
Restricted - Confidential Information

GSMA 2012
All GSMA meetings are conducted in full compliance with the GSMA's anti-trust compliance policy
GSMA Mobile Identity Programme
CONFIDENTIAL
Agenda
1. About GSMA

2. GSMA Mobile Identity programme

3. COM (2012) 238/2 regulation proposal on eID and electronic trust services

4. GSMA proposed approach

5. Draft regulation expected timeline

6. Additional slides: Mobile ID case studies

About GSMA

Spectrum, Mobile NFC, Connected Living, Rich Communications, mIdentity, Global Roaming

Founded: 1982
Objective: Progress mobile technology and usage
Membership: 800 network operators with 230+ companies from wider mobile ecosystem.
Main achievements: GSM standards, Roaming interconnect and the industry representative with Regulators and Government

Mobile Identity Programme

The GSMA Mobile Identity programme is a global initiative established to support mobile operators in understanding and unlocking the potential of electronic and mobile identity.

Through research and engagement with mobile operators, governments, and the broader mobile ecosystem, the GSMA will build a community to share best practice and support the launch of robust, coordinated identity solutions that leverage the ubiquity of mobile technology.

The Mobile Identity programme will also make recommendations to governments on how best to leverage the capabilities of mobile operators' identity creation / management solutions.

By 2015, the Mobile Identity programme will have positioned mobile at the heart of identity management, having initiated and supported multiple implementations globally. The GSMA will have driven uptake through the provision of expert commercial, technical and regulatory support to mobile operators, whilst simultaneously helping to remove barriers facing operators, solutions providers, governments and end-users.

The GSMA programme is supporting operators across the full mIdentity spectrum

GSMA Mobile Identity programme:
1. Information gathering: Provide operators understanding of developments and best practices within mobile identification without having to develop own internal resource
2. Pilot consideration: Enable operators to identify the opportunity via standard business models and industry best practice to support the design of a pilot
3. Pilot implementation: Provide resource where most valuable to the operator to support successful implementation and measurement of the pilot's impact
4. Increase to scale: Share best practice from other markets and wider eco-system to identify roadmap for scaling up mobile identity services

Working alongside operators, governments, regulators and others to ensure that mobile identity fulfils its role as part of the broader digital identity ecosystem and serves end users to the greatest possible extent

Mobile Identity Programme Focus Areas

Connect and Authenticate
o Single Sign-On
o Strong Authentication

Mobile Digital Signature

Mobile ID Innovations
o Secure Cloud
o Health Records
o Verified Subscriber
o Loyalty
o Secure NFC

Identity is about access to rights, services and places

Core Needs:
- Access to Places (will become relevant with NFC)
- Having Access to Services
- Having a Recognised Identity / Status

Use Cases:
- Access to Public Places: Borders
- Access to Private Areas: Buildings
- Access to Healthcare
- Life event registration: Birth, marriage, death registration
- Access to Education
- Access to Financial Services
- Other: Access to information, contract signature, voting etc

Diagram labels: Identity as Enabler; Creation of Identity

At its most fundamental level, digital identity management services can help overcome weaknesses in legacy processes
- Without an identity, individuals lack the ability to access even the most basic rights / services

Once created, identity, whether document based or digital, is effectively an enabler
- It allows the user to access real world and digital services; it allows the provider of the service to verify the identity of the user prior to providing the service

Digital identity management is about sharing elements (attributes) of the identity, as opposed to the entire identity
- A retail bank does not need to know my blood type
- A social network does not need to know my home address
- A content website does not need to know my date of birth
- My office building does not need to know my bank balance

Mobile Identity Enabling Products

2 Factor Authentication
Description: Use mobile as second factor overlay; including NFC / biometrics
- SIM-based strong authentication / verification, with considerable scope for value add: location sensitivity, behavioural profiling; integrate with cloud
- 2FA market already exists, but operators often disintermediated

Federated Identity
Description: MNO provides managed ID services to SPs
- User can use their existing credentials held by the MNO to sign in to any relying party website, while maintaining the privacy of the profile generated.
- SPs can outsource identity mgmt to MNOs and provide a better user experience through seamless login

Mobile Digital Signature
Description: Use mobile as a replacement for legally binding wet signatures
- User can sign & send documents, securely transmit messages & m-payments, provide verified ID for e-services.
- Enterprises/businesses can verify authenticity of messages, payments, permissions for access ..

