Possibilities and challenges in the development and use of secure eID - Experiences from Sweden, Karin Axelsson, Linköping University
1. Possibilities and challenges in the
development and use of secure eID
– Experiences from Sweden
Karin Axelsson
Professor in Information Systems
Department of Management and Engineering
Linköping University
karin.axelsson@liu.se
2. e-ID – A small technical artefact?
In one sense, yes – but we should not underestimate its
contextual and organizational complexity
2
3. Agenda
• Background and introduction to e-ID development
and use
• The problem in focus
• Research approach and case introduction
• The Swedish program and a case study in health care
• Analyzing the management of the e-ID development
case
• From a life-cycle perspective and a CSF perspective
• Conclusions
• Further research
4. Background and introduction
• e-ID is a key enabler for the secure identification,
authentication and digital signing via the Internet
• A part of secure e-service design (European Commission,
2010; Halperin and Backhouse, 2008; Price, 2008; Rössler, 2008)
• As digitized citizens, we become reliant on e-ID
solutions that give us a certain level of utility and
trust when we interact with local and central
government (Collings, 2008) in an e-service context
• In digitizing Europe e-ID is regarded as an important
back-office enabler for launching e-services and
transforming government (European Commission, 2010)
5. The problem in focus
• Developing, implementing and managing public eservices and secure e-ID solutions are challenging
• Require coordination and management
• Include people, processes and technology
• Stresses the complexities and interwoven character
of the e-ID as an artefact in an e-service setting and
in an institutional arrangement
• Can be governed by an active role of the
government, and/or managed by market driven
solutions (cf. Grönlund, 2010; Kubicek, 2010)
6. The problem in focus
• Several e-government initiatives face a number of
challenges of complexity; calls for further studies (Irani
et al., 2007; Gil-García and Pardo, 2005; Rosacker and Olson, 2008)
• e-ID as a contemporary example
• An important issue for IS project management and
e-government, in practice and research
• To understand how we organize initiatives like this
and why some initiatives progress to success while
others end in failure (e.g. Heeks and Stanforth, 2007; Melin and
Axelsson, 2009)
7. 19800819-0123
WebCare_L
Purpose and research questions
• To analyse the management of e-ID development in
Sweden from:
• an e-government systems development life-cycle
perspective and
• a project challenge and CSF perspective
• What challenges and success factors are represented
in a national e-ID development initiative?
• How can we judge the success/failure of an e-ID
initiative using a life-cycle framework?
• What can we learn from the management of
development of e-ID in a public e-service context on
a program level?
• Illustrate the implementation process in health care
8. Research design
• A qualitative, longitudinal case study
• Two cases today: the national development and an
implementation case
• The study is part of a larger project focusing e-ID in a public
e-service setting (2011-2014), financed by the Swedish Civil
Contingencies Agency
• Future safe electronic identification
•
eID in government agencies
•
eID in schools
•
eID in health sector
• Interviews
• Document studies
• Forums for presentations and discussions
• Hearings, meetings with the Swedish e-ID Board,
practitioners’ networks events and documents, scientific
conferences
9. e-ID development in Sweden – Phase 1
• The emergence of the present national public e-ID
policy can be traced back to the end of the 1990s
• Future use of public e-services
• In 2000/2001 the Swedish Tax Agency got the
commission to investigate a national e-ID solution for
the public sector
• Frame agreements with the actors delivering secure
e-ID to the banking sector
• A market driven e-ID delivery model
• e-banking is well established, 80% of the e-ID use
• An installed base of solutions for identification
10. e-ID development in Sweden – Phase 2
• The e-Government Delegation was formed in 2009
• Strengthen national inter-organizational development
of e-government including e-ID
• A next generation of inter-organizational e-ID
solutions was needed
• The current procurement model was outdated, without
any option of renewal
• The investigation resulted in a report, dominated by
a technical oriented blueprint
• In January 2011 an authority named The Swedish
e-ID Board was created
• Centrally manage and develop sustainable e-ID
solutions
11. The national e-ID program initiative in a
European context
Kubicek and Noack, 2010a, p. 237
2013-10-24
12. Managing e-ID Development –
A Life-cycle Perspective
Project
Project
assessment
assessment
Implementation
Implementation
and beyond
and beyond
System
System
construction
construction
Analysis of
Analysis of
current reality
current reality
Design of the proDesign of the proposed system
posed system
(Heeks, 2006, p. 159)
13. Managing e-ID Development –
A Challenge and CSF Perspective
• Several sets of success factors in the e-government
area and in ISD in general (Sarantis et al., 2011)
• E.g. top management commitment, linkage to
business, technical alignment, knowledge and user
involvement (Pardo and Ho, 2004)
• Several challenges linked to
• (1) information and data, (2) IT, (3) organizational and
managerial, (4) legal and regulatory, and (5)
institutional and environmental (Gil-García and Pardo, 2005;
Melin and Axelsson, 2009)
14. Analysis – Managing e-ID Development –
A Life-cycle Perspective
Project stage (Heeks, 2006)
e-ID development case
Project assessment
Oriented towards pragmatic problem solving
An outdated procurement model; a need for a new e-ID solution;
stimulate competition
Opportunity seeking
Analysis of current reality
Extremely forced and temporarily staffed
The technology put in the foreground
Contextual analysis put in the background
Design of the new system
Conceptual design; no technical artefact designed
Model development; multiple contracted private e-ID providers and a
federated e-ID solution
Important design issues (digital signing) not solved
System construction
Conceptual infrastructure in focus
Time consuming building of trust
Implementation and beyond
Changes in the constitution, preparation of agreements,
technological development, frameworks for security and trust
A transition plan (the new solution in use during 2014)
15. Analysis – Managing e-ID Development –
A Challenge and CSF Perspective
Challenge/CSF
e-ID development case
Information and data
The federative solution in the suggested e-ID infrastructure demands data
interchange between different actors
IT
The technological conditions for the program are based on different existing eID artefacts on the market (installed base; widespread solutions from e.g.
Swedish banks). There is also a situation where the infrastructure and
application are conceptually designed in parallel – resulting in an untested,
conceptual, e-ID infrastructure.
Organizational and
managerial
The role of the e-Gov Delegation is perceived as unclear
The size and scope of the e-ID development program perceived as unclear, so
is the ownership of the program
A complex infrastructure with relationships between technology, law and
business model; harder to communicate with different stakeholder groups
A high risk program
Legal and regulatory
Changes in law and regulations are needed (procurement model etc.)
Institutional and
environmental
A step towards a more centralized and consistent e-ID infrastructure
Challenging the norms and power structures (decentralization)
16. Implementation and use of e-ID in health
care – an ongoing study
• Studies of an implementation project in a county
• Early use of e-ID (SITHS card)
CREATE VALUE
PERCEIVED BENEFITS
INCREASED USE
• Clearly driven by law requirements on patient
security (Patient Data Act, 2008)
• Step by step approach – the "easy" first – is not so
simple
• Related routines – development and use in parallel
• Dependence – strong professions – key persons
• Safety in everyday life – bet everything on
one card?
17. Conclusions 1(3)
• National level – eID development
• A high risk e-ID project and e-service program!
• The initiative is oriented towards pragmatic problem
solving and an explicit demand from public agencies
(secure e-ID solutions for e-services)
• The problem solving and implementation process is
forced in time and have limited available resources
• The program scope is unclear and the relation to the
existing and dominating e-ID solution (BankID) is unclear
and hard to coordinate from a governmental perspective
• A significant challenge in the designing of the
infrastructure for e-ID (conceptually and applying
it in parallel)
18. Conclusions 2(3)
• National level – eID in development
• Significant challenges related to organization and
management of the program
• Involved actors are heterogeneous and have different
sets of expectations
• The technological artefact is in foreground, and the user
setting (citizens and professional users) and the link to eservices provided is in the background
• The e-ID needs to be managed as an integral part of
e-service development because it is intertwined with the
use of e-services from a user perspective
• e-ID is more than a back-office enabler – it is an
integrated part of successful e-service management and
use
19. Conclusions 3(3)
• e-ID in health care – SITHS card in use
• The pattern on national level is visible here as well
•
True challenges are related to the organization of the
implementation – the roll-out is in focus
• Involved actors are heterogeneous and have different
expectations on the result – strong professions
• The technical artefact is in focus – not use issues and the
relation between e-services and internal IT
•
Complicated use in the work settings
•
Trying to create benefits for users…
•
Some security risks are reduced – but new ones appear
20. Further research
• There is a lot of work to be done to develop secure
e-services and e-ID that creates safe everyday life
• Contextual studies of e-ID are needed
•
Health sector
•
Local government
•
Public agencies, national and international
• Generate more knowledge on the issue of e.g.
national and organizational differences, governance
structures, IT and e-ID user maturity and diffusion
• The implementation gap between policy and practice
• Systematic evaluation and governance
• Further studies on theoretical implications