There is nothing intrinsically new about using a passport or some other form of ID document to interact with state officials, but the past couple of decades have seen a sea-change in what citizens – and governments – expect such documents to deliver. Fast forward to 2011 and digital identity technologies such as smart cards and biometrics have come of age, with an estimated 90 countries now deploying ePassports incorporating these highly secure features.
ID documents have undergone a similar transformation; simple paper documents designed for single identification applications have given way to smarter documents – or eID cards. These enable governments to implement systems and processes that give citizens access to public services with the assurance that that this is backed by robust security. Furthermore, the development of these smart documents means a single card can offer a host of applications and act as a driving licence, enable the user to file their taxes and give them access to state benefits.
A force for good
The case for eID cards and ePassports is quite straightforward for most people in the eID industry. In the business world, they play a key role in enabling financial services firms and telecoms companies to fulfil Know Your Customer (KYC) regulatory requirements and carry out Know Your Employee checks. They allow government departments to interact with their citizens more effectively, around the clock.
In the border control environment, they boost security and improve passenger throughput, giving border authorities the confidence that the person standing in front of them is who he or she claims to be.
Emerging economies see the value of eID credentials in general, because they promote economic empowerment, drive democracy and aid economic development. They show the rest of the world that they are modern, secure and trustworthy states, able to implement new technologies and standards – and very much open for business. Furthermore, secure ID technology that can be used cross-border is important as it promotes regional integration and stability and makes economic development more likely.
The UK case
But not every nation is so positive. The incumbent (UK) Labour Government supported an ID scheme. But the card – and its accompanying database – was never widely supported by the UK population. It faced strong opposition from pressure groups such as No2ID and the TaxPayers’ Alliance. The British press came out against it in force. Allegations were that the technology was costly, overcomplicated and unproven, and that the project signalled a loss of liberty, and meant lifelong surveillance and the introduction of a meta-database. The 2010 UK general election, which saw Labour lose power to a coalition of Conservative and Liberal Democrats, signalled the final nail in the coffin of ID cards. The new government wasted no time in consigning the project to history.
One of the problems with the UK scheme was that the government never made clear the card’s purpose. Was it an entitlement card? Or was it an ID card? Was it to keep out unauthorised immigrants? Or was it about promoting inclusion? There was heated debate in the lead-up to the rollout, with the chairman of the Bar Council going as far as asking: “Is there not a great risk that those who feel at the margins of society – the somewhat disaffected – will be driven into the arms of extremists?”
82 countries to use electronic National IDs by 2015
But while the UK has been reticent in adopting the technology, other countries have been far more bullish. Implementations in the massive BRIC (Brazil, Russia, India, China) economies, across large parts of Europe, in the Gulf and in parts of Latin America and Africa provide interesting examples of its potential to affect millions of ordinary lives throughout developed and emerging economies.
According to research company Acuity Market Intelligence, the number of electronic National IDs issued annually will grow by 54% from 424 million in 2010 to 655 million in 2015. The numbers of countries issuing such eIDs will move from 29 to 82 in the same time frame.
According to the company, global circulation for all national IDs will climb from 2.6 billion in 2010 to 3.2 billion in 2015, while the global circulation of eIDs rises from 1.5 to 2.6 billion during the same period. These projections and analyses were revealed by Acuity market in London in April 2011 during the Secure Document World event.
eID in India
The official start of the project, operated by the Unique Identification Authority of India (UIDAI), which will see all 1.2 billion Indian residents issued with a UID number, represents a fundamental shift in the way the state interacts with its citizens.
Each ID record will include the personal and demographic details of the resident and will be associated with their iris and fingerprint biometric information. The Congress-led coalition that won the country’s general election in 2009 says the aim of the single national ID card is to ensure the efficient delivery of public services, allow each citizen to identify themselves so they can use other services such as bank accounts, and enable the government to detect illegal immigrants more easily.
One of the key features of the UID system is ensuring that a unique UID number is issued. This is enabled by the use of bio metric identifiers which ensure that each resident gets only one UID number and that the UID number can be used by one resident alone.
When a resident applies for a UID using their biometric, these details have to be compared against the entire UID database using a 1:N biometric comparison process to ensure that the new applicant is unique and has not already been allotted a number – under a different name or address, for example.
For authentication, residents need to provide their UID number and biometric. The UID authentication system then pulls up the person’s record using the UID number as the key and matches the live fingerprint with the stored template. To strengthen the authentication level other factors can be added such as a static PIN – known and changeable by the resident only – much like a 4-digit PIN used with ATM cards. If a person is making a high-value banking transaction, they could be asked for a biometric plus PIN for authentication. If an even higher level of assurance is sought, then a 4-digit dynamic PIN can be generated by the UID system and sent to the resident’s mobile phone via SMS. This dynamic PIN needs to be entered into the authentication device in addition to the UID number and fingerprints.
