34
Restricted - Confidential Information © GSMA 2012 All GSMA meetings are conducted in full compliance with the GSMA’s anti -trust compliance policy GSMA Mobile Identity Programme
Restricted - Confidential Information
© GSMA 2012
All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy
GSMA Mobile Identity Programme
2 CONFIDENTIAL
Agenda
1. About GSMA
2. GSMA Mobile Identity programme
3. COM (2012) 238/2 regulation proposal on eID and electronic trust
services
4. GSMA proposed approach
5. Draft regulation expected timeline
6. Additional slides: Mobile ID case studies
3 CONFIDENTIAL
About GSMA
Spectrum Mobile NFC Connected Living
Rich Communications mIdenity Global Roaming
• Founded: 1982
• Objective: Progress mobile technology and usage
• Membership: 800 network operators with 230+ companies from wider mobile ecosystem.
• Main achievements: GSM standards, Roaming interconnect and the industry representative with Regulators and Government
4 CONFIDENTIAL
Mobile Identity Programme
• The GSMA Mobile Identity programme is a global initiative established to support mobile
operators in understanding and unlocking the potential of electronic and mobile identity
• Through research and engagement with mobile operators, governments, and the broader
mobile ecosystem, the GSMA will build a community to share best practice and support
the launch robust, coordinated identity solutions that leverage the ubiquity of mobile
technology
• The Mobile Identity programme will also make recommendations to governments on how
best to leverage the capabilities of mobile operators’ identity creation / management
solutions
By 2015, the Mobile Identity programme will have positioned mobile at the heart of identity
management, having initiated and supported multiple implementations globally. The GSMA
will have driven uptake through the provision of expert commercial, technical and regulatory
support to mobile operators, whilst simultaneously helping to remove barriers facing
operators, solutions providers, governments and end-users.
5 CONFIDENTIAL
The GSMA programme is supporting operators
across the full mIdentity spectrum
Information
gathering
1
Pilot
consideration
2 Pilot
implementatio
n
3
Increase to
scale
4
GSMA
Mobile
Identity
programm
e
Provide operators
understanding of
developments and
best practices
within mobile
identification
without having to
develop own
internal resource
Enable operators
to identify the
opportunity via a
standard business
models and
industry best
practice to support
the design of a
pilot
Provide resource
where most
valuable to the
operator to
support successful
implementation
and measurement
of the pilot’s
impact
Share best
practice from
other markets and
wider eco-system
to identify
roadmap for
scaling up mobile
identity services
Working alongside operators, governments, regulators and others to ensure that
mobile identity is fulfils its role as part of the broader digital identity ecosystem
and serves end users to the greatest possible extent
6 CONFIDENTIAL
Connect and Authenticate
o Single Sign-On
o Strong Authentication Mobile Digital
Signature
Mobile ID Innovations
o Secure Cloud
o Health Records
o Verified Subscriber
o Loyalty
o Secure NFC
Mobile Identity Programme Focus Areas
7 CONFIDENTIAL
Identity is about access to rights, services and
places
Core Needs Use Cases
Access to
Places (will become
relevant with NFC)
Having Access
to Services
Having a
Recognised
Identity / Status
Access to Public
Places: Borders
Access to Private
Areas: Buildings
Access to Healthcare
Life event
registration: Birth,
marriage, death
registration
Identity
as
Enabler
Creation
of Identity
Access to Education
Access to Financial
Services
Other: Access to
information, contract
signature, voting etc
At its most fundamental level, digital
identity management services can help
overcome weaknesses in legacy
processes
Without an identity, individuals lack the
ability to access even the most basic rights
/ services
Once created, identity – whether document
based or digital – is effectively an enabler
It allows the user to access real world and
digital services – it allows the provider of
the service to verify the identity of the user
prior to providing the service
Digital identity management is about
sharing elements (attributes) of the identity,
as opposed to the entire identity
A retail bank does not need to know
my blood type
A social network does not need to
know my home address
A content website does not need to
know my date of birth
My office building does not need to
know my bank balance
8 CONFIDENTIAL
Mobile Identity Enabling Products
Description:
Use mobile as second factor
overlay; including NFC /
biometrics
• SIM-based strong
authentication /
verification, with
considerable scope for
value add: location
sensitivity, behavioural
profiling; integrate with
cloud
• 2FA market already exists,
but operators often dis-
intermediated
2 Factor Authentication
ID Storage / Retrieval
Description:
Make it possible to prove
identity by showing the phone
Federated Identity
Description:
MNO provides managed ID
services to SPs
Mobile Digital Signature
Description:
Use mobile as a replacement
for legally binding ‘wet’
signatures
Secondary mID
enabling
products
• User can use their existing
credentials held by the
MNO to sign in to any
relying party website, while
maintaining the privacy of
the profile generated.
