The European Network and Information Security Agency (ENISA) today launched its Position Paper on security features in European eID schemes. The paper gives the first overview of the vast disparity between privacy features in eID cards across Europe.

eID cards are currently used mainly for tax declarations and other e-government services, but applications are branching out into the commercial sector. At the same time, Europe lacks a coordinated strategy for how to protect the private data stored by the card, which is both an obstacle to eID interoperability and limits its acceptance by the users. This analysis sets the stage for a privacy baseline in European eID cards.

Today, ten national eID card schemes are already in use across the EU and thirteen more are in the pipeline. Presently, eID cards are used primarily by e-government services, eg, for taxation, but there are also commercial applications of eID cards.

Many more eservices are planned in the near future, using the data on the card for anything from secure chat to library access and piggybacking on the infrastructure investments which have been made. In all these applications, the eID card is a gateway to personal information, be it at national or European level. At the same time, it is key to address privacy concerns related to eID: unwanted disclosure of data and subsequent misuse.

The ENISA paper points out that privacy features have been developed, implemented and tested at a national level only. There is no co-ordinated strategy at European level addressing which [and how] features should be implemented and this is an important obstacle for cross border eID interoperability. This is a major hurdle for the acceptance of eID cards and their usage in day-to-day applications. ENISA’s paper provides the first comprehensive overview of the state of play in Europe - an essential step towards improving the base-line of citizen privacy and protection in eID cards across Europe.

The paper charts how available privacy-enhancing technologies are implemented in existing and planned European eID card specifications. The paper analyses in detail eleven risks to personal privacy resulting from the use of national electronic identity card schemes. It also lists eight practicable techniques available to address and mitigate these risks. Furthermore, through eight comparison charts, the paper maps out the situation of available privacy features in existing cards. With numerous references to national specifications, it is a good starting point for identifying best practices and a source of reference for future choices to be made by European policy makers.

The entire paper is available for download here.