挪威的数字身份管理是一场灾难

挪威的数字身份管理是一场灾难
Digital Identity Management in Norway Is a Catastrophe

原始链接: https://www.uio.no/english/research/research-news/articles/2026/digital-id-management-is-a-catastrophe.html

Marte Eidsand Kjørven 教授及其“社会安全与数字身份”（SODI）项目组针对挪威的数字身份管理发布了一份措辞严厉的报告。尽管 BankID 等电子身份认证系统推动了快速数字化，但报告将当前的治理现状称为一场“灾难”，其特征是监管缺失、职责碎片化以及法律保护机制的失效。该项目重点指出了两项主要危机。首先是数字排斥：老年人或残疾人等弱势群体常常因无法使用复杂的电子身份系统而被剥夺获取必要公共服务的途径，这实际上侵犯了他们的数字权利。其次是系统极易遭受欺诈。犯罪分子利用电子身份进行身份盗用，导致受害者陷入经济困境、面临潜在的刑事起诉，同时也给福利国家造成了巨大损失。研究人员认为，当局将控制权不当地下放给私人主体，忽视了由此带来的广泛民主和人权后果。为纠正这一问题，报告呼吁制定全面的国家战略并改善治理，以确保数字服务保持安全、包容并符合法律问责要求。包括税务局在内的公共实体已承认这些担忧的合理性，并认同进行结构性改革的必要性。

抱歉。

原文

Although digital identity management in Norway is a success in many respects, it faces serious challenges and deficiencies, states Marte Eidsand Kjørven. She is a professor at the Department of Private Law at the University of Oslo and has led the project "Societal Security and Digital Identities," known as the SODI project.

Kjørven received the Rule of Law Award (Rettssikkerhetsprisen) for this work in 2024.

Market-based electronic solutions such as BankID, Buypass, and Comfides have contributed significantly to the digitalization of both the private and public sectors.

These "universal keys" provide access to a range of vital services for large portions of the population, including online banking, tax services, health services, and Altinn.

At the same time, these solutions bring serious challenges related to social exclusion, ID abuse, and failing legal protection. Digital identity management is complex, functioning almost as an ecosystem with numerous actors, technical solutions, and legal regulations. This digitalization has occurred rapidly.

In a podcastepisode at 'Universitetspodden' Kjørven and Henriksen discuss the problems (only in norwegian).

However, Kjørven explains that the legal rules intended to ensure responsible digitalization do not sufficiently account for the serious consequences this has brought about.

Scathing Criticism

In the project's final report, the research group directs scathing criticism at what they believe are serious failings in the public governance of digital identity management in Norway. The word "catastrophe" is communicated clearly as early as the introduction.

Key terms Kjørven uses to describe this catastrophe include disclaimers of responsibility, lack of legal protection resulting in financial miscarriages of justice, human rights violations, and challenges to democracy and national security.

Digital Exclusion and Disempowerment

It is vital to maintain good control over who has access to electronic ID solutions to avoid abuse and fraud. Simultaneously, digital exclusion is a major problem under current conditions.

Digital identity management is characterized by some actors and parts of the population reaping the benefits, while vulnerable groups bear the disadvantages and costs.

For many elderly people and individuals with disabilities, it is impossible to use electronic ID solutions without assistance.

Bendik has Down syndrome and is denied BankID. — 'Bendik' has Down syndrome and is denied BankID. Photo: Colourbox.

The report tells the story of Bendik, who has Down syndrome and is denied BankID, thereby losing access to digital public services due to his diagnosis.

– When a "universal key" in the form of an eID is necessary for access to essential services and real participation in society, the consequences are extremely serious for those without such a key, Kjørven points out.

Norwegian authorities have left it to private actors to decide who shall have access to digital public services and who shall be excluded and thus disempowered.

Sent Backwards in Time

Kjørven believes it can be difficult for those who have access to the digital services they need to imagine how intrusive it is to lack an eID, and BankID in particular.

– These people have not just been left on the platform while the digitalization train has raced past; they have been sent on a train moving backwards.

They do not have access to the same basic services as others, which constitutes a very serious problem, including from a human rights perspective, the law professor emphasizes.

Miscarriages of Justice, Financial Ruin, and Broken Lives

Several serious digital fraud cases have been featured in the media in recent years.

Phishing for personal information is common method fraudsters use to trick victims into giving up usernames, passwords, and credit card numbers. Last year, DNB customers were targeted in fraud attempts worth over 3.3 billion NOK, a 30 per cent increase from the previous year. Of these, the bank managed to stop 3 billion NOK from falling into criminal hands.

Criminals who steal others' electronic IDs can manipulate information in public registers, apply for loans, transfer money, set up companies, and receive public benefits on false grounds. This leads to major losses for individuals, companies, and the public sector.

Marte E. Kjørven og Marianne Henriksen. — Professor in Law Marte E. Kjørven and director Marianne Henriksen at Skatteetaten. Photo: UiO.

Individuals can have their finances destroyed and, in extreme cases, face criminal prosecution and miscarriages of justice. Some are forced to move from their homes and have their entire futures ruined.

– These are millions of pounds from the welfare state, individuals, and businesses being channeled into organized crime, which can contribute to increased criminality and all the associated consequences, Kjørven explains.

Defrauded by Close Relations

Fraud within close relationships is also not uncommon, and the Supreme Court is currently hearing such a case. A man handed over his BankID to his ex-partner to get help with daily tasks due to mental health challenges. The woman abused this access to take out several large consumer loans, for which she was later criminally convicted.

Nevertheless, the credit company has sued the man to cover its loss. The Supreme Court must decide whether the voluntary handover of BankID can mean the man is legally bound to cover the loss, despite being a victim of fraud and identity theft.

It is also noted that BankID code devices have for years been sent to customers via the post without any verification of who collects them.

Lack of National Governance

At the heart of these challenges lies the absence of a holistic strategy and governance of digital identity management in Norway, according to the project group. They write in the report that responsibilities are fragmented, coordination fails, and there is a lack of democratic anchoring. They believe important decision-making processes are opaque and that stakeholders are not sufficiently involved.

The report proposes how these problems can be mitigated and how the field can be managed more holistically. It contains a range of objectives and measures and resembles an Official Norwegian Report (NOU), Kjørven suggests.

The report and its recommendations are based on collaboration between four research institutions in Norway and Estonia, as well as various public and private partners, including the Tax Administration (Skatteetaten) and one of their directors, Marianne Henriksen.

Justified Criticism

Marianne Henriksen believes the criticism presented in the report is constructive and justified.

– The SODI project has done a very important job that the public sector can benefit from.

The Tax Administration has collaborated with the project through its role as owner of the National Population Register (Folkeregisteret). She describes the project's research as well-founded, constructive, and valuable.

The SODI-project:

The SODI project is funded by the Research Council of Norway and began in 2021 as a multidisciplinary collaborative project. The project group included Rolf Riisnæs, Tobias Mahler, Malcolm Langford, Tone Linn Wærstad, and Petter Omland (all from UiO), as well as Kristian Gjøsteen (NTNU). The report also draws on practical experience from the legal aid service "ID-juristen".