European Union member states have been developing electronic identity (eID) schemes for some time now to allow citizens to access services safely and securely online. Many of these schemes are linked to national identity cards or schemes, whereas others involve working with the private sector much like our own GOV.UK Verify.
These schemes generally allow people to access services within their home country. But what if you want to live and work in another European member state and, for instance, want to open a bank account or access local services online. Not so easy when you don’t have the right national eID.
Robin Walker has posted before about the role of the European Commission and its member states in defining a Regulation for the reuse of national eID to access services in another member state.
What STORK is
As well as its work on the regulation, the European Commission also funds large scale pilots to investigate the potential for new technologies and approaches to provide better services to citizens across the EU.
One of these pilots, STORK (Secure idenTity acrOss bordeRs linKed), has been developing a means of using your eID to access services provided in a member state other than where you gained your national eID. The aim is to make it as simple as possible for people to access services regardless of where they are in the EU.
STORK 2.0 - latest version of the pilot
The latest version of this pilot, STORK 2.0, is now starting to pilot services in multiple member states covering eLearning & Academic Qualifications, eBanking, Public Services for Business, and eHealth. It involves 19 member states across Europe including the UK, and 58 partners in the public and private sectors.
STORK allows different national eID systems to talk to each other, so that when you want to access a service in, say, France, the French eID system can find out from the UK system whether your eID is valid, and if so accept that as a way of giving you access to the service.
This happens through a Pan European Proxy Service, or PEPS.
Each member state is responsible for providing their home PEPS to handle requests from its national services when they need users to sign in and from foreign PEPS in other member states when one of their nationals wishes to access a foreign service online.
In general, a PEPS forwards requests to sign in from an online service to your home eID system (this means that regardless of where the service provider is you always signin with your home eID system), and then handles the business of signing you in to the service you wanted to access.
Role of the UK's identity assurance programme
The identity assurance programme represents the UK government as a STORK 2.0 member state. We lead a work package defining standards for STORK 2.0 and analysing how these systems may be accredited or supervised in the future. We also contribute to the ongoing development of the STORK services.
Our main priorities are to ensure that the interoperability framework and associated technical architecture will continue to be appropriate when the eIDAS regulation comes into force, but to also make sure that appropriate standards are applied to cross-border eID reuse. This means analysing existing standards and applying best practice to the current architecture to define requirements for a production ready version of STORK.
Benefits of STORK for the UK
As the Regulation has now been passed the practical experience gained under STORK has helped us develop an interoperability framework and eID standards for the wider adoption of cross-border eID.
STORK has many parallels with our approach to eID in the UK and is based on many similar technologies. This means that, should we choose to, the UK could straightforwardly allow people in the UK to access services in other member states using GOV.UK Verify.
This won’t happen immediately - it’s likely to be another couple of years before we are likely to be ready for that. But we think it’s worth our investment of time and effort now so that we can make sure that when and if we want to be able to allow people to do that, there’s a system in place that will work for our users.
4 comments
Comment by MarkK posted on
Could you please add a few words on whether the PEPS and EU will comply with the HMG privacy principles, and also about the implications for those public (central and local) government services which will be required by eIDAS to accept European eIDs of similar or higher levels once those existing systems (such as the Estonian one) are notified? (That part of eIDAS isn't optional.)
Comment by Janet Hughes posted on
Hi Mark - yes, we'll be happy to say more on these issues - we'll put together a new post or two in the new year.
Comment by Mark Craddock posted on
The eIDAS Regulation passed into law in 2014 and requires all Public Sector online service providers to accept the approved eID’s issued by other Member States by summer 2018.
"This means that, should we choose to, the UK could straightforwardly allow people in the UK to access services in other member states using GOV.UK Verify."
I thought It's not a matter of choice, but it's the law, you must provide the capability for UK citizens to use their IDs to access European services.
Comment by Janet Hughes posted on
Hi Mark, thanks for your question.
It will be up to each Member State to decide whether to notify their scheme. If the UK notifies its scheme, that will mean other Member States have to allow people to access their services using the UK's notified scheme. It works the same in the other direction, so that if another Member State chooses to notify its scheme, the UK would have to allow people to access digital services through that scheme.
Thanks
Janet