The National Civil Registry (RNEC) announced that the digital ID card has been available since the first week of December 2020. It was influenced by the digital ID implemented in Estonia, a European country that is a pioneer in digitization. This initiative will have a positive impact on society, facilitating access to health, social protection and financial services, among others. The implementation strategy should consider technological, regulatory and infrastructure aspects specific to the country. These characteristics would guarantee that the entire population would benefit from the remote identification service and would also promote innovation in the public and private sectors.
Estonian digital ID: Smart-ID
Estonia is a European country that has distinguished itself by a clear digitalization policy born in the mid-1990s, which has allowed it to make significant progress in e-government, government-industry integration, and the digital identification of people. In 2017, Smart-ID was launched: a free application that can be installed on any mobile device and that aims to serve as digital identification for the citizens of that country. As of 2019, the application had been downloaded by more than 2 million people (Estonia’s population is 1.3 million), which enabled more than 50 million transactions.
The operation of Smart-ID is quite intuitive for a digital native [SID2020]. Once the application is downloaded from the corresponding store (AppStore for Apple devices or Google Play for Android devices), the user must create an account with their phone number, email and a password. After creating the account, the user must associate their physical identity with the identity created in the app, for which different methods can be used. This process is facilitated in Estonia, since the ID card has an electronic chip, and the government has also provided people with readers for this technology. In this way, the association with the physical identity can be done remotely. As a last step, the user must create 2 PINs, i.e., two numbers that the user must memorize and that will serve to validate the user and the transaction to be carried out. With the creation of this account in the state portal, the user can use the digital document on as many devices as they want.
Smart-ID security is based on traditional tools such as asymmetric encryption, digital signatures and a PKI. The user’s keys are stored on the device. Additionally, encrypting and decrypting messages requires the collaboration of several devices, so that compromising the security of any one of the parties involved in a transaction does not compromise the security of the entire system. This is complemented by mechanisms that protect PINs against brute-force attacks, such as time limits or a maximum number of retries.
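The following toy model is an added example, not Smart-ID's actual protocol or code. It shows how a signing key split between a device and a server, combined with a server-side retry limit, keeps a stolen device share from being enough to sign or to test PIN guesses offline. The additive RSA split, the PIN masking, the key size and `MAX_RETRIES` are all assumptions made for illustration.

```python
import hashlib
import secrets

# Toy RSA key (constructed: two Mersenne primes, far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)

def pin_mask(pin: str, salt: bytes) -> int:
    """Stretch the PIN into a number used to mask the device share."""
    raw = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)
    return int.from_bytes(raw, "big")

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

class Server:
    MAX_RETRIES = 3  # assumed policy value, not taken from the page

    def __init__(self, share: int):
        self.share, self.failures = share, 0

    def complete(self, msg: bytes, device_part: int) -> int:
        """Combine both partial signatures; count failures and lock the share."""
        if self.failures >= self.MAX_RETRIES:
            raise PermissionError("server share locked")
        h = digest(msg)
        sig = device_part * pow(h, self.share, N) % N
        if pow(sig, E, N) != h:
            self.failures += 1
            raise ValueError("wrong PIN or tampered device share")
        self.failures = 0
        return sig

class Device:
    def __init__(self, masked_share: int, salt: bytes):
        self.masked_share, self.salt = masked_share, salt

    def partial(self, msg: bytes, pin: str) -> int:
        # A wrong PIN still yields a number; only the server can tell it is wrong.
        exponent = self.masked_share + pin_mask(pin, self.salt)
        return pow(digest(msg), exponent, N)

def enrol(pin: str):
    """Split the private exponent d into a PIN-masked device share and a server share."""
    d = pow(E, -1, PHI)
    d1 = secrets.randbelow(PHI)
    salt = secrets.token_bytes(16)
    masked = (d1 - pin_mask(pin, salt)) % PHI
    return Device(masked, salt), Server((d - d1) % PHI)
```

Because the device stores only the masked share, an attacker holding the phone has no local check for a PIN guess; every guess must go through the server, which stops answering after `MAX_RETRIES` failures.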
Implementation considerations
According to the World Bank [ID42019], the digital document implementation strategy should consider the following characteristics:
- Ensuring access for all people.
- Security from the design stage.
- Control and monitoring policies.
The first aspect refers to the need to expand the coverage of the identification service, which is a major challenge in countries such as Colombia, where geographical and socio-economic conditions make this task difficult. In fact, in Colombia the Vulnerable Population Attention Unit (UDAPV) program was implemented with the objective of reducing the identification gap in regions that are difficult to access. In addition, ICT services must be made available to the entire population. This aspect must be evaluated both from the penetration of mobile telephony in Colombia (23% of the population with 4G access in 2017) and from the use of smartphones (51% of lines used these devices in 2017). Therefore, initiatives such as those carried out by MINTIC [MIN2020] are necessary for the success of these strategies. This is especially relevant if we consider that the keys necessary for the use of Smart-IDs need to be updated with a certain frequency (3-5 years), making connectivity a basic element for their operation and maintenance.
In the second aspect, it is necessary to ensure that the identity of the person is not violated, for which the Smart-ID technology took the measures mentioned above. However, this application does not work independently, but exists in an ecosystem where different actors have different needs and technological characteristics. Therefore, it is necessary to use open protocols and promote technological neutrality, to ensure that all types of actors can make use of this service, and thus promote innovation associated with the use of digital identity. This aspect is also very important because it has a direct impact on the economic viability of the initiative.
Finally, the third aspect refers to the regulatory apparatus necessary to guarantee the validity of the credentials, as well as the creation of rules and processes that ensure adequate follow-up by all the actors involved, in order to guarantee that if any vulnerability in the system is exploited, the corresponding responsibility can be established.
The Colombian Digital ID
The introduction of the digital ID in Colombia was done with the objective of becoming the access key to the citizen folder in the e-government model of the country. This folder is envisioned as a repository that Colombians will have to facilitate their interaction with the State, and where they can store, in an effective way, the most important documents that are usually necessary, such as: civil registration, driver’s license, medical history, among others.
Initially, the new digital ID will not be mandatory, and for the time being around 50000 citizens are using it. The document has a cost, and is normally delivered within 10 to 15 days.
Some of the benefits of the document, according to the Registraduria Nacional del Estado Civil, are:
- Increased security.
- Biometric identification and authentication.
- Remote identification in procedures, through the WEB.
- It avoids identity theft or usurpation.
- Guarantees the protection of personal data.
- Generates confidence in the procedures and services of public and private entities.
- Allows the verification of identity in a secure way by the authorities.
- Service that provides proof of data integrity and origin (non-repudiation).
- Meets the highest standards worldwide in terms of identification of persons.
- Colombia will be a pioneer in the world in the issuance of digital identification, among others.
Conclusions
The Estonian experience is very representative of the evolution of identity credentials. The Smart-ID application has been successfully used for more than three years in that country, which is a good indicator of its robustness and security level. This successful experience enhances the country’s digital strategy not only at the government level but also in the private sector. A successful implementation of the digital document in Colombia must consider regulatory, technological and infrastructure aspects to ensure that these developments impact the entire population, meet security standards and are sustainable.
Diego Pacheco-Páramo and Anasol Monguí
Translated by: Anasol Monguí
Bibliography
[SID2020] Smart-ID. «https://www.smart-id.com». Accessed February 2020.
[SIT2020] Smart-ID. «https://github.com/SK-EID/smart-id-documentation/wiki/Technical-overview». Accessed February 2020.
[ID42019] «Digital ID and the data protection challenge». Identification for development. October 2019.
[GSM2018] La Economía Móvil en América Latina y el Caribe 2018. GSM Association.
[MIN2020] MinTIC publica borrador del proyecto que llevará Internet a 10.000 zonas rurales del país. January 11, 2020. https://www.mintic.gov.co/portal/inicio/Sala-de-Prensa/MinTIC-en-losMedios/125620:MinTIC-publica-borrador-del-proyecto-que-llevara-Internet-a-10-000-zonas-rurales-del-pais
[RNEC2021] La Cédula Digital Colombiana. Accessed August 2021. https://www.registraduria.gov.co/?page=cedula-digital