Securing identities in the digital age

Kim Cameron - Architect of Identity


When you go shopping or have an appointment at your local town hall, you rightly expect the person behind the counter to be an official representative of the business or public administration in question. We need to have the same confidence that websites and online services are legitimate. Sadly, the nature of the internet means that imposters can deceive us. That’s why we urgently need digital identity systems that clearly show who we are connecting to when we share information or spend money online.

September 29 marked a major step towards the creation of such a system, with the entry into force of EU-wide legislation (the eIDAS Regulation) enabling cross-border recognition of electronic IDs. Instead of a patchwork of incompatible identities that only worked locally, Europe is building a pan-European system unifying technology and legal interpretation. This includes alignment on how websites are vetted and technology letting users know whether the service they are using is legitimate or fraudulent.

The introduction of eIDAS means that the European Union now has the world’s first multinational identity trust framework. It enables services such as website authentication, seals and timestamps, so citizens, businesses and public administrations can trust their digital transactions. This is a game-changer for Europe’s Digital Single Market, increasing security and reducing friction for electronic transactions across the continent.

Establishing such a framework and creating trust across borders is technically complex, time-consuming, and fraught with political complications. For this reason, several EU Member States have yet to complete the legal process for mutual recognition. In the meantime, global policy makers are likely to emulate the European Union in setting up trust frameworks of their own. Microsoft welcomes such efforts, which could result in a “framework of frameworks” making the international exchange of digital legal identity practicable.

The European Commission has also demonstrated vision by beginning to explore how eIDAS can be used in a world of identities created by individuals who use, own and control them, rather than by governments and corporations. People can choose to add assertions made by governments and other parties – in particular eIDAS Trust Service Providers – to the identities they create: for example, age group, official name or even a qualified signature. This approach makes it possible to securely and reliably share only the data needed for a given transaction, effectively implementing the privacy-by-design principle and achieving compliance with the General Data Protection Regulation.

By relying on eIDAS Trust Service Providers, the trustworthiness of these assertions can be greatly improved, making it possible to securely and reliably share only the data needed for a given transaction. That’s how eIDAS makes “digital identity speak for you and not about you”, thus effectively implementing the privacy-by-design principle and easing compliance with the General Data Protection Regulation. It is heartening to see industry and government collaborating to explore how crypto identity wallets controlled by citizens can benefit from and strengthen the European trust framework.

Microsoft supports the EU’s work on data protection and electronic identity. Electronic identity initiatives such as eIDAS require collaboration between businesses and public administrations using advanced services.

One such service is Microsoft’s Azure Active Directory B2C, which is used worldwide by governments and businesses seeking to provide citizens with fully customizable experiences while protecting their identities. The technology behind the service has been built from the ground up to support identity trust frameworks such as the EU’s eIDAS.

Microsoft is committed to shaping a digital world which balances security, privacy and ease-of-use, while also recognizing the importance of legal identity systems. We believe that citizens should be in control of how their personal information is managed, stored and processed – and we will continue to work with governments and civil society alike to achieve transparency and security in digital services.


Kim Cameron
Architect of Identity

Kim Cameron is Architect of Identity in the Identity Division at Microsoft, where he champions the emergence of a privacy-enhancing Identity Metasystem reaching across technologies, industries, vendors, continents and cultures. As Architect of Identity, Kim Cameron played a leading role in the evolution of Active Directory, Federation Services, Microsoft Identity Manager, CardSpace, Azure Active Directory and, most recently, AzureAD B2C, as well as Microsoft’s other Identity Metasystem identity initiatives.