(eID) and electronic signature (eSig) for eGovernment

0 downloads 0 Views 503KB Size Report
Mar 17, 2016 - However, it is important to note that the electronic signature cannot ...... E-Government law and further amendment of laws. 2011 he worked out ...
Transforming Government: People, Process and Policy Electronic identity (eID) and electronic signature (eSig) for eGovernment services – a comparative legal study Peter Parycek Gabriel M Lentner

Article information: To cite this document: Peter Parycek Gabriel M Lentner , (2016),"Electronic identity (eID) and electronic signature (eSig) for eGovernment services – a comparative legal study", Transforming Government: People, Process and Policy, Vol. 10 Iss 1 pp. Permanent link to this document: http://dx.doi.org/10.1108/TG-11-2013-0047

Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

Downloaded on: 17 March 2016, At: 06:39 (PT) References: this document contains references to 0 other documents. To copy this document: [email protected] The fulltext of this document has been downloaded 25 times since 2016*

Users who downloaded this article also downloaded: Zahir Irani, Muhammad Kamal, Ulf Melin, Karin Axelsson, Elin Wihlborg, Marijn Janssen, (2016),"Transforming Government: People, Process, and Policy - Editorial", Transforming Government: People, Process and Policy, Vol. 10 Iss 1 pp. Ulf Melin, Karin Axelsson, Fredrik Söderström, (2016),"Managing the development of e-ID in a public e-service context – challenges and path dependencies from a life-cycle perspective", Transforming Government: People, Process and Policy, Vol. 10 Iss 1 pp. Karin Hedström, Fredrik Karlsson, Fredrik Söderström, (2016),"Challenges of introducing a professional eID card within health care", Transforming Government: People, Process and Policy, Vol. 10 Iss 1 pp. -

Access to this document was granted through an Emerald subscription provided by emerald-srm:357042 []

For Authors If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service information about how to choose which publication to write for and submission guidelines are available for all. Please visit www.emeraldinsight.com/authors for more information.

About Emerald www.emeraldinsight.com Emerald is a global publisher linking research and practice to the benefit of society. The company manages a portfolio of more than 290 journals and over 2,350 books and book series volumes, as well as providing an extensive range of online products and additional customer resources and services. Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the Committee on Publication Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive preservation. *Related content and download information correct at time of download.

Electronic identity (eID) and electronic signature (eSig) for eGovernment services – a comparative legal study

1. Introduction

Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

1.1 Legal Interoperability for eGovernment Services Identity management is one of the cornerstones of eGovernment applications, especially regarding legally relevant communication between government (including authorities and agencies) and citizens (Parycek, 2006). Identification plays a vital role and is still a challenge in the virtual world, which by design, lacks a well-designed identity infrastructure (Andrade, 2012). The issue of electronic identities (eIDs) is therefore an essential element of a comprehensive eGovernment solution. It ensures communication with the competent authorities for the eGovernment service in question proceeding without a change of medium. Otherwise, physical proof of identity would have to be performed in person during an electronic procedure (Albrecht and Schmid, 2013). Identification in the electronic communication with authorities is clearly a core responsibility of public administration. In fact, from the viewpoint of the state, the ‘‘official’’ identity of a citizen is created by authorities issuing certified documents of identification (Hornung and Roßnagel, 2010). Imagining the ‘‘analog’’ process of public administration services, further illustrates that eGovernment solutions must deal with a totally different environment in the digital world in comparison to its ‘‘analog’’ counterpart. For present purposes, a simple legal definition of eGovernment is adopted which refers to all electronic communication with and between government authorities (Feik and Randl, 2012). Following the European Union’s definition, eGovernment is about using tools and systems to provide better public services to citizens and businesses. Furthermore the European interoperability framework for public services differentiates four different levels of interoperability: technical, semantic, organizational and legal interoperability (European Commission, 2010). These four levels are crucial for the success of eGovernment projects. Present scholarship deals mostly with the technical, semantic and organizational level, but very few papers focus on the legal aspects. This disregards the fact that legal incompatibilities 1

between legislation in different Member States hinder cross border eGovernment services. Especially in the field of eID the legal aspect is essential for regional, national and cross boarder services. The present paper therefore elaborates on and compares different approaches towards eID and eGovernment taken by Austria and Liechtenstein, Germany and the Swiss Canton Zug. Such an analysis will also help shed light on the regulatory framework provided for by the European Union. Before elaborating on the various national approaches towards electronic identity Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

management systems (eIDMS), this paper gives an overview of the general issues encountered when dealing with eGovernment processes pertaining to identification and authentication as well as the legal framework provided for by European Union law. Here an important distinction is made in order to understand the differences and possible solutions faced by eGovernment systems regarding eIDMS. The paper will then proceed to introduce the methodology adopted in this study after which its findings will be presented and discussed. For the purposes of this paper, one must distinguish electronic administrative procedures between Government to Citizen (G2C) (decisions, orders, notifications etc.) and Citizen to Government (C2G) (e.g. submissions, motions, requests of documentation). This study shall deal only with the latter. Furthermore, it should be noted that this paper will not deal with private sector use of eID or eSignature.

1.2 Identification and Authentication In order to dissect the various eGovernment solutions regarding eIDMS, it is important to distinguish the two functions eID and eSig are performing. This is important to note since the two main functions are sometimes not clearly separated which can make an analysis difficult and potentially cause one to overlook alternative solutions to a traditional model. The following terminology is proposed to coherently and clearly illustrate the different functions of the process of identification and authentication and is based on the respective legal definitions contained in the eGovernment Acts of Austria1 and Liechtenstein2: Identification means the process necessary to perform unique verification or determination of identity.3 Authentication means the genuineness of a declaration of intent or an act.4 More precisely, § 2 Z 5 Austrian eGov Act further defines authenticity to mean "the genuine nature of a declaration of intent or act in the sense that the purported author of that statement or act is in fact the actual author." 2

This distinction is important since only the eSignature, whose function is primarily authentication, is presently regulated within the EU through the eSig Directive and – as will be shown in the model proposed in the Swiss Canton of Zug – the declaration of intent does not necessarily require an eSignature to operate in eGovernment services. In any event, it is important to link these authentication procedures to natural persons; here diversely reliable methods are used. This makes different eGovernment solutions, particularly one without an

Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

eSignature requirement for simple Citizen to Government processes possible.

1.3 Electronic Identity (eID) The unique identity of a person5 in the traditional ‘‘analog’’ process manifests itself through possession of certain certified documents (in most states birth certificates, identity cards, passports, etc.) linked to the actual physical appearance of that person as a further means to verify the person’s “correct” identity. Digitally, in the field of eID, no such mechanism is feasible. Evidently, “traditional” identification through IDs and physical appearance, cannot be performed in the virtual world of the internet. Thus, there is a pressing need for the functional equivalent of public ID for the virtual world. Most eID systems create the unique identity of a person through the linkage to one or more unique numbers (unique identifiers, UI). Nearly all present eID concepts of EU member states involve generating a unique identification number or resorting to existing public registers with unique numbers (Strauß, 2011). Most European eIDMS utilize unique identifiers derived from national registers (e.g., public registration). A unique identifier generally means “an attribute or a set of attributes of an entity which uniquely identifies the entity within a certain context”. Primary digital identifiers directly connected to a person include e.g., name, address, mobile phone number, password, or electronic signature (Graux et. al., 2009). These identifiers are stored in an encrypted form or - as is the case in Belgium - directly stored on the eID device (Strauß, 2011). This way, a person can definitely be identified through the citizen or customer number attributed to him or her, which cannot be ensured by family and first name alone (Schwaighofer and Hötzendorfer, 2012). It furthermore ensures continuing linkage even in cases of change of name, marriage, adoption etc. From a data protection viewpoint, such a sensible attribution of someone's identity to a governmental citizen or customer number should only be implemented by the state. However, the attribution of the unique identification number for various purposes encounters data 3

protection limits as exemplified by cases in Germany, Hungary and Portugal where such attribution was ruled unconstitutional (Andrade, 2012). This paper will not elaborate on the data protection issues and the tension between privacy information and security (For an overview see e.g., Strauß 2010). However, it must be noted that, in principle e-IDM systems as such are – depending on their design – neutral regarding privacy concerns. Due to a wide range of approaches towards data protection within the EU, the technical and legal approaches differ substantially (for a survey of eIDMS approaches

Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

within the EU see e.g., Graux et. al., 2009).

1.4 Electronic Signature (eSig) In order to perform the whole process of most eGovernment services – depending on the respective legal framework – a digital equivalent of the declaration of intent linked to the person identified is required, i.e., authentication of the submission or motion in question. As noted above, these two functions, identification on the one hand and declaration of intent on the other, must be strictly separated (Hornung and Roßnagel, 2010). There are different options available to perform the authentication of a submission or motion in eGovernment procedures, ranging from very low-security to high security models. There could be an open model not requiring anything else other than the click of the “send” or the “submit” button during an eGovernment application. It therefore depends much on the importance assigned to the procedure in question and the risk assessment of the legislator for such procedures. For instance, when the risk of abuse or fraud is deemed very low, an open approach could be taken, trusting the authentication through a mere “send” or “submit” click. On the intermediate risk level, a “username & password” approach could be adopted, where the focus would lie in identification. On the high risk level, when a higher level of assurance is usually required, the qualified signature could be used. Generally, the legal consequences of eSig find their legal basis not in the eSig Act itself but in the laws that regulate the respective substantive issues (Rossnagel, 2009). The different available approaches dealing with the issue of manifestation of intent in eGovernment procedures becomes visible in the interplay of identification and authentication. It is important to note in this context that the approach taken by the various countries regarding identification and authentication is determined mostly by the legal rules governing the necessary requirements that need to be met during administrative procedures. Broadly speaking, three models are distinguishable, their adoption depending on the respective risk assessment of the procedure. 4

In cases where the manifestation of intent must satisfy the legal requirements of the written form, e.g., a handwritten signature on a form, most eGov solutions opt out for a system of electronic signatures to digitally equate the “analog” signature.6 Since eID may perform both functions, such as the distinct identification of a person and the authenticity of his or her submission (Strauß, 2011), the application of electronic signatures can be set aside in cases where the procedure does not require written signatures. One obvious solution would be to repeal the respective written requirements for eGovernment procedures and provide for an eID model which includes means for authentication as well. Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

Thus, in administrative procedures opting for a regulatory framework, the unique identification will be the decisive criteria, whereby simple mechanisms such as pushing the “send” button would be sufficient proof of the declaration of intent, so that the electronic signature need not be applied. However, it is important to note that the electronic signature cannot ensure the unique identity of the signatory, because the eSignature usually only contains the name of the signatory (Trauner, 2006). However, in most eGovernment services, the identification of the individual concerned is of vital importance, whereas for eCommerce and eBusiness the eSignature suffices because further instruments such as payment methods are in place to ensure the identification necessary. By way of example, during the process of e-signing, a submission “identification” takes place. This must be understood as referring solely to the relationship between signatory and the certification service provider, which is a private entity. It is the identity of the signatory with regards to the private entity uniquely linked to the electronic signature. This means that only in their internal relationship must the identity of the signatory be ensured (Art. 2 [10] SigDir). However, this does not correlate to the unique governmental identification needed for egovernment services. Rather, the identification is grounded solely in civil law, which is not a sufficient instrument for the identification for governmental purposes, because the unique governmental identification can only be established – as with physical IDs – through governmental entities. Another insufficiency compared to most eID models, as noted above, is that the eSig is not linked to a unique identifier.

1.5. Legal Framework within the EU Within the European Union, there exists only a rudimentary legal framework regarding eGovernment. Presently, only the issue of eSignatures and not that of eID has been 5

harmonized within European Union law. The SigDir7 establishes the legal framework for the issuance and utilization of electronic signatures and certification-services (Art. 1 SigDir), with which the basis for eSigs was established, ensuring the detection of any counterfeiting regarding the data of the signature or the content of the signed document. At the time the main motive was the establishment of a common legal framework for electronic communication and e-commerce within the single European market.8 However, the European eSignature market did not evolve due to interoperability issues, in particular because the handover between different eSig providers was not standardized. As has been shown, eSig is not the Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

only element for the operability of eGovernment services and we continue to witness a process of fragmentation in that regard all over Europe (see also, European Commission, 2013). This to the detriment of interoperability because these isolated solutions have no crossborder impact and represent only isolated solutions for national administrative procedures (Jacobi et. al., 2013). The Treaty of Lisbon now provides the EU an express competence to adopt provisions concerning national identity cards, therefore also including eID pursuant to Art 77 Treaty on the Functioning of the European Union (TFEU), the Commission’s proposal on electronic identification and trust services for electronic transactions in the internal market which is grounded on the general competence of Article 114 TFEU, that concerns the adoption of rules to remove existing barriers to the functioning of the internal market.9 The new Regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market repealing Directive 1999/93/EC, combines eID and eSig, providing a more coherent legal framework but still allowing member states to go ahead with their respective national solutions. However, the regulation has been criticized for not providing the necessary depth of detail to ensure interoperability of the various solutions in practice (Quiring-Kock, 2013).

