Bill Gates Talks about Belgian eID Card

Brainsur writes "Today Bill Gates visited Belgium to talk about the Electronic ID card introduced last year in Belgium as experiment. Microsoft announced that they will integrate the electronic identification into the Windows Software so they can deliver more security and privacy on the internet. The register has more news."

Unanswered Questions

[Staplerh]

Hmm. There's a BIG question unanswered in this article.

Microsoft believes that combined with the eID Card MSN Messenger chatrooms will be much safer. Users would have a trustworthy way of identifying themselves online. The Belgian Federal Computer Crime Unit (FCCU) could even refuse young children access to certain chatrooms based on their electronic identity.

Now.. is the ID card REQUIRED to use the MSN service, or is it just another level of idenitifcation? One model, such as what Amazon.com uses for reviews, is to accredit reviews with a 'Real Name' sticker if it is indeed the poster's real name (as verified by their credit card). But it isn't required to actually post a review, only to get that extra level of verification.

Anybody else have a different take on it, did I miss this important point?

Finland has had it for a while

[TommydCat]

Finland has been issuing smartcard electronic IDs that the citizens use for electronic voting among other things (hanging chads, anyone)?

Any Fins here wish to comment?

it wont be bothering me for atleast 3 years

since i have a rather recent classic paper ID
but i guess i should start looking for a lead lined wallet.

funny thing on the train a lady was asked for her ID
she only had one of those new ones. train personel had no way of cheking the info on the eID twas quite funny how they kept going on how she needed to have papers proving she was she along with the eID.

anyway this seems to be the perfect software for market research, now you are certain who it is that is looking at websites about what ever.
A nice reminder that i should be ashamed to be belgian, almost forgot becauze of the US bashings that have been going on lately

But it does run linux!

On the bright side: there are drivers for the card reader for linux, solaris, Mac, ... source code too!

http://www.belgium.be/zip/middleware_source_code_n l.html
http://www.registrenational.fgov.be/bev_nl/bev_n_d ispatcher.htm

Re:Privacy?

Take it a step further: I would consider the terms "ID Card" and "Privacy" to be contradictory.

Not necessarily...an ID card also has the use of distinguishing "John Smith" from his neighbor "John Smith" and his coworker "John Smith". Having a standard method of unique identification can actually increase privacy in some situations by not requiring someone to offer personal life details just to distinguish oneself.

In the US, the Social Security number is an ideal candidate for this. I really wish the government would declare something to the effect of "All SSNs will be publically available in 5 years...anyone still trying to use them as a security implementation will need to find a real system by then. Deal with it."

The problem with a national ID card used as security is one of trust. If it's easy to fake, nobody will trust it, and potential damage is small in single instances. If it's difficult to fake, it's trusted, and potential damages in the few instances of successful deception are unlimited. Total potential damages and costs to society remain the same, regardless of how difficult counterfeiting might be.

I'm fully in favor of national, random, checksummed unique identifier that is completely public. Claiming to be "DHSGX-2814" would provide no actual proof of identity, but there is only one "DHSGX-2814" in the nation. We could stop confusing duplicate names and requiring extra personal details like address, etc, simply to provide uniqueness.

I agree that it's a little impersonal to be a number, not a name, but it's far more practical.

Re:Privacy?

[lucabrasi999]

If you don't think of the passbook of a Swiss numbered bank account as being a form of ID

Yes, it is. But, if I understand how Swiss banks work correctly, they don't keep track of all of my activities (just key Financial transactions). An ID card issued by the goverment would, by it's very definition, keep track of all of my activities in a central location (Financial and non-Financial).

I'll take off my tin-foil hat now. I am being a bit over-reactionary. But, as I posted elsewhere, here in the United States, we do tend to cite privacy concerns when it comes to the idea of the national government keeping track of all of our activities. In reality, I know they COULD keep track of me today, if they tried. I'm just being a bit of a devil's advocate.

My thoughts.

[pavon]

Hehe. I started this post when the story was still in the mysterious future and it kept growing till, now when most everyone has already moved onto the next story. Oh well, might as well post it and this thread is as good of a spot as any.

I would actually be in favor of a Smart-card ID - especially if the citizen ID was just one uses of a generic smart card authentication system. The use of Social Security Numbers is inherently insecure. Every authentication system needs a public identifier, and at least one secret key. But as things stand right now SSN are treated as both an identifier and a key - it is impossible to be both public and secret simultaneously! It is scary how many institutions act as though anyone who can rattle off my SSN. Something like this could greatly decrease potential for identity theft and fraud, and frankly I don't think it will decrease my privacy any (more on that later).

Suppose you had a smart card which contained a readable id and public key, an non-readable private key (encrypted with a passcode), and a small amount of processing power. When you need to authenticate yourself, you would place the card in a a drive, and enter your passcode. The person requesting authentication would generate a challenge using the public key, and the drive would pass the challenge and passcode to the smart-card. The card would then use the private key to generate a response.

The nice thing about the smart-card doing the processing is that the private key would never leave the card. In fact, the user would not have to know anything about public/private keys (unlike PGP). And it follows the good policy of "something you have" (the card), "something you know" (the passcode), and could easily include the option of "something you are" (biometrics) for high security applications. But even without the biometrics, this would be infinitely more secure than SSN, more secure than a credit card or ATM, and on par with PGP signatures.