Secondary mID enabling products

ID Storage / Retrieval
Description: Make it possible to prove identity by showing the phone

Event Registration
Description: Make it possible to create digital identity documents, e.g. birth certificate in Uganda

Icon label on slide: 18+

The role for Mobile in identity management

Why identity should go mobile?
1. Mobility
- Mobile networks cover over 90% of the world's population
- Standards-based GSM technology provides a uniform platform for ID
2. Ubiquity
- Circa 6 billion mobile subscriptions today
- Represent 3.8 billion subscribers
3. Security
- Mobile is a secure medium, backed by sophisticated fraud detection
- SIM-based Authentication is at the heart of mobile
4. Portability
- Most commonly the mobile device is always with its owner
- Users already trust mobile for the storage and management of personal data
5. Cost
- Mobile infrastructure is already in place
- Little additional infrastructure required, only new SIMs

Why operators are interested in identity management?
1. Manage CRM
- The more mobile networks are involved in ID, the more useful information they can harvest to improve their service offering
2. Leverage assets
- SIM cards are a powerful tool; mobile ID makes optimal use of them
3. New revenues
- Diversify revenue streams with new B2B solutions to public and private clients
4. Relationships
- Operators already have material relationships with subscribers, backed by payment / billing systems
5. Competition
- OTT connect services already exist and are manifest over mobile

Mobile Identity Programme Working Group

32 operators involved in the Mobile Identity Working Group
11 associate members involved

Map labels: France, Moldova; Finland, Moldova, Azerbaijan, Estonia; Turkey, Spain; India; China; Turkey; Japan; Japan; Philippines; Norway; Sri Lanka; Ghana, Tanzania; Germany; UK; Finland; Uganda; UAE; Argentina; Brazil; Cambodia; Egypt; Switzerland
China Mobile China Telecom SMART Philippines Taiwan

Common principles of the draft regulation COM (2012) 238/2

GSMA welcomes the Commission's proposal to provide legal and regulatory clarity across Member States and stakeholders for digital identification and we strongly support its approach that is technology neutral and open to innovation

It upgrades the legal framework of electronic signatures replacing the existing eSignature Directive, e.g. it allows you to "Sign" with a mobile phone

Timeliness of the intervention: Public Private Partnerships are key for the scalability, demand, and cross-sectors interoperability of Trust Frameworks

The GSMA also welcomes the European Parliament's draft opinions



Mobile is the heart of digital identity

Mobile devices are ubiquitous in everyday life
- Average mobile subscriptions per 100 inhabitants at 123% in the EU-27 in 2012
- Smartphone penetration at 51% in Western Europe in 2012

Subscriber Identity Module (SIM) with more than 2 billion cards in use globally is the largest de-facto identity standard
- No additional hardware
- No additional software

Mobile devices are easy and widely used also amongst the elderly people
- Basic technology (GSM or SMS)
- One single device for authentication

The role of mobile operators is key for the development of the digital economy and will have significant economic and social impact fostering economic growth, innovation and job creation
- +1.09 per cent GDP growth across the EU 27 Member States
- Other positive economic, social and environmental externalities

Mobile identity is private, secure and trustworthy

Most of the existing solutions rely on cell phones in combination with PKI enabled SIM cards with Secure Elements
Mobile devices can also be used as an additional proof of authentication via SMS
The connection with the user may also be performed via NFC, WiFi, RFID or Bluetooth

