Let’s talk about digital identity with Rainer Hörbe, Senior Manager at KPMG Austria.

In episode 14, Oscar and Rainer discuss identity management and eGovernment, including views on challenges in real eGovernment projects – India’s Aadhaar, Austria’s smart ID card and China’s residents’ card. They also talk about Kantara’s eGovernment work group, of which Rainer is the chair, and the annual TIIME conference, which he organises.


Rainer graduated in Computer Science from the University of Vienna. Working as a software developer for some years, he then specialised in identity and access management starting in 2001. In roles as a security and identity architect he contributed to projects like the Austrian eGovernment identity federation and European framework projects (epSOS, MAPPING). He is chair of the eGovernment WG at Kantara Initiative and contributor to standardisation activities in standards developing organisations like ISO SC27. He started the TIIME event – an annual identity conference – in 2013. Currently he has the position of Senior Manager at KPMG Austria, consulting clients in different sectors on enterprise IAM topics.

Find Rainer on Twitter @rhoerbe1 and on LinkedIn.

Find out more about the annual TIIME (Trust and Internet Identity Meeting Europe) event in Vienna at tiimeworkshop.eu. The event facilitates the cooperation between the innovative communities in various fields of trans-organisational trust and identity matters.

Check out Kantara’s eGovernment Work Group here – kantarainitiative.org/confluence/display/eGov/Home.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!


[Podcast transcript]

Oscar Santolalla: Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Hello! Thanks for joining today. We will have a conversation about eGovernment, a very interesting conference coming now in February, and many more things. So let me introduce to you our guest today, Rainer Hörbe. He graduated in Computer Science at the University of Vienna. Working as a software developer for some years, he then specialised in identity and access management starting in 2001. In roles as security and identity architect, he contributed to projects like the Austrian eGovernment identity federation and European framework projects, epSOS and MAPPING.

He is chair of the eGovernment Work Group at Kantara Initiative and contributor to standardisation activities in standards developing organisations like ISO SC27. He started the TIIME event, an annual identity conference in 2013.

Currently, he has the position of a Senior Manager at KPMG Austria, consulting clients in different sectors on the enterprise IAM topics.

Hi, Rainer.

Rainer Hörbe: Hi, Oscar.

Oscar: Welcome. Very nice talking with you. So it’s starting now – just talking that we are in the middle of winter there, a little bit minus on your side, a little bit of sun.

Rainer: Yeah. Thank you for having me. It’s a good opportunity to start the year with identity management and eGovernment.

Oscar: Exactly. So let’s get started. Let’s talk about digital identity. So I would like to hear first from you how you entered this world of digital identity.

Rainer: So well, I think in 2020, a 40-year professional anniversary. And around half of that time, so almost 20 years ago, after working mostly as a software engineer, I came into identity and access management. So before that, I was exposed to topics like PKI and the host mainframe identity management tool, RACF, Lotus Notes, directories, etc. And I obviously as a developer had to do authentication, etc.

But I would say from today’s point of view, I was living in blissful ignorance because I didn’t understand identity management. Well, today still, if I could cite a Game of Thrones character, Ygritte, she was always saying to Jon Snow, “You know nothing.” Identity management is such a vast topic that I still think there are many, many things to be learned.

So just to make it short, after my first project in the Austrian government, the Central Residency Database, I had the opportunity to move into a project to federate government-to-government authentication and authorisation. And this was a project that I was accompanying for almost 16 years. And the interesting thing about this project was that the Central Citizen Registry was kind of a killer application at that time for establishing a government federation which is today almost 100% pervasive.

And beyond that, I did the usual things in IAM, some role manager, two factor authentication, data-clearing jobs. So I’ve been writing policies. I’ve been working on SAML profiles with open-source products. What I find interesting in general is that people in my profession, identity and access management experts, usually have a pretty strong background with some commercial product, and this I don’t have. So I have been doing projects in various areas without commercial products, developing from scratch or using open source products up until recently.

