The ignored cost of electronic identity

by time news

Electronic identity is at the heart of all online electronic interaction. Its role is to single out the user from a general group of customers or even citizens. Its limits are natural limits for the services that use it, and its risks are risks of the online service provided.

Andrei Nicoara Photo: Personal archive

In what follows, I will analyze the limits currently accepted for the risk associated with electronic identity, starting from commercial practices and ending with how they intertwine with government activity in the most recently publicized public service, the online record.

The electronic identity (eID) has an initial component – identification of the user, sometimes with verification that a real person with that set of attributes exists – and a repetitive component – authentication at each access to the service, through which the user proves his association with the initial identity.

Both components have costs that increase exponentially with the desired level of security. It is therefore natural for any online service provider to want to optimize by reusing existing eIDs issued by someone else. That other party, in turn, does not want risk and liability for the activity of a third party from which it derives no benefit.

It is important to note that a correct reuse of an eID is one in which the assumption on one side and the expectation on the other are equal. For clarity, I will give an example from my own service providers.

My bank promotes an online payment approval system that is also based on a unique code sent via SMS. In practice, it is assumed that the SMS reaches only its customer. But the bank contract says:

8.1.6. The bank will not be responsible for the client not receiving the SMS-OTP messages related to the service (…) if the client declared an incorrect phone number to the bank nor for receiving these messages by another person who actually uses, at any time during the duration of the contract (), the telephone number declared by the customer for this service.

How could “someone else” use your phone number without your consent?

A common method worldwide is to trick the phone operator into issuing a new SIM to the impersonator. This is simpler or more complicated depending on the operator's procedures, that is, on the costs it is willing to bear. In an economic context, these costs are justified by the associated financial risk, and my operator chose to limit that risk as follows:

9.3. In case of non-compliance with any contractual clauses by (…), the maximum amount of compensation granted to the Beneficiary at his request is limited to the value of a monthly subscription and will be established proportionally to the periods of non-operation of the service or it will be set at most at the cost of a monthly subscription for other situations.

So the maximum compensation I can expect if their mistake gives someone else access to my phone number is 5 euros.

Thus, an authentication factor limited to 5 euros is currently used as a basis for banking operations of thousands of euros. The difference between the value of the damage and the amount of 5 euros will be borne by the user.

This situation arose spontaneously, through the correlation of distinct interests.

But there is also a holistic approach, in a very close field, that of qualified electronic signatures. It is an area covered mainly by private providers, but the legislator organized an insurance system based on two pillars.

In addressing its own economic interest, the provider of qualified certificates is obliged to ensure its ability to cover user losses of a minimum threshold, which in Romania is 10,000 euros.

In the classic governmental approach, there is a dedicated authority (the Authority for the Digitization of Romania, ADR) that verifies the technical quality of the supplier's activity.

When the supplier does not pursue profit, being a state institution such as STS, it no longer needs to demonstrate financial capacity, as it is under no pressure to reduce costs and has no prospect of escaping liability through bankruptcy.

In a mature qualified certificate market, however, conditions other than price, such as the limitations imposed by the supplier, should also be taken into account.

We can see that aligning risk is naturally difficult when those who measure risk and liability in economic terms interact with those who do so in legal (criminal) terms. One such mixed ecosystem is the National Electronic Payment System (SNEP), visible as ghiseul.ro and regulated by HG 1235/2010[i]. It is a successful project that has managed to bring the flexibility and productivity of the commercial environment to an area specific to public institutions.

The key to success was covering the expenses and the risk assumed by the card issuers, who created Ghiseul.ro for ADR, through the value of commissions on payments to public institutions. In this system there are no longer restrictive clauses of the type cited above; everything is regulated by the Government Decision and the subsequent rules.

With the interconnection with the MAI HUB for issuing the online record, ADR becomes, apparently for the first time, an eID provider for another public institution. This relationship needs to be analyzed strictly from the perspective of the applicable legal norms. I will focus on those eIDs created through the registration procedure in ghiseul.ro with the help of a bank card. The analyzed stages are the following:

The user opens his account by simulating a payment with his bank card. Technically, he was already identified by his bank when the card was issued; what happens now is an authentication procedure. After authentication, the bank creates his credentials in SNEP.

According to the information received from ADR, the only norm applicable to this activity is found in the Methodological Norm[ii] issued by ADR on 25.01.2021, namely this provision alone:

(3) The access data required for the authentication of taxpayers in SNEP are made available to taxpayers by the distributors of access data through one of the following means, as the case may be:

b) by secure electronic means.

As there are no national technical regulations regarding electronic authentication, we can accept that the procedure represents a “secure technical means” through which a new SNEP authentication means is issued.

From ghiseul.ro, the user follows a link to the MAI, through which he reaches the enrollment page in the MAI HUB. This page represents an identification procedure belonging to MAI, and its strength is given by its components. Obviously, the MAI verifies the existence of the person in its databases. There remains only the question of the quality of the authentication service offered by ADR and, in turn, by the creator of the respective eID – the Card Issuer (EC).

We note that there is no direct relationship between EC and MAI; EC's obligations are only towards SNEP. Is MAI part of SNEP? Not through the online record procedure, because it does not involve an electronic payment (the limited scope of SNEP defined by HG 1235), nor does it transit the SNEP servers.

We are therefore in an unclear situation, an incomplete legal construction, for more reasons than the simplified description above conveys. We do not know whether the online record is obtained by engaging the responsibility of MAI, ADR or the card issuer for identifying the applicant.

We could end on this pessimistic note, but there is another important factor – GDPR. It does not condition the protection of personal data on the value of the service; the free scripts are equally protected. Contract clauses can limit the amount of civil compensation, but they cannot limit the liability and the fine for a mistake that leads to damage to personal data. Liability remains even if the further use scenario does not belong to, and has not been approved by, the at-fault data controller.

Read the entire article and comment on Contributors.ro