2. Methodology The present paper adopts a comparative law methodology. It analyses and compares the legislative measures taken in Austria, Liechtenstein, Germany and the Swiss Canton of Zug in the identification and authentication for Citizen-to-Government eGovernment services. In this respect, the chosen comparative law methodology is similar to case study research, which is a common qualitative research method in information systems (Myers, 2013; Yin, 2002). 6

The comparative law methodology is, however, more precise and focused in that it asks how the different legal systems deal with and examine the various approaches to the same problem (de Cruz, 2009). The comparative law methodology was adopted specifically under the premise that the legal framework is essential for the design of eIDM, based on the reasoning that law provides the foundation for any technological solution and also the framework within which it operates. Thus, this study also provides insights for legal informatics research, which combines technology and law concepts. Based on the three phases of the comparative law methodology (Kamba, 1974), the present Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

paper proceeds as follows. First, the descriptive phase (Chapters 3.1 to 3.4) describes and analyzes the legislation to be compared. Second, the identification phase (Chapter 3.5) identifies the differences and similarities between the systems compared. Finally, the explanatory phase (Chapter 4) then attempts to explain the resemblances and similarities between the systems. In doing so, the corresponding legal acts, statutes and documents as well as preparatory works and studies are scrutinized and interpreted in light of existing scholarship. Besides the existing literature and interpretation of the legal material, the sources for the findings presented here pertaining to the situation in Austria, Switzerland and Liechtenstein stem from internal records information, protocols of internal governmental deliberations, variants, and the internal background and drafting history of the relevant legislation.10 To a large extent, this is based on the practical experience of drafting and advising governments in their respective eGovernment solutions with regards to identification and authentication which are presented here.11 Regarding the situation in Germany, the findings presented here rely on an analysis of the existing legal literature and doctrine as well as the publicly available drafting history and interpretation of the relevant legal material. The study elaborates on the legal differences of the following elements: The general legal framework in which eID and eSig operate, the legal solution adopted as regards identification in eGovernment services, the legal solution pertaining to authentication, and, finally, the token options for the actual C2G procedure and how this token is linked to the individual person. The country studies therefore begin by stating the main cornerstones of the respective legal framework, followed by a discussion of the adopted approach dealing with identification and authentication along with their respective particularities. These countries were chosen in order to illustrate that even in countries with a similar legal culture different legal solutions were adopted. 7

3. Findings The following sections provide an overview of the legal basis within the national legislation regarding e-government and particularly eIDs and eSignatures, before turning to the

Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

particularities of the respective eID concept and commenting on it.

3.1 Austria The legal basis regarding electronic governmental procedures is delimited in the Austrian EGovernment Act (E-GovG),12

the Signature Act (SigG)13 and the General Act on

Administrative Procedures14 (öAVG). In line with most other countries such as Germany, the electronic signature was regulated first. However, since – as has been shown above – the electronic signature cannot ensure the unique identification of the signatory meeting the standard required by eGovernment services, Austria introduced in 2004 its eID system in form of the so-called “Bürgerkarte” (CitizenCard). The “Bürgerkarte” has its legal basis in the E-GovG15 which allows for the electronic communication with public authorities, respecting the principle freedom of choice of means of communications (Huber, 2004). The Austrian approach combines eID and eSignature (Kubicek and Noack, 2010): The authenticity, i.e., “the genuine nature of a declaration of intent or act in the sense that the purported author of that statement or act” (§ 2[5] Austrian eGov Act) is verified through the electronic signature contained in the CitizenCard pursuant to § 4(4) leg cit. Pursuant to § 2 Z 10 öE-GovG the CitizenCard is a logical unit that, independent of its technical implementation, combines a qualified electronic signature16 with an identity link (§ 4(2) Signature Act) and the associated security data and functions as well as any existing data on representation. This means that the Citizen Card provides for an open concept which is not limited to a specific physical unit as, for example, in the German Personalausweis, but can be implemented through various devices such as a Bankcard or a Social Security Card (“e-card”) (Schweighofer and Hötzendorfer, 2013; Otter, 2004). In 2009, a non-card-based option for the CitizenCard, the mobile phone signature, was authorized. This open concept was chosen because in Austria there is no obligation to carry identification papers, in contrast to the legal situation in Germany where this is mandatory (Kubicek and 8

Noack, 2010). Also, due to the lack of a written form requirement in communication between the authorities and the natural person pursuant to §13(1) General Administrative Procedure Act 1991 (AVG) 17

which states “unless provided for differently in the administrative rules and regulations, any

submissions, applications, information laid against somebody, complaints, and other reports may be filed with the respective authority in writing, orally, or by telephone.” Only for “appeals and submissions with a specific deadline or determining the duration of a period of time with a deadline shall be submitted in writing.” Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

Furthermore (2) states that “written submissions may be communicated to the authority in any technically feasible form, by e-mail however to the extent that no specific means of communication are provided for the electronic communication between the authority and the persons involved. Eventual technical requirements or organizational restrictions of the electronic communication between the authority and the persons involved are to be published in the internet.” This allows for a wide variety of possible means to also use modern means of telecommunication (Trauner, 2006). The unique identity is generated through the identity link, consisting of the source identification number (sourcePIN)18 of the citizen and his or her two public keys. For natural persons, the sourcePIN is generated through the Central Registration Register (CRR) which is then signed electronically to ensure the identity link (Aichholzer and Strauß, 2010). Through that, this identity link achieves the unique identity of all persons registered in Austria. The sourcePIN for natural persons is not used directly for identification because of data protection concerns. Instead, sector-specific identifiers (ssPINs) based on an irreversible cryptographic function are created, which are unique for 26 sectors (Schweighofer and Hötzendorfer, 2012). With this, Austria has taken important steps towards unlinkability and selective disclosure (Strauß, 2011; Kubicek and Noack, 2010). Although private sector use is encouraged and provided for in § 14 of the E-GovG, the use of the Citizen Card for non-government services has been rather disappointing (Schweighofer and Hötzendorfer, 2012). However, due to the lack of stringent formal requirements in basic administrative procedures, the identification is sufficient to use certain services, such as filing one’s tax return electronically via “FinanzOnline”,19 which requires only Username & Password; a service which is widely used in Austria.

9

The current (2014)1 activation figures of the software based solution indicate a higher user acceptance compared to the card based solution.

3.2 Liechtenstein On the basis of the adopted “Informatics and E-Government Strategy” of 2008, the legislator in Liechtenstein20 enacted the E-Government Act (a law regarding the electronic communication with authorities)21 (LE-GovG) in the course of which related legal bases were Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

amended to fully implement the necessary legal bases for eGovernment services, such as the Service of Documents Act (Zustellgesetz)22, Central Person Register Act (Gesetz für das zentrale Personenregister)23 and Signature Act (Signaturgesetz)24 . Similar to the one in Austria the eID system in Liechtenstein, called “lisign”, combines the eID based on a physical identity card with the electronic qualified signature function. “Lisign” provides for the eID (“elektronischer Identitätsausweis”) in Art 3(1) lit I LE-GovG25 which is further governed in Arts 11 ff leg cit. Arts 12(1), 22 and Art 23(b) LE-GovG provides for the possibility of authentication through means other than the electronic signature (Art 23(a)) by allowing any electronic proof of the authentication process. This means that, as opposed to the Austrian solution, which closely links eID and eSig together, the legal framework in Liechtenstein provides for a simple use of its eID to also perform the function of authentication without having to resort to the costly and not easily accessible eSig for procedures that do not require this heightened standard of authentication which would usually require handwritten signatures. Its unique identification is achieved through reference to the personal identification number (PEID) generated by the Central Person Register pursuant to Art 3(1) lit g leg cit similar to its Austrian counterpart.

3.3 Germany In Germany26 the legal basis for eGovernment is found in the German eGovernment Act27 (eGovG), the Personal Identification Document Act28 containing the regulatory framework for eIDs, the DE-Mail-Act29 and the Signature Act30 concerning electronic signatures.31 The recent amendments encompassing 31 articles in the EgovG, which enter into force from 1.8.2013, are being viewed as necessary developments for ushering Germany into the world 1

http://www.digitales.oesterreich.gv.at/site/7905/default.aspx more than 400000 activated accounts and a growth rate of 15000 to 20000 per month.

10

of Government 2.0 services (Albrecht and Schmid, 2013). It serves as the basis for a new standard in electronic communication with public authorities and administration in Germany (Johannes, 2013). The German eID system combines the traditional identification system with the eID function by including the eID in the physical ID document (Personal Identity Card, Personalausweis). This function is activated by default (at no extra cost), but allows also for its deactivation (§ 10 PauswG) (Hornung and Roßnagel, 2010). Due to the obligation to carry identification documents pursuant to § 1 PauswG,32 the Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

combination of eID with the traditional ID represents a practical solution because its proliferation is due to its widespread use (Schweighofer and Hötzendorfer, 2013). The new German ID entails both the electronic proof of identity and optionally the qualified electronic signature; its sole ownership is therefore indispensable security. It is no longer allowed to demand the ID card to be handed over as a security deposit for example, while exemptions exist. It is also possible to use the eID for private legal transactions, provided that no special provisions or requirements of written form are necessary. In case of a written form requirement, the activation of the function of electronic signatures on the eID card is necessary. This, however, incurs extra costs for the user because it requires a contract with a private certification service provider. This market-based approach as regards to certificationservice providers seems unlikely to be altered meaning that qualified certificates for the official German ID cards will be issued by private sector providers (Hornung and Roßnagel, 2010). However, the practice of its application is very limited, costly and impractical. In contrast to the other eID solutions of Austria, Liechtenstein and the Swiss Canton of Zug highlighted in this paper, Germany has a widespread written form requirement which is usually requested during a procedure while the applicable law actually does not demand it (Fromm et al., 2013). For these reasons, Art. 3 Nr. 1 eGovG provides explicitly for the adoption of the so-called DEMail function as adhering to the standard of written form of communication means, pursuant to § 3a(2) Nr. 2, Nr. 3 and Nr. 4 Administrative Procedure Act33 (VwVfg) and thus provides a more user-friendly alternative to the qualified electronic signature (Albrecht and Schmid, 2013). DE-Mail ensures the delivery of legally sensitive documents to the recipient only. Since the DE-Mail function only operates with optional end-to-end encryption and not as standard, it has been criticized for a lack of security by data protection and security experts (Minnerup, 2013; Albrecht and Schmid, 2013). 11

With the recent amendments to the German eGovernment Act, the eID is ready to be used for a growing number of eGovernment services. The newly introduced extension of the legal basis for the use of DE-mail is particularly intended to be an alternative to eSig (Johannes, 2013). With the legal basis for DE-mail, the usability of communication between citizen and authorities has been enhanced at the expense of security (Minnerup, 2013).

3.4 Canton of Zug Before elaborating on the rather unique proposal introduced in the Swiss Canton of Zug Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

which is presently under consideration by the legislature, the general legal framework in Switzerland will be discussed.34 On the federal level an eSignature model was adopted. The eSig has its legal basis in the Federal Act regarding the electronic Signature (ZertES)35. On this basis, the SuisseID was introduced, which combines electronic identification with signature functions (qualified electronic signature). The SuisseID is available on three data carriers: a chip card, USB stick or the SwissStick with a PIN.36 However, it is important to note that the SuisseID does not operate with a unique identifier to establish the unique identity of the user. Generally, electronic communication with governmental authorities is proscribed in the Regulation on the electronic submission with regards to an administrative procedure (VeÜVwV).37 On the level of the Cantons, the administrative procedures are regulated through Cantonal regulations. The particularity of the solution envisioned in the Swiss Canton of Zug is worth elaborating on. The proposed regulation concerning the electronic communication in administrative

procedures

(“Verordnung

über

die

elektronische

Übermittlung

im

Verwaltungsverfahren”) has passed the stage of the first reading of the Regierungsrat. It adopts a unique solution insofar as the Zug eID system allows not just for identification but also for authentication, i.e., declaration of intent without having to resort to the qualified signature of the SuisseID. This is done by simply adding a few paragraphs to the Cantonal Administrative Procedure Act38 – as proposed to be included in § 5a Z 3 and §9 lit b Z 2 and 3 and passed in the first reading of the Act39– which states that the Zug eID can serve as electronic identification and as a means for the declaration of intent (§5a Z 3 leg cit). In a following paragraph, submissions which require a written signature are signed through the qualified electronic signature of the SuisseID or via eID which satisfies the legal requirement of written signature (proposed § 9 lit b Z 2 and 3 leg cit). This is excluded for appeals, which 12

require higher formal standards. According to the proposal, the individual will be linked through reference to a unique tax register number or a unique social security number (pursuant to §§ 3 and 8 leg cit). Pursuant to § 7 leg cit, three possibilities for the identification process are available. § 7(1) allows for the combination of user number and password, while (2) requires additionally the entry of a password that is sent to the mobile phone via text message (mobile transaction authentication number, mTAN) to the registered phone number of the individual concerned.

Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

Alternatively (3) identification can be performed via SuisseID. For the declaration of intent during a submission, § 12(1) prescribes that in cases in which the administrative procedure law requires the written form or handwritten signature for the authentication of a declaration or change of will, the electronic submission must be accompanied with either the entry of the transaction-code which is sent via text message to the registered phone number and clicking the “submit” button, or through qualified electronic signature with the SuisseID. The advantage of the transaction code is that it comes with no extra costs, as opposed to the costs of a certificate of the SuisseID.40 On the federal level, the government plans to comprehensively overhaul its identity card and passport procedures to ensure their usability in eGovernment and eBusiness applications. 41

3.5 Results This table summarizes and structures the results: Identification Card based solution Identification Software based solution Authentication eSig Authentication mTan UI: Sector-specific identifiers (ssPINs) => encrypted UI: One to four identifier => non encrypted existing numbers

AT X X X

LI Y X Y X

Zug

Y/X

X

X X

X

DE X X (X) X -

The cases analysed demonstrate the differences of four eIDM solutions in Europe. The comparative results are structured into three main aspects: Identification, Authentication and Unique Identifier (UI). First, as regards identification, Austria, Liechtenstein and Germany offer smart card based 13

solutions, which combines possession (e.g. Smart card) and knowledge (e.g. of a PIN) (Kubicek and Noack, 2010) and hence provide more security than mere knowledge-based systems only identified by username and password (Strauß, 2011). Additionally Austria and Liechtenstein offer a software-based solution and Canton Zug will offer only a software-based solution. The user acceptance of this software based solution appears to be higher compared to card based solutions as the activation figures of Austria demonstrate (see above 3.1). In the case of Austria, the card-based security factor possession is replaced by the possession of a mobile phone, which is linked for identification credentials. Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

A further detail of the analysed cases is the integration of the identification process into the signature process, which is realized in Austria and Liechtenstein. In the Austrian case, the card- and the software-based solutions use both qualified signatures for the identification process; whilst Liechtenstein offers two different solutions: one card-based with the integrated signature functionality Art. 12 LE-GovG (marked with Y in the table) and one software-based solution without signature functionality Art. 15 LE-GovG (marked with X in the table). The authentication process is not legally regulated and cannot replace handwritten signatures. Zug plans to implement a very similar e-ID system comparable to that of the software based solution adopted by Liechtenstein, which should also offer software based mTan transaction for declaring the intent (authentication). The difference to that of Liechtenstein lies most importantly in the fact that the Zug eID concept would fully replace eSignatures for public processes by way of procedural law changes to that effect.

The Canton Zug concept

demonstrates the possibility of a single amendment of a law, which can offer completely new and more pragmatic solutions for eGovernment services. The German card-based concept is primarily focussing on the identification and thus offers electronic signatures only as an optional fee based function. The combination of the Personal-Identity-Card (card-based solution) and DE-Mail (software-based solution) is the alternative to the electronic signature for authentication § 2 DE-E-GovG-E; therefore the citizen can use different possibilities such as mTan, Personal-Identity-Card or other solutions selected by one of the DE-mail providers; the authorities can also define certain requirements. The third critical element is the usage of unique identifiers (UI) in the processes and in the backend databases, which is a critical data protection issue. The Liechtenstein law enables the usage of already existing personal identification number (PEID) numbers for all administrative procedures and therefore links the PEID to the e-ID certificate Art 10 LEGovG. This concept is also quite common in Scandinavian countries, like Sweden, but has been criticized for data protection issues (Ludvigsson et al, 2009). Zug has planned a similar 14

solution and will use the unique identifier of its tax database. The German eGovernment law offers no unique identifier, because of its strong data protection culture. On the other hand, regarding unique identifiers, the Austrian eIDMS strikes the balance between a strong data protection and internal effectiveness with the help of sector-specific identifiers as descript. Generally, eIDMS appears to become more and more important in Europe. According to a 2009 IDABC-Study “Study on Mutual Recognition of eSignatures: update of Country Profiles” of the European Commission, eight European Economic Area (EEA) states offer their citizens eIDs and a further eight are planning to commence with eID solutions within the Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

next three years. eID is on the agenda of most European states as well as the European Union (Andrade, 2012). Therefore, a trend towards a combination of eIDs with eSignatures can be witnessed. All states that have eID systems also opt for eSignatures; and 5 of the 8 countries are planning to implement this also. In conclusion, the results of this study suggest that a combination of the three main eID elements, i.e., identification, authentication and unique identifiers, could be a starting point for designing or re-designing a country specific eIDMS. The four cases demonstrate the range of possibilities of eIDMS and shows that they are very closely linked to existing legal frameworks and the respective data protection culture. Overall, it thus appears that the countries under consideration in this study represent a trend within Europe to adopt domestic legal solutions based on the respective existing legal framework, without much consideration of inter-operability issues on a European level.

4. Conclusion As has been shown, the four countries compared adopted four different technical and legal solutions. The reason lies in the different legal cultures and the existing legal frameworks in which the legislator in most cases seeks to fit the respective eGovernment solution, rather than adopting a completely new solution. In a country where it is obligatory to carry ID cards, the tool used thus offers only an ID-Card-based solution, whereas Austria has a totally open carrier system, in practice ranging from various card-based carriers, to token-based solutions by virtue of the Mobile signature, because no such obligation exists in Austria. 15

Regarding identification, we witness in Austria and similarly in Liechtenstein, that the eID is closely linked to the eSig, whereas in Germany and in the Canton of Zug the focus lies in identification and the eID itself. Authentication in countries can generally be performed via eSig, but they have different prioritization strategies. While Austria and Liechtenstein primarily focus on eSig, in Germany and Zug, this is merely a secondary solution. However, as elaborated above, this does not exclude different possibilities to perform authentication through simpler means in connection

Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

with identification. This resulting complexity has its root cause in the high number of combination possibilities in the field of identification and authentication. It is interesting to note that the traditional, paperbased world still has one relevant thing in common with the digital world: the predominant importance of identification during an administrative procedure. Authentication on the other hand is only of secondary importance and the virtual world offers various solutions, ranging from high to low security models to perform authentication, of which the electronic signature is organisationally very complex and costly. In the legal systems of the countries examined, the legal framework of the administrative procedures in the respective countries presently allow in practice for simpler solutions regarding identification and authentication under the threshold of eSig and complex eID models. Indeed, all of the solutions adopted in the countries subject to this study are a result of the already existing legal concept of identification and authentication. Especially in the case of eIDMS the legal aspect is the critical element for the information system solution and therefore legal amendments could be a critical success factor for the eID service: law is code.

