It’s a question I’ve asked before, but it is becoming even more pertinent as I see new identity management programmes being rolled out that are fragmented, uncoordinated and, in some ways, nonsensical.
The point was brought home to me as I listened to the stream of discussion about identity management that took place as a workgroup at the EPCA conference in Paris last week.
The work stream was titled: “e-identity: should banks take the lead?” and was moderated by Vincent Jansen of Innopay, the organisers of EPCA.
The presentation that caught my attention, however, came from Finansnæringens Fellesorganisasjon, which is Finance Norway (FNO) in English, a trade organisation for 180 banks, insurance companies and other financial institutions in Norway.
The presentation was a joint pitch by Eline Vedel of FNO and Semming Austin representing BankID Norge, a secure bank identity network established in partnership with FNO and the savings banks of Norway.
BankID is the result of a decade of collaboration in trying to create secure identities for the Norwegian markets, and now covers around half of the Norwegian population – 2.5 million people – as an eID and eSignature service.
The system uses a PKI as a shared service for the financial providers, with the main goal of BankID to provide security in digital services for online banking and shopping.
The scheme has four servicing firms who make it work:
- FNO provide the overall scheme management;
- Bankenes Standardiseringskontor (BSK), the banking standards office, provide the technical standards and security requirements;
- BankID Norge provide management for all of the operational aspects of the scheme; and
- BBS Infrastruktur AS provide the certificate factory and other core components.
I’m sure you’re with me so far, and it’s impressive that the service reaches so many people.
And it works.
For example, Eline outlined FNO’s estimates of the growth of online banking and shopping in Norway, and it’s impressive:
Internet usage in Norway amongst citizens over 15 years old, according to FNO’s estimates:
- In 2000, 48% of citizens have internet access, and 17% use internet banking;
- By 2006, 79% have internet access, 68% are online banking and 26% are shopping regularly, defined as those who make more than five online purchases per annum; and
- Today, FNO believe that 89% of Norwegians have internet access, 79% are online banking and 47% are shopping online regularly.
FNO put the doubling from 2006 to 2010 down to the success of BankID.
For example, BankID is used about 800,000 times per day on average. This is known because each time a secure internet transaction is requested, the BankID downloads a Java identity to the user. In fact, they know more than this, as 60% of their 2.5 million users (2.2 million certificates, with a further 300,000 issued to users who have more than one bank account) use BankID for online banking, but 40% use it outside banking across 155 merchant websites representing about 5% of transactions. A third of the transactions are digital signatures by the way, rather than securing payments transactions.
Another innovatory point of the presentation talked about how BankID has moved beyond the internet as Norway’s largest mobile carrier, Telenor, funded the move of BankID onto mobile SIM chips in 2009. There are now over 9,500 mobile BankID certificates issued and many more expected.
So far, so good.
Then the pitch started to unravel as it struck me that every country has its own and sometimes multiple eID programs, as there are few unique programs and few co-operative programs across banking and government.
For example, Norway has several other eID programs.
Buypass AS was established in 2001. Jointly owned by Norway Post and the Norwegian Lottery, it is issued by the state lottery on chip cards to identify players and has over 13 million transactions per month among around 2 million users. It is also the major supplier to all of Norway’s key eGovernment projects. Hence, you now have a bank program – BankID – and a government identity program – Buypass.
This is quite common.
You then have other programs for identity in Norway such as MinID with 1.5 million users. As of October 2009, more than 1.5 million Norwegians are registered users of MinID for more than 50 services from mainly governmental and municipal sectors, such as the Norwegian state benefits system, the Nav, as well as the Tax Administration and Loan Fund.
Even more confusing is that there are very similar programs for identity management over the borders of Norway in Sweden, also called BankID.
BankID Sweden is the leading electronic identity in Sweden with around two million active customers, and 170 organizations providing 400 services for citizens from online banking to e-trade to tax declarations. The BankID is used by government, municipalities, banks and companies for identification as well as signing.
Oh yes, I forgot to mention that not only does this BankID have no relationship with the Norwegian BankID, but it’s actually a completely different incompatible program.
Meanwhile Denmark has a few of their own, such as NemID which aims to have 3.5 million users by the end of this year and NetID with 2.5 million Danish users. Meanwhile, Finland also has several programs, with TUPAS being the largest with four million users, and FinEID trailing some way behind.
The reason I’ve outlined all of these systems is, a little like my questioning of so many identities in the UK:
- Why are the Nordics proliferating so many systems?
- Where are the standards for interoperability and integration?
- Why can’t governments and financial institutions co-operate?
- Why can’t cross-border and pan-European schemes be agreed?
In fact, whole rafts of questions are begged by the systems the Nordics have introduced, and the one that particularly bugged me was: why is the Swedish BankID incompatible with the Norwegian BankID? OK, the Swedes and Norwegians don’t like each other much, but is that really a good excuse?
Equally, why aren’t governments and banks co-operating on identity programs? The answer from the workstream is all related to liability – a government does not want to be liable for losses if someone uses a false identity. They’re fine with rescuing a lost citizen in a foreign land, but paying for those citizens’ false claims? Leave that to the banking system.
But if the banking system is liable for false identity claims, then surely a combined bank-government identity scheme has even more viability and appropriateness?
I just don’t get why, if my identity is meant to be unique, governments, financial institutions, merchants and municipalities want to give me so many different ones.