We had these electronic identity cards in Finland for quite a while, but I think they've been considered a failure:
It was initially planned as a general network authentication device for both public and private sector strong authentication needs. In 2009, however, the card was viewed by a government committee as a failure. There has been less than 300000 cards around by 2011 out of population of 5.3 million. The rationale to apply for a card has mostly been traveling abroad. Only few dozen government services have adopted it, and only one bank adopted it as login card to their netbank. All banks in Finland use a national standard called TUPAS, which uses one-time passwords. Banks also provide TUPAS authentication to other Internet-enabled businesses. Since TUPAS requires no dedicated hardware, cost of a card reader and card itself have been main causes in the failure of the eID card.
The problem is simply that smart card readers never got integrated into computers, and people didn't want to buy a USB dongle for that just to be able to authenticate with some government websites.
Instead, what happened was that the two-factor authentication system provided by banks became the dominant "secure authentication" method. By now it is supported by most sites that need such a thing, like banks, insurance companies, postal services, and several government sites.
I can for example authenticate with my bank user credentials to file my taxes (or could, when I was still living in Finland).
An additional benefit of the ID card is that you can use it for travel inside the European Economic Area. But I'll rather carry my passport with me, as that way I don't have to wonder whether the ID card is enough for my itinerary or not.
edit: ID cards are valid travel documents inside EEA (which is a larger area than Schengen)
In Belgium the electronic card took off ~10 years ago but it is seldom used outside of official state matters (on the top of my head: when you move in/out, when you get married, etc. Basically used for anything that the state has to formally identify you). Administration are well-equipped with readers and you can file your taxes with it if you have a reader (everyone that I know and own a reader bought one for that sole purpose).
We have two-auth for banking as well.
edit: oh and some public transport use it to fill in addresses field faster when creating bus or train card.
Basically it's a glorified unique address memento.
It's not considered a failure though.
edit2: Most importantly: id cards are mandatory in Belgium and most entities have switched to electronic card.
I think I've seen the same in police stations in Finland... some kiosk PCs with a card reader and access to the various forms you might want to file there. Can be used to skip the line when applying for a driver's license, gun permit, or something like that.
IMO, the couple of times you might do that in a decade are not quite worth buying and carrying the electronic ID.
> IMO, the couple of times you might do that in a decade are not quite worth buying and carrying the electronic ID.
I think this hilights the main issue with Finlands ID card experiment. Many places accept drivers license (which many people have) as a sort of semi-official ID. So most people had no need to get another card for ID, especially when it costs money and expired relatively quickly.
The picture on the site is Estonian ID card. Being an Estonian I'm pretty sure that unlike our neighbours Finns our card is actually used a lot. The main driver is the ability to do your stuff from home, without going to some office during business hours. Given the size of Finland I'd expect it to be very useful in northern parts of the country.
Being able to interact with the government via web was indeed the main reason why electronic IDs were initially created. But because they require additional hardware we've ended up using OTP auth provided by banks (TUPAS) instead.
Can you explain this bit? My bank here in the UK has an OTP mechanism for internet access, but it uses a small key generator card provided to each customer, controlled by a PIN on each use.
As I understand it, TUPAS is more of a protocol for providing authentication. Every authentication provider is allowed to implement the authentication at their end however they please. I think some have keyfobs, but afaik majority rely on printed list of OTP codes[1]. If you are familiar how 3-D Secure (eg Verified by Visa, MC SecureCode) works, the process is somewhat similar. So there is no "TUPAS card".
In Finland universities also have the need for federated authentication, as students can take courses in different schools. Instead of TUPAS they standardized on Shibboleth and SAML.
"A proposition for a standard digital signature in every EU citizen's identity card.
....
No extra cards - it will just replace your existing ID card when it expires"
Well unlike most of the continent, Britain and Ireland have no mandatory I.D. card (thankfully) so this doesn't cover the whole EU...
I allways wondered about the aversion to id-cards. Doubly when I heard the story about catch-22 style schenigans I heard you need to go through in GB, if you want to open a bank account, and rent a flat at the same time (or so I heard, that most of the time bank accepts as proof of identity utility bills from place where you live, and landlord accepts similarily a proof of existence of a bank account) ... in czech republic I just show them my id card, and everyybody is hapy. I could even pay a little bit extra to have digital signature embedded, which would allow me to fill my taxes via web ...
A lot of things end up being tied to your ID number, and it becomes very difficult to limit the collaboration of companies to create a dataset about you, never mind making it easier for the Government to track people en masse.
Lack of ID card doesn't stop UK to share all your data with private companies, like in case of care.data and now also HMRC data. I never felt as tracked as in UK, where all companies know where I live and lived for last several yers.
On the other hand in Poland we do have mandatory ID card, and companies still don't have that much access to your data.
I'll have to break it to you then: it's exceedingly easy to get the same use of data without an ID. The lack of national ID does not protect your privacy.
