Computer!Totaal, July/August 2015: 'Identifying online with eID: never shop anonymously again?'

"If a police officer asks you to, in the Netherlands you must be able to identify yourself by showing a valid identity document. The cashier at the supermarket can also ask you for this, but only when you want to buy alcohol and there is doubt about your age. With your ID, you then show how old you are and a little later you walk out of the shop satisfied.

Online lacks such a means of identifying yourself, and businesses in particular find this difficult. Because who are they actually doing business with? In the Netherlands we do have DigiD, but that is actually only used by the government. With DigiD, you choose your own user name and password, which are linked to your citizen service number during registration: the unique number of each person in the Basic Registration of Persons (BRP). If you then log on to a government website with your DigiD, that government will know with whom it is doing business at that moment. In 2014, the 12 million DigiDs issued together logged in 158 million times.

This makes DigiD a success for the government, but all other organisations and companies are left empty-handed. Webshops want to know whether their customer is the person he claims to be, whether he is old enough, and creditworthy. According to trade association Thuiswinkel.org, the more than 45,000 Dutch webshops therefore currently have only one big question: where is eID? eID Stelsel is the name for the successor to DigiD, which the Dutch government is now developing. eID should enable all necessary ways of online identification between citizens, government and businesses.

(…)

In the eID programme (www.eid-stelsel.nl), the government is working with academics and industry on the new system, which should be ready by 2017. (...) Some pilots will start soon, with a small group of consumers logging in to government and commercial services using an identifier that complies with the new system. The advantage of this new system is that the identifier does not have to be issued by the government; companies can also issue identifiers, for example a loyalty card or an app on your smartphone. A citizen's identity is therefore online and available on demand. A name for the new system is also already there, Idensys. (...)

To gain momentum and because companies do not want to invest in yet another new identification system, it was decided to build the new system as an extension to eRecognition (www.eherkenning.nl). eHerkenning is 'the DigiD for companies', but unlike DigiD, it is not a government service but only an arrangement system. The government manages the system, mainly companies implement it.

Although websites will soon have an Idensys login just like they have a DigiD button now, it works completely differently from how DigiD and eID were once thought to work. With DigiD, the identification comes from the government, with eRecognition and soon with Idensys it will come from a broker, an intermediary. This 'identity provider' knows you and you have agreed with him how you want to identify yourself: with a smart card, your smartphone or just a username and password. If the identification is correct, the broker will obtain a pseudonym for you, which he can use to check whether you are authorised to use the service you want to log in to. He does that check in the BSN link register in which the pseudonyms are linked to the Citizen Service Numbers. So the broker is all about security and the BSN link register when it comes to privacy.

To base Idensys on eRecognition is not uncontroversial. A 'network-based identity model' like Idensys is characterised by many links, all of which must be trusted. The most suspect link is the broker, a market participant and the only one who sees all transactions. True, he does not see what happens in the transaction, but he knows which services each 'pseudonym' does business with. (...) Also missing [for the time being] is the option to use services anonymously, something that is certainly desirable in online medical services, for example. (...)

Where is the debate?

Because of the choices made with Idensys, you would expect a public debate, but this is completely absent. The Dutch Data Protection Authority is missing from the eID working groups and could not tell us it is involved in eID. "Privacy First is not involved either and has never been asked," says Privacy First's Vincent Böhre. "Apparently they want to finish a whole project first. Whereas by allowing a privacy-critical club to participate now, one avoids mistakes and ultimately creates public support." Privacy First favours an opt-in where people keep the choice to use the eID system or not. "The government should not require citizens to handle their affairs digitally and do so through an eID, the General Administrative Law Act prohibits that. Many people in the Netherlands do not have a computer or the internet, the way without an eID should therefore remain," Böhre said. (...)"

Source: Computer!Totaal, July/August 2015, pp. 54-58 (public preview).