Then imagine that this is a standard authentication system - you have a card to authenticate that you are Citizen 123-45-678 for government programs, another to authenticate that you are VISA Card Holder 1111-2222-3333-4444 for purchases, another to authenticate that you are user on domain for login authentication, and yet another to authenticate that you are user@domain.com for signing and decrypting email. If there was a standard, there is no reason that the drive could not be built into all computers, greatly increasing the security of online financial transactions, and finally creating a user-friendly mechanism for encrypted communications.

In short it would solve a great deal of the security issues (or at least technical aspects thereof) that our rush into the digital world has created. Of course all the social engineering exploits are still there, and so we should never operate on the assumption that the system is infallible.

Now privacy. I don't like giving out my social security number more than anyone else. I have gone through great trouble to not give it to people that do not need it. But even so, there are a huge number of organizations that are entitled to it by law, and have a legitimate need for my personal information. Which brings up the real crux of the government privacy issue in my opinion: We asked the government to take care of our retirement, so they need some information to do that job. We asked the government to provide medical care and drug coverage for the elderly, so they need to know my medical record. We asked the government for all sorts of benefits and exceptions in the tax code, so they need to know the nitty-gritty details of my financial life. We asked the government to help pay for college, so they need to know even more information. And now people want to ask the government to provide everyone healthcare and that will erode my privacy even more. I have an idea - if we don't want the government to know everything about us how about we stop asking it to do everything for us. Until then all this cry for privacy

Re:You Just Proved the Grandparent's Point

You just proved the grandparents's point. The Belgian government, reflecting the will of the large foreign population, just banned a political party because the foreigners view efforts to slow immigration as "racist".

You would welcome a party that has as one of its main goals the overthrowing of the constitution and disbandment of the united states of america?

How very unpatriotic of you.

Re:With one major caveat of course

[rem1313]

Electronic ID card primariliy is a means to reliably authenticate anyone in electronic communication just like a passport in physical world.

Secondly, it is also a means to electronically sign documents as a replacement for physical pen-and-ink signatures.

It is based on public key cryptography, and private keys are generated on tamper-resistant smart-card and never leave the card (by smart card design). Governmet issues a certificate (signed by gov. CA) that confirm your identity and association with your private key (your public key is included in certificate). The microchip on the card provides functions that enable use of private keys such as signing hashes, etc (but never retrieval).

The authentication and signature functions are seperated and protected by different PIN numbers (or biometric data).

As a result, a variety of services can be put online that could never be possible without a _highly reliable_ means of authentication of individuals. Examples are government services: tax declarations, access to state registers, communication with government, e-voting, etc.

Using signatory function you could prepare and sign contracts, submit formal applications and sign them elecronically. It will provide such assurances as non-repudiation, integrity (nobody can claim that you didn't sign it and your signature is automatically invalidated if document integrity is compromised). And by law, public sector organizations are obliged to accept such documents.

If the card gets lost or stolen, the certificates are blacklisted and as a result access to online services is blocked. Certification service provider also provides a means to verify if such and such certificate was valid at certain time. Time-stamping services are also possible.

If you think about it, nobody forces you to use it, but once implemented and opportunities appear, the possibilities are endless. Your identity is protected by PIN codes and without your consent, the information available (and collectable) is very limited.

Sure, it might be a bumpy road in the begining, especially because the average user probably does not realize the importance of actually protecting his online identity, but once technology matures, users get educated and more services appear, life will become much more easier.

And imagine time saved when dealing with, for example, governmental institutions - no standing in lines to fill out some form or fill in tax declarations, etc. And it is cost and time benefits are realized on the other end too - if e.g. tax declarations are submitted electronically then nobody needs to go over each and every one and retype to get them into database for later processing. It could be done automatically.

Actually, i'm writing b.sc. thesis regarding impelmentation of electronic identity and signature in Latvia - so anyone has valuable comments, please don't hesitate to contact me :) rem[at]fabrika[dot]lv

You might want to check out Estonia, which has implemented the eID project and they have issued some 700,000 ID cards with electronic functions on them. Pretty impressive.

Re:With one major caveat of course

[rem1313]

You are totally missing the point.

I never said the system is perfect or totally secure, it is merely an extension of current physical identity and signatory functions to electronic medium in such way that they have the same legal effect. Once again: (1) secure and reliable authentication and (2) signatory functions.

Think of it as a passport and pen-and-ink signature. Your passport can be stolen and used fraudulently and your signature can be faked quite easily. Just as you could be physically tortured to sign some documents, just as well you could be tortured to reveal your PIN and then use your eID card to sign them afterwards. Just as in the former case any court will rule your signature invalid, and the same applies in the latter case when document is signed electronically.

In the same good old physical world, the government still tracks your activities when communicating with public sector organizations, when you fill your tax declarations, fill out forms, etc. The information of course will be logged when you knowingly choose to authenticate yourself electronically - no principal difference here.

I never mentioned that the card is also used for shopping and not even close to also enlisting the items bought. Currently if you use any credit card, the shop already knows your name and what you bought - so nothing changes here. If you are paranoid - use cash. Period.

So nothing really changes in principle, just the way how transactions are done.