Saturday, May 9th, 2020

Stranger, Who Are You? Really. On eIDAS and Identity.

Who are you? It could be the topic of a philosophy class but we will examine eIDAS, an EU Regulation… on electronic identification and trust services…. The impressive title does not stop us from fearlessly digging into its legalities to see what it has to say about identity.

The reason we examine identity in a post on digital signatures is that identity and identification are the very foundation of signatures.

eIDAS is a heavyweight in anything that relates to online services, especially in the public sector. It was enacted by the European Parliament in 2014 and subsequently by EU member states where it became national law.

Cross-Border Identification

The main thrust of the eIDAS regulation is cross-border identification. We will focus on identification of natural persons, i.e. people like you and me.

Cross-border identification is interesting because of cross-border transactions. The idea is that anyone in any EU country should be able to use public sector services online in any other EU country. Services should not reject requests just because they originate from a different country.

Free flow of people, goods and services across borders is a key concept of the EU after all.

No service accepts unknown users, of course. Users must be identified. This leads up to the title question: Stranger calling in, who are you?

Identity and Scope Defined

Before going further we have to define identity for the limited purposes of this post. In order to avoid philosophy and too much abstract thinking, here is our definition:

An identity is a symbolic placeholder for a person.

When a baby is born into a family it won’t be long until it gets its first identity, a first name, Edward. This simple identity is enough for several years to come.

At school Edward begins to need his last name from time to time, Edward Nordstrom, but he also has to get used to a nickname granted to him by his classmates, Ed.

Many years later we find Edward filling out his tax return, using his Swedish personal id number, while his wife calls out, Honey, have you finished yet?

From this very simple example we learn that,

  • Every person has more than one identity, and
  • each identity has a scope.

An identity is relevant and valid within its scope. Using an identity out of scope is either meaningless or causes problems. Imagine someone at the National Tax Agency calling, addressing Edward as Honey. It won’t happen. On the other hand, if his wife opens up a conversation with Edward Nordstrom he knows that trouble looms.

Identity According To eIDAS

Let’s see how EU lawmakers perceive the problem. Item 9 of the recital (legalese for background) says,

In most cases, citizens cannot use their electronic identification to authenticate themselves in another Member State because the national electronic identification schemes in their country are not recognised in other Member States. That electronic barrier excludes service providers from enjoying the full benefits of the internal market…

Note the phrase electronic barrier. It suggests that the problem is a matter of technology.

We must consider two key definitions provided by eIDAS. We quote:

  • electronic identification means the process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person;
  • person identification data means a set of data enabling the identity of a natural or legal person, or a natural person representing a legal person to be established;

(Comment: In EU legalese a natural person is a human, a legal person is an organisational entity like an enterprise or a government agency.)

The definition of person identification data says that it establishes the identity of a person. In other words,

  • A person has a single identity, and
  • person identification data is not that identity but helps find it.

As for what constitutes a person’s identity, eIDAS is quiet. It is also quiet about the concept of scope as related to identities.

In my opinion eIDAS does not offer a realistic view of identity. Rather, in the light of the exposition above, I propose that,

  • Person identification data is an identity, and
  • a person typically has multiple identities, and
  • each identity has a scope within which it is relevant.

Scope Illustrated

Assume we sell our car to Alice, a person we never met before. She asks to pay all except EUR 500 right away, the remaining EUR 500 next Monday, her pay day.

It’s a short-term credit but we get uneasy about those EUR 500. Who is this Alice really? When asked she says she is Ericsson employee no 111306. By a lucky chance our longtime golf buddy, Bob, happens to pass by. It turns out he is also Alice’s boss. Bob assures us that Alice really is Ericsson employee no 111306.

We are now in possession of Alice’s confirmed person identification data (the eIDAS term). An employee number singles out a person uniquely and precisely. However, as outsiders to Ericsson, what can we do with an employee number? We are out of scope with respect to that identification system.

The lesson is: If you need an enforceable commitment from an otherwise unknown person you have to be in scope.

Cross-Border Identification According to eIDAS

eIDAS prescribes a trust infrastructure not unlike our example with Alice. Alice provided her person identification data which was confirmed by her boss. The eIDAS infrastructure (which is operational) works in a similar way. Each EU country has (or will have) a trusted authority that may confirm an identity on request from another country.

Does this solve the problem of being out of scope?

For example, assume that we set up an online service based in Sweden. A user claims she is Irina Cluj of Romania with id number 2800101221146. This is confirmed by the Romanian eIDAS service.

On one hand, we don’t doubt this information. On the other, being out of scope with respect to Romania, it doesn’t help us a lot.

National Id Numbers

Something surfaced in the previous paragraphs: a national id number. Historically, governments of the world have worked hard to identify their citizens to be able to collect taxes and to conscript armies.

This means that many countries have already dealt with the problem of multiple identities. My example is Sweden.

A Swedish national id number was introduced 70 years ago as a permanent identity of every Swedish subject. It has become an indisputable all-round identity used in all formal situations, public and private sectors alike.

Even though most Swedes see national id numbers as universal they do have a limited scope: Swedish jurisdiction.

Identities in Wide Use

In spite of what eIDAS says about barriers, a great number of online services are operating across national borders. Goods and services flow steadily to ordinary consumers. Some of the personal identities used in this trade are,

  • email address,
  • mobile phone number,
  • credit card number.

The mobile phone number is the primary identity used by several social media platforms. Note also that the list does not contain national id numbers because their scope is too limited for cross-border use.

Conclusion

It seems that eIDAS neglects important aspects of personal identity. Firstly,

  • Every person has several identities

while eIDAS seems to imply that a person has a single identity.

One might solve the problem of multiple identities by providing enough personal identity data to cover multiple scopes. However, this runs contrary to GDPR, another important EU regulation. eIDAS itself notes this fact in recital item 11:

…authentication for an online service should concern processing of only those identification data that are adequate, relevant and not excessive to grant access to that service online…

Secondly,

  • An identity has a limited scope; it is valid and relevant within that scope.

The fundamental issue of scope is never touched upon by eIDAS.

For the moment I’m inclined to conclude that eIDAS has not solved the problem of cross-border identification. The barrier mentioned by eIDAS is neither electronic nor digital. It’s inherent in the nature of identities.

Add to this the inability of lawmakers to see the difference between electronic and digital 357 times over. It does not instill confidence.

Give me some good reasons to help me change my mind.

Even if found faulty, eIDAS is the law of the land and has far-reaching ramifications. Some of those will be treated in upcoming posts.

Acknowledgement: Many thanks to Roland Hedayat for constructive comments on an early draft of this post.


The full title of eIDAS is: REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.

