
A proper online identity framework is long due though. Maybe this is not the proper one but sending copies of my passport, electricity bills and lately selfie recordings as well to "prove my identity" doesn't seem right either.



Governments though can do that through their own passive demand. I.e., they can issue proper smartcards/tokens for citizens to identify themselves with, and then say that those can (and eventually must) be used for electronic interactions with the government itself (taxes being a big one, but they'd easily be useful for a range of stuff). Follow/improve open standards. With something good, open and convenient, private usage will naturally follow. Government can also by definition get involved with the issue of legal liability and fix BS like "identity theft" by shifting liability to businesses who do not meet good authentication standards. Doing it that way also creates room for fixing serious issues in practice before a natural rollout, as it starts with the government dogfooding its own standard. And if a lot of sites demand it, browsers will respond absent overwhelming reason not to, which itself is a good form of pressure to get said overwhelming reasons fixed.

I'm very doubtful though that trying to just directly legislate how software universally works, bypassing process, is a good idea. Massive room for abuse as well.


I think you touch on the issue.

Having a standard for Identity Management seems reasonable. Mandating that such a state-regulated identity be used for all on-line data passing on the internet seems like a nightmare waiting to happen.

That may not be the step in between "collect underpants" and "profit" but it feels like it's coming. In the U.S., I'm sure something like this will be sold in the clothing of think-of-the-children.


> Mandating that such a state-regulated identity be used for all on-line data passing on the internet seems like a nightmare waiting to happen.

They didn't mandate that though, the proposal was that it should be possible to use it, not that everyone should be forced to use it. You would still be able to log in using other means.

Basically, Facebook would be required to provide you with the option to use e-ID to log in. But you could still log in with other means. It just gives you more freedom.


Please, we know how that works. Youtube age filter? Will be mandated for anything controversial as soon as such a system is in place to protect the children. Meanwhile we spend trillions on e-commerce. There is crime, but nothing that warrants such an ID scheme.


When this becomes widespread then you can expect to have to authenticate this way everywhere. Want to make a Twitter account? Please authenticate with your government ID. Facebook? Of course. Video games? You bet.

South Korea already has these requirements for (some of) their video games.


The draft revisions actually propose such authentication to be mandatory to implement for service providers if their users would like to use it.

That is, it specifically targets websites (particularly Very Large Online Platforms) that they MUST accept such ID in lieu of an email or password, at the user’s request. This was part of the original motivation for the revisions, to target “Sign in with Facebook” or “Sign in with Google” and require such sites also offer a “Login with EU” option.

Source: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=COM%3A20...


So $VLOP is compelled to accept QWAC user-certificates, if one user requests it? And QWAC user-certificates are issued by TSPs whose CA cert must appear in the root-store unconditionally?

That means there is nothing preventing $TSP from forging my certificate, and giving it to criminals/government-agents, and nothing to keep the TSP in line, because the single audit constraint is "Keep the Minister satisfied".

I personally don't have a problem with the idea of replacing passwords with user-certs, provided I get to generate my own cert with my own private key. But the evidence is that general users can't learn how to use certificates.

I hate passwords, but I'd rather use passwords than a user-cert issued by an unreliable CA.


The "unreliable CA" you are talking about here happens to be banks and similar. Do you trust that your bank doesn't just steal your money? Yes, you basically can't function in modern society if you don't. These e-IDs just piggyback on that trust to also work on online sign-ins. Most people worry more about their bank account being compromised than their GitHub, so if these CAs (i.e. banks) start to abuse their position we would have way bigger troubles than someone stealing your GitHub account.


I see, QWACs are to be issued by banks. And websites are required to trust them.

So if the bank gets hacked, then presumably the EU will indemnify the relying website against any legal action for trusting an unreliable CA? Even if that website is in China/Russia/Belarus?

You seem to have read the proposed regulation, Jensson; the information you've given is not in the position paper. Any chance of a summary?


The QWACs can be issued by anyone who meets the minimum requirements, which are substantially less than those required for TLS server CAs in browsers. So while it’s true that banks can issue these, in practice there are many small companies with fewer than a thousand or so certs out there which have the same requirement that they must be accepted.

The eID certificates do come with probative (legal) effect, but this is where it gets complicated.

If the CA is hacked or screws up, yes, the CA is liable. But only if you did everything you were supposed to, such as checking every element of the certificate. These certificates have a variety of fields, such as “liability only up to XX euros”, and you (the site or user) are liable if you use it for more than that.

PSD2 has shown that the standards are a nightmare to fully implement. https://wso2.com/blogs/thesource/all-you-need-to-know-about-... gives a useful overview of how it’s worked for PSD2, and the new Digital Identity Framework/eIDAS Revisions proposes to make that the approach the standard everywhere.

In practice, this means that the server accepting your certificate needs to implement all of this correctly (spoiler: they don’t), or they bear the liability if the CA gets hacked - and they can’t distrust that CA. It also means the CA potentially learns every site you visit, because the sites have to check with the CA (if using OCSP).

Of course, if the government themselves directed the CA to misissue - e.g. at the direction of law enforcement - no such liability would be presumed, because it was a presumably lawful issuance.
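
What "checking every element of the certificate" looks like on the relying-party side, as an added example that is not code from this thread, from eIDAS or from any TSP: a toy Python script (needs the `cryptography` package) in which a made-up TSP CA issues a user certificate carrying an illustrative liability limit, and the accepting server runs each check it is on the hook for before honouring the certificate for a transaction. The `2.999` OID arc (reserved by ITU-T for examples), the encoding of the limit as a subject attribute, the names and the fixed clock are all assumptions for the example; real qualified certificates carry the limit in an ETSI qcStatements extension, and the local revoked-serial set stands in for the CRL/OCSP lookup.

```python
"""Relying-party validation of an eID-style user certificate.

Added example, not code from the thread, from eIDAS or from any TSP: a made-up
"TSP" CA issues a user certificate that carries an illustrative per-transaction
limit, and the relying party runs every check it is expected to run before
accepting that certificate. Requires the `cryptography` package.
"""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# ASSUMPTION: 2.999 is the ITU-T arc reserved for examples; a subject attribute
# under it stands in for the limit field. Real certificates carry the limit in
# the ETSI qcStatements extension, which needs its own DER parsing.
LIMIT_OID = x509.ObjectIdentifier("2.999.1")

# Constructed clock so the example is reproducible; real code uses the wall clock.
NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)


def make_ca(name="Example TSP Root"):
    """Self-signed CA standing in for a trust service provider (made up)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_user_cert(ca_key, ca_cert, common_name, limit_eur,
                    days_before=1, days_after=365, for_signing=True):
    """Issue a user certificate under `ca_cert` that states a transaction limit."""
    user_key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name),
                         x509.NameAttribute(LIMIT_OID, str(limit_eur))])
    key_usage = x509.KeyUsage(digital_signature=for_signing, content_commitment=False,
                              key_encipherment=not for_signing, data_encipherment=False,
                              key_agreement=False, key_cert_sign=False, crl_sign=False,
                              encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(ca_cert.subject)
            .public_key(user_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=days_before))
            .not_valid_after(NOW + dt.timedelta(days=days_after))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(key_usage, critical=True)
            .sign(ca_key, hashes.SHA256()))
    return user_key, cert


def _validity_window(cert):
    """(not_before, not_after) as aware UTC datetimes, across library versions."""
    not_before = getattr(cert, "not_valid_before_utc", None)
    if not_before is not None:
        return not_before, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=dt.timezone.utc),
            cert.not_valid_after.replace(tzinfo=dt.timezone.utc))


def validate(cert, trust_anchor, revoked_serials, amount_eur, now=NOW):
    """Return the names of the failed checks; empty means the certificate is
    acceptable for a transaction of `amount_eur`. Every check runs."""
    failures = []
    # 1. Chain: issuer name must match the anchor AND the signature must verify
    #    under the anchor's key. A matching name on its own proves nothing.
    if cert.issuer != trust_anchor.subject:
        failures.append("issuer")
    else:
        try:
            trust_anchor.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                             ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            failures.append("signature")
    # 2. Validity window against the (here constructed) current time.
    not_before, not_after = _validity_window(cert)
    if not (not_before <= now <= not_after):
        failures.append("validity")
    # 3. Key usage: an authentication/signing certificate must assert digitalSignature.
    try:
        if not cert.extensions.get_extension_for_class(x509.KeyUsage).value.digital_signature:
            failures.append("key_usage")
    except x509.ExtensionNotFound:
        failures.append("key_usage")
    # 4. Stated limit: relying on the certificate above it moves the liability
    #    onto the relying party, so refuse rather than proceed.
    limit_attrs = cert.subject.get_attributes_for_oid(LIMIT_OID)
    if not limit_attrs or amount_eur > int(limit_attrs[0].value):
        failures.append("limit")
    # 5. Revocation. A local set stands in for the CRL/OCSP lookup; with OCSP the
    #    query itself tells the CA who is relying on the certificate.
    if cert.serial_number in revoked_serials:
        failures.append("revoked")
    return failures
```

`validate` deliberately collects every failure instead of stopping at the first one, so a log line shows the relying party exactly which of the obligations it missed; a certificate from a second CA with the same name but a different key fails on `signature`, not on `issuer`, which is the case that a name-only check would wave through.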


Thanks. Your explanation is miles more informative about that than the original article.


I've worked on identity infrastructure in an EU country, so I know a lot of details about how it works; the EU proposal is just an extension and merger of the local ones. I can just explain how the local ones work, I don't know the exact details of the EU proposal as I no longer work in that industry.


I'm saying it'll go even further than that though. If you want to use the service you will have to authenticate through this method. This is pretty much as perfect as it gets for any company trying to vacuum up data, because they will be able to uniquely identify every user. It's effectively the end of privacy by obfuscation, because you will have to identify yourself.


Yes, the current regulation is targeted at government sites authenticating citizens, but the goal with these revisions is to require VLOPs to support this, along with giving them the ability to require this for all websites. The original roadmap called out by the European Agency for Cybersecurity (ENISA) suggests a long-term goal of making this mandatory, effectively reviving the idea of the "Internet driver's license" (for users) and "Authorized domestic website" (for servers).

Source: https://www.enisa.europa.eu/publications/qualified-website-a...


They can already do that though, nothing is stopping them from adding this to their sites right now. EU already has e-id for people and companies can use that if they want.


Yeah, and I never get asked by US companies to prove my identity with my credit card for adult content (which includes music videos from Laibach?!?!)... yawn ... typical US hysteria about IDs, but commercial exploitation is all fine and dandy.


We spend trillions on e-commerce with "normal" user accounts that worked just fine. Some cases of theft and other crimes that don't warrant any action in my opinion. Meanwhile we have a huge problem with governmental surveillance, which is a worse crime than theft depending on how you grade it.


I guess that depends what you expect from society and government.

Do you expect that everything runs like an extremely powerful, well-oiled machine, where 100% interoperability likely means complete surveillance? A seemingly technocratic dystopian reality where every impulse is quantified and catalogued? I think it's naive to believe that governments don't want more money, power and control over their citizens, and government will likely be extracting more with every optimization the system makes.

Or would you rather have an extremely powerful machine that is disjointed, highly flawed and laden with inconvenience, so that society doesn't really know who you are? Where the individual has more freedom and liberty, but as a result there is more crime and less "safety". A world where powerful anti-social forces are at play, such as disinformation campaigns, polarization of discourse, fringe movements and revolution.

The commonality is they are both driven by technology. We have built an extremely powerful machine and that has introduced enormous complexity into our society. This complexity equates to entropy and either we pull it together with draconian government policy, or the system unravels.


Question: how will the free/liberal society (plagued by polarization, etc) fare against the dystopian ones?

In the past we've been able to out-innovate and maintain moral leadership through a fictional aspiration to democratic norms. Now state actors can run finely targeted propaganda campaigns and measure our engagement with them in real time while using extensive censorship measures to prevent us from doing the same to their populations.

None of this invalidates your point, but the tables have been tilted and abstract discussions of freedom tend to avoid wrestling with the geopolitical ramifications.


> A proper online identity framework is long due though.

Due by whom, and for what?


For citizens who want efficient, effective access to services that require identity. The need for identity isn’t going away, and a poor implementation doesn’t guard against overreach.


The EU is already doing that through eIDAS. It's basically a federated login system for government services that works (or at least, should already be working) across governments.

The implementation is not that different from the "log in with Google/Facebook/Twitter/MySpace/Apple" buttons on many websites, though the login procedure is a bit more involved because of the sensitivity of the data.


> For citizens who want efficient, effective access to services that require identity.

There are some citizens who want this. Not all.

> a poor implementation doesn’t guard against overreach.

A good implementation enables overreach as in, "Please confiscate everything belonging to John Q. Public." An effective identity enables government overreach.

This cure is worse than the disease.


> The need for identity isn’t going away [..]

My identity is just fine, but thanks for your concern :)

I can walk into my local bank branch and ask to either pay in or withdraw money and they don't ask for any kind of ID(!), or my account number, because they actually know me :) They even tend to say "Hello $firstname" when I walk in, even if I only called in to use the ATM.

Amazing how good ol'fashioned _offline_ identity can actually be secure.

Try walking into my local branch with faked ID of me and attempting to withdraw funds from my account.


Why would someone try your local branch instead of any one of their 200 convenient nation-wide locations that all have access to your money and don’t know what you look like?

Personal trust as a foundation for identity became an untenable option as soon as the modern age arrived and our world expanded beyond our immediate geographic area.


> Personal trust as a foundation for identity

Eventually every system boils down to personal trust, from the doctor that certifies you were born, to the person looking at the computer screen in a licensing office who is deciding if she is going to issue the license. There is no escaping this.


Identity theft happens because you have weak online identity protections. Strong e-ID systems, as can be found in many parts of Europe, almost completely fix that. Where I live nobody is afraid of identity theft, since you can't do anything just because you know someone's name, address or numbers.


> services that require identity

Suppose I have my personal QWAC installed in my browser. Does this mean that I won't be able to visit $BIGSITE without authenticating and logging-in?

That wouldn't make things more efficient - it would create friction, because I'd have to switch browsers if I wanted to visit a site that I didn't want to authenticate to; or do some settings fandango to disable QWAC before clicking a link.


In Poland you can do a lot of things digitally by authenticating on government sites with your bank (imagine "Continue with your bank" instead of "Continue with Google" or "Continue with Facebook"). It's nice because the bank already verified my identity when I was creating a bank account. I did not have to scan & send anything, go verify in some office etc., and I was able to do multiple things: change how my company is taxed, register for COVID vaccination, the government census.


Canada has this too for some government services like the tax system.


We use BankID for this in Norway (and elsewhere in Scandinavia I think).


> A proper online identity framework is long due though [..]

You're entitled to your opinion but for me, it's a firm "No, thanks".

I feel considerably more comfortable* carrying a paper document which proves my vaccination/negative test than I do using any kind of government-approved app on my phone.

* that's putting it mildly


You should be comfortable with carrying and using a document certifying a test result, but not with a document proving vaccination. The first is reasonable due to its obvious utility in infection control, the second is not; it has now become a tool for sowing division and hatred in society.

If you care about limiting infections, get tested.

If you care about freedom, reject government certificates.


Looks like you haven't lived in 5 European countries and had to interact with all of them for things like taxes, pensions, vehicle registrations, and with mobile phone numbers that change, 2FAs that go crazy, passwords that expire etc. etc.

Yes, a common electronic ID is an absolute godsend. Can't wait for it to be implemented on every fricking public administration website.