The choice of assurance levels and factors used in authentication is specified by the registrar or authentication user – typically the service delivering agency and not the UID authority. India’s is an ambitious project, with 100 million cards expected to be issued within the next three years. But with it come huge benefits. For example, successful deployment could reduce corruption and plug the leak in social benefit distribution systems for the poor. Furthermore, it could allow portability of health insurance and pension accounts between employers, essential in a country where opportunities and jobs – especially for the poor – are changeable and often located outside the home towns or villages. The Aadhaar number, therefore, gives Indians their first mobile identification credentials, which they can use anywhere in the country, with any agency, to prove their identity. And it could help bring masses of India‘s poor into the formal economy, where they can gain access to financial and social services.
Progress has already been made in aiding the unbanked. At the end of 2010, MasterCard Worldwide announced its payment solution for the project. This will enable citizens to make payment transactions using their UID numbers plus biometric authentication. The scheme is based on the UIDAI platform and MasterCard’s payment network and family of brands. It will promote financial inclusion by enabling Aadhaar account holders to move away from cash and towards electronic transactions. The technology supports prepaid, debit and credit payment products. It will enable participating banks to issue a 16-digit Primary Account Number (PAN) to individuals enrolled into Aadhaar.
The impact of the UID scheme on Indian security and identification has been massive, according to research from Frost & Sullivan. In its Indian Biometric Market report (2010), the firm found that biometrics are increasingly gaining traction in various government and non-government applications such as driving licences, ePassports and land records, as well as time and attendance. It also said biometrics are gradually gaining ground at the expense of conventional methods of identification and security monitoring such as physical checks, photo IDs, tokens and passwords.
The Facebook factor
But while the industry is busy devising standards that enable ID technology to be rolled out and scaled up, the digital world is also evolving. Social media has swept across the online world – and Facebook has become a central part of many people’s lives, influencing their daily actions and encouraging them to share their experiences with members of their network and the wider digital world. Google has also taken the online world by storm, extending its offerings from basic search functions to maps, news, pictures, email and beyond.
Inevitably, there is much discussion about how the likes of Google and Facebook can encroach further into our day-to-day lives. The sheer amount of data that such sites capture on all of us could make them even more useful – or they could threaten a real invasion of privacy. Mr Schmidt, CEO of Google, believes that most people don’t want Google to answer their questions. They want it to tell them what they should be doing next. As he puts it: because Google would know “roughly who you are, roughly what you care about, roughly who your friends are, it could remind users what groceries they needed to buy when passing a shop”.
Mr Schmidt has also said that the availability of information increases convenience and enables society to combat anti-social and criminal behavior more effectively. But to address issues such as identity theft requires true transparency and no anonymity.
“In a world of asynchronous threats,” he says, “it is too dangerous for there not to be some way to identify you. We need a name service for people. Governments will demand it.” Mr Schmidt’s comments about true transparency and no anonymity are interesting. But people still want to maintain their privacy. ID credentials have the power to provide partial anonymity, giving citizens a reasonable level of privacy. And eID delivered by the state can bring this type of anonymity. For example, a credential that allows an individual to provide personal data on a ‘need to know’ basis – such as an eID card that allows an individual to access age-restricted services without providing lots of additional information – is a powerful tool.
Digital security is an issue that the whole digital sector is grappling with. According to a 2010 report from the US Department of Justice, it takes 130 person-hours to rebuild a digital identity after it has been compromised.
The national strategy for trusted identities in cyberspace
Work is taking place in this area. In the US, for example, the National Strategy for Trusted Identities in Cyberspace has been established to create options for online security and privacy. It recognizes that individuals face increasing complexity and inconvenience associated with managing the large number of user accounts, passwords, and other identity credentials required to conduct services online with disparate organizations.
The strategy does not advocate the establishment of a national identification card. Instead, it seeks to create an ecosystem of interoperable identity service providers and relying parties where individuals have the choice of different credentials or a single credential for different types of online transactions. It believes individuals should be able to choose to obtain identity credentials either from public or private sector identity providers, and able to use them for transactions requiring different levels of assurance across different sectors, such as health care, financial and social transactions. It states that many existing infrastructure components in use today, such as mobile phones, smart cards and PCs should be used to facilitate ease of use, accessibility and availability.
Bonuses of eID
What has become clear is that a password is simply not secure enough in the online world. Consumers now need to remember too many passwords and PINs, and if the password is complex – and therefore difficult to guess – there is a strong likelihood that they will keep a record of it, thereby making it much less secure. As a result, two-factor authentication is becoming more popular. Many retail banks now give their online customers a one-off password device to enable them to make secure transactions. And of course, a combination of a smart card and biometric such as an eID card has the bonus of ensuring security and privacy requirements are met while maintaining trust in a system. There are real opportunities for governments to get involved.