Privacy and security in an eID solution?

2013/05/27

irma4

In the Netherlands we have a digitale identity solution, called DigiD, for citizins that want to use e-government services. It is used quite a lot (compared to e.g. Belgium or Germany), but not very secure (only SMS as second factor, and verification via a well-known address contrary to e.g. face-2-face). The Dutch government is now working on a more secure eID solution, as part of an bigger identity trust framework that is called “eID stelsel” (roughly translates to eID scheme or eID framework). In the below blog post (in Dutch …) we discuss this, and zoom in on the IRMA research project in which we participate. IRMA smartcard aims to be both secure and privacy friendly (attributes, double blind certificates etc).

Een betrouwbaardere en privacyvriendelijkere DigiD

In een kamerbrief over de toekomstbestendigheid van Nederlandse identiteits-infrastructuur, schrijft minister Plasterk dat DigiD, in de huidige vorm, op korte termijn niet meer voldoende beveiliging biedt voor nieuwe gevoelige e-overheids diensten. Voor deze diensten is een veiligere eID oplossing nodig. Te denken valt dan, bijvoorbeeld, aan toekomstige diensten als toegang van patiënten tot hun elektronische patientendossier.

Read the rest of this entry »


Position paper on digital identity from Thuiswinkel.org (Dutch online retail association)

2011/06/23

 

Last week the Dutch online retail association Thuiswinkel.org published a press release and position paper (in Dutch) on online identity services. The press release contains five recommendations aimed at ‘parties in the online identity services area’. I think it is good that this is thuiswinkel.org apparantly considers this an important subject, and I agree with most of what they state in the recommendations. I do however have some comments on the specific recommendations. I translated each recommendation below, and give my comments to each of them.

  1. Re-use of existing consumer identities, such as login data, bank cards and phones
    My comment: yes! this is/was also a key element in our vision for a trustworthy consumer identity in the cidSafe priject (see whitepaper  and authencation overview) especially the “existing” in this recommendation is important because of the business case and user convenience implications.
  2. Choice for online retailers between several providers that each provide universal access to identities, also internationally
    My comment: this seemed a bit naive, that there will be several providers that can provide universal access. But checking the explanation in the position paper itself made is clear that they refer to intermediate brokers between the online retailers and the identity providers. These may make life easier, see a previous post on 3 vs 3.5 vs 4 party models.
  3. The user determines which parts of his identity he reveals, the online retailers determine the desired trust level
    My comment: good! Where in many case revealing “nothing” should be an option …
  4. Good communication about online identities for users
    My comment: absolutely, the question is more the ‘how’, and where the trade-offs are between keeping the solutions simple enough so we do not need to explain too much, and having an open and flexible solution.
  5. Government should start with a pilot with verified attributes that online retailers can use, including age
    My comment: no 😦 see below

In the press release, and following press articles such as this one, focus on the online age verification recommendation. This is a hot subject in the Netherlands, also because of legislation on what you cannot sell to minors, e.g., porn, violent video games or gambling to 16 years or younger. In the offline world this can be (but is not always …) checked by cassier, in the online world there is currently no way to do so. I however disagree with the fifth recommendation because of two reasons. The first is that it is more general on the verified attributes than age, and with minimal data disclosure in mind I do not see why this needs to be so general (with post-payment as a possible exception, but more creative things can be done there). Secondly, it assumes a government solution. Why exclude a private market solution? Actually, Novay (in the person of my colleague Bob Hulsebosch) did a impact & feasibility study on using iDEAL for online age verification for online retailers. Our client was a public-private working group from the Ministerie of Security and Justice and NICAM. iDEAL is the Dutch online payment service provider for retailers and is used by 81% of Dutch web shoppers. Online retailers would in this case rely on the banks behind iDEAL for age verification. See also this recent article in emerce with an interview with workinggroup lead Willem van Teeseling from Buro 240a. Of course, also a private market solution may benefit from ‘encouragement’ from the government, but that’s not what the fifth recommendation states (contrary to section 6.5 of the actual position paper which is more in line with my position on this).

Only somewhat related to the above, in the position paper a few sentences discuss combining identity with payment, which would streamline the user experience. We all know: less clicks, more convergence, thus this is IMHO a good point: payments providers have an edge as identity providers especially when it comes to online retail. And the point they also make is that the mobile channel needs a user friendlier identity solution (with less user input) , is also very true I think.