DOI: 10.1007/978-3-319-22479-4_21
Article

Privacy in Digital Identity Systems: Models, Assessment, and User Adoption

Published: 30 August 2015

Abstract

The use of privacy protection measures is of particular importance for existing and upcoming users’ digital identities. Thus, the recently adopted EU Regulation on Electronic identification and trust services (eIDAS) explicitly allows the use of pseudonyms in the context of eID systems, without specifying how they should be implemented. The paper contributes to the discussion on pseudonyms and multiple identities, by (1) providing an original analysis grid that can be applied for privacy evaluation in any eID architecture, and (2) introducing the concept of eID deployer allowing virtually any case of the relationship between the user, the eID implementation and the user’s digital identities to be modelled. Based on these inputs, a comparative analysis of four exemplary eID architectures deployed in European countries is conducted. The paper also discusses how sensitive citizens of these countries are to the privacy argument while adopting these systems, and presents the “privacy adoption paradox”.

Cited By

  • (2022) Re-Shaping the EU Digital Identity Framework. Proceedings of the 23rd Annual International Conference on Digital Government Research, pp. 13-21. DOI: 10.1145/3543434.3543652. Online publication date: 15-Jun-2022
  • (2021) With a Little Help from My Friends. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 2004-2023. DOI: 10.1145/3460120.3484582. Online publication date: 12-Nov-2021
  • (2020) Analyzing eID Public Acceptance and User Preferences for Current Authentication Options in Estonia. Electronic Government and the Information Systems Perspective, pp. 159-173. DOI: 10.1007/978-3-030-58957-8_12. Online publication date: 14-Sep-2020

Published In

Electronic Government
355 pages
ISBN: 978-3-319-22478-7
DOI: 10.1007/978-3-319-22479-4

Publisher

Springer-Verlag, Berlin, Heidelberg

Author Tags

  1. eID
  2. eID deployer
  3. Pseudonymous authentication
  4. Privacy
  5. Multiple/partial identities
  6. Technology adoption
  7. Selective disclosure
  8. Privacy adoption paradox
  9. Digital identity
  10. Privacy by design
  11. Personal data
  12. Privacy impact assessment
  13. eIDAS
  14. e-Government
