95 comments

[ 2.9 ms ] story [ 124 ms ] thread
Is this a joke?

"Checking your browser before accessing a GSC Managed Website Checking your browser before accessing "www.consilium.europa.eu". Please turn JavaScript on and reload the page."

[flagged]
Propaganda from EU haters?

Pointing out how EU is corrupted by Big Tech?

(comment deleted)
> With the approval of the European digital identity regulation, we are taking a fundamental step so that citizens can have a unique and secure European digital identity. This is a key advance for the European Union to be a global reference in the digital field, protecting our democratic rights and values.

Another shoehorned decision which almost no-one wanted and no-one consulted the public on, since if they did it would be a resounding:

No.

While I can be quite critical of the EU this actually sounds somewhat convenient, from a practical standpoint at least.

Currently in Finland I can identify online through my Finnish bank credentials, but that's of no use in Spain for example because even if they were to recognize Finnish banks as authoritative the information that is passed from there is my Finnish social security number, while in Spain I identify either by passport number or by NIE (foreign identity number).

A standardization would be convenient, that I could verify my identity online regardless of which European country I'm dealing with.

Edit: I mean from a privacy standpoint we all have social security numbers already, this (on the surface at last) just seems like a standardization of identifying online across Eueopean countries. Or am I missing something?

Edit2: But..! I would definitely vote against tying this to biometrics. But I think that ship has already sailed? Aren't everyone requiring biometrics for passports nowadays? So the only way to avoid it is to not travel.

(comment deleted)
[flagged]
What?
"I love being governed strongly. Government is like my mum or dad, and keeps me safe!" says every Scandinavian everytime. I thought you guys were vikings!
The German ID also has an online verification function already in it, but if you are a Spanish citizen for example on holiday in Germany that doesn't help you. One EU-wide system is much better than a different one for each country as it helps to give equal access to online services regardless of your country of origin.

That system is mostly just used for government websites, stuff like getting a new passport, change your registered address or view/submit your taxes. If you could do this stuff anywhere in the EU online no matter where you are from it would be way easier to move between countries and navigate different bureaucracies.

If such an ID were to be broadly established, people start to demand it being used for everything. Age verification, any form of transaction, social media will require it to filter content... We already see some of this even today, Blogger for example.

At that point anonymity on the net becomes impractical. Honestly, even with government services getting easier to access, this is mostly not worth it.

People generally don't demand anything, people in power do. Using all sorts of excuses like "your safety" or "pedophilia and terrorism".

I just don't see a way to fight it, it's inevitable. The golden age of a free internet is already over. People are mostly on huge centralized platforms.

You can fight it tooth and nail but it's a constant uphill battle where you take one step forward and two steps back.

Meanwhile there will always be places like the dark web, where you can transact in crypto, but most of the internet will be strict and regulated. I just don't see why it wouldn't, since centralized power seems to be the tool of choice for most problems. It fucking sucks but it is what it is.

I'll still keep donating to the EFF but that's just delaying the process. Sorry for the pessimist take.

The desirability of eID that just works, regardless of what EU country you are from or in, has been discussed for years in tech circles in Europe, including on this very site.
Most people who use official digital authentication appreciate the value and wish it was widely available. Such systems have not been breached or leaked information yet, despite being used daily by millions of people.
The problem I see is with having the government be the one that issues your digital id. It gives them more power to fuck with politically undesirable people. Currently I can get one of several companies to issue me with a digital certificate that I am person A, at least one of which could operate in defiance of corrupt orders.

As an example, our banks will refuse to do business with you if you use your account to trade cryptocurrency. That is, if a bank catches you transferring money for the purpose of buying or selling cryptocurrency, you get blacklisted from doing any business with them at all forever. Your accounts get closed, you get your money back and are told to fuck off and never return. But you can still do it by using some other banking service. In contrast, if my government was the only bank I could use, they could debank me entirely and totally fuck me.

Banks don't have to offer you an ID; governments do.
> In contrast, if my government was the only bank I could use, they could debank me entirely and totally fuck me.

