Record integrity and attribution are two major themes for companies that have implemented or are exploring the usage of electronic signatures and records – despite the fact that they’re not explicitly stated in ESIGN or UETA. How does one ensure a record is accurate? How does one know that the person signing the record is who they say they are?
ESRA gathered four experts to discuss all of these implications. They are:
- Abe Smith: Founder, IOCS
- Tom Smedinghoff: Of Counsel at Locke Lord
- Etienne Combet: Secretary General, ClubPSCo
- Arne Vidar Haug: Co-founder and VP, Business Development, Signicat
Smedinghoff started with an overview of electronic identity in the context of online transactions. He said there are basic issues that he sees as two questions: Who are you? How can you prove it?
“The goal is to create a system by which we can trust the results we get,” he said. “It’s interoperable and it crosses borders. This is important from a variety of perspectives, including who signs the document, who has access to the database, and so forth.”
Identity starts with an identity proofing process with the gathering of attributes about someone, Smedinghoff continued. That includes things like name, address, employer, credit report, and so forth. Then an identity credential, a document or data, can be issued. Offline, it’s a passport or a driver’s license. Online, it’s a user name, a digital certificate, and so forth.
The next step is how you prove who someone is, which involves an authentication process, he said. Offline, an authenticator can be a photo on a driver’s license. Online, a user name can be authenticated with a password. “And of course we know no one has anyone else’s password,” Smedinghoff said with a knowing smile. “But there are more sophisticated ways of authenticating someone.”
He then talked about the three basic roles that come with e-identity:
- The subject, the person who’s identified
- The identity provider, who does the proofing and issues the credential (can be multiple providers)
- The relying party, the entity that relies on the credential
There are also key legal issues, he noted:
Right now, over 100 different countries issue national identity cards, and many are converting them to e-ID cards with chips that contain different kinds of information, depending on the country.
In the US and the UK, they’re going a different way, though. Both want to provide government services to citizens but do so without the government being in the identity proofing business. They prefer to rely on the private sector, such as a bank. Both are in the development stage. (The EU has a project called STORK that has private and public sector components.)
There are also several efforts led by the private sector, particularly in high-value transactions. Several organizations are looking at certification, research, and other areas, and the ABA is looking at the legal issues; Smedinghoff is involved in the latter.
New identity law is being enacted too, with other laws on the way. For example, the state of Virginia adopted an electronic identity act, which addresses the issue of liability and the adoption of a formal standard.
Finally, the UN commission on international trade law is working on international laws around online identity, and in the US, the Uniform Law Commission has a proposal to establish a committee to look at the same subject.
The European Outlook
Combet then discussed the European perspective on the issues, beginning with the situation there before eIDAS was enacted. (eIDAS is the European Union’s version of ESRA.) From 1999, the European Union had its version of UETA, a directive that allowed for e-signatures but which was hampered by the fact that it didn’t work smoothly among the member countries.
“We were also lacking on trusted services. No definition, nothing real clear,” Combet explained. “The states had their own markets and own technical and legal frameworks.” In contrast, he said, business drove e-signature adoption in the US, not government, which allowed it to progress quickly, unlike in Europe, where the 1999 directive led to a poor adoption rate.
However, Combet went on, the situation was due to change with the implementation of eIDAS in 28 countries in July 2016, with the goal of boosting efficiency, trust, delivery services, and website authentication for e-signatures across the European Union. (If this panel were being held when this blog post was published, the UK’s vote to leave the EU would have been a major topic of discussion regarding how it will affect eIDAS.)
“What will be the main improvement of the legislation?” Combet asked. “Remote e-signatures will boost mobility and simplicity. Time stamping will make proof management easier. Electronic registered delivery services will be more homogenous. Electronic seals will be improved, allowing a legal body like a company to have a legal signature. Previously, in a country like Germany, the CEO of a company would have to personally sign an invoice for a delivery, which made things difficult for large companies.”
He added: “If we want to have common practices, we have to build them. I don’t think governments are interested in doing that. They don’t put much energy into it since it favors businesses. The industry needs to work on that in Europe and build some common rules and processes that make it fair for everyone.”
The Norwegian View
Haug then took control. He’s from Norway and noted that his country is not part of the European Union, despite being part of the European economic area.
“You have a lot of different identity sources in Europe,” he said, “such as telco IDs, post IDs, and so forth. It’s a fragmented market. Many of them are based on public and private key infrastructure and some are card-based, with a chip, along with mobile apps and other kinds of solutions, with various kinds of assurance attached to those identities.”
He continued: “There are more bank IDs out there, so you can reuse your bank credentials to log in or for a signing process at another bank. That will be more and more common because of the new payment services directive. That kind of thing is happening in Norway, Denmark, Sweden, and other countries. The Netherlands will start a bank ID federation that will be used for authentication and signing.”
