by Markus Hartmann, HJP Consulting
The five most common misconceptions when implementing an eID project. Across the globe, electronic ID projects are out for tender, being implemented or being piloted. But what are the pitfalls for governments when faced with choosing an eID system? And who can help?
Misconception Nr. 1: Technology is the most important element
A government’s approach to identification projects is often very technologically driven instead of requirements driven. Governments are often influenced by strong industry lobbyists who recommend, of course, their own technologies. But a government, at the end of the day, has to solve their problems in terms of identity management and fraud. What we recommend to governments is to take the time to think about their own requirements, and then write their own tender describing their requirements and processes. Let the industry bid for it, to basically provide the solutions matching these requirements.
Misconception Nr. 2: ICAO standards cover all aspects of MRTD solutions
A lot of governments know about ICAO, the International Civil Aviation Organization, and they believe that DOC 9303 is specifying all their needs for ePassports or eID documents. But that’s not true. ICAO is an organization that is taking care of the interoperability of ePassports and terminals at border control. But ICAO does not care about how to personalize a card or a passport; how to organize the processes at enrolment or how to organize the security that you need. So, there are a lot of internal work packages that need to be done and, again, scenarios where governments need to spend some time to analyze their own situation.
Misconception Nr. 3: ePassport interoperability tests are a final proof of ePassport quality
Passports and passport readers are commonly tested during international Interoperability Test Events – the last one took place in Prague in 2008. These so called Crossover Tests are only testing one passport, read by one reader, at that moment – but this is not a quality check that can assure that all these passports will work. For this, ICAO, together with the German BSI, have created conformity tests. We strongly recommend that passports and terminals be tested according to these test specifications. This is the only way to prove that the products you have bought are actually working and that, at the end of the day, your passport can be read at any border in the world.
Misconception Nr. 4: Identity management is a contractor’s responsibility
A lot of governments have too much reverence when faced with an eID project and the only solution they have is to engage a prime contractor – like a big system integrator or solution provider – and basically let them do the whole job. But, the issue of identity management and protecting people’s identities is one of the core responsibilities that a government has, and they have to do a lot of these things on their own. And, due to open technology standards that are now available, they can actually do a lot – such as key management, passport management or cart management processes, etc. – on their own.
Misconception Nr. 5: ICAO is not supportive in the implementation of eID projects
My fifth point actually supports the efforts of ICAO. A lot of countries feel that they are not very well supported on a government level. This, however, is one of the services that ICAO is offering, especially the Working Groups within ICAO. The new technology Working Group, headed by Gary McDonald, is specifying passports and solutions. There is also a new Infrastructure Capacity Building Working Group, and this group has the objective to help governments to install their new eID projects – with the help of other governments. So I would really recommend that people within governments who are seeking for any help should contact this new Working Group and they will be supported.