Useful and secure digital identities for all areas of life and their properties
Digital identities are with us every day. The technical possibilities are very diverse. How can digital identities enable secure identification for eGovernment and eHealth on the one hand and guarantee privacy protection on the other?

Digital identities enable access to the digital society. They represent persons, organisations and objects in the digital world and are used in more and more areas of life. Each of us thus has – consciously or unconsciously – digital representations of our person for various purposes. Be it the Cumulus card from Migros, the SwissPass from the SBB or the SIM card in a mobile device, all these digital identities accompany us every day.

Digital identities are very diverse. From a technical point of view, the spectrum ranges from user name/password combinations and smart cards to biometric means of identification and hardware-based certificates such as SuisseID.

What characteristics should a digital identity have?

A digital identity should be useful. It is a tool for performing certain functions in the digital world. For example, with a digital identity you can prove who you are and thus use certain online services. You can digitally sign documents or data – analogous to a handwritten signature. With other, more passive identities, you can collect benefits from bonus programmes or use other real-world services, such as public transport.

For some applications in the digital world, such as eGovernment, you have to be sure who is behind a digital identity. Identities such as SuisseID can be used as a digital ID. To do this, the identities used must be secure and trustworthy. With an identity based on a SuisseID, you can be 100% sure that you are dealing with the corresponding person. Trust in SuisseID is based on the one hand on a certified registration process, where you have to be present in person, and on the other hand on the security of the technologies used.
For example, a hardware token, the SuisseID stick, prevents the SuisseID identity from being stolen. Only those who have the stick and the matching PIN can use the SuisseID. This is referred to as 2-factor authentication.

A state-recognised electronic identity enjoys the highest level of trust. Here, the state assumes responsibility for registration, which is usually linked to the application for an identity document, for example an identity card or passport.

But the high level of trust and security of a digital identity comes at a price: higher costs as well as complicated handling and an elaborate registration process. This usually results in poor user acceptance. Therefore, user-friendliness should always be weighed against security requirements when using digital identities. For example, a high level of security can be dispensed with for an online subscription to a daily newspaper, as the potential for damage is low.

Privacy must be protected

The data collection frenzy of some service providers on the Internet and various hacker attacks on customer data in recent months have strengthened the desire to protect privacy and anonymity, particularly as it is now very difficult, and in some cases almost impossible, to remove data from the digital world once it has been disclosed. A good digital identity therefore also makes it possible to move anonymously or pseudonymously in the digital world. With these methods, the true identity of a person is hidden and only the characteristics that are essential for the use of a service, such as age, are revealed. This makes it possible to control access to inappropriate content for minors without knowing their name or gender. The disclosure of the identity (or parts of it) or the preservation of anonymity thus remains a decision of the person himself.

A digital identity is not enough

The various possible properties of digital identities make it clear that several identities are needed for the different areas of application.
In eGovernment and also in eHealth, it is important to identify citizens and patients unambiguously in order to avoid confusion. Only a state-recognised digital identity or identities at a similarly high level of trust, such as SuisseID or the planned insurance card, which also has a unique identifier, make this possible.

In other areas, where the potential for damage is lower, one can also use simpler electronic identities, such as those provided by Google or Facebook. These free identities are mostly based on self-registration with email or SMS confirmation. The personal attributes provided are mostly self-declared. Here, users and service providers alike should be aware of the dangers and risks.