• SPs can outsource identity
mgmt to MNOs and provide
a better user experience
through seamless login
• User can sign & send
documents, securely
transmit messages & m-
payments, provide verified
ID for e-services.
• Enterprises/businesses
can verify authenticity of
messages, payments,
“permissions” for access ..
18+
Event Registration
Description:
Make it possible to create a
digital identity documents, e.g.
birth certificate in Uganda
9 CONFIDENTIAL
The role for Mobile in identity management
Why identity should go mobile?
Mobility
• Mobile networks
cover over 90% of
the world’s
population
• Standards-based
GSM technology
provides a uniform
platform for ID
Ubiquity
• Circa 6 billion
mobile
subscriptions
today
• Represent 3.8
billion subscribers
1 2 Security
• Mobile is a secure
medium, backed by
sophisticated fraud
detection
• SIM-based
Authentication is at
the heart of mobile
3
Why operators are interested in identity management?
Portability
• Most commonly the
mobile device is
always with its
owner
• Users already “trust”
mobile for the
storage and
management of
personal data
4 Cost
• Mobile
infrastructure is
already in place
• Little additional
infrastructure
required – only
new SIMS
5
Manage CRM
• The more mobile
networks are
involved in ID, the
more useful
information they can
harvest to improve
their service offering
Leverage assets
• SIM cards are a
powerful tool –
mobile ID makes
optimal use of
them
1 2 New revenues
• Diversify revenue
streams with new
B2B solutions to
public and private
clients
3 Relationships
• Operators already
have material
relationships with
subscribers, backed
by payment / billing
systems
4 Competition
• OTT connect
services already
exist and are
manifest over
mobile
5
10 CONFIDENTIAL
Mobile Identity Programme Working Group
France, Moldova
Finland, Moldova,
Azerbaijan, Estonia
Turkey, Spain
India
China
Turkey
Japan
Japan
Philippines
Norway
Sri Lanka
Ghana, Tanzania
Germany
UK
Finland
Uganda
UAE
Argentina
Brazil
Cambodia Egypt
Switzerland
• 32 operators involved in the Mobile
Identity Working Group
• 11 associate members involved
China Mobile China Telecom SMART Philippines Taiwan
11 CONFIDENTIAL
Common principles of the draft regulation
COM (2012) 238/2
GSMA welcomes the Commission’s proposal to provide legal and regulatory
clarity across Member States and stakeholders for digital identification and
we strongly support its approach that is technology neutral and open to
innovation
It upgrade the legal framework of electronic signatures replacing the existing
eSignature Directive, e.g. it allows you to “Sign" with a Mobile phone
Timeliness of the intervention: Public Private Partnerships are key for the
scalability, demand, and cross-sectors interoperability of Trust Frameworks
The GSMA also welcomes the European Parliament’s draft opinions
12 CONFIDENTIAL
Mobile is the heart of digital identity
Mobile devices are ubiquitous in everyday life
Average mobile subscriptions
per 100 inhabitant at 123% in the
EU-27 in 2012
Smartphone penetration at 51% in Western Europe in 2012
Subscriber Identity Module (SIM) with more then 2 billion cards in use globally is the largest
de-facto identity standard
No additional hardware
No additional software
Mobile devices are easy and widely used also amongst the elderly people
Basic technology (GSM or SMS)
One single device for authentication
The role of mobile operators is key for the development of the digital economy
and will have significant economic and social impact fostering economics
growth, innovation and job creation
+1.09 per cent GDP growth across
the EU 27 Member States
Other positive economic, social
and environmental externalities
13 CONFIDENTIAL
Mobile identity is private, secure and
trustworthy
• Most of the existing solutions rely on cell
phones in combinations with PKI
enabled SIM cards with Secure
Elements
• Mobile devices can also be used as an
additional proof of authentication via
SMS
• The connection with the user may
also be performed via NFC, WiFi,
RFID or Bluetooth
• Mobile devices enable users to carry out
signatures “on board” via:
• The SIM as cryptographic device
• The handset for PIN entry
• Mobile network operator for reaching
the user
• Secure Elements :
• Mobile device memory (software)
• An internal Universal Integrated Circuit
Card (UICC) containing the Subscriber
Identity Module (SIM) (non-removable
hardware) or SD or micro SD
(removable hardware)
• Server side components (such as
Hardware Security Module which stores
the user private key)
Mobile solutions allow the initiation of on-line identity schemes that get access
to sensitive personal information to be protected by strong forms of
authentication
14 CONFIDENTIAL
Mobile identity empowers consumers and
innovative business models
Mobile identity enables user friendly access to new services and applications
and balancing the trade-off between
Meeting the demand for increasing need of robust security and user privacy.