Digital government ID doesn't make the government into a bank. It also doesn't confer any powers that they don't already exercise through your physical government ID. Most countries already require some form of government ID in order to open a bank account, presumably they already blacklist these.

They two authentication systems that I know of that allow users to freely choose between authentication suppliers are websites supporting openid and RFC 6238.

There are works being done in Sweden to create an open government identification standard where users can choose which trusted entity to use, assuming that those entities are trusted by the government website or service that require government ID. For Sweden that would likely mean a choice between banks or government issued digital id, which is a step up from current system of only having banks being the authority of online identification. An EU digital identity would be a third options.

Those are not a digital certificate. They are more similar to single-sign-on system. It is the "authenticate with facebook" but without facebook and for things like healthcare and taxes.

As a side note, the current system in Sweden is such that if you do get banned from banks in Sweden then you also loose your digital identity and will be unable to do most things in relation to government or healthcare.

Are you an EU citizen? Because anyone who is who likes to do things online would find this very convenient.

Identity is very important when dealing with things like taxes, legal cases and various other rights and responsibilities. Instead of jerry rigged systems like SSN in the US, having something secure and reliable is gold.

The only reason against I think is not wanting to give the government more control and more information about you than they already need.

And what happens if/when they get hacked?

(comment deleted)
> Another shoehorned decision which almost no-one wanted and no-one consulted the public on, since if they did it would be a resounding: > > No.

Are you sure?

I live in Europe, and I am in favor of this idea.

What's wrong with plastic national identity documents exactly, are they too heavy, too large, not enough waterproof? With the next wave of broad consent for authoritarianism like during 2020-2022, the new "features" promptly integrated into this ecosystem will be not nice at all.

> Finally, the revised law clarifies the scope of the qualified web authentication certificates (QWACs), which ensures that users can verify who is behind a website, while preserving the current well-established industry security rules and standards.

Pan-Europan edition of the German Impressum enforced by hordes of vicious bloodthirsty legal trolls and predators.

This is about proving identity online across the EU. Most plastic national IDs obviously don’t work for EU-wide online uses because not all EU identity cards have a corresponding smartcard chip, and there would not be a standardized system without an EU-level decision like the one discussed here.

When eID has been rolled out at the national level, it allows you to log into, say, your tax account or social-security account by simply logging into your bank. Your bank was already compelled to do all the work of vetting your identity, so the state trusts the bank to pass on your authentication.

> Your bank was already compelled to do all the work of vetting your identity, so the state trusts the bank to pass on your authentication.

Long time ago I thought it's an okayish idea, but to think of it... banks and governments are separate entities with not exactly overlapping interests. Lots of heavyweight lobbying happening. Many of their interests are not in favour of an individual. I don't want to connect dots for them, it's not going to work in my favour. Ideally the only data shared between banks and governments regarding a law-abiding citizen would be only an IBAN.

> Most plastic national IDs obviously don’t work for EU-wide online uses because not all EU identity cards have a corresponding smartcard chip

This is a good thing. It should be inconvenient to authenticate real identities over the internet because otherwise it will be used for tracking. Meanwhile there is no real problem with doing a one-time account creation with your bank or social security administration in person for the few things that actually need it.

> It should be inconvenient to authenticate real identities over the internet because otherwise it will be used for tracking.

Depends on how it is implemented.

It doesn't. Once you're required to give your name, there will be political pressure to create a process for associating the name with whatever you did in the event that you did something "bad" and then tracking infrastructure will be tacked on regardless of whether it was in the original system.

Meanwhile the more convenient it is, the more websites will use it, but there are people who won't risk giving their name because they're a persecuted minority. So they get excluded from spaces they can currently exist unless they put their lives at risk by hoping that the security of the system holds even though it was designed by committee and implemented by the lowest bidder. It's still tracking even if you're not supposed to store the information, when there is no way for the client to verify that.

That is a bad implementation, then. You could just as well design a system, where the only parties involved are the person and the party asking for identification. The only way to then track behavior would be to be embedded at every single business, etc.

