Mobile Identity a Regulatory Overview 2 Mobile Identity a Regulatory Overview

Mobile Identity A Regulatory Overview 2 Mobile Identity A Regulatory Overview

Introduction

This paper provides an overview of the The paper forms part of a broader series regulatory background and key policy of mobile identity related documents issues associated with digital and published by the GSMA. These include mobile identity services. Its objective is technical white papers, case studies to inform and stimulate discussion on and service blueprints. For more the key policy principles required for information, please go to http: the successful development of mobile //www.gsma.com/mobileidentity/. identity services.

Background

At a simple level, digital identity is to different regulatory contexts. Mobile identity is essentially an a proxy for, or supplement to, the For example, under the European extension of digital identity provided real identity of an individual (or Commission’s proposed regulation via mobile networks and devices – for organisation) – and as such it can be on electronic ID1 it is defined as “the example via SIM-based solutions or viewed as the digital representation process of using personal identification by using mobile devices and service of a set of claims made by one party data in electronic form unambiguously credentials to form part of a personal about itself or another entity in a given representing a natural or legal person”. identity. Mobile represents an ideal domain. These subsets of claims or platform for identity services not only attributes are typically conveyed to get Examples of digital identity services because it is capable of providing a person or a thing recognised within range from the provision of secure identity services on the move (wherever a system or organisation (for example, access to online personal and financial a user takes his or her handset) and whether or not that identity is allowed data and eGovernment services (for through a secure medium, but also to enter a certain website or get access example e-Health or tax filing services), through newer technologies such as to services such as a bank account). the use of multiple factor authentication Near Field Communication (NFC). Digital identity is often defined as the technologies for digital payments and NFC-enabled service examples include set of electronic credentials or attributes online banking, to digital signatures providing users with authenticated required in order to gain access to a based on Public Key Infrastructure access to physical buildings, facilities particular service or resource in the real (PKI) and biometric-based electronic and borders through their mobile, and or virtual world. However, definitions identity cards or tokens. access to transport systems, m-ticketing of digital identity may vary according and domestic utilities2. Mobile Identity A Regulatory Overview 3

Digital identity, the digital economy and the importance of trust

Digital identity is increasingly Building “trust” in the online users, governments and the private recognised as a key enabler of the environment is critical to facilitate the sector. In order to provide digital “digital economy”3 and as such is growth of digital identity services and services, companies and public becoming progressively important to digital economies as a whole, and is administrations need to distinguish governments and regulators. An EU a preoccupation of governments and between trusted and non-trusted study by MICUS consulting indicated regulators around the world. As EU counterparts in cyberspace; they that the digital economy in Europe Commissioner Neelie Kroes stated also need to be recognised as trusted could contribute an increase in the in her speech on EU Cyber security parties themselves. Likewise from a annual economic growth rate of +1.09 “the big opportunities of the digital consumer perspective, as consumers per cent across the EU 27 Member economy will not be realised if people provide increasing amounts of sensitive States4. Many other studies have are worried about security and do not identity data in order to access analysed the positive effect of digital trust networks and systems”6. online services, they require stronger identity on GDP, employment, tax, authentication methods (beyond simple business efficiencies and other social Trust is at the heart of digital identity. username/password schemes) and are factors such as the reduction of Trust is crucial in the context of increasingly demanding more security, cybercrime and identity theft5. delivery and consumption of electronic privacy and safer online environments. interactions between parties including Market players and key stakeholders

The digital identity ecosystem is operators, banks and other for information exchange relating increasingly complex, with a wide range financial institutions to large public to identity management. These are of business models and participants administration institutions, depending typically self-regulated industry operating at different points in the value on the market and national legislation. identity initiatives. chain with diverse roles, interests and ■ ■ priorities. Other commercial entities operate Governments may act as direct at many different points within the providers of essential online ■ Consumers, as users of both value chain and often provide varying eGovernment services and as commercial and eGovernment identity services / roles depending on market Registration Authorities to guarantee services, should have the ability to circumstances. Such roles include the identity of a subscriber to a trust minimize and contextualise the digital acting as relying parties or verification service provider8. Governments play a credentials they use to authenticate authorities (for example web site or key role in fostering the use of digital themselves or be recognised by application providers) that serve to identity within the private sector. Most online, whilst also demanding more verify the end-user’s authenticity, importantly, governments have a key secure, anonymous and safer online without necessarily sharing any of the role in facilitating effective regulation environments. user’s personal identity data. of digital identity both at a national ■ ■ and regional level, by helping markets “Trust service providers” or “Open trust frameworks” and adopt a consistent framework for Certificate service providers play federated identity models (for identity management and improving a critical role in issuing digital example Open Identity Exchange 7 privacy protection and regulation, so certificates for electronic identification (OIX) and Mozilla’s Persona) are that trust is secured and maintained. and for other services that provide large scale networks made up of authenticity, integrity and non- multiple actors (such as policy ■ Regulators, Data Protection repudiation to electronic transactions. makers, assessors, auditors and authorities and supervisors/auditors The trust service provider role can dispute resolution specialists) that that control, certify and audit digital be provided by many different provide a set of technical, operational, certificates have varying roles that organisations from mobile network legal and enforcement mechanisms depend on national circumstances. 4 Mobile Identity A Regulatory Overview