Operator imperatives for efficiency, scalability and open interoperability with
diverse key players of IdPs and SPs
Both the Governments and identity service providers should assist citizens
and consumers in managing their identity and release of credentials data
online
Federated/OpenID (and similar solutions) can provide a convenient and low
cost method of providing identity services to consumers whilst ensuring
increased security to service providers and end users.
15 CONFIDENTIAL
GSMA proposed approach
Effective implementation of an Open Trust Framework for
Digital Identity the regulation could be enhanced by
providing:
1. Appropriate and proportional security requirments
2. Self-regulation and balanced supervision
3. Proportional laibility requirements for qualified trust service
providers
4. A consistent privacy and data protection framework
5. A consultative approach and industry cooperation with
delegated and implementing acts
6. Automatic processing for international interoperability
Restricted - Confidential Information
© GSMA 2012
All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy
(1) Appropriate and proportional
security requirments
GSMA beleives that a harmonized definition of security assurance
levels shall gurantee that the adoption of minimum security
measures in the provision of electonic identity and trust services
across borders and across sectors. This will facilitate
interoperability.
A risk based approach shall be adopted whereby the security levels
shall be appropriate and proportionate to the to the degree of risk
provided by the undertakings involved in the electronic transaction.
17 CONFIDENTIAL
Open standards and best practices to meet
emerging requirements
Mobile Operators are able to cover the entire spectrum of identity
requirements ranging from simple login to the provision of identity
assertion for high assurance eGovernment services.
Harmonized acceptance of security assurance levels shall not only gurantee cross border and cross
sector interoperability, but also that the notified schemes shall adopt security measures proportionate
and appropriate to the to the degree of risk provided by the undertakings in the provision of electonic
trust services (including other Member States).
Restricted - Confidential Information
© GSMA 2012
All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy
(2) Self-regulation and balanced supervision
Appropriate supervision of service providers that issue qualified
certificates is a building block of trust in the digital identity and trust
services eco-system
The adoption of self-regulated schemes does not only strengthen
the accountability of organisations operting within the identity
management eco-system but also encourage the development of
innovative services and best practices
19 CONFIDENTIAL
Balanced and harmonized supervisory model
of the trust services eco-system
Proposed regulation on supervision are excessive, the roles of regulators and
supervisory authorities unclear
Member States have implemented the supervision requirements of the eSignature
directive in various ways including very basic supervisory controls, self-regulated
initiatives and formal certification and prior authorisation.
For example, in some countries supervisors rely on the work of public authorities and national
accredited auditors that operate under standard audit practice, in others, supervisors work
under independent, industry-led, voluntary, self-regulatory scheme set up to create strict
assessment criteria, for trust services.
The adoption of voluntary accreditation schemes strengthens the accountability of
organisations. By supporting self-regulatory approaches a balanced supervisory and
enabling framework is encouraged
GSMA believes that the supervision model that this regulation shall introduce, should
be harmonised and provide legal clarity and regulatory certainty for the stakeholders in
order to encourage best practices and open industry standards for interoperability and
best practices
Restricted - Confidential Information
© GSMA 2012
All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy
(3) Proportional laibility requirements for
qualified trust service providers
A risk based approach to liability requirements shall ensure
transparency and accountability while fostering large scale
deployment and innovation.
The Regulation should aim to clarify minimum liability requirements
and mechanisms for automatic processing.
21 CONFIDENTIAL
Liability conditions are key building blocks of
the regulation
Proposed liability conditions increase the risks and costs to
businesses of providing qualified electronic trust services.
Strong authentication systems are costly to implement – only the
potential for mass market opportunities and network effects to be
exploited will help service providers to deploy
• For example, certificates issued by national authorities (or approved CAs)
are typically expensive (€50-200) because of the stringent security
requirements needed to protect the root keys and certification process.
• Where security requirements can be limited and/or the fixed costs of setting
up the certification process can be amortised across a higher volume of
certificates the costs can be brought down to a matter of Euro cents.
The proposed Regulation should aim to harmonize minimum liability
requirements and mechanisms for automatic processing
Restricted - Confidential Information
© GSMA 2012
All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy
(4) A consistent privacy and data protection
framework
GSMA believes that privacy matters to individuals, to business and
governments. Consistent privacy and data protection experience
for users is key to to build trust in the identity ecosystem.
The proposed Regulation shall reflect existing directives and recent
regulatory developments to avoid compliance duplication and
overprescriptive rules.
23 CONFIDENTIAL
Consistent data protection and security experience
for end users and other stakeholders
• EU Member States have already largely implemented notification
regimes for loss of integrity and breach of security impacting the
operation of public telecommunications networks and services (Article
13a of the revised Framework Directive) as well as breaches of
personal data (Article 4 of the revised e-Privacy Directive).
• The EC has also proposed a comprehensive reform of General Data
Protection Rules, which will extend the notification obligation to
sectors other than telecommunications.
• GSMA is of the view a risk based approach is required and that gives
more consideration to the harms materialising from the use of
personal data and ways to address these risks and harms. This would
not preclude the use of data to support future knowledge based
actions to the benefit of citizens, consumers and society
Restricted - Confidential Information
© GSMA 2012
All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy
(5) A consultative approach and industry
cooperation with delegated and
implementing acts
The adherence to code of practices and best practices
specifications shall guarantee flexibility for trust service providers
vis a vis-à-vis technological developments
25 CONFIDENTIAL
Consultative and transparent process
Most of the work still need to be carried out. Detailed technical aspects of the
Regulation that will be delegated to the Commission and subject to consultation
include:
Art 8 (3) interoperability of electronic identification;
Art 15 (5) security measures required of trust service providers;
Art 13 (5) recognised independent supervisory bodies responsible for auditing the service
providers;
Art 18 (5) trusted lists;
Art 21 (4) requirements related to the security levels of electronic signatures;
Art 25 (2) requirements of qualified certificates for electronic signatures their validation and
their preservation;
Art 23 (3) the bodies responsible for the certification of qualified electronic signature creation
devices; and
Art 29 (4); Art 30 (2) the requirements related to the security levels of electronic seals and to
qualified certificates for electronic seals;
Art 35 (3) the interoperability between delivery services
Technology-specific requirements or technology mandates represent
significant risk to innovation, competition and economic growth – a
consultative and transparent approach with key interested parties will help
reaching scale and interoperability
Restricted - Confidential Information
© GSMA 2012
All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy
With automatic processing there are benefits to
international interoperability and positive impacts on
costs, large scale deployment and innovation.
(6) Automatic processing for international
interoperability
27 CONFIDENTIAL
Automatic processing
As machine-stamping will become increasingly used in signed documents (in
order to indicate personal authorization for the person to act in name of
particular organization), it is important that this information is processed
automatically and uniformly across EU.
It also makes possible to reduce customer’s involvement in set-up phase,
makes access to e-services more user-friendly and more reliable
Multiple service security levels could be supported by automated analysis
and for liability limit information on individual certificates
28
Timeline e-identification
Commission to work with EP/Council throughout process of adoption of the Regulation (co-decision procedure)
6 June:
Progress report at
Telecoms Council
(tbc)
Proposal
sent to
EP and
Council
Jan:-June Irish Presidency of the EU July-Dec: Lithuanian Presidency of the EU
15 May:
Deadline for
AM in
ITRE/IMCO
10 Dec:
Vote in
Plenary
On-going negotiations between EP and Council to seek an agreement in 1st reading
24 April:
IITRE,IMCO,JURI,LIBE
consideration of
report/opinion.
18 Sept :
Vote in
ITRE
Dec 12’
18 Dec:
EC
presentation.
3-4 April :
ITRE/ IMCO
draft
report/opinion
8 July:
Exchange of
views on CA.
