- Количество слайдов: 19
International Experiences With Electronic IDs Bill Nagel Analyst Forrester Research May 7, 2009
Electronic IDs are a key element of secure and accessible service delivery in the 21 st century 2 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Agenda • Problems of security and service delivery that e. IDs solve, create, and expose • Principal forms of e. ID • Service delivery using e. ID to authenticate identity • Issues arising around e. ID implementation • Results of some existing e. ID programs and lessons learned • Different worlds, different routes to success 3 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Electronic identity, security, service delivery • Preventing identity fraud • Delivering government and commercial services to citizens – Disconnect between the needs and behaviors of people as citizens and as consumers – Disconnect between the desire to protect citizen privacy but offer them a range of commercial options • Privacy and civil liberties concerns – Linked databases • The combination of technology and compulsory identification raises significant emotional issues 4 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Electronic ID technologies • Security is based on PKI certificates – Authenticity, integrity, confidentiality, non-repudiation – Important to use standards-compliant encryption algorithms • Primary means of delivering e. IDs – ISO 7816 plastic cards with integrated circuit chips • Contact or contactless – Wireless PKI: certificates reside on the SIM card of a mobile phone or in the phone OS 5 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Enhanced G 2 C service delivery • Delivery/signature of government documents • Health care – Access to medical records, filling prescriptions • Social security, pension • Voting • Tax declarations (VAT, annual return) • Other government payments (G 2 C, C 2 G) • School or work ID • Child safety, student benefits • Public transport 6 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Enhanced B 2 C and P 2 P service delivery • e. Banking and m. Banking • e. Commerce and m. Commerce • Peer-to-peer payments • Secure email • e. Signatures (contracts etc. ) • Age-proofing • Ticketing 7 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Development impact of e. ID • Improved quality of service delivery – Freedom from onerous identity verification processes allows more resources for service delivery – Greater automation improves speed • Improved stance regarding corruption – Reduced opportunity for identity fraud shifts the corruption landscape to the “endpoints” – Exposure in countries with historical documentation challenges – Principal remaining threats • ID proofing and credential issuance 8 • Social engineering (credential bypass) Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Concerns about e. ID: General • Tendency to focus on the technology • The technology problem is largely solved — implementing an effective e. ID program is fundamentally a process problem • Primary success factors: ease of use and frequency of use – Security technology is worthless unless easy to use – Service delivery methods that can’t be used frequently have a far higher cost: benefit ratio 9 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Concerns about e. ID: Privacy • All countries use some form of unique general identifier – “Meaningful” or “meaningless” (MBUN) • Government-controlled, non-siloed databases of PII raise civil liberties concerns in some regions – “Match on card” has limited applicability • Private-sector use of public-sector issued identifiers – Easier to link data without permission – A privacy risk many governments won’t take on – Cross-correlation of identity information – AT solution harder, more costly, doesn’t scale well 10 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Concerns about e. ID: Interoperability • Lack of ICAO-like consensus on identity attributes, credentials, authentication mechanisms – Practical restrictions and policy preferences have won out over objective, universal criteria • Public sector identifiers useful for internal country use, but are limited in the international context • Cross-border applications are quite important, but: – Foreign govts ultimately won’t be able to verify (thus trust) the authenticity of the identity information – Private sector identifiers improve interoperability but take control out of public sector hands 11 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Belgium • Began 2003, complete (>8 m) early 2009 • Basic personal info + certificates • Linked to the national register; cert contains UIN • National, regional, local public sector applications – National register, health care, tax filing • Private sector can adopt the government mechanism gratis – Little uptake; few commercial applications to date aside from a few e. Banking initiatives 12 12 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Estonia • Began 2001, >1 million issued • 80% filed e. Tax in 2006 (2001: 9%) • Public services: e. Voting, Tallinn public transport • Any organization can “e. ID-enable” its service, handle customers online • Few Estonians actually using the cards (ca. 55 k) • Little reason to switch to e. ID 13 13 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Austria • No single, universal identity token – Any smart card or other PKI-capable token meeting minimum reqts – Token can be issued by the public or private sector: every bank card issued since 2005, every health insurance card, any mobile phone • More flexible than relying solely on govt-issued card • No increased use of citizen e. IDs for commerce – 55 k of 6. 5 m bank cards in use activated as citizen IDs; 13 k of the 9 m health insurance cards 14 14 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Spain • Began 2006, expected 8 m by end 2008 • 300 e. Government apps • 13 public and private CAs • Biometric data: ID photo + 2 fingerprint scans • Success in attracting the private sector? Too early to tell – Banks must accept e. ID on the same footing as bank cards + for electronically signing banking operations – Some other parts of the private sector must accept the e. ID – Some banks adapting, but e. ID will coexist with bank cards rather than replacing them 15 15 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
What’s the common thread? • Make government service delivery more efficient • Enable the private sector to lower its security- and identity-related costs • Allow citizens to use a single credential for a number of valuable services • An almost complete lack of commercial applications exploiting the existence of the e. ID • We have to turn to a 5 th country: 16 16 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Sweden: an encouraging counterpoint? • Centralized PKI in place for use of all banks, cooperatively owned/operated • Bank. ID in place for 5 years, covers 5. 6 m citizens (1. 5 m active) • Early 2000 s: Govt. decided to use Internet to improve G 2 C access – Considered implementing its own PKI – Asked banks to supply Bank. IDs that could also be used on govt. sites (hard work already done) – Now one of more than 300 parties using the Bank. ID PKI • e. ID-based e. Government services available since 2004 – Much higher usage despite lack of legislative e. ID requirement – 1. 5 m adults voluntarily added e. ID functionality to Bank. IDs; >2. 5 transactions per e. ID holder per month 17 Entire contents © 2009 Forrester Research, Inc. All rights reserved. 17
e. ID can find success in different worlds • The European experience is that of rich, “wired” societies. . . • . . . But e. ID can be just as important (if not more so) to other countries – Mobile is changing the game (“leapfrog” countries) – Enhances service delivery to more remote areas – Service delivery to all, regardless of material condition • Better banking and (micro)lending services • Improved access to the ballot box • More access to govt services => improved public participation 18 Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Thank you Bill Nagel +31 (0) 20 305 4381 [email protected] com www. forrester. com 19 Entire contents © 2009 Forrester Research, Inc. All rights reserved.