Neil Clowes, a specialist on eIDAS, the electronic identity regulations in the European Union, has been advising UNHCR in recent months on the possibility of establishing a trusted identity for refugees. We asked him how he foresees the role UNHCR could play in that process.

Syrian father Mohamed Said Fado, his son Mayer and daughter Moufida, wait in line to have their passports checked after arriving at Hanover airport on a charter plane from Egypt, where they had been living.

 

Since the 19th century, States have had a monopoly in establishing the legal identity of their citizens. Are States ready to share parts of that responsibility with the private sector and international organizations now that countless human transactions are moving into cyberspace and that each individual can obtain a digital identity that allows interaction across national borders?

Neil Clowes: States are already sharing the responsibility of establishing the legal identity of their citizens. In the EU, for example, the private sector has a number of roles supporting states in issuing legal identities, and in some states this includes undertaking the whole identity issuing and authentication process for the state.

UNHCR has been registering refugees for six decades. Why would the organization now be concerned that the identity tokens (ID and ration cards) are recognized by States and businesses?

N.C: The advantages of recognition are to the benefit of both the refugee and the state or business. Digital identities are more secure and trustworthy than “paper-based” identities, and enable services to be provided online and across borders. This means services can be provided more efficiently and economically, and for the refugee it means quicker and easier access to a wide range of services.

Looking at UNHCR’s policies and practices what trust could be put in an identity established by UNHCR?

N.C: UNHCR is an organisation of considerable stature and good reputation. If UNHCR adopted procedures which were largely compatible with the EU eIDAS regulation including biometrics, a refugee would be locked into a digital identity which uniquely identifies him from any other person. The transparency of these eIDAS procedures, as with a state, provides for the trust needed by all involved.

The European Union, by adopting and implementing the General Data Protection Regulation, has created maybe instant customary law, but certainly best practice, with regard to data protection rights. Is the identity regulation eIDAS going to have a similar impact?

N.C: This is already happening. There is a global reach in eIDAS as it is founded on an outcome-based approach, not technology-limited standards. It is a cross-border scheme with the largest number of states participating anywhere in the world and represents best practice. There is clarity about the trust in the identity and the means of asserting that identity and that the person is uniquely identified. We are seeing not only the EU states adopting the scheme but also authorities in other parts of the world looking to adopt compatible procedures.

If UNHCR were to decide to become eIDAS compatible, what needs to be done?

N.C: That is not straightforward to answer. There are different levels of trust known as Levels of Assurance in eIDAS. UNHCR will need to decide whether they are seeking to be compatible with the high, substantial or low levels of trust for the different elements of an identity scheme. These include how the identity is verified at registration, what the means of asserting the identity is and how it is issued.

Whichever level UNHCR may seek, they will certainly need to extend their risk assessment across all processes and adapt their IT systems so that identities asserted for a service can be immediately authenticated.

 

 

Neil Clowes is a former UK civil servant who has worked in many frontline government functions, including 15 years in migration and identity. From 2011 to 2013 he was Head of EU and International Engagement for the Cabinet Office Identity Assurance Programme and negotiated the eIDAS Regulation. Following this he worked at the European Commission, providing expert advice about the content of the secondary legislation needed to operationalise interoperable eID across the EU under the eIDAS Regulation and advice on related topics. He established eIDAS Identity Consulting Ltd in 2017 and provides analysis and guidance on electronic identification and related topics.