Mobile devices enable users to carry out signatures on board via:
- The SIM as cryptographic device
- The handset for PIN entry
- Mobile network operator for reaching the user

Secure Elements:
- Mobile device memory (software)
- An internal Universal Integrated Circuit Card (UICC) containing the Subscriber Identity Module (SIM) (non-removable hardware) or SD or micro SD (removable hardware)
- Server side components (such as Hardware Security Module which stores the user private key)

Mobile solutions allow the initiation of on-line identity schemes that get access to sensitive personal information to be protected by strong forms of authentication

Mobile identity empowers consumers and innovative business models

Mobile identity enables user friendly access to new services and applications, balancing the trade-off between:
- Meeting the demand for increasing need of robust security and user privacy.
- Operator imperatives for efficiency, scalability and open interoperability with diverse key players of IdPs and SPs

Both the Governments and identity service providers should assist citizens and consumers in managing their identity and release of credentials data online

Federated/OpenID (and similar solutions) can provide a convenient and low cost method of providing identity services to consumers whilst ensuring increased security to service providers and end users.


GSMA proposed approach

Effective implementation of an Open Trust Framework for Digital Identity. The regulation could be enhanced by providing:
1. Appropriate and proportional security requirements
2. Self-regulation and balanced supervision
3. Proportional liability requirements for qualified trust service providers
4. A consistent privacy and data protection framework
5. A consultative approach and industry cooperation with delegated and implementing acts
6. Automatic processing for international interoperability

(1) Appropriate and proportional security requirements

GSMA believes that a harmonized definition of security assurance levels shall guarantee the adoption of minimum security measures in the provision of electronic identity and trust services across borders and across sectors. This will facilitate interoperability.

A risk based approach shall be adopted whereby the security levels shall be appropriate and proportionate to the degree of risk provided by the undertakings involved in the electronic transaction.

Open standards and best practices to meet emerging requirements

Mobile Operators are able to cover the entire spectrum of identity requirements ranging from simple login to the provision of identity assertion for high assurance eGovernment services.

Harmonized acceptance of security assurance levels shall not only guarantee cross border and cross sector interoperability, but also that the notified schemes shall adopt security measures proportionate and appropriate to the degree of risk provided by the undertakings in the provision of electronic trust services (including other Member States).

(2) Self-regulation and balanced supervision

Appropriate supervision of service providers that issue qualified certificates is a building block of trust in the digital identity and trust services eco-system

The adoption of self-regulated schemes not only strengthens the accountability of organisations operating within the identity management eco-system but also encourages the development of innovative services and best practices

Balanced and harmonized supervisory model of the trust services eco-system

Proposed regulation on supervision is excessive, and the roles of regulators and supervisory authorities are unclear

Member States have implemented the supervision requirements of the eSignature directive in various ways including very basic supervisory controls, self-regulated initiatives and formal certification and prior authorisation.
- For example, in some countries supervisors rely on the work of public authorities and national accredited auditors that operate under standard audit practice; in others, supervisors work under independent, industry-led, voluntary, self-regulatory schemes set up to create strict assessment criteria for trust services.

The adoption of voluntary accreditation schemes strengthens the accountability of organisations. By supporting self-regulatory approaches a balanced supervisory and enabling framework is encouraged

GSMA believes that the supervision model that this regulation shall introduce should be harmonised and provide legal clarity and regulatory certainty for the stakeholders in order to encourage best practices and open industry standards for interoperability


(3) Proportional liability requirements for qualified trust service providers

A risk based approach to liability requirements shall ensure transparency and accountability while fostering large scale deployment and innovation.

The Regulation should aim to clarify minimum liability requirements and mechanisms for automatic processing.

