Blogs

Authenticating/registering to online platforms – how about having the choice to use your own eID means?

  • Andrea SERVIDA profile
    Andrea SERVIDA
    15 December 2016 - updated 4 years ago
  • 2 comments
    Total votes: 3

On a recent trip I tried to log in to the free wifi network at a major European airport to check my emails and social networks. The first step was to "log-in with my Facebook or Google ID". I was wondering – what happens if you don't have such an ID (answer: the fine print allows for a lengthy sign-on process without such an ID). And secondly: what personal data are they going to use here, and for what purpose?

In order to empower consumers and to safeguard principles of competition, consumer protection and data protection, the Communication on Online Platforms and the Digital Single Market said that the Commission will further promote interoperability actions, including through issuing principles and guidance on eID interoperability at the latest by 2017. The aim is to encourage online platforms to recognise other eID means — in particular those notified under the eIDAS Regulation — that offer the same or higher assurance as their own.

The policy goal of this commitment is two-fold. Firstly, it is to allow both private and business users to take greater control of how their cross-platform data is shared. Secondly, where identification and authentication are mutually agreed by both parties, the eID framework can offer the only privacy-respecting EU-wide authentication scheme. In case you don't have an eID card for you or for your business, anyone can get one in Estonia, a pioneer in digital services.

In many cases, businesses that use intermediary online platforms want to be sure that their counterpart is indeed the natural or the legal person one claims to be, for example in order to minimise the risk of fraudulent transactions.

Individual users want to protect their personal data as best as possible. In this context, it is recommended that they use different username and password combinations for each platform/website. However, as this is quite inconvenient it has become a frequent practice to use one’s platform profile for accessing a range of websites and services. This in itself poses both security and data protection risks as it often involves non-transparent exchanges and cross-linkages of personal data between various online platforms and websites.

As a remedy, in order to keep identification both simple and secure, individual and business users should be able to choose the credentials by which they want to identify or authenticate themselves. In particular, online platforms should accept credentials issued or recognised by national public authorities, such as electronic or mobile IDs, bank cards, etc.

This could bring benefits not only to users, but also to the online platforms themselves and here are examples of such possible benefits:

For online platforms

  • eID means issued or recognised by national public authorities provide the possibility to safely enrol users and quickly validate their identity, and mitigate the potential risks attributed to unverified users. Registering with their real identity is often part of the terms and conditions that the users sign upon registration.

  • This is a good solution especially in areas like travel, banking, rentals or other transactions where proving the “true identity” is important. E.g. for payment platforms, authenticating merchant identities reduces the risk of having a fraudulent merchant trying to generate illegal revenue.

  • Platforms often use various complex tools to analyse user data and behaviour in order to detect identities which are not real. Of course this comes at a cost and, in addition, the effectiveness is not 100%. With the use of eID, individual users are identified with a much higher effectiveness.

  • The cost of securely protecting identity data is removed as this is done by the identity provider. Identity data indeed neither needs to be collected nor retained, as each authentication involves the sending of a unique identifier to guarantee correct record matching ("querying of third-party identity databases").

  • The use of eID means may increase the user acquisition rate by enabling users to trust and know that they are interacting with real people (or genuine legal entities) who have been verified to be the person they claim to be. It can also lead to multiplication of traffic and transactions by increasing users’ feeling of trust. The more the users trust other users, the more they’ll interact with them through a platform.

For businesses

  • The use of government issued/recognised credentials can help establish mutual trust between participants in a transaction, by ensuring that each knows the real identity of the other, thus minimising risks of fraud and consequently of financial and reputational damages.

  • Some online marketplaces enforce sale quotas on new merchants in order to reduce risks. By creating an account with his real identity in a marketplace a merchant may have such quotas reduced.

  • A trusted environment may lead to an increased traffic and number of transactions, and thus increase turnover and profits.

For individual users

  • An eID can enhance users' privacy as it limits the need to always, and repeatedly, provide personal data.

  • It gives citizens control of their identity – they decide when to present the credential and when not to.

  • It brings more convenience as it reduces the number of usernames and passwords for the user to remember.

  • It enables more efficient and secure access, provides a higher level of online safety, stronger protection against identity theft and fraudulent use compared to the simple username/password combinations.

  • It allows cross-border identification, which is in unison with the nature of online platforms.

We would like to hear your views on this. To what extent the above would be real benefits for you. Are there others? What could be the principles we could jointly agree on to enable eID use in online platforms?

Feel free to express your views directly in the comments sections below, by contacting us at CNECT-EGOVERNMENT-AND-TRUST@ec.europa.eu.

 

Comments

Log in to post comments
Denis PINKAS's picture
Denis PINKAS,
20/02/2017 09:30

On December 15, 2016, Mr Servida wrote:

"Individual users want to protect their personal data as best as possible. In this context, it is recommended that they use different username and password combinations for each platform/website."

However, the current approach in the Commission implementing Regulation published in accordance wit Article 12 from the eIDAS Regulation does not allow to "use different username and password combinations for each platform/website" since the needs of the users have been omitted (i.e. forgotten) in the eIDAS Regulation.

Mr Servida wrote:

"the eID framework can offer the only privacy-respecting EU-wide authentication scheme".

Unfortunately, this is not the case.

Mr Servida also wrote: "We would like to hear your views on this". So, here they are.

The eID framework was supposed to address both "privacy by design" and 'interoperability" but these two important topics have not been taken into consideration in the Commission implementing Regulation (EU) 2015/1501 issued on 8 September 2015. This means that the Commission implementing Regulation (EU) 2015/1501 is not conformant with Article 12 from the eIDAS Regulation, which is a rather odd situation.

Its normative annex specifies "Requirements concerning the minimum set of person identification data uniquely representing a natural or a legal person" which violate three "privacy by design" principles:

  • Data minimization : to minimize the amount of attributes to be disclosed to a server to the minimum necessary to achieve the stated purpose,
  • User Consent : to enable users to agree to consent for the communication of a subset of their attributes through an affirmative process,
  • Unlinkability : to prevent the linkability of transactions of a given user among distinct servers or even for a single server.

Since the unlinkability principle has been forgotten, any Service Provider will have the possibility to make sure that an access to their web site can be correlated with an access to another web site that is not under their responsibility

Furthermore, the mandatory nodes that need to be placed between MSs violate another "privacy by design" principle :

  • Untraceability : to prevent a node to know to which Service Provider an access token will be presented by a User.

These nodes will have the perfect position to act as Big Brother.

The end result looks more like a construction based on "spy by design" principles rather than on "privacy by design" principles.

The interoperability framework is likely to be a chimera as long as every MS will be able to notify any kind of electronic identification scheme.

If we assume that a MS will only register one eID scheme, each cross-border node will need to support 26 translation protocols (since the UK will be leaving the EU). Altogether these cross-border nodes will need to support 702 translation protocols (27 x 26) which is rather unrealistic since the feasibility of these 702 translation protocols has not even been demonstrated.

Furthermore, "the recognition of the electronic identification means under that scheme (...) shall take place no later than 12 months after the publication of that scheme".

The Commission announced that it will promote interoperability actions, including through issuing principles and guidance on eID interoperability at the latest by 2017.

The remaining of this contribution is to pave the way for an eID scheme able to take care of both "privacy by design" principles and of "interoperability" considerations as required by Article 12 from the eIDAS Regulation.

Such a scheme has been built from scratch using "privacy by design" principles, "privacy by default" principles and also taking into consideration potential security attacks including some sophisticated attacks like the Alice and Bob Collusion attack (ABC attack) that none of the systems handling attributes contained in access tokens is able to counter today.

See: https://www.ietf.org/mail-archive/web/oauth/current/msg16767.html 

In particular, Idemix from IBM and U-Prove from Microsoft are both vulnerable to the ABC attack. They have been developed under the ABC4Trust project where the EC has invested 8.85 million euro. However, the ABC attack has never been considered by the team members of the project when the project has been developed.

This alternative eID scheme will not require the use of national eID smart cards issued by governments but will require the use of secure elements (e.g. smart cards) supporting specific characteristics. It is based on a subset of the architecture principles from FIDO (First IDentity Online) and has been expanded to add attribute management on top of it.

If possible, I would appreciate to get a time slot at the Workshop "Towards principles and guidance on eID interoperability for online platforms" that will take place on 8 March 2017 to explain how it is possible to built an eID scheme that is "privacy friendly" and which takes care of "interoperability" considerations that is not restricted to the EU, nor to relationships with governmental administrations.

Hence, such an eID scheme would be worldwide scalable for both the private sector and the public sector.

Total votes: 0
Stephan Engberg's picture
Stephan Engberg,
21/12/2016 18:44

The questionaire fails to recognice the obvious need - to establish accountable identity which does NOT identify towards the platform, i.e. Pseudonym Signature.

Except for this using horisontal SSO inhernetly involve a privacy/security risk or even violation. So of course eID or Id structures securely derived from eID should be both required legal tender on online platforms (illegal to require identification beyon ensuring accountaiblity) and actively promoted.

Total votes: 0