The challenges for policymakers and regulators

The legal and regulatory framework for For example, in the European Union gives a good insight into the nature mobile identity management generally the regulatory framework is comprised of regulatory and policy issues revolves around issues of authentication of a number of separate directives and around mobile identity, which other / identification. Given the wide variety regulations that cover the following policymakers may need to consider of digital identity applications, it is elements: when assessing their own frameworks difficult to formulate a common or ■ and regulatory requirements. single definition of digital identity on Electronic identification, signature which policy and regulatory issues can and trusted services for electronic As markets develop and trust and be based. One approach, as adopted transactions; reputation become more important by the European Commission when ■ Data protection and privacy assets within the economy, policy considering its own eID regulation, is to regulations; makers need to ensure consistency take a ‘process based’ perspective. This between the different legal and incorporates the legal and regulatory ■ Technical standards; regulatory instruments that affect framework around the processes of digital identity management. Such ■ Other sector regulations such as identification and authentication and consistency and legal certainty will be e-commerce regulation. more specifically around the inherent required to ensure harmonisation across data that is processed over electronic The extent to which these regulations borders, to provide business efficiencies networks and through digital identity are part of a harmonised and consistent and fair competition across different related electronic transactions. framework is still being determined platforms, and consistent experiences by EU policy makers. However, for users, thereby enabling innovation, consideration of each of these topics competition and market growth.

Electronic identification, signature and trust services

In recent years national strategies to A major new development in electronic the effectiveness of public and private define standards and regulations identification regulation is also taking electronic services, e-business and for trusted digital identities, both place within Europe. The current EU e-commerce. The legislative approach for the public and private sectors, framework for electronic signature and is technology neutral and open to are increasingly being introduced or digital certificates9 is under review and innovation, and its intentions are to considered around the world. a new set of rules on eIdentification, provide the basis for cross border For example: eAuthentication and eSignature interoperability of strong forms of (referred to as ‘elAS services’) have identification and authentication, such ■ In the USA, a National Strategy for been proposed10. as eID to access electronic public services Trust Identities in Cyberspace (NSTIC) or digital signature. has taken steps to create secure online The new framework is a two-fold identities for Americans; regulation predominantly related to: At the same time, the regulation will also introduce more stringent rules for ■ In the UK, the Cabinet Office has ■ A system of voluntary and progressive service providers, in terms of security recently launched an Identity mutual recognition and acceptance and data protection requirements, the Assurance Programme (IDAP) to across EU Member States of ‘notified’ national supervision of eSignature and provide citizens with secure access to electronic identification means and related trust services, reinforced data online public services. A government schemes. protection and the obligation for data certification programme is also being ■ minimisation. developed to enable any organisation, A general framework for the use including mobile network operators of online trust services, such as Additionally, these new rules will not and other private sector providers, time-stamping, electronic delivery, oblige EU Member States to introduce, to become an authorised identity electronic seals and website or individuals to obtain, national provider; authentication, and an explicit obligation to grant the same legal identity cards, electronic identity cards ■ In the European Union, electronic ID effect as handwritten signatures to or other eID solutions. But it will be cards now exist in Belgium, Estonia, qualified electronic signatures. necessary to ensure the emerging Finland, Germany, Italy, Portugal and identity ecosystem agrees common Spain, and mobile signature solutions The proposed European rules seek to definitions and terminology, standards are also available in Finland, Norway, enable secure and seamless electronic and practices to ensure consumer Spain, German, Poland and Latvia. transactions between businesses, citizens and citizen confidence as well as and administrations, thereby increasing business efficiency. Mobile Identity A Regulatory Overview 5

