Identity Assurance in the UK: technical implementation and legal implications under the eIDAS Regulation

Niko Tsakalakis, Sophie Stalla-Bourdillon, Kieron O'Hara

Abstract


Gov.UK Verify, the new Electronic Identity Management

(eIDM) system of the UK Government, has been promoted

as a state-of-the-art privacy-preserving system, tailored to

meet the requirements of UK citizens and is the first eIDM

in which the government delegates the provision of identity

to competing third parties. According to the recently

enacted EU eIDAS Regulation, Member States can allow

their citizens to transact with foreign services by notifying

their national eID scheme. Once a scheme is notified, all

other Member States are obligated to incorporate it into

their electronic identication procedures. This article examines

Gov.UK Verify's compliance with the requirements set

forth by the Regulation and the impact on privacy and data

protection. It then explores potential interoperability issues

with other national eID schemes, using the German nPA,

an eIDM based on national identity cards, as a reference

point. It concludes with a general overview of legal equivalence

of third country legal frameworks compared with that

of eIDAS. The article contributes to relevant literature of

privacy-preserving eID management by offering policy and

technical recommendations for compliance with the new Regulation

and an evaluation of interoperability under eIDAS

between systems of different architecture. It is also, to our

knowledge, the first exploration of the future of eID management

in the UK after a potential exit from the European

Union.


Full Text:

PREPRINT

References


Article 29 Data Protection Working Party. Opinion 15/2011 on the definition of consent. WP187. 2011.

P. Beynon-Davies. The uk national identity card. Journal of Information Technology Teaching Cases, 1(1):12–21, 2011.

Bitkom. Position paper on the proposal for an eu regulation on electronic identification and trust services for electronic transactions in the internal market. 2013. Available at: https://ameliaandersdotter. eu/sites/default/files/wp-content/uploads/2013/04/ 20130408-BITKOM-Position-on-eID-regulation1.pdf?language= en [Accessed: 14 June 2015].

L. Brandão, N. Christin, G. Danezis, and Anonymous. Toward mending two nation-scale brokered identification systems. Proceedings on Privacy Enhancing Technologies, 2015(2), 2015.

BSI. Technical guideline tr-03110-1 advanced security mechanisms for machine readable travel documents part 1 v 2.20. 2015. Available at: https://www.bsi.bund.de/EN/Publications/ TechnicalGuidelines/TR03110/BSITR03110.html [Accessed: 15 October 2015].

BSI. Technical guideline tr-03127 architecture electronic identity card and electronic resident permit. 2011. Available at: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ Publications/TechGuidelines/TR03127/BSI-TR-03127_en.pdf?

blob=publicationFile [Accessed: 15 October 2015].

H. Burkert. Balancing informational power by informational power or Rereading Montesquieu in the internet age. Cambridge University Press, 2012.

C. Burton, L. De Boel, C. Kuner, A. Pateraki, S. Cadiot, and S. G. Hoffman. The final european union general data protection regulation. BNA Privacy & Security Law Report, 15:153, 2016.

Cabinet Office. Good practice guide no. 45 identity proofing and verification of an individual. 2014. Available at: https://www.gov. uk/government/uploads/system/uploads/attachment_data/file/ 370033/GPG_45_identity_proofing_v2_3_July_2014.pdf [Accessed: 8 August 2015].

Cabinet Office. Identity assurance hub service saml 2.0 profile v1.1a. 2013. Available at: https://www.gov.uk/government/publications/ identity-assurance-hub-service-saml-20-profile [Accessed: 3 September 2015].

A. Cavoukian. 7 laws of identity: The case for privacy-embedded laws of identity. 2006. Available at: https://www.gradbook.soton.ac.uk/?link=registration.php [Accessed: 14 July 2015].

T. Chatfield. Digital government review. 2014. Available at: http:// digitalgovernmentreview.readandcomment.com/ [Accessed: 15 June 2015].

J. Crosby. Challenges and opportunities in Identity Assurance. 06 May 2008. Available at: http://www.statewatch.org/news/2008/ mar/uk-nat-identity-crosby-report.pdf [Accessed: 20 June 2015].

C. Cuijpers and J. Schroers. eIDAS as guideline for the development of a pan European eID framework in FutureID. Open Identity Summit, 2014(237):23–38, 2014.

J. Dumortier and N. G. Vandezande. Critical observations on the pro- posed eu regulation for electronic identification and trust services for electronic transactions in the internal market. ICRI Research Paper 9. 2012. Available at SSRN: http://ssrn.com/abstract=2152583 [Ac- cessed: 5 July 20154].