Someone then asked a question about the potential for fraud, if bank log-in information is being reused. “We have been running this for a lot of banks and different schemes, along with the same for credit cards, so it can’t give away your credentials,” Haug replied. “It’s about educating people and businesses about what they should do with their credentials and how to use them. That’s crucial. In addition, the European banks require strong authentication, and in Norway they’re combining government IDs with bank IDs to create one solution to be used across all parties.”
He added: “If you’re working across countries, you need to aggregate government IDs, bank credentials, telco IDs, and so forth. The regulators are saying you should be able to reuse credentials, but there’s no interoperability and a lot of IDs don’t have native support for signatures, so you need to build a signature environment too.”
For credit card applications, car loans, and so forth, bank credentials, government IDs, and other IDs are being reused, Haug said. They’re also being used in stores, on the phone, and in online applications. Ninety-nine percent of online applications are being signed electronically in the Nordic countries.
Mobile bank IDs are being reused three times more than other credentials, Haug also noted. They can put them in a mobile device’s SIM card, he said.
The UK: A Common Law Country Within Europe
Smith was the final speaker. “The banks we work with have some basic problems,” he said. “Most people in the UK don’t walk around with ID cards and haven’t subscribed to a federated ID scheme, which leaves everyone with a problem. We have a legal framework that’s similar to the US, where qualified signatures aren’t handled the same way as in Europe.”
He continued: “In essence, a bank dealing with a new customer must find out if that person exists, is legitimate, and is the actual person who’s about to conduct a transaction. We need evidence-based options to establish identity, such as a multiplicity of sources, like credit reference agencies, to create a picture of the person. We need to be able to extract data from those sources and process it quickly.”
He gave geo-location services as an example. “If a customer is applying from London and geo-location says they’re in Australia, we will likely ask questions,” he said. “We can also figure out who their device has been linked to before, whether someone legitimate or not. And we can link to their bank account to match up information. Finally, we triangulate all that data on the fly, in real time.”
Smith continued: “We’re also doing a full documentary authentication. We process a secure image of the document along with a bio scan of the customer, including a short video clip of them that proves they’re alive and which is matched to the photo ID. And we have things like knowledge-based authentication, such as asking questions that only the customer knows the answers to.”
If there are problems during authentication, that’s where the multiplicity of sources comes in. For example, the bank can go to a different agency if Experian’s service is down. And then when someone is authenticated, that information is embedded in the documentary evidence, at least during the IOCS process, which demonstrates the integrity of the data.
After Smith was done speaking, the panel moderator turned to the question of the variety of standards around the world and which one would win. Smedinghoff said, “I think we’re in a situation where identity is becoming very important, and to do significant transactions, we need a trustworthy source of identity information. We have the technology to do it, but what’s missing is some level of agreement on the rules of the game, so to speak.”
He continued: “Whether that happens in the private sector, like in the US, or through the government, as in other countries, that has yet to be decided. If it’s the private sector side, we need a business model and liability rules to make it work. On the government side, we need the will and the funding to make it work.”
Asked if we’re heading toward a model where there’s always a third party in the middle of the transaction, Smedinghoff replied, “You see some people discussing whether there should be a global verifying authority. In the US, people say there should be multiple authorities in the private sector offering competing options. But where that will go is still up in the air.”
Combet added, “I think the same, except in B2B. When we work with large corporations, they don’t need a third party to verify them. That’s more for B2C or government-to-individual. It’s like a mountain: Everyone is climbing from a different place, but we’ll all have common rules when we reach the top. We need trust and efficiency to make it happen faster.”
Asked for his thoughts on the subject, Haug replied: “I think we need to look at the fact that there’s no one-size-fits-all approach. It’s almost like a beauty contest where people ask which country has the best solution, but it’s about having the least friction possible. If you can combine your mobile phone with your identity for signing, that’s a lot better than walking around with a card reader in your pocket. We have to think about solving real world problems. It takes time and needs education.”
When Smith was asked about interoperability in the UK when working with European countries, he said, “The issue with European regulation at the moment is that it’s ID-focused and technology-centric. That’s dangerous because technology changes fast. The US built its solution around the needs of the business community. The problem with federated identity is that the moment that breaks, you’re in big trouble because all your eggs are in one basket. I think eventually practicality and commerce will win out and Europe will become more like the US.”
Smedinghoff said, “Different kinds of laws can inhibit e-ID systems, and the current laws can leave providers uncertain about risk and liability. We need to be careful, though, that any law doesn’t create problems, rather than solve them.”
There was time at the end for two questions. The first one was addressed to Smith, who said his country has a risk-based approach that tells the consumer what checks are being done. (The question was largely inaudible.)
The other question concerned how someone can now do many things on their phone by using their fingerprint. Smith said that such a system is only as good as the information used to authenticate the account on the phone originally. “Apple probably didn’t ask too many questions,” he observed.
Smedinghoff said, “From a broader perspective, people are looking at that phone as a key identity credential. So the mobile networks are looking at how to turn the phone into an identity credential, and Apple is leading the way there.”