The Journal of Web Science > Vol 3 > Issue 3

Identity Assurance in the UK: technical implementation and legal implications under eIDAS

Niko Tsakalakis, University of Southampton, UK, N.Tsakalakis@southampton.ac.uk Sophie Stalla-Bourdillon, University of Southampton, UK, S.Stalla-Bourdillon@soton.ac.uk Kieron O'Hara, University of Southampton, UK, kmo@ecs.soton.ac.uk
 
Suggested Citation
Niko Tsakalakis, Sophie Stalla-Bourdillon and Kieron O'Hara (2017), "Identity Assurance in the UK: technical implementation and legal implications under eIDAS", The Journal of Web Science: Vol. 3: No. 3, pp 32-46. http://dx.doi.org/10.1561/106.00000010

Published: 07 Dec 2017
© 2017 N. Tsakalakis, S. Stalla-Bourdillon, and K. O’Hara
 
Subjects
 
Keywords
eIDASGov.UK VerifyBrexiteIDeIDMElectronic identityTrust servicesElectronic identificationInternal market
 

Article Help

Share

Open Access

This is published under the terms of CC BY-NC-ND 2.0.

In this article:
1. Introduction
2. Methodology and Related Work
3. Electronic Identification in the UK
4. eID Policy in the EU
5. Compliance and Interoperability
6. Future Work
7. Conclusions
Acknowledgments
References

Abstract

Gov.UK Verify, the new Electronic Identity (eID) Management system of the UK Government, has been promoted as a state-of-the-art privacy-preserving system, designed around demands for better privacy and control, and is the first eID system in which the government delegates the provision of identity to competing private third parties. Under the EU eIDAS, Member States can allow their citizens to transact with foreign services by notifying their national eID systems. Once a system is notified, all other Member States are obligated to incorporate it into their electronic identification procedures. The paper offers a discussion of Gov.UK Verify’s compliance with eIDAS as well as Gov.UK Verify’s potential legal equivalence to EU systems under eIDAS as a third-country legal framework after Brexit. To this end it examines the requirements set forth by eIDAS for national eID systems, classifies these requirements in relation to their ratio legis and organises them into five sets. The paper proposes a more thorough framework than the current regime to decide on legal equivalence and attempts a first application in the case of Gov.UK Verify. It then assesses Gov.UK Verify’s compliance against the aforementioned set of requirements and the impact of the system’s design on privacy and data protection. The article contributes to relevant literature of privacy–preserving eID management by offering policy and technical recommendations for compliance with the new Regulation and an evaluation of interoperability under eIDAS between systems of different architecture. It is also, to our knowledge, the first exploration of the future of eID management in the UK after a potential exit from the European Union.

DOI:10.1561/106.00000010