Take the German eID system, for example. Every national ID thus person has a signed certificate on the ID chip. Let's say a porn site wants to know you are over 18. They ask you to provide this. The chip response with a signed yes. No name, no other data. The site checks if the certificate is signed correctly but doesn't know anything else about you. The government also doesn't know anything about your behavior.

> Every national ID thus person has a signed certificate on the ID chip. Let's say a porn site wants to know you are over 18. They ask you to provide this. The chip response with a signed yes. No name, no other data. The site checks if the certificate is signed correctly but doesn't know anything else about you. The government also doesn't know anything about your behavior.

If the government knows when or how often you're requesting/generating a signature, you have a timing attack that allows use of the service to be correlated with the signatures.

If anyone can generate completely anonymous signatures that no one can ever trace back to them then the system is pointless because someone will set up a service that will sign for anyone and there is no way to know who is operating it.

You can't know how old someone is without knowing who they are. Otherwise they can just use someone else's ID.

The certificates are generated once for each document. So every 10 years for a national ID.

The information is then signed using the certificate with the helpg of your local device. Since the government is the CAA, the receiver can quickly check if a valid certificate was used, thus whether the information is valid.

The certificate is saved on the chip which is embedded in the ID, preventing the user from altering the data.

> You can't know how old someone is without knowing who they are.

With this scheme you can. The system guaranteed that the ID used is either a certain age or above/under 18.

> Otherwise they can just use someone else's ID.

Just like in the real world. That is why with increasing stakes, say a bank account, additional information or tests might be needed.

> The certificates are generated once for each document. So every 10 years for a national ID.

So what stops someone from correlating your certificate with your identity and continuing to be able to do so for the next ten years?

> With this scheme you can. The system guaranteed that the ID used is either a certain age or above/under 18.

That's because the system knows who they are, which is the vulnerability.

> Just like in the real world.

In the real world your ID has your picture on it and they can compare it with your face. Also, if you're 11 years old they can tell that you're not 55 years old.

> So what stops someone from correlating your certificate with your identity and continuing to be able to do so for the next ten years?

Since it is decentralized, you would need to attack every single entity (business etc.) separately. Since the transaction is not saved, you would also need to attack during the identification process.

> That's because the system knows who they are, which is the vulnerability.

Your ID knows who you are, that is not a vulnerability, that is the point.

> your ID has your picture on it, and they can compare it with your face

Fake IDs and people looking similar are also a common thing.

Plese read the technical documentaions zeeZ posted, I think you are misunderstanding the concept: https://www.bsi.bund.de/dok/TR-03130 https://www.bsi.bund.de/dok/TR-03124

> doing a one-time account creation with your bank or social security administration in person

You think people like going to a government office and standing in a queue forever? The whole purpose of this stuff is to reduce hassles that people commonly complain about. Especially when dealing with tax and social security, it is a point in many countries’ favor for entrepreneurs that, thanks to eID through the bank, you can run your whole business without having to visit the office in person. As far as tracking concerns, those were already dealt with during the long period that this legislation was being drafted.

> You think people like going to a government office and standing in a queue forever?

You do it once in your life. Then you have a sign on to the social security website and never have to go back to the office. It's not that bad.

> As far as tracking concerns, those were already dealt with during the long period that this legislation was being drafted.

It isn't possible to deal with them except by not building the system. Its existence is the vulnerability.

> You do it once in your life.

This discussion is about the EU, a region well known for mobility. People commonly have to do this more than once, whether they are moving to another country or only registering a business there. In-person visits to offices in other EU countries can, besides the usual hassles of waiting in queues, involve annoyances of unfamiliar language or culture.

All this stuff already exists at the national level, and ordinary people have overwhelmingly found it convenient and time-saving. This legislation simply ensures that it works EU-wide so that it can solve the inconveniences that arise at that level.

So you're saying what the EU needs is not this but rather the Full Faith and Credit clause.

But that still doesn't seem like a real justification. How often do people actually move? Once every five or ten years? Even if it was every year, going to the local government office to show them your ID and set up an account once a year is hardly an ordeal, and you shouldn't even need to talk to them. Just print out a form from the website -- in your own language -- and show them your ID when you hand it to them.

