Verify the identity of an online gambler



Below is a blog post in Dutch that gives my perspective on a proposal for new legislation in the Netherlands on online gambling. Specifically, I discuss how players have to be identified, and how (in)secure this is. The bottom line is that the proposal does not allow anonymous gambling, and that websites offering online gambling have to verify the identity of gamblers by asking for a copy of a passport (or equivalent) combined with a bank account that then remains linked to that specific player. This is certainly not an ideal solution, but I guess a pragmatic one in the absence of an existing, re-usable consumer-2-business eID solution in the Netherlands.

How to know for sure who is gambling online?

Recently, a bill for a licensing system for online games of chance was put out for consultation. An important goal of this bill is to protect consumers against themselves, in other words, to counter gambling addiction. Part of this is a central register in which players with addiction problems are registered on the basis of their BSN. This register will be used by both online and ‘offline’ licence holders (e.g. Holland Casino). Vulnerable groups of people (minors) are also excluded.


Privacy and security in an eID solution?



In the Netherlands we have a digital identity solution, called DigiD, for citizens that want to use e-government services. It is used quite a lot (compared to e.g. Belgium or Germany), but is not very secure (only SMS as second factor, and verification via a well-known address rather than e.g. face-2-face). The Dutch government is now working on a more secure eID solution, as part of a bigger identity trust framework that is called “eID stelsel” (roughly translates to eID scheme or eID framework). In the blog post below (in Dutch …) we discuss this, and zoom in on the IRMA research project in which we participate. The IRMA smartcard aims to be both secure and privacy friendly (attributes, double blind certificates etc).

A more trustworthy and more privacy-friendly DigiD

In a letter to parliament on the future-proofing of the Dutch identity infrastructure, minister Plasterk writes that DigiD, in its current form, will in the short term no longer offer sufficient security for new sensitive e-government services. These services need a more secure eID solution. Think, for example, of future services such as patients’ access to their electronic patient record.


CIO perspective on (the future of) privacy


As part of the CIO Days 2012 we did scenario planning sessions with a group of CIOs from the Netherlands. Scenario planning is a methodology to consider what might happen in the future, and what the impact will be. Instead of trying to predict a future, we determined two dominant uncertainties about the future, and combined these into four possible futures. My Novay colleague Timber Haaker is our scenario planning guru, and also authored this blog post and this article in CIO Magazine nr.2013-1 with more background on scenario planning and the scenario planning sessions we did at the CIO Days. This is a pdf with only the relevant pages. All in Dutch. I facilitated the scenario planning session on privacy, the results of which I share below:


Step-up authentication as-a-Service


IDentity-as-a-Service (IDaaS) was a hot topic in 2012 (e.g., this blog post of Dave Kearns), and probably will continue to be so in 2013. In a project for and with SURFnet (Dutch NREN) Novay designed an IDaaS-like service to make existing identities more trustworthy: Step-up authentication as-a-Service. (No idea how to abbreviate this: SuaaaS?) The Step-up authentication as-a-Service we designed addresses this need by making it possible to increase the trustworthiness (put differently: increase the level of assurance) of identities in an existing identity federation. The service addresses both the technology and the process/registration side: a second factor authentication and an additional face-2-face check of who this digital identity (and second factor) actually belongs to.

From a user perspective, the service has a self-service interface to register a second factor (see mock-up below) and an interface for the identity providers for user management (see second mock-up below). And of course, every time a step-up authentication is needed, the user is redirected to the Step-up authentication as-a-Service to authenticate with this second factor.


eRecognition won Novay Digital Identity Award


eRecognition (in Dutch: eHerkenning) has won. Congratulations to Logius, ICTU, the Ministry of Economic Affairs, all the participating companies in eHerkenning and of course especially to the people that have contributed to eHerkenning! Below is the official press release. What I’d like to personally add to this is that I think it is great that eHerkenning simply started facilitating business-2-government identification, with the parties that saw opportunities to provide identity services and only a limited set of government service providers. It now has a growing usage, and is also targeting business-2-business.

Physically the award is a small statue (ceramics), by the artist Alexandra Veneman. A (bit shortened) explanation of her idea when she made this:


Nominees Novay Digital Identity Award 2012: Evolok, eRecognition and IDchecker


For the third year in a row I’m responsible for the Novay Digital Identity Award, which Novay in collaboration with IDentity.Next will give to an innovation in the area of digital identity. The first winner (2010) was Ziggur (digital death service), last year’s winner was Edentiti (online identity verification).

We have an independent jury (which I’m not in), which picked three nominees for this year:

  • Evolok – which combines identity & access management with a paywall system for online content. Ease of use for consumers, flexibility w.r.t. business model for online content providers.
  • eRecognition – an identity trust framework from the Netherlands, for business-2-government (and also aiming for business-2-business). Ahead of similar initiatives in the US (NSTIC) and UK, and usage is increasing.
  • IDchecker – a company that is very big in a niche market: a SaaS service for verifying physical ID documents based on an optical scan, or, IMHO much ‘cooler’, using a mobile app.

