exists, more than 53 years after the discovery of the possibility of public key encryption [27]. PKI still presents problems and risks in complexity, legal framework, lack of investment and social awareness. These issues should not shadow the importance of the infrastructure providing authentication, encryption, and digital signatures, ensuring secure communication, data integrity, and trust in online transactions. During these decades, the infrastructure evolved with different perspectives trying to change its design from a centralized view to a decentralized one. Even so, improvements are still being developed and studied [36] to cover as many vulnerabilities as possible, especially in the context of using PKI in national digital identity systems. These programs can unlock as much as 6% of GDP in certain countries [65], with Europe trying to achieve full digital coverage by 2030. Unfortunately, developing such critical infrastructure is prone to mistakes in different maturity levels [10]. We created an overview of eID projects in different parts of the world I and listed mistakes to avoid in implementing digital identity in the future path of the EU.
REFERENCES
[1] Overview of the german identity card project and lessons learned, 2020.
[2] Pacing europe’s progress towards the digital decade targets: Jrc reports help to shape our way forward, 2023.
[3] K Abhijeet. Decrypting aadhaar. 2021.
[4] Sunil Abraham. Building trust: Lessons from canada’s approach to digital identity. ORF Issue Brief No. 367, Observer Research Foundation, 2020.
[5] Ali M Al-Khouri. Pki in government digital identity management systems. European Journal of ePractice, 4(4), 2012.
[6] Gergely Alpár and Bart Jacobs. Towards practical attribute-based identity management: The irma trajectory. In Policies and Research in Identity Management: Third IFIP WG 11.6 Working Conference, IDMAN 2013, London, UK, April 8-9, 2013. Proceedings 3, pages 1–3. Springer, 2013.
[7] Gergely Alpár and BPF Jacobs. Credential design in attribute-based identity management. 2013.
[8] Gergely Alpár, Fabian Van Den Broek, Brinda Hampiholi, Bart Jacobs, Wouter Lueks, and Sietse Ringers. Irma: practical, decentralized and privacy-friendly identity management using smartphones. In 10th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2017), pages 1–2, 2017.
[9] Gary Anthes. Estonia: a model for e-government. Communications of the ACM, 58(6):18–20, 2015.
[10] Siddhartha Arora. National e-id card schemes: A european overview. Information Security Technical Report, 13(2):46–53, 2008.
[11] Canadian Bankers Association et al. Canada’s digital id future-a federated approach. Canadian Bankers Association, Tech. Rep, 2018.
[12] Shweta Banerjee. Aadhaar: Digital inclusion and public services in india. World Development Report, pages 81–92, 2016.
[13] Matt Blaze, Joan Feigenbaum, John Ioannidis, and Angelos Keromytis. The keynote trust-management system version 2. Technical report, 1999.
[14] Dan Boneh et al. Twenty years of attacks on the rsa cryptosystem. Notices of the AMS, 46(2):203–213, 1999.
[15] Andre Boysen. Decentralized, self-sovereign, consortium: The future of digital identity in canada. Frontiers in Blockchain, page 11, 2021.
[16] Stefan Brands. Rethinking public key infrastructures and digital certificates: building in privacy. MIT Press, 2000.
[17] Garrison Breckenridge. A brief history of digital identity, June 2018.
[18] Francesco Buccafurri, Lidia Fotia, and Gianluca Lax. Implementing advanced electronic signature by public digital identity system (spid). In Electronic Government and the Information Systems Perspective: 5th International Conference, EGOVIS 2016, Porto, Portugal, September 5-8, 2016, Proceedings 5, pages 289–303. Springer, 2016.
[19] Francesco Buccafurri, Lidia Fotia, Gianluca Lax, and Rocco Mammoliti. Enhancing public digital identity system (spid) to prevent information leakage. In Electronic Government and the Information Systems Perspective: 4th International Conference, EGOVIS 2015, Valencia, Spain, September 1–3, 2015, Proceedings 4, pages 57–70. Springer, 2015.
