ICELAND – a politics of technologised services and authentication to access

Implementing truly self-sovereign identities calls for strenuous efforts to unravel the technological, administrative and managerial lock-ins across the assortment of agencies and operations already in the online services sector.

As the IMPULSE blog from 8 July 2021 points out, the federated identity-based model separates the services that require proof of identity from the identity management system used to provide that proof. Identity checks and authentication are delegated to a third party – an identity provider (IdP) serving as the obligatory passage point.

While this is widely considered a convenient solution to the obvious conundrum of using multiple identifiers to access as many online services, safety and convenience hinge on how the solution is implemented and supervised. For example, IdPs may take advantage of the tracking and profiling potential of users’ logins across multiple sites – and broker such data – for lack of adequate supervision. Facebook and Google are named in this respect because they offer IdP services and operate opaquely. However, an important distinction can be made between services that require proof of a registered user account, and services that are obliged to require proof of users indeed being who they say they are. The latter concerns a whole range of public services, e.g., access to benefits, pension, tax filing, health and criminal records and other private and potentially sensitive dealings. The full consolidation of the identity management might certainly be desired along with a secured one-stop-only verifiability to ensure seamless access.

The Icelandic model

The example of implementation and supervision of federated identity and authentication in Iceland is a case in point. This is a management model serving a total population of about 360k, governed and supervised by the Icelandic Ministry of Finance and Economic Affairs, which is effectively the Ministry of Technology, hereafter MoT.

The MoT supervises the ‘Digital Iceland’ programme which, in certain respects, operates like the European Digital Innovation Hubs (DIH). It provides direction and material support to digital innovation and networking in online public and private services. The MoT supervises as well the island.is platform, through which eID solutions are federated to provide one-stop online authentication. The dominant IdP is Audkenni, so far owned by Icelandic banks and telecommunications, and authentications are processed on-the-fly by machines housed in a centre of calculations. The dominant eID is the smartphone-based eID on a SIM, adopted now by 90% of the population, and the onboarding is done in person, e.g., at a local bank where people’s identities are verified against photo-IDs and data checked against Registers Iceland, the national registry of residents. IdPs are vetted by yet another MoT-supervised agency, Iceland root (Íslandsrót), providing eIDAS-compliant certificate (CRT) and a rolling e-Certificate Revocation List (CRL) of lost and stolen eIDs.

As this description indicates, the model is not only federated but firmly centralised in all aspects of processing. Agencies, programmes and platforms are under MoT oversight, operating authentications inside a centre of calculations, on identities checked against a central registry of people.

The figure also illustrates the complete separation of developments of online services from eID solutions, some of which have come and gone while an eID on a SIM is the winner so far.

What does this mean for participation in IMPULSE?

By all accounts, it might seem that there is no room for the IMPULSE eID solution. Reykjavík City participates by being a pilot site and testbed, but a substantive goal of IMPULSE is also to further implement and/or adapt the IMPULSE solution to existing identity and authentication arrangements and to markedly influence the development of European public services.

On the face of it, the Reykjavík pilot is testing the IMPULSE eID onboarding process and, thereafter, testing the usability and effectiveness of facial biometrics to authenticate participants. It has no relevance to the multitude of online services that exist within the administrative scope of the city, the Icelandic government, or amongst privately operated services. However, a rather more elaborate answer to the question of meaning needs to consider concrete operational differences compared with the federated model, especially, how IMPULSE will onboard identity and authenticate persons, using:

  • automated document verification
  • facial recognition
  • distributed eID management with blockchain

That said, eIDs can only be implemented in Iceland if the provider is vetted by Iceland root and, given the overwhelming success of eID on a SIM, best case scenario might just be to see the IMPULSE eID exist as an alternative authentication method on the island.is platform under MoT oversight—at least in the foreseeable future. Fully leveraging the pivotal potential of distributed ledgers to pick and choose only necessary data for sharing in different service contexts could be even further off in some distant future. Implementing truly self-sovereign identities calls for strenuous efforts to unravel the technological, administrative and managerial lock-ins across the assortment of agencies and operations already in the online services sector.

Setting these issues aside, it is worth mentioning that, while the pilots may have no direct bearing on current developments in online services, they have been designed alongside a portal on the Better Reykjavik civic participation platform, to discuss online accessibility issues experienced by people with certain disabilities. Participants in the pilot will also be recruited amongst disabled people which is very relevant as Reykjavík City and Iceland on the whole continue on the path of digital transformation. That includes transforming the legally binding services to the disadvantaged, keeping in mind that one of the three dimensions of Reykjavík’s Green Plan (2020-2030) is titled: No one left behind. Again, what it means to participate in IMPULSE could be much further elaborated, especially the opportunity therein to introduce blockchain into data and document management, smart contracts and the like. The snag is that the discussion points raised in this blog so far (including this last one) turn on politics, first and foremost, hence, are matters of policy much more so than of disruptive technological innovation. They turn on political will and leadership, asking pertinent questions on how the country should be governed in matters of personal identities and authentication, data and document processing, national and personal security, European co-operation, and civil participation in decisions on how the future should look.