The United Nations Commission on International Trade Law (UNCITRAL) recently published a proposal for future work on the topic of digital identity.
UNCITRAL brings together governments, academics, lawyers and industry bodies to develop legal instruments that support international trade. Given the range of countries and experts involved, UNCITRAL’s work on identity is a good forum to discuss how national approaches to identity assurance can interact with each other, consider how to support the development of an international market for identity services, and spot opportunities to make government services better for users by learning from other countries.
We are going to be following the group’s work over the coming year. We’ll use the opportunity to keep up to date with what other countries and the UN are thinking about in relation to identity at an international scale, and to share how the UK has approached identity assurance.
UNCITRAL’s work on identity is in the early stages of discussion. One possible outcome would be a convention - that’s a type of international agreement that countries can choose whether or not to participate in.
UNCITRAL’s work could be an important tool for establishing mutual recognition of different national identity systems across international borders. In the EU, the eIDAS regulation has set the technical specifications and legal requirements so that identities issued in one country can be trusted when they are used for online services based in other countries.
Being able to prove your identity using digital identity assurance opens up possibilities for transactions to take place online that could only previously happen face to face. That will affect online transactions of all kinds, in international trade, health, justice and many other sectors. The fact that a group like UNCITRAL is considering identity as a subject for future work reflects the numerous potential use cases for digital identity assurance services in the public and private sectors, and that the market for identity assurance is international, both in terms of the companies providing it and the people using it.
Over the next year, UNCITRAL’s working group on e-commerce will be exploring the topic of identity to develop a clearer picture of what a convention on identity might look like. We'll blog again when the UNCITRAL Commission has thought more about the scope for this work.
If you are interested in UNCITRAL’s work and would like to know more, see their website where many resources are publicly available.
17 comments
Comment by MarkK posted on
You state that eIDAS has set the technical specifications, which suggests that the relevant implementing act must be published. Could you please provide a link to the specifications and the act?
Comment by Rebecca Hales posted on
Hi Mark
The technical specifications are due to be published within the next couple of weeks. We will update this post with a link when we have it.
Comment by MarkK posted on
It's now a couple of months since this post, and it is important for us to understand the way that HMG (and perhaps the US, but also not Scotland) envisages providing a unique persistent identifier from a system that goes to great lengths to avoid being able to do so. Could you provide an indication of what the further delay might be, and a revised publication date?
There is mention elsewhere that gov.scot is a matter for the devolved assembly, but international relations is not a devolved matter, so the way that the Scottish public sector system will accept other EU ID will need to be covered.
Comment by Rebecca Hales posted on
Hi Mark
Keep an eye on the blog - we'll be publishing further posts from our EU team about what the new UN rules mean, and how the EU approach to ID fits with the approach being developed by GOV.UK Verify, later this week and next.
Comment by MarkK posted on
Without wishing to cause further delay, could they include an explanation as to why the Commission went ahead with one of the implementing acts when a majority voted against, or do we have to wait until after the referendum for that? It would seem unlikely that the UN or standards bodies would endorse anything with such a high level of disagreement.
Comment by Rebecca Hales posted on
Hi,
We can't comment on behalf of the Commission about its decision-making process, but we will be blogging shortly about the other points you've raised.
Comment by Philip Virgo posted on
What relationship, if any, does this exercise have to the UNCITRAL Model Law on Electronic Signatures? I can understand why, in an age of mass electronic impersonation, many players wish to avoid responsibility/liability for third party losses consequent on compromises of the "signatures" (alias "identities") they issue or use. But why should others trust such players further than they can throw them?
Comment by Rebecca Hales posted on
Hi Philip
Apologies for the slight delay in this response.
This is distinct from the model law on electronic signatures as UNCITRAL's focus for this project will be digital identity.
In order to ensure identity providers can be trusted, international law is considering assurance levels which can be used to map between different national approaches to identity. These are comparable to our domestic good practice guides (https://www.gov.uk/government/collections/identity-assurance-enabling-trusted-transactions).
We hope to blog soon on Europe's work on assurance levels.
Comment by MarkK posted on
This was published in November, and appears to be the missing link:
https://joinup.ec.europa.eu/sites/default/files/eidas_interoperability_architecture_v1.00.pdf
Comment by MarkK posted on
UNCITRAL is not EU, so presumably is not caught by EU referendum purdah. There have been blogs describing the EU processes, but since the points raised above in September apply to more general international interoperability it would be good to have something on the handling of persistent identifiers, the level of Verify on the EU scale, and interoperability with Scotland.
Comment by MarkK posted on
The next UNCITRAL meeting is 22/23rd April. The General Data Protection Regulation http://www.uncitral.org/uncitral/en/commission/colloquia/identity-management-2016.html requires "Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge." This means that companies and organizations will have to pay for identifying anyone who asks to see information, whether they have any or not. This seems to be a significant imposition (worldwide), not least because eIDAS only stops governments from charging foreign public sector entities. Please include how ID is paid for in the convention.
Comment by Rebecca Hales posted on
Hi Mark
The obligations under data protection legislation and eIDAS are separate.
GOV.UK Verify, in using certified companies, is designed to avoid creating a central database of personal data within a single supplier or within government. Data protection legislation is complied with by the federation.
Under the eIDAS regulation, it will only be mandatory for GOV.UK Verify to recognise eIDs sent from other Member States. Unless we decide to notify voluntarily - which is something we’re currently analysing the risks and benefits of - there is no obligation for us to send Verify IDs across borders.
Comment by MarkK posted on
The UNCITRAL Secretariat’s paper regarding the results of the April colloquium has been posted on the UNCITRAL website at http://www.uncitral.org/uncitral/en/commission/sessions/49th.html as document A/CN.9/891 - Legal Issues Related to Identity Management and Trust Services.
Perhaps you could blog again on what has happened in this context in the last 8 months?
Comment by Rebecca Hales posted on
Hi Mark
We will be publishing updates on our international work soon.
Comment by MarkK posted on
It's too early to expect post-Brexit policy, but eIDAS comes into force fully in 2018. The political decision as to whether to notify may not have been taken, but the system design has presumably been done so as not to exclude this option. Could you please include in the blog at least a link to information on the intended identifiers, namely:
for outgoing, what is to be used as the required "unique identifier constructed by the sending Member State in accordance with the technical specifications for the purposes of cross-border identification and which is as persistent as possible in time";
for incoming, how can users of a notified system that has the minimum mandated "minimum data set" (without the optional extras as these are optional for the sender) be identified, as demanded, when that does not cover the whole matching data set (e.g. address), but does have a unique identifier that isn't in the Verify "matching data set".
Please also explain, using eIDAS definitions of the levels, how it can both be "only a low-to-medium assurance system" and offer "high security".
Comment by Emily Ch'ng posted on
Hi Mark
It has not yet been decided how the unique identifier will be constructed. For example, it may be based on the unique identifier (PID) created by the certified company, or we may ask the certified company to create another PID for use cross border.
The other issue you're exploring here is about how a service can match an identity received to a local identifier. You can see the comments on https://identityassurance.blog.gov.uk/2014/11/05/tech-arch-privacy/ for further information.
Comment by MarkK posted on
The latest UNCITRAL meeting notes that "the Working Group agreed that its future work on IdM and trust services should be limited to the use of IdM systems for commercial purposes" and
"it was not advisable to make a decision on whether future work should include IdM and trust services provided by private entities when used for non-commercial purposes"