ENISA, the EU agency responsible for assessing Europe’s digital security, has published a position paper highlighting problems with current and planned European electronic ID card schemes.

ENISA (The European Network and Information Security Agency), based in Heraklion, Crete, describes itself as Europe’s centre of expertise for information security, with the mission of ‘defending the future’. The centre operates as a hub for exchange of information and best practices in the field of Information Security.

The new ENISA paper gives the first overview of the differences between privacy features in eID cards across Europe.

There are currently ten national electronic ID card schemes already in use across the EU, with thirteen more in the pipeline.

Electronic ID cards and health smart cards form a key part of the e-health initiatives in European countries including Germany, Austria and France.

ENISA says Europe lacks a co-ordinated strategy for how to protect the private data stored on the card. It says the lack of such a strategy is an obstacle to electronic ID interoperability and limits its acceptance by users.

The ENISA paper says that privacy features have been developed, implemented and tested at a national level only. As yet there is no co-ordinated strategy at European level addressing which features should be implemented. The paper says the absence of such clear guidance is an important obstacle for cross-border electronic ID interoperability.

This is a major hurdle for the acceptance of electronic ID cards and their usage in day-to-day applications. ENISA’s Position Paper provides the first comprehensive overview of the state of play in Europe – an essential step towards improving the baseline of citizen privacy and protection in eID cards across Europe.

Electronic ID cards are currently used mainly for tax declarations and other e-government services, but applications are branching out into the commercial sector.

Many more e-services are planned in the near future, using the data on the card for anything from secure chat to library access, and piggybacking on the infrastructure investments made by different European countries.

In all these applications, the electronic ID card is a gateway to personal information. At the same time, it is key to address privacy concerns related to electronic ID: unwanted disclosure of data and subsequent misuse.

The paper details how available privacy-enhancing technologies are incorporated in existing and planned European eID card specifications. The paper analyses in detail eleven risks to personal privacy resulting from the use of national electronic identity card schemes. It also lists eight practicable techniques available to address and mitigate these risks.

Andrea Pirotti, executive director of ENISA, comments: “Privacy is an area where the member states’ approaches differ a lot and European electronic ID will not take off unless we get this right.”

Pirotti added: “The fundamental human right to privacy must be guaranteed for all European eID card holders. Therefore, ENISA will continue to work in this field in 2009.”

Link

www.enisa.europa.eu/

www.enisa.europa.eu/doc/pdf/deliverables/enisa_privacy_features_eID.pdf