The feeling of protection hinges on how easy it is. A bit over ten years ago I was working in database "cleaning": merging databases from different organizations[1] into one coherent dataset. The data volumes were large, but other than that it is a simple task with low error rates and one which absolutely does not need global unique IDs.
This was ten years ago. The task only got easier since then.
On the flip side, the lack of national ID has inconveniences. How do you authenticate yourself when selling your house?
[1] Ethical work. These were needed either after mergers or because of the MS Access syndrome, where every department designed their own customer database.
Definitely the same in the UK. It's likely the death of Blair/Brown's <s>citizen tracking</s>ID card scheme killed the idea for other countries considering one.
Case in point: HMRC (UK Taxman) is about to sell 'anonymized' taxpayer data. With enough 'anonymized' data-dumps and CPU power, at some point, it will become trivial to correlate an ID Card ID with datapoints.
In countries where you have ID card, you just show it to confirm your identity and you're done.
In UK you need to bring your bank statement and utility bills, with your address. Combined with your date of birth, it makes it much easier to match with companies database.
Same issue as with SSN in the USA. Lots of things requesting it what should not ever have access to it, opening people up to everything from privacy intrusion to identity fraud.
I wear a tinfoil hat because governments have a history of abusing their powers. Although we live in steady and somewhat well-governed democracies, there's no guarantee that this will always be the case.
U'll join in with the chorus and point out that this point of view is an outdated relic of the national identity card debates of the 80s and 90s. Back then it was possible to imagine a world where we weren't tracked permanently. With the advent of ubiquitous mobile phones, the Web (with cookies!), public transport electronic passes, license plate readers for cars, face recognition linked with CCTV networks, that era has gone. In my opinion, if we can't have privacy, then we should at least get some of the potential benefits that are possible when privacy is removed, and national ID cards give you just that.
Finland doesn't have a mandatory ID card either, but you've been able to get an electronic ID like the one described for quite a while if you want one.
It has tax records, which have a link to my NHS records. My tax number isn't used for anything aside from taxes, though, and only organisations which have to report tax-related information about me to the Government have it.
Since I don't really understand the local sentiment of the Irish and the British, I gotta ask, do the people think it's a good think that there isn't a central Primary Key to link all of their records together?
In my country, a lot of places use the National ID card (NIC) as a means of security. For example at a lot of office buildings or at "extra-secure" neighbourhoods (especially where military personnel live), they ask you to leave your NIC (or a copy of it) at the gate. So in case of an incident, they would have a record of who checked in and stuff.
Another security use case is in Banks. Since handwritten signatures are weak security, they usually ask you to attach a copy of your NIC when cashing/depositing cheques so they can trace the guy later in case of unlawful activity.
Yes yes, all above measures have loopholes but it's still security. I m just saying that ID cards aren't all bad. they have their uses.
So each govt body seems to have it's own persona of you. While I understand that this in some way supports privacy against the govt, but it just makes me wonder how they handle certain issues. off the top of my head:
Aren't your passport or driving license connected to your other persona's?
If someone gets arrested, wouldn't that be tied to some existing Primary Key? How else would you know past criminal records of a person?
Do all the bodies simply work on "Foreign Keys" since there is no central Primary Key? And if all records have each other's foreign keys, doesn't that defeat the purpose?
It sort of defeats the purpose, but because these are across organisational boundaries, it makes it rather more difficult for anyone to actually do anything with those links, and more expensive. A national ID system leads to a national database where much of this data would be much more accessible to the entire Government.
oooooh boy. Might want to do some research before your holiday to Belfast (or Derry).
Edit -
I realize that came off snarky - it was meant lightheartedly. In all seriousness, though -
Republic of Ireland - a soverign nation of 26 counties. Split from the UK nearly a century ago. There's some interesting (but very painful) history behind that.
Northern Ireland - 6 counties at the northeast of the island
Ireland - a geographical entity (the island itself)
Ireland (or Eire) - the official name of the Republic
Great Britain - the island with England, Scotland, and Wales. Often used to refer to the UK (but this isn't completely accurate, if we're being pedantic it's a geographical, not political, term, and there's still Northern Ireland).
United Kingdom - England, Scotland (for now), Wales, and Northern Ireland
It would make sense for me to make an error in there, but I think I've got that right. Hope it's helpful!
What a joke. So you have no DL, no passport, you don't have any bank accounts or credit cards, no internet account or phone account, no national health insurance account, and no address?
Thats great! Since you're not required to have an ID card then you can't be identified and your privacy is secure.
Also you're homeless, probably destitute and unable to live or participate in society.
In the UK, one does not need government approval or permission to live in a house, so it's quite possible not to be homeless and also not to have government ID. Crazy times.
You miss my point entirely. If you have an address you have a unique identifier which is shared widely, usually publicly. You therefore you can be easily identified.
And do I need to present that address to interact with society? If a policeman stops me in the streets, can he demand to see my address for no reason at all? Is it now, or will it one day be illegal for me not to carry that address around with me?
