Privacy and security in an eID solution?



In the Netherlands we have a digitale identity solution, called DigiD, for citizins that want to use e-government services. It is used quite a lot (compared to e.g. Belgium or Germany), but not very secure (only SMS as second factor, and verification via a well-known address contrary to e.g. face-2-face). The Dutch government is now working on a more secure eID solution, as part of an bigger identity trust framework that is called “eID stelsel” (roughly translates to eID scheme or eID framework). In the below blog post (in Dutch …) we discuss this, and zoom in on the IRMA research project in which we participate. IRMA smartcard aims to be both secure and privacy friendly (attributes, double blind certificates etc).

Een betrouwbaardere en privacyvriendelijkere DigiD

In een kamerbrief over de toekomstbestendigheid van Nederlandse identiteits-infrastructuur, schrijft minister Plasterk dat DigiD, in de huidige vorm, op korte termijn niet meer voldoende beveiliging biedt voor nieuwe gevoelige e-overheids diensten. Voor deze diensten is een veiligere eID oplossing nodig. Te denken valt dan, bijvoorbeeld, aan toekomstige diensten als toegang van patiënten tot hun elektronische patientendossier.

Read the rest of this entry »

CIO perspective on (the future of) privacy


As part of the CIO Days 2012 we did scenario planning sessions with a group of CIOs from the Netherlands. Scenario planning is methodology to consider what might happen in the future, and what the impact will be. Instead of trying to predict a future, we determined two dominant uncertainties about the future, and combined these in four possible futures. My Novay colleague Timber Haaker is our scenario planning guru, and also authored this blog post and this article in  CIO Magazine nr.2013-1 with more background on scenario planning and the scenario planning sessions we did at the CIO Days.  This is a pdf with only the relevant pages. All in Dutch. I facilitated the scenario planning session on privacy, the results of which I share below:

Read the rest of this entry »

Step-up authentication as-a-Service


IDentity-as-a-Service (IDaaS) was a hot topic in 2012 (e.g., this blog post of Dave Kearns), and probably will continue to be so in 2013. In a project for and with SURFnet (Dutch NREN) Novay designed a IDaaS-like service to make existing identities more trustworthy: Step-up authentication as-a-Service. (No idea more to abbreviate this: SuaaaS?)  The Step-up authentication as-a-Service we designed addresses this need by making it possible to increase the trustworthyness (put differently: increase the level of assurance) of identities in an existing identity federation. The service addresses both the technology and the process/registration side: a second factor authentication and an additional face-2-face check who this digital identity (and second factor) actually belongs to.

From a user perspective, the service has a self-service interface to register a second factor (see mockup below), an interface for the identity providers for user management (see second mock-up below) and of course every time a step-up authentication is needed the user is re-directed to the Step-up authentication as-a-Service to authenticate with this second factor.

Read the rest of this entry »

eRecognition won Novay Digital Identity Award


eRecognition (in Dutch: eHerkenning) has won, congratulations to Logius, ICTU, ministerie of Economic Affairs, all the partipating companies in eHerkenning and of course especially to the people that have contributed to eHerkenning! Below the official press release. What I’d like to personally add to this is that I think it is great that eHerkenning simply started facilitating business-2-government identification, with the parties that saw oppertunities to provide identity services and only a limited set of government service providers. It now has a growing usage, and is also targetting business-2-business.

Physically the award is a small statue (ceramics), from the artist Alexandra Veneman. A (bit shortened) explanation on her idea when she made this:

Read the rest of this entry »

Nominees Novay Digital Identity Award 2012: Evolok, eRecognition and IDchecker


For the third year in a row I’m responsible for the Novay Digital Identity Award, which Novay in collaboration with IDentity.Next will give to an innovation in the area of digital identity. The first winner (2010) was Ziggur (digital dealth service), last year’s winner was Edentiti (online identity verification).

We have an independent jury (which I’m not in), which picked three nominees for this year:

  • Evolok – which combines identity & access mngt with a paywall system for online content. Easy-of-use for consumers, flexibility w.r.t. business model for online content providers.
  • eRecognition – an identity trust framework from the Netherlands, for business-2-government (and also aiming for business-2-business). Ahead of similar initiatives in US (NSTIC) and UK, and usage is increasing.
  • IDchecker – a company that is very big in a niche market: a SaaS service for verifying physical ID documents based on a optical scan, or, IMHO much ‘cooler’, using a mobile app.

I copied the official announcement/press release below  (in Dutch is here). The winner will be announced on 20 November, during IDentity.Next in The Hague.

Read the rest of this entry »

7′ speech: students in control over their own data



SURFnet, the Dutch National Research and Education Networking organisation, had their two-year networking event for their customers and partners (3-4 October 2012). A new item were 7′ TEDx-like speeches, one of which was give by me. I talked about putting the student central is discussions about privacy in higher education, e.g., when introducing promising innovations like learning analytics. Although preparing for 7′ takes way more time per minute than preparing for 45′ or 90′ presentations (the length of the presentation the day and week before), it was fun doing it. I basically argued that the user acceptance of privacy-sensitive innovations in higher education is more important than if lawyers think that these innovations are allowed. This means that you should 1) explain the benefits of the innovation for the student and why the data is needed, 2) that you should be transparent on what data is collected exacly and 3) that whenever possible the student should be able to control the collection/sharing/rentention of this data.

For more information (all in Dutch ..): here is a blog post from SURFnet on my presentation. Here are the slides, but since they have a lot of pictures and little text, you are probably better of watching the video. It is only 7′ 🙂 My presentation starts at 1:11′. You can also watch the other presentations, including cool visualisations of open data by the VPRO (first talk) and interesting thoughs on Next-generation trust infrastructures by Roland van Rijswijk (SURFnet, second talk).

Internetbanking fraud in Netherlands increases again


The Dutch Banking Association (NVB) for a couple of years now makes internetbanking fraud numbers in NL public, with updates every half year. The damage for the first half of 2012 was €27.3M, compared to €35M for the whole of 2011 (see graph below, with the amount for 2012 calculated by simply doubling the first half of 2012) . The relative increase, again calculated by simply doubling the 27.3M to get a number to compare to the €35M, is roughly 1.5 times. This means the growth is less than it was the previous years (see the graph below). Also if you compare the first half of 2012 to the second half of 2012, the growth has decreased to 14%. This does not mean that I’m optimistic, the fraud still increases, and the absolute numbers are also becoming worrisome. With ~11M internet banking users, this is ~€5 per user, which is IMHO significant.

Read the rest of this entry »