Monday, 19 December 2005

Is Big Brother Belgian?

Belgium is the first European country with a nation-wide electronic ID card.

Microsoft Belgium on Monday announced a new Electronic ID (eID) Early Adopter program. Under the program, Microsoft will be working with local software vendors to develop eID-based applications. Microsoft's MSN division will develop one such application — an authentication service for MSN, according to Microsoft officials.

Information on MSN's work with the Belgian government around e-ID cards was first reported by the www.mess.be [sic: uninteresting] Web site. Mess.be reported that Microsoft also might add authentication for eID cards to future Windows releases as well.

Sun Microsystems is on it too: The e-ID 'project' is the single largest government deployment of Java Card technology in Europe.

And Adobe is as well.

From Stefan Brands' superb Identity Corner web-site [recommended]:

"Two glaring problems:

The citizen certificates on each ID chipcard contain the cardholder’s name and RRN (the “rijksregistratienummer,” a single government-wide identification number for each natural person). The name and RRN are disclosed whenever a card is used at a relying party. The RRN (which has a simple structure based on the citizen’s birthday) serves as the key to numerous databases containing citizen information; on the basis of this number, all cardholder actions and movements with the eID chipcard can be electronically traced and linked (not merely by the government itself!).
The eID card specifies the following information, both visibly on the card itself and stored within the card’s chip: cardholder’s photo, surname and first names, gender, nationality, place and date of birth, signature, RRN, and the validity period of the card. In addition, the chip also stores the cardholder’s current address. Some of this information is privacy-sensitive, yet the cardholder has no control over its disclosure. (Historically, this is the same information as has always been on Belgium identity cards, and so arguably this does not constitute a reduction in privacy; however, in most countries around the world an information-rich national identity card would not pass in the first place.)

The privacy problems do not stop here. Each eID chip contains two X.509v3 identity certificates (each specifying the citizen’s name and RRN number, one for authentication and one for digital signing), as well as a basic signature key to authenticate the card with respect to the RRN. The certificates and public keys, which are assigned by the central issuing authority, by themselves serve as “omni-directional” identifiers that are globally unique. For a detailed account on the various privacy problems caused by this use of PKI, see, for instance, here.

As reported by EPIC and Privacy International in their 2004 report on Privacy & Human Rights, “the new ID card has been criticized by the Commission and civil liberties organizations as presenting a serious threat to individuals’ privacy.” In many ways, the Belgian eID card is the worst nightmare come true of the smartcard’s original inventor, Ronald Moreno. Moreno came up with the card in 1974 as a means of replacing low value cheques, and repeatedly warned of the slippery slope dangers of the card when used for other purposes. In one famous statement, Moreno warned about the potential of smartcards to become “BIG BROTHER’S LITTLE HELPER”.

At present, only a few government services have been hooked up to the Belgian eID card. Consequently, the privacy implications of the card are relatively minimal. However, as stated on the Web site, over time the eID card will give access to a wide range of government services:

“With the electronic ID card, you will be able: to access the records kept by the local authorities about you. […] to request on-line documents for which you now have to go to your administration personally […]; to exchange information on-line with your administration, private companies or organisations through a secured channel. […] to make statements or transactions (social services, banks, post, insurance…) from a distance; […] Several municipalities are already equipped with electronic windows that enable you to make requests by filling in electronic forms. […] to get in touch with the regional and federal services on the Internet. […] to make secure commercial transactions on the internet (on-line selling and buying); to affix your electronic signature on documents […]. You will also be able to send electronic messages with a legal signature, to sign contracts on the Internet: to use all applications which will be put at your disposal in the future by the State as well as by the private sector. You will be able to make bookings, registrations, payments, to place orders, to terminate contracts as well as many other things, in complete security. Company badges, electronic payment cards, on-line VAT declarations represent other examples of possible applications.

It does not take a PhD to figure out the ENORMITY OF THE PRIVACY IMPLICATIONS of using the current eID card for all these services. Apart from privacy dangers, there are also SEVERE SECURITY IMPLICATIONS, not only for citizens but also for service providers. In the words of the authors of the recent LSE report (see Chapter 18), replacing “today’s local non-electronic identifiers by universal identifiers that are processed fully electronically […] would remove the natural segmentation of traditional activity domains. As a consequence, the damage that identity thieves can cause would no longer be confined to narrow domains, nor would identity thieves be impaired any longer by the inherent slowdowns of today’s non-electronic identification infrastructure. Furthermore, service providers and other parties would be able to electronically profile individuals across all activity domains on the basis of the universal electronic identifiers that would inescapably be disclosed whenever individuals interact with service providers. […] [It] would also eliminate the ability of government service providers to function autonomously, and would introduce enormous security risks to citizens and government alike; fraudulent insiders and successful hackers would have the ability to electronically impersonate citizens across government areas, to cause false denial-of-access to citizens on a fine-grained per-transaction basis, and to cause massive identity theft damage.” The current Belgian eID card suffers from ALL these risks."
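As an added illustration of the linkability point made in the quoted passage (example code written for this post, not from Identity Corner or any eID project), the Python below joins the logs of two unrelated relying parties on the identifier each read from the presented certificate, then repeats the join after replacing the raw RRN with a per-domain HMAC pseudonym. The RRN values, log entries and secret key are constructed, and the pseudonym scheme is one assumed mitigation, not something the card provides.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: two unrelated relying parties, each logging the
# identifier read from the presented citizen certificate. RRN values are made up.
SECRET = b"constructed-demo-key"  # assumed issuer-held key, not a real one
TAX_OFFICE = [("RRN-0001", "filed return"), ("RRN-0002", "filed return")]
BOOKSHOP = [("RRN-0001", "ordered book"), ("RRN-0003", "ordered book")]


def cross_domain_links(log_a, log_b):
    """Join two services' logs on the identifier both received.
    Returns {identifier: actions seen in BOTH domains}. When every
    certificate carries the same government-wide RRN, any two parties that
    compare notes can do this join, with no central database involved."""
    seen = defaultdict(list)
    for ident, action in log_a:
        seen[ident].append(("domain_a", action))
    for ident, action in log_b:
        seen[ident].append(("domain_b", action))
    return {i: acts for i, acts in seen.items()
            if {d for d, _ in acts} == {"domain_a", "domain_b"}}


def domain_pseudonym(rrn, domain, secret=SECRET):
    """Domain-specific pseudonym: HMAC-SHA256 over (domain, RRN) under a secret
    held by the issuer. The same citizen gets a stable identifier within one
    domain, but different domains see unrelated values."""
    msg = f"{domain}|{rrn}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize(log, domain):
    """Rewrite a log as the relying party would see it if the card disclosed a
    domain pseudonym instead of the raw RRN."""
    return [(domain_pseudonym(rrn, domain), action) for rrn, action in log]


def demo():
    """Identifiers linkable across domains: raw RRN vs. per-domain pseudonyms."""
    raw = cross_domain_links(TAX_OFFICE, BOOKSHOP)
    pseud = cross_domain_links(pseudonymize(TAX_OFFICE, "tax"),
                               pseudonymize(BOOKSHOP, "shop"))
    return sorted(raw), sorted(pseud)


if __name__ == "__main__":
    print(demo())  # (['RRN-0001'], [])
```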

Funny post on a forum:
"Think about it, the session-id of a site replaced by your id-card.
You can only access the internet when you insert your id-card."
...
Another opinion in responses to “The problem with the Belgian eID card” also at Identity Corner web-site:
"How is it possible that a country whose cryptographers gave us, among others, the AES (the Advanced Encryption Standard; see here for details) can field such a horribly bad identity chipcard infrastructure? Are the legislators doing this on purpose, or are they just so asleep at the switch that they don’t think of tapping into the cryptographic talent present within their own borders in order to propose something better?"

A new Belgian electronic ID card contains typos introduced purposely to confound potential fraudsters, Luc Vanneste, General Director Population and Institutions of the Belgian Home Office, proudly announced this week.
To trick fraudsters, the Home Office has introduced three circular arcs on the card - just beneath the identity photos - where you will find the name of the country in the official languages spoken in Belgium - French, Dutch and German, as well as in English. But instead of 'Belgien' in German, the ID card incorrectly uses the name 'Belgine' and instead of 'Belgium' in English, the card reads 'Belguim'. Vanneste has promised other errors will be printed on the card to "further confuse fraudsters". With any luck, these will not be revealed. <= Doofus!

Nationmaster:

All Belgians that are 12 and above are issued a national identification card. Belgians 15 and above are required to always carry it with them unless they are within a 200 meter range of their homes. (Foreigners too must at all times be able to provide identification, either a passport, or an ID issued by the Belgian Government)

Belgians aren't required to show their IDs unless dealing with:

Particular Governmental Agencies
The police
Authorised bus and train personnel
From a Belgian UK resident:
An argument that is used against ID cards here is "function creep": the notion that more and more data will be introduced, making ID cards in effect more of an intrusion into personal life and privacy of the individual.

Companies involved in the Belgian electronic ID card project include Zetes (manufacturer of the card), Axalto (ex-SchlumbergerSema, provider of the chip operating system and secure modules), Steria (provider of the exploitation structure in the federal PKI environment), and Certipost (a subsidiary of Belgacom and the Belgian Post Group providing Certification services).

Oh and also Belgium is a NICE country!
