Identity Assurance in the UK: technical implementation and legal implications under eIDAS
Pages: 32-46
Tsakalakis, Nikolaos, Stalla-Bourdillon, Sophie and O'Hara, Kieron (2017) Identity Assurance in the UK: technical implementation and legal implications under eIDAS. The Journal of Web Science, 3 (3). (doi:10.1561/106.00000010).
Abstract
Gov.UK Verify, the new Electronic Identity (eID) Management system of the UK Government, has been promoted as a state-of-the-art privacy-preserving system, designed around demands for better privacy and control, and is the first eID system in which the government delegates the provision of identity to competing private third parties. Under the EU eIDAS, Member States can allow their citizens to transact with foreign services by notifying their national eID systems. Once a system is notified, all other Member States are obligated to incorporate it into their electronic identification procedures. The paper offers a discussion of Gov.UK Verify's compliance with eIDAS as well as Gov.UK Verify's potential legal equivalence to EU systems under eIDAS as a third-country legal framework after Brexit. To this end it examines the requirements set forth by eIDAS for national eID systems, classifies these requirements in relation to their ratio legis and organises them into five sets. The paper proposes a more thorough framework than the current regime to decide on legal equivalence and attempts a first application in the case of Gov.UK Verify. It then assesses Gov.UK Verify's compliance against the aforementioned set of requirements and the impact of the system's design on privacy and data protection. The article contributes to relevant literature of privacy-preserving eID management by offering policy and technical recommendations for compliance with the new Regulation and an evaluation of interoperability under eIDAS between systems of different architecture. It is also, to our knowledge, the first exploration of the future of eID management in the UK after a potential exit from the European Union.
Text: WebSciJournal - Accepted Manuscript
Text: 106.00000010 - Version of Record
More information
Accepted/In Press date: 26 July 2017
e-pub ahead of print date: 7 December 2017
Published date: December 2017
Additional Information:
Associated publications:
Tsakalakis, N., O'Hara, K., & Stalla-Bourdillon, S. (2016). Identity assurance in the UK: technical implementations and legal implications under the eIDAS regulation. 55-65. Paper presented at WebSci '16 Proceedings of the 8th ACM Conference on Web Science, Germany.
Tsakalakis, N., Stalla-Bourdillon, S., & O'Hara, K. (2016). What's in a name: the conflicting views of pseudonymisation under eIDAS and the General Data Protection Regulation. 167-174. Paper presented at Open Identity Summit 2016, Italy.
Keywords:
electronic identity, eID, eIDAS, GDPR, data protection, trust services, Gov.UK Verify
Identifiers
Local EPrints ID: 413943
URI: http://eprints.soton.ac.uk/id/eprint/413943
PURE UUID: 2b803d3e-02f3-4a09-bb94-a8c2b1cef4b7
Catalogue record
Date deposited: 11 Sep 2017 16:31
Last modified: 16 Mar 2024 05:42