Explaining International IT Application Leadership: Electronic Identification Systems

Daniel Castro September 15, 2011
An assessment of what the U.S. can learn from early adopters of national e-ID systems.

Identification is routinely used to help facilitate commercial and government transactions, such as taking out a loan or applying for government benefits. While individuals can use traditional forms of identification in face-to-face transactions, these forms of identification are less useful for conducting business on the Internet. To address this challenge, many governments are creating national electronic identification (e-ID) systems—a collection of technologies and policies that enable individuals to electronically prove their identity or an attribute about their identity to an information system. This report reviews the programs and practices of some of the countries with the most advanced and widely deployed national e-ID systems. It highlights the successes and failures of different approaches and focuses on the lessons that policymakers, particularly in the United States, can learn from nations that have begun adopting and using e-ID systems.

National e-ID systems offer a variety of benefits for individuals, businesses and governments. These systems can help reduce identity theft and enable individuals to use online applications more securely in a variety of industries such as health care and banking. Individuals can use an e-ID to authenticate to online services, securely communicate online, purchase goods and services, and create legally binding electronic signatures, such as to sign a contract. Businesses can use identity management functions to better interact with their customers on the Internet, such as to authenticate users to online applications or to verify the ages of their customers. Finally, government can use e-IDs to streamline e-government services, allow individuals to sign and submit forms online, and offer innovative services.

Many European countries have been investing in national e-ID systems, as have countries in the Middle East and Asia. While no country has achieved universal deployment and use of a national e-ID system, some countries have made more progress than others. At present the clear leader is Estonia, which has issued approximately 1.2 million e-ID smartcards to an eligible population of 1.3 million citizens (i.e. individuals age fifteen and older). Since inception, cardholders in Estonia have used their e-ID to create more than 52 million electronic signatures and authenticate more than 88 million electronic transactions. Estonia has even used its e-ID system to allow citizens to vote online.

In contrast, as of 2011, the United States does not have a national e-ID system. Most individuals still use a collection of poorly secured usernames and passwords to access online services and, more than a decade after Congress passed the Electronic Signatures in Global and National Commerce Act (ESIGN), most individuals never use secure electronic signatures to sign documents. However, the federal government recently launched the National Strategy for Trusted Identities in Cyberspace (NSTIC), a new initiative to develop an online identity ecosystem. Policymakers have many opportunities to learn from the countries furthest along in deploying e-ID systems as they shape the technology, institutions and policies that will guide e-ID development in the United States.

Countries have many options for building an e-ID system, and each country can design a system to address its unique needs. While demographic, cultural and historical factors may influence a country’s national e-ID strategy, and existing ID infrastructure such as national registries may make deployment easier, all countries appear able to take advantage of this technology. Although the United States is late in creating a national e-ID strategy, if it heeds the lessons from early adopters it can capitalize on an enormous opportunity to create an e-ID system that can leapfrog those of other countries and help invigorate our information economy.

Therefore, to promote e-ID adoption and use in the United States, policymakers should do the following:

