Possibilities and challenges in thedevelopment and use of secure eID

– Experiences from Sweden

Karin Axelsson

Professor in Information SystemsDepartment of Management and Engineering

Linköping University

karin.axelsson@liu.se

e-ID – A small technical artefact?

2

In one sense, yes – but we should not underestimate its

contextual and organizational complexity

Agenda

• Background and introduction to e-ID developmentand use

• The problem in focus

• Research approach and case introduction

• The Swedish program and a case study in health care

• Analyzing the management of the e-ID developmentcase

• From a life-cycle perspective and a CSF perspective

• Conclusions

• Further research

Background and introduction

• e-ID is a key enabler for the secure identification,authentication and digital signing via the Internet

• A part of secure e-service design (European Commission,2010; Halperin and Backhouse, 2008; Price, 2008; Rössler, 2008)

• As digitized citizens, we become reliant on e-IDsolutions that give us a certain level of utility andtrust when we interact with local and centralgovernment (Collings, 2008) in an e-service context

• In digitizing Europe e-ID is regarded as an importantback-office enabler for launching e-services andtransforming government (European Commission, 2010)

The problem in focus

• Developing, implementing and managing public e-services and secure e-ID solutions are challenging

• Require coordination and management

• Include people, processes and technology

• Stresses the complexities and interwoven characterof the e-ID as an artefact in an e-service setting andin an institutional arrangement

• Can be governed by an active role of thegovernment, and/or managed by market drivensolutions (cf. Grönlund, 2010; Kubicek, 2010)

The problem in focus

• Several e-government initiatives face a number ofchallenges of complexity; calls for further studies (Irani

et al., 2007; Gil-García and Pardo, 2005; Rosacker and Olson, 2008)

• e-ID as a contemporary example

• An important issue for IS project management ande-government, in practice and research

• To understand how we organize initiatives like thisand why some initiatives progress to success whileothers end in failure (e.g. Heeks and Stanforth, 2007; Melin and

Axelsson, 2009)

Purpose and research questions

• To analyse the management of e-ID development inSweden from:

• an e-government systems development life-cycleperspective and

• a project challenge and CSF perspective

• What challenges and success factors are representedin a national e-ID development initiative?

• How can we judge the success/failure of an e-IDinitiative using a life-cycle framework?

• What can we learn from the management ofdevelopment of e-ID in a public e-service context ona program level?

• Illustrate the implementation process in health care

WebCare_L19800819-0123

Research design• A qualitative, longitudinal case study

• Two cases today: the national development and animplementation case

• The study is part of a larger project focusing e-ID in a publice-service setting (2011-2014), financed by the Swedish CivilContingencies Agency

• Future safe electronic identification

• eID in government agencies

• eID in schools

• eID in health sector

• Interviews

• Document studies

• Forums for presentations and discussions

• Hearings, meetings with the Swedish e-ID Board,practitioners’ networks events and documents, scientificconferences

e-ID development in Sweden – Phase 1

• The emergence of the present national public e-IDpolicy can be traced back to the end of the 1990s

• Future use of public e-services

• In 2000/2001 the Swedish Tax Agency got thecommission to investigate a national e-ID solution forthe public sector

• Frame agreements with the actors delivering securee-ID to the banking sector

• A market driven e-ID delivery model

• e-banking is well established, 80% of the e-ID use

• An installed base of solutions for identification

e-ID development in Sweden – Phase 2

• The e-Government Delegation was formed in 2009

• Strengthen national inter-organizational developmentof e-government including e-ID

• A next generation of inter-organizational e-IDsolutions was needed

• The current procurement model was outdated, withoutany option of renewal

• The investigation resulted in a report, dominated bya technical oriented blueprint

• In January 2011 an authority named The Swedishe-ID Board was created

• Centrally manage and develop sustainable e-IDsolutions

The national e-ID program initiative in aEuropean context

2013-10-24

Kubicek and Noack, 2010a, p. 237

Managing e-ID Development –A Life-cycle Perspective

Projectassessment

Projectassessment

Analysis ofcurrent reality

Analysis ofcurrent reality

Design of the pro-posed system

Design of the pro-posed system

Systemconstruction

Systemconstruction

Implementationand beyond

Implementationand beyond

Projectassessment

Projectassessment

Analysis ofcurrent reality

Analysis ofcurrent reality

Design of the pro-posed system

Design of the pro-posed system

Systemconstruction

Systemconstruction

Implementationand beyond

Implementationand beyond

(Heeks, 2006, p. 159)

