BNR radio on facial recognition by Dutch police



Already some time ago, but by request: below is the link to the broadcast of the Dutch radio station BNR on the announcement by the Dutch police that they are going to use facial recognition to identify suspects. I was a guest in the second half of the broadcast (“Ask me anything”, presented by Jörgen Raymann, on 16 December 2016). In Dutch, of course. We discussed issues like effectiveness and privacy.

Guest at BNR Digital radio on biometrics


On August 17th I was a guest at the Dutch BNR news radio station, as part of the weekly BNR Digital broadcast. I was there as an expert on biometric authentication. I responded to the questions on the opportunities for biometric authentication in a mostly positive manner. I argued that biometric authentication can be a user-friendly second authentication factor. But I also voiced some concerns: not all implementations are done well, liveness detection (presentation attack detection) is and will remain a (if not the) challenge, and privacy can be a serious issue.


Digi2: a PoC app for DigiD



DigiD is the Dutch national digital identity solution for citizens to use e-government services (and online health and pension-related services). It is actually quite popular: in 2015 there were 12 million citizens with a DigiD, out of a population of a bit over 17 million. The number of logins also increased significantly over the year, with over 200 million logins in 2015. InnoValor did a project in 2015 to make a proof-of-concept app for DigiD that 1) can serve as a replacement for SMS as second factor, 2) can be used with government mobile apps and 3) is more secure than the current DigiD because it can use the contactless chips in e-passports etc. as a second factor. We did this project for and with DUO (the government organisation responsible for student enrolment, student finance etc.), in collaboration with RDW (the government organisation responsible for driving licenses, vehicle registration etc.) and Logius (the government organisation responsible for DigiD).

The blog post below was written jointly with Jan Kouijzer from DUO and gives the details. It is in Dutch and includes links to videos with a demo. It appeared earlier (7 December 2015) on


Re-usable identities instead of different passwords everywhere



Below is a blog post in Dutch on re-usable identities instead of different passwords for all websites. The trigger for the blog post is that Hold Security released the Dutch (or actually, .nl) part of the login data/email addresses that they discovered to have been hacked. The NCSC (National Dutch Cyber Security Centre) IMHO focusses too much on educating users to prevent this, rather than on finding/promoting solutions such as re-usable identities, including the Dutch eID Stelsel NL (similar to NSTIC in the US).


What if I want to share my data from my bank with others?


This is a cross-post of a blog post in Dutch on the InnoValor site in which I give my view on the announcement of, and the responses to, the plans of the Dutch bank ING to provide the personal data they hold to third parties (after opt-in).

And what if I do want to share my banking customer data?

Mijn ING

Since the interview in the FD of 10 March there has been a lot of attention for ING's plan to run a trial with sharing customer data with third parties. ING apparently underestimated the reactions this plan would provoke, which may have been a bit naive, certainly after what happened with Equens last year. For now they have put the plan on ice and will first work on gaining support from regulators, consumer organisations and privacy organisations. It seems to me there was little else they could do.

But are all those negative reactions justified? In my view, whether this is a good or a bad idea depends on the way in which a bank would share customer data. And the most important question here is whether the person the data is about, the consumer, wants this.

Which level of assurance is needed for LSP and other patient portals?



More and more health providers offer patient portals. These portals can contribute to more efficient and effective health care. In addition, because they provide easy access to personal health records and personalized health information, they can contribute to patient empowerment. But there is also a risk: the wrong person (i.e., an identity thief) may get access to this very personal information.

Novay participated in a working group that developed a guide for health providers to help them determine how secure the authentication solution for patient portals should be, i.e., which level of assurance is needed. My colleague Mettina Veenstra and I tried out this new guide on the Dutch national infrastructure for the exchange of personal health records. This infrastructure is called Landelijk Schakelpunt (LSP) in Dutch, which I have no idea how to translate into English (it resembles what the EU epSOS project calls a National Contact Point). The LSP recently added the possibility for patients to see which health professionals used the LSP to access their health records. It does not give patients access to the actual health records. Nevertheless, if an identity thief can see that e.g. an oncologist accessed your medication record as stored by your local pharmacy, then that implies something you may not want to share. The blog post discusses this, including the relationship to the national identity solution in the Netherlands (DigiD, which is STORK 2, and the lack of a STORK 3 solution in the Netherlands).

The full blog post is only in Dutch; see here, and it is copied below for convenience. For non-Dutch speakers, this is what Google Translate makes of it.


CIO perspective on (the future of) privacy


As part of the CIO Days 2012 we did scenario planning sessions with a group of CIOs from the Netherlands. Scenario planning is a methodology to consider what might happen in the future, and what the impact would be. Instead of trying to predict a single future, we determined two dominant uncertainties about the future and combined these into four possible futures. My Novay colleague Timber Haaker is our scenario planning guru, and also authored this blog post and this article in CIO Magazine nr. 2013-1 with more background on scenario planning and the scenario planning sessions we did at the CIO Days. This is a pdf with only the relevant pages. All in Dutch. I facilitated the scenario planning session on privacy, the results of which I share below:
