Around the world, digital identity projects are gaining momentum. From identity papers to driver’s licenses and electronic passports, physical documents are being digitized at lightning speed. These new forms of digital identity enable us to access essential public services, medical records, travel or business documents online, deal with new service providers and protect our identity in all aspects of our daily lives.
Over the past 15 years, several attempts have been made by the government to develop a digital identity ecosystem in France prior to FranceConnect. Unlike other European countries, none of the major French financial institutions or cell phone operators have chosen to invest in the development of a digital identity service.
France: lagging behind
France introduced an electronic identity card (CNIe) in March 2021. The deadline imposed by the European Commission to strengthen the security of EU citizens’ identity cards meant that biometric identity documents had to be in place by August 2, 2021.
EU countries have moved into the world of digital identity (biometrics: facial and digital recognition), either via a physical card (usually an ID card), or via a digital service, usually on a smartphone (23 countries have launched a digital identity): Estonia (98% of the population covered by a digital ID card), Belgium (100% of the population), Finland (87% penetration rate), Portugal, the Netherlands, etc. In all other EU countries, biometrics have been introduced. In all other countries, secure digital identity has been co-produced by the government and major banking and telecoms groups.
Everything pointed to France becoming an early leader in this field: the hexagon is a leading technological power, evolving in a Union that has the most comprehensive legal framework for personal data protection in the world (RGPD) and boasts world-class specialist companies in secure credentials (Thalès Gemalto, Idemia and Atos).
A legal battle in France
In 1973, the “SAFARI” project (Système automatisé pour les fichiers administratifs et le répertoire des individus – Automated system for administrative files and individual registers), the computerization of the directory of numbers held by INSEE (The French National Institute for Statistics and Economic Studies), caused a scandal. The project was criticized for seeking to “file” the entire French population on behalf of the public authorities. In response, the French Data Protection Act of January 6, 1978 was passed, creating the CNIL (Commission Nationale Informatique et Liberté) with extensive investigative powers to ensure respect for the protection of personal data and therefore privacy.
From the 2000s onwards, given the scale of identity fraud, “no fewer than five projects to modernize the identity card were launched”. Among them, two stand out:
- INES program in 2005 (Secure Electronic National Identity)
- Idénum project in 2010.
INES program (2005)
Following the launch of the INES program by the French Ministry of the Interior between 1999 and 2005, the new electronic identity card was to be introduced in 2006 as the second component of the biometric passport imposed in the wake of the September 11, 2001 attacks. Its aim was to “better guarantee identity against the risks of usurpation and misappropriation, to combat terrorism, to authorize authentication of the bearer for the use of teleservices in relations with administrations or others, and electronic signature for commercial and consumer services on the Internet”, as well as to simplify requests for electronic identity documents and their renewal… In the face of ideological opposition, but also the risk of technical censure by the CNIL – due to the centralization of nominative data deemed too important – the reform was abandoned.
Idénum project (2010)
The subject was revived in 2010, with the aim of introducing two electronic chips in the national identity card: one called the “regalian” chip, readable only by authorized government agents, and the other called the “everyday life” chip, which included more common services. But the law was censured on this last point by the Constitutional Council. This offered the possibility of integrating electronic signature functions into the national identity card as part of a wider range of e-services. In addition, the creation of a centralized identity database and access to this database by internal security forces (police/gendarmerie) caused problems. This file will only be created in 2016, authorizing the processing of personal data relating to passports and national identity cards.
Merger of IdeNum and FranceConnect projects (2018)
To get around this difficulty, the IdeNum pilot project developed in partnership with Caisse des Dépôts, SFR, La Poste, Crédit Mutuel-CIC and PagesJaunes launched in parallel with the 2010 Identity Protection Act to create a single digital identification portal. This project was relaunched in 2013, but abandoned again in 2015 to “merge” with the current FranceConnect project under development, piloted at the time by SGMAP[1] (Secrétariat Général pour la Modernisation de l’Action Publique). This was a recentralization operation, with private partners excluded from the scheme, which became carried exclusively by the State. In September 2018, FranceConnect “claimed 6 million registered users and 350 partner service providers.”
The development of FranceConnect is therefore evolving separately from that of the CNIe (electronic national identity card). This is in contrast to foreign examples, where the development of the two has gone hand in hand, even enabling the CNIe itself to play this role (Estonia, Portugal). The development of the CNIe will re-emerge in France with the adoption of the European regulation on June 20, 2019, which will stabilize the legal situation. There are no more loopholes, since biometric security will become a mandatory European standard from August 2, 2021.
FranceConnect is misrepresented as a digital identity, but in reality it is a “simple aggregator of standardized identifiers”, and its deployment has undoubtedly further delayed the arrival in France of a truly unique digital identity. With the expulsion of the other stakeholders between IdeNum and FranceConnect, La Poste is the only company to offer “a genuine digital identity with the France Cybersécurité label.” Which goes to show that the lack of development with major commercial partners, such as Estonia or Portugal, has slowed down the process rather than accelerated it.
Difficulties inherent to France
It would appear that digital identity deployment is proceeding in a scattered, siloed fashion, due in part to the obstacles posed by the CNIL (the French Data Protection Authority), which is leading to a multiplication of projects and costs: the dematerialization of the carte vitale (health insurance card), with the possibility of later deployment of biometrics, and work on the national health identification number.
But many others remain outside the system: a new driver’s license card, valid for 15 years as of September 16, 2013, while electoral cards are still issued without biometrics and without cross-checking with holders’ actual contact details.
Finally, interfaces with local administrations are still a work in progress. Clearly, they are not yet included in the program set up as part of the Digital Transformation of Territories (TNT), where they are not explicitly mentioned.
Some European examples
Estonia
Estonia chose to roll out its ID-Kaart (national identity card and resident card) in 2002. This unique regal identity is issued from birth. The ID-Kaart is compulsory for all Estonian citizens over the age of 15. It is used by 98% of the population, whether it’s the card itself or its smartphone application equivalent (mobil-ID and smart-ID) developed in 2007. The card contains a secure chip with two embedded certificates (one for online authentication, the other for electronic signature). It can be used to carry out all administrative procedures, except for marriage and divorce certificates, which are now paperless.
In Estonia, use of the ID-Kaart is declining, while its dematerialized version, the Smart-ID, is gaining ground. E-identity makes it possible to dematerialize new services such as online voting, parking, online banking, public transport, social security and health services (e-health: online medical prescriptions), retailer loyalty programs, etc.
Data is exchanged via a system of interconnected databases. This is a decentralized, secure, state-administered infrastructure, based on an open source solution. With important consequences in terms of public safety, “the Estonian policeman who checks a motorist can verify the digital identity of the person being checked, whether he has a valid driving license, whether he is properly insured, etc.”
Finally, a “grand register” (“citizen portal”) informs each citizen of any consultation of his or her personal data by a third party. This system is an additional guarantee of trust (which makes it possible to check for any risks of digital identity theft).
Belgium
In 2002, Belgium opted to base “its digital identity solution on a physical regalian support”, which resulted in the delivery of a compulsory electronic identity card to every citizen. Deployment took 5 years, enabling it to cover 100% of the population, via a chip incorporating, as in Estonia, two certificates (online authentication and electronic signature of the owner).
Since 2017, the Belgian eID card has included the equivalent of the French “carte vitale”. From now on, the only “vitale” card in circulation is the ISI+ card for insured persons who do not have a Belgian eID (non-residents, foreigners, etc.). For the time being, only Belgians living abroad can use the eID card to vote remotely, although the card has theoretically been able to do so since 2005. The eID is used to vote in experimental “citizens’ ballot” projects.
Electronic data exchange is handled by the Itsme system (for Belgian mobile identity), run by a private consortium of 4 banks and 3 mobile telecom network operators. It is organized under the authority of the FAS (Belgian Government’s Federal Authentication Service). The project is being launched after the widespread introduction of the Belgian electronic identity card in 2017.
Portugal
As part of its drive to reform the State and simplify administrative procedures, Portugal introduced its first eCNI, called Cartão de Cidadão (Citizenship Card) in 2007, via an experiment in the Azores region. The system was extended in 2008. Until then, different cards had been used in Portugal to access different public administrations. The Portuguese citizenship card now merges the identity card, taxation card, voter’s card, social security card and health card (which were previously separate in Portugal). Since 2019, resident foreigners and Portuguese living abroad have been able to apply for a citizenship card.
In addition, the Portuguese identity card has had an online counterpart via a dedicated application since 2014. The card generates a digital signature enabling secure online administrative declarations via a single dedicated government portal: the Chavel Movel Digital. This system complies with the Portuguese Constitution, which prohibits the creation of a single centralized database containing all citizens’ personal administrative data. From now on, via the Chavel Movel Digital, it will be possible to access civil status certificates, birth certificates, social security declarations and more.
Since 2020, this has been joined by a biometric recognition system using the cell phone to replace the second identification factors. These include ID card number, cell phone number, passport number and/or residence permit number for foreigners. While the citizen (ID) card is compulsory, the Chavel Movel Digital remains optional. Since 2019, citizens can also upload their driver’s license and other documents to a digital identity wallet application available on their cell phone.
What should France do? Dematerialize all systems?
It’s easy to understand, when you look at foreign examples and their best practices, the gap that exists in France.
The migration of the electoral card and eCNI should be a priority, as should that of the carte vitale, or even the driving license (which seems to be experiencing a few problems of late). In addition, interfacing with payment systems could, with the help of the French Banking Federation, the Insurance Federation and even mutual insurance groups, enable us to go one step further, allowing online payment, reimbursement of benefits, and simpler links between social security and complementary health insurance.
In addition, the periodicity of document renewal is important, and should remain short (5 years) rather than 10 as is currently the case for the CNI. Once again, this should help combat fraud (particularly social security and medical fraud) and identity theft. Making it compulsory to hold an electronic identity card could help limit the circulation of identity documents and contribute to this objective, as could the creation of a truly unique digital identity in France.
To get a clearer idea of how far France has fallen behind in the field of digital identity, we can compare the developments described above with the best practices deployed by our European neighbors. This analysis can focus on two essential components of the digital identity creation system: the CNIe itself and its interfacing as a central identification component; and the system for interfacing and dematerializing the digital identity (which in France is still in the making with France Connect).
[1] The SGMAP (Secrétariat Général pour la Modernisation de l’action Publique) was replaced in 2017 by the Direction interministérielle de la transformation publique (DITP) and the Direction interministérielle du numérique et du système d’information et de communication de l’Etat (DINSIC).