John Bullard - TrustChains - London 30 April, 2009, 09:59 0 likes

Bo;

I agree with your points- and believe that Governments around the world are starting to understand that "eGovernment applications" can indeed be underpinned by "bank issued electronic identity credentials". It doesn't make any sense to reinvent a wheel if banks already have one which works in their space.

As for your 3 neutralities:

i) yes Regulation both at a local (ie national) and worldwide (ie at a "scheme" level) is essential. Not just Technology audits (eg WebTrust) but also at the Policy level- with some form of Policy Approval Authority for the conduct of the Scheme.

ii) Applications will drive the nature of the underlying tool. For accessing a low value application, hi-level eID assurance can be overkill. But as technology costs are driven down, the use of higher assurance tools (such as certificates on some form of hardware device) become more affordable for lower value apps.

iii) The platform should be able to support multiple different tokens-including mobile- again it is the Application/Use which will drive the token- and the eID token itself should be "thin" (ie not loaded with attributes- which would pose security/privacy issues).

Critical to all of this (and exactly as happened in the card payment world some 30 years ago) , there must be some sort of contract-based Operating Ruleset which simply defines the "minimum operating requirements" for issuing and relying parties in eID- in order to define liabilities between all the parties- these MOR's form a set of solid foundation building blocks removing grey areas/inconsistencies (which is where risk/losses occur).

The MOR's of a Ruleset should be globally applicable (just like the rules of the Card Schemes are essentially global ), and then can be blended to meet local needs.

Banks are ideally placed to fulfill the roles of issuance of, and reliance upon eId's on behalf of their customers, and to prosper in doing so. That is why they created a Ruleset/Scheme based approach (IdenTrust) some 10 years ago, and why it is now seen as a practical/workable solution to an enormous problem.

Best wishes

John 

A Finextra member 01 May, 2009, 04:29 0 likes

The three neutralities mentioned are ideal given the competitive landscape that we are in. And these tools and technologies are hardly new. What would be novel is a very strong scheme to enable one e-id service work for different applications and purposes (i.e., secured email, secured online banking, secured payments, secured e-gov, etc.).

There are reasons why, despite all these tools and technologies and even the definition of MORs ten years ago, card schemes and banks have still not been able to squash online payment fraud. Lack of consumer protection and lack of competition between card schemes and banks comes to mind.

As much as I agree with the 3 neutralities, I would have to disagree with the following : 

"eGovernment applications" can indeed be underpinned by "bank issued electronic identity credentials" and "Banks are ideally placed to fulfill the roles of issuance of, and reliance upon eID's on behalf of their customers, and to prosper in doing so."

for many reasons (and I state a few) :

- This assumes that everyone who wishes to have an electronic id has a bank account.

- This also assumes that a person has only one bank account

- Tying-in my bank e-id to secure other applications will make it problematic for me to change my bank if I'm not happy with it?

- Tying-in my bank e-id to secure payments with cards issued by other banks would pose some conflicts? 

- Tying-in my bank e-id to secure a p2p payment with a payment service provider that competes with the bank that issued my e-id would certainly pose a conflict.

An e-id is an asset that belongs to a consumer. A consumer should have the ultimate choice of how he wants to use this e-id.

An e-id should be considered a neutral asset which is obviously consistent with the 3 neutralities mentioned. For this ultimate reason, and since consumers do have IDs issued by their government, the best entity that can put this all together would be a neutral trusted third entity, with no particular ties to any card scheme, any bank, any payment service provider, any email provider...  

This scheme that uses a neutral trusted third entity would also require other entities such as banks, online merchants, ...  to  present and use their own e-ids. 

eBank, eGovernment and other applications should be underpinned by "a neutral trusted third party-issued electronic identity credentials". Regulation of electronic id issuance, both at a local, national and worldwide level (much like the regulation of the assignment of urls, IP addresses...) should take place.

There does not have to be ONE neutral trusted third party. Neutral trusted third parties can service this scheme.

In the case of the United States, it would not be a bad idea for the Federal Trade Commission (FTC) to be the 'fulcrum' that can start the regulation of neutral trusted third entities, the issuance of e-IDs, and the usage of e-IDs by consumers, businesses and government. For those unfamiliar with FTC, "The FTC deals with issues that touch the economic life of every American. It is the only federal agency with both consumer protection and competition jurisdiction in broad sectors of the economy."

There are many positive foreseeable consequences in consolidating the issuance and verification of eIDs by a neutral trusted third entity. It will leverage the total cost of ownership of authentication tools, devices and services. The most exciting consequence, I believe, is that this scheme provides consumer protection and will treat business (a merchant or a bank) just like any other user-entity that will have to authenticate itself.

Cedric Pariente - EFFI Consultants - Paris 01 May, 2009, 05:28 0 likes

Bo,

Thank you for this interesting blog.

It completely makes sense and let's hope it happens fast as e-crime rates are increasing everyday in these times of crisis.

Regarding the comments, lots of smart things have been said.

However, there is one thing on which I disagree, Banks should definitely NOT be the electronic ID issuer.

