reliAble euRopean Identity EcoSystem

The widespread digitalisation of society and the increasing number of online processes and services will contribute to the establishment of the European digital market and the European prosperity but it will be inevitably source of new dangers and risks. Without adequate protection, personal data and in particular individual identities are vulnerable in a virtual world with European stakeholders interacting in globalized scenarios (Internet usage, social media, Internet of Things etc.). Identity-related crimes, fraud and theft are quickly growing and costs companies, countries and citizens billions of euros. The lack of global joint solutions and a coherent joint approach in Europe, in terms of legislation, cross-border cooperation and policy, contribute to reduce citizens’ confidence and trust.

ARIES aims to improve identity, trust and security, and better support the law enforcement by addressing the challenges posed by wrong identity, identity fraud and associated types of cyber and other forms of organized crime. The project activities address technical, legal and ethical requirements of a comprehensive framework for a reliable e-identity ecosystem that will help citizens to increase their security and privacy in the digital world and their trust in online transactions. ARIES will provide mechanisms to allow citizens to generate a digital identity linked to the physical one and promote the usage of mobile and smart devices for trustworthy online authentication.

These were the project specific objectives:

• Develop a trustable, reliable identity ecosystem for secure, ethical and privacy respecting virtual identity management processes, with the aim of reducing identity fraud and associated crimes.

• Strengthen the link between physical and digital identities by using high assurance elements, including biometric verification and tamper-proof certified checks with breeder documents.

• Validate the ARIES approach in two realistic citizen-oriented scenarios: eCommerce and at the airport.

• Address key legal, ethical and societal aspects of eID adoption and identity-related crimes to augment confidence in eID use.

These are the main results produced over the project life:

We have investigated actual existing processes of identity management in the physical and digital worlds and their life cycles, examining their weaknesses and identifying the improvements that are needed to reduce threats and we have designed an architecture, following privacy by design principles, open and extensible which enables the integration with different IDM services providers.

We have built a system that derives virtual identities from official identities issued by national authorities, such as ePassport and Spanish eNIC. The identity derivation process includes automatic document verification and document’s holder biometrics verification prior to issuance. These unique characteristics improve the level of trust perceived by end users and foster the adoption of eIDs by citizens.

ARIES identities are stored encrypted in users' mobiles. No information is permanently stored in ARIES components. Personal data are under users’ control. They can create different ID’s with different levels of security and privacy for different purposes. They decide on the information shared with services providers ensuring minimal disclosure.

ARIES architecture has been instantiated in two scenarios and evaluated by end users: eCommerce and airport demonstrators. Each of them pursuing different purposes.
In the eCommerce scenario the main goal was registration and authentication at an online eCommerce site. In the Ecommerce scenarios two biometrics were integrated: face biometrics and voice recognition. In the airport demonstrator ARIES identities were used in a high security demand environment, such as airplane boarding, combining physical and virtual identity management. In addition, a proof of concept of the use of privacy preserving technologies was carried out at the airport duty free shop, customers proved they were over 18 years old, and so entitled to buy alcohol beverages, without disclosing their current age.

Our research encompassed main socio-ethical considerations of the actual use and future adoption and acceptance of eIDs. Privacy and security perceived by end users evaluating our two demonstrators were greater than in the case of using other types of eIDs. The EU legal context applicable to ARIES system and future service providers using the ARIES system, mainly the eIDAS and GDPR Regulations have been analysed and legal implications identified.

ARIES assets have been clearly identified and ownership assigned to individual partners. Project partners are already very well positioned in the e-ID market, and the exploitation of individually owned components is not considered as a problem. Thanks to open source APIs and modular architecture each of partners is also able to reconstruct the whole ARIES platform, if needed. Nevertheless, the joint exploitation of ARIES results is considered through future agreements between ARIES partners. Consultants and integrators will be given a catalogue with description of ARIES components that enables them to “mix and match” to create custom designed offerings for the client

Various efforts have been made up to date to create, issue or manage multiple variants of electronic identities. Demand from citizens resulted in growth of usability and user-friendly features. It has been widely acknowledged that the societal acceptance of eIDs may be compromised by the inappropriate use, potential loss, misuse or impersonation of an individual or cluster of individuals whose data has been fraudulently acquired. Europe is a forerunner when it comes to the use of biometrics, notably fingerprint and facial image scans, for official documents on smart cards, and is also leading the research in privacy preserving identity schemes. Combining these two areas in a single project and a single ecosystem is a main added value of ARIES. Putting the first bricks for the bridge that will cross two worlds, one of high level of assurance of identity, and another one of citizen preferences regarding privacy is one of ARIES most relevant achievements and impacts.

We hold privacy in the highest regards, we have analysed the personal data treatment across the system components and carried out an ethical assessment of the project demonstrators. Enrolment and authentication were studied, and potential risks highlighted. We have issued recommendations on information security safeguards to control privacy risks and produce specific data protection impact reports for future system implementations.

ARIES has contributed to future developments of identity management standards. ISO SC 27/WG 5 “Identity management and privacy technologies” has opened a new study period to collect and document use cases with a scope of compiling and produce functional requirements for identity assurance. The project has presented, through KANTARA discussion group, two use cases.
The Estonian presidency of the EU invited ARIES to a thematic meeting on "Registry of identity" with representatives of EU Member States in the framework of the Action plan to strengthen the European response to travel document fraud. Project concepts and achievements were explained to the policy makers audience.