torsdag den 13. oktober 2011

e-Identity - How concerned are You really about privacy?

(Picture from PRISE showing multiple identities for 'John')

This morning the Danish Radio had a new story about the long-delayed travel card, which will provide train and bus passengers with a contact-less card instead of old tickets. The card itself is a bit of a problem as it has been delayed for several years (In spite of other countries that have implemented similar things years ago – Oyster Card in UK was launched in 1999) – but the issue was that the passengers are requested to identify themselves with the personal registration number to get a standard travel card. The card issuer – – at their websites explains that this is because it is a personal token, if you want an anonymized version, which you can use between yourself and your friends and family, you will have to pay extra. Also pensioners and students will have to have a personal photo on the card to ensure nobody is getting a discount they are not entitled to. Further the travel card requires that you link it to your bank account via the Dankort, but claims that this is only used when you are re-filling the card, that is, paying money for your upcoming trips. The identity data kept by the rejsekort-organisation is' stored safely at a central database' and access to this is only granted to ' and it's business partners'. Partners include a number of bus companies, Danish Railroads and others. And even if you cancel the card 'the data logged describing your trips will be kept for 6 months to analyze travel patterns or as a proof if disputes should arise.' And further guarantees that they will stick with the Danish legislation on privacy. (The web page is not even in English, sorry!)

I immediately came to think about this as yet another proof that the Danish population indeed are the most happy people in the World and they have a firm trust in their government as well as in semi-governmental institutions and that nobody will even consider complaining about it, while in other countries this would have aroused protests, strikes and boycotts. (UK, Germany, US ..)

After my participation in the meeting on 'the Internet of Things' it is obvious, that this kind of infrastructure and the logging of the use of it is yet another example of 'Function Creep' in the use of what seems to be an innocent way of identifying persons, the CPR-no. Yet this number and the accompanying name, address and maybe photo may be another source for new ways of identity theft and also a new way of getting money out of people's bank accounts.

In most other European countries the attitude of the citizens would have prevented a thing like this. We have even had several EU-sponsored studies that have been dealing with the concept of having multiple, secure identities, that any citizen has a need to change the e-ID over a life time and across the various sub-domains, where she/he may need an identity. In Denmark we are simply blind to the risks, because we take for granted, that we have secure banks, that our salary system with our employees are safe, that our pension funds are safe so that for instance the tax system works almost without any input from the tax payer, it is close to 'hands free' and has been for some years. Try to explain an Italian why the Government ID should be used for your employer before you can get your salary, or in UK why the insurance company should use the same identifier as you use to receive your social benefits.

This difference in attitudes is also visible in other areas: Denmark has a higher number of CCTV's pr. Capita than any other country in Europe, even including UK. Yet the general attitude is that 'It doesn't matter as long as you have nothing to hide'. But if you look at all the apps for the iPhone or Android that with or without your knowledge register your whereabouts at any given time, the growth of CRM systems capability and tools for analyzing vast amounts of data (Ref. The 'Watson machine' by IBM) then it would become clear, that you need to strengthen the control with who is actually gathering data, what data they gather, how it is protected and how this relates to your 'official e-identity' or is a sub-ID created for just the purpose, for which the data is gathered.

These concerns are getting more weight as hackers, spoofers, fishing attacks etc. are gaining momentum and as more citizens are being exposed to data thefts, not to mention identity thefts.

As I have mentioned other places, the PRISE (Privacy-Security) project funded by EU ended up by a number of recommendations as did the PRIME, later PRIMElife project, that developed prototypes and methods to demonstrate how multiple, yet consistent identities could be maintained and still remain under the user's control. As is clear from the picture above, most people have different identities, and even public ID's need to be changed as technology progresses and as decryption and new, powerful computers demand upgrades of security. But still, an individual will like to shield parts of her/his life from others: Multiple facebook identities? One entity for gmail, one for company correspondence and one for friends and family, one identity and network for people sharing your hobbies etc. If you combine this view with the 'Internet of Things', gadgets, that may or may not contain data about your behavior, whereabouts, messages, pictures etc., then it becomes obvious that whether you trust your government or not, it may not be the brightest idea to use the same, basic and omni-potent e-Identity everywhere you go.

Already in 2005, Kim Cameron developed what he called 'The Laws of Identity', which described the fundamental laws, that any identity management system would have to obey if it should work across domains and survive for a prolonged time. He suggested the following laws:

  1. Technical identity systems must only reveal information identifying a user with the user's consent

  2. The solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution

  3. Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship

  4. A universal identity system must support both 'omni-directional' identifiers for use by public entities and 'unidirectional' identifiers for use by private entities

  5. A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers

  6. The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambigous human-machine communication mechanisms offering protection against identity attacks

  7. The unifying identity metasystem must guranatee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.

These criteria were put to a test by PRIME and later by PRIMElife, that made some exceptional demonstrators to prove the feasibility of these principles.

Also ENISA focused on this topic in the report on 'Managing Multiple Identities' which contains a realm of references to other relevant EU studies on this and corresponding issues.

As EU is now moving on to look into further use of cross-border identities it becomes clear that solutions like this are needed, as countries like Denmark cannot continue to be like the sleeping beauty hiding behind a wall of roses, we need to confront the Nordic faithful citizen with the skeptics of UK and non-believers of benevolent government in other countries. We have to help the Danish citizen with a simple, yet consistent way of controlling her/his own data (law no. 7) which will help us to travel across Europe, get our Government services - like pension, social benefits, while studying abroad - or help us with our medical and health record if we by accident or deliberately turn to hospitals in other European countries to assist us. The days of a magnetic strip card are long past, and while we are waiting for a more intelligent Danish ID-card that the semi-paper based NemID, we need to think out of the box and more important, actively participate in the projects that intend to offer capabilities to use and re-use eID's acroos borders. (See for instance the STORK project based on the idea of the European Interoperability Framework)

Ingen kommentarer: