It used to be that on the Internet, nobody knew you were a dog … or a trading partner, or a rogue. In this era of Big Data, geolocation, and light bulbs that call home, it may seem that those days are behind us.
But it’s one thing to know who somebody is in order to send them a personally targeted advertisement. It’s another to know with enough certainty to engage in large-value transactions, or to confer on them some public benefit, like a welfare payment or a student loan.
Therefore the management of identity online remains an important question, despite at least a generation’s work on the topic in various expert forums.
Experts distinguish between foundational and functional identity. A person’s foundational identity is who one is as a person. The World Bank has found that over a billion people in the world cannot prove their basic identity – who they are. This of course causes great difficulty to them in many ways, well before they contemplate carrying on business. It is one of the United Nations’ Sustainable Development Goals (item 16.9) to provide legal identity for everyone, including birth registration.
Functional identity allows people to identify themselves for whatever activities they want. Methods of doing so often build on foundational identity provided by state authorities, notably Civil Registration and Vital Statistics (CRVS). From this base, commercial practice has developed a number of way of proving the basic state information to the satisfaction of transacting parties. Additional information may also be required: authority to act, attribution of responsibilities, solvency, and reputation specific or general. The list goes on, as do the methods for proving its elements.
The other F-word in this field is federated identity. A federated identity system is one in which entities recognize identities certified by someone else, as a federation joins individual states into a whole for agreed purposes. We see this informally, with blogs or newspaper comment features that allow postings by people who identify themselves by reference to their Facebook or Google accounts. We see it formally in Canada in the willingness of the Canada Revenue Agency to start to open an online account for a taxpayer by reference to an electronic banking account with a commercial bank.
The more people who recognize an identity and will rely on it, the more power the recognized individual has to engage effectively in the world. It is easier to recognize someone else’s identification or authentication system than it is to recognize the people directly. Thus federated identity systems have been increasingly popular. The EU regulation discussed below is such a system.
With this sketch of elements of identity, we turn to management of identities for legal purposes and recent developments in the international community..
Effective identity management requires both technical and legal input. The United Nations Commission on International Trade Law (UNCITRAL), the leading source of commercial law rules about electronic communications, is considering this month whether to assign to its Working Group on Electronic Commerce a project on the topic. The report before the Commission is document A/CN.9/891, at the bottom of the documents list here.
Where would law reform have the most impact? One can think of three levels of applicable rules for e-communications that affect identification (the list is from Thomas Smedinghoff of the US, a tireless advocate of identity management principles): the most general level is legislation validating electronic communications generally, such as the UN Model Law on Electronic Commerce, widely implemented around the world, including in Canada. Such laws sometimes deal with the support of identification, such as reliability standards for electronic signatures or (more rarely) for identity-certification bodies.
The most specific level is contractual arrangements among users of e-communications, either party-to-party or more often common to all users of a particular communications system. System rules can apply to large groups – consider the SWIFT worldwide electronic banking protocols or the rules governing global credit card transactions. But they can’t change rules of mandatory national law, or compel outsiders to acknowledge identities generated by the system.
It therefore seems promising to look at a middle level, which would set out legislative rules with state authority that would provide a framework for identity management. This is the field that UNCITRAL is likely to decide to cultivate.
A colloquium held by UNCITRAL in April discussed two recent examples of law at this level: the European Union’s Electronic Identification and Electronic Signatures regulation (eIDAS, Regulation 910/2014), effective throughout the EU in 2018. The other is the Electronic Identity Management Act of Virginia from 2015.
The EU regulation affects identification for governmental purposes. The citizens of one EU state will be able to authenticate their identity to all EU governments by using a system that is used in their own country, if their government has given notice to the EU that they wish this to happen. In other words, if one’s own government relies on the system, the other governments will also rely on it. But no government is required to notify the EU that its systems can be so used.
The regulation sets out rules for trust services, being commercial services that certify the identity of users of electronic signatures, for example. It also “establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.” (article 1(c))
The regulation provides for assurance levels of the means of identification notified to other states. Further, it spells out liability for failure to comply with the obligations under the Regulation, but applied according to national rules. While the Regulation aims to promote interoperability, “[n]evertheless technical requirements stemming from the inherent specifications of national electronic identification means and likely to affect the holders of such electronic means (e.g. smartcards), are unavoidable.” (Regulation – recital 19)
Virginia’s statute focuses more on private uses of identification. It contemplates authorized identification authorities, functioning according to official technical rules. Identifications issued by such authorities could be trusted to be effective in law by those who needed to rely on them. The first step in implementing the Act is to create a body of experts to draft the technical rules. That is not expected to be a speedy process.
These two initiatives have a different focus and a different range. They also rely on technical standards that do not yet exist.
Some international bodies have been working on the technical side as well. The UNCITRAL colloquium heard of a number of examples, including at the Centre for Trade Facilitation (CEFACT) of the UN Economic Commission for Europe and at the UN Economic Commission for Asia and the Pacific. Other regional bodies are discussing similar issues, such as the Arab CIT Organization. References appear in the UNCITRAL document.
There was a general feeling at the colloquium that it was timely to try to work out some general principles that might shape all these initiatives and help ensure global interoperability of identity management rules. A preliminary review of potential principles included these (paragraph numbers again from the UNCITRAL document mentioned at the outset):
- Technology neutrality: the law should not impose the use of specific technology to achieve legal consequences. This is a traditional UNCITRAL principle reflected in Canadian law as well, along with media-neutrality (the same legal effect is given to information whatever the medium of its communication) and respect for freedom of contract.
- Applicability to commercial and governmental uses.
- Presumptions of legal effect for identity management systems or trust services that meet certain requirements. “Such presumptions may shift the burden of proof on origin, integrity, time of dispatch and receipt, etc.” (para. 36.)
- Liability rules: Limiting or excluding liability for parties involved in identity management systems or trust services so long as they comply with prescribed requirements may be an alternative to legal presumptions. “The law may also set forth that contractual agreements may not derogate or vary liability for gross negligence or willful misconduct.” (para. 37)
- Cybersecurity standards that would reflect the allocation of risk and responsibility arising from the foregoing rules.
- Mutual legal recognition of authentication methods to be contained (as they are currently contained) in international instruments such as free trade agreements.
- Principles for the establishment of centralized accreditation systems, notably on a regional basis.
- The role of trust services to support identification: what makes the judges of reliability themselves reliable? Some principles are available to build on, such as parts of the UN Model Law on Electronic Signatures.
The UNCITRAL report suggests however that privacy and data protection considerations are beyond its scope and its expertise and would probably have to be left for another time or place. (para. 53)
As noted earlier, experts have been in search of legal and technical rules to confirm identity online since the beginning of the commercial Internet in the early 1990s, if not before. The debates have sometimes appeared endless – perhaps in part because the participants could not count on a state putting its authority behind a particular solution, or a number of states. Thus the attraction of the EU and other regional initiatives.
Recent developments such as the discussion at the colloquium and at some of the other events mentioned in the report, such as a conference sponsored by the World Bank and the American Bar Association in the US in January, may justify more optimism about an UNCITRAL project. At the colloquium, both the generalists and the technology people appreciated the benefits of finding the right level of legal rules.
It may therefore be possible for a meeting of minds on the allocation of tasks between legal and technical fields, between rules and presumptions and exemptions, between liability to promote reliability and contract to permit flexibility.
The international initiatives both legal and technical seem both pressing enough and preliminary enough to make it timely to develop some guidance on the global scale. UNCITRAL has a good record in providing such guidance. If the project is adopted – the decision is imminent – we should send our wishes for success, and of course our suggestions for what the global rules should be.