eIdentity: Will US and EU Meet in the Middle?

By Ken Moyle

Last week I revisited the history behind the rapid adoption of electronic commerce in the US over the past 15 years, along with a suggestion that we may be in for some growing pains.  Online identity and trust are still in their adolescence here, and if we do not work toward a more meaningful means of establishing online trust, we will not achieve the true potential of digital transactions.

On the other side of the spectrum lies the European Union.  While America was building private sector e-commerce empires with low-risk, low-value transactions in the 1990s, Europe instead worked on an electronic commerce model that focused on minimizing online risk.  They had good reasons for this: their mission was to create a framework to support a “digital agenda” for online delivery of government services.

As I have previously shared,

“Government agencies in the US have been pressured for years to offer paperless alternatives, but concerns about user authentication have driven most digital transformation projects into a brick wall.  There is no budget for fraud losses, nor is there an ‘acceptable level’ of identity theft.  The institutional appetite for converting an admittedly imperfect paper process to a digital one decreases as the margin for error approaches zero, so that even the most obvious and available solutions do not get implemented.”

This is the very problem the Europeans sought to solve.  Rather than leaving attribution and authentication decisions up to the parties, the Europeans focused almost exclusively on identity.  They had to.  Governments needed to rely on electronic documents presented to them by citizens of other countries, or by other countries’ governments.  Authenticity and reliability were paramount to eliminate unnecessary risk.

So they picked the Utah statute off the American scrap heap, and proceeded to build an ornate legal and technical regime that unapologetically prescribed in excruciating detail the requirements for conducting a valid online transaction.  Not only was identity a component of an electronic signature, it was synonymous with an electronic signature.  After passage of the “Directive on a community framework for electronic signatures” in 1999, followed by years of defining standards for technology and process, the European electronic signature era was born.

It didn’t work.

The scheme was so grand in design that it ultimately collapsed under its own weight, suffering from lack of buy-in from the private sector and, worst of all, rejection of the standards by some of the very Member States it was intended to serve.  The standards were complex and, as with any legislative effort to address technology, were already outdated by the time they hit the market.  Businesses and legal counsel were confounded by some of the concepts, leading a majority to believe that electronic contracts faced a high risk of unenforceability unless the parties used an expensive, hardware-heavy, government-grade signature process.  In contrast to the American model, the European model was heavy on identity assurance, but fell short on key components affecting usability and adoption.

The 1999 Directive will be repealed next year and replaced with a uniform regulation, known as “eIDAS.”  In recognition of the failings of the Directive, eIDAS focuses on enhancing the reliability and interoperability of nationally-supported electronic identity schemes (eID).  Much as driver’s licenses work today in the US, the eID is a government-issued credential that provides enough trust between Member States to allow holders to take advantage of the benefits of citizenship across national borders.  In fact, such recognition is mandatory under the regulation.

A potential benefit of a high-assurance eID scheme is the easing of the 1999 Directive’s perceived stranglehold on private commerce by decoupling e-authentication from e-signature.  In theory, the method of signature used by a party to an agreement – particularly a private contract – is less critical if there is a highly trusted identification scheme supporting the identity of the signatories before they sign.  The prospects for adoption of electronic means of conducting higher-level, more complex transactions are much brighter if the parties have a mutual understanding of how their counterparts’ identities have been verified.

The eIDAS regulation does not prescribe the technical requirements for Member State eID schemes to meet the minimum assurance standards for cross-border recognition, but we can expect to see some interesting compromises as the 28 governments attempt to stack hands on a meaningful set of criteria for mutual recognition of citizen identity. 

If they can do that, they have solved a problem much broader than cross-recognition of government documents – they have removed a tremendous barrier to the advancement of global e-commerce.  

That sounds a lot like the goal the US was trying to achieve 15 years ago.

To learn more about e-Identity and how it may impact your organization, contact K6 Partners. K6 offers complete, end-to-end digital transformation consulting. From implementing an electronic signature process to digitally transforming your business, K6 can help. Contact us today.