From the perspective of administration, such regulatory frameworks must not be considered as sacrosanct. In fact, the solution adopted in the Canton of Zug exemplifies the feasibility of incorporating eID with declaration of will by simple means of legislation, without having to rely on costly means such as eSig to satisfy the existing legal framework. Such complex and costly systems should therefore only be implemented where the necessity (security or privacy issues) warrants the effort. Thus, time will tell if these heterogeneous legal and technical solutions of the various EU Member States can be connected as piloted in the so-called STORK project42. If the new Regulation (EU) 910/2014 fails and Governments are not able to offer the necessary 16

interoperable eID for digital processes, this could - for the first time in European administrative history - bring about a situation in which private companies, who are offering such interoperable solutions, could take over the sensitive process of identifying individuals in the digital world.

5. Limitations and further research These results notwithstanding, important limitations need to be considered. First, the current

Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

study has only examined four countries and it is therefore difficult to apply these results directly to other states without recognizing differences in their respective legal systems. Another limitation of the present study is the open question as to how the new Regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market repealing Directive 1999/93/EC will effectively be implemented in detail by the EU in its implementation regulations. Based on these findings, further research could potentially produce an interesting comparison to other European eID related legislation. This would be particularly useful in light of the new Regulation (EU) 910/2014, raising pertinent questions of legal, technical and semantic interoperability of the various EU Member States’ eID solutions.

17

Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

Notes: 1 § 2 Z 4 and 5 eGovernment Austria Act, Federal Law Gazette I Nr. 10/2004 as amended Federal Law Gazette I Nr. 83/2013. Austrian Laws are available online at: http://www.ris.bka.gv.at/defaultEn.aspx (accessed 09 April 2014). 2 Art 3 Abs 1 lit b and c Liechtenstein eGovernment Act. 3 Art 3 Abs 1 lit b Liechtenstein eGovernment Act reads „‘Identifikation‘: der Vorgang, der zum eindeutigen Nachweis oder zur Feststellung der Identität erforderlich ist;“. 4 Art 3 Abs 1 lit c Liechtenstein eGovernment Act reads „“Authentizität”: die Echtheit einer Willenserklärung oder Handlung“. 5 In § 2 Z 2 Austrian eGovernment Act e.g. "unique identity" is defined as the "designation of a specific person [...] by means of one or more features enabling that data subject to be unmistakably distinguished from all other data subjects." See Federal Law Gazette I Nr. 10/2004 as amended Federal Law Gazette I Nr. 83/2013. 6 In Germany for example, the written form of the declaration of intention, in accordance with § 126(3) and § 126a of the German Civil Code (Bürgerliches Gesetzbuch, BGB), is substituted and also, in accordance with § 371a of the German Code of Civil Procedure (Zivilprozessordnung, ZPO), the qualified electronic signature provides prima facie evidence as regards the integrity and the authenticity of the declaration. 7 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, Official Journal of the European Communities, L13, 19.1.2000, pp. 12ff [henceforth: SigDir] 8 See recital 4ff of SigDir. 9 Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market of 4.6.2012, COM(2012) 238 final, 2012/0146 (COD) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0238:FIN:en:PDF (accessed 09 April 2014). 10 All documents, protocols etc. are on record with the authors. 11 Peter Parycek was legal advisor for the Austrian Government at the Federal Chancellery in the field of eGovernment and was furthermore involved in the drafting of the eGovernment Act of Liechtenstein, that of the Swiss Canton Zug, and was consulted for the German eGovernment Act as well. Interviews, notes, preparatory work etc. are on record with the authors. 12 Federal Law Gazette I Nr. 10/2004 lastly amended by Federal Law Gazette I Nr. 83/2013 13 Federal Law Gazette I Nr. 190/1999 as last amended by Federal Law Gazette I Nr. 75/2010, English translation available at: http://www.ris.bka.gv.at/Dokumente/Erv/ERV_1999_1_190/ERV_1999_1_190.pdf (accessed 09 April 2014). 14 Federal Law Gazette I Nr. 51/1991 amended by Federal Law Gazette I Nr. 33/2013. 15 Federal Law Gazette I Nr. 10/2004 amended byFederal Law Gazette I Nr. 83/2013. 16 Pursuant to § 2 No. 3a of the Signature Act, Federal Law Gazette I No. 190/1999. 17 AVG English translation available at: http://www.ris.bka.gv.at/Dokumente/Erv/ERV_1991_51/ERV_1991_51.pdf (accessed 09 April 2014). 18 Defined in § 2 Z 8 Öe-GovG as „a number which is attributable to a data subject to be unambiguously identified and which also serves as the basis for generating sector-specific personal identifiers (ssPINs) (§ 9 and § 14)“. 19 Finanz online, available at: https://finanzonline.bmf.gv.at/fon/ (accessed 09 April 2014). 20 A Compilation of the Laws of Liechtenstein is available at: http://www.gesetze.li (accessed 09 April 2014). 21 Gesetz vom 21. September über den elektronischen Geschäftsverkehr mit Behörden, Liechtensteinisches Landesgesetzblatt Jahrgang 2011 Nr. 575 ausgegeben am 19. Dezember 2011. 22 Liechtensteinisches Landesgesetzblatt Jahrgang 2008 Nr. 331 ausgegeben am 19. Dezember 2008 Gesetz vom 22. Oktober 2008 über die Zustellung behördlicher Dokumente (Zustellgesetz; ZustG). 23 Liechtensteinisches Landesgesetzblatt Jahrgang 2011 Nr. 574 ausgegeben am 19. Dezember 2011 Gesetz vom 21. September 2011 über das Zentrale Personenregister (ZPRG). 24 Liechtensteinisches Landesgesetzblatt Jahrgang 2003 Nr. 215 ausgegeben am 11. November 2003 Gesetz vom 18. September 2003 über elektronische Signaturen (Signaturgesetz; SigG). 25 Art. 3 Abs. 1 lit. i defines the eIDA as "ein Ausweis, welcher der elektronischen Identifikation einer Person dient, indem unabhängig von der technischen Umsetzung die PEID mit einer sicheren elektronischen Signatur (Art. 2 Abs. 1 Bst. d SigG) oder einer eIDA-Zugangskennung und den dazugehörigen Sicherheitsdaten und -funktionen sowie mit allenfalls vorhandenen Vollmachtsdaten verbunden wird." 26 A Compilation of Germany’s Laws is available at: http://www.bgbl.de/Xaver/start.xav?startbk=Bundesanzeiger_BGBl (accessed 09 April 2014).

