Well, I have read parts of it, but one thing that did pop out was this sentence: "[...]In particular, online platforms need to accept credentials issued or recognized by national public authorities, such as electronic ID cards, citizen cards, bank cards or mobile IDs.[..]"
I think that this creates a big security risk. In the Netherlands, this "trust" means that there will be a single point of failure: The authentication server, called "digi-d". This is a server where we have to log in every year for doing our tax report, and every year they have issues with DDoS due to people filling in their taxes. On top of that, when authenticated you have all the information on your passport + you can even use this form of authentication to legally "sign" documents. All you need to do is intercept 2 paper mails (one with username, one with password) and you can fill in all the paperwork for that person. At my job we have an "authentication" system that the EU desires already in place. You can log in with any credential you want (they are constantly adding new ones), and based on how you log in you get a different "clearance" rating. If you log in with an eID for example, you get a higher clearance rating than logging in with google ID. Based on the website that uses this system you get a different ID number, and only the authentication system itself knows who this user is (and can send emails to that user). The websites itself don't know who logged in, they only know an ID number and what the user shared with them. That way you can use your google ID for example to make an appointment with the municipality (if you have connected your google ID to your eID) but to make changes you still need to log in using your eID (due to the clearance level not being high enough). What I find the biggest issue with these "eID" from brussels is the fact that it is too easy to track them back to a particular user. You will always need to use the same identification method, and if someone steals your identity card + password they can basically steal your complete identity. Not only that, governments can track you down for writing down your ideas online. This has been happened before with Twitter, and I am pretty sure that advocating a Single Sign On (SSO) will make this even worse. I feel that this is going the same way as in China, where you have a "digital identity" that everyone can use to contact you, and when that "digital identity" leads to violations, then they simply have to trace it back to its owner. I am not sure if people like to visit Facebook with their identity card. Or use Twitter with their real name. What if they decide that when you want to be on the internet, you need to log in first? What if one of those SSO systems goes down, gets hacked (think Diginotar) or even fails to protect its users? "Freedom of Speech" is something that I think should be cared for, and that also means the possibility to have something that is not a single point of failure. I think that the EU should advocate an universal log-in system like U2F that can be used by everyone without having a single authentication system that needs to be monitored by the EU. The SSO that the EU advocates can quickly become something that directly comes out of a book from George Orwell. Without a single point of failure, or a single point of "trust", only then you can be sure that privacy is ensured. That way people can securely browse the internet without having to rely on state-issued identification tokens to browse the internet. Julius ter Pelkwijk On Sun, May 1, 2016 at 6:12 AM Patrik Fältström <[email protected]> wrote: > Thanks Gordon, > > What is irritating with just that snippet on top of page 12 you reference > is that they say in more or less the same sentence that it is important to > decide who to trust, while one should be told to trust whatever eID > Brussels decides on. > > Thats a contradiction in terms. > > There are too many "trust" issues where Brussels think the path forward is > to tell people what to trust. Incident reporting, how CERTs are managed and > get their information and eID. Just to mention a few. > > Thats not how trust is built up. And specifically not how trust is moved > from trust between individuals to trust between organizations. > > Patrik > > On 30 Apr 2016, at 23:00, Gordon Lennox wrote: > > > Some people here may remember the presentation on eIDs at a previous > RIPE meeting. > > > > > https://labs.ripe.net/Members/chrisb/engaging-with-eu-legislative-process > > > > A draft Commission document which mentions eIDs has recently been > “leaked”. > > > > > http://www.politico.eu/wp-content/uploads/2016/04/Platforms-Communication.pdf > > > > See in particular the top of page 12. > > > > I understand from folk within the bubble (the Brussels/EU bubble) that > this kind of thing is now seen as a way of testing the reaction of experts, > of those really interested, before proceeding. > > > > So any prompt reaction, and this could be individual reactions rather > than the reactions of organisations, may be useful. > > > > Indeed any reaction now may more useful than when the Commission has > taken a formal position on the proposal and when the services are naturally > obliged to defend it. > > > > This item from The Register - > http://www.theregister.co.uk/2016/04/29/eu_login_youtube_national_id_card/ > - would suggest that one person to write to is the Estonian Commissioner. > > > > Regards, > > > > Gordon >
