Contradictions in U.K. and European eID Regulations

The next session at Web Science 2016 begins with Niko Tsakalakis, whose focus is on electronic identity (eID). An eID is a set of identifiers that distinguishes one person from everyone else; it can take a number of forms, from software and hardware identifiers to biometric data. Such eIDs are now enshrined in a number of national regulations, and they also enable cross-border transactions across Europe.

But the regulations do not necessarily define eIDs: they set only a minimum set of requirements for eID management, and outline an aspiration that such eIDs should also be usable in private-sector systems – which could eventually mean logging on to Facebook with a national eID. Such eIDs are seen as providing higher levels of trust, must include privacy by design, should be technology-neutral, and need to uniquely represent a natural person.

A minimal dataset is required for every transaction, and a persistent unique identifier is part of that dataset. This is a potential problem, because modern ID systems have tended to abandon the idea of a single unique identifier for both operational and privacy reasons.

The U.K., for instance, has an overall identity architecture that combines a single central hub with multiple private providers. A matching service sits between them and applies a randomly created translation, so that no private provider ever sees a single unique identifier for the person. That design therefore appears to be in inherent conflict with the requirements of the EU eID regulation – unless the randomly created translation identifiers used by the U.K.'s matching service are themselves treated as the unique identifiers.
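To make the conflict concrete, here is a toy model of the hub-and-matching-service pattern described above. It is an added illustration, not code from the talk or from the U.K. scheme, and the provider names and record key are constructed sample values: each provider gets its own random identifier for the same person, so no single persistent identifier exists for the regulation to point at.

```python
import secrets


class MatchingService:
    """Toy model of a hub-side matching service (an assumption for
    illustration, not the U.K. scheme's real implementation). It never
    releases the citizen's central record key; each private provider
    instead receives a random identifier that is stable for that provider
    only, so providers cannot link their records to each other."""

    def __init__(self):
        # (provider, central record key) -> random translation identifier
        self._translations = {}

    def translate(self, provider: str, record_key: str) -> str:
        key = (provider, record_key)
        if key not in self._translations:
            # Random rather than derived, so nothing about the central
            # record key can be recovered from the value a provider holds.
            self._translations[key] = secrets.token_hex(16)
        return self._translations[key]

    def can_link(self, provider_a: str, provider_b: str, record_key: str) -> bool:
        """Could two providers match their identifiers for the same person
        without the hub's help? Only if the hub gave them the same value."""
        return self.translate(provider_a, record_key) == self.translate(provider_b, record_key)


def identifiers_known_for(ms: MatchingService, record_key: str, providers) -> set:
    """All identifiers one person is known by across the providers.
    A regulation demanding one persistent unique identifier needs this set
    to have exactly one element; the translation design deliberately makes
    it as large as the provider list."""
    return {ms.translate(p, record_key) for p in providers}


if __name__ == "__main__":
    ms = MatchingService()                      # constructed sample setup
    providers = ["ProviderA", "ProviderB", "ProviderC"]
    person = "central-record-0001"
    print(identifiers_known_for(ms, person, providers))
    print("linkable across providers:", ms.can_link("ProviderA", "ProviderB", person))
```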

There is an obvious question, then, about why the EU regulation lags behind the current (non-unique) state of the art in eID architecture. Unless it is changed, the U.K. will now need to make some fundamental changes – arguably downgrades – to its eID infrastructure.