Telecoms.com periodically invites expert third parties to share their views on the industry’s most pressing issues. In this pieceRob Otto, Field CTO/Principal Architect at Ping Identity, takes a look at digital documentation as it effects the new relationship between the UK and the EU.

With the Brexit deal done, there is still a great deal of confusion around how UK citizens abroad, and EU nationals in the UK, can interact with their respective local government – a situation made worse by lockdown and the elimination of face-to-face contact between citizens and businesses. With growing calls internationally for transnational travel to be restricted to only people that have had a COVID-vaccination, a storm is brewing around how to electronically validate identity, vaccination status and other entitlements.

5 million impacted

In 2019, according to UN data, 1.3 million people born in the UK lived in EU countries. Spain hosted the largest group, at 302,000, followed by Ireland, with 293,000. France was third with 177,000, Germany was fourth with 99,000 and Italy was fifth with 66,000. In the same year, the ONS estimated that 3.6 million EU-born migrants lived in the UK in 2019, making up 5.5% of the UK population.

Prior to Brexit, citizens of the UK and EU enjoyed largely the same rights of access to service, benefits, and free travel.  Now, only EU national that have lived legally in the UK for at least 5 years by 31 December 2020 can qualify for permanent residence. In principle, these EU citizens and family members will continue to have permanent residence after 31 December 2020. This includes non‑EU family members.

However, these citizens must apply to the EU Settlement Scheme in the UK to be granted a new residence status. And crucially, the UK will issue these successful applicants with a residence document in digital form. Although these digital residence documents are valid in the UK, they are not recognised by other nations and highlight a wider problem: the lack of portable, easy to access and secure digital identities.

Digital documentation

Digital documents related to identity have been growing in recent years and many stem from the biometric passport (also known as an e-passport or a digital passport) that started in the late 1990s. An e-passport has an embedded electronic microprocessor chip which contains biometric information that can be used to authenticate the identity of the passport holder. E-passports use contactless smart card technology embedded in the document with the critical identity information printed on the data page of the passport, repeated on the machine-readable lines and stored in the chip. Public key infrastructure (PKI) is used to authenticate the data stored electronically in the passport chip, making it expensive and difficult to forge when all security mechanisms are fully and correctly implemented.

Standardised but not universal

As of 2017, it was estimated that 120 nations now issue these e-passports and most use International Civil Aviation Organisation’s (ICAO) Doc 9303 standard that defines the biometric file formats and communication protocols to be used in e-passports. However, some larger nationals, the United states included, do not comply with this standard. In addition, when the standards first emerged, there was little thought given to encrypting the data on these e-passports, leading to potential privacy and identity theft issues by corrupt third parties.

In early 2021, ICAO, an agency of the United Nations, announced that it is collaborating with the World Health Organisation (WHO) and the International Air Transport Association (IATA) to standardise vaccination and testing certificates, thereby promoting mutual recognition leading to the possible reduction of quarantine measures. The current e-passport could offer a technical solution for the vaccination and a testing certificate could be built within Visible Digital Seals (VDS), as already defined in ICAO Doc 9303 on Machine Readable Travel Documents (MRTDs), to ensure globally interoperability and a secure, customer friendly approach.

However, this process of mass updating of passports is logistically challenging and the process of printing out a mass of paperwork and hoping that individual border control agents accept their validity is largely ad hoc.

Public and private initiatives

There is a consultation taking place in the EU which in the words of Ursula von der Leyen, President of the European Commission, aims to create, “… a secure European e-identity. One that we trust, and that any citizen can use anywhere in Europe to do anything from paying your taxes to renting a bicycle. A technology where we can control ourselves what data and how data is used.”

Some of the digital groundwork has taken place under the EU’s existing eIDAS (electronic IDentification, Authentication, and trust Services) laws which went into effect in 2016, but eIDAS has not been integrated into the plethora of national identity schemes that run separately in different EU nations.  As such,  as of 2019, only 15 Member States were at various stages of notification of their national identify schemes in relation to eIDAS.

However, the private sector has shown significant innovation in terms of digital identification.  One such example is Project COVID Freedom that creates a secure and private way for healthcare providers, businesses, and individuals to verify test and vaccination results, while keeping users up to date on vaccination status over time via private encrypted messages. Individuals instantly receive digital proof of their vaccinations in a secure mobile wallet from enrolled healthcare providers, then can securely share with participating employers and third parties such as restaurants and entertainment venues, using a QR code.

This example empowers individuals to securely store, access and share sensitive documents electronically, but could also involve governments and trusted third parties such as banks and travel services providers to handle citizen data securely with consent-based privacy controls. This could include sharing health data as well as residency status that could form part of a standardised method of cross border identity sharing.

Practical steps

For the UK expat community, the situation is varied across Europe. For the largest constituent in Spain, the new TIE (Foreigners Identification Card) allows British residents to prove that they have the rights to residency, healthcare or social security which are guaranteed under the Withdrawal Agreement. Unfortunately, there is no electronic equivalent, but it is easier to handle than having to constantly carry a passport.

For UK citizens, the government has started a major consultation and policy paper under the “UK digital identity and attributes trust framework.” Although identity cards are politically toxic in the UK, the scheme aims to create “…a clear framework of rules which show what ‘good’ digital identities look like — this will enable business to innovate and help citizens to access products and services with ease, confident that there are standards in place to protect against fraud and safeguard privacy.” The framework also aims to establish a governance and oversight function to own these rules, keep them up to date, and make sure they are followed.

Open banking innovation

The relatively early stages of the policy framework make no mention of whether it will be interoperable with any EU wide scheme. On a more positive note, schemes such as open banking – as part of the EU’s second Payment Services Directive (PSD2) – are still progressing on a largely EU and UK wide footing. The scheme which makes it easier for banks to deal electronically with each other and with the data of EU citizens is starting to look like the best option for a universally agreed method of handing some parts of the digital identity issue – at least for financial matters – and  neatly sidesteps any political divide.

Although there is no silver bullet to this complex issue, advances made by both technology innovators and third parties outside of the complex political landscape have an opportunity to make it easier for citizens to use digital identities moving forward.

Rob is a Senior Technical Architect for Ping Identity in the UK and also the EMEA representative to the Ping Identity CTO Office. Rob holds a BSc (Computer Science) degree from Pretoria University and has nearly 20 years experience in identity and access management. He has worked on complex implementation projects in the UK, USA, Europe and South Africa. His current area of focus is on applying industry standards like OpenID Connect and OAuth 2.0 to enable businesses to interoperate and securely expose data and API’s.