When the Internet was in its infancy, few people could imagine how vast the number of World Wide Web users would someday become. At the beginning of this year, more than 541 million computers were connected to the Internet, and the estimated number of Web users was 1.3 billion. The Internet has become an integral part of everyday life. In Estonia, 70% of people aged 16 to 74 use the Net, according to the latest surveys. We conduct much of our daily business online these days: we read newspapers, write letters, pay taxes, buy things, fill out income tax returns, and communicate with the state. The success of the Internet has also attracted crime: incidents of online identity theft have become more frequent in recent years. As increasing amounts of money circulate on the Net, attempts to steal user bank codes have become more commonplace. As times and criminal practices change, we have to think about additional secure means of personal identification. The Mobile ID service is one such possibility, and it also provides users with the functionality of the digital signature.
WHAT IS MOBILE ID?
Mobile ID is a companion to the ID card, which is already well known in Estonia. It is a SIM card for mobile telephones which contains the owner's electronic identity, as well as all of the usual SIM card functions. Providers of online services can effectively identify users, while users can sign documents, conduct bank transfers, etc. Mobile ID is based on the Public Key Infrastructure (PKI), and it is sometimes known as WPKI (Wireless PKI). Mobile ID offers many advantages in comparison to the ID card. There is no more need for card readers, as long as the user has a mobile phone. No additional software is needed on the computer, because Mobile ID will work on any computer that is connected to the Internet. Mobile ID is universal: it can be used for all Web services which support Mobile ID. There is no more need to memorise lots of different passwords.
USING MOBILE ID
To use Mobile ID, users must replace their old SIM cards with new ones that contain their electronic identity. Mobile ID is then an electronic ID, which means that the procedure of issuing it must be very secure. These procedures will differ somewhat from country to country, but personal identification is always subject to strict technological and organisational requirements. In the case of Estonia, there are two steps in getting Mobile ID: applying for it and then activating it. Only holders of ID cards can use Mobile ID in Estonia at this time. After a visit to their mobile phone operator, users activate their Mobile ID over the Internet and with the help of the ID card. Opportunities to provide Mobile ID to people who cannot use their ID cards electronically are being considered in co-operation with the state. In Lithuania, for instance, Mobile ID is activated by a card payment that is made by the applicant. Mobile ID SIM cards at this time are provided by EMT in Estonia and Omnitel in Lithuania, while other mobile phone operators have their Mobile ID solutions in the pipeline. Mobile ID is free of charge during this testing phase, but eventually it will become a fee-based service. Most operators plan to charge a monthly fee for unlimited ID and digital signature transactions.
Here is how the process of authentication occurs with Mobile ID. Let's use the example of the DigiDoc portal (http://digidoc.sk.ee), which is an environment for file sharing and digital signature functions. Using an ordinary Web browser, the user goes to the DigiDoc portal and selects Mobile ID authentication. After entering a personal identification code, the user clicks on "Enter with Mobile ID". The Mobile ID authentication page is displayed with a unique verification code. A few seconds later, a message appears on the user's mobile telephone, requesting confirmation. Users ascertain that the verification code on the computer screen matches the one on the phone, and then confirm the entry in the DigiDoc portal. Next the phone asks the user for a Mobile ID identification PIN. In mere seconds, the user can access documents that are stored on the portal. This process can be shown in graphic terms from the point of view of users (Figure 1).
The DigiDoc portal can be accessed by Mobile ID users in Estonia and Lithuania. As is the case with the DigiDoc portal, Mobile ID can be used to access other Web-based services. The personal ID process may involve the user's personal identification code, phone number or user name (in the latter case the service provider must be able to match the user name with the user's personal identification code). An animated presentation about using Mobile ID can be found at http://www.id.ee/public/Mobiil_ID_animation.
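The authentication exchange described above, modelled end to end as an added example; it is not code from the DigiDoc portal or from the trust service provider. It shows why the user compares verification codes and why the service accepts a response only for the session that issued the challenge. Assumptions: the 4-digit code derivation, the names Session and sim_sign, and the textbook RSA key standing in for the key on the SIM are all illustrative and are not Mobile ID's actual algorithms.

```python
import hashlib
import secrets

# Assumption: toy textbook-RSA key standing in for the key pair on the SIM.
# Two Mersenne primes keep the example stdlib-only; far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the SIM


def digest_int(challenge: bytes) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


def verification_code(challenge: bytes) -> str:
    """Assumed derivation: 4 digits taken from the hash of the challenge."""
    h = hashlib.sha256(challenge).digest()
    return f"{int.from_bytes(h[:4], 'big') % 10000:04d}"


def sim_sign(challenge: bytes, code_on_screen: str, pin_ok: bool):
    """Phone side: sign only if the codes match and the PIN was entered."""
    if not pin_ok or verification_code(challenge) != code_on_screen:
        return None  # user declines: this request did not come from their login
    return pow(digest_int(challenge), D, N)


class Session:
    """Service side: one fresh challenge per login attempt, usable once."""

    def __init__(self, personal_code: str):
        self.personal_code = personal_code
        self.challenge = secrets.token_bytes(20)
        self.code = verification_code(self.challenge)  # shown in the browser
        self.used = False

    def complete(self, signature) -> bool:
        if self.used:
            return False  # a session cannot be completed twice
        self.used = True
        return signature is not None and pow(signature, E, N) == digest_int(self.challenge)


if __name__ == "__main__":
    s = Session("00000000000")  # constructed personal identification code
    sig = sim_sign(s.challenge, s.code, pin_ok=True)
    print("code:", s.code, "login ok:", s.complete(sig))
```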
PLACES TO USE MOBILE ID
All of Estonia's major providers of electronic services support Mobile ID identification: banks, the state's portal of E-services, the Tax and Customs Board, etc. In Lithuania, Mobile ID can be used in the online banking environment of Hansabankas and of SODRA (the State Social Insurance Fund Board). Mobile ID also allows people to access DigiDoc client software, as well as the DigiDoc portal for the issuing of digital signatures which are legally equivalent to handwritten ones.
MOBILE ID AND VOTING
Perhaps the ultimate online service of which one can think is voting on the Internet as a manifestation of democracy. E-voting was first used in Estonia in local government elections in 2005, and then again in a parliamentary election in 2007. Estonia broke new ground in this area, showing that E-voting is possible and thoroughly secure when citizens are identified by personal keys that are stored on their ID cards and by the relevant certificates, and when votes are confirmed with a digital signature. Because Mobile ID is based on the same technologies as the Estonian ID card, and because the issuance of Mobile ID SIM cards is fully in line with the Estonian Digital Signatures Act and the EU Directive 1999/93/EC on the Community framework for E-signatures, one may well ask whether the next time that Estonians go to the polls, they will be able to do so by means of Mobile ID. The first deputy speaker of Parliament, Kristiina Ojuland, says that that solution might increase voter turnout, thus ensuring the more effective actualisation of the will of the people. A security study has been initiated to compare the technical and organisational security measures of Mobile ID and the ID card. The Election Act states that E-voting is carried out by means of the ID card, and the law would have to be amended to make it possible also to use Mobile ID.
MOBILE ID AND ONLINE SERVICES
It is relatively simple to make an online service compatible with the authentication and digital signature functionality of Mobile ID. This can be done via the SOAP protocol, which is supported by all modern development tools. The creation of a strong authentication solution is usually a fairly complicated and costly process for an online service provider (one might choose, for instance, to distribute PIN calculators or smart cards to users), but Mobile ID only requires a comparatively small-scale system upgrade. As is the case with personal identification, the functionality of the digital signature is also relatively easy to integrate into a system. The use of Mobile ID in an electronic service or online system will require a contract with a trust service provider. In Estonia and Lithuania, that could be AS Sertifitseerimiskeskus (www.sk.ee).
THE FUNCTIONING MODEL OF MOBILE ID
The Mobile ID service is offered by a central trust service provider whose task it is to connect the various parties to the process: the online services which are compatible with Mobile ID, the issuers of certificates, the users, and the mobile telephone operators. This model offers several advantages. First, the providers of E-services don't need to enter agreements with mobile communications operators. E-services can be used by all of the clients of those mobile operators who have a valid agreement with the trust service provider. Irrespective of the technology that is used by the mobile operator, the trust service provider can ensure a common interface for all online services. The interface between electronic services and the trust service should be easily adoptable and compatible with as many electronic services as possible. The compatibility of parties amongst each other and with commonly accepted standards is essential, and that is why the Baltic WPKI Forum has been established to harmonise Mobile ID solutions in the Baltic States.
THE BALTIC WPKI FORUM
The Baltic WPKI Forum brings together 11 companies from Estonia, Latvia and Lithuania, including banks as the major providers of electronic services, mobile communications operators, trust service providers, and providers of certification services. The forum is always open to new members. The Baltic WPKI Forum discusses the business model of Mobile ID, the security of its developmental process, and other issues relating to the field. The technical workgroup of the Baltic WPKI Forum has already prepared a profile description of the Mobile ID SIM card, and it is about to complete work on a standard that will describe the common digital signature file format (bdoc) which is to be adopted by all of the Baltic countries. More information about the Baltic WPKI Forum can be found at http://www.wpki.eu.
CONCLUSION
The Internet today is a place not only to distribute information, but also one in which financial and other transactions are conducted. Bank transfers are made, products and services are bought, and elections are held. It is extremely important to ensure secure personal identification on the Internet, and that is exactly what Mobile ID does.
Author's contacts: +372 610 1894, urmo.keskel(at)sk.ee