3.3 Suggestions for Nordic-Baltic region
In general, our proposed solution consists of answers to two crucial questions:
How would member state e-services be able to smoothly start serving non-residents of a given member state, regardless of whether the user is a returning user with changed residency or a new user?
How can a potential match between identities from different member states be made with the least amount of effort at the required level of assurance, following the once-only principle?
As we considered that member state service architecture will remain dependent on the local identity data structure for a while, we deemed it a priority to implement a “change on border” type of solution. This means everyone who enters an e-service in a member state will be given the ability to express their identity in a format that is known in the local ecosystem.
For that to happen, our suggestion is to make the change through a proxy such as the eIDAS Node, as described in detail in the “eIDASNode+” scenario, where we extend the existing framework to accommodate the multitude of identities. The implementation of the identity matching solution must respect the fact that not all e-services require a local identity. Such e-services should not be impacted by the change and must be able to operate with a setup that corresponds to the current eIDAS node and business logic.
We also considered that a direct connection to e-services should be taken into account, and this can be done through an EAA (created by completing the “Hard_EAA” or “Easy_EAA” scenario) as part of the authentication and authorization process.
Further, if a person has an EAA that connects different identities and that individual needs to prove some rights (eligibility) or needs to create connections to any dataset, then the person will be able to present and prove that claim, even if through a manual process. With a working eID and EAA, all the evidence needed is immediately at the person's disposal and ready to be presented for a decision.
Depending on the agreed objectives, the identity matching solution can be built so that “eIDASNode+” is used as the core solution or foundation for provisioning the service. There are several countries in the Nordic-Baltic region that have either deployed a solution similar to “eIDASNode+” or made plans following the mindset of “eIDASNode+”. Other solutions can be incorporated into the logic of “eIDASNode+” according to the added value they provide, either by facilitating the matching process (e.g., “Easy_EAA” pairs eID means, “QuickFix” digitizes the process of new identity creation) or by providing an interoperable scheme in the format of an EAA (“Easy_EAA”, “Hard_EAA”) for distribution and further use of identity matching results. Nevertheless, all four solutions have properties that allow their deployment as standalone solutions.
To answer the second question, the availability of an identity matching service, together with the ability to find existing and assign new member state specific identifiers, is the cornerstone of the proposal. It must be noted that, to fulfil the targets of the SDGR, the ability to assign new member state identifiers through a digital process is as important as the capability to match identities of different member states.
In most countries such a service exists but is often not available remotely. Our QuickFix scenario improves the availability of receiving member state specific identity attributes and produces. Also, the Easy_EAA is easy to implement alongside any existing identity matching, allowing most of the work to happen as self-service. The Hard_EAA model builds on the fact that the e-service user is known to have a high level of assurance for one member state, and the next member state can therefore rely on the first. That again improves the availability of identity matching services.
There is substantial potential for efficiency in sharing the matching service results with the member state from which the matched identity originates. A match made in one country should not be contested by another country, and both countries could use the match for translating identity in their member state services. The EAA format allows data to be shared and checked for validity in quite a general sense, whereby the integrity and authenticity of the data are well protected. The solution for exchange and recognition of EAAs between registries of member states is subject to further design and agreement.
Common rules for making the match could also mean that matching will have its own “level of assurance” to indicate what process and data were used to match the identities. The highest level of assurance should mean that the matching can be trusted to hold true in any transaction regardless of the context. Lower levels could be assigned if the assurance holds true only in one clearly sector-specific context (healthcare, construction, taxation, etc.) or where the match had to be made with a clear lack of data and the associated risks still allowed it to be pursued.
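The “change on border” translation and the matching level of assurance described above can be combined in one decision at the proxy. The following is an added example, not code from the report or from the eIDAS Node; the level names ("high", "sector"), field names, status values and all identifiers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Match:
    local_id: str                  # identifier known in the local ecosystem
    level: str                     # assumed labels: "high" or "sector"
    sector: Optional[str] = None   # set only for sector-specific matches

@dataclass(frozen=True)
class Service:
    name: str
    needs_local_id: bool           # not every e-service requires a local identity
    sector: str

# Constructed sample registry of matching results, keyed by foreign identifier.
REGISTRY = {
    "EE/FI/EXAMPLE-0001": Match("FI-LOCAL-0001", "high"),
    "LV/FI/EXAMPLE-0002": Match("FI-LOCAL-0002", "sector", "healthcare"),
}

def translate(assertion: dict, service: Service, registry=REGISTRY):
    """Return (status, assertion) as the proxy would hand it to the e-service."""
    if not service.needs_local_id:
        # Service operates as with the current node: nothing is changed.
        return "passthrough", dict(assertion)
    match = registry.get(assertion["person_identifier"])
    usable = match is not None and (
        match.level == "high" or match.sector == service.sector
    )
    if not usable:
        # Never hand over a local identity the match does not cover;
        # the user is directed to the identity matching service instead.
        return "unmatched", dict(assertion)
    translated = {**assertion,
                  "person_identifier": match.local_id,
                  "match_level": match.level}
    return "translated", translated
```

A sector-specific match is honoured only for a service in the same sector, so a healthcare-only match never reaches a taxation service as a local identity.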
When dealing with data exchange between member states and ensuring trustworthy results of the matching process, the necessity for data sharing between member states’ registries during the identity matching process must be noted. During interviews with Nordic and Baltic countries, the need to extend the scope of attributes available for the identity matching process was expressed multiple times. Attributes such as ‘nationality’ and ‘place of birth’, among others, have been regarded as records that would facilitate the matching process and provide the required trustworthiness. Although the eIDAS node has several attributes (incl. ‘place of birth’) that may be distributed, due to their optional nature these attributes are mostly not available to relying parties. Accordingly, such additional attributes could be shared through data exchange between the registries of the countries whose identities are involved in a particular matching process.
Action plan to implement suggestions
The following must be done to implement the proposed solutions:
Define the EAA standard to use and specify its content (e.g. OpenID Connect for Verifiable Credentials (OIDC-VC) for electronic usage, but we recommend PDF to support F2F interactions as well). Although the content of the attestation is not too complex, issues like data minimization and privacy preservation may lead to some difficulties. Existing standards allow interpretations that do not guarantee interoperability at attribute level, so a specific implementation must be agreed. We also note that the agreement must be open to change as the maturity of the eIDAS-defined attribute attestation service evolves in the coming years.
Create a common extension, or use an existing one, to allow the eIDAS Node to replace the incoming identity with a local one before it reaches the e-service provider. Organizationally, the identity matching data and the service that translates foreign eIDs into locally acceptable ones do not need to be bundled with eIDAS Node hosting, but that might ease the implementation. It is important that the service is usable by the eIDAS Node and that it is supported in the product lifecycle as an extension. This may need a cooperation agreement with the European Commission, which is responsible for the development of the building blocks.
Review national legislation on the processing of personal data in terms that would support deployment of the once-only principle and, in justified use cases, facilitate identity management processes in a user-controlled manner. Initiate the legal changes necessary for the introduction of the proposed procedural and technical activities.
Agree at NBCM level that electronic identification of a country's resident at the “high” level of assurance must be accepted as proof of identity on the same level as physical identity documents from that country, and that, to identify a physical person, countries grant each other similar rights and obligations as are contextually needed.
Formalize sharing of the matched identity data between countries. Establish a framework defining principles for the identity matching process and acceptance of matched identities in the Nordic-Baltic region. It should give requirements for:
Accepted sources for identity attributes (e.g., eID means, identity documents, cross-border data exchanges between registries),
Handling identity attributes (e.g., minimum data set, encoding of characters),
Defining the level of assurance for the results of the identity matching process depending on the sources of identity attributes and the procedures in the case involved,
Data governance rules, protection, and mechanisms for supervision for data handling (e.g., notification to matched identity about established cross-border connection with other identity, enable users to view events accessing their data).
Harmonized and enforced requirements allow participants of the framework to trust each other’s matching results and enhance identity management in the region through a cost-effective approach.
Enable the exchange between countries of attributes deemed necessary for the identity matching process.
Address the issue of using a derived personal identification number as the value of a person’s unique identifier delivered by an eID scheme in a cross-border context. According to information published by the EC, there are several countries in the Nordic-Baltic region that implement such a practice. Handling of derived personal identification numbers adds a considerable layer of complexity to the identity matching process and to the usage of matching results if the created evidence does not contain the personal identification number values that are operated domestically or communicated to other countries (i.e., receiving country specific derivation).
Amend domestic legislation and processes so that creation of identities through a digital process is allowed. Currently, persons accessing cross-border e-services without having a personal identification number of the e-service provider’s country are queued in virtual “waiting rooms”. Passage through a virtual waiting room is granted only after completion of specific physical activities in the receiving country. Digital transformation of physical procedures meets the aim of the SDG regulation. Depending on country specifics, the identities created through digital processes could have a dedicated level of assurance or status in the country’s identity management system.
What will the future safety concerns be for identity matching?
Identity matching, if done incorrectly, may leak a person's data and create a permanent backdoor to their records. If matching is done in a very privacy-preserving, non-linkable, non-traceable manner, then detecting that anything has happened at all may be hard, and investigating it would be hard as well.
Identity matching not done where needed leaves people without access to their records, to which they have legitimate rights. This may hinder a person’s most basic functions such as health, the ability to earn income or access to their loved ones.
What will the future need for identity matching be and are the suggested solutions scalable?
The EUDIW is an identity matching machine: within a single EUDIW a person is meant to generate as many pseudonyms as they wish, and service providers must accept these unless the law directly forces people to reveal their actual personal data. Our solution does introduce the EAA concept, which is an external proof of identities that can be matched; however, given the nature of eIDAS and the EUDIW ARF, we see that we are bound to have many more orphaned accounts to which the original owner will be unable to get access even if they want to.
Suggestions on how quality of data across countries can be improved
Only used data is accurate and it is accurate because something depends on it. Therefore, link the data and use the linked data and show that to data subjects and make their life depend on it. We also believe that sharing the data about matches created will improve data quality and allow quicker error spotting.
eIDAS revision implications
At the time of writing this report, the eIDAS revision has still not been finished. However, the discussions and released versions of the text bring in several changes relevant to this report, and we would like to briefly touch on the following:
Electronic Attestation of Attributes. Electronic Attestation of Attributes is seen as a Trust Service in the regulation, which will create greater clarity on the organizational and technical requirements for such services and for the attestations themselves. However, nothing prohibits Nordic and Baltic countries from using such methods already now. In principle this is a document with an e-seal confirming that the identity data set of one member state belongs to the same person as the identity data set from another member state. These e-seals must be trusted by the NBCM community. As e-seal issuance and handling is covered by the current regulation, an agreement can be made based on this. It is important to note that lifecycle management of such attestations must be well thought through. Although it is assumed that identity matching is done once and the link between identities persists forever, the process is open to errors of different kinds, so the need to revoke this link must be foreseen. An attestation is a digital document and lives independently of its issuer. The other attestation-related concern might be data privacy. An attestation should include only a minimal set of user data, but enough that it is unique to the member state it originates from. Additionally, it is possible to create attestations that are only usable to validate the claim of identity matching and that cannot be used to derive the identities they connect. We see that such discussions must take place before launching the system, but there are solutions that make it possible to implement a politically agreed solution.
eID scheme notification obligation. The new version of eIDAS foresees that all member states will have to notify an identity scheme and that at least one such scheme should be at the level of assurance high. Although this statement may change, it at least for now gives hope that there is a way to authenticate from every member state using the highest level of assurance through the eIDAS node infrastructure. There is, however, no statement on how many citizens of a country such a scheme should cover, but in our proposals we can assume that such a mechanism is available for a willing participant, and that it is not discriminatory to request the use of such a scheme to interact with the identity matching service.
Introduction of EU Identity Wallet. The introduction of the EU Identity Wallet (EUDIW) will change the landscape of e-services in the coming years and may well compete for attention and budget with most other issues that this report or any other may address. Therefore, alignment with this change has been a burning issue for the research. The introduction of the EUDIW as a mandatory tool for authentication for public and private sector services creates incentives to leave central identity brokers such as the eIDAS Node infrastructure. We have therefore envisaged the EAA model alongside the eIDAS Node extension. We see that the proposal allows a smooth transition from one model to the other. However, we also see that the planned shift creates an environment without identity data that could be matched, and instead a lot of pseudonyms and only claims about the existence of attributes. That sometimes leaves the active and cooperative participant without proper support, because data is not available to help them, but even more, it hides the traces of those who did not want to be matched in the first place. It leaves no room for state-to-state cooperation. Based on that, we also feel that our focus on the scenario of helping a person who seeks help and is supportive of the identity matching is best suited.
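The Electronic Attestation of Attributes item above asks for attestations that prove a match without exposing the identities they connect, and that can be revoked. The following is an added example of one way to do this, not part of the report: salted hash commitments stand in for the identity data, and an HMAC with a shared key stands in for the issuer's e-seal (a real e-seal is an asymmetric signature); all names and identifiers are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

SEAL_KEY = secrets.token_bytes(32)  # stand-in for the issuer's e-seal key (assumption)
REVOKED = set()                     # attestation ids withdrawn after a matching error

def commit(country: str, identifier: str, salt: bytes) -> str:
    """Salted hash; without the salt the identifier cannot be guessed or derived."""
    return hashlib.sha256(salt + f"{country}:{identifier}".encode()).hexdigest()

def _seal(body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SEAL_KEY, data, hashlib.sha256).hexdigest()

def issue(id_a: tuple, id_b: tuple):
    """Return (attestation, salts). The salts stay with the holder only."""
    salts = [secrets.token_bytes(16), secrets.token_bytes(16)]
    body = {
        "attestation_id": secrets.token_hex(8),
        "commitments": [commit(*id_a, salts[0]), commit(*id_b, salts[1])],
    }
    return {**body, "seal": _seal(body)}, salts

def verify(att: dict, id_a: tuple, id_b: tuple, salts: list) -> bool:
    """Relying party check: seal intact, link not revoked, both identities fit."""
    body = {k: v for k, v in att.items() if k != "seal"}
    if not hmac.compare_digest(att["seal"], _seal(body)):
        return False
    if att["attestation_id"] in REVOKED:
        return False
    expected = [commit(*id_a, salts[0]), commit(*id_b, salts[1])]
    return expected == att["commitments"]
```

The relying party learns nothing from the attestation alone; it can only confirm a pair of identities the holder already presented together with the salts.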