eID – What is the role of the state? Lessons from around the world
Across countries, there is an increasingly unanimous recognition of the potential benefits that a legally recognised electronic identity (eID) can bring to its citizens, businesses and the government. A number of pioneering countries have launched their national eID programs over the last two decades, bringing unprecedented convenience to citizens and efficiency gains in governmental & business processes.
However, experiences from around the world have shown that the road to rolling out a successful eID can be a challenging one, with Switzerland being no exception. The Federal Act on Electronic Identification Services (BGEID), which passed through the Swiss parliament last year after much debate, has raised questions on the separation of duties between the state and private actors in the administration of the identity. The upcoming referendum, tentatively slated for the end of 2020, will decide if private actors will be permitted to participate in the identity ecosystem as identity providers (IdPs).
In the build-up to the referendum, we seek to leverage our expertise in the realm of digital identity to inform the public discourse. In this blog post, we look at the experiences of successful eID programs in other countries, specifically with regard to the separation of duties between the state and private entities. We compare the experiences of Estonia and India, where the state played an active role in the administration of the eID, with those of Norway and Denmark, which saw greater private sector involvement.
The state as a regulator vs the state as an IdP (note i)
At a high level, the role of the state in providing a legal electronic identity to its residents can be that of (1) regulator or (2) regulator + IdP. The regulatory function involves providing technical guidelines, establishing the necessary legislation to permit the use of the eID as a legal means of identification, and exercising regulatory oversight to ensure compliance with the relevant laws. In this context, we define the role of the IdP to include every other function, from the verification of the identity to the provision of authentication and signing services to relying parties. While the regulatory function is performed by the state across the world, it is in the IdP function that we find diverse models in different countries. In addition, eIDs, whether issued by the private sector or by the state, rely on a foundational state-issued identity for the verification and issuance of the eID. Most eIDs also have the same core features, permitting citizens to authenticate themselves and sign documents in the digital realm. These two core features form the foundation for the provision of a host of private and public sector services in all countries.
Table 1 – Comparison of eID programs: state as a regulator vs the state as an IdP
1. Responsiveness to public opinion is necessary
As seen in the Indian case, the Aadhaar program faced several setbacks in the years following its roll-out, even facing an existential threat from petitioners challenging the constitutional legitimacy of the Aadhaar Act in the country’s Supreme Court. The Supreme Court judgement of 2018 mandated a number of reforms, most notably instructing the government to pass a robust data protection law and establish an independent data protection authority, striking down provisions enabling the government to access citizen data on grounds of national security, and upholding voluntary enrolment in the program. The government further responded by introducing a number of privacy-enhancing technologies to assuage citizens’ concerns about the program. While the data protection act is yet to come into force, the program seems to have won public approval, with a 2019 survey of 147,868 households in the country indicating that 92% of people were satisfied with Aadhaar and 90% trusted that their data was safe. Thus, in democracies, it is of paramount importance that governments are responsive to public concerns and also effective in communicating their response to these concerns. The upcoming referendum in Switzerland may be seen as a step in this direction.
2. Independent regulatory oversight
The roll-out of an eID brings with it a number of privacy risks, which need to be mitigated with a robust data protection law and an independent regulator to ensure compliance. All of the analysed cases (barring India, where it is on the horizon) have an independent data protection regulator. While the analysed countries have not reported fines related to eIDs, the Norwegian Data Protection Authority imposed fines on two different municipalities in the country for improper handling of citizen data in 2019. The BGEID in Switzerland mandates the establishment of a Federal eID Commission (EIDCOM), which reports to the country’s Federal Data Protection and Information Commissioner.
3. Data minimization and granular data sharing
The eID scheme must permit citizens to present key identity attributes in a granular fashion. The regulation must clearly define the necessary identity attributes to be shared with a relying party to access different services. For instance, the list of necessary attributes to be shared in India’s Aadhaar system varies depending on whether a resident wants to access subsidised rations or to open a new bank account. In practice, however, it is also necessary that citizens and service providers are educated to share identity data on a purely need-to-know basis, so as to minimise the amount of personal information that is revealed in the process of accessing a service. Furthermore, the technical infrastructure must permit audits by the regulator to ensure compliance with data minimization guidelines, and must allow for penalties in the case of breaches.
4. Open standards to permit easy integration by relying parties
In all of the cases, irrespective of the role of the state, transaction volumes are predominantly driven by private sector use cases. For instance, in Denmark, out of the 70 million monthly transactions, 40 million were used for banking transactions. The use of open authentication and signing protocols would permit easy integration by relying parties. Furthermore, given the possibility that a number of new cross-border eID use cases will begin to emerge, the use of open standards would permit interoperability between the eID programs of multiple countries.
5. Smartphone app-based solutions can increase adoption
Estonia saw the launch of the SIM-card-based Mobile ID solution in 2007 and later the app-based Smart ID in 2017. Since its launch, Smart ID has seen rapid adoption, with 496,270 active users in comparison to the 232,974 users of Mobile ID. This may be attributable to the fact that Smart ID doesn’t require an additional piece of hardware such as a SIM card, and to the improved user experience offered by the app. Denmark too introduced a NemID app in May 2018 to complement its paper-based code cards. The next generation of the Danish eID, MitID, will do away with the code cards of the past and introduce a MitID app for authentication and signing. However, the solution would also provide physical authentication factors to complement the app.
i The role of IdP is played by diverse ministries within the government in different countries. Furthermore, the roles of regulator and IdP tend to be far more nuanced and context dependent. The roles have been defined as above to aid comprehension. Additionally, the role of developing technologies including smart cards, SIM cards, authentication and signing software is contracted to the private sector in all countries.
ii Estonia offers two other solutions, Smart ID and Mobile ID, both of which rely on the ID card as the foundational identity for proofing and issuance. The Mobile ID leverages the country’s telecommunications sector for the issuance of SIM cards, which permit the authentication and signing functions. The Smart ID may also be issued by banks. However, the state remains the IdP in all cases, with all transactions relying on the state’s ID databases for authentication. While the ID card and Mobile ID can be used as an authentication mechanism for i-Voting, Smart ID does not yet support this.
iii India has launched a number of privacy-enhancing solutions layered upon Aadhaar, including mAadhaar, virtual Aadhaar number and masked Aadhaar number, among others. They have been excluded since the solutions are relatively new and conclusive results are yet to emerge.
iv Norway’s BankID solution operates alongside other competing eID solutions, offered by both private and government entities. However, the government-issued MinID corresponds only to security clearance level 3, which is one level short of the highest level 4 offered by the private sector solutions BankID, Commfides and Buypass ID.
v Denmark’s NemID is set to be replaced by MitID in mid-2021, which will again be offered through a partnership between the Danish Agency for Digitisation and a consortium of Danish banks.