Liability conditions are key building blocks of the regulation

Proposed liability conditions increase the risks and costs to businesses of providing qualified electronic trust services.
Strong authentication systems are costly to implement; only the potential for mass market opportunities and network effects to be exploited will help service providers to deploy
- For example, certificates issued by national authorities (or approved CAs) are typically expensive (50-200) because of the stringent security requirements needed to protect the root keys and certification process. Where security requirements can be limited and/or the fixed costs of setting up the certification process can be amortised across a higher volume of certificates the costs can be brought down to a matter of Euro cents.
The proposed Regulation should aim to harmonize minimum liability requirements and mechanisms for automatic processing






(4) A consistent privacy and data protection framework

GSMA believes that privacy matters to individuals, to business and governments. Consistent privacy and data protection experience for users is key to building trust in the identity ecosystem.

The proposed Regulation shall reflect existing directives and recent regulatory developments to avoid compliance duplication and overprescriptive rules.

Consistent data protection and security experience for end users and other stakeholders

EU Member States have already largely implemented notification regimes for loss of integrity and breach of security impacting the operation of public telecommunications networks and services (Article 13a of the revised Framework Directive) as well as breaches of personal data (Article 4 of the revised e-Privacy Directive).

The EC has also proposed a comprehensive reform of General Data Protection Rules, which will extend the notification obligation to sectors other than telecommunications.

GSMA is of the view that a risk based approach is required, one that gives more consideration to the harms materialising from the use of personal data and ways to address these risks and harms. This would not preclude the use of data to support future knowledge based actions to the benefit of citizens, consumers and society

(5) A consultative approach and industry cooperation with delegated and implementing acts

The adherence to codes of practice and best practice specifications shall guarantee flexibility for trust service providers vis-à-vis technological developments

Consultative and transparent process

Most of the work still needs to be carried out. Detailed technical aspects of the Regulation that will be delegated to the Commission and subject to consultation include:
- Art 8 (3): interoperability of electronic identification;
- Art 15 (5): security measures required of trust service providers;
- Art 13 (5): recognised independent supervisory bodies responsible for auditing the service providers;
- Art 18 (5): trusted lists;
- Art 21 (4): requirements related to the security levels of electronic signatures;
- Art 25 (2): requirements of qualified certificates for electronic signatures, their validation and their preservation;
- Art 23 (3): the bodies responsible for the certification of qualified electronic signature creation devices; and
- Art 29 (4); Art 30 (2): the requirements related to the security levels of electronic seals and to qualified certificates for electronic seals;
- Art 35 (3): the interoperability between delivery services

Technology-specific requirements or technology mandates represent significant risk to innovation, competition and economic growth; a consultative and transparent approach with key interested parties will help reaching scale and interoperability

(6) Automatic processing for international interoperability

With automatic processing there are benefits to international interoperability and positive impacts on costs, large scale deployment and innovation.

Automatic processing

As machine-stamping will become increasingly used in signed documents (in order to indicate personal authorization for the person to act in the name of a particular organization), it is important that this information is processed automatically and uniformly across the EU.
It also makes it possible to reduce customers' involvement in the set-up phase, and makes access to e-services more user-friendly and more reliable

Multiple service security levels could be supported by automated analysis and for liability limit information on individual certificates

Timeline e-identification

Commission to work with EP/Council throughout process of adoption of the Regulation (co-decision procedure)
On-going negotiations between EP and Council to seek an agreement in 1st reading

Jan-June: Irish Presidency of the EU; July-Dec: Lithuanian Presidency of the EU

Timeline axis: Dec 12, April 13, May, June, July, Sept, Dec

Dated entries:
- 18 Dec: EC presentation.
- 3-4 April: ITRE/IMCO draft report/opinion
- 24 April: ITRE, IMCO, JURI, LIBE consideration of report/opinion.
- 15 May: Deadline for AM in ITRE/IMCO
- 6 June: Progress report at Telecoms Council (tbc)
- 7 June: MCOM meeting
- 19-20 June ?: Consideration of AM.
- 8 July: Exchange of views on CA.
- 9 July: Vote in IMCO
- 18 Sept: Vote in ITRE
- 10 Dec: Vote in Plenary
- Dec/Jan: Adoption by the Telecoms Council (tbc)

