End of September, Switzerland will vote for E-ID. A big threat for our privacy as it will widely used for tons of new use cases.
Behind the government pitch of an “open source project, completely optional” hides big tech industry… Which will make it mandatory to access their services.
What are your thoughts on that ?
#Switzerland #Privacymatters
In Belgium we do have e-ID and we had it for years.
If in any of the circles there is only BigTech then indeed you are right it is a threat.
In Belgium though I can access my official document with some of these (honestly I don’t remember which, but AFAIR It’sMe is one option) but more importantly there are some options with some decoupling, e.g. SMS (arguable as one must have a phone number usually via BigTelco) but, last and not least :
which means as long as at least one of these alternative is available then IMHO we can get some of the benefits without the centralization risk.
Those aren’t eID. They are a way to authenticate using CSAM.
There are different weights tied an authentication method, card reader scores highest.
From the top of my head there’s email, sms, totp, card reader, eiDAS and itsme® (which I avoid because it’s proprietary and controlled by a 3rd party).
There’s a list of properties a service can request when accessing data via ACM/IDM, for example your ssn, name, etc.
You can read your eID with local software too, with the aptly named eid viewer. Click on the picture in the overview and drag it into a text editor to see the entire exportable xml.
If I’m not mistaken, it’s up to the the service that’s using the Belgian e-id to enable some of the options or not. For example, the website where I check my payroll only works through itsme or with a card reader — no TOTP or SMS 2FA. It’s a big issue because itsme refuses to run when you don’t pass Google’s safety net.
I’m talking about public services. For private services I have no idea what they all do and, as importantly, what they are legally bound to do. I would hope that obviously they would have to provide at least 1 solution that doesn’t rely on any third party, e.g at least provide the card reader with legal Belgian ID option (which seems to be what they offer you, so IMHO that’s good enough), but I don’t know.
ItsMe not running is pretty good in terms of privacy because their entire business model is, and correct me if I am wrong, to be an intermediary. I didn’t check what data they share but I’d be pleasantly shocked if it was none.
The card reader might seem slightly inconvenient or outdated but there is no intermediary and it is, AFAICT, secure because it’s based on well established cryptography.
PS: it’s also fun because you can play with PAM and thus, I didn’t try that, login or get
suandsudowith your ID card.It doesn’t matter whether it’s a private or public service if they both use the same auth provider (beId). I wouldn’t be surprised if the SMS/TOTP options went away completely at some point for our “security”.
A different issue is that itsme is often the only option when doing things on mobile. Sure, you can avoid it for now, but it’s getting increasingly inconvenient to do so, unfortunately. I try to express my disappointment to itsme every now and then about the fact that they require Google’s SafetyNet and that the Connective Plugin needed to activate itsme in the first place doesn’t even work on Linux, but to no avail. They sent me a detailed email about setting up a Windows VM to get it working so credit where it’s due for the effort, but the situation is still bad…