1

« The digital identity toolkit « The digital identity toolkit for African stakeholders »for African stakeholders »

by Alain Ducass

Director of Digital Economy at Adetef, the French technical assistance public operator

in the field of economy and finance.

International expert,

In Digital transformation of emerging countries. (alain.ducass @ mines.org)

2

After the 10th October , I think it more important to comment a Worldbank document : « Digital identity Secure toolkit for African stakeholders » 

prepared by Joseph J. Atick, PhD (Chairman of the Identity Counsel International) and Zaid Safdar (Task Team Leader, World Bank), with a French support and my own contribution as a reviewer.as it has been published recently on www.planetbiometrics.com/article-details/i/2201/

3

Interoperability with Interoperability with third countriesthird countries

4

1) Identity matters (1)1) Identity matters (1)

Identification is necessary for modern development.Today’s modern society creates new demands on identity: identity has to be mobile, transactional, interoperable, portable, and social—in addition to being secure.

One of the main e-Identity's applications for a country is a cross-sector platform on which to establish a robust identification system, enabling services across sectors to be delivered electronically.

Digital identity is growing in developping countries.

5

1) …/... Digital identity is growing in developping countries. (2)1) …/... Digital identity is growing in developping countries. (2)

6

2) How Identity management works (1)2) How Identity management works (1)

The goal of a National identity program should be to attribute one identity per person per lifetime for all needs.

The identity lifecycle includes Registration, Insuance and use.

Identity is at the core of human-human interactions and, by analogy, eID will be at the core of human-machine or human-information systems interactions.

7

2) How Identity management works (2)2) How Identity management works (2)

The Identity Registration is the first step in capturing a person’s identity.

It consists of a set of procedures for collecting data (enrollment) and using it to verify that the identity is authentic by validating the following conditions:◆◆ Existence: claimed identity exists (and is alive, not aghost) at the time of enrollment and can be localized(reached through address, email, phone number, etc.).◆◆ Uniqueness: claimed identity is unique or claimedonly by one individual.◆◆ Linkage: presenter can be linked to claimed social identity.

8

3. Developping an e-ID program : 3.1 Vision ; Legal & policy matters3. Developping an e-ID program : 3.1 Vision ; Legal & policy matters

The first step is the adoption of a vision, at a Cabinet level, for the pathway towards a national eID. This vision has to take in account 5 functional building blocks.

Two distinct options emerge: a top-down or a bottom-up approach.

Legal and policy matters need to be investigated : Legal Authority, Protection of rights of people, Pro eID policies.

9

3. Developping an e-ID program: 3.2 institutional Framework3. Developping an e-ID program: 3.2 institutional Framework

The Institutional Framework has to be adapted to the country and its goals.

10

3. Developping an e-ID program: 3.3. Technology (1)3. Developping an e-ID program: 3.3. Technology (1)

An eID system is built by putting in place several technology solutions including : Biometrics Electronic databases Electronic credentials Mobile, online, and offline applications

In a data-centric world, what is fundamental is notthe id card, but the identity data, which can be leveraged by storing it on various media dependingon needs and budgets.

In selecting a solution, the overall identitysystem should work with any mix of equivalentcomponents from different suppliers. Theimplementing agency should be able toeasily replace backend matching engines,biometric capture devices, or any otherelements seamlessly, without jeopardizingthe operations of the overall system. Systems should be based on open standards at all levels—biometric or IT.

The guide includes cost-advantages analyses of different

technologies, e.g. for biometrics or Cost & Security Tradeoffs for the

Different Credential Models.

11

3. Developping an e-ID program: 3.3. Technology (2)3. Developping an e-ID program: 3.3. Technology (2)

12

3. Developping an e-ID program: 3.3. Technology (3)3. Developping an e-ID program: 3.3. Technology (3)

13

3. Developping an e-ID program 3. Developping an e-ID program 3.4. Trust, Privacy & Security3.4. Trust, Privacy & Security

3.4.1 Trust3.4.1 Trust

All parties must be convinced ofthe integrity of the overall system.

Trust is not always fact-based taking in account that perception is much of a factor as reality.

There is to work on the following topics : Registration integrity Trusted credentials Identity Assurance Combatting Malfeasance (Human factors) Data protection & security Trust model

14

3. Developping an e-ID program 3. Developping an e-ID program 3.4. Trust, Privacy & Security3.4. Trust, Privacy & Security

3.4.2 Privacy3.4.2 Privacy

eID generates sensitive data that evokes privacy concerns primarily for the following reasons:

Personally Identifying Information (PII) collected for enforcement are generally consider private,

Central repository  with all individuals in a country creates significant concerns of security, exploitation, and misuse,

The Unique Identity Number (UIN) as an administrative tool, allows linkages that can be dangerrous for people privacy since the sum of data is more invasive than its individual parts.

Digital Audit Trail: Over time, if eID is successful, it would become pervasive.

In order to avoid the potential privacy pitfalls of eID, suitable protective measures need to be put in place.

15

3. Developping an e-ID program 3. Developping an e-ID program 3.5. Operational Processes and Controls3.5. Operational Processes and Controls

Ultimately, an eID system needs to be run as a goingconcern. This means that there must be processes andcontrols in place to avoid the failure of the NIA andto ensure the achievement of the following corporateobjectives: Regulatory compliance, Protection against man-made operational risk, Continuity of operations, Continued relevance, Efficiency of operations.

It is recommended that a full-scale IT risk and vulnerability assessment can be conducted prior to implementation of the eID solution, as well as on an ongoing basis, in order to monitor how the system withstands real-world operational attacks, that could undermine its functionality.

The guide includes recommendations about the controls to be undertaken

on identity management.

Corporate and Support Function Controls for eID System are recommended about Operational Governance, Human Resources, Supplier vetting, Change management, Audit & compliance, Awareness, Security and privacy, Business reliance.

Controls Related to Identity Management in an eID System are recommended about Registration, Insuance, Authentication and Maintenance.

16

Final policy considerationsFinal policy considerationsations

In developing an eID program, a government has number of policy choices to make. These choices require a review of the country’s specific economic, social and political context, and a

discourse with the actors in the local identity ecosystem to build a viable eID program.

The toolkit recommend them to: Conduct a diagnostic on the scope of eID in the country, Enlist champions and engage stakeholders of identity, Establish a supportive legal, regulatory, and authorizing environment, Determine enrollment approach for identity through civil registry or biometrics for development, Decide on a credential, if any, Anchor the eID program in a strong institution, with provisions for good governance, change

management, sustainable business model, managerial and technical capacity, data protection, strong operational controls, monitoring and evaluation (M&E), and long-term operations and maintenance (O&M),

Pursue PPP , where feasible, Communicate effectively and provide channels for complaint resolution and redress.

17

From my own point of view,The eIDAS regulation creates a new situation that will deeply forster eID and finally change the way of living with opportunities and risks.

We all have a responsibility in building up a better world.

Let us continue to discuss it, during the Secure Identity Alliance Workshop B« eIDAS State of affairs inside Europe and beyond »

Thank you for your attention !

Alain.Ducass @ mines.org