N. Duncan and T. Hutchinson. Defining and describing what we do: Doctrinal legal research. Deakin Law Review, 17(1):83–119, 2012.

eIDAS Technical Subgroup. eidas technical specifications v0.90. 2015. Available at: https://joinup.ec.europa.eu/software/cefeid/ document/eidas-technical-specifications-v090 [Accessed: 7 November 2015].

A. Fiat and A. Shamir. How To Prove Yourself: Practical Solutions to Identification and Signature Problems, volume 263 of Lecture Notes in Computer Science, book section 12, pages 186–194. Springer Berlin Heidelberg, 1987.

E. Hannesson. Implementation of internal market legislation relevant to the information society: A snapshot of the current regime in the efta-eea states. Journal of International Commercial Law and Technology, 1(1), 2009.

M. Hansen. Marrying Transparency Tools with User-Controlled Identity Management. Springer US, 1 edition, 2008.

Y. Honcharova and A. Eryomenko. Stork - promising project of european transnational electronic identification. First International Scientific- Practical Conference Problems of Infocommunications Science and Technology, 2014.

G. Hornung and C. Schnabel. Data protection in germany i: The population census decision and the right to informational self-determination. Computer Law & Security Review, 25(1):84–88, 2009.

A. Jøsang. Assurance requirements for mutual user and service provider authentication. Data Privacy Management, Autonomous Spontaneous Security, and Security Assurance, pages 26–44, 2015.

C. Kuner. Extraterritoriality and regulation of international data transfers in eu data protection law. International Data Privacy Law, 5(4):235– 245, 2015.

E. Maler and D. Reed. The venn of identity: Options and issues in federated identity management. IEEE Security & Privacy Magazine, 6(2):16–23, 2008.

T. Martens. Electronic identity management in estonia between market and state governance. Identity in the Information Society, 3(1):213–233, 2010.

H. Masatoshi, F. Yuri, O. Sakura, K. Takeaki, S. Natsuhiko, and S. Hi- royuki. A Practical Trust Framework: Assurance Levels Repackaged Through Analysis of Business Scenarios and Related Risks. Springer International Publishing, 1 edition, 2015.

F. Massacci and O. Gadyatskaya. How to get better eid and trust services by leveraging eidas legislation on eu funded research results. 2013. Available at: http://www.cspforum.eu/Seccord_eidas_whitepaper_ 2013.pdf [Accessed: 15 December 2015].

A. Poller, U. Waldmann, S. Vowe, and S. Turpe. Electronic identity cards for user authentication - promise and practice. IEEE Security & Privacy Magazine, 10(1):46–54, 2012.

G. L. Rosner. Identity management policy and unlinkability: a comparative case study of the US and Germany. PhD thesis, University of Nottingham, 2016.

H. Roßnagel, J. Camenisch, L. Fritsch, D. Houdeau, D. Hühnlein, A. Lehmann, P. S. Rodriguez, and J. Shamah. Futureid - shaping the fu- ture of electronic identity. Datenschutz und Datensicherheit, 36(3):189– 194, 2012.

M. C. Rundle and B. Laurie. Identity management as a cybersecurity case study. OII Conference on Safety and Security in a Networked World: Balancing Cyber-Rights and Responsibilities, Research Publica- tion No. 2006-01, 2005.

J. Schroers and P. Tsormatzoudi. Identity-theft through e-government services – government to pay the bill? CiTiP Working Paper 27/2016, 2016. Available at: https://ssrn.com/abstract=2768877 [Accessed: 19 October 2016].

C. Sullivan. Digital identity, an emergent legal concept: the role and legal nature of digital identity in commercial transactions. University of Adelaide Press, 2011.

C. Sullivan and S. Stalla-Bourdillon. Digital identity and french personality rights — a way forward in recognizing and protecting an in- dividual’s rights in his/her digital identity. Computer Law & Security Review, 31(2):268–279, 2015.

D. J. B. Svantesson. A “layered approach” to the extraterritoriality of data privacy laws. International Data Privacy Law, 3(4):278–286, 2013.

E. A. Whitley. On technology neutral policies for e–identity: a critical reflection based on uk identity policy. Journal of International Commercial Law and Technology, 8(2):134–147, 2016.

H. Zwingelberg. Necessary Processing of Personal Data: The Need-to- Know Principle and Processing Data from the New German Identity Card. IFIP Advances in Information and Communication Technology. Springer Berlin Heidelberg, 2011.

H. Zwingelberg and M. Hansen. Privacy Protection Goals and Their Implications for eID Systems. Springer Berlin Heidelberg, 2012.


Refbacks

  • There are currently no refbacks.