It goes against the neutrality principle. Why not ask Madoff to manage a Pension Fund?

I'm being provocative on purpose here.

Banks are fully capable of doing such a job, but it would not make sense for security reasons.

Whatever the business domain, one cannot be in charge of "doing" and "controlling". It's too many caps to wear for a single entity.

I would add that Banks (or e-Merchants) should be authenticated as any end-user is today. Mutual authentication is key in a secure e-ID scheme.

Bo Harald - Transmeri, Demos, Real Time Economy Program,MyData - Helsinki Region 03 May, 2009, 16:39 0 likes

When going global with e-ID service interoperability I agree that the card schemes are good examples. In this case - like for e-invoicing - we should work for a network solution that also allow non-bank service providers to join and compete.

Thank you very much for good comments.

Bo

Bo Harald - Transmeri, Demos, Real Time Economy Program,MyData - Helsinki Region 03 May, 2009, 17:30 0 likes

Marite:

Thanks for agreeing to main point: "The three neutralities mentioned are ideal given the competitive landscape that we are in."

"And these tools and technologies are hardly new." I agree.

"What would be novel is a very strong scheme to enable one e-id service work for different applications and purposes (i.e., secured email, secured online banking, secured payments, secured e-gov, etc.)." I disagree - the way e-id services have been developed in the Nordic-Baltic area have provided this since on  a rising scale (for Finland's part since 1992). e-banking was launched in my bank in 1982 for consumers and the tool - 1-time code for login has been used since then. First 3rd party usage was launched in 1992 and the public sector started to use the service towards late 90s.

"There are reasons why, despite all these tools and technologies and even the definition of MORs ten years ago, card schemes and banks have still not been able to squash online payment fraud. Lack of consumer protection and lack of competition between card schemes and banks comes to mind." I disagree on most points - consumers are well protected in card schemes and banks certainly have competed in many areas. Card schemes have mostly been about branding - they have also competed - often to the dismay of merchants, issuers and acquirers when this has caused interoperability problems. Card payment fraud is a big cost for banks and I agree that more should be done to tie the payment to a strong e-id.

"- This assumes that everyone who wishes to have an electronic id has a bank account." I did not say that bank e-id would be the only alternative - only that it should be a natural alternative as it has been proven to be the citizen's absolute preference,  saves money and speeds up adoption of new services. Those who for some reason still do not have a bank account are unlikely to need e-id - but can get alternative tools (and pay for such transparently)."

"- This also assumes that a person has only one bank account" This does not assume anything like that - a big part of the population have several accounts in  different banks and even several e-banking services with strong and different e-id tools - you just use the one you prefer.

"- Tying-in my bank e-id to secure other applications will make it problematic for me to change my bank if I'm not happy with it?" You are not tying your bank e-id to any application and the technical interface is standardized - so changing bank is no problem - as is not changing service provider in the 4-corner model.

"- Tying-in my bank e-id to secure payments with cards issued by other banks would pose some conflicts?" Why? Open competition should be furthered and development towards federated e-id schemes should be promoted.

"- Tying-in my bank e-id to secure a p2p payment with a payment service provider that competes with the bank that issued my e-id would certainly pose a conflict." Why? In our cases banks have been quite prepared to let also up-to-ethical-standards service providers use their services - again furthering competion.

"An e-id is an asset that belongs to a consumer." Disagree - the habit to use something offered by somebody belongs to the consumer - and is an asset for society at large that should be leveraged.

"A consumer should have the ultimate choice of how he wants to use this e-id." Not only how - but naturally also which up-to-standards-tool.

The three neutralities mean that there will be choices - banks and others providing reuse of their strong tools, single-purpose "neutral" service providers, possibly even governments issuing tools (even if that has failed to take off in all cases I know about - well known and very expensive failure in Finland - please do not do the same mistakes we have done..).

E-identity is classified as a business in EU and any service should thus be transparently priced and compete on equal terms.  In the Nordics it has been as natural to further public-private partnership in this field - and the private sector has well understood that proper supervision is needed. All involved have - after some debate and experimentation come to the conclusion that this works well - nobody has after 17 years of 3rd party e-id bank services really come across any downsides. The only thing that needs to be changed (under way) is the move to a proper 4-corner model.

Bo Harald - Transmeri, Demos, Real Time Economy Program,MyData - Helsinki Region 03 May, 2009, 17:40 0 likes

Cedric,

Thank you for finding my blog interesting.

"However, there is one thing on which I disagree, Banks should definitely NOT be the electronic ID issuer."  Banks are natural e-id issuers and reuse for 3rd party needs - including the public sector has been a fact for a long time in many countries (very much appreciated by citizens) - and will be in all if common sense rules.

"It goes against the neutrality principle." Why? It is a natural service for banks -  guaranteeing identity has been there since banking started in Venice..

"Banks are fully capable of doing such a job, but it would not make sense for security reasons." Appears contradictive - capable but not secure?

