Digital Identity Management In Norway Is Catastrophe

Although digital identity management in Norway is a success in many respects, it faces serious challenges and deficiencies, states Marte Eidsand Kjørven. She is a professor at the Department of Private Law at the University of Oslo and has led the project "Societal Security and Digital Identities," known as the SODI project.

Kjørven received the Rule of Law Award (Rettssikkerhetsprisen) for this work in 2024.

Market-based electronic solutions such as BankID, Buypass, and Comfides have contributed significantly to the digitalization of both the private and public sectors.

These "universal keys" provide access to a range of vital services for large portions of the population, including online banking, tax services, health services, and Altinn.

At the same time, these solutions bring serious challenges related to social exclusion, ID abuse, and failing legal protection. Digital identity management is complex, functioning almost as an ecosystem with numerous actors, technical solutions, and legal regulations. This digitalization has occurred rapidly.

In a podcastepisode at 'Universitetspodden' Kjørven and Henriksen discuss the problems (only in norwegian).

However, Kjørven explains that the legal rules intended to ensure responsible digitalization do not sufficiently account for the serious consequences this has brought about.

Scathing Criticism

In the project's final report, the research group directs scathing criticism at what they believe are serious failings in the public governance of digital identity management in Norway. The word "catastrophe" is communicated clearly as early as the introduction.

Key terms Kjørven uses to describe this catastrophe include disclaimers of responsibility, lack of legal protection resulting in financial miscarriages of justice, human rights violations, and challenges to democracy and national security.

Digital Exclusion and Disempowerment

It is vital to maintain good control over who has access to electronic ID solutions to avoid abuse and fraud. Simultaneously, digital exclusion is a major problem under current conditions.

Digital identity management is characterized by some actors and parts of the population reaping the benefits, while vulnerable groups bear the disadvantages and costs.

For many elderly people and individuals with disabilities, it is impossible to use electronic ID solutions without assistance.

Bendik has Down syndrome and is denied BankID. — 'Bendik' has Down syndrome and is denied BankID. Photo: Colourbox.

The report tells the story of Bendik, who has Down syndrome and is denied BankID, thereby losing access to digital public services due to his diagnosis.

- When a "universal key" in the form of an eID is necessary for access to essential services and real participation in society, the consequences are extremely serious for those without such a key, Kjørven points out.

Norwegian authorities have left it to private actors to decide who shall have access to digital public services and who shall be excluded and thus disempowered.

Sent Backwards in Time

Kjørven believes it can be difficult for those who have access to the digital services they need to imagine how intrusive it is to lack an eID, and BankID in particular.

- These people have not just been left on the platform while the digitalization train has raced past; they have been sent on a train moving backwards.

They do not have access to the same basic services as others, which constitutes a very serious problem, including from a human rights perspective, the law professor emphasizes.

Miscarriages of Justice, Financial Ruin, and Broken Lives

Several serious digital fraud cases have been featured in the media in recent years.

Phishing for personal information is common method fraudsters use to trick victims into giving up usernames, passwords, and credit card numbers. Last year, DNB customers were targeted in fraud attempts worth over 3.3 billion NOK, a 30 per cent increase from the previous year. Of these, the bank managed to stop 3 billion NOK from falling into criminal hands.

Criminals who steal others' electronic IDs can manipulate information in public registers, apply for loans, transfer money, set up companies, and receive public benefits on false grounds. This leads to major losses for individuals, companies, and the public sector.

Marte E. Kjørven og Marianne Henriksen. — Professor in Law Marte E. Kjørven and director Marianne Henriksen at Skatteetaten. Photo: UiO.

Individuals can have their finances destroyed and, in extreme cases, face criminal prosecution and miscarriages of justice. Some are forced to move from their homes and have their entire futures ruined.

- These are millions of pounds from the welfare state, individuals, and businesses being channeled into organized crime, which can contribute to increased criminality and all the associated consequences, Kjørven explains.

Defrauded by Close Relations

Fraud within close relationships is also not uncommon, and the Supreme Court is currently hearing such a case. A man handed over his BankID to his ex-partner to get help with daily tasks due to mental health challenges. The woman abused this access to take out several large consumer loans, for which she was later criminally convicted.

Nevertheless, the credit company has sued the man to cover its loss. The Supreme Court must decide whether the voluntary handover of BankID can mean the man is legally bound to cover the loss, despite being a victim of fraud and identity theft.

It is also noted that BankID code devices have for years been sent to customers via the post without any verification of who collects them.

Lack of National Governance

At the heart of these challenges lies the absence of a holistic strategy and governance of digital identity management in Norway, according to the project group. They write in the report that responsibilities are fragmented, coordination fails, and there is a lack of democratic anchoring. They believe important decision-making processes are opaque and that stakeholders are not sufficiently involved.

The report proposes how these problems can be mitigated and how the field can be managed more holistically. It contains a range of objectives and measures and resembles an Official Norwegian Report (NOU), Kjørven suggests.

The report and its recommendations are based on collaboration between four research institutions in Norway and Estonia, as well as various public and private partners, including the Tax Administration (Skatteetaten) and one of their directors, Marianne Henriksen.

Justified Criticism

Marianne Henriksen believes the criticism presented in the report is constructive and justified.

- The SODI project has done a very important job that the public sector can benefit from.

The Tax Administration has collaborated with the project through its role as owner of the National Population Register (Folkeregisteret). She describes the project's research as well-founded, constructive, and valuable.

The SODI-project:

The SODI project is funded by the Research Council of Norway and began in 2021 as a multidisciplinary collaborative project. The project group included Rolf Riisnæs, Tobias Mahler, Malcolm Langford, Tone Linn Wærstad, and Petter Omland (all from UiO), as well as Kristian Gjøsteen (NTNU). The report also draws on practical experience from the legal aid service "ID-juristen".

Sources

/University of Oslo Public Release. This material from the originating organization/author(s) might be of the point-in-time nature, and edited for clarity, style and length. Mirage.News does not take institutional positions or sides, and all views, positions, and conclusions expressed herein are solely those of the author(s).View in full here.