
Electronic identification is the basis of any electronic interaction on the Internet. Its role is to distinguish one user from the general group of users, customers or even citizens. Its limitations are the natural limitations of the services that rely on it; its risks are the risks of the online service provided.
Next, I will analyze the boundaries of risk accepted today for electronic identity, from commercial practice to its interpenetration with government activity in the most recently publicized public service, the online record.
Electronic identification (eID) has an initial component, user identification, sometimes including verification that a real person with that set of attributes exists, and a recurring component, authentication at each access to the service, through which the user confirms their association with the initial identity.
The cost of both components increases exponentially with the desired level of security. It is therefore natural for any online service provider to want to optimize by reusing eIDs already issued by someone else. That other party, in turn, does not want the risk and responsibility for the activities of a third party from which it derives no benefit.
It is important to note that eID reuse is proper only when the assumptions and expectations of the parties coincide. For clarity, I will give an example from my own service providers.
My bank advertises an online payment confirmation system based, among other things, on a one-time code sent via SMS. In practice, it is assumed that the SMS reaches only the bank's client. But the bank's agreement states that:
8.1.6. The bank is not responsible for the client not receiving SMS-OTP messages related to the service (…) if the client provided the bank with an incorrect phone number as well as for receiving these messages by another person who actually uses, at any time during the term of the contract (), the telephone number declared by the customer for this service.
How could “someone else” use your phone number without your consent?
A common method around the world is to trick the phone operator into issuing a new SIM card to the impersonator. How easy or difficult this is depends on the operator's procedures, mainly on the costs it is willing to bear. In economic terms, these costs are justified by the corresponding financial risk, and my operator decided to limit them as follows:
9.3. In case of non-compliance with any contractual provisions until (…), the maximum amount of compensation provided to the Beneficiary at his request is limited to the cost of the monthly subscription and is set in proportion to the periods of absence of services, or it will be set at most at the monthly subscription level for other situations.
So the maximum compensation I can expect if someone else gains access to my phone number through the operator's mistake is €5.
Thus an authentication factor whose guarantor's liability is capped at 5 euros is currently used as the basis for banking transactions of thousands of euros. The difference between the cost of the damage and the 5 euros is borne by the user.
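The mismatch described above, a factor whose guarantor answers for at most €5 being used to authorize transactions of thousands, has a well-known technical mitigation on the service provider's side: bound what SMS-OTP alone may authorize, require a stronger factor above that bound, and stop counting SMS-OTP as a factor for a cooling-off period after the phone number's SIM was reissued. The following is an added example of such a step-up policy, written for this article and not taken from any bank's or operator's system. The assurance ranking of factors, the amount tiers, the 72-hour cooling-off period and the "SIM changed at" signal are all assumptions made for the example (some operators expose a SIM-change signal; where they do not, that field would simply stay unset).

```python
"""
Added example: a risk-based step-up authentication policy.

Assumptions (not from the article, the bank or the operator):
  - FACTOR_ASSURANCE ranks how strongly each factor binds to the user.
  - AMOUNT_TIERS maps a transaction amount to the minimum level required.
  - A SIM change within SIM_CHANGE_COOLDOWN makes SMS-OTP worth nothing,
    because the new SIM may belong to an impersonator.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed assurance ranking: higher means a stronger binding to the user.
FACTOR_ASSURANCE = {
    "sms_otp": 1,               # possession of a phone number; defeated by SIM swap
    "app_push": 2,              # device-bound key inside a mobile app
    "hardware_token": 3,        # possession of a dedicated device
    "qualified_signature": 4,   # qualified certificate, provider-insured
}

# Assumed policy tiers: (upper amount in EUR, minimum assurance level).
# Anything above the last tier requires the highest level.
AMOUNT_TIERS = [(100.0, 1), (1000.0, 2), (10000.0, 3)]
MAX_LEVEL = 4

# Assumed cooling-off period after a SIM reissue during which SMS-OTP is ignored.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)


@dataclass
class AuthContext:
    """What the service knows about this authentication attempt."""
    factors_used: List[str] = field(default_factory=list)
    sim_changed_at: Optional[datetime] = None   # constructed operator signal, may be absent
    now: datetime = field(default_factory=datetime.utcnow)


def required_level(amount_eur: float) -> int:
    """Minimum assurance level the policy demands for a given amount."""
    for upper, level in AMOUNT_TIERS:
        if amount_eur <= upper:
            return level
    return MAX_LEVEL


def effective_level(ctx: AuthContext) -> int:
    """Best assurance level actually achieved, discounting a recently swapped SIM."""
    best = 0
    for factor in ctx.factors_used:
        level = FACTOR_ASSURANCE.get(factor, 0)  # unknown factors count for nothing
        if factor == "sms_otp" and ctx.sim_changed_at is not None:
            if ctx.now - ctx.sim_changed_at < SIM_CHANGE_COOLDOWN:
                level = 0  # the number may now be in someone else's hands
        best = max(best, level)
    return best


def authorize(amount_eur: float, ctx: AuthContext) -> Tuple[bool, str]:
    """Decide whether the presented factors suffice for this transaction amount."""
    need = required_level(amount_eur)
    have = effective_level(ctx)
    if have >= need:
        return True, f"authorized: level {have} meets required level {need}"
    return False, f"step-up required: level {have} below required level {need}"


if __name__ == "__main__":
    t0 = datetime(2021, 3, 1, 12, 0, 0)
    # Small payment confirmed by SMS-OTP on an unchanged number: allowed.
    print(authorize(50.0, AuthContext(["sms_otp"], None, t0)))
    # Large payment confirmed only by SMS-OTP: refused, a stronger factor is needed.
    print(authorize(5000.0, AuthContext(["sms_otp"], None, t0)))
    # Small payment, but the SIM was reissued an hour ago: SMS-OTP is not trusted.
    print(authorize(50.0, AuthContext(["sms_otp"], t0 - timedelta(hours=1), t0)))
```

The point of the policy is that the factor's economic backing, not just its technical design, sets what it may authorize: SMS-OTP alone never clears the upper tiers, and a fresh SIM change turns it off entirely for the cooling-off window rather than leaving the user to absorb the difference.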
This situation arose spontaneously, due to the correlation of different interests.
But there is also a holistic approach in a very close field, namely qualified electronic signatures. This is an area served mainly by private providers, but the legislator has organized an insurance system based on two pillars.
Whatever its own economic calculation, the provider of qualified certificates is obliged to demonstrate its ability to cover users' losses up to a minimum threshold, which in Romania is 10,000 euros.
In the classic government approach, a dedicated body (ADR, the Romanian Digitization Authority) checks the technical quality of the provider's activities.
When a provider is not profit-seeking, being a government agency like DPS, it no longer needs to demonstrate financial strength, because it has no pressure to reduce costs and no prospect of being discharged from liability through bankruptcy.
However, in a mature market for qualified certificates, there are other conditions to consider besides price, such as restrictions imposed by the vendor.
We see that the interplay between those who measure risk and liability in economic terms and those who do so in legal (criminal) terms is naturally complex when it comes to balancing risk. One such mixed ecosystem is SNEP, the National Electronic Payment System, visible in the form of ghiseul.ro and regulated by HG 1235/2010[i]. It is a successful project that has brought the flexibility and productivity of a commercial environment into a domain specific to government agencies.
The key to its success was that the card issuers who built Ghiseul.ro for ADR covered the costs and risks they assumed out of the commissions on payments to government institutions. In this system there are no restrictive provisions of the kind quoted above; everything is governed by the Government Decision (HG) and the subsequent rules.
By linking up with the MAI HUB to issue the online record, ADR apparently becomes, for the first time, an eID provider for another government agency. These relations need to be analyzed strictly from the point of view of the applicable legal norms; I will focus on those eIDs created through the registration procedure at ghiseul.ro using a bank card. The stages analyzed:
The user opens an account by simulating a payment with a bank card. Technically, the user was already identified by the bank when the card was issued; this is now an authentication process. After authentication, the bank creates the user's credentials in SNEP.
According to information received from ADR, the only applicable rule for this activity is contained in the Methodological Rule[ii] issued by ADR on 25.01.2021, namely only this provision:
(3) The access data required for the authentication of taxpayers in SNEP shall be provided to taxpayers by distributors of access data using one of the following means, depending on the circumstances:
b) secure electronic means.
Since there are no national technical regulations on electronic authentication, we can assume that the procedure is a "secure electronic means" by which a new SNEP means of authentication is issued.
From ghiseul.ro, the user gets access to the MAI link, which leads to the MAI HUB registration page. This page presents the identification procedure associated with MAI, and its strength is determined by its components. Obviously MAI checks that the person exists in its databases; what remains is the question of the quality of the authentication service offered by ADR, where the actual creator of the corresponding eID is the card issuer (EC).
Note that there is no direct link between the EC and MAI; the EC's obligations apply only to SNEP. Is MAI part of SNEP? Not for the online record process, because it includes no electronic payment (the limited scope of SNEP defined by HG 1235) and does not pass through SNEP servers.
We are therefore in a confused situation, an incomplete legal construct, for more reasons than the simplistic description above. We do not know whether the online record is obtained by engaging MAI, ADR or the card issuer to identify the applicant.
We could end on such a pessimistic note, but there is another important factor: the GDPR. It does not tie the protection of personal data to the value of the service; services offered for free are equally protected. Contractual provisions may limit the amount of civil compensation, but may not limit liability and fines for an error that resulted in damage to personal data. Liability remains even if the further use scenario does not belong to and has not been approved by the responsible data controller.
Source: Hot News

James Springer is a renowned author and opinion writer, known for his bold and thought-provoking articles on a wide range of topics. He currently works as a writer at 247 news reel, where he uses his unique voice and sharp wit to offer fresh perspectives on current events. His articles are widely read and shared, which has earned him a reputation as a talented and insightful writer.