[20] Ahto Buldas, Andres Kroonmaa, and Risto Laanoja. Keyless signatures’ infrastructure: How to build global distributed hash-trees. In Nordic Conference on Secure IT Systems, pages 313–320. Springer, 2013.
[21] Bruce Schneier Carl Ellison. Ten risks of pki: What you’re not being told about public key infrastructure. Computer Security Journal, 16(1):1–7, 2000.
[22] THE EUROPEAN COMMISSION. Commission recommendation (eu) on a common union toolbox for a coordinated approach towards a european digital identity framework. Official Journal of the European Union, June 2021.
[23] Ivar Derksen, Bart Jacobs, Hanna Schraffenberger, and Timen Olthof. Backup and Recovery of IRMA Credentials. PhD thesis, Master’s thesis, Radboud University Nijmegen, 2019.
[24] Whitfield Diffie and Martin E Hellman. New directions in cryptography. In Democratizing Cryptography: The Work of Whitfield Diffie and Martin Hellman, pages 365–390. 2022.
[25] Pam Dixon. A failure to “do no harm”–india’s aadhaar biometric id program and its inability to protect privacy in relation to measures in europe and the us. Health and technology, 7(4):539–567, 2017.
[26] William Echikson. Europe’s digital identification opportunity, 2020.
[27] James H Ellis. The possibility of secure non-secret digital encryption. UK Communications Electronics Security Group, 8, 1970.
[28] Matthew Henry Fredette. An implementation of SDSI: the simple distributed security infrastructure. PhD thesis, Massachusetts Institute of Technology, 1997.
[29] Alan Gelb and Anna Diofasi Metz. Identification revolution: Can digital ID be harnessed for development? Brookings Institution Press, 2018.
[30] Miguel Goede. E-estonia: The e-government cases of estonia, singapore, and curacao. Archives of Business Research, 7(2), 2019.
[31] Paul A Grassi, Michael E Garcia, and James L Fenton. Draft nist special publication 800-63-3 digital identity guidelines. World Bank, 2017.
[32] Eman Hableel, Young-Ji Byon, and Joonsang Beak. Public key infrastructure for uae: A case study. In Proceedings of the 6th international conference on security of information and networks, pages 336–340, 2013.
[33] Kjell Hansteen, Jon Ølnes, and Tor Alvik. Nordic digital identification (eID). Nordic Council of Ministers, 2016.
[34] Nathan Heller. Estonia, the digital republic. The New Yorker, 18, 2017.
[35] Gerrit Hornung and Alexander Roßnagel. An id card for the internet–the new german id card with “electronic proof of identity”. Computer Law & Security Review, 26(2):151–157, 2010.
[36] Russ Housley and Karen O’Donoghue. Improving the Public Key Infrastructure (PKI) for the World Wide Web. Internet-Draft draft-iabweb-pki-problems-05, Internet Engineering Task Force, October 2016. Work in Progress.
[37] Sanja Ivic and David Ramiro Troitino. Digital sovereignty and identity in the european union: A challenge for building europe. European Studies, 9(2):80–109, 2022.
[38] Gunther Pernul Javier Lopez, Rolf Oppliger. Why have public key infrastructures failed so far? Internet Research, 15(5):544–556, 2005.
[39] Rainer Kattel and Ines Mergel. Estonia’s digital transformation: Mission mystique and the hiding hand, 2019.
[40] Dmitry Khovratovich and Jason Law. Sovrin: digital identities in the blockchain era. Github Commit by jasonalaw October, 17:38–99, 2017.
[41] Thorsten V Koeppl and Jeremy Kronick. Open banking in canada–the path to implementation. CD Howe Institute Commentary, 579, 2020.
[42] Philipp Liesbrock. The giant is lagging behind how the german electronic id fails to reap its potential. Degree project at the master’s level, Stockholm University, November 2022.
[43] Silvia Lips, Nitesh Bharosa, and Dirk Draheim. eidas implementation challenges: the case of estonia and the netherlands. In International conference on electronic governance and open society: challenges in Eurasia, pages 75–89. Springer, 2020.
[44] Vance Michael Lockton. e-government and identity management in british columbia: implementation of the bceid. 2009.
