[cooperation-wg] Elephants and eIDs

Patrik Fältström wrote:
> What is irritating with just that snippet on top of page 12 you
> reference is that they say in more or less the same sentence that it
> is important to decide who to trust, while one should be told to
> trust whatever eID Brussels decides on.

That snippet, and the paragraph before it, are very confused pieces of
thinking.

> In particular, online platforms need to accept credentials issued or
> recognised by national public authorities, such as electronic ID
> cards, citizen cards, bank cards or mobile IDs.
[...]
> Further, the Commission will draw up a plan to strengthen public
> authorities' capacity to process and analyse large-scale data to
> support the enforcement of EU single market policies and to ensure
> platform users are more aware of the data collected by platforms and
> how it is used.

The paper then mention fake online reviews as being an example that
deserves particular merit.  In the long list of things which cause
erosion of trust, fake online reviews are pretty far down.

Apart from the concerns you mentioned, there is a complete lack of
understanding about the stupidity of using:

1. very widely or universally accepted access credentials.  The more
widely accepted an access token is, the more damage you can do by
compromising the token.

2. irrevocable tokens (e.g. biometrics in national ID cards) as trust
credentials on the Internet.  One of the centre-pieces of trust is that
it can be revoked.  If something cannot be untrusted, it should not be
trusted in the first place.

In either case, it would be pretty catastrophic if trust databases of
this form were compromised.  The more widely used a trust database is,
the more valuable it is and the more likely it is to be viewed as an
interesting target by threat actors, whether state or criminal.

Overall, while the intentions of this suggestion cannot be doubted, the
idea of mandating wide acceptance of eIDs seems to be an extremely
unwise plan of action.

Nick