e-Government Europe 2004 Noordwijk aan Zee, NL , 1-3 March

1. Identity Management Systems (IMS) Challenges and Opportunities for e-Government e-Government Europe 2004 Noordwijk aan Zee, NL, 1-3 March Institute for Prospective Technological Studies (IPTS) Seville, Spain http://www.jrc.es http://www.jrc.cec.eu.int JRC – IPTS Seville

2. CONTENTS • E-Government services: a new paradigm • A ‘trusted’ environment for e-Government services • Identity, Identity Management and applications • Identity Management requirements • e-Identification and the Public Sector • Discussion Topics JRC – IPTS Seville

3. E-Government services: a new paradigm • ICTs increasingly used to reduce cost, improve efficiency of e-Government services through: (a) back-office re-engineering; (b) one-stop-shop approach; (c) interoperable systems & interfaces. • However, important social and technological developments act as drivers for change: e.g. (a) enlarged and aging population in need of personalised services; (b) increased socio-cultural & religious diversity; (c) flexible, mobile living + working + consumption patterns; (e) pervasive computing, ubiquitous communication, intelligent interfaces (Ambient Intelligence environment). • In addition, renewed interest in the role of the public sector in encouraging demand and the part that e-services can play. • The issue of e-Government wider-adoption sets new requirements on public e-services (from supply-side issues to demand-side and societal factors). Future Challenge: From more efficient e-Administration to personalised e-Government services to e-Governance based on Knowledge Management in an AmI environment JRC – IPTS Seville

4. A ‘trusted’ environment for e-Gov. services • Rising crime, lack of security, trust and privacy protection impacts, inherent computer interface complexity, and cost of solutions seem to be the main barriers to the wider adoption of ‘trusted’ physical and knowledge networks, required to transform Europe into a Knowledge Society (Lisbon objectives). • The deployment of identification technologies as a panacea for ‘trust’ problems raise some concern since emerging technology and other social and financial factors, affect their application in ways that requires further understanding. • Also e-Governance in an AmI environment requires that new risks be assessed and managed, especially regarding the public/private sphere boundaries. • Solutions related to identification and authentication need be devised so as to efficiently secure the e-services and promote citizens’ confidence in them. Future Challenge: Identification, Authentication, Identity management, Liability, Security, Privacy, legal aspects and social implications ought to be carefully addressed. JRC – IPTS Seville

5. Identity, Identity management and applications • People are skilful in mastering identity, which is a complex social concept, in the real world, but not yet in the virtual world • Technologically supported Identity Management gives users control over the amount and nature of their personal data that should be released. • IM is driven by security/access management needs, but also seen as a tool to enforce security and privacy protection. • IM is a layered problem that needs a comprehensive solution dealing with all layers at once. • IM needs a flexible, cost-aware, public-lead & market-driven evolution path JRC – IPTS Seville

6. Specific Functionality (depending on the scenario) • Basic Usability • Security • Privacy • Specific Law Enforcement - legal regulations • Objective Trustworthiness • Affordability • Interoperability Identity Management - Requirements Technology & identity-attribute independent requirements “ IMS Identification and Comparison Study ” Hansen, M., ICPP Schleswig-Holstein, DE, Sep.03 JRC – IPTS Seville

7. e-Identification and the Public Sector • Identification used in the physical world varies as to: (a) the medium/support type; (b) geographic and sectorial scope; (c) the process to issue, re-new, authenticate; and (d) the security and data protection mechanisms. • Various e-identification processes exist at local and national level with significant variation as to the scope, purpose and mechanisms. • Secondary use of the result of the process, extended use beyond sector and geographical borders and the security and privacy risks involved indicate that problem is thornier than technical or legal interoperability alone. • IMS with the following min functionality: usability, multi-lateral & multi-channel security and law enforcement limitations, privacy protection, offering users transparency and control over their data, can help enhance trust and thus acceptance of such an environment. • However users will be expected to develop new skills related to the online world and be prepared to upgrade them as time and technology progresses. Future Challenge: For the Public sector policy and governance issues are thornier than the technical e-identification capability. JRC – IPTS Seville

8. Policy questions for further discussion (1) Cooperation among all levels of Government (cross-country + intra-country) especially when considering legal impacts of standardisation of both data and processes of issuing, verifying, revoking source identity documents leading to data + function interoperability. Cooperation among public/private actors on authentication issues related to security, privacy protection, liability, non-repudiation, centralised vs. distributed/federated IMS, etc. • How to develop interoperable IMS from the heterogeneous, autonomous, authentication systems that exist and operate today? • CONVERGENCE questions: ? Geographical and sectorial convergence will bear new problems such as: increased inter-dependence as a result of single sign-on, technical & legal interoperability needs, increased security and privacy risks (Identity theft, data aggregation/profiling). • PARTNERSHIP questions: ? Private sector, mainly banks, which have experience on secure e-identification solutions over a variety of remote channels (phone & mobile, PC & Internet banking, Interactive TV and payment cards) need to share experience in assessing risk and developing and deploying security/privacy compliant IMS. This may result in sharing of costs and an easier learning process leading to widespread adoption of services. JRC – IPTS Seville

9. Governments’ role in identity management is to properly balance the competing interests of legitimate public and private business activities, law enforcement and state intelligence while protecting citizens and consumers’ privacy. How can they play this role effectively? Policy questions for further discussion (2) ICT can play an important role in this by aiding in the managed transfer of control from the hands of an unaccountable central administration to the hands of appropriately skilled citizens, through the wider adoption of Identity Management Systems. Also, an appropriate e-governance structure will have to be developed / implemented. • Is it desirable to require a single national ID for all citizens? Is it necessary to avoid such a scheme so as to prevent inevitable misuse and abuse? The essence of the question relates to who will have control over what data and what processes will be in place to aid in the implementation of the IMS to be used. • The role of biometric and DRM technologies? Who will pay for/control them? Depending on the specific application and thus the need for weak or strong identification the role of such technologies in authentication processes and in protecting identity information should be better understood. JRC – IPTS Seville

10. Thank you !Any Questions ? Contact Details Ioannis Maghiros Cyber-Security Project Officer EC – DG JRC – IPTS – Seville ioannis.maghiros@jrc.es JRC – IPTS Seville