> you shouldn't even need to talk to them

Bureaucracy in many countries is infamously intransigent. Even if technical processes at offices may slightly improve, the behavior of clerks does not. Some ability to interact in the local language is often demanded no matter how perfectly you think you have prepared your documents. And whether you are in your own country or abroad, it’s very common that you’ll be told you that you are missing something and have to come back on another day and stand in the queue all over again.

If you think that, instead of legislation that facilitates doing everything online, you can realistically make in-person visits pleasant across the EU, you’re dreaming. And I’ll join the other poster in questioning your firsthand familiarity with these matters. You appear to be in the USA and trying to apply your own political battle to a completely different context.

> And whether you are in your own country or abroad, it’s very common that you’ll be told you that you are missing something and have to come back on another day and stand in the queue all over again.

This is every part of government, not just their offices. You go to a government website and input information that as far as you can tell is correct. The website gives you a generic error message and tells you to call some number. Now you get to wait on hold. When someone finally answers they tell you to mail them the form instead and wait a month for them to process it, or if you want it to be two weeks instead of a month then you need to build a time machine so you can go back in time and find a fax machine. Governments suck, it has nothing to do with whether or not you're interacting with them in person.

> You appear to be in the USA and trying to apply your own political battle to a completely different context.

This is not a thing the context changes. Centralized identity systems are a security vulnerability no matter where you are.

No, I think people in many EU countries would report a very satisfying experience with online forms from their state offices. It’s only the in-person visits that suck. The nightmare you describe of having to call a number and wait on hold may be something you have experienced in America, but it doesn’t sound familiar to me at all. Again, if are in a faraway country and you don’t actually know anything about the context of the current discussion, it would be wiser to refrain from pontificating.
> Meanwhile there is no real problem with doing a one-time account creation with your bank or social security administration in person for the few things that actually need it.

How the fuck would you know? I live in a country where I don't speak the local language and on an island in the Adriatic sea. Dealing with banks and government online is a godsend. I use Google translate. I don't even have to get out of bed.

And yet you're doing it already, before the centralized identity system is active. Because you don't actually need it for that after you've created your account with whoever it is you're interacting with.
> What's wrong with plastic national identity documents exactly, are they too heavy, too large

Yes, in fact they are. I can store my credit cards on my phone, but I still have to carry around my id cards and it's annoying. I have to take my phone and I'd rather not take anything else.

Having only one thing to lose (actually two including my car key) means that I might actually be able to keep track and hold onto it. It's a real problem for the absent minded.

Inconveniencing yourself due to some vague paranoia about government is for the tin foil hat crowd. Here in the real, rational world you need to carry your driver's licence and your id card to get things done.

> credit cards on my phone

Take a physical card and a phone. Throw both on them on the ground and step on them, then let them lay there for two full days without connecting any cables to them. Then let me know which one will still work.

> Inconveniencing yourself due to some vague paranoia about government is for the tin foil hat crowd.

I'm equally irritated by an another extreme. Nowadays the bank branches are all hostesses selling credit deals. Cannot update personal details, refuse to deal with cash. On whatever non-credit request they almost snatch a mobile from my hand and force to install their bank app - "simply do it on your mobile". That's an inconvenience.

> Then let me know which one will still work.

Neither of them work, now what do you do? Within minutes I can buy a new phone or retrieve my backup phone and be up and running again. Replacing those cards would take me several weeks.

The cards are much more likely to survive such "disaster". Cash as well. They can lay without needing attention for months.
Take a physical card and a phone. Throw both on a busy street and let them stay there for a few days.

Come back and find them stolen.

Which one is easier to reacquire? You can just walk to any store, grab a phone and restore it from a cloud backup (or even a local one if you're so inclined).

To get a full-on ID is a huge hassle of reserving a time to the police station, them asking you weird tidbit questions about your life and parents to make sure you are you and then you'll get an ID in 1-3 weeks depending on how busy they are.

The type of card we're talking about here is not the American driver's license kind that every teenager seems to be able to forge according to the movies. This is a proper personal ID card with holograms and security measures.

> Which one is easier to reacquire? You can just walk to any store, grab a phone and restore it from a cloud backup (or even a local one if you're so inclined).

Losing the phone can equally lock you out of services for good. There are a lot of overzealous and badly implemented 2FA.

Yes, some shitty services don't allow 2FA transfers properly.

But most of it will work.

This doesn’t sound very GDPR compliant.
It actually is, there were long and debates and safeguards against misuse.

E.g. if you have to verify you age, the service online gets a True or a False.

There is no identifiers for transactions and so on

This doesn't actually fix it.

Suppose there is a some age-gated content you want to access. It's age-gated because it's controversial and politically sensitive. You now have to give your identity to a third party each time you access it, which they can use to correlate what you read with who you are if they collude with the service provider or either of them is compromised and the intruders record the data and either publish it or are themselves a government intelligence service that directly uses it for oppression.

It also does nothing about the concern with turnkey authoritarianism. Once the infrastructure is in place, shouldn't we have a way to unmask these people? What if they're child abusers? Or the profane religious minority? The minor advantage of building something like this is vastly outweighed by its potential for use by governments in order to do things that Must Never Happen Again.

> You now have to give your identity to a third party each time you access it

No. This is one of the safeguards. The ID just tells you if you are above the age or not. Nothing more.

Your scenario is something that is explicitly considered and guarded against.

> The ID just tells you if you are above the age or not. Nothing more.

The ID has your name attached to it. The ID provider has to know who you are in order to know your age -- or the system would be worthless because all you would need is access to one adult ID which could be shared by everyone underaged in the world.

The website queries the ID provider about the age of the person in question getting a yes or no response and no other information, and ideally the ID provider doesn't keep information on which sites were querying which people.
"Ideally" being the problem, since the client has no way of verifying this, and the ID provider could be adversarial or compromised. Which you'd have no way of knowing until it was too late, which is why it's necessary to avoid systems that require anyone to give their name just to prove their age.
Well, the client doesn't have to verify anything. They just need the yes/no response.

The ID provider is the government in this case, so hopefully there would be laws and oversight to closely regulate their behavior in this context.

I'd probably opt out though, due to a lack of trust in government competency and motivation. Australia has a similar eID thing and I've avoided it completely, and will until it's mandatory.

> why it's necessary to avoid systems that require anyone to give their name just to prove their age.

Well, in this case the name is never given to the third party site.

> Well, the client doesn't have to verify anything. They just need the yes/no response.

The client meaning the user. They have no way to verify that the server isn't associating their name with the response.

> The ID provider is the government in this case, so hopefully there would be laws and oversight to closely regulate their behavior in this context.

The government is the thing that enforces the law. It has a tendency of not enforcing the law against itself.

Criminals who compromise government servers are already breaking the law. A foreign intelligence service or drug cartel is not going to adhere to your country's laws.

> Well, in this case the name is never given to the third party site.

You have to give your name to someone in order to access the site. It doesn't matter who the someone is, that's enough to deter people who can't have their name associated with the site, because they have no way to prove that the system is trustworthy and competently secured, these kinds of things commonly aren't, and can't they take the risk. Classic chilling effects.

> They have no way to verify that the server isn't associating their name with the response.

That's where laws and overwatch come in.

> The government is the thing that enforces the law. It has a tendency of not enforcing the law against itself.

That's where separation of powers and checks and balances come in.

> Criminals who compromise government servers are already breaking the law. A foreign intelligence service or drug cartel is not going to adhere to your country's laws.

That's where taking security seriously comes in.

> You have to give your name to someone in order to access the site.

No, you don't. You click that you want to access, site redirects you to a government portal, you authenticate, government portal sends back a token and no personal information. This has been a solved problem for some time.

> That's where laws and overwatch come in.

When someone breaks the law and you get killed as a result, you don't come back to life even if the perpetrators get arrested.

> That's where separation of powers and checks and balances come in.

That has a history of not working in this context.

> That's where taking security seriously comes in.

It's not your security which is the problem, it's their security, which you have no control over.

> No, you don't. You click that you want to access, site redirects you to a government portal, you authenticate, government portal sends back a token and no personal information.

You just described "giving your name to someone in order to access the site." The someone is the government portal. In many cases the government is the entity you need to have your privacy protected against. In other cases the government is innocent but incompetent and the portal gets compromised by someone malicious. This is not a solved problem; it keeps happening.

> When someone breaks the law and you get killed as a result, you don't come back to life even if the perpetrators get arrested.

lol, well sure. By your reasoning we shouldn't have any laws against murder then.

> That has a history of not working in this context.

This is a brand new context, so not sure how you can say that. Still, got some examples?

> It's not your security which is the problem, it's their security, which you have no control over.

I never implied otherwise.

> You just described "giving your name to someone in order to access the site."

The point is you don't give the name to the party seeking to verify.

> In many cases the government is the entity you need to have your privacy protected against.

Which is where laws and overwatch come in.

> This is not a solved problem; it keeps happening.

The solved problem is being able to verify age to a non government site without revealing any personal information.

Sure, the government could screw stuff up, but then you have an incentive as a voter to prevent that from happening.

I understand being skeptical of government competency, but EU governments tend to be better than most in this regard.

Besides, far as I can see the eID is not mandatory to use, so just don't.

> By your reasoning we shouldn't have any laws against murder then.

You can have the laws, but they don't do any good unless they're enforced, which tends not to happen when the perpetrator is the government.

> This is a brand new context, so not sure how you can say that. Still, got some examples?

Snowden provided a wide variety of them.

> I never implied otherwise.

I'm pointing out the inadequate incentives. The ones who have to secure the system aren't the ones who get killed if they fail to.

> The point is you don't give the name to the party seeking to verify.

But the problem is if you have to give it to anyone.

> Which is where laws and overwatch come in.

Quis custodiet ipsos custodes has been an unsolved problem for such a long time that it's in Latin.

> Sure, the government could screw stuff up, but then you have an incentive as a voter to prevent that from happening.

The victims of this kind of thing are persecuted minorities. Minorities by definition don't have a majority of the votes, so appeal to democracy is no solution.

> I understand being skeptical of government competency, but EU governments tend to be better than most in this regard.

Systems like this tend to persist once they're established, even if the competence of the government implementing them wanes, so it's much better to avoid them being implemented to begin with than to assume that a government that hasn't screwed up today will never screw up tomorrow.

> Besides, far as I can see the eID is not mandatory to use, so just don't.

If the service allows you to proceed without using it then how could it do any good for age verification? Anyone under age would just opt not to use it.

If it doesn't, it's mandatory to the user. And once it exists, services will be put under pressure to require it.

Alllright buddy. I don't have time to argue with someone that just wants to be contrarian and argue for the sake of arguing.

Best of luck to you. Enjoy the inevitable last word you'll want to have.

I'll have the last word. AnthonyMouse is right that any centralized govt database presents an opportunity for abuse by the govt itself and theft by an external actor. Although both are ostensibly "against the law" (not counting any secret laws/rulings that clandestinely enable abuse a-la PRISM/FISA courts) illegality presents very little recourse for the victims of those acts (i.e. the common people.) Therefore the magnitude of potential harms should be weighed heavily when choosing to adopt such national databases.
EU can amend GDPR to make it compliant.
Yes, it's handy when you write the rulebook.
[flagged]
Lol!

You dont have to give up your spanish identity to be able to log into govt services in other countries.

I would take eID any day to buy internet over the asinine NIE process as a foreigner in Spain.

What are you talking about?
Usefully, one identity system is as legitimate as the next, so if anyone wanted to start one with an actual constitution, the hubris of the EU has created the opportunity.
> this is a key advance for the european union to be a global reference in the digital field, protecting our democratic rights and values.

very few things are as abused as ‘democracy.’ the mind boggles how a global identification system has anything to do with democracy. not to talk of protecting ‘democratic rights and values.’ bear in mind that at the european union level there is no democracy. at least in the form that we have come to expect it at the national level. it has become an all-recipe ingredient: drop a few pinches in there and criticism of the scheme is criticism of democracy itself.

update: more broadly, communications in general, but political communications especially, have intentionally embraced the nonsense and murky. they don’t expect it to make sense to you, but worse, they don’t expect to be grilled through their own words. see the US’s white house press briefing for example. stinkiest of word salads but hey!

