Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Privacy Baseline" For European EID Cards

Posted by timothy on from the you-don't-need-to-know-to-that dept.

giles hogben writes "This paper from the European Network and Information Security Agency looks at the roll-out of privacy features in electronic identity card technology (PDF) over Europe. It includes numerous tables for easy comparison but doesn't make too much comment on the relative privacy-merits of different cards. Readers can draw their own conclusions though ..."

24 comments

  1. Hey guys! by fuzzyfuzzyfungus · · Score: 2, Insightful

    Here is the list of eID privacy features you asked for. Don't worry, it's not like you get to choose whether you carry one or not, and which one you carry, so don't get too excited. Have a great day!

    1. Re:Hey guys! by Anonymous Coward · · Score: 0

      Yes, you can. I live in Finland and my ID card has an RFID chip in it. However, no law requires me to own one or always carry it with me.

      Even with passport, which is required if I want to leave the country (well, technically I can leave with my ID card too but as it has the RFID it isn't very relevant) I can circumvent the RFID (which my passport doesn't yet have but maybe would if I now got a new one) thingy by visiting the local police department and asking for a temporary passport. It can be aquired in half an hour.

      Not that any of this really mattered because I have RFID blocking wallet...

    2. Re:Hey guys! by Mind+Booster+Noori · · Score: 1

      Unfortunately not every country is like Finland on that regard: in Portugal, for instance, every citizen has to own and carry their ID card (which, on the other hand, has no RFID, so you have to use a card reader). Also, if you read the report, you'll see that the problem isn't only on RFID, so having an RFID-blocking wallet won't help you that much...

      --
      Mind Booster Noori
  2. Missing item by Anonymous Coward · · Score: 0

    Number 15. Governments forcibly extracting private information from their citizens and using it to gain more state power.

  3. where are all the europeans? by Anonymous Coward · · Score: 0

    right now there are only 2 comments...

    but in every thread that is specifically about the US (or god forbid if guns come up) is chock-full of europeans that bitch about the US-centric discussion. so where are they all now?

    1. Re:where are all the europeans? by KlaymenDK · · Score: 1

      At home, eating dinner. :) Or watching tv.

      Or ... reading FTA. Ok, ok, only kidding!

      --
      "Good news, everyone!"
    2. Re:where are all the europeans? by zeridon · · Score: 1

      Here ...
      Now ... it is 6PM (GMT) where do you think normal people are ... traveling home maybe ...

      Just let me finish reading and maybe i will rant

      --
      In fire we trust http://www.getoto.net
    3. Re:where are all the europeans? by KlaymenDK · · Score: 2, Interesting

      Ok, so I haven't exactly read all 24 pages, but I've given them a good skim and studied some of the notes.

      It seems to me to be a good primer, but I don't for a second think that anyone who matters will pay it deserved consideration. (Such is my trust in and opinion of politicians.)

      Anyway, Denmark, as I well knew already, is not really on the list except as part of the EU. But even so, we do have a central ID register that's represented in the form of a plastic card (no chip, only magstripe and barcode) with minimal info such as name, address, birthdate, and a few other things -- but nothing valid for getting you across a real border.

      Still, this ID register --specifically, one's individual ID number-- is used *all over the place* where it's not s'posed to, solely because it's such a darn good unique ID for the customer database, you know? Wanna open a bank account or borrow a bucket of money? Fair enough, I'll need to give out my ID number so they can check I don't owe the Golden Gate Bridge worth in taxes. Wanna rent a video at Blockbuster? I have to give out my ID number as well, or entertain myself with my action figures instead. Nevermind that that's the key to privileged information which Blockbuster, bless 'em, just don't need. Making a statement to that effect is not going to get you a membership, as I suppose you've all guessed.

      With this rant I really just mean to say that it's not about the KIND of key you have, it's how you USE it. And, given the (inter)national context, you don't get to decide how to use it, the politicians will take care of that for you -- and I don't think they've read this ... or Little Brother for that matter. Of course, making sure it's not sniffable is important, but if the law requires us to have the thing glued to our foreheads it's going to be a pain anyway.

