Lack of coordination in European eID privacy features

By EDRi · February 11, 2009


The EU-funded European Network and Information Security Agency (ENISA)
issued, on 27 January 2009, its Position Paper on security features in
European eID schemes, showing a large disparity between the various systems,
which might affect their usefulness.

The paper is an analysis of 10 ID card systems already used in the EU and 13
under development. The eID cards are presently used mainly in relation to
tax declarations and other e-Gov services, with some applications in the
commercial sector as well, but their use will extend considerably in the
future. The study shows that Europe has no coordinated strategy to protect
the private data stored on the cards, which leads to a lack of
interoperability and to reluctance among potential users to accept them.
“Privacy features have been developed, implemented and tested at a national
level and there is no co-ordinated strategy at a European level as to which
features should be implemented and how they should be implemented. (…) The
lack of co-ordination is an important obstacle to any possible cross-border
interoperability of eID card schemes. (…) (This is) important in order to
create the necessary trust in the users of such schemes – any cross-border
scheme only offers as much protection as its weakest participating member:
If just one participating country offers what is generally considered to be
inadequate privacy protection, the citizens of the other countries are not
likely to accept any cross-border interoperability scheme which puts their
data at more risk than their national scheme.”

The ENISA report shows that the lack of coordination in privacy controls
across these systems will affect the usefulness of the cards. “Privacy is an
area where the member states’ approaches differ a lot and European eID will
not take off unless we get this right. Europe needs to reflect on eID
privacy and its role in the interoperability puzzle. The fundamental human
right to privacy must be guaranteed for all European eID card holders,” said
ENISA executive director Andrea Pirotti.

The paper presents the implementation of privacy-enhancing technologies in
existing and planned European eID card specifications, analyses in detail
eleven risks to personal privacy resulting from the use of national schemes
and lists eight practicable techniques available to address these risks. The
present state of the privacy features available in the existing cards is
shown in eight comparison charts, which can serve as a good reference for
identifying best practices in the domain.

“A lot of very practical techniques exist to protect the citizen’s privacy
and, from the survey of available techniques in this paper, it is possible
to identify a set of best practice guidelines for the protection of personal
data in national eID card schemes,” says the report.

The ENISA report was designed to give policymakers the information necessary
to improve the present situation, providing a first comprehensive overview
of the status in Europe.

Citizen data protection in focus – ENISA on privacy in national eID cards:
Europe needs a strategy (3.02.2009)
http://enisa.europa.eu/pages/02_01_press_2009_02_3_privacy_features_eID.html

ENISA Position Paper: Privacy Features of European eID card specifications
(27.01.2009)
http://enisa.europa.eu/doc/pdf/deliverables/enisa_privacy_features_eID.pdf

Disparate privacy features devalue ID cards, warns EU security agency
(5.02.2009)
http://www.out-law.com//default.aspx?page=9771