  • Create an e-ID implementation plan with broad input from all stakeholders, including the private sector. The government cannot build a successful national e-ID system without support from all stakeholders. The countries with the most widespread use generally have both public and private-sector applications utilizing the e-ID system and virtually every country uses the private sector to operate a portion of the e-ID infrastructure. Moreover, the private sector has many resources that can be built on and is the current supplier of much of the identity infrastructure, such as certificate authorities, that will be used.
  • Build an e-ID framework that supports both current and emerging technologies. The government should not specify any particular technology for e-IDs but rather establish a technology-neutral e-ID framework that allows both public and private-sector identity providers to issue e-IDs using the technology of their choice. Countries such as Austria that have not created a single national token, such as a smartcard, but rather have established a flexible framework for e-IDs, offer citizens more options for obtaining an e-ID.
  • Use government to increase both supply and demand for e-IDs. Technologies like e-ID systems exhibit strong network effects whereby the value of the technology grows as the number of users increases. A critical mass is needed to create the right value proposition for private-sector service providers to rely on the technology; without that critical mass, systems that accept e-IDs will not develop. Government, at the federal, state and local level, should invest in the identity ecosystem to overcome this “chicken-or-egg” problem inherent in its creation. The countries that are further ahead in e-ID adoption and use have aggressively invested in e-ID technology in advance of market demand for the technology; the most successful countries have also coupled these investments with demand-side programs to spur use of the technology.
  • Design an e-ID solution that maximizes utility for both users and service providers. One of the reasons that e-ID solutions have had slow adoption in many countries is that many of the security benefits of using e-IDs, compared to using one-off solutions, have been one-sided: service providers use e-IDs to verify the identity of users, but users do not have the opportunity to verify the identity of the service providers. The United States should follow the lead of Germany, one of the few countries to implement an e-ID system that uses mutual authentication. Using mutual authentication confers the security benefits of e-IDs to both service providers and users, thereby giving users more incentive to adopt e-IDs.
  • Ensure that privacy does not come at the expense of eliminating useful information from the information economy. Although privacy is often cited as a concern for the development of national ID systems, an e-ID system can enhance user privacy by reducing the amount of information revealed during a transaction. For example, individuals can prove that they are over the age of twenty-one without revealing their exact date of birth or name. While this is a potential benefit for individuals, there is a risk that data sets that might otherwise be generated and that are useful for society will no longer be created. The solution to such a risk is to ensure that policymakers understand the value of data sets and take into account the need to enable beneficial types of data sharing when legislating or rulemaking. Given the importance of information to the information economy, the government agency leading the development of the e-ID system should ensure that enabling beneficial forms of data sharing is one of the metrics by which potential solutions are evaluated.
  • Strive for disruptive innovation, not just incremental innovation. Technological progress is often evolutionary rather than revolutionary. This is often the case in government where technology is used only to make existing processes more efficient, rather than to find new ways to redesign or reengineer processes to take advantage of new technology. Implementing an e-ID system gives government the opportunity not only to implement incremental innovation, but also to use the technology for disruptive innovation. Some steps are straightforward. For example, government agencies can be better integrated by allowing single-sign-on and reducing the number of login prompts as users navigate from one agency to another. Government can also find opportunities for more radical change in how it delivers services to citizens. For example, the government can follow Belgium’s lead and use e-IDs to implement an “ask once” policy, eliminating the need for users to provide information to government more than once.
  • Ensure that e-ID solutions are accessible and available to all individuals. As e-IDs become more common, they will likely become a prerequisite to participation in certain aspects of digital society and commerce. Thus it will be necessary to ensure that a digital divide does not emerge whereby certain populations are unable to participate because the technology is either not accessible or not available for their use. The development of the e-ID should therefore specifically take into account the needs of different groups, including non-U.S. citizens, low-income populations, and people with disabilities. Providing all individuals access to an e-ID will help ensure that organizations can phase out legacy systems for electronic authentication and signatures, and will not need to run additional programs for those unable to obtain an e-ID.
  • Design an e-ID system for the global digital economy. Systems designed for today’s digital economy should reflect its global nature. Ideally, an e-ID issued in one country should be accepted in another. Unfortunately, every nation with an e-ID system today faces significant challenges to making its system interoperable outside of its borders. To this end, the U.S. should more actively lead the development of international standards for federated identity-management systems. In addition, it should work to develop an interoperability framework that would allow e-IDs created in one nation to be accepted in another for online authentication and electronic signing. Properly managed, the growth of e-ID technology should help reduce barriers to the free flow of information by allowing secure transactions between individuals and organizations across national borders.

A national e-ID system will provide a platform for the public and private sectors to develop a wide array of innovative and productivity-enhancing products and services online that require one’s identity, or an aspect of one’s identity, to be confirmed. Policymakers should embrace the opportunity to create an innovation-driven approach to a national e-ID system that balances competing interests, improves privacy and security for users, and combines the strengths of both the public and private sector.