      On a side note, though I realise that passports!=ID cards, our passports are going all "arphid'ey", and from what I've seen and read I'm very happy my old one still has a number of years left on it. /rant off. Sorry.

      --
      "Good news, everyone!"
    4. Re:where are all the europeans? by Teun · · Score: 1
      Europeans have a far greater trust in their governments than Americans, rightly or wrongly.

      But many have noticed that all the designs for stricter and more comprehensive electronic ID schemes are coming from the US government.

      For many years Europeans and Americans could go and visit each other without many barriers but especially after 9/11 the demands on Europeans travelling to the US have dramatically increased.

      Had it been up to Europe we'd still use the old and trusted paper passports.

      Personally I'm quite disgusted about this 'bend over' attitude of our politicians but hey, they get more power while blaming the other! (USA)

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    5. Re:where are all the europeans? by Anonymous Coward · · Score: 0

      I've posted many times (as AC) when similar topics were up. Most of the postings were bitching on how their privacy was invaded, while being /completely/ off regarding the underlying technology. You would imagine that people would know by now that these eID cards are not RFID in the sense that they only contain an identifier. Still even reporters don't have the slightest problem stating such a thing.

      Since this page is about the technology only, without stating anything too strong to start bitching about, I'm not surprised about the lukewarm response.

    6. Re:where are all the europeans? by Anonymous Coward · · Score: 1, Insightful

      Personally I'm quite disgusted about this 'bend over' attitude of our politicians but hey, they get more power while blaming the other! (USA)

      Aye. Well, in theory, EU is supposed to exist mainly for stopping that kind of stuff.

      When USA said "We now demand this. Begin supplying us loads of private info about anyone flying here or you will no longer fly here", EU could have gotten together, smiled and said "Okay. We won't. Say goodbye to all your income and jobs from tourism. And it will work both ways. You won't be getting holidays in Paris, Berlin, Amsterdam, etc. any more. It will hurt both of us a lot. So what about we don't force that to happen?" and USA would have had no options but to remove such requirements.

      However, what EU did was... Nothing at all. It bended over. I have been quite bitter about that to our politicians lately.

    7. Re:where are all the europeans? by Anonymous Coward · · Score: 0

      Oh, you have no idea.

      Ready normal people?

  4. Privacy? by Anonymous Coward · · Score: 0

    Privacy? What's that? This must be some sort of hoax...

  5. ENISA by Elektroschock · · Score: 2, Interesting

    What you have to understand that ENISA is a completely useless EU agency residing in Greece. It was installed by the lobby, and is back mostly by BSA members as Symantec, Microsoft,...

    This year the Commission attempted to rewind it by merging its competences into a new regulatory institution for the Telecom sector. However the Telecom package debate lead to the rejection of the regulatory authority and thus to the survival to ENISA.

    In other words, this institutione is owned by the industry lobby. It is just an advisory institution and its guidance is bullshit so far. It has no competence to propose laws or anything.

    The studies carried out so far are of low quality and target imaginary audiences. For them Enisa experts have trivial recommendations. And Enisa openly says it lacks expertise and asks the vendor lobby for input. Enisa is a placebo institution for IT security. Anything that comes out of the body is suspicious.

    1. Re:ENISA by Anonymous Coward · · Score: 0

      If you think that's bad, imagine working for them.

    2. Re:ENISA by Anonymous Coward · · Score: 0

      On the other hand, the article is written by many authors, and none seem to be part of any lobby group. There are authors in there that are knowledgable.

      It's main purpose seams to be to give an overview of possible threats, protection against them and an oversight of which countries use what kind of protection. I do think that the latter has failed, the information is rather useless without providing more information (what consitutes write acces?).

      rant:

      Of course, we can all worry about the government choosing bad technologies and protocols, but in practice I would be more worried about RF credit cards and transport cards. None of those seem to have privacy in mind.

