Anonymous, Liberal and User-Centric Electronic Identity Supports Citizen Privacy Protection in e-Government
OASIS eGov Workshop - 1 May 2008
Libor Neumann
Current electronic identity needs
• User-centric solution
• Technology-neutral solution
• Support for scalable levels of security, including high security standards
• Protection against known and future attacks in the network environment
• Privacy protection
• Support for the functions and levels of security needed in the e-government
Current e-government privacy threats related to e-ID
• Digital certificates
  • Certificates include personal data
  • The quality of the data is verified by a Certification Authority
  • No access control to personal data used in the certificates
• Biometrics
  • Biometric data are private data, data related to the body
  • No access control or limited access control to biometric data used for remote e-ID
• Consequences
  • Huge unmanaged distributed “database” storing private data
  • The name or body cannot be changed if the data is misused
• The issue
  • Personal data used by e-ID technology
  • Not personal data stored in e-government systems
Anonymous identity (1)
• Anonymous identity – Nonsense?
• Real-life examples of anonymous identity
  • Mail carrier and the neighbour’s cat or dog
  • Dog and its master
  • Mother and her baby
  • Program variable in virtual memory
• ALUCID® separates distinguishing between subjects from naming of subjects
Anonymous identity (2)
• The ALUCID® principles related to anonymous identity
  • No user, and no service provider, works directly with identifiers and credentials (secrets).
  • No personal data are included directly or indirectly in the identifiers or credentials.
  • Identifiers and credentials are shared only between the user and the service provider. No generally valid identifier or credential exists.
  • Identifiers and credentials are very large random (or pseudorandom) numbers with limited validity in time.
Liberal identity
• User freedom in selecting his or her options
  • Selecting a product, producer, form, size, features,…
  • No obligation to use that product
  • Possibility to use more than one product
  • Possibility to change his/her mind in future
• Producer and service provider freedom
  • Seamless interoperability
  • Open standard interface strategy
  • No registration, no central authority
  • Production of an “empty product”, which supports mass production and standard sale of products
User-centric identity (1)
[Figure: User-centric identity architecture. The Personal Electronic Identity Gadget (PEIG) talks to the User over a Local Communication Channel (Near Area Communication) and to the Service Provider over a Remote Communication Channel (Internet), through Open Standard Interfaces; both are ALUCID® technology subjects. A SecureStableLink ties the PEIG to a Register index in the Service Provider’s User Database (columns: Name, Surname, Register index; sample rows John Doe 172584, Donald Duck 589241, Harry Potter 259863).]
User-centric identity (2)
• The user scenario should be:
  • The user selects a PEIG. It is sold empty.
  • The user teaches his or her PEIG to recognize him or her when activated.
  • The user connects for the first time to the service provider and uses the activated PEIG.
  • The user can (but need not) give his or her personal data to the service provider.
  • The user will be able to open his or her personified service directly if he or she activates his or her PEIG.
  • The same procedure can be used with any other service provider supporting ALUCID.
Missing entities
• No login names, no passwords. No forgotten password, no phished password, …
• No user certificate. No recertification, no extra charges, no names on the network,…
• No identity provider. No user communication with an identity provider, …
• No government-issued identity. No “numbering” of citizens, no misuse of state-issued identifiers,…
• No biometric data without access control. No cloned biometric data from e-ID use, no remote verification of biometric data origin,...
Personal data management in the e-government
• Government and personal data
  • The government stores citizens’ personal data in its internal information systems.
  • Governments do not need any other personal or private data stored by e-ID means.
  • E-government only requires a secure link between the person and the personal data record.
  • The link itself need not use personal information.
  • Government uses personal data in the e-ID system only because the e-ID technology needs it.
• ALUCID® technology supports creation of a secure and stable link between a specific PEIG® and a specific user database record without any personal data
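An added illustrative model (not ALUCID®'s own protocol or code) of the principles on the “Anonymous identity (2)” slide, the user scenario above, and the secure link without personal data: each service provider gets its own random identifier and secret with a validity window, authentication is a challenge-response over that secret, and the provider’s record can stay empty. The class and function names and the lifetime value are assumptions.

```python
import hashlib
import hmac
import secrets

ID_LIFETIME = 3600  # assumed validity window of an identifier/credential, in seconds

class PEIG:  # the user's gadget: sold empty, learns one random pairing per provider
    def __init__(self):
        self.pairings = {}  # sp_name -> (identifier, secret, expires)

    def pair(self, sp, now):  # fresh random values for this provider only, nothing from the user
        ident, secret = secrets.token_bytes(32), secrets.token_bytes(32)
        self.pairings[sp.name] = (ident, secret, now + ID_LIFETIME)
        sp.register(ident, secret, now + ID_LIFETIME)

    def respond(self, sp_name, challenge):
        ident, secret, _ = self.pairings.get(sp_name, (b"", b"", 0))
        return ident, hmac.new(secret, challenge, hashlib.sha256).digest()

class ServiceProvider:  # maps identifier -> record index; the record itself may stay empty
    def __init__(self, name):
        self.name = name
        self.links = {}    # identifier -> (secret, expires, record index)
        self.records = {}  # record index -> personal data the user chose to give

    def register(self, ident, secret, expires):
        idx = len(self.records)
        self.links[ident] = (secret, expires, idx)
        self.records[idx] = {}

    def authenticate(self, peig, now):
        challenge = secrets.token_bytes(16)
        ident, tag = peig.respond(self.name, challenge)
        secret, expires, idx = self.links.get(ident, (None, 0, None))
        if secret is None or now > expires:
            return None  # unknown or expired identifier
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return idx if hmac.compare_digest(tag, expected) else None

def demo(now=1_000_000.0):
    gadget, tax, health = PEIG(), ServiceProvider("tax"), ServiceProvider("health")
    for sp in (tax, health):
        gadget.pair(sp, now)
    idx = tax.authenticate(gadget, now)
    tax.records[idx]["name"] = "Jane Citizen"  # constructed sample, given voluntarily
    return {
        "record": idx,
        "unlinkable": gadget.pairings["tax"][0] != gadget.pairings["health"][0],
        "empty_peig_rejected": tax.authenticate(PEIG(), now) is None,
        "expired_rejected": tax.authenticate(gadget, now + ID_LIFETIME + 1) is None,
        "health_holds_no_name": health.records == {0: {}}}
```

The two providers never see a common identifier, and the health record stays empty even though the tax record holds a name the user chose to give.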
Personal data management in e-government
• How to link an anonymous PEIG® with the right personal data in the information system?
  • Who is the person using the specific PEIG®?
  • Secure initialisation of the link between the user and the record.
• Governments resolve the same issue in non-electronic communication every day
  • The owner of a specific PEIG® will introduce his or her PEIG® to the e-government service provider
  • ALUCID® technology will support so-called “remote heritage of PEIG® introduction”
Citizen Centric Administration & e-ID
• Citizen-centric administration should be personified administration
• e-ID technology is a key enabler of personified administration
• Users need user-centric e-ID (shared e-ID tools)
  • E-government services are minority services
  • User-centric e-ID is a necessary condition of citizen-centric administration, but not a sufficient one!
• Possible options
  • Citizens will use government-issued e-ID for all other electronic services
  • Government will enable use of citizen-preferred e-ID tools
  • Privacy protection has to be solved in both cases
Conclusion
• Privacy protection is today an underestimated threat in e-government
• The longer e-ID technologies based on personal data are used, the greater the risks to citizen privacy grow
• Government does not itself need the personal data used in e-ID means
• ALUCID® should solve the needs of government without additional privacy threats for citizens
• ALUCID® is a new concept, a new solution. The first prototype exists. It needs to be verified in a pilot test in real life before mass use.
• We look for partners (cooperation, verification, standardization, deployment,…)