Data protection and security

There is increasing evidence that For example, in the EU mobile and fixed regulatory eSignature proposals the consumers and citizens are concerned line telecommunications operators are EC intends to give individuals the about their privacy and the misuse subject to rules not applicable to other right to compensation for damage of their personal information. These Internet players, especially with regards caused by poor security and to impose concerns may undermine trust and to the use of traffic and location data additional security obligations on confidence in online services, and for example. The data may be used to service providers. Given that the current the corresponding use of personal provide value added services, such EU ePrivacy Directives already impose information for identity management as commercial identity management security and security breach notification purposes11. Ensuring the safe, secure and services, only with a user’s consent. obligations on telecoms companies, and transparent use of data will, therefore, Telecoms operators are also required given that the EC is planning to extend be key to securing the success of digital to notify national regulators of security these obligations to other sectors, and identity services. breaches and to notify individuals introduce a Cyber Security Directive, it where such breaches may cause harm12, is crucial the EC adopt a consistent and In addition, data protection and privacy and these security breach obligations uniform approach and ensure alignment protection are currently subject to a currently do not apply to Internet-only of legal instruments. patchwork of non-harmonised laws and players (i.e. internet companies that are telecommunications-specific rules, both not licensed network operators). The challenge therefore for policymakers at a global and European level. This and regulators, whether in the EU or does not assist in ensuring the necessary As eID involves the use of broader other parts of the world, is to establish legal certainty for businesses, consumers and more private sets of data among a harmonised legal framework and and citizens, nor does it facilitate cross many more players, it will be necessary to ensure legal clarity and certainty border data flows or cross border to develop a consistent and effective for service providers, consumers and identity services. approach to ensuring not only the citizens. This will be necessary to security of data and identities, but remove barriers and market distortions also to the reporting and management and to creating an internal market on of security breaches. In its new digital identity management services.

Technical standards

There are many standards relevant Issues covered include the Standardisation processes are often to digital identity typically managed standardisation of PKI systems, based on co-regulatory models, by international agencies such as defining standards for qualified where standards are used as a tool to the International Organisation certificates, security management support the implementation of national for Standardisation (“ISO”13), the and certificate policy for trust service legislation. Although many standards International Telecommunications providers issuing qualified certificates; relevant to digital identity are already Union (“ITU”), and International Civil electronic signature syntax and encoding in place, there is a significant body of Aviation Organisation (“ICAO”) or formats for security management. work still in progress and consequently, regional bodies such as the European For mobile signature standards, this the overall standardisation framework Committee for Standardisation (CEN) may cover technical requirements for is still uncertain. and ETSI’s Electronic Signatures and interfaces between Mobile Signature Infrastructures Technical Committee Service Providers and those parties who (TC ESI), or National Accreditation choose to rely on mobile signatures for Bodies such as UKAS in the UK, ENAC whatever reason14. in Spain, DAkkS in Germany, NAT in Hungary and so on. 6 Mobile Identity A Regulatory Overview

Other sectoral regulations

Digital identity management services used within these specific domains, including the E-commerce Directive can unlock new business opportunities sectoral regulations will also often (Directive 2000/31/EC), the Payments across different sectors including apply. In Europe for example, there Directive (Directive 2007/64/EC) mobile payments, mobile banking and are a wealth of directives that are and the E-money Directive (Directive mobile commerce. However, when related to e-payment services and are (2009/110/EC). identity management services are strictly relevant to digital identity, Policy considerations