I copied the official announcement/press release below (the Dutch version is here). The winner will be announced on 20 November, during IDentity.Next in The Hague.


7′ speech: students in control over their own data



SURFnet, the Dutch National Research and Education Networking organisation, had their two-year networking event for their customers and partners (3-4 October 2012). A new item were 7′ TEDx-like speeches, one of which was given by me. I talked about putting the student central in discussions about privacy in higher education, e.g., when introducing promising innovations like learning analytics. Although preparing for 7′ takes way more time per minute than preparing for 45′ or 90′ presentations (the length of the presentations the day and week before), it was fun doing it. I basically argued that the user acceptance of privacy-sensitive innovations in higher education is more important than whether lawyers think that these innovations are allowed. This means that 1) you should explain the benefits of the innovation for the student and why the data is needed, 2) you should be transparent on what data is collected exactly and 3) whenever possible the student should be able to control the collection/sharing/retention of this data.

For more information (all in Dutch ..): here is a blog post from SURFnet on my presentation. Here are the slides, but since they have a lot of pictures and little text, you are probably better off watching the video. It is only 7′ 🙂 My presentation starts at 1:11′. You can also watch the other presentations, including cool visualisations of open data by the VPRO (first talk) and interesting thoughts on Next-generation trust infrastructures by Roland van Rijswijk (SURFnet, second talk).

Internetbanking fraud in Netherlands increases again


For a couple of years now, the Dutch Banking Association (NVB) has made internet banking fraud numbers in NL public, with updates every half year. The damage for the first half of 2012 was €27.3M, compared to €35M for the whole of 2011 (see graph below, with the amount for 2012 calculated by simply doubling the first half of 2012). The relative increase, again calculated by simply doubling the €27.3M to get a number to compare to the €35M, is roughly 1.5 times. This means the growth is less than it was in the previous years (see the graph below). Also, if you compare the first half of 2012 to the second half of 2012, the growth has decreased to 14%. This does not mean that I’m optimistic: the fraud still increases, and the absolute numbers are also becoming worrisome. With ~11M internet banking users, this is ~€5 per user, which is IMHO significant.


Tooling and methodologies for privacy & security in the cloud


We recently finished a project on privacy & security in the cloud for SURFnet (Dutch NREN, responsible for the Dutch research network and middleware services on top of this). Basically, we supplemented work of others that focussed on the contractual and legal perspective with a more technology-oriented perspective. We listed what an organisation can do itself to improve privacy & security when taking applications to the cloud, focussing on authentication, authorisation, provisioning/account management and encryption. Below is a more elaborate blog post in Dutch.

Taking care of security and privacy in the cloud yourself


Submissions wanted for Novay Digital Identity Award 2012


For the third year, Novay will grant an award to an innovation in the area of digital identity. Previous winners are Edentiti (in 2011), and Ziggur (in 2010). The award ceremony will be at the IDentity.Next 2012 (un)conference (20-21 November, The Hague, NL). For details on the award, see below. Please do submit your innovation! And please do suggest to others that they submit if you think they are good candidates for the award. For information you can contact me.

The below is copied from

Submissions wanted for Novay Digital Identity Award 2012

On November 20-21, the Novay Digital Identity Award will be granted to the best new concept or product concerning digital identity. The award is part of the conference Identity.Next’12 in The Hague. With the award, Identity.Next and ICT research institute Novay want to recognize and support new developments that are shaping the future of digital identity. Submissions are welcome until October 19th.

The conference on November 20-21 (2012) is organized by the IDentity.Next association, a non-profit organization on Digital Identity. Identity.Next will bring a program with top experts, professionals and industry stakeholders to discuss the world around Digital Identity and best practice.

The conference program will consist of debates, workshops, and presentations in four tracks: ‘Social consumer’, ‘Mobile-me’, ‘Private Eye’, ‘eCitizen’, ‘Own (y)our data’ and ‘Up in the air’.

The award winning concept should relate to one of these themes. Innovative concepts, projects and products on digital identity for the award can be submitted until October 19.

Submissions will be judged by a jury consisting of Kevin Cox (founder Edentiti, winner 2011), John Hermans (partner with KPMG), Leendert Bottelberghs (Head of Business Development – Marktplaats, eBay Classifieds Group) and Hermen van der Lugt (chair of the jury and CEO of Novay).

Criteria include innovativeness (technological as well as business model), success & impact, how the privacy aspect is dealt with and added value for users and for stakeholders.

For more information, including jury members, factsheet and submission form, see: