Brussels wants e-identities for EU citizens
The European Commission is set to launch a substantial review of rules governing personal documents with the aim of making electronic identities take off across the EU. But the proposal faces likely opposition from civil rights groups and member states where identity cards do not exist.
Neelie Kroes, the EU's Digital Agenda Commissioner, will present by the beginning of June a new legislative proposal which aims “to facilitate cross-border electronic transactions” through the adoption of harmonised e-signatures, e-identities and electronic authentication services (eIAS) across EU member states, according to an internal document seen by EurActiv.
“A clear regulatory environment for eIAS would boost user convenience, trust and confidence in the digital world,” reads the paper. “This will increase the availability of cross-border and cross-sector eIAS and stimulate the take up of cross-border electronic transactions in all sectors.”
Brussels has long been trying to facilitate the emergence of a parallel system of electronic identification, on top of existing real-world documents. This has mainly been linked to the struggle to establish a truly functioning single market, rather than to security grounds.
A directive was adopted in 1999 establishing a common framework for electronic signatures. The rationale for the legal text is that if EU citizens feel comfortable signing documents online, they will increasingly move to the immaterial world of e-commerce to do business and shopping, regardless of national borders.
Resistance expected at national level
Despite the EU's efforts to increase the security of e-signatures and the confidence in the emergence of virtual identities, citizens and governments have been slow to adopt electronic IDs.
Indeed, e-signatures are still confined to a few sectors, such as universities, while most EU nations have not yet introduced electronic identity cards.
Even if chip-embedded passports are becoming the norm across Europe, e-ID cards have been adopted in only a handful of countries – Belgium, Estonia, Germany, Italy and the Netherlands. But there is no common system of mutual recognition among states using electronic IDs.
Perhaps more frustrating for the European Commission is that some member states like the United Kingdom do not even have paper identity cards, and the idea of adopting them causes widespread public opposition.
The UK briefly introduced ID cards during the Second World War but abolished them afterwards. The use that the Nazi regime made of identity documents to single out Jewish people and send them to concentration camps has been a powerful argument against introducing ID documents across the Channel.
When Tony Blair's Labour government discussed the idea of ID cards, a citizen movement sprang up overnight to block the plans.
ID cards are also not used in Denmark and Ireland.
A bolder plan beyond e-signatures
Despite those cultural differences, Brussels still intends to move ahead, and a draft regulation is being examined by several Commission departments in a so-called inter-service consultation.
The plan, to be unveiled in the coming days, is even more ambitious than the Commission's previous legislative attempt, as Brussels now wants to extend the electronic authentication to a number of services, beyond e-signatures.
Kroes plans to “widen the scope of the current Directive by including also ancillary authentication services that complement e-signatures, like electronic seals, time/date stamps, etc,” reads an internal paper prepared by her cabinet.
To address the lack of mutual recognition of electronic certificates, Brussels wants to make it compulsory. “It is proposed that all member states recognise and accept all formally notified e-IDs from other EU member states,” underlines the paper.
The proposal does not go as far as proposing the introduction of electronic documents where they do not exist, but the obvious aim is to create an incentive for countries to do it.
Kroes’ success is far from guaranteed. The concept of an electronic identity has in recent years been mainly associated with risks of identity theft and virtual fraud.
Officials say it is paramount that robust security mechanisms are put in place to guarantee the adoption of new electronic services. Justice Commissioner Viviane Reding has already suggested amending Kroes’ proposal to strengthen its data-protection obligations.
Among other things, Reding wants a 24-hour data breach notification to be part of the new regulation. If electronic identities are stolen or risk being wrongly used by non-authorised parties, the owners should be made aware of the data breach within 24 hours, argues the commissioner’s cabinet in an internal document seen by EurActiv.
The 24-hour reporting obligation is part of the overhaul of the entire legislative framework for EU data protection, which was launched by Reding in January and is now under scrutiny by the European Parliament and member states. Kroes intervened in that debate by softening the security requirements imposed on companies.
The new text on electronic identities will also likely face opposition in the European Parliament. The issue “will require the sensitivities of civil liberty groups, with likely echoes in the European Parliament, to be carefully addressed,” warns Kroes’ internal paper.
The backing of most member states seems guaranteed by prior behind-the-scenes negotiations, the paper notes, but the Commission also expects vigorous debate at the EU Council of Ministers.
“Close Council scrutiny of detailed provisions should be expected, as not all member states have e-IDs and the subject is linked to core national sovereignty (state-citizen relationship, security), as well as e-Government organisation,” Kroes’ cabinet wrote.
An electronic identity can be confirmed through certificates and e-signatures. In general terms, an electronic signature is any identification or signature in electronic form. This can range from a scanned signature to a Personal Identification Number (PIN).
The e-signatures Directive merely states that an advanced electronic signature “uniquely links the signature to the signatory”. But so far, only certain digital signatures meet these requirements.
A digital signature uses a pair of different but linked keys: a private key and a public key. The private key (known only to the owner of the signature) is used to ‘sign’ a message. A recipient can verify the signature by using the sender’s public key (available to all). A certificate links the signature and the signatory and identifies the signatory. Certificates are issued by recognised certification authorities.