Comparative eID

Session Topic: Identity & Government

Tuesday 5D

Convener: Kaliya Hamlin, Elisabeth Mouchy

Notes-taker(s): Scott Fehrman

European identity workshop: how different countries are doing eID
 * Who uses eID? Nordic countries: 1/3 of people
 * Who uses a smartcard?
 * England pulled out of its identity program

France:
 * Mapping digital identity to physical identity (name, address, etc.)
 * Use of the postal service to process the identity (like the Facebook Connect model)
 * Users can manage their own account

United States:
 * What does the US do?
 * Gov employees have internal processes
 * Looking at USPS for citizens

Identity Lifecycle Flows:
 * Id Proofing
 * Enrolling

Countries:
 * United States
 * France
 * South Africa
 * Finland
 * Sweden
 * Canada
 * Belgium
 * Italy
 * Spain
 * Norway
 * England
 * Germany
 * Japan
 * India
 * New Zealand

Two perspectives:
 * (Common Law) Person: you are who you say you are
 * (Napoleonic Law) Agency: you are what we say you are

Issues:
 * How do you identify a new user?
 * Authoritative sources
 * What problem are you trying to solve (what is in/out of scope), mandatory, optional, prohibited
 * What is benefit to the citizen
 * Government is supposed to provide services to citizens
 * Authentication mechanisms
 * What are people's "legal rights" in themselves as human beings?
 * Gov data aggregation practices
 * Liability, responsibility
 * Who can / should be an identity provider? (should a federal gov. be an identity provider?)
 * What is it used for: health / tax, public / private
 * France postal: digital verified mail, banking (soon), digital safe vault, authentication to websites
 * Adoption rates, what is optional / mandatory
 * What services can be actualized with an "in place" infrastructure
 * Precursor: document authority (trust level)
 * What has been tried ... (and failed)
 * Data protection privacy regulations
 * Risk level schemas for countries
 * Range of attributes (schema alignment / mismatch)
 * What "is issued" as credential
 * User consent, flow requirements
 * Who (agency) is authoritative or not
 * Age of issue
 * Proxying / delegation (youth / elder) eTrusteeship
 * Vertical integration
 * Phase of lifecycle ... continuity
 * Biometrics
 * How is it "monetized": make money, save money, or just because we are government?

= Revised Comparative eID list =

Big Picture
 * What has been tried but failed?
 * What problem are they trying to solve?
 * What is the benefit to the citizen/user?

ID Proofing
 * How is ID Proofing done?
 * Are there document validation/verification services?
 * What authoritative sources outside the system/country are accepted?

Enrollment
 * How does enrollment happen?
 * What entities (who) issue precursor identities?
 * How does enrollment happen for them?
 * At what age / life event are identities issued?
 * How often does re-identification happen over time?

Attributes
 * What biometrics are captured?
 * How are they stored?
 * How are they used?
 * What are the attributes captured?
 * How are attributes shared?

Credentials
 * What is issued as the credential?
 * How much does it cost for 1st issue?
 * How much does re-issue cost?
 * Is a digital identifier issued?
 * What other identifiers are issued by the government, and for what purposes?
 * What is the per-capita issuance rate?
 * What is the incidence of duplication? (same number issued to two different people)
 * Has it been cracked? How?

Uses
 * What are the mechanisms of authentication?
 * Does the authentication "phone home"?
 * Does the eID issued support e-signatures, i.e. signing as distinct from authentication?
 * Can secondary credentials be generated?
 * What is the per-capita usage volume?
 * What is the value of transactions?
 * How is it "monetized" by the issuing institution?
 * What can the eID be used for:
   * in the Public Sector?
   * in the Private Sector?
 * What uses are
   * Mandatory?
   * Optional?
   * Prohibited?
 * What are the user-consent flow requirements?

Governance
 * Is delegation / proxying enabled?
 * Who does the eID belong to? Whose property is it?
 * What are the data protection / privacy regulations
   * in the public sector? [are records across gov departments separate?]
   * in the private sector? [what right do people have to manage PII?]

Architecture
 * What standards are used?
 * How is exchange (trust) managed between the participating entities?
 * What trust models are used? [drawing on the Field Model of Internet Trust]

Law Policy Culture
 * What are people's rights to themselves?
 * What is the liability / responsibility?