[45] Tarvi Martens. Electronic identity management in estonia between market and state governance. Identity in the Information Society, 3(1):213–233, 2010.
[46] Andrew Maywah, L. Rivest, and J. Maywah. An implementation of a secure web client using spki/sdsi certificates. 07 2000.
[47] Alexander Morcos. A java implementation of simple distributed security infrastructure. PhD thesis, Massachusetts Institute of Technology, 1998.
[48] Jelle C Nauta and Rieks Joosten. Self-sovereign identity: A comparison of irma and sovrin. Technical Report TNO2019R11011, Tech. Rep, 2019.
[49] Torsten Noack and Herbert Kubicek. The introduction of online authentication as part of the new electronic national identity card in germany. Identity in the Information Society, 3:87–110, 2010.
[50] Om Pal, Bashir Alam, Vinay Thakur, and Surendra Singh. Key management for blockchain technology. ICT express, 7(1):76–80, 2021.
[51] Arnis Parsovs. Solving the estonian id card crisis: The legal issues. In ISCRAM 2020 Conference Proceedings-17th International Conference on Information Systems for Crisis Response and Management, pages 459–471, 2020.
[52] Daniela Pöhn, Michael Grabatin, and Wolfgang Hommel. eid and self-sovereign identity usage: an overview. Electronics, 10(22):2811, 2021.
[53] Erik Papa Quiroz, Alvaro Cuno, Edgar Sarmiento, and Ever Cruzado. Requirements for a new peruvian electronic identity card. In 2020 IEEE XXVII International Conference on Electronics, Electrical Engineering and Computing (INTERCON), pages 1–4. IEEE, 2020.
[54] Ursula Rao and Vijayanka Nair. Aadhaar: governing with biometrics, 2019.
[55] Drummond Reed, Jason Law, and Daniel Hardman. The technical foundations of sovrin. The Technical Foundations of Sovrin, 2016.
[56] Ronald Rivest and Butler Lampson. Sdsi – a simple distributed security infrastructure. See the SDSI web page at http://theory.lcs.mit.edu/ cis/sdsi.html, 08 1996.
[57] Srijoni Sen. A decade of aadhaar: Lessons in implementing a foundational id system. ORF Issue Brief No, 292, 2019.
[58] Digital Welfare State and Human Rights Project. Paving a Digital Road to Hell? A Primer on the Role of the World Bank and Global Networks in Promoting Digital ID. Center for Human Rights and Global Justice, June 2022.
[59] Clare Sullivan and Eric Burger. Blockchain, digital identity, egovernment. Business Transformation through Blockchain: Volume II, pages 233–258, 2019.
[60] Digital Technologies. Showcase programme “secure digital identities”, 2023.
[61] Allan Third, Kevin Quick, M Bachler, and John Domingue. Government services and digital identity. Knowledge Media Institute of the Open University, 2018.
[62] Amit Kumar Tyagi, Terrance Frederick Fernandez, and SU Aswathy. Blockchain and aadhaar based electronic voting system. In 2020 4th International Conference on Electronics, Communication and Aerospace Technology (ICECA), pages 498–504. IEEE, 2020.
[63] Peter Watkins. Trust and identity management. 2007.
[64] Dan Wendlandt and Adrian Perrig. Perspectives: Improving SSH-style host authentication with Multi-Path probing. In 2008 USENIX Annual Technical Conference (USENIX ATC 08), 2008.
[65] Olivia White, Anu Madgavkar, James Manyika, Deepa Mahajan, Jacques Bughin, Michael McCarthy, and Owen Sperling. Digital identification: A key to inclusive growth. McKinsey Global Institute, April 2019.
[66] Phillip Windley. How sovrin works. Sovrin Foundation, pages 1–10, 2016.
[67] Phillip J Windley. Sovrin: An identity metasystem for self-sovereign identity. Frontiers in Blockchain, 4:626726, 2021.
Authors:
(1) Adrian-Tudor Dumitrescu, Delft University of Technology, Delft, The Netherlands;
(2) Johan Pouwelse (thesis supervisor), Delft University of Technology, Delft, The Netherlands.