Government Europa speaks to John Erik Setsaas, identity architect at Signicat, about the electronic future of identity protection in the Digital Single Market.
As devices become increasingly interconnected and we are immersed even deeper into the Digital Single Market, a range of security complications are arising. As a result, the need to implement legislation to counteract these risks is even greater. The General Data Protection Regulation (GDPR) will come into effect in May 2018 in order to protect personal data, whilst the ‘electronic identification and trust services for electronic transactions in the internal market’ (eIDAS) regulation aims to provide EU citizens with a means of electronic identification and access to trust services, to reinforce identity protection across borders.
In order to address a range of complications, including privacy, anti-money laundering, anti-terrorist legislation and regulation, and the ‘know your customer’ regulation, electronic identification (eID) methods are being utilised with increasing frequency. Signicat is just one of the providers of digital identity protection and authentication services, providing electronic signatures for the public and private sector. Government Europa spoke to John Erik Setsaas, Identity Architect at Signicat, about the future of identity protection and authentication in the Cloud and Internet of Things (IoT).
What kind of vulnerabilities are becoming more prevalent as we move towards external data stores and advanced technologies?
The Cloud is a fantastic way of being able to store data, yet by storing this data in a shared space, users may be vulnerable to attacks, as they aren’t aware as to where that data is stored. This raises several questions:
- Do you really know who has access to your data?
- Could governments wanting to access the information you’re storing be conducting surveillance activities?
That’s one area whereby users really need to be cautious when storing their data in the Cloud. The GDPR is there to protect personal information, but not necessarily the data of companies. It’s something that all users should be aware of in regards to cloud storage; therefore users should take additional measures, such as ensuring data is encrypted before uploading.
As for IoT, the biggest challenge I see from this perspective is the lack of security – there is so much focus on the functionality and so little on security. For instance, IoT devices can be harnessed as an attack vector on the user’s network. Therefore, hackers can access IoT devices and, as a result, may be able to gain access to the connected network. It can also be used for Distributed Denial of Service (DDoS) attacks; a DDoS attack was carried out against Domain Name service provider, Dyn, in 2016 and rendered the internet in the surrounding area unavailable. This was caused by IoT devices that were not secured.
How has the eIDAS regulation changed operations for end-users and providers in the Digital Single Market?
Although it hasn’t had a great impact yet, it is still early and I think it has a lot of potential. The ideas encompassed in eIDAS are very good, and as a result, I will be able to use my individual eID login to access services in different countries. There have been some successful experiments for its application to banking in British banks, whereby users can sign up with a Nordic eID.
In Nordic countries, eIDs are very successful. I use my own eID (BankID in Norway) for access to a range of different services, including:
- Insurance; and even
- Peer-to-peer platforms.
Right now, Signicat is playing a role in eID through providing electronic signature services. The eIDAS regulation states that an electronic signature mustn’t be denied on the basis that it is electronic. That, I think, will assist in business-to-business (B2B) communications across borders. Signicat is working to be able to establish qualified services – that will evidently establish a level of trust amongst the people using such services and platforms.
What more needs to be done at an EU level?
If we look at eIDAS, this really is a great step forward in setting up the services and Signicat is taking part in ongoing discussions. However, I think that the limitations of eIDAS lie in its isolated use for public services. To make it successful, we need to embrace the private sector, and I know there are initiatives around that. I think that’s really important, as public sector applications are limited – users may access the bank each week, insurance services a couple of times a year, and the government annually. We must avoid the situation where users have different eIDs for different purposes.
Furthermore, the GDPR is great on a personal level, and for our societies, in protecting individual privacy, and I am sure that everybody will be following the implementation of GDPR as it comes into effect in May.
What roles does Signicat play in this process?
Our vision is to be the provider of identity protection services to regulated industries across the world, such as banking and other businesses, which have higher than average security requirements. We have eID services in place in the Nordics, in the Netherlands, and we’re working heavily in the UK. We are also implementing our services in Germany. One of the biggest challenges is to engage in digital onboarding, in order to establish an identity digitally. A study we did last year showed that 40% of consumers had abandoned banking applications.
We’re happy to announce that we have received funding from the EU Horizon 2020 initiative for Identity Assurance as a Service (IDAaaS), under this specific topic. Moreover, this is about being able to do digital onboarding via different mechanisms. This will be one of the main priorities for us to make identity assurance a success across Europe.
John Erik Setsaas