The problem isn't that it's possible to identify people. This is something that can be done, for example, by looking at someone. The problem is in the relationship between the state and the citizen.
Portugal already has these. Our ID card is a smartcard, and contains a personal X.509 certificate, issued by a national certificate authority (and a bunch more stuff, like my address or photo). You can use a card reader and standard software to sign legally valid documents. You can login into government websites with it.
I'd wager about 80% of ID cards already use the new model.
Unfortunately, there are too few countries. Portugal, Spain, Estonia, Finland, Belgium, India and a few more. Everyone solves the problem in their own way, sometimes incompatible with the others, and not taking into account all privacy concerns. Hence my suggestion for a standard, interoperable solution
The description of this card's features are a little too basic to my taste. Based on the "anonymous credentials" they mention it seems to imply that they're using attribute-based cryptography* to preserve privacy, which would be awesome. Can anybody shed some extra light on this?
* = See https://www.irmacard.org/. It allows your card to reliably answer questions like "Am I allowed to enter this country?" and "Am I old enough to buy liquor?" without you having to communicate all your personal data (like full name, exact age, exact country of origin) to the party who needs to check it. In fact, that party would not even be able to gain more information. It just communicates parts of your identity on a need-to-know basis.
Probably, but I'd be pretty easy to convince a court you did not actually transferrer your life time savings to Belarus because it is known that handwritten signatures are weak.
But courts have idiotic trust in technology. They accept the output of anti privacy program as a proof.
Its the first step to the EU mandatory-sex-offender-registry-for-everyone that most continental Europeans call the "resident register" or "population register". For all you uninformed, that's where you must register with the police whenever you stay someplace. (Which is why I'm so derisive.) And they are starting to use national ID cards for this purpose now.
So in that respect this makes perfect sense. An electronic EU ID makes (for example) mandatory registration with the police so much easier.
Some EU countries don't have an ID card, e.g. the UK.
Edit: Just saw it's some eurocrat's proposal, thankfully not an actual new imposed law. Not that it really matters once the referendum comes up as the UK will likely be out of the EU after that.
What is the problem with the idea of an ID card? There are situations where you need to prove your identity, and a government-supplied card can be useful in those cases.
The alternative is using a driver's license or a passport, both of which are also cards (or booklets), and government-supplied.
It is not like you'd be forced to get one, or carry it around. Finland has had ID cards as long as I can remember, and I never had to get one.
I had my passport stolen once, and identifying myself to the government to be able to get a new one was a bit of a pain in the ass, since I didn't have any other valid national ID (driver's license isn't considered one). The alternative way of authenticating involved maybe fifteen minutes of questions like What was your street address in 1987?
"What is the problem with the idea of an ID card?"
In my view, the problem is that it increases the government's power over citizens. Much government is useful and good, but it's an ineluctable law that powers are abused. ID cards extend the territory on which the abuse of power can play out.
In this case the power is "we can prove that you're a citizen of country X". Unless ID cards come coupled with mandatory carrying of them, I don't see an issue here. As long as countries provide services (like, say healthcare), there are valid reasons for needing to prove your nationality every now and then.
Driving license isn't a valid ID at least in most European countries. And residential address would probably need some proof, like those stupid utility bill scans some services require you to send.
Passport obviously works, but doesn't fit in your wallet. But that is the ID I use when I need one.
The problem is that governments are never competent when it comes to IT, so any database linked to it will be insecure and expensive; then there come the privacy implications - having a required identification means it can be used to track people more easily, especially if they then tie services into using it. Depending on the year and the stupidity of the government in question, it may even use RFID to allow individual movement patterns to be tracked.
It was initially planned as a general network authentication device for both public and private sector strong authentication needs. In 2009, however, the card was viewed by a government committee as a failure. There has been less than 300000 cards around by 2011 out of population of 5.3 million. The rationale to apply for a card has mostly been traveling abroad. Only few dozen government services have adopted it, and only one bank adopted it as login card to their netbank. All banks in Finland use a national standard called TUPAS, which uses one-time passwords. Banks also provide TUPAS authentication to other Internet-enabled businesses. Since TUPAS requires no dedicated hardware, cost of a card reader and card itself have been main causes in the failure of the eID card.
http://en.wikipedia.org/wiki/Finnish_identity_card
The problem is simply that smart card readers never got integrated into computers, and people didn't want to buy a USB dongle for that just to be able to authenticate with some government websites.
Instead, what happened was that the two-factor authentication system provided by banks became the dominant "secure authentication" method. By now it is supported by most sites that need such a thing, like banks, insurance companies, postal services, and several government sites.
I can for example authenticate with my bank user credentials to file my taxes (or could, when I was still living in Finland).
An additional benefit of the ID card is that you can use it for travel inside the European Economic Area. But I'll rather carry my passport with me, as that way I don't have to wonder whether the ID card is enough for my itinerary or not.
edit: ID cards are valid travel documents inside EEA (which is a larger area than Schengen)