Recently, I was asked to become a member of the program committee for the eID and ePassport Conference.
A week and a half ago, we had our first meeting for the next edition of this conference, and it was decided that it would take place in Berlin on October 28th and 29th. The web site for the event is still under development because we're now compiling the results of last week's meeting.
The audience of the conference consists mainly of people from the governmental sector. This year, the conference will be endorsed by the EU with the attendance of the Vice-President of the European Commission, Neelie Kroes. The central theme of the conference is always PKI-based authentication and signing, but the main theme for the Berlin edition will be "the future of identity". There will be a panel discussion regarding commercial credentials (Google, Facebook, Amazon, PayPal, Apple,...) versus Government eIDs. Will they compete or will they converge? For instance: the UK has recently decided to allow PayPal authentication for some governmental services. The other topics for the next edition will be published online soon.
One of the observations we made regarding the previous editions (Lisbon, Athens, Istanbul and Kuala Lumpur), was that there were people from Europe, Asia and Africa, but almost no speakers or attendees from the US. For the conference in Berlin, we'd like to invite at least one American speaker to talk about the use of "e-Identity" solutions in the US.
I volunteered to ask around in my iText network in the US and ask people to submit a proposal for a talk. So far, I wasn't very successful. This confirms the huge cultural difference between Anglo-Saxon countries and the rest of the world regarding eIDs (and identity cards in general) I noticed whilst writing my white paper on digital signatures.
In many European countries people think of their identity card the same way as they would think of the key to their house. We need our identity card to open a bank account, we need it to get a registered mail from the postal office, we need it to vote,... Just like we use the key to our house to protect our home, we use our identity card to protect our identity, because we don't want anybody else to open a bank account in our name, to get access to our mail, to vote in our name.
Whilst writing my white paper, I had a long e-mail discussion with Dr. Juan Gilbert. He's renowned for his research regarding electronic voting and he received an award from president Obama in 2012. He had a totally different point of view. He said the eID would never be accepted in the US because such a card would violate people's privacy.
Being "born" with an identity card, his point of view was very difficult to understand for me, but Dr. Gilbert explained that an eID would be problematic for minorities: minorities would have to show their identity card more often than the majority.
Again, that was hard to grasp for me, as I often have a feeling that Europe is a continent that consists of nothing but minorities. I live in Ghent, a city with people from more than 150 different countries. 12% of the population is of a foreign nationality, of which more than 55% from outside the European Union. I've never heard of problems caused by the existence of the eID.
Being confronted with different points of view is one of the most rewarding aspects of writing. I think it would be an interesting debate if we discussed the pros and the cons of e-Identity. In some contexts, privacy shouldn't be an issue: when security is involved (e.g. access control for NATO buildings), in situations when you DO want your identity to be known (at a bank, at a notary, at your wedding,...), and so on...
When governments do not provide a means to check identity, companies will: Google launched their Sign-In service last week, DocuSign and EchoSign provide signing services, banks are starting different identity services,... In the US, this is generally accepted; in Europe, that's problematic.
I realize this is often seen as controversial matter, but it shouldn't be. Why don't we look at these topics from an academic point of view: it would be very interesting to explore if these two different approaches diverge or converge. Will we end up with multiple credentials? If so, what if the different identities contradict each other? Will one set of credentials have more authority than the other? There's no definitive answer to these and many other related questions, but that doesn't make them less interesting.