Last Monday and Tuesday, iText sponsored the eID & ePassport Conference in Berlin for some pictures of the event). I attended all the talks, and these are some of my impressions.
As it was the first time I attended the conference, I didn't really know what to expect. Would this be an event promoting the eID, ePassports and smart cards in all their forms? Would this be a technical conference? Or would it be something else? This question was already answered in one of the first sessions: the conference discussed technical aspects of identity, but was mostly a political conference:
Because of the political aspect of the conference, there were some very lively debates with lots of tensions between different sides. For instance: countries without an identity card such as the US on one side, versus countries where having an identity card is the most natural thing in the world. There was also a tension between countries who make their cards so secure that they can hardly be used in a convenient way versus countries with a more pragmatic approach.
I've been in a bizarre discussion about the eID once with an American professor who had very strong feelings against the idea of an identity card, because such a card would be bad for the minorities in the US. I didn't understand what he was talking about. Being born in Belgium, I'm born with an identity card and I've never heard about the identity card being a problem for a minority in Belgium. In his talk entitled "Reasons for the US not having a single National ID", John Mercer explained that having a national ID would be unconstitutional.
The 4th amendment says that The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated. Introducing a national number or a national identity card is seen as an infringement of this right. The 10th amendment says that "The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people." This explains why the existing cards, such as drivers' licenses are issued by the different states, not by the federal government. Different attempts to introduce a federal ID, be it under a Republican or a Democratic president, failed. For instance: there was a plan to use the Social Security Number (used for health care) as a national number, but it's never a good thing to mix identities that shouldn't be mixed, said different American speakers. Needless to say that they had strong opinions regarding the talk "eID Cards launched in the Republic of Georgia" where Levan Samadashvili explained that the national ID card could also be used as a student card and even as a bank card to withdraw money.
Surprisingly the cultural difference between the US and the EU was best illustrated by professor Anthony Mbewu from South-Africa who talked about "The South African Smart ID Card Project: Restoring Dignity and Identity to all South Africans".
Professor Mbewu explained how the identity card (nicknamed "dompass" which literally means "stupid pass") originally supported the apartheid regime. The pass restricted the freedom of movement of colored South-Africans. Today South Africa is introducing the Smart ID Card for completely opposite reasons: to open up access to services for all. The same message was propagated by Dr. Suhazimah Dzazali from Malaysia in her talk "How Malaysia is transforming eGovernment Services via eID". Engineers often focus too much on technology, and not enough on what the technology is for: to help people.
In one of the technical panels, I asked a question about standards. When writing an application that uses the Belgian eID, I implemented the TLV protocol, but my application didn't work. Why not? Because the Belgian implementation of the TLV protocol is different from the standard implementation. Similar problems arise once you start writing software for different national eID cards. I received an honest answer:
Local vendors and integrators have a grip on their national governments and they want to secure their revenue. They don't want the government to use standards because then they'd get competition from foreign vendors offering solutions that are less expensive. Obviously the situation is completely different in developing countries.
Cost is indeed one of the factors in the discussion about the eID. According to the US speakers, no government can justify the cost of introducing an eID to the tax payer. Asked for the killer app for the eID, no European country could come up with a better example than: "All citizens use their eID to submit their tax return form."
The joke that we need to pay taxes so that the government can introduce the eID so that we can pay taxes, was countered by an interesting question:
I don't remember the numbers that were mentioned regarding identity theft, but they were overwhelming. However, Henrik Biering from the OpenID Foundation made an interesting remark:
Apparently, a high percentage of identity fraud is done by family. The identity of a child is used to commit crimes to avoid litigation: "It wasn't me, it was my son and he's only 10 years old, you can't prosecute him." If a man is on a blacklist of a shop because of insolvency, he uses his wife's ID to get another loan. You can't always avoid these situations with an eID. Peter Waegemann defended the American point of view explaining that the cost of introducing a smart card for banks outweighs the current loss of money due to fraud, which is manageable and doesn't justify more secure cards for day-to-day use.
China countered the American attitude by referring to EMV. According to a Chinese attendee, the US was the last country to join EMV (even after China) because not joining would have led to the ridiculous situation where every citizen in the world —except US citizens— could pay bills using EMV in every country in the world —except the US. Maybe one day, we'll have a situation where every citizen of the world has an identity card except the US citizens...
The real success stories for the eID are those where the eID cuts costs and reduces errors and overhead:
The Belgain speakers at the conference gave some nice examples, for instance explaining how the eID can be used to apply for a student grant in a painless, paperless way.
Painless is a very important word. I overheard an American saying: the security of the German card is so gründlich that nobody is able to use it. The health card is costing billions and not one doctor is happy with it (sic). Convenience is important and it doesn't matter how safe you make your card if nobody wants to use it.
I had the same feeling when listening to the Cross-border Security panel. Sure, the ePassport is a technological marvel, but what good is it to have a giant lock on the door if you leave all windows open? Again the question emerged if we aren't blinded too much with what we can do on the technical level, forgetting the human aspect: can we expect people to use technology that isn't user-friendly?
Coverage for internet services are a major problem in emerging countries, but it was interesting to hear that India sees the SIM card of a phone as a viable alternative to the eID. In South Africa there are more phones registered than people (which doesn't necessarily mean there are more phones than there are people).
Finally, there was a discussion about identity and the cloud. Given the current debate about the NSA, the European speakers were very negative about it.
I can't say I agreed with everything that was said on the conference, but that was what I found the most interesting about it. There were some more technical talks as well, but those didn't interest me that much. A couple of talks were merely explaining how a specific proprietary service of product works, and that wasn't the reason why I attended the conference.
It was interesting for iText to meet with the different players in the eID, ePassport, eSecurity and eIdentity market. I hope we'll find ways to do business together, in spite of the differences between countries and cultures and in spite of the fact that there are more questions than there are answers when identity is concerned. One thing is certain: we don't need to invent problems just because we think it's fun to develop some neat technology. As engineers, we have the task to provide easy-to-use solutions for real-life problems.