Research article
DOI: 10.1145/2908131.2908152

Identity assurance in the UK: technical implementation and legal implications under the eIDAS regulation

Published: 22 May 2016

Abstract

The UK Government has been designing a new Electronic Identity Management (eIDM) system that, once rolled out, will take over how citizens authenticate to online public services. This system, Gov.UK Verify, has been promoted as a state-of-the-art privacy-preserving system tailored to the requirements of UK citizens, and it is the first eIDM in which the government does not act as an identity provider itself, instead delegating the provision of identity to competing third parties. Under the recently enacted EU eIDAS Regulation, a member state can allow its citizens to transact with foreign services by notifying its national eID scheme. Once a scheme is notified, all other member states are obliged to incorporate it into their electronic identification procedures. The UK Government is currently considering whether notification would be beneficial. This article examines Gov.UK Verify's compliance with the requirements set out in the Regulation and the impact on privacy and data protection. It then explores potential interoperability issues with other national eID schemes, using the German nPA, an eIDM based on national identity cards, as a reference point. The article highlights areas requiring attention should the UK decide to notify Gov.UK Verify. It also contributes to the literature on privacy-preserving eID management by offering policy and technical recommendations for compliance with the new Regulation and an evaluation of interoperability under eIDAS between systems of different architectures.


Cited By

  • (2024) Secure and Privacy-Preserving Authentication for Data Subject Rights Enforcement. Privacy and Identity Management. Sharing in a Digital World, pp. 175-191. DOI 10.1007/978-3-031-57978-3_12. Published online 23 Apr 2024.
  • (2022) eIDAS Regulation and Its Impact on National Legislation: The Case of the Slovak Republic. Administrative Sciences 12(4):187. DOI 10.3390/admsci12040187. Published online 6 Dec 2022.
  • (2021) eIDAS Implementation Challenges: The Case of Estonia and the Netherlands. Electronic Governance and Open Society: Challenges in Eurasia, pp. 75-89. DOI 10.1007/978-3-030-67238-6_6. Published online 7 Jan 2021.
  • (2019) Data Protection by Design for Cross-Border Electronic Identification: Does the eIDAS Interoperability Framework Need to Be Modernised? Privacy and Identity Management. Fairness, Accountability, and Transparency in the Age of Big Data, pp. 255-274. DOI 10.1007/978-3-030-16744-8_17. Published online 16 Apr 2019.
  • (2016) The 8th ACM Web Science Conference 2016. ACM SIGWEB Newsletter 2016(Summer):1-7. DOI 10.1145/2956573.2956574. Published online 6 Jul 2016.

Published In

WebSci '16: Proceedings of the 8th ACM Conference on Web Science
May 2016
392 pages
ISBN:9781450342087
DOI:10.1145/2908131
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Badges

  • Best Paper

Author Tags

  1. German nPA
  2. Gov.UK verify
  3. eID
  4. eIDAS
  5. eIDM
  6. electronic identity
  7. trust services

Qualifiers

  • Research-article

Conference

WebSci '16
WebSci '16: ACM Web Science Conference
May 22 - 25, 2016
Hannover, Germany

Acceptance Rates

WebSci '16 paper acceptance rate: 13 of 70 submissions (19%)
Overall acceptance rate: 245 of 933 submissions (26%)
