A deeper, more digital single market
Introduction and summary
The principles for creating such a market are, at their core, very simple:
- You should be able to access anything from anywhere, independent of your country of residence or country of origin; the only differentiator should be adherence to European sovereignty. This includes services as well as those offering services, such as banking and insurance.
- You should only have to provide information once, and you should be able to retrieve attested information that has been checked or collected by a custodian, whether that custodian is a public or a private entity.
- This should work today or tomorrow, not in ten years once we have figured out the next great thing that might (maybe) solve it.
So it really is not more complicated than that, although we will dive into the inherent complexities as we cover this in more depth.
As with all elephants, consumption is recommended piece by piece, prime parts first. Thus starting in an already strongly regulated business such as the financial sector is recommended, which was the suggestion raised by the EU expert group on eID and KYC.
Once only principle
This is old news in a sense, as the once-only principle has been used for quite a while and has even been applied cross-border.
Today it is limited to public sector interaction and standard information, which is where it falls short of what is required to build a cross-border digital market. The following principles should be in place.
- A wide range of information should be available on demand and in real time. This should be regulated, but the starting point should be that any information related to a legal entity or natural person is available regardless of whether it is held by a public or a private entity. There will be exceptions, such as competitor research or material related to ongoing investigations, but the starting point should be as described.
- This should be cross-border, and digital islands should be avoided. If one really wants a single market, one must facilitate it by getting ahead of the curve so that no foundation exists for walled gardens or digital islands. These are currently on the rise and will continue to be until they are made redundant by better and stronger common building blocks.
- Access should have strong governance to enforce privacy and data governance.
- Access should by default only be allowed with proven user consent. Exceptions would have to be governed by law, based on significant public interest or pertinent court orders, as well as edge cases that are clearly stated, strongly governed and regulated.
There are several layers of depth in this material, but some obvious ones will be covered next.
For this to happen there needs to be a clear legal framework in place. This framework would need to stipulate what is required of public and private entities and what is allowed.
It is obvious that sharing is not something many entities are inclined to do out of an altruistic perception of the common good, so unless they are obligated it will not happen.
By the same token, it is not obvious that an altruistically inclined entity can share information even when instructed by the owner and with proven consent.
Hopefully much of this is already in place through the eIDAS regulation, but I will leave it to the lawyers to determine the gap and to the politicians to fill it. The only relevant question is whether you want a deep digital internal market and how urgently you want it to happen.
My answers would be yes, and quickly, unless you want the internal market to erode as digitization accelerates.
Like the power grid and the rail lines, an infrastructure for this has to be built.
Without question this responsibility falls into the public domain, but that does not by default result in a huge publicly funded infrastructure program. Indeed, a lot of infrastructure is handled by private actors and financed by road tolls or by surcharges for use of the power grid or the rail lines.
There is no reason why this should be different here, and if organized as P2P one can easily imagine a solution where use is free when both peers are public services and a reasonable surcharge applies where one or both parties are private sector actors.
Please notice that infrastructure spans more than wires: standardization of data and protocols is crucial, and probably matters more and lasts longer than copper and fiber.
This is covered in more detail in my previous article.
Single European digital gateway
This is an exciting initiative for joining the digital islands of the jurisdictions for public services. It is limited to public sector entities, even though there have been considerations to open up for a larger scope including private sector access.
As indicated, this builds on electronic identities recognized cross-border through eIDAS, but with a recognition of the need for added trustworthy and reliable information beyond who you are.
Self sovereign identity
This is a concept that still has a lot of mileage to cover, and a lot of moving parts that need to fall into place and be proven robust before it is ready for prime time. However, there is considerable interest in this domain and a clear premise of added value.
The basic pattern is still based on qualified certificates issued to the parties authorized to do queries on behalf of the end user, and possibly qualified certificates for the parties entrusted with custodianship of the data in question.
On top of this, explicit proof of user consent would normally be required, which could take the form of a digitally signed artifact to that effect using eIDAS signatures.
This belt-and-suspenders approach safeguards privacy against rogue authorized parties, and the principle of requiring explicit proof of authorization safeguards against phishing and masquerading towards end users. Certificate revocation provides a robust and easy way of propagating de-authorization into operational reality, provided the custodian actually checks revocation status at query time and treats an unavailable status check as a denial rather than a pass.
This proposal, like so many P2P solutions, does not require a costly infrastructure program to be initiated. In this case the actors finance their own part of the infrastructure, and a funding model can be prescribed based on a fair return on investment through pay-per-use, as in the rail network, the power grid or the core telephone network, which are examples of infrastructure where the same principles are used.
This is the same pattern that can be used for any value-added service, and it can also be used for self-storage in a self-sovereign identity case. This assumes that the self-storage user agent used in such scenarios holds an authorization of its own if it is to receive attested claims. This is crucial to maintain data sovereignty and to protect sensitive data for the average users of such solutions.
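The authorization pattern described in the last few paragraphs (a qualified certificate for the querying party, a user-signed consent artifact, and certificate revocation as the de-authorization mechanism) can be sketched in code. The Go program below is an added example written for this article; it is not the author's implementation nor that of any project mentioned here. It uses Ed25519 keys as a stand-in for qualified certificates and eIDAS signatures, an in-memory set of revoked serials as a stand-in for CRL/OCSP, and made-up parties and data (Bank A, B and C, user-42, an address record). The same check applies unchanged to a self-storage user agent: it is simply another requester that must present its own authorization before it receives attested claims.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Consent is the user-signed artifact: it authorizes one named requester to
// fetch one data type about the user from the custodian until Expires.
type Consent struct {
	UserID, RequesterSerial, DataType string
	Expires                           time.Time
}

// Bytes is the canonical form both the user signs and the custodian verifies.
// A real deployment would use an eIDAS signature format such as XAdES instead.
func (c Consent) Bytes() []byte {
	return []byte(fmt.Sprintf("consent/v1|%s|%s|%s|%d",
		c.UserID, c.RequesterSerial, c.DataType, c.Expires.Unix()))
}

// Custodian holds attested records plus the trust anchors that gate access.
// Requesters stands in for qualified certificates; Revoked stands in for CRL/OCSP.
type Custodian struct {
	Requesters map[string]ed25519.PublicKey // certificate serial -> requester key
	Revoked    map[string]bool              // serials de-authorized by revocation
	UserKeys   map[string]ed25519.PublicKey // eID signing keys, keyed by user ID
	Records    map[string]map[string]string // user ID -> data type -> attested value
}

// Release is the belt-and-suspenders check: a known, unrevoked requester that
// proves key possession by signing the consent, plus a user-signed consent that
// names this requester and has not expired. Revocation is checked first, fail closed.
func (cu *Custodian) Release(serial string, requesterSig []byte,
	c Consent, userSig []byte, now time.Time) (string, error) {
	key, ok := cu.Requesters[serial]
	if !ok {
		return "", errors.New("requester not authorized: unknown certificate")
	}
	if cu.Revoked[serial] {
		return "", errors.New("requester not authorized: certificate revoked")
	}
	if !ed25519.Verify(key, c.Bytes(), requesterSig) {
		return "", errors.New("requester signature invalid")
	}
	userKey, ok := cu.UserKeys[c.UserID]
	if !ok || !ed25519.Verify(userKey, c.Bytes(), userSig) {
		return "", errors.New("consent signature invalid")
	}
	if c.RequesterSerial != serial {
		return "", errors.New("consent is bound to a different requester")
	}
	if !now.Before(c.Expires) {
		return "", errors.New("consent expired")
	}
	// A missing record reads as an empty string; only reached after all checks pass.
	return cu.Records[c.UserID][c.DataType], nil
}

// Outcome collects the results of the scripted exchange in Scenario.
type Outcome struct {
	Released                                  string
	RevokedErr, WrongRequesterErr, ExpiredErr error
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario runs a constructed exchange with made-up parties and data: Bank A is
// authorized and named in the consent, Bank B is revoked, Bank C replays A's consent.
func Scenario() Outcome {
	now := time.Date(2020, 6, 1, 12, 0, 0, 0, time.UTC)
	aPub, aPriv := mustKey()
	bPub, bPriv := mustKey()
	cPub, cPriv := mustKey()
	userPub, userPriv := mustKey()
	cu := &Custodian{
		Requesters: map[string]ed25519.PublicKey{"A-001": aPub, "B-002": bPub, "C-003": cPub},
		Revoked:    map[string]bool{"B-002": true},
		UserKeys:   map[string]ed25519.PublicKey{"user-42": userPub},
		Records:    map[string]map[string]string{"user-42": {"address": "Example Street 1"}},
	}
	consent := Consent{"user-42", "A-001", "address", now.Add(time.Hour)}
	userSig := ed25519.Sign(userPriv, consent.Bytes())
	var out Outcome
	out.Released, _ = cu.Release("A-001", ed25519.Sign(aPriv, consent.Bytes()), consent, userSig, now)
	_, out.RevokedErr = cu.Release("B-002", ed25519.Sign(bPriv, consent.Bytes()), consent, userSig, now)
	_, out.WrongRequesterErr = cu.Release("C-003", ed25519.Sign(cPriv, consent.Bytes()), consent, userSig, now)
	stale := Consent{"user-42", "A-001", "address", now.Add(-time.Minute)}
	_, out.ExpiredErr = cu.Release("A-001", ed25519.Sign(aPriv, stale.Bytes()), stale, ed25519.Sign(userPriv, stale.Bytes()), now)
	return out
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Two design points are worth noting. The consent names the requester it was issued to, so a valid, user-signed consent obtained by Bank A cannot be replayed by Bank C even though C is itself authorized; and revocation is consulted before any signature is verified or any record touched, so de-authorizing a party is a single list update that takes effect on the next query. In a real system the requester would sign a request carrying a nonce rather than the bare consent bytes, and certificate validity would come from chain validation plus CRL/OCSP rather than the in-memory maps used here.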
Sense of urgency
I guess sometimes an image says more than a million words, and this pretty much sums up why making progress is not only strategy but also urgently needed firefighting.
Like every journey, the next steps would be to realize that a journey is to be had and to prepare before executing on it.
Like all journeys, it is often a question of thinking of the big expedition but starting with a minor one, as no plan will ever survive meeting reality; what you learn as you start to execute can be fed back into preparations for the big expedition.
One way of doing this is to start with eKYC as a pilot case to learn from, as this is mature material and a problem that needs to be addressed sooner rather than later. It should be executed based on what we have today and the current infrastructure; solutions incorporating technology like self-sovereign identities can plug nicely into this infrastructure once mature and stable enough for prime-time usage.
Please feel free to reach out to me on this or related subjects. I am fully aware that this is just the start of a discussion on the journey and will not be offended by any feedback or suggestions.
About the author
Ronny Khan is an IT and business development specialist within the Norwegian financial sector, who is involved in standardization efforts on remote natural person identification targeting trust level high, as part of a shared effort by the banking association with public sector stakeholders, and is a member of the EU expert group on electronic identities and KYC.
He is currently working full time, seconded to the banking association as liaison with key players in the public sector, to ensure deployment at scale of remote onboarding for electronic identities.
He also participates in ISO standardization and in national standardization with a focus on biometrics and security in retail banking, is a keen follower of the area of identity, identity proofing and KYC, and is always looking for new interesting domains. Currently he is focused on digital validation as a natural evolution of digital identities.
Previously he has worked within a broad field covering digital identities, internet bank authentication/authorization, card security and telecommunications.