To unlock the potential of the digital However, the concept of eID should the information they are sharing, economy and ensure the successful receive political recognition in its and with whom, to strengthen trust. implementation of mobile identity broader form, i.e. digital identity Both Governments and industry solutions, policy makers should: should be seen as a way for users stakeholders should work together ■ to get access to a wide variety of to raise awareness and encourage Ensure consistency and harmonization digital rights and be inclusive of the understanding of how electronic between applicable legal instruments; softer forms of authentication used identification works. ■ Prioritise the implementation of user for more general online transactions ■ and activities. Allow for interoperability, friendly identity solutions; standardisation and good ■ ■ Ensure transparency and the Provide legal and regulatory governance. Standardisation is a application of clear and consistent clarity and certainty. Uncertainty key step to achieve interoperability. rules for privacy and security; of regulation may hinder industry’s If identity solutions are to be used willingness to invest. Policy across national borders, applicable ■ Facilitate interoperability of secure makers should ensure that pro- open standards and best practices electronic transactions across borders investment policies are sustained, for consumers and industry players and across industry sectors; and harmonisation and compatibility must be adapted accordingly. There between regulations and self- are various industry groups already ■ Minimise compliance costs for regulatory models encouraged. working towards a common set of industry and address any other This will not only provide more specifications but the market place barriers arising from existing or new legal clarity, but will also ensure needs standards that embrace business legislation. interoperability and cooperation process issues around assurance, between key stakeholders in the privacy, and liability. As regulations In order to meet these objectives, the key mobile identity ecosystem. and policies around these are finalised, issues and considerations that need to be mobile identity can become an even addressed include: ■ Ensuring the application of good stronger foundation for trust among principles around privacy and ■ Mobile identity is at the core of all parties exchanging information. security while ensuring business digital society. The mobile industry efficiency and fair competition. has a significant role to play to build Fundamentally, electronic, digital and In the emerging mobile identity trust in the digital economy. But to mobile identity are intangible, which market, the protection of privacy and ensure mobile’s role and the benefits makes them difficult for governments, security is a key issue, and industry, of mobile are realised, will require service providers and consumers government and regulators need to consistent approaches across the / citizens to understand, use and work closely together to clarify their emerging identity management manage. Legislation and regulations roles and responsibilities. Equally, ecosystem. This consistency will be are important as a means of making mobile operators and other service necessary in order to ensure the safe sure that the identity authentication providers who aspire to become and secure use of data and identity standards that are defined and solutions providers of trust and convenience for management services, and to drive that are adopted are appropriate: they citizens and consumers should drive consumer trust and confidence. must be easy to use, fundamentally the application of good principles of secure and private, and they must ■ Ensuring Government “acceptance”. privacy and security such as privacy promote interoperability and the Electronic eID is a key enabler for by design, identity portability, establishment of trust. This is, of course, Government and business transactions accountability and education for no small matter, but it is essential that online. Governments are playing a key consumers and citizens. policy makers play their part, so as role in unlocking the potential benefits ■ Empower consumers. Users need to ensure that individual countries’ of mobile identity by providing to understand the role of electronic societies and economies benefit most eGovernment services and accordant identification, and how it works in from the continued emergence of online applications to the mass market, reality. They also need to increase activities, whilst minimising their paving the way for further consumer their awareness and knowledge of attendant risks. and citizen service digitisation. Mobile Identity A Regulatory Overview 7

Endnotes

1 COM (2012) 238/2 which seeks to enable cross-border and secure electronic transactions and identification in the EU Digital Single Market. 2 For more information on mobile identity use cases please see GSMA papers on “Global mID Review” and “The Mobile Identity Economy”. 3 Digital economy or internet economy generally refers to the network of economic and social activities enabled by digital infrastructures, content services and applications. 4 Source: “The Impact of Broadband on Growth and Productivity” http://ec.europa.eu/information_society/ eeurope/i2010/docs/benchmarking/broadband_impact_2008.pdf 5 Sources: Cf. Álvarez Capón (2010): Catastro, políticas públicas y actividad económica, p. 16 or RSO, CapGemini, CS Transform (2009): Benchlearning: Study on impact measurement of eGovernment; BSG (2013) The value to our Digital identity http://www.lgi.com/PDF/public-policy/The-Value-of-Our-Digital-Identity.pdf 6 World Economic Forum 2013 http://europa.eu/rapid/press-release_SPEECH-13-51_en.htm 7 See: http://openidentityexchange.org/ 8 The registration will typically occur at a government institute of the entity domicile (e.g. a municipality) that is acquiring the electronic or physical token and credentials to be used for electronic authentication. 9 A community framework for the legal recognition of electronic signatures, EU E-Signature Directive 1999/93/EC 10 COM (2012) 238/2 and http://ec.europa.eu/information_society/policy/esignature/eu_legislation/regulation/ index_en.htm 11 See Eurobarometer: Attitudes on Data Protection and Electronic Identity in the European Union http:// ec.europa.eu/public_opinion/archives/ebs/ebs_359_en.pdf 12 See E-Privacy Directive (2002/58/EC) and its amendments and http://eur-lex.europa.eu/LexUriServ/LexUriServ. do?uri=OJ:L:2002:201:0037:0047:EN:PDF 13 See ISO/IEC 24760, A framework for identity management; ISO/IEC 29115, Entity authentication assurance framework; ISO/IEC 9798, EntityAuthentication; ISO/IEC 29100, Privacy Framework; OECD Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication; NIST Recommendations for establishing an identity ecosystem governance structure. 14 Current Mobile Signature Standards are stated in ETSI TS 102 203. For further information, please contact Marta Ienco, Regulatory and Policy Director, Mobile Identity [email protected]