Historical background

Sweden has a long tradition of population registering, the first records dating back to the early 17th century (Tax Agency 2009a). Evolving from that history is a national register of personal ID numbers which constitutes the base of Swedish government administrative operations. Since 1974 there has been a single personal ID number which is used as the key to every public record and many private ones. Hence, when the development towards electronic services to citizens and the related issue of electronic IDs (eID) began in the mid-1990s there was both a well established back-office administrative organisation and general acceptance in society for registration. Sweden also has a long tradition of ID cards containing the personal identification number being issued and distributed by private organizations, mainly banks and post offices. In line with this history of government-licensed identification and with the ambition to quickly reach a large part of the population, the choice for eIDs as well as eID management was a market solution where, mainly, the banks provide the user base and the government regulates by legislation and requirements in recurring procurements. Electronic signatures were legally defined in 2000. eIDs have been procured by government by means of “framework contracts” since 2001. There are today four contracted providers, basically the same ones as in 2001. As a result there are a number of different eIDs, all of which are valid for citizen-government interaction. The central agency for eID is the Tax Authority which today hosts the procurement, the administration, and, as of the latest proposal, soon also the “embedded” regulating body. It also manages the population register, which is the basis for identification of individuals, and it is the largest provider of electronic services where eIDs are used. The policy-making body, the e-Delegation, is situated within the Ministry of Finance.

The market model was chosen for several reasons. First, it was assumed that competition among providers would make costs as low as possible. Second, as the eIDs were seen as an important driver for e-service development, the use of existing providers, i.e. the banks, would be the quickest way to reach a large number of people as all bank customers would get an eID at no cost. Third, this solution would avoid a large upfront investment by government. As stated by the Parliament (Trafikutskottet 2005/06; translation by the author), the role of government should be to “support the use of e-legitimations, stimulate competition between providers of such legitimations and remove obstacles related to infrastructure, market and competition [....] work for the development of technology-neutral standards for electronic signatures”. Not only the eIDs themselves but also the control structure, the certification system, was left to the providers. This paper reviews the history of the eID and eID management (eIDM) in Sweden, as well as the 2009 evaluations and proposals for the near future.

The eIDs and the ID cards

eIDs are based on the Swedish administrative tradition and hence include the personal identity number, taken from the national population register, as the identifier and the key for comparing data across databases. The personal identity number consists of 10, more recently 12, digits. Digits 1–6 (1–8) contain the date of birth in YYMMDD or YYYYMMDD format, digits 7–8 (9–10) encode the geographic area, digit 9 (10) the sex, and digit 10 (12) is a checksum. The register was originally administered by the Church of Sweden; effective 1 July 1991 the task was transferred to the National Tax Agency (Tax Agency 2009f). In the national registration file (Swedish: folkbokföringsdatabasen), the following personal information is registered (Tax Agency 2009g): Name, personal ID number, address of residence, partner, children, parents, caretaker, adoption (as applicable), place of birth and place of residence at time of birth, citizenship, marital status, migration to Sweden, and deregistration from the population file due to death, emigration or other.
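Because this number is the join key across registers and is carried inside every eID, a relying service should validate its structure before using it for any lookup. The following is an added example, not code from the paper or from any eID provider: it assumes the checksum is the Luhn (mod 10) digit that Swedish personal identity numbers use (the paper does not name the algorithm) and that an odd sex digit means male; the function names are hypothetical and the sample numbers in the test are constructed.

```python
import re
from datetime import date

# Accepts the 10-digit form YYMMDD[-+]NNNC and the 12-digit form YYYYMMDD[-]NNNC.
_PIN_RE = re.compile(r"(\d{2})?(\d{6})[-+]?(\d{4})")


def luhn_check_digit(nine_digits: str) -> int:
    """Luhn (mod 10) check digit over YYMMDD plus the three digits after it.

    Assumption of this example: the paper only says 'checksum'; Luhn is the
    scheme used for Swedish personal identity numbers.
    """
    total = 0
    for i, ch in enumerate(nine_digits):
        d = int(ch) * (2 if i % 2 == 0 else 1)   # weights 2,1,2,1,...
        total += d - 9 if d > 9 else d           # add the digit sum of d
    return (10 - total % 10) % 10


def _valid_birth_date(century, yymmdd: str) -> bool:
    """True if YYMMDD is a real calendar date.

    The 10-digit form carries no century, so it is accepted when the date
    exists in either the 1900s or the 2000s (this only matters for 29 Feb).
    """
    yy, mm, dd = int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:6])
    for c in ([century] if century else ["19", "20"]):
        try:
            date(int(c) * 100 + yy, mm, dd)
            return True
        except ValueError:
            continue
    return False


def parse_pin(raw: str) -> dict:
    """Validate a personal identity number and split it into its fields.

    Raises ValueError on bad shape, impossible birth date or wrong checksum,
    so a caller never uses an unchecked value as a database key.
    """
    m = _PIN_RE.fullmatch(raw.strip())
    if m is None:
        raise ValueError("expected 10 or 12 digits")
    century, yymmdd, tail = m.groups()
    if not _valid_birth_date(century, yymmdd):
        raise ValueError("birth date is not a calendar date")
    if luhn_check_digit(yymmdd + tail[:3]) != int(tail[3]):
        raise ValueError("checksum mismatch")
    return {
        "century": century,            # None for the 10-digit form
        "birth_yymmdd": yymmdd,        # digits 1-6 of the 10-digit form
        "area_code": tail[:2],         # digits 7-8, as described in the text
        "sex": "M" if int(tail[2]) % 2 else "F",   # digit 9: odd = male
        "checksum": int(tail[3]),      # digit 10
        "normalized": yymmdd + tail,   # canonical 10-digit key
    }
```

Normalizing both input forms to one canonical key before comparison avoids the same person appearing under two different identifiers in logs or access-control tables.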

There are two versions of eIDs, one “soft” on a file downloadable to the user’s computer and one “hard” which comes on a chip on a plastic card. There are four private providers of eIDs contracted, one of which heads a consortium of several banks, who provide downloadable eIDs on file as well as on their own cards. In addition there are two “national” ID cards provided by government. One is the NIDEL (“National ID card prepared for E-Legitimation”), issued by the Police, the other is issued by the Tax Authority. The Tax Authority card carries, optionally, an eID issued by Telia. The NIDEL has a chip but does not as of today carry any eID.

The eIDs have different backgrounds. The eIDs in general were motivated by the development of electronic government which required secure transactions. For this purpose, the soft eID is today used for virtually 100% of the transactions. The cards are motivated by other arguments. The NIDEL national ID card was motivated by the identification needs of the Schengen Treaty, and the Tax Authority ID card was required by the need to provide as many people as possible with an ID document (e.g. people under the age of 18 and non-Swedish citizens residing in Sweden).

eIDs

eIDs are generally regulated by the Law 2000:832 (SFS 2000) on qualified electronic signatures (Law 2000:832), which implements the EU directive 1999/93/EC (a Community Framework for Electronic Signatures and Their National Implementation). This regulation deals with electronic signatures in general but not eIDs and/or cards specifically. The Law defines two types of signatures, “advanced” and “qualified”. “Qualified” is a higher security level and requires that the eID is based on a qualified certificate and created by a secure device for eID creation (SFS 2000). All existing eIDs fulfil the criteria for advanced eIDs, none for the qualified (Kjölberg 2005). The difference between the two has to do with the production of the signature. While both types must uniquely identify a single individual, a qualified certificate must also be produced in such a way that data used for the production:

  • can in practice be used only once

  • with reasonable probability cannot be back-traced, and

  • can be protected satisfactorily by the signatory so that no other person can retrieve it or use it (Law 2000:832, 3 §)

The eID is a service provided by businesses and procured by government by means of “framework contracts” (Swedish: ramavtal), which is a common way of procuring services from the private sector. It means that the responsible government agency procures a service for the whole public sector. The framework contracts award the right to issue eIDs to a number of companies for a limited time by means of a procurement process. Public sector departments must use existing framework contracts, which means all contracted eIDs are in principle accepted by all public agencies. The actual use of eIDs, however, is decided by each agency that wants to use it for some e-service. That agency also pays for use per transaction. The first eID procurement process took place in 2001, subsequent ones in 2004 and 2008. Current contracts are valid until 2011 and involve four contract holders: Swedbank (representing the BankID owned by a consortium of banks), Nordea (a bank), Telia (Swedish Telecom) and Steria (a company in the IT security business). All issuers provide eIDs of basically similar technical specifications, issued on cards or files downloadable to a computer, and include two certificates, one for authentication and one for signing. Technical specifications are for all eIDs.

While the different eIDs are technically virtually identical, at the interface level they are different, which creates a need for multiple interfaces and dialogues on the user side. There may also be practical restrictions to use; all contracted eIDs are accepted in principle all across government departments but as each department makes a business agreement with each eID provider the number of eIDs accepted at each e-service varies. The eIDs contain the following information: A public key, family name, given name and personal ID of the card holder, validity dates for the public key, a serial number for the eID, name of the issuing company (CA), digital signature for the CA (Telia 2009).

The framework contracts are awarded in such a way that the whole Swedish population (9,3 million) can easily get an eID. Together the banks involved have 5,6 million Internet bank customers, and Telia is the major telecom operator in Sweden in terms of coverage, both geographically and concerning number of users.

There is also a separate framework contract for an intermediary service called the “infra service” (Swedish: infratjänsten) which helps government agencies developing and operating electronic services. The infra service is contracted to two companies for 2003–2013. According to a new proposal (E-Delegationen 2009a) this service will be expanded, partly as a response to the criticism that the number of eIDs and their different designs require complex handling for service providers as well as users (Verva, 2002), partly for increasing security and control. Figure 1 illustrates the general scheme with four contracted eID providers (rightmost column), the intermediate infra service (middle; two providers contracted) assisting the department providing an e-service in need of an eID (left).

Fig. 1 The relation between the eIDs and the Infra Service exemplified by the Logica version (Dahl 2008)

There is also a professional eID (Swedish: tjänstelegitimation) offered by some companies. This is tied to a specific individual in the organization, not the organization itself as a legal entity. This service fulfils an important role in that a person can be identified as affiliated to a company and hence can communicate on behalf of that company, e.g. sign documents electronically. Technically the professional ID is similar to the personal ID but there are differences in the information contained. The professional IDs contain the organisation’s identification data (name and number) but not the personal ID number of the individual eID holder. Organizations own the professional eIDs and have the right to cancel them.

National (e)ID cards

The Swedish Police has issued the Swedish national ID card, NIDEL, since October 2005. The reason for establishing this card was the Schengen treaty on mobility within the European Union. This card contains information about Swedish citizenship and is issued only to Swedish citizens. The card has a chip and can hence carry an eID. This functionality is, however, not offered. The intention is that the contracted eID providers will be able to install an eID on the card, but so far none of them do that. The NIDEL card can be used as a travel document within countries that have signed the Schengen treaty. As of October 2009, 291 990 NIDEL cards had been issued (Timm 2009).

Since June 1st 2009 the Tax Authority has offered an ID card which optionally includes an eID (from Telia) to people who are registered in the Swedish population register and are over 13 years of age. This means also non-Swedish citizens can obtain such a card (Tax Authority 2009b). This service is provided by the Tax Agency as a substitute for the former Swedish Mail (Swedish: Posten) card, the issuing of which was cancelled when Swedish Mail closed their national office network. As of October 2009, about 20 000 cards had been issued (Kinberg Sjögren 2009); by December the number was 30 000 (Tax Authority 2009c). Table 1 displays the characteristics of the cards and the eIDs. To obtain a card it is necessary to visit an office in person and present a valid ID card or personal identification by another person who can identify herself by means of a valid ID card, e.g. a parent.

Table 1 Characteristics of the Swedish eIDs and cards

Main phases and actors constellation

Development phases

The work of developing an eID system in Sweden started in the mid-1990s when the development towards electronic services to citizens began. The first leading group was the Top Leaders’ Forum comprised of Directors General for the major government agencies. Roughly, the development can be characterized by three phases marked by the years of the eID framework contracts: 2001, 2004 and 2008. The phases can roughly be labeled inception, implementation, and maturity.

Phase 1: Inception. The period before 2000/2001 is characterized by a number of projects and strategy development. The first major implementation milestone, “phase 1”, can be defined as the legislation of 2000 and the ensuing first framework contracts procured in 2001. By that time EU legislation recognizing electronic signatures as equally valid as physical ones had been implemented. The Swedish Law on electronic signatures was established in 2000. By that time some electronic services had grown to great popularity, in particular e-banking which at the time encompassed 2,7 million customers in Sweden (BankID 2009e), out of a total population of 9 million. Because of this large customer base, the great credibility of the banks, the fairly high security in the operation of the electronic banking system, and the high alternative costs involved in organizing a separate government national eID system, it was decided to use the banks as the eID infrastructure. A consortium involving the major Swedish banks was formed with the purpose to develop a general eID usable for all kinds of e-services. The consortium was legally institutionalized in the company Finansiell ID-Teknik BID AB in 2002, and in 2003 the first BankID, as the product was named, was issued. By the end of 2003 the number of users exceeded 100 000. The service offers were very limited at that time, but 27 000 people filed their annual income declaration electronically that year. The Taxation Office and the Social Insurance Office were the pioneers in the public sector in developing electronic services using eIDs.

Phase 2: Implementation. A second development phase may be defined by some events marking that eID was established in government operations as well as in terms of use. This includes the second framework contract procurement process in 2004, increased availability of eIDs and increased use. By May 2005 the number of users exceeded 500 000. In November the same year eIDs became available on cards (earlier versions were only available as files downloadable to the users’ computers).

After this time growth of electronic self-services increased rapidly. In 2006 a new record of two million use occasions during one month was recorded. By that time there were three eID issuers on the market: in addition to BankID there were Nordea (the major bank) and Telia, both companies with major government ownership. An eID web site was established jointly by the issuers for the purpose of facilitating eID use among citizens (www.e-legitimation.se). A 2007 survey showed that 95% of the Swedes are aware of the BankID (BankID 2009e), the market leader. According to government measurements, in 2008 1.5 million Swedes used their eIDs every month, and use is increasing (Verva 2008, p 16).

Phase 3: Maturity. A third phase can be expected in the near future following the new E-Delegation’s proposal (SOU 2009:86). This phase will include at least some of the proposals made by the e-government coordinating agency, Verva, just before its closing in 2008, all of which aimed to establish the eIDs more firmly legally and organizationally. The proposals include in particular legal definitions of eIDs (today not existing), an eID for professionals, and more government regulation and integration by means of a national government coordination unit supervising the CA hierarchy, providing value added services such as a single interface to service providers and users, and a federation approach to identity control which will improve privacy by keeping a considerable part of transaction files within government and induce savings by internal certificates replacing (contracted pay-per-use) eID use for many transactions. More generally—concerning eGovernment overall but certainly important also specifically for eIDs—the instructions include working towards open source software and solutions that “stepwise makes the administration less dependent on individual technical platforms and solutions” (E-Delegationen 2009b, translation by author).

The development for this third phase is led by the E-Delegation which as of 2009 is taking over most of the tasks that previously were assigned to Verva. This is an expert group comprised of the Directors General of the major government agencies, led by the Tax Agency. The work will draw on the eGovernment Action Plan of 2008 and the E-Delegation is broadly charged with “implementing it” (by Government Directive 2009:19; E-Delegationen 2009b).

Table 2 summarizes some milestones in the history described above.

Table 2 Milestones in the eID/eIDM introduction process

Actors involved

There have been a number of actors involved over the eID development period. Most notably, leadership has changed several times. As Fig. 2 illustrates there have been parallel but interrelated action tracks over the years. The topmost track concerns the national government, its temporary groups and institutions. Over the years formal leadership has shifted from SAPM (Swedish Agency for Public Management) to Verva to the Ministry of Finance. “Spiritual leadership”—which has been important in a situation where the national government is not in formal control of the agencies—has also shifted, from SAMSET to the e-committee to the 24/7 delegation to the e-delegation. These bodies have been installed for the purpose of coordinating actions across departments. However, in all those groups (and already from the 1995 Top Leaders’ Forum) a common denominator is that the Directors General of the major government departments have been represented, with a core consisting of the Tax Agency and the Social Insurance Agency. This is where the real power has been all the time as this is where reforms are going to be paid for and where the largest number of users and transactions are found.

Fig. 2 Actors in the Swedish eID development process

The middle track concerns the private sector which includes a number of banks forming the BankID consortium as a response to government policy as discussed at the time.

The bottom track concerns the development in the health care sector, dominated by the County Councils. This sector has had to move more quickly than the national government as EU regulation requires more of standardization and convergence from the health care sector than from government overall. To achieve interoperability in a distributed organizational setup the health sector has acted mainly through two jointly owned companies, Carelink and Sjukvårdsrådgivningen AB (Health Care Advisor Inc.). The two have recently merged into one, using the name of the latter. These joint actions have led to a national Enterprise Architecture for the sector and a specific professional eID solution which includes the SITHS eID card as well as a CA structure. Figure 2 provides an overview of the actors in the eID development process.

In an international perspective, Sweden has a special context for “policy” as the relative independence of the public administration is great whereas the Ministries are weak. Policy is hence not decided top-down but negotiated. The government agencies are implementing policy, and they are regulated by goals and budget allocation. This means the Ministries can not regulate in detail what the agencies do. Because the budget allocations are usually designed to induce savings, policy discussions are strongly influenced by department economic reasoning. This is the reason the major agencies, in particular the Taxation Office and the Social Insurance Office, have had a strong influence over the process. Because the Agencies and the Ministries cooperate closely, not least informally through personal contacts and working groups, it is hard to distinguish who influenced who the most.

The Police issues a national – voluntary – ID card but not eIDs. The card was created for the Schengen treaty and does not today contain an eID. Public administration in general has not been driving towards services using eID and leadership has been weak and shifted between different organizations. The national agencies have all had an advisory role. Industry is currently providing the basic infrastructure. It was pro-active in the early 2000s by forming a consortium for joint action producing the BankID. The Ministry of Trade has been involved mainly at the margin of the eID, however as being in charge of the IT security field in general it has all through the process been an important actor. The Tax Agency has been leading both policy development and service implementation since the Top Leaders’ Forum (1995) with the Social Insurance Agency as a ubiquitous partner as two of the major service providers. The Ministry of Finance has a formally important role being in charge of the process for several years. Political leadership has been weak all through the process (NAO 2009), following the basic Swedish regulation; however the 2009 leadership change is intended to put the Cabinet more in control.

Diffusion and promotion

Usage

As of 2009, according to BankID statistics—which is the main data source as they log transactions (RRV 2009; 48)—1/3 of the population aged over 18 has an eID and 75% of those who have one use the BankID. According to a survey in 2007 (n = 1248), 95% of the population over age 18 knows about BankID and eID in general and 56% have used it (BankID 2009d). Use is highest in the ages 18–55 years, for ages 18–36 use is evenly distributed from a gender perspective; over 37 men dominate by about 60/40% (BankID 2009a,b). As for the service supply, private sector services dominate with 52% of transactions; however, virtually all of this concerns e-banking. There is no other private e-service market for eIDs as of 2009. Government service use represents 41% and almost exclusively pertains to national government; the local and regional government sectors together account for only 0.7% of transactions. Overall, about ¾ of the use concerns login and ¼ signing of a transaction of some kind in both the government and the private sector. 92% of the eIDs used are the soft version on file, only 8% uses cards. This distribution matches exactly the number of issued soft vs hard eIDs. ID cards are more used in the private sector, for about 10% of the transactions, whereas in the (national) government sector their share is only 1.3%. This means eID cards are not important for government e-services.

BankID is by far the most used eID with a reported 1.5 million users in early 2009 (BankID 2009c) and 2 million in November (NAO 2009; 48). It is provided by nine banks—Handelsbanken, SEB, Swedbank, Skandiabanken, Länsförsäkringar Bank, Danske Bank, Sparbanken Finn, Sparbanken Gripen and Ikano Bank—who together have a customer stock of 5,6 million people.

As for the service supply, the picture is mixed. Including both the public and private sectors, there are today some 300 services offered where eIDs can be used (e-legitimation 2009). In February 2009 there were 5 million transactions, 46% of which pertained to financial services, i.e. e-banking, and another 46% to government services (BankID 2009a). By far the most used e-service is the annual income declaration. In 2009, 3,9 million Swedes, 53% of those who could do so (up from 33% in 2005), delivered their income declaration “electronically”, which includes not just using eIDs but also automated telephone service, SMS and over the Internet by using an individually assigned code which is printed on the tax form and used for signing the declaration. The code, as well as the phone and SMS options, can only be used to approve a declaration prepared by government. An eID is needed for making changes; however, a majority of the population does not need to do that. Table 3 shows the distribution of users among the different technical possibilities and compares shares for 2005 and 2009 (Tax Agency 2009d).

Table 3 Number of users for different e-declaration methods 2005 and 2009

Among people born in the 1970s and 1980s the e-declaration share is over 70% with a maximum for people born 1987; 79%. Women are slightly more likely to e-declare than men; 52,8% vs 47,2%.

By comparison, the number of ID cards distributed is very small. By December 2009 about 30 000 Tax Agency ID cards (Tax Agency 2009c) and about 300 000 NIDEL cards (Timm 2009) have been issued.

There are different opinions as to whether this uptake is good or poor. Mass use is still limited to the major government agencies, in particular the Tax and Social Insurance agencies. The use numbers for the major user, the Tax Agency, are increasing but still do not quite reach the goals. Calculations by the National Audit Office (NAO 2009) suggest that the number of eID users is “at most” 40% of the population who regularly use the Internet. People under the age of 13 can not get one (in all one million). The reasons for this claimed underuse can not be easily assessed, but the NAO as well as Verva (2008) both suggest poor usability as one important factor. Usability requirements increase when perceived need decreases. Use of eIDs competes with other solutions such as special codes defined by the Tax Agency, which means that although “electronic” services are much used, eIDs are not necessary in many cases and hence other methods prevail. The advantage of confirming your income declaration by use of eID compared to sending “YES” by SMS is not necessarily obvious to users, as both the above presented numbers and earlier research on uptake of technology suggest (Rogers 1962, 2003). Even though all four eIDMS under investigation are each easy to install and use, there is complexity because different eIDs must be used for different services, the technical process of authentication is generally obscure to users, and the advantage of higher security is not visible and not observable. The new proposal from the E-Delegation (E-Delegationen 2009a) suggests a centralized coordination function within the Tax Agency. This would provide a single user interface to individuals as well as to government agencies. The use of federations would make identifications re-usable within government, which would generally facilitate use and also make it possible to coordinate use of different means of identification. In all this can be expected to increase both use and security overall.

Following the request from the Parliament (Trafikutskottet 2005/06), Government has tried to stimulate use in different ways. One kind of stimulation has to do with costs. eIDs on file are free for the user. The cost for using them is paid by each government agency using the eID service for their electronic services. The ID cards come at a cost, currently 400 SEK (app. € 40) for the NIDEL and the Tax Authority card and 800 SEK (€ 80) for the Telia card (NAO 2009; 49). That may certainly be one explanation why eIDs on file are by far the most commonly used.

Another kind of stimulation has to do with the service supply. The outstanding leading service is the annual tax declaration. Use of this service has been stimulated by paying tax returns earlier for people who file their declaration electronically. The Tax Authority has put quite some effort in promoting this service by making it increasingly useful and usable.

Judging from both the debate and the statistics on use and service provision, the most difficult problem is to stimulate service providers within government to use the eID. As shown above, virtually no municipalities and no private companies except the banks use it. The Government has sought to stimulate the public sector organizations by means of the “infra service” framework contract by which prospective service providers can get a complete start package including not only communication but also document transfer services. The new proposal from the e-delegation extends that service, so as to make things easier for both service providers and users.

Technical and organizational aspects of diffusion/use

Currently, all eID providers have their own CA. There have been voices raised for a government control and guarantee of security by means of a national CA, not least by Verva (2008), but there have also been arguments against. For example the Data Inspection Board suggests that centralization of transaction information is a potential threat to privacy. The new E-delegation has proposed a new strategy (E-delegationen 2009a), still subject to political decisions, which responds to this criticism to some extent. The Delegation proposes the establishment of a national Committee for E-Coordination, within the Tax Agency, which is to coordinate all government departments’ use of e-legitimations, e-signatures and shared e-services. This committee is to serve as a gateway between eID providers and government agencies in several ways. Some of this has already been provided by the “infra service”, but the Committee is assigned a much extended task and a legal mandate. It will provide a common interface to eID users (citizens as well as government departments) so they do not have to deal directly with different providers. It will also provide different kinds of identifications. By means of federations it will be possible to re-use identifications among all national government agencies. It will also be possible to use other means of identifications than PKI based ones in some cases. This means savings as eIDs are paid per use.

This solution will provide a number of advantages compared to today’s situation, including simpler handling for government agencies, national CA control, maintaining the private solution to eID provision, and simpler use for citizens who will only need one eID.

The Swedish case in comparison

Comparing the Swedish case to other European countries we find a fairly complex solution stemming from a market approach, with several private eID providers, no centralized eIDM system, and no single Swedish eID card. However, in terms of both service supply and use the numbers are good in international comparison. The key to e-services is not the card but the “soft” variant with eIDs on downloadable files. Downloadable eID was the first choice for a token for online authentication, continues to be in terms of use, and will most likely continue to be as people mainly access services from their personal computer. The eID cards came on the agenda for other reasons such as the Schengen Treaty (the NIDEL) and the necessity to be able to provide ID opportunities also to non-Swedish citizens, non-bank customers, and people under age of 18 (the Tax Agency card).

The new proposal—still subject to political decisions—promises to do away with many of the current drawbacks. It also has the explicit ambition to serve as a “Trusted Node” in a European perspective, and serve as a role model for the private sector eID use, if nothing else by providing national federation policies that other federations, e.g. for the municipal and private sectors, can use (Kirei 2009).

In terms of the theme for this special issue the Swedish case exhibits a considerable degree of path dependency. The statement that “A national eIDMS can be described by technical, organisational and regulatory attributes. For all three dimensions, the existing IDMS is considered to be the most significant input into the eIDMS development process resp. the interaction system”Footnote 3 is certainly true in the Swedish case. The decisions taken for most of the technical components of the national eIDMS follow established paths of smart card and authentication technologies. Organizationally, very few changes were made. eID provision was outsourced; no government agency was charged with the tasks involved with setting up an eID system. The regulatory pattern has been kept quite stable, and to a minimum. Existing legislation has been adopted to legalize the technical and organizational changes. A signature law was designed, general existing laws such as concerning privacy and secrecy were applied, and many other laws and bylaws have been complemented with paragraphs detailing changes for specific agencies. Technical development was left to the providers. These have so far been slow at upgrading and not strived for a standardized or open solution; the technical systems are virtually the same today as by the time of the first procurement in 2001. Hence, as a side effect of taking the established path, the development towards interoperability which eGovernment in general and the Swedish national plan in particular strive for (NAO 2009). The National Audit Office also concludes that the path chosen has neither encouraged competition but rather given providers local monopolies as the eID comes as part of being customer in a bank, not as a product to be chosen individually based on quality and price criteria.

Even though the new proposal will remedy some of the observed shortcomings and lead to increased government engagement for control, economy, and usability, it retains a high degree of path dependency. While government will establish a new unit for control and facilitation, the contracting model with private eID suppliers will remain and most likely the same providers will be sustained. The market solution was chosen for many reasons. While the historic continuity is often mentioned officially, there were also other reasons, including no government agency being fit to take up the role, a wish to save costs in central government, to which the market solution contributed by placing the costs with each government organization that uses eIDs and the investment with the private providers, and a general market approach to government. It should be kept in mind that in Sweden eGovernment is seen as a way to make administration more efficient, i.e. a way to cut resource spending, not as a modernization project to which resources are added. Because efficiency is measured at government agency level, both costs and benefits are allocated to that level as far as possible. The role of central government in this model is that of a regulator. This role has been upheld by numerous law additions and specifications so as to specify requirements for eIDs and to make them legally usable for government services. The new proposal is to increase control within the same basic market setup.

The Swedish eID history is best understood in terms of the Swedish government organization with weak central government and strong departments, which hold the budgets and hence the resources for investment in eIDs as well as e-services. Historically it is the power and immediate interests of these departments that have directed the development, in combination of course with EU directives which mandate national action. Most of the public services elected by the Council of Ministers for e-government benchmarking are offered by offices on the national level. These units are quite autonomous with regard to which services they offer online and which authentication method they make use of. National governments can and do regulate a technical tool but not the ambition of its application.

The Swedish process has no important relation to divides in the political system, and political changes in government have not affected the process in any decisive way. The value of privacy is equally endorsed across the spectrum of political views and the tradition of making “framework contracts” between the Government and the private sector is long-standing.

There is virtually no eID use outside government and the bank sector. The eID project evolved as part of the eGovernment development, and the banks at the time saw an additional source of income based on technology they had already developed for their own purposes. The eCommerce sector has had a different history and uses other secure transaction methods. Using the government-defined eID in the private sector also creates a need for new regulation as the national personal ID is used, which is prohibited by law in the private sector.

The current model has met criticism in the eID field for many reasons, including not being open enough, not being flexible towards the different security needs of different e-services, and drawing on unstandardized technologies among a multitude of providers, so that e-services need to be adapted to different technical solutions, which leads to high costs and complicated use. There have also been calls for a national CA hierarchy and for qualified signatures, and for improved legal regulation (Verva 2008; NAO 2009).

The new proposal from the E-Delegation addresses all these problems to some extent. While maintaining the market solution for eID provision it introduces government control of the CAs, national coordination of eIDs including centralized procurement, single interface, a federation approach to ID control, and extended legal regulation.

One criticism the new proposal does not address is that by the NAO (2009) of not supporting competition. The NAO suggests that, as the model means that the user base depends on access to the banks’ customers, it is in practice not possible to exclude any bank from the framework contracts, as this would mean excluding some citizens from government e-services (NAO 2009; 59). Hence there are no incentives for price competition.

Another point that is not clearly addressed is that of open standards. The new government organization will work to hide the differences among the proprietary technologies for service providers and users, not to make the technologies themselves more interoperable. There is no direct way of establishing open, or even common, standards; this will be addressed by means of “discussions” with the providers.

Privacy issues have high priority in Sweden. The Personal Data Act is comprehensive and the Data Inspection Board (DIB) has a history of being very strict and in practice being able to veto new uses of personal data that are considered a threat to privacy. The DIB is regularly consulted both during the legislation process and afterwards, when development projects need to understand how the law should be interpreted before investing in new systems and services. Privacy issues are also frequently discussed in the media, which makes them high-profile. The new proposal by the E-Delegation means a change in the way eIDs are used. The federation approach means that identifications made will be re-used within government, not, as in the current solution, re-checked at each point of transaction. This means a “one authentic source” approach in which the coordinating function will issue a certificate on legitimation which can be used as a reference to allow further processing. The federation approach also means that service providers must be certified by membership in a federation. On the one hand, the new approach means transaction data will stay within government and not with private companies who can use them for their own purposes or even sell them. This is a privacy gain in terms of the Swedish policy. On the other hand, there is no doubt that data transactions between government departments will increase, which is considered negative from the perspective of the DIB.

Future perspectives

The recent proposal by the E-Delegation is clearly a step towards an improved eID infrastructure including increased standardization, usability, privacy, and lower costs for e-service providers. Although it is as yet only a proposal pending government decisions, there are reasons to believe that decisions will actually follow. There have also been positive comments from actors in the field. One factor contributing to this expectation is the work towards European eID interoperability in which Sweden participates through the STORK (footnote 4), PEPPOL (footnote 5) and epSOS (footnote 6) projects, from which some proposals have already been included, e.g. the federation approach. While the proposal is clear in principle, there are issues that still need to be resolved. Such issues include the degree of openness (a federation is basically a closed structure), at which level of legislation specific issues should be regulated (by law or by policy regulated by the new Coordination Committee), how market actors can be persuaded to converge towards technical standards, preferably open, how the municipal sector can be included, and others. Some of these issues can be decided by government (e.g. the level of regulation); others, such as the cooperation with market actors, are open to further negotiations and development regarding general standards and international agreements in the field. One specific issue, dealt with at length in the proposal, is the division of responsibilities between the new Committee and its host organization, the Tax Agency. The Committee will regulate the activities of the Tax Agency, which may be in conflict with the requirements for impartiality of a regulating body. There is also an open issue of whether the proposed solution, if implemented, will in practice succeed in realizing the positive potential for eID use in the private market that lies in increased standardization, legal regulation, and control.