Despite legal and practical hurdles, electronic ID cards have a lot to offer
ID cards have been resisted in Britain so far but not so in the rest of Europe. Lawyer Patrick van Eecke looks at the wide range of uses for electronic identity cards - from e-government to signing into chat rooms.
The Labour government recently announced its plans to extend compulsory ID cards to skilled migrants from outside the European Union when their visas expire. In response to British citizens' resistance to ID cards, the government has been experimenting by enforcing compulsory ID cards on its migrant population instead.
While Britain is showing strong resistance, most European countries appear to be moving along with the practice of carrying ID cards, and more specifically, with the gradual introduction of electronic identity, or eID, cards.
eID card initiatives were first introduced in 2000 in three pioneering countries: Belgium, Estonia and Italy. Since then, these countries have seen massive rollouts of the cards. Close to 40 million eIDs will have been issued in Italy alone by 2011.
The promising results of the pilot projects in these countries quickly triggered the attention of the other European countries. France, Germany, Spain and the UK have all launched eID projects, leaving only a small minority of European countries without them.
In most European countries, the eID card looks like a typical plastic credit card. The card is 'smart' because it has an embedded computer chip that can perform computations and store a limited amount of data, such as the individual's name, date of birth, picture and fingerprint. Some of this data is also physically printed on the front and back of the card, just like a passport or driver's licence.
The first obvious use of the eID card is identification - it enables a citizen to identify himself to authorities or third parties. The identification can be performed from the information that is physically printed on the eID card or from the electronic information stored on the chip.
A more advanced use of the eID card lies in the electronic certificate and the cryptographic key pair that are stored on its embedded chip. Using this data, citizens can authenticate themselves in a way that's mathematically proven to be practically impossible to forge with currently available computer technology.
In addition to the identification and authentication uses in a citizen-to-government context, the eID cards of some countries store a second key pair and a second electronic certificate which can be used to generate digital signatures for legally binding transactions.
The digital signatures created by the eID cards of a selected number of EU member states are recognised, across the EU, as being legally equivalent to traditional handwritten signatures. This creates the possibility for holders to sign day-to-day electronic transactions with their eID card.
So far eID cards are primarily used in an e-government context. Throughout Europe and on all governmental levels, the cards can create a bridge between government and citizens, and lower the threshold toward the adoption of e-government projects.
Examples include secure authentication for electronic submission of personal taxes, VAT listings, or yearly accounts; requesting copies of personal documents from governmental instances (e.g. birth certificates or non-bankruptcy declarations); electronically requesting subsidies; sending registered letters; and paperless customs procedures.
Perhaps the most interesting fact about the eID cards, however, is that they are not limited to government use. The cards that permit their holders to create digital signatures can be used between citizens to sign legally recognised transactions. They can also be combined with other card-based projects, such as health cards and professional cards, for a variety of uses.
From a legal point of view, as eID cards start flourishing in citizen-to-citizen and business-to-citizen transactions, a key issue that arises is the extent to which governments can be held liable, or can protect themselves against liability, for the eID infrastructure they create (e.g. in the event of faulty chips).
Those eID cards that can be used to generate digital signatures also suffer from the long-term validation problem. This problem essentially results from the fact that, due to the fast evolution of information technology, it is quite likely that cryptographic methods that are considered safe today could be cracked by more powerful technology in the future.
From a privacy perspective, eID cards offer strong authentication possibilities, supporting increased trust in online transactions and online services. The cards are already used to operate online chat facilities, where only persons below a certain age can participate (e.g. children under 15).
While there are distinct legal and practical hurdles to overcome, the results of uptake across Europe are undeniably promising and within this context, the UK is bound to enforce eID cards.
Should the British government decide to introduce compulsory eID cards solely to its migrant workforce, skilled migrants might get a competitive advantage over other citizens. If the UK lacks the technological savviness and opportunities of the rest of Europe, is there a risk that British citizens will be left behind?
Patrick van Eecke is a partner in the technology, media and commercial group at law firm DLA Piper.