Other timeline entries:
- Proposal sent to EP and Council
- EC presentation at MCOM
- Meeting with rapporteurs/shadows
- Text proposals sent to rapporteurs/shadows/secretariats and political advisors of IMCO and ITRE.
- Amendments sent to key MEPs/Political advisors.
- Meeting with Telecoms attaches and Lithuanian Presidency.
- Voting recommendation to IMCO and political advisors.
- Voting recommendation to ITRE and political advisors.
- Voting recommendation MEPs and follow results.

Additional slides
Case Studies

Current service footprint
- Mobile birth registration
- Subscriber data management

Mobile ID: A national implementation in Finland

Mobile ID in Finland: Electronic ID on the phone SIM card

Seamless eServices ecosystem from operators authentication, authorization, payment approval

Mobile ID - tool for convenient and secure eTransactions
- GSM number + Mobile ID PIN-code
- Same user-experience across all channels and services: web, mobile, phone call
- Clear roles between players
- Simple, transparent business model

Common service from leading Finnish operators
- Strong authentication according to the law
- Trust network between operators
- Single agreement and integration to reach all users
- Mobile ID registration with home operator (operator store, internet with Bank ID)

27/11/12 Elisa Varmenne Palveluntarjoajille 6

Digital signature: Mobile Signature in Turkey

Turkish mobile signature service was launched in 2007 by Turkcell, and was the first in the world to go live

Key findings
- Enterprise users are the early adopters: consumers not there yet
- Financial services and e-Government access drive adoption
- Ease of subscription is key to customer adoption
- Large range of service providers and services is necessary to boost adoption
- Launch by an individual operator alone is challenging

Average Revenue Per User
- Mobile Signature User: $29.5
- Average Turkcell subscriber: $11.8

Transactions by category
- Finance: 68%
- E-Govt: 27%
- Business Solutions: 3%
- Other: 2%

Available for download on our website: gsma.com/mobileidentity

Mobile e-ID: Mobiil-ID in Estonia

Estonia has been pioneering mobile services for every-day use since 2007, and was the first to conduct mobile voting in national elections in 2011

Key findings
- Strong ecosystem for mobile-ID usage - all e-services (login/signing) are available also with mobile-ID
- Ease of adoption for consumers (in case of server-based model, no need to replace SIM or special registration, etc)
- Low-cost and convenience for service providers (no computer, special software or smart card readers needed)
- Strong stakeholders are needed in order to get mass usage and de facto standard status (internet banking, public transportation)
- In Estonia, possibility to extend Estonian ecosystem and technological infrastructure operated by TeliaSonera in Estonia (EMT + Certification Centre) to other TeliaSonera markets

M-PAYMENTS
- mobile banking
- web payment
- public transportation
- insurance, energy companies
- person 2 person
- cross-operator mobile payments
M-GOVERNMENT
- information access
- digital signature
- business register actions
- citizenship registers
- tax and customs
- e-School, e-Health
- parliament voting service

Birth registration: Uganda Telecom

Uganda Telecom has become a pioneer in the use of mobile as a means of dealing with fundamental challenges relating to physical identity

Key findings
In developing countries like Uganda, there is a critical need for mobile technology to help solve real-world practical problems
Paper-based birth registration processes are slow, inefficient and often incomplete
- Paper records are easily lost or destroyed
- It is not uncommon for official stationery to be unavailable
- Distances involved in submitting documents are substantial, and the accordant time and cost associated with the process are disproportionate
- Village chiefs, who typically have responsibility for such matters, have many other, arguably more pressing issues to deal with
Mobile provides a highly efficient solution to a perennial problem
- Even in deep rural areas, coverage is available whereas fixed networks are typically unavailable outside major urban centres
- Costs are low; benefits are almost immediate

Available soon for download on our website: gsma.com/mobileidentity
