"Privacy Baseline" For European EID Cards
giles hogben writes "This paper from the European Network and Information Security Agency looks at the roll-out of privacy features in electronic identity card technology (PDF) over Europe. It includes numerous tables for easy comparison but doesn't make too much comment on the relative privacy-merits of different cards. Readers can draw their own conclusions though ..."
Here is the list of eID privacy features you asked for. Don't worry, it's not like you get to choose whether you carry one or not, and which one you carry, so don't get too excited. Have a great day!
At home, eating dinner. :) Or watching tv.
Or ... reading FTA. Ok, ok, only kidding!
"Good news, everyone!"
Here ... it is 6PM (GMT). Where do you think normal people are ... traveling home, maybe ...
Now
Just let me finish reading and maybe I will rant.
What you have to understand is that ENISA is a completely useless EU agency residing in Greece. It was installed by the lobby, and is backed mostly by BSA members such as Symantec, Microsoft, ...
This year the Commission attempted to rewind it by merging its competences into a new regulatory institution for the Telecom sector. However, the Telecom package debate led to the rejection of the regulatory authority and thus to the survival of ENISA.
In other words, this institution is owned by the industry lobby. It is just an advisory institution and its guidance is bullshit so far. It has no competence to propose laws or anything.
The studies carried out so far are of low quality and target imaginary audiences. For them Enisa experts have trivial recommendations. And Enisa openly says it lacks expertise and asks the vendor lobby for input. Enisa is a placebo institution for IT security. Anything that comes out of the body is suspicious.
Ok, so I haven't exactly read all 24 pages, but I've given them a good skim and studied some of the notes.
It seems to me to be a good primer, but I don't for a second think that anyone who matters will pay it deserved consideration. (Such is my trust in and opinion of politicians.)
Anyway, Denmark, as I well knew already, is not really on the list except as part of the EU. But even so, we do have a central ID register that's represented in the form of a plastic card (no chip, only magstripe and barcode) with minimal info such as name, address, birthdate, and a few other things -- but nothing valid for getting you across a real border.
Still, this ID register -- specifically, one's individual ID number -- is used *all over the place* where it's not s'posed to be, solely because it's such a darn good unique ID for the customer database, you know? Wanna open a bank account or borrow a bucket of money? Fair enough, I'll need to give out my ID number so they can check I don't owe the Golden Gate Bridge's worth in taxes. Wanna rent a video at Blockbuster? I have to give out my ID number as well, or entertain myself with my action figures instead. Never mind that that's the key to privileged information which Blockbuster, bless 'em, just don't need. Making a statement to that effect is not going to get you a membership, as I suppose you've all guessed.
With this rant I really just mean to say that it's not about the KIND of key you have, it's how you USE it. And, given the (inter)national context, you don't get to decide how to use it, the politicians will take care of that for you -- and I don't think they've read this ... or Little Brother for that matter. Of course, making sure it's not sniffable is important, but if the law requires us to have the thing glued to our foreheads it's going to be a pain anyway.
On a side note, though I realise that passports!=ID cards, our passports are going all "arphid'ey", and from what I've seen and read I'm very happy my old one still has a number of years left on it. /rant off. Sorry.
Unfortunately privacy just isn't an important political issue.
But many have noticed that all the designs for stricter and more comprehensive electronic ID schemes are coming from the US government.
For many years Europeans and Americans could go and visit each other without many barriers but especially after 9/11 the demands on Europeans travelling to the US have dramatically increased.
Had it been up to Europe we'd still use the old and trusted paper passports.
Personally I'm quite disgusted about this 'bend over' attitude of our politicians but hey, they get more power while blaming the other! (USA)
Personally I'm quite disgusted about this 'bend over' attitude of our politicians but hey, they get more power while blaming the other! (USA)
Aye. Well, in theory, EU is supposed to exist mainly for stopping that kind of stuff.
When USA said "We now demand this. Begin supplying us loads of private info about anyone flying here or you will no longer fly here", EU could have gotten together, smiled and said "Okay. We won't. Say goodbye to all your income and jobs from tourism. And it will work both ways. You won't be getting holidays in Paris, Berlin, Amsterdam, etc. any more. It will hurt both of us a lot. So what about we don't force that to happen?" and USA would have had no options but to remove such requirements.
However, what the EU did was ... nothing at all. It bent over. I have been quite bitter about that to our politicians lately.
Dear citizen of the EUSSR,
Here is the privacy you can expect from an ID card:
NONE!
Thank you for your tax money to aid the state oppression of Europe's citizens. We knew you'd never consent to having ID cards, that's why we sneaked in ID laws under disguise of other laws (see UK as an example of how state oppression is pushed through).
Have a nice day.
OK, this is a rough thought, but this is one way, off the top of my head, to make privacy as integral a part of the structure as security.
First of all, start with your average smart card, have your user private key on it and a PIN. The key stored can be revoked by whatever the EU's CA is and reissued.
Now, start adding certificates from whatever certifying agencies. For example, a county adds a certificate that this user was born in their county. A university adds a certificate that the user got a B.S. in chainsaw fencing at this time. The immigration authority signs a certificate saying the owner of the key is a bona fide citizen of the country. Finally the police department signs a certificate (perhaps a normal lifetime, perhaps a short-lived certificate that is renewed when asked) stating the person has no felonies on their record.
If something happens to change this (someone drops their citizenship), it gets revoked.
Now, by starting on the principle of "assume nothing", a pub can ask for someone's smart card, check that the picture of the person holding it is the keyholder, then check a certificate on the key that the user is over 21 for drinking (if in the US). The certificate does not give a birthdate. All it states is that the person is of legal age to get plastered. If someone is applying for a job that requires no felonies, the card will have a certificate stating this. All that is answered is just the question; no personal details are offered.
If a place finds no certificate stating a user isn't a felon, then they can do a background search with the user's consent, but if a user isn't a felon, no searching is needed.
Of course, a user can hide/show certificates, so when signing a pay receipt, the merchant doesn't get free access to all the details of citizenship, etc.
The one problem I see is a lost or compromised key. This can be fixed by one of two ways. One is to revoke the core key and have all the CAs re-sign certificates to a new key. Another way is a certificate granted by the core card authority basically stating that all the goodies on revoked key "x" now apply to current key "y".
Voila, people get privacy, and security is also assured (as best a PKI and other structures can. Nothing is perfect, and I'm SURE there are flaws in this idea.)