Oscar: So half of your career so far is dedicated to digital identity. And one of the main things you’ve been doing in the last years is eGovernment as you mentioned. So, how do you define eGovernment?

Rainer: So eGovernment is the digitisation of processes between the government and citizens, businesses, other government entities, or different levels of government from municipal to state, national, EU, United Nations, whatever. So there are different concerns in government like social, economic, legal, organisational, ethical, data protection. And this also applies to this subtopic of identity within eGovernment. Again here, it’s a multilevel problem which, if you don’t get the legal stuff right, you can have implemented lots of technology and you will suffer.

Just to cite one example would be the Indian Aadhaar System. So they started 10 years ago implementing it with lots of use cases and penetration. But they have been plagued by people who sued the government and the Supreme Court has been deciding that some features are not constitutional, etc.

So identity is really not only a legal, not only a technical thing, and not only a commercial thing. And this makes this really interesting.

Oscar: OK. So what would you say were the main reasons why this project, well, not failed, but had this setback?

I mean in the design most probably, yes.

Rainer: Yeah. But maybe just to give you a little background, because in the identity world, those people you frequently meet on international conferences – we have a little bit of kind of Euro-centric view in the sense of history sciences. So we know quite well what’s going on in North America and in Europe but we have less experience with India, China, Indonesia, Africa, etc. So, bear with me for a second.

So Aadhaar is a project to obtain or to assign a number, an identifier, to each Indian resident being connected with a biometric authentication, so fingerprint and iris scan. And there were a lot of expectations to what that project should deliver. So what was being expected internally and what was being sold to the public obviously was also not 100% coherent because there were early notes that this was used to differentiate between citizens and noncitizens in critical regions. Also, officially was a residential registry.

So this is one of the patterns I found frequently in projects that you’re targeting different groups and the use cases are slightly different. So whether it’s a residential registry or a citizen registry, it’s a vast difference. Also, if you think 99% or more of the cases, it’s identical, but the fringe cases did hurt. And as an example, if you have the sex, the gender being male or female, and then some people sue you because they say, “Well, I’m transgender” and in this country it’s constitutional to have it registered, these small things might bite back because it occurs once you have started and already have a lot of data in the system and it’s operational and changes are very, very hard later on.

So back to Aadhaar, they didn’t consider the legal aspects enough. So they didn’t have a legal foundation until 2016. So they started the project without a law which is, not only in India but also in India, unconstitutional because the government must act on the basis of law.

And then there is the problem of exclusion. The government usually must not force people to use digital access methods for government use cases, government processes. Again, they didn’t consider that. People sued them. The Supreme Court ruled it’s not allowed to make the digital access or this Aadhaar number mandatory.

So I think it’s the second largest eID project in the world after the Chinese one, and it’s amazingly complex and they are I think still quite well underway to provide food subsidies and registering SIM cards and they have many use cases. But they are really plagued by legal issues, by security breaches, and all these things. So it’s really interesting to watch such a project in the large scale because all the same things happen on the smallest case in European projects as well.

Oscar: Yeah, thanks for sharing. I haven’t heard about this Aadhaar project from India. It’s very interesting and I imagine as you said, the second biggest in the world, it had to be a very complex project of course.

Rainer: Right. Right.

Oscar: And tell me in your country, your country in Austria, how is today eGovernment in Austria? What do you have there?

Rainer: So, Austria has started in around 2000 to have, actually in the time when I was involved in the project, to integrate eGovernment processes and identity management. So this was a very interesting time. The idea was to use digital signatures as a legal basis to identify citizens. And so, Austria was one of the first European countries to introduce a citizen card, an ID which was not related to a passport or other kind of government ID. It was a separate smart card.

And the idea was to have frequent use of this card in many use cases. Everybody would have it and government processes would then be automated and so you would have faster, better delivery of government services to the public.

And the idea was within 5 years to have electronic delivery, electronic single sign-on, and all government, all major government services integrated on the platform. And this was a severe miscalculation.