"Whatever the business domain, one cannot be in charge of "doing" and "controlling". It's too many caps to wear for a single entity." I do not see the doing/controlling aspect here - bank e-id services are one alternative - and naturally need to be supervised - as any strong e-id issuing should be.

Cedric Pariente - EFFI Consultants - Paris 04 May, 2009, 04:27 0 likes

Bo,

Thank you for your comments. The most interesting debates are those where people disagree. And I must say I disagree with you on some points of your last 2 comments.

"Those who for some reason still do not have a bank account are unlikely to need e-id"

You are really limiting the role of the e-ID here. Besides governments wouldn't be happy, because there are 2 things that are sure in life: tax and death. What about the people who don't have a bank account? Should they be tax exempted?

"An e-id is an asset that belongs to a consumer." Disagree - the habit to use something offered by somebody belongs to the consumer - and is an asset for society at large that should be leveraged.

I have to say I'm really scared by what I read. Usually it's the governments role to take care of the society. The primary role of a bank is simply to lend money. We should not centralize all the services in a single place and make fraudsters' job so easy.

"Banks are natural e-id issuers"

Not really. Not even in Finland:

http://www.epractice.eu/en/news/283877

"Banks are fully capable of doing such a job, but it would not make sense for security reasons." Appears contradictive - capable but not secure?

Capable because they have money.

But not secure because banks are not security experts. It has been proven by all the data breaches lately. What if they also had the e-ID...?

"Whatever the business domain, one cannot be in charge of "doing" and "controlling". It's too many caps to wear for a single entity." I do not see the doing/controlling aspect here - bank e-id services are one alternative - and naturally need to be supervised - as any strong e-id issuing should be.

That's an option. But the next step is also to let banks issue passports, birth certificates...

No really I think it should be the government's job if it has to be a public service. Besides, the first thing a reasonnable public service would do is to consult and subcontract specialists.

All of this being said I'm interested in your comments on my point of view. I'm really an open minded person but so far you have not convinced me that banks would be a good substitute for the governments. Their position seem more legitimate to me.

Actually it's even in line with what's happening in the USA right now

http://money.cnn.com/2009/05/03/news/economy/risk_taking_obama.reut/index.htm?cnn=yes

Bo Harald - Transmeri, Demos, Real Time Economy Program,MyData - Helsinki Region 04 May, 2009, 06:59 0 likes

Cedric,

Very briefly - I am not saying that banks should be the only service providers - or should do the passport or other primary identity tool. Only that it should be a choice also elsewhere than in the Nordic-Baltic area.

The state issued e-id was a very expensive flop in Finland - nobody used it. It is so seldom needed - and bank-id is so much more convenient and naturally has to be secure enough (27 years of experience - without problems).

Not to talk about saving tax payers' money...

Good debate - should illuminate issues - and hopefully avoid others doing same mistakes as we did.

Bo Harald - Transmeri, Demos, Real Time Economy Program,MyData - Helsinki Region 04 May, 2009, 20:53 0 likes

Cedric,

This is an important discussion - I am sure you agree with me that we should give users choices, cut costs and speed up adoption of e-services. The public-private partnership model has worked really well in the Nordic-Baltic area - so why should it not work elsewhere?

I am sorry that I have not been clear enough on a few points - new try:

" What about the people who don't have a bank account? Should they be tax exempted?" Reuse of bank tool just one alternative - other tools are naturally welcome.

"Usually it's the governments role to take care of the society." Governments role is to superwise and procure services - not necessarily to produce all itself - nothing to be scared about.

"The primary role of a bank is simply to lend money." I disagree - banks have many other tasks - and new ones in the networked economy. Banks have since ancient times been a trust provider and guaranteed identity of trading partners - so this is not anything new.

" We should not centralize all the services in a single place and make fraudsters' job so easy." Banking has to be secure in all circumstances.

"Not really. Not even in Finland:" We offer alternatives - the state issued e-id has not been used - citizens prefer their familiar bank-id"

"But not secure because banks are not security experts." Most banks do this very well - and those who need to improve must do it - forced to do it by supervision if not otherwise - banking cannot be unsecure.  "It has been proven by all the data breaches lately. " Really? And state issued e-id would not have similar challenges?

"But the next step is also to let banks issue passports, birth certificates..." I do not see any logic in the state not doing this primary identity.

"Besides, the first thing a reasonnable public service would do is to consult and subcontract specialists." This is the public-private partnership we have in the Nordics - reusing strong e-banking tools and supervised procedures.

" but so far you have not convinced me that banks would be a good substitute for the governments." - I am not saying substitute - just one alternative - there can be other supervised private players also - and the state can issue e-id if necessary.

"Actually it's even in line with what's happening in the USA right now" When it comes to third generation e-banking and payments I think we are ahead of the US - I do admire them for much - but they are not always right in banking supervision as we  have seen..

Bo Harald - Transmeri, Demos, Real Time Economy Program,MyData - Helsinki Region 16 August, 2009, 13:21 0 likes

Should have remembered to say that you do not have to have a bank account or be the banks's customer to get the e-id tools needed. Many banks offer this also to this segment.