[cooperation-wg] Elephants and eIDs

Dear all,

I can't claim I am an expert on eID systems in general, or on the eID regulatory framework that the EU put in place about a year and a half ago specifically (it's the "eIDAS Regulation"), and for clarity I cannot, as an official of the EU, comment on leaks (European Commission rules - not that I necessarily agree with this particular rule, but it is what it is). 

However, my limited understanding of the eIDAS framework is that it does not impose the use of any particular electronic Identification, Authentication or Signature (that's what "eIDAS" stands for) system, but rather creates a security baseline and interoperability obligations for EU Member States in order to ensure mutual recognition of different systems across the EU. 

If people have concerns about this particular field of EU policy, I think it would indeed be great to raise them so that colleagues in Brussels (and in national capitals, too - let's not forget that the eIDAS Regulation was adopted via the "ordinary legislative procedure", which means that both the European Parliament and the Council, i.e. Member States' governments, approved it) are aware of the concerns and can clarify misunderstandings, if indeed there are any. 

You can find more information on eIDAS at https://ec.europa.eu/digital-single-market/en/trust-services-and-eid, and you contact the colleagues in the "eIDAS Task Force" at CNECT-TF-eIDAS-LT at ec.europa.eu. I seem to remember that the Head of the Task Force, Andrea Servida, did give a presentation on the topic at a RIPE meeting some time ago, but I might well be wrong. 

One word of friendly advice: although as EU officials we are obliged to respond to all queries by EU citizens within 15 working days (unless they are manifestly baseless, repetitive, etc - I once got an email asking why the European Commission was scheming with the Reptilians to bring about the fall of Western Civilization, and I honestly didn't known what to answer as I first would have needed to demonstrate I was not a Reptilian fifth column myself) it is always more efficient if similar questions / comments are grouped together in one single message. Just common sense I guess. 

I hope this helps,

Andrea

Sent from my iPad

> On May 1, 2016, at 08:39, Julius ter Pelkwijk <pelkwijk at gmail.com> wrote:
> 
> Well, I have read parts of it, but one thing that did pop out was this sentence: "[...]In particular, online platforms need to accept credentials issued or recognized by national public authorities, such as electronic ID cards, citizen cards, bank cards or mobile IDs.[..]"
> 
> I think that this creates a big security risk. In the Netherlands, this "trust" means that there will be a single point of failure: The authentication server, called "digi-d". This is a server where we have to log in every year for doing our tax report, and every year they have issues with DDoS due to people filling in their taxes. On top of that, when authenticated you have all the information on your passport + you can even use this form of authentication to legally "sign" documents. All you need to do is intercept 2 paper mails (one with username, one with password) and you can fill in all the paperwork for that person.
> 
> At my job we have an "authentication" system that the EU desires already in place. You can log in with any credential you want (they are constantly adding new ones), and based on how you log in you get a different "clearance" rating. If you log in with an eID for example, you get a higher clearance rating than logging in with google ID. Based on the website that uses this system you get a different ID number, and only the authentication system itself knows who this user is (and can send emails to that user). The websites itself don't know who logged in, they only know an ID number and what the user shared with them. That way you can use your google ID for example to make an appointment with the municipality (if you have connected your google ID to your eID) but to make changes you still need to log in using your eID (due to the clearance level not being high enough).
> 
> What I find the biggest issue with these "eID" from brussels is the fact that it is too easy to track them back to a particular user. You will always need to use the same identification method, and if someone steals your identity card + password they can basically steal your complete identity. Not only that, governments can track you down for writing down your ideas online. This has been happened before with Twitter, and I am pretty sure that advocating a Single Sign On (SSO) will make this even worse.
> 
> I feel that this is going the same way as in China, where you have a "digital identity" that everyone can use to contact you, and when that "digital identity" leads to violations, then they simply have to trace it back to its owner. I am not sure if people like to visit Facebook with their identity card. Or use Twitter with their real name. What if they decide that when you want to be on the internet, you need to log in first? What if one of those SSO systems goes down, gets hacked (think Diginotar) or even fails to protect its users? "Freedom of Speech" is something that I think should be cared for, and that also means the possibility to have something that is not a single point of failure.
> 
> I think that the EU should advocate an universal log-in system like U2F that can be used by everyone without having a single authentication system that needs to be monitored by the EU. The SSO that the EU advocates can quickly become something that directly comes out of a book from George Orwell. Without a single point of failure, or a single point of "trust", only then you can be sure that privacy is ensured. That way people can securely browse the internet without having to rely on state-issued identification tokens to browse the internet.
> 
> Julius ter Pelkwijk
> 
>> On Sun, May 1, 2016 at 6:12 AM Patrik Fältström <paf at frobbit.se> wrote:
>> Thanks Gordon,
>> 
>> What is irritating with just that snippet on top of page 12 you reference is that they say in more or less the same sentence that it is important to decide who to trust, while one should be told to trust whatever eID Brussels decides on.
>> 
>> Thats a contradiction in terms.
>> 
>> There are too many "trust" issues where Brussels think the path forward is to tell people what to trust. Incident reporting, how CERTs are managed and get their information and eID. Just to mention a few.
>> 
>> Thats not how trust is built up. And specifically not how trust is moved from trust between individuals to trust between organizations.
>> 
>>    Patrik
>> 
>> On 30 Apr 2016, at 23:00, Gordon Lennox wrote:
>> 
>> > Some people here may remember the presentation on eIDs at a previous RIPE meeting.
>> >
>> > https://labs.ripe.net/Members/chrisb/engaging-with-eu-legislative-process
>> >
>> > A draft Commission document which mentions eIDs has recently been “leaked”.
>> >
>> > http://www.politico.eu/wp-content/uploads/2016/04/Platforms-Communication.pdf
>> >
>> > See in particular the top of page 12.
>> >
>> > I understand from folk within the bubble (the Brussels/EU bubble) that this kind of thing is now seen as a way of testing the reaction of experts, of those really interested, before proceeding.
>> >
>> > So any prompt reaction, and this could be individual reactions rather than the reactions of organisations, may be useful.
>> >
>> > Indeed any reaction now may more useful than when the Commission has taken a formal position on the proposal and when the services are naturally obliged to defend it.
>> >
>> > This item from The Register - http://www.theregister.co.uk/2016/04/29/eu_login_youtube_national_id_card/ - would suggest that one person to write to is the Estonian Commissioner.
>> >
>> > Regards,
>> >
>> > Gordon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/cooperation-wg/attachments/20160501/82c6d6ab/attachment.html>