18

Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

27 Act of 25.7.2013, Federal Law Gazette I, 2013, p. 2749 http://www.bgbl.de/Xaver/start.xav?startbk=Bundesanzeiger_BGBl (accessed 09 April 2014). 28 Act of 18.6.2009, Federal Law Gazette I, 2009, p. 1346, lastly amended by Art. 2 (5) of Act of 3.5.2013, Federal Law Gazette I, 2013, p 1084. 29 Act of 28.4.2011, Federal Law Gazette I, 2011, p. 666, lastly amended by Art. 2 (5) of Act of 22.12.2011, Federal Law Gazette I, 2011, p. 3044. 30 22. Juli 1997 (BGBl. I S. 1870, 1872 ff.). 31 16. Mai 2001 (BGBl. I S. 876) , lastly amended by Article 4 (111) of Act of 7. August 2013 (BGBl. I S. 3154) 32 Abs 1 leg cit stipulates that "Deutsche im Sinne des Artikels 116 Abs. 1 des Grundgesetzes sind verpflichtet, einen Ausweis zu besitzen, sobald sie 16 Jahre alt sind und der allgemeinen Meldepflicht unterliegen oder, ohne ihr zu unterliegen, sich überwiegend in Deutschland aufhalten. Sie müssen ihn auf Verlangen einer zur Feststellung der Identität berechtigten Behörde vorlegen. Vom Ausweisinhaber darf nicht verlangt werden, den Personalausweis zu hinterlegen oder in sonstiger Weise den Gewahrsam aufzugeben. Dies gilt nicht für zur Identitätsfeststellung berechtigte Behörden sowie in den Fällen der Einziehung und Sicherstellung." 33 Law of 14.12.1976 Federal Law Gazette I p. 3341, lastly amended by Art. 3 Law of 25. Juli 2013 Federal Law Gazette I p. 2749, 2753 f. 34 A Compilation of Swiss Laws is available at http://www.admin.ch/bundesrecht/00566/index.html?lang=en (accessed 09 April 2014). 35 Bundesgesetz vom 19.12.2003 über die elektronische Signatur (ZertES, SR 943.03) (official compilation 2004/5085) available at: http://www.admin.ch/opc/de/official-compilation/2004/5085.pdf (accessed 09 April 2014). 36 See Suisse ID, available at: http://www.suisseid.ch (accessed 09 April 2014). 37 Verordnung über die elektronische Übermittlung im Rahmen eines Verwaltungsverfahrens vom 18. Juni 2010 http://www.admin.ch/opc/de/classified-compilation/20100598/index.html , Der Schweizerische Bundesrat, gestützt auf die Artikel 11b Absatz 2, 21a Absatz 1 und 34 Absatz 1bis des Bundesgesetzes vom 20. Dezember 1968 [SR 172.021] über das Verwaltungsverfahren (VwVG) [Bundesgesetz über das Verwaltungsverfahren (Verwaltungsverfahrensgesetz, VwVG) vom 20. Dezember 1968 (Stand am 1. Mai 2013) AS 1969 737 http://www.admin.ch/opc/de/classified-compilation/19680294/index.html Art. 1 leg cit provides for the scope of its subject-matter referring to modalities of the electronic communication between citizen and governmental authorities for procedures which are governed by the VwVG. und auf die Schlussbestimmung zur Änderung vom 17. Juni 2005 des VwVG [AS 2006 2197]. 38 Gesetz über den Rechtsschutz in Verwaltungssachen (Verwaltungsrechtspflegegesetz) vom 1. April 1976 39 See Ergebnis 1. Lesung RR vom 14. Mai 2013, available at: http://www.zg.ch/behoerden/regierungsrat/vernehmlassungen/teilrevision-desverwaltungsrechtspflegegesetzes-und-verordnung-ueber-die-elektronische-uebermittlung-imverwaltungsverfahren/downloads/verordnung-ueber-die-elektronische-uebermittlung-imverwaltungsverfahren/at_download/file (accessed 09 April 2014). 40 See further documents pertinent to the proposal: http://www.zg.ch/behoerden/regierungsrat/vernehmlassungen/teilrevision-desverwaltungsrechtspflegegesetzes-und-verordnung-ueber-die-elektronische-uebermittlung-imverwaltungsverfahren (accessed 09 April 2014). 41 See http://www.news.admin.ch/message/index.html?lang=de&msg-id=42447 (accessed 09 April 2014). 42 Available at: https://www.eid-stork.eu/ (accessed 09 April 2014).

