Identity Assurance in the UK: technical implementation and legal implications under eIDAS

Gov.UK Verify, the UK Government's new electronic identity (eID) management system, has been promoted as a state-of-the-art privacy-preserving system, designed in response to demands for better privacy and user control, and it is the first eID system in which a government delegates the provision of identity to competing private third parties. Under the EU eIDAS Regulation, Member States can allow their citizens to transact with foreign services by notifying their national eID systems; once a system is notified, all other Member States are obliged to recognise it in their own electronic identification procedures. This paper discusses Gov.UK Verify's compliance with eIDAS, as well as its potential legal equivalence to EU systems under eIDAS as a third-country legal framework after Brexit. To this end, it examines the requirements that eIDAS sets for national eID systems, classifies them according to their ratio legis, and organises them into five sets. The paper proposes a more thorough framework than the current regime for deciding on legal equivalence and attempts a first application of it to Gov.UK Verify. It then assesses Gov.UK Verify's compliance against these sets of requirements and the impact of the system's design on privacy and data protection. The article contributes to the literature on privacy-preserving eID management by offering policy and technical recommendations for compliance with the new Regulation and an evaluation of interoperability under eIDAS between systems of different architecture. It is also, to our knowledge, the first exploration of the future of eID management in the UK after a potential exit from the European Union.