      E.g almost al transport cards use Mifare or such and a static and unigue ID, which can be read from large distances. So we would have rather well protected mandatoy passports and eID applications, but everybody could be tracked using countless other methods anyway.

      Of course, as everybody is almost always carrying a GSM phone, everybody is ACTIVELY giving away their location anyway. /rant

    3. Re:ENISA by Mind+Booster+Noori · · Score: 1

      Funny, according to their website (which is not what you linked, BTW) none of their members seem to be part of any lobby, much less representatives of entities such as Symantec, Microsoft and so on. I could be wrong, but I'll have to ask you to please back up your statements with evidence...

      --
      Mind Booster Noori
    4. Re:ENISA by Elektroschock · · Score: 1

      McGann is the lobbyist of EICTA. You don't expect members of the administration to work for a lobby organisation. The question is who defines what they do. And here ENISA does mostly awareness raising efforts for imaginative audiences.

      http://www.enisa.europa.eu/pages/05_01.htm

      The point is not what ENISA is but what it is not! Ask European IT security experts what they think about ENISA and their consultant puppets.

    5. Re:ENISA by Mind+Booster+Noori · · Score: 1

      If your point is that "their work gets no attention" of even "their work is useless", I might agree with you. But if you're saying they're lobby puppets, then I want proof, that is all.

      --
      Mind Booster Noori
    6. Re:ENISA by Elektroschock · · Score: 1

      You don't know Enisa. But I do know for whom Ebert works for.

    7. Re:ENISA by Mind+Booster+Noori · · Score: 1

      Prove.

      --
      Mind Booster Noori
  6. tl;dr by AmiMoJo · · Score: 1

    Unfortunately privacy just isn't an important political issue.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. Privacy? by Wowsers · · Score: 1

    Dear citizen of the EUSSR,

    Here is the privacy you can expect from an ID card:

    NONE!

    Thank you for your tax money to aid the state oppression of Europe's citizens. We knew you'd never consent to having ID cards, that's why we sneaked in ID laws under disguise of other laws (see UK as an example of how state oppression is pushed through).

    Have a nice day.

    --
    Take Nobody's Word For It.
  8. Want to know how to make a card private? by mlts · · Score: 1

    OK, this is rough thought, but this is one way off the top of my head to make privacy as integral as part of the structure as security.

    First of all, start with your average smart card, have your user private key on it and a PIN. The key stored can be revoked by whatever the EU's CA is and reissued.

    Now, start adding certificated by whatever certifying agencies. For example, a county adds a certificate that this user is born in their county. A university adds a certificate that the user got a B. S. in chainsaw fencing at this time. The immigration authority signs a certificate saying the owner of the key is a bona fide citizen of the country. Finally the police department signs a certificate (perhaps a normal life, perhaps a short-lived certificate that is renewed when asked) stating the person has no felonies on their record.

    Something that happens to change this (someone drops their citizenship), it gets revoked.

    Now, by starting on the principle of assume nothing, a pub can ask for someone's smart card, check that the picture of the person holding it is the keyholder, then check a certificate on the key that the user is over 21 for drinking (if in the US.) The certificate does not give a birthdate. All it states is that the person is of legal age to get plastered. If someone is applying for a job that requires no felonies, the card will have a certificate stating this. All that is answered is just the question, no personal details are offered.

    If a place finds no certificate stating a user isn't a felon, then they can do a background search with the user's consent, but if a user isn't a felon, no searching is needed.

    Of course, a user can hide/show certificates, so when signing a pay receipt, the merchant doesn't get free access to all the details of citizenship, etc.

    The one problem I see is a lost or compromised key. This can be fixed by one of two ways. One is to revoke the core key and have all the CAs re-sign certificates to a new key. Another way is a certificate granted by the core card authority basically stating that all the goodies on revoked key "x" now apply to current key "y".

    Voila, people get privacy, and security is also assured (as best a PKI and other structures can. Nothing is perfect, and I'm SURE there are flaws in this idea.)