Government // Cybersecurity
Commentary
5/29/2014
09:55 AM
Wyatt Kash
Wyatt Kash
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
100%
0%

UAE National ID Program: Model Worth Watching

United Arab Emirates officials are laying the foundation for a national identity verification system that could change how people are ID'd for everything from passports to employment documents.

offices, with WiFi, refreshments, and childcare help. It also figured out how to get the application process, including capturing photos and biometrics, down to five minutes and conduct the background checks afterward.

By last year, all of the UAE's 9.4 million residents -- more than 85% of whom are expatriates working in the UAE's fast-growing service economy -- are now enrolled in the national ID card system.

The centerpiece of the EIDA program is an eighth-generation encrypted smartcard, with 144 KB of memory and near-field communications capability. The card has nine security features, including a PKI-enabled digital certificate and three-factor authentication, making the card more secure and falsification more difficult than most chip-based credit cards, according to Al-Khouri.

All United Arab Emirates residents must use an encrypted 144-KB smart card to conduct government transactions. (Image: EIDA)
All United Arab Emirates residents must use an encrypted 144-KB smart card to conduct government transactions.
(Image: EIDA)

But it's the vision of the UAE and Al-Khouri for how the cards will be used that bears watching.

"Today, it is mandated the cards be used everywhere in the government," he told a group of data experts in a private briefing following the Open Government Data Forum. But in the long run, "we're trying to inject it in the private sector," by serving as an online identity validation gateway for the UAE, said Al-Khouri.

Just as millions of credit card transactions get routed daily to a centralized authority to validate each credit card, the EIDA wants to play a comparable role, creating a UAE eTrust Center "where we verify the identity of the person doing the transaction," he said.

That raises enormous privacy protection questions. But EIDA officials insist their goal is to provide a higher level of trust in electronic transactions to help drive the UAE's economy.

"Our job is to verify the identity (of an individual), not collect the transaction itself," says an EIDA spokesman. "We do track where the transactions are occurring." The EIDA expects to aggregate data to make economic and investment decisions. But EIDA has taken a number of steps to protect and validate personal identification data independent of transactions.

The EIDA, for instance, uses a "zero-knowledge proofing" system, which separates biometric and digital certificates from personal information about the identity of a person. Requests for identity verifications must go through a secure service client provided by EIDA. While the Gulf nations lag behind Europe in data protection and privacy laws, the UAE has adopted the legal approach that privacy is a constitutional right. It has enacted several data-protection laws, according to Julia Glidden, a senior research fellow at the Vrije Universiteit Brussel, Institute for European Studies, who follows open-government trends.

Al-Khouri and EIDA officials point to a variety of benefits the national identity management program has already demonstrated. Courts in Dubai have shortened data-entry times from 10 minutes to five seconds. Banks have cut the time it takes to open a bank account by about 15% using the ID card. Law enforcement agencies have been able to solve thousands of cases in a fraction of the usual time by matching biometric information obtained at crime scenes with data on the EIDA's national registry.

The UAE, reportedly, was the first country in the world to use a single ID card in a national election. EIDA officials estimate government agencies have saved "hundreds of millions of man-hours" processing records because of improved speed and the reliability of digital identities.

However, the EIDA still faces a number of hurdles and an urgent set of deadlines. Although the core identity management infrastructure, including the deployment of roughly a million card readers, is in place, the EIDA still must complete a significant amount of work over the next two years to integrate fully the government's systems and services. The EIDA also is wrestling with how

 

Wyatt Kash is a former Editor of InformationWeek Government, and currently VP for Content Strategy at ScoopMedia. He has covered government IT and technology trends since 2004, as Editor-in-Chief of Government Computer News and Defense Systems (owned by The Washington Post ... View Full Bio
Previous
2 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
asksqn
50%
50%
asksqn,
User Rank: Ninja
6/6/2014 | 6:18:00 PM
Just what the US needs
Oh good, the US is considering yet **another** national ID card (in addtn to soc. sec.) to further put its citizens lives and data in peril.  I was afraid that data security was actually being taken seriously.   
batye
50%
50%
batye,
User Rank: Ninja
6/2/2014 | 2:22:56 AM
interesting info
interesting info, as problem of the  Nation ID facing by many gov. uncliding Canada... but at least UEA trying and they have money to spend... and after other countries could follow... proven solution...
RamgopalNC
0%
100%
RamgopalNC,
User Rank: Apprentice
5/30/2014 | 11:53:03 PM
Re: Alternative solutions for EID
Smart Phones, Tablets etc are all devices and cannot be directly used to serve the purpose of primary identity instruments.

A National ID Program is meant to provide certified credentials for an individual to be able to assert his/ her identity on demand. The key here is that such credentials are provided by the Government and thus serve as highly trusted identification tools, especially when the authenticity is verifiable online. The UAE National ID Program is also one such program which identifies a person with biometric and biographic details provided during the national enrollment. The credentials then are packaged as a pair of Digital Certificates, biometric data along with biographic data into a Secure Smart Chip.

This serves as the primary Digital ID for an individual and can then be used to acquire multiple derived identities in the form of lets say SIM Cards, credentials for use on tablets, browsers etc. This linkage to the primary digital ID (National ID Card) exponentially increases the security in the identification systems used for Smart Phones.

The Fast ID Online (FIDO) initiative is also based on the same concepts used in the UAE National ID Card in terms of the multi factor authentication. Ultimately, it is standardization and interoperability that serve as the key for Diigtal Identity and Authentication in the scheme of a multitude of personal identification schemes. It is here that Government backed and provided Identification programs are expected to make a difference.

We would be happy to provide any further details.
ArshadNoor
0%
100%
ArshadNoor,
User Rank: Apprentice
5/29/2014 | 2:07:39 PM
Alternative solutions for EID
While smartcards are very useful in many contexts, for the average consumer - and potentially, EID - this technology is likely to be eclipsed by two technological shifts:

1) Smartphones/Tablets; and
2) FIDO Authenticators (www.fidoalliance.org). 

What makes the FIDO technology interesting is that it encompasses all functions of the smartcard for strong-authentication, does not require a smartcard reader, works with desktops, laptops, smartphones, tablets, etc., AND preserves privacy for consumers when authenticating to any FIDO enabled site.

Since the UAE government has already sunk money into smartcards, I would encourage its use as a basis for registering end-user FIDO credentials for sites and use the FIDO credentials for strong-authentication  The smartcards can eventually be replaced in their life-cycle with just photo-IDs to save money.

Arshad Noor
StrongAuth, Inc.

 
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.