Over the past decade, the EU has made significant technological and legal strides toward the widespread adoption of electronic identification cards. An electronic ID card, or e-ID, serves as a form of secure identification for online transactions – in other words, it provides sufficient verification of an individual’s identity to allow that person to electronically sign and submit sensitive documents such as tax returns and voting ballots over the Internet. Many people see e-IDs as the future of secure identification since they offer the potential to greatly facilitate cardholders’ personal and business transactions, and the EU Commission has recognized this potential by drafting regulations meant to eliminate transactional barriers currently hindering the cards’ cross-border reach. However, the increasingly widespread use of e-ID systems also gives rise to significant data security concerns.
Countries including Spain, Italy, Germany, and Belgium already have adopted e-ID systems, and the precise mechanics of the systems differ from country to country. In the Estonian system, for example, each e-ID carries a chip with encrypted files that provide proof of identity when accessed by a card reader (which a cardholder may purchase and connect to his or her computer). Once the card is inserted into the card reader, the user inputs different PIN numbers to access the appropriate database and electronically sign e-documents.
In fact, as recently detailed in The Economist, the small Baltic country of Estonia has one of Europe’s most highly developed e-ID systems and exemplifies the underlying potential of this technology. Around 1.1 million of the country’s 1.3 million residents have electronic ID cards, which they can use to take advantage of the country’s fairly advanced array of e-government offerings. Estonians can use their e-IDs to go online and securely file their taxes, vote in elections, log into their bank accounts, access governmental databases to check their medical records, and even set up businesses, among many other tasks. Estonia even has established an e-prescription system that permits doctors to order a refill by forwarding an online renewal notice to a national database, thereby allowing a patient to pick up a prescription from any pharmacy in the country simply by presenting his or her e-ID. The Estonian government also has announced a plan to start issuing cards to non-Estonians, so that citizens of other countries can easily set up businesses in Estonia or otherwise take advantage of that country’s many e-services. Estonia’s e-ID system thus illustrates how these cards can enhance convenience and save time that may otherwise be spent waiting in line to file documents in government offices, and they represent a significant step in that country’s efforts to brand itself as “e-Estonia.”
Naturally, the use of these cards to access such large quantities of personal data implicates important data security issues. Estonia assures its cardholders that their transactions are secure because each card’s files are protected by 2048-bit public key encryption, and because users need to enter multiple PIN numbers to access and use certain online services. To date, Estonia’s e-ID system has not suffered a major data breach. Nevertheless, the security of the system has been called into question by researchers who claim that Estonia’s e-voting process is vulnerable to manipulation by skilled hackers.
So what other factors may hinder the deployment of this technology, beyond the large upfront costs of developing an e-ID system and distributing e-ID cards? As mentioned above, the e-ID system requires the adoption of extensive data security measures to ensure the confidentiality of personal data. Furthermore, systems like those established by Estonia are so efficient in part because they draw on personal data – including health information – held within government databases. Citizens of other countries, such as those with largely privatized medical systems like the United States, may be much more wary of government efforts to consolidate this type of personal information, even for the sake of efficiency. Other countries share similar concerns about governmental collection of personal information. When the U.K. government announced plans to issue ID cards linked to a national identity register, for example, opposition proved so fierce that the government abandoned its pursuit of the project. Denmark and Ireland also do not issue ID cards to their citizens.
Regardless of this opposition, the European Commission believes that e-IDs will facilitate business within the EU and is dedicated to removing many of the legal barriers hindering the implementation of this technology. As early as 1999, the Commission issued Directive 1999/93/EC, which provided a framework for the legal recognition of electronic signatures. And in 2012, the Commission issued its draft regulation on electronic identification and trust services for electronic transactions. The regulation set forth a mutual recognition scheme mandating that all member states recognize and accept electronic IDs issued in other member states for the purposes of accessing online services. The regulation would, for example, allow an Italian student attending a German university to pay her school fees online via the university’s German website by using her Italian e-ID.
In sum, e-IDs have the potential to simplify the lives of cardholders – but only if those issuing the cards are willing to take the appropriate security precautions and work to achieve mutual recognition of other countries’ IDs.