journal article Dec 07, 2017

Identity Assurance in the UK: technical implementation and legal implications under eIDAS

The Journal of Web Science Vol. 3 No. 1 pp. 32-46 · Emerald
DOI: 10.1561/106.00000010
Abstract
Gov.UK Verify, the new Electronic Identity (eID) Management system of the UK Government, has been promoted as a state-of-the-art privacy-preserving system, designed around demands for better privacy and control, and is the first eID system in which the government delegates the provision of identity to competing private third parties. Under the EU eIDAS Regulation, Member States can allow their citizens to transact with foreign services by notifying their national eID systems. Once a system is notified, all other Member States are obligated to incorporate it into their electronic identification procedures. The paper offers a discussion of Gov.UK Verify's compliance with eIDAS, as well as of Gov.UK Verify's potential legal equivalence to EU systems under eIDAS as a third-country legal framework after Brexit. To this end it examines the requirements set forth by eIDAS for national eID systems, classifies these requirements in relation to their ratio legis and organises them into five sets. The paper proposes a more thorough framework than the current regime for deciding on legal equivalence and attempts a first application in the case of Gov.UK Verify. It then assesses Gov.UK Verify's compliance against the aforementioned sets of requirements and the impact of the system's design on privacy and data protection. The article contributes to the literature on privacy-preserving eID management by offering policy and technical recommendations for compliance with the new Regulation and an evaluation of interoperability under eIDAS between systems of different architecture. It is also, to our knowledge, the first exploration of the future of eID management in the UK after a potential exit from the European Union.

Details: Published Dec 07, 2017 · Vol/Issue 3(1) · Pages 32-46
Cite This Article
Niko Tsakalakis, Sophie Stalla-Bourdillon, Kieron O’Hara (2017). Identity Assurance in the UK: technical implementation and legal implications under eIDAS. The Journal of Web Science, 3(1), 32-46. https://doi.org/10.1561/106.00000010