User convenience is the driving factor. Clients only need to create an account or log in to their account and they can do business. This is a great way for companies to do business. The only down-side is that clients need to create and keep control of many accounts, and – assuming that they do this safely – to use a different password for each account, which they have to remember.
The average person in the Netherlands has a hundred accounts that are used regularly, plus a hundred accounts, which were once made, but used less frequently.
The end result is that members of the public have a range of accounts, which are easy to access, as they tend to have an e-mail address as the user name and a password that is often used for several, if not all, accounts.
Most e-commerce accounts require the name, e-mail address and place of residence. These accounts thus contain highly vulnerable information. Some sites that are subject to a legal age limit even require a date of birth. Few people realize that if their name, date of birth and bank account number fall into the wrong hands, this could lead to major problems.
In many cases, online shops ask for too much information. They do this in order to get to know their clients better, and thus target their special offers more effectively. The clients themselves have little say in the matter, as they are unable to make their purchase if they do not provide the information.
The government’s proposed eID Scheme can change this dramatically. If the bill is passed, the public will have access to their ‘digital passport’ that is comparable to a more modern and safer version of the current DigiD.
In the Netherlands, DigiD is the acronym for Digitale Identiteit (digital identity) and is a personal combination of a user name and a password issued by the Dutch government. DigiD is used to identify yourself online for municipal services, such as the tax authority, child benefit and so on. DigiD can also be used for other government and semi-government entities in the Netherlands.
What is the eID Scheme?
The Dutch government is collaborating with industry to create a standard for access to online services. The popular name for this is the eID Scheme. This scheme will enable citizens, consumers and business people to conduct business with the government and industry online, using one or more means of logging in.
How will this work in practice?
People will be able to register for an account at a company, the so-called authentication provider. They will be able to register for different accounts at companies, for example both a private account and a business account, which will be treated separately.
One account will have three levels of assurance: a basic level; a level with a greater degree of assurance (equivalent to a bank card); and a high level of assurance (for example if you act on behalf of others). These levels of assurance are subject to European guidelines, so that the account can be used throughout Europe.
For some time, the government has been working on and with the levels of assurance for registration and issuing of documents, which can be issued without face-to-face contact, as well as on the quality of authentication tools and processes. The tools and processes may be the user’s name and password rather than, for example, text messages, tokens or smart cards. The various levels of assurance are based on the STORK levels/standards for the use of e-standards across borders within Europe, which rates the security of people’s electronic authentication from level 1 (low) to 4 (high).
An account is issued in a defined and well-structured procedure. You are given a digital identity consisting of identity information, a password and another item in your possession with which you can prove that you are who you say you are.
This item may be a password and an app, which generates a separate code. The agreed procedure is designed in such a way that it will develop as technology develops. As soon as other means become available, these can be used too.
The difference between the proposed system and DigiD is that the eID has a higher level of assurance potential and that it is suitable for commercial uses. This is not possible with DigiD.
How does logging in work in practice?
If you visit a web shop that is connected to the eID Scheme, you will see a button, which you can use to identify yourself through the eID Scheme. It then displays a list of authentication providers that closely resembles iDEAL, an Internet payment system that is commonly used in the Netherlands. You choose your account provider from the list. You then register through your authentication provider and enter the web shop.
The web shop receives the necessary information regarding your identity from the authentication provider.
The first time that you log in, the web shop displays the information that it requires in order to do business with you. You only need to fill in the information once and you will have access on subsequent visits.
The eID Scheme is a set of agreements between Dutch public and private organisations. It is designed in such a way that web shops may not request more information than they need for each particular transaction. Furthermore, each individual determines the information that he/she wishes to share. Those wishing to use the scheme must meet a number of conditions. Companies that flout the agreements can be removed, including companies requesting information that is not relevant to the business in question.
One example is that a wine merchant does not need to know a customer’s age. All he needs to know is whether the customer is above the legal minimum age of 18 years. The authentication provider has this information and validates it so that the wine merchant receives reliable information.
All the information required for making online transactions are ‘saved’ in the eID environment. You authorize, as it were, a company operating according to the eID Scheme to store, verify and use the information.
Can I remain anonymous?
Yes. Natural persons remain anonymous in the eID Scheme. If you do not consider it relevant to share your name for a particular transaction you are not compelled to do so. The eID Scheme gives you the option of creating an anonymous, unique identity and you yourself decide what details may be used for that identity.
Many web shops may want to know a name, but it is your choice whether you wish to use it.
If I regularly log in to the authentication service, will that service know everything I do?
The authentication service supplies the information to the web shop, but it does not need to store your history. Any customer is free to request that his/her history be stored in order to trace any misuse of his/her account. The police may only request this history, if there is valid reason to do so and a court procedure has ended. Thus, your history may only be shared if there are good reasons to do so, and it may not be shared without your knowledge.
Can my account be misused and if so will I know?
The eID Scheme meets the most stringent quality standards and the encryption technologies that it uses are modern and reliable. Tests are carried out continuously to find any weaknesses.
When you log in, you will see when you logged in last, so that you can check if the date is correct. In addition, you can opt to receive a message for each transaction that is done using your account.
Do other European countries also use electronic identity cards?
countries in Europe are using electronic identity cards as well. The countries where
eID cards are either being developed, or are being applied to varying degrees
for electronic services between residents, companies and government include Estonia,
Belgium, Austria, Germany, England and Sweden.
Can the eID Scheme be seen as a trust framework?
The eID Scheme can be compared to a trust framework in the sense that it comprises a set of specifications, rules and legal obligations that address a specific element or issue of importance to the transaction. It defines the rights and responsibilities of the trust framework’s community participants; qualifies the policies and standards specific to the community; and defines the community-specific processes and procedures that provide assurance. In order to be a part of a trust framework, it must still meet the baseline standards established by this framework.
In a framework such as this, it is preferable for the eID card to be issued by the private sector under the monitoring and supervision of the government. The private entities develop the technology that will best protect the eID card. The public may choose which entity to obtain an eID card from, and is free to switch suppliers if a private entity develops a better technical solution.If the government is responsible for the issuing of the eID card, the public will inevitably lag behind any technological developments and will then run major risks in terms of the best possible protection of the eID card. In a trust framework such as this, the government’s function should primarily be to be responsible for supervision and monitoring.
The details listed above may only be saved and changed by the Identity Provider. And solely at the request of the eID card holder (or the authorised representative) will the details be issued to the service providers.
The Dutch eID Scheme has several advantages: the individual retains control over his/her information while being able to make online transactions with private and public entities using just one or a few accounts. People no longer have to have many accounts, which they then need to keep track of. The government monitors compliance to agreements by companies and entities involved in the Scheme to ensure that the information is and remains secure. The government is working towards having the eID Scheme operational in 2017.
For further information, see: www.eid-stelsel.nlPeter Hoogendoorn (teamlead demand and portfolio management ABN AMRO)