Id cards

foofighter

I just finished reading the article on the Bilderberg meeting, and one thing I noticed was the comment about avoiding id cards. The reason I'm interested in it is because I'm somewhat involved in these things in my country, and am currently working with loads of government branches with their websites. All of them want to be able to interact with citizens through their websites, and in order to do so they basically need a way to identify users. This is the main problem they are all facing. The current trend in my country is towards id cards with chips, which would be used with card readers. This would enable people to easily log on to the websites and access their information and communicate with the government. This is what pretty much all people in the gov. want to achieve, and quite a lot of regular people as well.

So, my question then is: is it just the physical id card that is a bad thing, for the reasons mentioned in the article, or is it a generally bad idea to create a system allowing people to log on to government websites using certificates or somesuch. As I'm in a position to have a quite strong influence on this I would like to see as many sides of this coin as possible. Any insights would be highly appreciated!
 
foofighter said:
I just finished reading the article on the Bilderberg meeting, and one thing I noticed was the comment about avoiding id cards. The reason I'm interested in it is because I'm somewhat involved in these things in my country, and am currently working with loads of government branches with their websites. All of them want to be able to interact with citizens through their websites, and in order to do so they basically need a way to identify users. This is the main problem they are all facing. The current trend in my country is towards id cards with chips, which would be used with card readers. This would enable people to easily log on to the websites and access their information and communicate with the government. This is what pretty much all people in the gov. want to achieve, and quite a lot of regular people as well.

So, my question then is: is it just the physical id card that is a bad thing, for the reasons mentioned in the article, or is it a generally bad idea to create a system allowing people to log on to government websites using certificates or somesuch. As I'm in a position to have a quite strong influence on this I would like to see as many sides of this coin as possible. Any insights would be highly appreciated!
Hi foofighter,

Very interesting job you have. The main concern as I see it is to do with the potential misuse of the data that is collected. A Government may become increasingly authoritarian and wish to victimise a certain subset of its population. It could be due to their race, religion or particular genetic characteristic, e.g. Nazi Germany persecuting Jews, homosexuals and gypsies.

With increasingly centralised databases and the ability to link individuals with their web browsing activity, email, phone call and messaging contacts, potential dissenters can be specifically targeted, and as we see with the advent of the no-fly terror suspect database, the lives of these innocent civilians can be made increasingly unpleasant.

The potential risks are well illustrated in this 2-minute extract from the documentary 'Taking Liberties' _http://www.youtube.com/watch?v=97Ym7eU_OYU

It points out how the colonial Belgian Government insisted on ID cards in Rwanda to split up the native tribes by their physical differences. In 1994 the Hutu declared war on the Tutsis. Because everyone had an ID card, it enabled the genocide of 1 million Tutsis in 100 days - they were easily identifiable, stopped at checkpoints and murdered.

So while authenticating users to access websites is a legitimate concern and an ID card solution may be acceptable now, if the power structure changes and psychopathic leaders take control, then the potential abuse of the data is very real.
 
Pob said:
Very interesting job you have.
Very much so. But, now that I have it, I want to try and use the position I am in as positively as possible. To be honest though, it's not looking good. Last year there was a report produced on the issues with the current system, which is run by the bank consortium. Nobody likes it, but the guy running the id system on the gov side is quite psychopathic and has blocked any discussion about alternatives. The report, which I helped review, suggests an alternative system where the banks are not able to see who logs in where, which is the case right now (e.g. if you log into the unemployment database and then the social welfare website, chances are that could impact your status with the bank, and there would be no legal problem with it!). However, the entire department behind the report was cancelled this year, and so that report just became a "recommendation", if even that. Very disturbing. So now we're back to the BANKS owning our national identity as citizens, which is just totally crazy. Fortunately the system is also quite crappy, so the uptake from the gov branches is slow, and I hope it will continue to be so.

The main concern as I see it is to do with the potential misuse of the data that is collected. A Government may become increasingly authoritarian and wish to victimise a certain subset of its population. It could be due to their race, religion or particular genetic characteristic, e.g. Nazi Germany persecuting Jews, homosexuals and gypsies.

With increasingly centralised databases and the ability to link individuals with their web browsing activity, email, phone call and messaging contacts, potential dissenters can be specifically targeted, and as we see with the advent of the no-fly terror suspect database, the lives of these innocent civilians can be made increasingly unpleasant.
See above. This is already the case with the system in place now. What I'm interested in is if there's a way to get what they want (website login) without compromising individual integrity and without enabling central collection of such data.

The potential risks are well illustrated in this 2-minute extract from the documentary 'Taking Liberties' _http://www.youtube.com/watch?v=97Ym7eU_OYU
It points out how the colonial Belgian Government insisted on ID cards in Rwanda to split up the native tribes by their physical differences. In 1994 the Hutu declared war on the Tutsis. Because everyone had an ID card, it enabled the genocide of 1 million Tutsis in 100 days - they were easily identifiable, stopped at checkpoints and murdered.
Thanks for the link! I had not seen that before, and it puts the idea into an interesting perspective.

So while authenticating users to access websites is a legitimate concern and an ID card solution may be acceptable now, if the power structure changes and psychopathic leaders take control, then the potential abuse of the data is very real.
Point taken.

So, the question is: how would you (or anyone else) suggest that these websites solve this problem? Are there any other better alternatives, or should they just give up on the idea of being able to strongly authenticate citizens? If so, that would basically mean that any communication would have to continue to be done by signed papers in envelopes, which is what they want to get away from, both for budget and efficiency reasons.
 
foofighter said:
What I'm interested in is if there's a way to get what they want (website login) without compromising individual integrity and without enabling central collection of such data.
To my understanding, in order to be able to authenticate, enough information must be present to identify taken together, meaning that the system - if not such from the beginning - can be modified to store it. So there is no way to prevent - at any rate, in a future version thereof - a system that can preserve it and send it off to wherever. For that matter, the old paper system could be made to do so.

The only aspect I can think of that could be improved would be that part of the identification carried by the citizen, which instead of a personally identifying card could be a fairly unique (and non-guessable/non-viably brute-force-able) string of data not in itself identifying to the person - not centrally stored upon being issued - which upon being combined according to some algorithm with a number analogous to a social security number would yield either a passing or failing validation. But if both of these are sent to the server, the server could centrally store and relate the data-string to the number and so make it personally identifiable! So in the end even that would turn out the same.

foofighter said:
So, the question is: how would you (or anyone else) suggest that these websites solve this problem? Are there any other better alternatives, or should they just give up on the idea of being able to strongly authenticate citizens? If so, that would basically mean that any communication would have to continue to be done by signed papers in envelopes, which is what they want to get away from, both for budget and efficiency reasons.
As far as I can see, ability to strongly authenticate implies ability to - if not already there from the beginning - retrofit the system (on the server side) to do so in the future. But as for the paper solution, the same thing applies - only it is somewhat clumsier, as with the rest of the process. So the only difference there - apart from convenience - ends up being speed and the absence of forced ID-cards. OSIT.
 
Csayeursost said:
To my understanding, in order to be able to authenticate, enough information must be present to identify taken together, meaning that the system - if not such from the beginning - can be modified to store it. So there is no way to prevent - at any rate, in a future version thereof - a system that can preserve it and send it off to wherever. For that matter, the old paper system could be made to do so.
There are several issues here. One is the actual authentication, which yes, relies on being able to take (as a MINIMUM and usually NOT sufficient) password and other information about the user in order to establish identity of the user. In many newer architectures this process is separated from the service that is using the authentication, in what is called "federated security". In other words, you login over here, and then use that identity over there. As long as the service provider trusts the identity provider all is well, and then the service provider never gets the password or other credentials. There are variations of this where the service never really gets a username or anything that can be used to identify the person in real life. Instead it just gets a token (like "32fgh289") and an assertion that "whenever you get this from the identity provider you can be sure it's the same individual". This provides a level of anonymity for the user as it relates to the service provider, and yet the service provider can still be sure that whatever is shared (such as communication and records) will always be shared with the same user. This type of authentication would, for example, be very useful for this forum, as there is no need to know "who is who", other than that the user always is the same physical person.

As for how the service provider then stores usage information about when the service is accessed, and such, that has to be regulated in law. Sadly however, right now there are new laws in place in our country that place such requirements on the NETWORK operators rather than the service providers, meaning, it doesn't matter if they try to be "good". Some operators refuse to follow this law, on purpose, saying that the other laws on personal integrity take precedence. There is also a huge upshot in use of anonymizer services.

The only aspect I can think of that could be improved would be that part of the identification carried by the citizen, which instead of a personally identifying card could be a fairly unique (and non-guessable/non-viably brute-force-able) string of data not in itself identifying to the person - not centrally stored upon being issued - which upon being combined according to some algorithm with a number analogous to a social security number would yield either a passing or failing validation. But if both of these are sent to the server, the server could centrally store and relate the data-string to the number and so make it personally identifiable! So in the end even that would turn out the same.
That is handled by existing PKIs (where the user has a secret key and the identity provider has a public key), so that's ok. The main question is where to store the secret key for the user. Currently "soft certificates", meaning "files on disk", are being used mostly, but that is a HUGE risk considering that sooo many Windows machines are hacked. Having them on a physically removable media, such as a card, is much better from a security standpoint. Although, my personal favourite is to keep them in cellphones, which we all carry around anyway.

As far as I can see, ability to strongly authenticate implies ability to - if not already there from the beginning - retrofit the system (on the server side) to do so in the future. But as for the paper solution, the same thing applies - only it is somewhat clumsier, as with the rest of the process. So the only difference there - apart from convenience - ends up being speed and the absence of forced ID-cards. OSIT.
Just so we agree on terms here, "strong authentication" usually means using "multi factor authentication", meaning, to authenticate yourself you need a password ("something you know") and a card or cellphone or other gadget ("something you have"). This is much much more secure than just password or card separately: I can steal your password and login as you, and I can steal your card and login as you, but if I have to do BOTH that's much less likely. Funnily enough there is software out there that allows this to be used by systems without having to change them at all (as long as they use LDAP for authentication, which many do), but it's OpenSource and the maintainer has had a rough time personally and so isn't working actively on it. Quite sad really. If only there was money to develop that, it would be a really nice way to do it, and very very cheap too.
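
The pseudonymous-token flow described in the post above ("login over here, use that identity over there"), as an added example that is not part of the original thread. All names, hosts and keys are constructed, and an HMAC under a per-service key stands in for the public-key signature a real identity provider would use.

```python
import hashlib
import hmac
import json
import time

# Constructed demo secrets; a real identity provider (IdP) would keep these in an HSM.
IDP_PAIRWISE_SECRET = b"constructed-demo-pairwise-secret"
SP_KEYS = {  # hypothetical service providers (SPs), one assertion key each
    "unemployment.example": b"constructed-key-A",
    "welfare.example": b"constructed-key-B",
}

def pairwise_token(user_id, sp):
    """Stable per-(user, service) pseudonym; two SPs cannot link their tokens
    to each other without the IdP's secret."""
    msg = sp.encode() + b"\x00" + user_id.encode()
    return hmac.new(IDP_PAIRWISE_SECRET, msg, hashlib.sha256).hexdigest()[:16]

def issue_assertion(user_id, sp, now=None, ttl=300):
    """IdP side: called after the user has authenticated to the IdP (not shown).
    The SP never sees user_id or any credential, only the pseudonym."""
    now = time.time() if now is None else now
    claims = {"aud": sp, "sub": pairwise_token(user_id, sp), "exp": int(now) + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(SP_KEYS[sp], body, hashlib.sha256).hexdigest()
    return {"claims": claims, "mac": mac}

def verify_assertion(assertion, sp, now=None):
    """SP side: return the pseudonymous token, or None if the assertion is rejected."""
    now = time.time() if now is None else now
    claims = assertion["claims"]
    body = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(SP_KEYS[sp], body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("mac", "")):
        return None  # altered, forged, or issued for a different service
    if claims.get("aud") != sp or claims.get("exp", 0) < now:
        return None  # wrong audience or expired
    return claims["sub"]
```

In this sketch the identity provider still learns which service each login is for, because it needs the audience to derive the token; the pairwise token only prevents the services from linking one person's accounts among themselves.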
 