> the mind boggles how a global identification system has anything to do with democracy. not to talk of protecting ‘democratic rights and values.’

But she did talk about democratic rights and values, the rest is you editorializing. As to the how: the idea is that it's more secure and more respectful of privacy than alternatives, which are virtually ubiquitous and mostly in the hand of US tech and finance companies. You don't have to agree that a) those are important values, b) having a European (not global!) SSO serves them, or c) that this implementation does, but if the whole thing is incomprehensible to you, then you're not part of the conversation.

> bear in mind that at the european union level there is no democracy. at least in the form that we have come to expect it at the national level. it has become an all-recipe ingredient: drop a few pinches in there and criticism of the scheme is criticism of democracy itself.

The parliament is directly elected, the commission is designated by the (democratically elected) governments and approved by the parliament, the European council consists of representatives of the (democratically elected) governments. It's just complicated enough that people who either don't understand it or just don't like the EU for other reasons keep repeating that it's not democratic.

> the idea is that it's more secure and more respectful of privacy than alternatives, which are virtually ubiquitous and mostly in the hand of US tech and finance companies.

i think we can’t have an argument because you’re seeing the idea rather than the implementation and all the mutations it will undergo. there’s no orwellian system in existence now, except in the hands of intelligence agencies, that set out with explicit goal to do evil. they start nobly, but with such unfettered access to personal information that only supernatural self-restraint can stay the hand of abuse. so maybe let’s talk about this system in a couple of years time.

i preambled my submission with an acknowledgment that democracy is among the most abused terms. i guess all you need is to throw a popular election somewhere in there and voila there’s your democracy, however far away it is removed from the decision making body.

"Ihre Papiere, bitte"
"Papiers électroniques s'il vous plaît"...

... Pardon my French

I can see from the ISS where this is going, given Lagarde announcement about the digital euro from the last month [1].

Digital identity wallets, open sourcing the application components only, giving the states ability to implement whatever they want, not disclosed...

At the end the CCP social credit system will be a joke compared to this.

[1] - https://twitter.com/Lagarde/status/1715019514985775178

I live in Norway, that is one of the many European countries that have a national eID system, and it's one of these things that might not make much sense if you haven't lived somewhere where its there. But if you've used to it. It's such a clear good thing, that being against it makes no sense.

I'll try to explain why it's such a positive, but it feels a bit like trying to explain why paying with cards is nice, to someone who had only used cash. So at the moment, I'm in the process of moving to a new bank, and will be moving my mortgage, getting new credit cards, and closing my old bank accounts. I'll be able to do all of that, without signing and faxing documents around, but instead doing all that signing with my eID, or BankID which the Norwegian variant is called. I can also use this id system to login to the health care system, look at my prescription, or any other government service that's on the internet. One simplified way of looking at these eID system is that they are a way prove that you are you, on the internet, that courts and the government believes in. That opens the door to services that just isn't possible without it.

This isn't surprising to hear from someone who lives in a highly developed country like Norway, where you have very high (and obviously implicit!) trust in your government. I'd still argue the details of the implementation are very important and even in places where people trust their governments things like this should be approached with caution. But I'm not surprised.

The same attitude doesn't make much sense if your government is a bunch of untrustworthy criminals with unchecked (or unevenly-checked power). Imagine being from Nigeria or China and wanting those governments to have more power and visibility! Nah.

I agree that the legislation need to be done properly, and be of high enough quality. But there is a lot of EU states, that have had these kind of systems for a long time, and would have experience with the pitfalls of this. If the EU manages to ruin eID in memberstates, with this legislation, that will probably enrage every citizens in countries that have them, let's hope the bureaucrats aren't that dumb.

Since the article was in the context of EU, I was commenting in the context of countries in it, or comparable to it. I'm sure you are right. A bad government will be able to turn anything, including something like this, into a bad thing.

As far as I understand it, the main problem / risk is not that it's an eID system (which many EU countries already have), but that government CAs are being introduced into browsers and devices without the possibility of removing them - even if those CAs don't conform to current CA standards like certificate transparency.

We already have CAs from e.g. the German Bundesdruckerei in trust stores, that's not new, but those can be distrusted, if one wants to. The law may disallow this, and those CAs can be used to e.g. MitM TLS connections.

See: https://blog.mozilla.org/netpolicy/files/2023/11/eIDAS-Indus... and https://nce.mpi-sp.org/index.php/s/cG88cptFdaDNyRr

I was not aware of this part. Not being able to disable CA seems like a weird thing to add. In practice how much difference will this make, the list of trusted CA in browser seems to already be a bit of a problem?

In any case what I want out of this legislation is that you can use an eID from country a in country b. That, that isn't possible is the main downside of the current setup.

Major browsers today only accept CAs that use certificate transparency. This law will force them to accept CAs that don't use certificate transparency.

If a CA misbehaves, browsers will distrust it. That happened to Symantec, which was the largest CA. This law will prevent browsers from distrusting CAs that misbehave.

https://news.ycombinator.com/item?id=38112520

Technically, I can't imagine how this could be implemented. In the worst case, it would mean that everybody caring for privacy would use alternative builds. But realistically, a week after publishing the first browser with this kind of hostile certificate, we would have several hacks on how to disable it. It simply makes no sense at all.
I live in the UK. We don't have any form of national ID, let alone an online eID. Yet I can open a bank account entirely online without needing to sign or fax documents and I can also access my health records, file taxes, tax vehicles, apply for a new passport, etc online.
For the health/tax aspects, do you use a login with username and password, is it an smartphone app attached to your phone number, or something else?
So how do your prove that you are you, and how robust is that against fraud?

I was under the impression that the UK had a really old fashioned and clunky consumer bank sector. But that is just hearsay, so I might be wrong.

The closest I've every been to a British bank, was getting a Curve credit card, where they wanted a picture of me and my passport. Which imo. Was hilarious and must be way to easy to forge.

> The closest I've every been to a British bank, was getting a Curve credit card, where they wanted a picture of me and my passport. Which imo. Was hilarious and must be way to easy to forge.

Yep, and this is standard operating procedure at pretty much every bank in the UK, and they wonder why they have to spend so much money on mitigating financial crime (not to mention employing people to review pictures of customers full time)...

I've had friends be deadlocked getting an apartment in UK/Ireland

1. To get an apartment you need a bank account 2. To have a bank account you need to identify yourself 3. How do you do that? Provide them with a GAS BILL for your apartment - which you don't have.

IIRC the deadlock in this case was solved by another friend loaning their bank account to bootstrap the system.

They do also check a few other things - eg that you are registered to vote at the address you give, and they also use credit reference agencies to check you "exist" with the same name and address.

The face and passport thing is new and I'm not sure the traditional banks use it. There are some systems which ask for a video of you plus a photo of your passport (I think I used this for opening an account with Chase recently).

But there is a bit of a problem "bootstrapping" this, especially for recent immigrants who aren't registered to vote and don't have any credit records yet.

I got interested in how it works in the UK, and I went looking for how one could log into government services. First I found the discountinued verified id system, and then the new gov.uk one login system. Which based on my understanding of them, both are eID systems. Limited in scope compared to systems that integrate with non governmental systems, but still eID systems.
Well it depends on what you mean by eID. Many government systems of course have ways to log in. But I would dispute that these are really ID systems.

For example, to pay road tax for my car, the government send me a reminder letter in the post every year which has an 11 digit number on it. I can then log in to the DVLA website using this number and the car registration plate number (or alternatively I can do it using the serial number on the vehicle's "log book" and the registration number).

When I renewed my son's passport, the log in used (I think) the old passport number and his date of birth and name.

And so on. Each bit of government is only supposed to ask for what they need and no more.

Problem begins when every commercial site needs to have your eID. Banks are already forced to "know their customer". It could be a step to deanonymize the net broadly. Or restrict access where you haven't proven your age. We already see some of that today.

I personally would always restrict usage to government services, but I doubt people will care about their privacy.