Managing e-ID Development –A Challenge and CSF Perspective

• Several sets of success factors in the e-governmentarea and in ISD in general (Sarantis et al., 2011)

• E.g. top management commitment, linkage tobusiness, technical alignment, knowledge and userinvolvement (Pardo and Ho, 2004)

• Several challenges linked to

• (1) information and data, (2) IT, (3) organizational andmanagerial, (4) legal and regulatory, and (5)institutional and environmental (Gil-García and Pardo, 2005;Melin and Axelsson, 2009)

Analysis – Managing e-ID Development –A Life-cycle Perspective

Project stage (Heeks, 2006) e-ID development case

Project assessment Oriented towards pragmatic problem solving

An outdated procurement model; a need for a new e-ID solution;stimulate competition

Opportunity seeking

Analysis of current reality Extremely forced and temporarily staffed

The technology put in the foreground

Contextual analysis put in the background

Design of the new system Conceptual design; no technical artefact designed

Model development; multiple contracted private e-ID providers and afederated e-ID solution

Important design issues (digital signing) not solved

System construction Conceptual infrastructure in focus

Time consuming building of trust

Implementation and beyond Changes in the constitution, preparation of agreements,technological development, frameworks for security and trust

A transition plan (the new solution in use during 2014)

Analysis – Managing e-ID Development –A Challenge and CSF PerspectiveChallenge/CSF e-ID development case

Information and data The federative solution in the suggested e-ID infrastructure demands datainterchange between different actors

IT The technological conditions for the program are based on different existing e-ID artefacts on the market (installed base; widespread solutions from e.g.Swedish banks). There is also a situation where the infrastructure andapplication are conceptually designed in parallel – resulting in an untested,conceptual, e-ID infrastructure.

Organizational andmanagerial

The role of the e-Gov Delegation is perceived as unclear

The size and scope of the e-ID development program perceived as unclear, sois the ownership of the program

A complex infrastructure with relationships between technology, law andbusiness model; harder to communicate with different stakeholder groups

A high risk program

Legal and regulatory Changes in law and regulations are needed (procurement model etc.)

Institutional andenvironmental

A step towards a more centralized and consistent e-ID infrastructure

Challenging the norms and power structures (decentralization)

Implementation and use of e-ID in healthcare – an ongoing study

• Studies of an implementation project in a county

• Early use of e-ID (SITHS card)

• Clearly driven by law requirements on patientsecurity (Patient Data Act, 2008)

• Step by step approach – the "easy" first – is not sosimple

• Related routines – development and use in parallel

• Dependence – strong professions – key persons

• Safety in everyday life – bet everything onone card?

CREATE VALUE PERCEIVED BENEFITS INCREASED USE

Conclusions 1(3)

• National level – eID development

• A high risk e-ID project and e-service program!

• The initiative is oriented towards pragmatic problemsolving and an explicit demand from public agencies(secure e-ID solutions for e-services)

• The problem solving and implementation process isforced in time and have limited available resources

• The program scope is unclear and the relation to theexisting and dominating e-ID solution (BankID) is unclearand hard to coordinate from a governmental perspective

• A significant challenge in the designing of theinfrastructure for e-ID (conceptually and applyingit in parallel)

Conclusions 2(3)

• National level – eID in development

• Significant challenges related to organization andmanagement of the program

• Involved actors are heterogeneous and have differentsets of expectations

• The technological artefact is in foreground, and the usersetting (citizens and professional users) and the link to e-services provided is in the background

• The e-ID needs to be managed as an integral part ofe-service development because it is intertwined with theuse of e-services from a user perspective

• e-ID is more than a back-office enabler – it is anintegrated part of successful e-service management anduse

Conclusions 3(3)

• e-ID in health care – SITHS card in use

• The pattern on national level is visible here as well

• True challenges are related to the organization of theimplementation – the roll-out is in focus

• Involved actors are heterogeneous and have differentexpectations on the result – strong professions

• The technical artefact is in focus – not use issues and therelation between e-services and internal IT

• Complicated use in the work settings

• Trying to create benefits for users…

• Some security risks are reduced – but new ones appear

Further research

• There is a lot of work to be done to develop securee-services and e-ID that creates safe everyday life

• Contextual studies of e-ID are needed

• Health sector

• Local government

• Public agencies, national and international

• Generate more knowledge on the issue of e.g.national and organizational differences, governancestructures, IT and e-ID user maturity and diffusion

• The implementation gap between policy and practice

• Systematic evaluation and governance

• Further studies on theoretical implications

Thanks for your attention!

Questions andcomments?

www.liu.se