Session Topic: Identity & Government
Convener: Kaliya Hamlin, Elisabeth Mouchy
Notes-taker(s): Scott Fehrman
European workshop for identity: how different countries are doing it
- Who uses eID, Nordic countries: 1/3 of people
- Who uses smartcard
- England pulled out of identity program
- Mapping digital identity to Physical (name, address, etc.)
- Use of postal service to process the identity (like the Facebook Connect model)
- User can manage their own account
- What does the US do?
- Gov employees have internal processes
- looking at USPS for citizens
Identity Lifecycle Flows:
- Id Proofing
- United States
- South Africa
- New Zealand
- (Common Law) Person: you're who you say you are
- (Napoleonic Law) Agency: you are what we say you are
- How do you identify a new user
- Authoritative sources
- What problem are you trying to solve (what is in/out of scope), mandatory, optional, prohibited
- What is benefit to the citizen
- Government is supposed to provide services to citizens
- Authentication mechanisms
- What are people's "legal rights" in myself as human being
- Gov data aggregation practices
- Liability, responsibility
- Who can / should be an identity provider (should a federal gov. be an identity provider)
- What used for health / tax, public / private
- France postal: digital verified mail, banking (soon), digital safe vault, authentication to website
- Adoption rates, what is optional / mandatory
- What services can be actualized with an "in place" infrastructure
- Precursor: document authority (trust level)
- What has been tried ... (and failed)
- Data protection privacy regulations
- Risk level schemas for countries
- Range of attributes (schema alignment / mismatch)
- What "is issued" as credential
- User consent, flow requirements
- Who (agency) is authoritative or not
- Age of issue
- Proxying / delegation (youth / elder) eTrusteeship
- Vertical integration
- Phase of lifecycle ... continuity
- How is it "monetized", make money, save money, just because we are government
Revised Comparative eID list:
- What has been tried but failed?
- What problem are they trying to solve?
- What is the benefit to the citizen/user?
- How is ID Proofing done?
- Are there document validation/verification services?
- What authoritative sources outside the system/country are accepted?
- How does enrollment happen?
- What entities (who) issues precursor identities?
- How does enrollment happen for them?
- What age/life event are identities issued?
- How often does re-identification happen over time?
- What biometrics are captured?
- How are they stored?
- How are they used?
- What are the attributes captured?
- How are attributes shared?
- What is issued as the credential?
- How much does it cost for 1st issue?
- How much does re-issue cost?
- Is a digital identifier issued?
- What other identifiers are issued by the government for what purposes?
- What is the per-capita issuance rate?
- What is the incidence of duplication? (same number issued to two different people)
- Has it been cracked? How?
- What are the mechanisms of authentication?
- Does the authentication "phone home"?
- Does the eID issued support e-signatures, signing as distinct from authentication?
- Can secondary credentials be generated?
- What is the per-capita usage volume?
- What is the value of transactions?
- How is it "monetized" by the issuing institution?
- What can the eID be used for:
- in the Public Sector?
- in the Private Sector?
- What uses are
- What are the user-consent flow requirements?
- Is delegation / proxying enabled?
- Who does the eID belong to? Whose property is it?
- What are the data protection/privacy regulations?
- in the public sector? [are records across gov departments separate?]
- in the private sector? [what rights do people have to manage PII]
- What standards are used?
- How is exchange (trust) managed between entities participating?
- What trust models are used? [drawing on Field Model of Internet Trust]
Law Policy Culture
- What are people's rights to themselves?
- What is the liability responsibility?