19

Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

References Aichholzer, G. and Strauß, S. (2010). The Austrian Case: Multi-card concept and the relationship between citizen ID and social security cards. Identity in the Information Society, Vol. 3, No. 1, pp. 65-85. Albrecht, F., and Schmid, A. (2013), "Das E-Government-Gesetz des Bundes: Auf dem Weg zur "Verwaltung 2.0"? Kommunikation & Recht, Vol. 16 No. 9, pp. 529–535. Andrade, N. N. G. de. (2012) “Towards a European eID regulatory framework: Challenges in constructing a legal framework for the protection and management of electronic identities”, in Gutwirth, S., Leenes, R., Hert, P. d., and Poullet, Y. (Eds.), European data protection. In good health?. Springer Netherlands, Dordrecht, pp. 285-314. De Cruz, P. (2009) “Comparative Law, Functions and Methods”, in Wolfrum, R. (Ed.), Max Planck Encyclopedia of Public International Law. Oxford University Press, Oxford. European Commission (2010), “Annex 2 to the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of Regions 'Towards interoperability for European public services'”, COM(2010) 744 final, available at http://ec.europa.eu/isa/documents/isa_annex_ii_eif_en.pdf (accessed 25 September 2014). European Commission (2013), “Study on Analysis of the Needs for Cross-Border Services and Assessment of the Organisational, Legal, Technical and Semantic Barriers”, available at http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=2310 (accessed 09 April 2014). Feik, R., and Randl, H. (2012), “E-Government”, in Jahnel, D., Mader, P., and Staudegger E. (Eds.), IT-Recht, Verlag Österreich, Vienna, pp. 395-414. Forder, J. (2010), “The inadequate legislative response to e-signatures”, Computer Law & Security Review, Vol. 26, No. 4, pp. 418–426. Fromm, J., Hoepner, P., Pattberg, J., Welzel, Ch. (2013), „3 Jahre Online-Ausweisfunktion – Lessions Learned“, available at: http://www.oeffentlicheit.de/documents/18/21941/Personalausweis-Erkenntnisse+aus+drei+Jahren+OnlineAusweisfunktion (accessed 09 April 2014). Graux, H., Majava, J. and Meyvis, E. (2009), “eID interoperability for PEGS – update of country profiles – analysis & assessment report”, available at http://ec.europa.eu/idabc/servlets/Doc2ba1.pdf?id=32521 (accessed 09 April 2014). Hornung, G., & Roßnagel, A. (2010), “An ID card for the Internet – The new German ID card with “electronic proof of identity””, Computer Law & Security Review, Vol. 26, No. 2, pp. 151–157. Huber, M. (2004), „Reglement für den elektronischen Verkehr mit öffentlichen Stellen - Neue Kommunikationstechnologien durch das E-Government-Gesetz“, Recht & Finanzen für Gemeinden, Vol. 20, No. 1, pp. 17-20. Jacobi, A., Jensen, M., & Kool, L. (2013), „Security of eGovernment Systems”, available at http://www.europarl.europa.eu/RegData/etudes/etudes/join/2013/513510/IPOLJOIN_ET%282013%29513510_EN.pdf (accessed 09 April 2014). Johannes, P. (2013), „Elektronische Formulare im Verwaltungsverfahren“, MultiMedia und Recht, Vol. 16, No. 11, pp. 694-700. 20

Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

Kamba, WJ. (1974), “Comparative Law: A Theoretical Framework”, International and Comparative Law Quarterly, Vol. 23, pp. 485–519. Kubicek, H., & Noack, T. (2010), “The path dependency of national electronic identities: A comparison of innovation processes in four European countries”, Identity in the Information Society, Vol. 3, No. 1, pp. 111-153. Ludvigsson, J., Otterblad-Olausson, P., Pettersson, B., Ekbom, A. (2009) “The Swedish personal identity number: possibilities and pitfalls in healthcare and medical research”, European Journal of Epidemiology, Vol. 24 No. 11, pp. 659–667.Myers, M.D. (2013), Qualitative Research in Business & Management. Second edition, Sage Publications, London. Minnerup, S. (2013), „Inkrafttreten des E-Government-Gesetzes“, Der IT-Rechts-Berater, Nr. 9, p. 197. Otter, H. (2004). Die e-card als Bürgerkarte im E-Government: Elektronische Signaturen authentisieren Zugriffsberechtigungen bei telematikgestützten Behördenkontakten. Soziale Sicherheit, p. 499. Parycek, P. (2006), „E-Government: Terminologie und Konzeption eines rechtlichen Modells“, in Schweighofer, E., et al. (Eds.), e-Staat und e-Wirtschaft aus rechtlicher Sicht, Boorberg, Stuttgard, pp. 102-106 Quiring-Kock, G. (2013), „Entwurf EU-Verordnung über elektronische Identifizierung und Vertrauensdienste: EU weite Interoperabilität - Anspruch und Wirklichkeit“, Datenschutz und Datensicherheit, Nr. 1, pp. 20–24. Rossnagel, H. (2009), Mobile qualifizierte elektronische Signaturen: Analyse der Hemmnisfaktoren und Gestaltungsvorschläge zur Einführung, Gabler, Wiesbaden. Schwaighofer, E., and Hötzendorfer, W. (2012), „Elektronische Identitäten - Öffentliche und private Initiativen“, in Lucke, J. v., et al. (Eds.), Auf dem Weg zu einer offenen, smarten und vernetzten Verwaltungskultur, Gesellschaft für Informatik, Bonn. Schweighofer, E., & Hötzendorfer, W. (2013), „Electronic identities – public or private”, International Review of Law, Computers & Technology, Vol. 27, Nr. 1-2, pp. 230–239. Strauß, S. (2011), “The Limits of Control - (Governmental) Identiy Management from a Privacy Perspective”, in Fischer-Hübner, S. (Ed.), Privacy and identity management for life, Springer, New York, pp. 206–218. Trauner, G. (2006), „E-Government“, in Holzinger, G., Obendorfer, P., and Raschauer, B. (Eds.), Österreichische Verwaltungslehre, Verlag Österreich, Vienna, pp. 267–298. Yin, R. K. (2002), Case Study Research, Design and Methods, 3rd ed., Sage Publications, Newbury Park.

Author Biographies Peter Parycek, PhD, MSc, is Head of the Center for E-Governance at the Danube University Krems and Chairman of the ministerial working groups “E-Democracy & E-participation” and “E-Government Training” at the Austrian Federal Chancellery. From 2006 to 2011 he worked as scientific advisor in the Austrian Federal Chancellery, from 2010 and 2011 as scientific advisor for the Principality of Liechtenstein and was responsible for the 21

Downloaded by DONAU UNIVERSITAET KREMS At 06:39 17 March 2016 (PT)

Liechtenstein E-Government law and further amendment of laws. 2011 he worked out the technical and organisational eID concept for Canton Zug and the legal framework. As a lawyer and graduate of the Master's program Telematics, his work is at the intersection of legal policy, social and technological developments. His research and project priorities include eGovernance, eDemocracy and eGovernment. He is responsible for the conference series CeDEM (International Conference for e-Democracy and Open Government) and the open access journal JeDEM (eJournal of eDemocracy and Open Government).

Gabriel M. Lentner, Mag.iur. is a Research and Teaching Fellow at the Department of Business Law and European Integration and Project Researcher at the Centre for EGovernance at the Danube-University Krems. He is also a PhD candidate at the University of Vienna.

22