I think at the time people just – well, we didn’t know better. So there were a number of interesting lessons to be learned. First, there was a little bit of confirmation bias because any government process looked like a use case for identity management. So what could be better than to have a high quality or high assurance authentication and attributes delivery for any use case? And that wasn’t the case.

Actually, the vast majority of government use cases work without electronic authentication quite well. For example, in many countries, filing tax returns in the electronic way is cited as a major online activity, which is true. It’s not necessary to have a high-quality assurance because people are anxious of lying to the Tax Office, or maybe the numbers may be optimised in some cases. I don’t know.

But in general, stating identities etc. is just not an issue. So if you just, let’s say, file a PDF, some numbers, and after two weeks, you receive a letter with your tax statement which is not a registered letter, which is just a plain letter, this is good enough.

The same is true if you have a speeding ticket. So this kind of transaction, people don’t want to authorise to authenticate to pay their, or to get access to, their speeding tickets. They want to – maybe in case they want to complain about it, but then usually, you just pay it and try not to think about it.

So there were some studies and they found roughly 90% of the state level, kind of more local use cases, you don’t need authentication. Either you have some letter, back office letter, or some payment, there is no need to care.

Oscar: Yeah, 90% is something quite high. And it’s really interesting that – about making the assumption that external authentication is always needed and it’s something that one could assume but it’s not the case.

Rainer: And on the other side, obviously, there are use cases where it’s very usual to have authentication with all the bells and whistles you expect nowadays like delegation and single sign-on and there is security and adaptive authentication. And it’s so hard to implement because of the different technology than 10 years ago roughly. Mobile access became so pervasive that you got a complete new technology platform or technologies that were just hard again.

And so it’s pretty messy. And you run into the economic problem of the network defects or if you don’t have enough use cases, people don’t use it. If people don’t use it, the IT projects don’t pick up the authentication services, so the usual problem. So it was really hard to get to that point.

To sum it up, it took I would say 15 years to get into a region where you can say the majority of citizens facing and business facing use cases are accessible online with an eID and you have a serious coverage of electronic delivery and solid authentication methods. So the good news is we are there. It just took much longer.

Oscar: Wow, it sounds like a long journey and bumpy road. And so now, the main authentication method is the ID card?

Rainer: No. Well, because the pick-up of the smart card was so difficult, particularly for tech and support reasons, so I know Estonia did much better in that case but it just wasn’t feasible in Austria. So they implemented within the same type of interfaces a mobile and thumb-based authentication alternative. And some legal tricks to assign the same assurance level to SMS-based authentication as it was with a smart card signature, which is difficult to understand for an engineer but lawyers can do miracles.

And actually, this approach was then copied in quite a number of European countries. And from today’s perspective, I think as a provisional measure, probably it was worth the risk because it’s just quite simple to implement SMS-based authentication.

Now, with PSD2 from the European Central Bank banning SMS, more and more sophisticated and strong authentication methods will slowly trickle into the public.

Oscar: Sure. And tell us now about the work you do in Kantara Initiative. You are one of the leaders in the eGovernment Work Group.

Rainer: Yes. So Kantara is a professional network and the eGovernment Work Group used to be fairly technical for standardisation. So the SAML 2.0 eGovernment profile was used as a blueprint in many countries for national SAML profiles log-in, in Austria as well.

And in the meantime, Kantara has moved upwards more to the governance side on trust frameworks and assurance, which is a more tricky thing. And the eGovernment Work Group has changed as well. So it became much smaller and specific on topics. It’s kind of a resource pool for governments who are doing framework policies.

And so people throw some papers into it and get some feedback from people who are interested and also learning from that. And so the actual work on technical profiles in Kantara moved to other work groups like the Federation Interoperability Work Group which did recently a very modern SAML interoperability and deployment profile with best practices collecting in the last 10 years of movement to then your document.

And so again, that has been circulated on this mailing list where we have users and lots of vendors and consultants in the group. But in general, the eGovernment Work Group is now a fairly small group for occasional projects and keeping the network and the connections up.