Dec/Jan:
Adoption by the
Telecoms Council
(tbc)
April 13
May July June Sept Dec
9 JULY:
Vote in
IMCO
19-20 June ?:
Consideration
of AM.
EC
presentation
at MCOM
Meeting with
rapporteurs/
shadows
Text
proposals
sent to
rapporteurs/s
hadows/
secretariats
and political
advisors of
IMCO and
ITRE.
Amendments
sent to key
MEPs/
Political
advisors.
Meeting with Telecoms attaches and
Lithuanian Presidency.
Voting
recommendation to
IMCO and political
advisors.
Voting
recommendation to
ITRE and political
advisors.
Voting
recommendation
MEPs and follow
results.
7 June:
MCOM
meeting
Restricted - Confidential Information
© GSMA 2012
All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy
Additional slides
Case Studies
30 CONFIDENTIAL
Current service footprint
Mobile birth
registration Subscriber
data management
31 CONFIDENTIAL
Mobile ID: A national implementation in
Finland
Mobile ID in Finland Electronic ID on the phone SIM card
27/11/12 Elisa Varmenne Palveluntarjoajille 6
Seamless eServices ecosystem from operators – authentication,
authorization, payment approval
Mobile ID - tool for convenient
and secure eTransactions
• GSM number + Mobile ID PIN-code
• Same user-experience across all channels
and services: web, mobile, phone call
• Clear roles between players
• Simple, transparent business model
Common service from
leading Finnish operators
• Strong authentication according to the law
• ”Trust network” between operators
• Single agreement and integration to reach
all users
• Mobile ID registration with home operator
(operator store, internet with Bank ID)
32 CONFIDENTIAL
Key findings
• Enterprise users are the early adopters: consumers not
there yet
• Financial services and e-Government access drive
adoption
• Ease of subscription is key to customer adoption
• Large range of service providers and services is necessary
to boost adoption
• Launch by an individual operator alone is challenging
Digital signature: Mobile Signature in Turkey
Available for download on our
website:
gsma.com/mobileidentity
Turkish mobile signature service was launched in 2007 by Turkcell,
and was the first in the world to go live
Mobile
Signature
User
$29.5
Average
Turkcell
subscriber
$11.8
Average Revenue Per
User
Transactions by category
Finance 68% E-Govt
27%
Business
Solutions
3%
Other 2%
33 CONFIDENTIAL
Mobile e-ID: Mobiil-ID in Estonia
Estonia has been pioneering mobile services for every-day use since 2007, and was the
first to conduct mobile voting in national elections in 2011
Key findings
• Strong ecosystem for mobile-ID usage - all e-services
(login/signing) are available also with mobile-ID
• Ease of adoption for consumers (in case of server-based
model, no need to replace SIM or special registration, etc)
• Low-cost and convenience for service providers (no
computer, special software or smart card readers needed)
• Strong stakeholders are needed in order to get mass usage
and de facto standard status (internet banking, public
transportation)
• In Estonia, possibility to extend Estonian ecosystem and
technological infrastructure operated by TeliaSonera in
Estonia (EMT + Certification Centre) to other TeliaSonera
markets
M-PAYMENTS
- mobile banking
- web payment
- public transportation
- insurance, energy companies
- person 2 person
- cross-operator mobile payments
M-GOVERNMENT
- information access
- digital signature
- business register actions
- citizenship registers
- tax and customs
- e-School, e-Health…
- parliament voting service
34 CONFIDENTIAL
Birth registration: Uganda Telecom
Uganda Telecom has become a pioneer in the use of mobile as a means
of dealing with fundamental challenges relating to physical identity
Key findings
• In developing countries like Uganda, there is a critical need
for mobile technology to help solve “real-world” practical
problems
• Paper-based birth registration processes are slow,
inefficient and often incomplete
• Paper records are easily lost or destroyed
• It is not uncommon for official stationary to be
unavailable
• Distances involved in submitting documents are
substantial, and the accordant time and cost
associated with the process are disproportionate
• Village chiefs – who typically have responsibility for
such matters – have many other, arguably more
pressing issues to deal with
• Mobile provides a highly efficient solution to a perennial
problem
• Even in deep rural areas, coverage is available – whereas
fixed networks are typically unavailable outside major
urban centres
• Costs are low; benefits are almost immediate
Available soon for download
on our website:
gsma.com/mobileidentity
Picture of cover
