New Challenges and Possible Policy Options for the Regulation of Electronic Identity

Authors: Anssi Hoikkanen; Margherita Bacigalupo; Ramón Compañó; Wainer Lusoli; Ioannis Maghiros
Position: European Commission's Joint Research Center-IPTS, Anssi.HOIKKANEN@ec.europa.eu
Pages: 1-10

This paper won the 2009 JICLT Best Academic Paper Award at the 4th International Conference on Legal Security and Privacy Issues in IT, held on November 3-5, 2009 in Malta. Originally published in Kierkegaard, S. (2009) Legal Discourse in Cyberlaw and Trade. IAITL.


1. Introduction

The increasing reliance of governments, companies and individuals on technology to manage identity raises a new set of challenges for policy-makers. With the growth of content and services over digital infrastructure, people increasingly lead quasi-digital lives, moving in and out of analogue and digital spaces. Policy makers are increasingly aware that digital identities are vital to the way Internet services are provided and to citizens' everyday life. They have a crucial role to play in setting the framework conditions so as to sustain this shift while maximising the benefits for economy and society.1

Identity, considered as an enabler of the digital economy, is likely to become a key component of the portfolio of the new Commissioner for DG Information Society and Media.2 But there is also a consensus that only when European citizens are aware of, understand and fully enjoy the 'digital rights' granted to them by current EU regulation will consumer confidence and the single market for businesses blossom, thus fulfilling the promise of the European digital market.3 Members of the European Parliament,4 the Council of Europe and EU Commissioners Reding and Kuneva have repeatedly expressed the importance of regulation in addressing the risks associated with these developments.5

On the one hand, there is a perceived need to revise and update current EU regulation to take into account the challenges to people's privacy and personal data introduced by new technologies. The Data Protection Directive, the ePrivacy Directive and a range of related legislation (eSignatures, Services Directive, etc) are being scrutinised as to their adequacy and efficiency in regulating an increasing range of online and offline transactions based on identity.6

On the other hand, policy-oriented literature often addresses this challenge by focusing on technological solutions. Although the interest in technical solutions is warranted, much less has been said about the regulatory challenges and solutions arising directly from electronic identity (eIdentity).7 We argue that the current debate in policy circles may underestimate the implications of the digitalisation of identity and the centrality of 'identity' to the legal architecture protecting citizens' personal data, privacy and common wealth in the digital age. The distinction, then, is between technical systems and citizen choice; while both are necessary, the rights of citizens should have pride of place in the debate.

This paper addresses a number of regulatory challenges arising from recent eIdentity developments and proposes some instruments available to address them. The focus is on regulatory and legal issues rather than technical ones: it identifies legal gaps and explores the relative merits of a coordinated approach to the regulation of identity in the digital age, one that speaks directly to the policy agenda.

2. Developments in Electronic Identity

With informatisation, nation states have long lost the near monopoly they enjoyed on their citizens' identities. Providers of internet services, ICT companies and identity assurance providers have all but supplanted public authorities as the largest controllers of people's identity - provision of credentials, identification, authentication and authorisation. But old dogs have also learnt new tricks, casting an increasingly wide net of electronic surveillance over the activities of their protégés.8

These relatively new identity info-mediaries and practices are today indispensable for ensuring access to public and private services - including health, education and security. Increasingly, more of the personal sphere is recorded, stored and analysed (as in the case of nominal e-ticketing, in which identity tags are attached to transactions that were previously anonymous). Yet identity transactions via such mediators rest on an increasing number and variety of identity systems. Neither Internet, mobile nor other electronic transactions are based on a single, interoperable, let alone open-standard, identity layer. There is today a plethora of sector-specific solutions (based on e.g. SSL encryption, PINs, tokens) and e-services (e.g. based on a PKI infrastructure with either strong or weak authentication). We can also see a new trend from circles of trust towards open and/or federated systems; this is part of the development away from centrally controlled systems towards more open identity infrastructures.9

At this stage, it is too early to adjudicate whether the trends described go in the direction of increasing fragmentation, decentralisation and user-chosen identity, or toward increased centralisation and more state and business control over people's identities. Regardless, novel possibilities for the qualification of human identity are emerging. These developments raise concerns about the overstepping of European citizens' human rights, including privacy, in an ever expanding surveillance society, perpetrated by business10 and public authorities alike.11 How much freedom ought to remain for individuals and businesses to opt out from the provisions of existing or forthcoming regulation needs scrutiny. Whether it is better to opt out of general rules or from specific transactions (e.g. repudiation) requires examination. In general, there is today a very cautious attitude towards the collection of citizen information, whether by governments or private companies.

Consumers increasingly have to take legal responsibility for their actions online as well as offline. For example, legal responsibility can derive from lack of diligence. It is complex to distinguish, technically and de jure, awareness from diligence. A similar point is raised by the need to safeguard one's online, digital personae: whether a requirement exists to maintain a correct digital identity at all times, and whether there is a requirement to keep it safe at all times, to prevent misuse.

Furthermore, problems originate at the intersection of personal, group, space and infrastructure (for example: who has legal responsibility for the in-links and out-links in a person's Facebook profile? Who has ownership?). The question may be raised of whether links and relations are part of the self, or whether they belong to the context in which they are generated (so-called data portability). In this framework, one cannot overemphasise the importance of technical-legal literacy for citizens, developers, legislators and judges. This can be a problem even for those who are called upon to develop new technologies, information systems and architectures. Software developers, for example, are sometimes unaware of the legal consequences of some functionality implicit in the product; law is seen as a marginal element, entering the design equation very late in the design process.

Finally, from an economic perspective there are concerns about the monetisation of any of the possible identity architectures (centralised, federated, standardised, etc.) currently advanced by competing stakeholders, the balance of benefits and risks in terms of the European internal market, as well as the fairness and competitiveness of any such arrangements.

3. eIdentity Regulatory Challenges

We distinguish five main challenges and discuss each of them from a policymaker's perspective.

1) Challenge 1: eIdentity as a new legal category

The initial issue with the regulation of identity is, naturally, one of definitions. While this paper does not aim to contribute to this vigorous ongoing debate, we will note three key points.

First, identity and related concepts - entities, partial identities, identifiers, virtual identities, profiles - are currently not well enough understood in policy circles. The lack of clear and shared definitions of eIdentity precludes a correct representation of the challenges and as a result hampers building a consensus on a legal definition of the issue. In addition, there is no common terminology across different contexts. Conceptual work is required regarding eIdentity transactions: the provider, the nature of the identified thing (person vs. object), the way by which persons are identified (name, serial number, body), the purpose of the identifier (traceability, authentication), the resource to which the person gains access (commercial, social, public). The creation of such a common terminology must precede any structured attempt at assessing the legal consequences of eIdentity. In this context, the policymaker should become much more aware of, and engage in accepting, available identity-related terminology and definitions.

Second, the relation between eIdentity and data protection (DP) should be clarified. Often, as we noted in the introduction, the two are conflated in policy discussion regarding privacy and data protection. But eIdentity encompasses a much wider field than DP. DP rules qualify identity only in relation to controllers' behaviour with respect to personally identifiable information (identifiers and partial identities). Partly, this depends on the fact that DP deals hierarchically...