Oscar: And what had been the highlights, the best achievements, what would you say for the Work Group?

Rainer: Yeah. Well, historically, what I said, this interoperability thing, if I see the different published government profiles, you see the templates and the profiles from Kantara. Also, I would have wished that the quality would have been better. But it was the experience of 2008 and 2009, it just wasn’t better to have more specific profiles.

And recently, yes, I think it’s nice to see that people ask for the profiles to the group, ask questions, and present their ideas. And then we have useful feedback for them. And you see their documents changed.

Oscar: So, these are the best ways that someone in some government in some country can benefit or contribute. So they could bring their, you say, papers or what they are working on, and you would give them feedback with the network that is active. Excellent.

And overall, as you are definitely an expert in eGovernment, you mentioned the project in India. You mentioned also– I asked you about Austria. What other interesting projects or eGovernment you could mention, some experience anywhere in the world?

Rainer: Well, the biggest project is obviously China’s residential identity card. So you see the history of that card. So they started fairly early. I don’t remember exactly. But I think in the ‘80s or ‘90s. It was a very simple card, which didn’t have a lot of security features. And as I understand, it was – the main purpose was physical validation of identity, not online.

And some 15 years ago I think, the second generation of their card already was for online verification but they were– they didn’t use the standard smart card technology so it kind of […indiscernible]. And this one is still in use and they have been plagued by counterfeit and fraud of this card so there are still markets on the internet where you can buy your identity card for a few dollars. And it’s interesting to see how they adapt to that.

So the Chinese government decided to completely move to online. So WeChat is the Chinese – the major online community. And they use it for payment and communication and purchasing and many things. So the government will be– I think a year ago, they started to pilot WeChat as an identity system. So they are going mobile and commercial or somehow commercial or PPP you would say in the West. And replacing this somehow flawed smart card completely with an online system.

So with a lot of technology and fixing the problem that they had there, for example, their previous cards had the problem that they didn’t have a separate card number but the citizen ID on the card. So you couldn’t reissue the card if there was an identity theft. The card was stolen. So you couldn’t make a difference between a stolen and the reissued card. So many interesting things, which I see when I do assessments of enterprise systems. Sometimes you see similar patterns in applications or legacy systems.

The interesting thing about eGovernment is that it is, in some sense, usually more diverse and complex than a typical enterprise system because there are in governments usually thousands of processes to very different user groups and a lot of legal obligations, etc. So what works in the government usually you can say to some extent also works in the private sector.

And after the Chinese example, the resident’s information card was I think 1.5 billion users or so. Obviously, the eIDAS, the EU-driven cross identity government eID system is a very interesting one.

An interesting pattern here – and this is kind of an essential difference to the Chinese or even the Indian one – is that the government in the West usually doesn’t have a mandate to structure IT processes in the private sector. It can do – so regulators for regulated industries, utilities and finances, etc., can require certain security things to some extent.

But in general, it’s very difficult for the government to establish standards. And this is really the difficult point of many eGovernment systems including eIDAS, or in particular eIDAS, because eIDAS is an interoperability project for eGovernment services. And so, you will see I would say given some time that government services will converge to use eIDAS, and that makes a lot of sense.

But the usual citizen has very few government interactions. People work with their bank, with their employer, or with many systems, but the government is not present in everyday life. And so, it’s really hard for the government to offer a system that is very attractive for the public.

So quite interesting in the Scandinavian countries, bank ID has been quite successful because it was used from – both for online banking and for the government. And in other countries, this wasn’t the case. And the number of transactions done in the eGovernment systems is dwarfed by what’s being done in any other commercial system where people authenticate.

So this is really a problem. And so, [?] applications are really essential to get into the network to effect those authentications or identification systems, and it’s very hard for the eGovernment. And so, China, it’s easy. The government has a much longer lever to integrate essential services into their system. But for a variety of reasons, we don’t want that, Western societies.

Oscar: Right. Yeah, very interesting cases you’re describing and what the differences are. And tell us now about the TIIME, the conference that is coming now in February.

Rainer: Yes. So the Trust and Internet Identity Meeting Europe, as it’s named, so the acronym is TIIME, is an annual event since 2013. And actually, a brainchild of the IIW Events or the IIW, the Internet Identity Workshop, that happens two times a year in San Francisco and is an unconference on internet identity. So a lot of technologists head there for the meetings there like OAuth and OpenID Connect and many other interesting things.

And when I talked to Kaliya who is facilitating this conference if she wanted to bring it to Europe, she said, “Well, no.” She doesn’t have the resources but she will help me to set up something like that in Vienna. And actually, we did that.

So the key feature of TIIME is to bring together different communities like the eGovernment but predominantly, the higher education and research community, which is running large scale, very large scale federations and they had a lot of technical experience in that area, but also private sector companies and banks, etc. So it’s pretty much free of any member pitches and sales talk. So people meet here to talk on subject matter things like technology and architecture and policy. So people like it.

Oscar: And this is going to happen exactly from …

Rainer: It’s in February, in the week from February 17th to 20th. The first day will be user group meetings for various research federations and open-source user groups. The second day is a programmed experience. We have a track on open source and another track on identity governance and administration.

And then we have two days of unconferencing. This is in my experience, the most effective things because it allows people to bring their own topics and customise their own sessions to get out the knowledge or to share experience about their projects. And so, having these kind of formats proved to be very, very effective.

Oscar: So what is the best way to find more about TIIME conference?

Rainer: So the easiest way is to go to tiimeworkshop.eu and there is a website explaining the concept, showing the results of previous conferences and obviously there’s a link to register and to get the ticket for the conference.

Oscar: OK. Sounds very good. And it’s coming now in February. Thanks for this. And before I let you go, I would like to ask you a final tip for anybody to protect their own digital identity.

Rainer: So if you’re a developer or a software architect, I ask you not to implement any local identity management in your applications. Even if you don’t have services somewhere, push it to a container like a Tomcat or Apache or whatever application server. But don’t code it into the application. So whenever later on you need to integrate/change anything, it can be done without touching the application, because this is really a pain in access management later on. The same would be true for any provisioning interface. So maintaining users and their access rights always should be done via an API. Never, never locally.

If you’re an expert on identity management, please reserve some time in your project to minimise data, to privacy by design. This really helps to reduce headaches later on.

And for the majority of users who have different objectives and just don’t want to be bothered with technical and legal details of identity and privacy, there are different levels of protection. The basic one is to minimise your data. So if you don’t use anything online, move it to an archive. If you don’t need it in the archive, delete it. This is the first point of how you can reduce your exposure.

The second one is, don’t use services which you really don’t need. Delete your accounts. So again, reduce your attack surface.

Then if you have done that, try to use brand name, trusted sources. So where you authenticate, where you keep your data, keep your identities, what you use for authenticating to other services, like you might be using your government or a social account like Twitter, LinkedIn, Google, or whatever, don’t use too many. Manage those ones carefully and look for whom you can trust.

Finally, because this is not good enough, the Google and etc. accounts are not as trustworthy as they appear. They are on the technical level but not on a policy level. What’s really protecting is regulation and law and so engaging in net politics and democratic processes and transparency is the ultimate help in protecting society.

Oscar: Yeah, I couldn’t agree more. So, thanks a lot for these tips and for this very interesting interview. Please let us know, Rainer, how we can find you on the net. What are the best ways?

Rainer: Yes. So there is an imprint on the TIIME Workshop homepage and otherwise, my name is so unique that Googling Rainer Hörbe will find you to the right places.

Oscar: OK. Perfect. We will find you there. OK, Rainer, it was a pleasure talking with you and all the best.

Rainer: Thank you, Oscar. Thank you for having me.

Oscar: Thanks for listening to this episode of Let’s Talk About Digital Identity, produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the hashtag #LTADI. Until next time.

[End of transcript]