Swedish project for FLOSS e-identification system, alternative to proprietary “Bank-ID” that dominates now

There is an open meeting about this soon, on June 20, 2022:

“Sweden can do better than BankID - open collaboration for free e-identification”
https://www.dfri.se/projekt/e-legitimation/meeting-invitation-sweden-can-do-better-than-bankid-open-collaboration-for-free-e-identification/

“Working towards a free and open e-identification solution in Sweden”
https://www.dfri.se/projekt/e-legitimation/project-introduction-in-english/

What do you think?

Are there countries where this is solved, so that someone using only FLOSS can use some official e-id system to for example access government services, healthcare and so on?

Great to see progress in Sweden! Please keep us posted on further developments.

The IRMA project might be of interest to you in this regard. One could debate as to whether this method is actually open source and/or still is a vendor lock-in kind of situation, still it is a much better alternative to non-free applications offered by Google and Apple.

In order to achieve fully free alternatives our community have urged the national politics to enable citizens not to be dependant on tech giants’ software and hardware. This has been worded in open letters sent to policy makers and subsequently politicians have been forced to alter the legislation accordingly to improve the current laws on (e-)identification and access to governments services.

These changes include login tools based on the principles of privacy by design by default, mandatory open source-based identification login tools (suppliers) and further assessment of the risks of data collection by commercial entities (third-party) in case such sensitive login data would be made available through that kind of databases before amending the national law.

Maybe this can be of use as well, just for reference
https://blogs.fsfe.org/nico.rikken/2022/03/16/dutch-digital-identity-system-crisis/

Many european countries are facing the same problems, maybe the Swedish branch of FSFE can provide you with information each - and all countries have been using to demand FLOSS options. Considering our common goal this should be tackled on EU level, not having citizens of each country develop their own.

Raising awareness by spreading the open letter initiative could be helpful too

I don’t like digital ID of any kind. The problem with digital ID is, it’s very easy to revoke, should you say something “wrong”. Imagine an overbearing Reddit moderator being given the right to delete your “IRL account” and revoke your access to basically everything, because you produced evidence of believing something that leads people to object to basically any of your government’s current policies.
Of course, it’s not like that can’t be done with a plastic card of any kind, but you have to convince each person that sees your plastic card that the bearer of that card should have no access; with digital ID you’ll find yourself feeding some certificates to other computers MUCH more often, and those computers take no effort to be persuaded that your certificates are invalid.
Obviously, with a free and open source solution with many providers, this becomes more difficult as in theory you could move to another identity provider…somehow. If the system allows it.
The thing is in practice I doubt it will. Identity authentication services and certificate authorities have to pay to run their servers, and that’s true even if your certificates are stored on a mostly passive device like a YubiKey, because someone has to tell the computer you’re showing the device to that the certificates on it are valid. So, you can’t pay for this service without the digital ID, and you can’t get your digital ID without this service, so the service providers, or someone who contacts the service providers on your behalf, have to be someone that makes money off you regardless, like the government or a bank, both of which have shown themselves to be far to willing to kick you out of society if you object too strongly to government policy that you believe is wrong.

These articles mention “surveillance” as a problem. The thing is, an identity provider that DOESN’T track everything you do doesn’t solve the “kicked out of society with no due process of law” problem. You break one of Reddit’s/Google’s/Microsoft’s/wheover’s rules, and if that rule happens to also violate your identity provider’s terms of service, they can contact your identity provider which will presumably be identified on the certificate that identifies you, and your identity provider can kick you out of society that way.
When people are worried about surveillance, it’s because they’re worried about something bad happening to them because of that. “nothing to hide, nothing to fear” is absolutely true; the problem is everyone has something to hide. The only difference with a FOSS solution is that it doesn’t necessarily happen automatically, someone has to ask for you to be kicked out, but these days someone will always be willing to do so.
And we’re going to be running into that more often. Recent developments in neural network applications (aka “AI”) have convinced me that people will need to prove that any given text, image, video, or audio file they create was produced by a human and they will have to prove it was not doctored in order for it to be accepted as evidence of anything happening. How do you prove to a computer that you’re a human? You have a human who is afraid of losing its job if it issues certificates to bots, issue you a certificate that says you’re human. In the name of “fighting fake news, misinformation, disinformation, and spam” there’s no more effective solution.
The problem is social engineering companies are some of the biggest purveyors of lies.
That article describes users of Google/Microsoft/Botnet services as “customers.” That’s not accurate. Users of these services are the products of these companies. A social engineering company’s customers are those who pay the company to make its products behave in a certain way. If that means lying to you, they will. If that means kicking you out of society for saying things their customers paid them to make people think are lies, they will and they will try to do so regardless of if they’re your identity provider or not.

That’s not a problem of digital IDs, but of centralized IDs. Especially of centralized digital storage of ID data.

It doesn’t matter if your ID is a chip card, a piece of wet towel, or a fingerprint on a tea cup, for the purpose of revoking. What matters is whether it can quickly be compared to a centralized record. That process doesn’t even have to be visible to the owner.

The FLOSS system is the part of the process that is visible to the owner, and because of that, it’s better than any proprietary process.

So you wouldn’t mind me installing a camera in your living room?

Finland has a digital identification project as well (https://vm.fi/en/digital-identity). There’s at least a need for an alternative solution to make strong digital sing-in/signature that’s not by a company - oftentimes a bank. It is government made and more or less an extension to current national ID registry, if I’m not mistaken. Has some good ideas about privacy (like, for age limits a “minor/adult” type of verification in stead of date of birth, name or any other info). Probably not FLOSS.

There is also https://suomentunnistautumisosuuskunta.fi/in-english/ which is an ID co-op that currently only has weaker email based ID but I seem to recall they were developing a stronger method as well. I think in the news it was commented as a national alternative to global corporations for services. No word about FLOSS.

I think that “point” is bad (both pro and con arguments of it) - badly thought out and out of touch of reality. It maybe worked back in the 80’s or 90’s but needs to be buried. When everything is connected, the reason and responsibility is not just about yourself but about your family, friends, work and other people around you. Information is also not static and can be used in a variety of ways - as part of misinformation, disinformation or malinformation, or just (accidentally) in a poor manner. The value and context of information change and can be made to change. A person may endanger the lives, livelyhoods, and even safety, by revealing too much because information also often times includes data about other people (direct or otherwise). Doing identification is no different - that act may tell not just about the person identifying. One of the basic principles in information security is to limit the attack surface and limiting info is doing just that - for all of us.

I would, because I have things to hide. Which is what I said right after that. Everyone has something to hide, and indeed that can include anything you might do, since there are always people who will have a problem with it.
I admit I might be conflating “hide” and “not share” a bit much for a sane society, but when people try to build social credit systems, or targeted advertising systems built into every mainstream OS, that are meant to judge you for your every action, then more or less any amount of “not sharing” becomes “hiding”.

Fair enough, I think you meant it more literally than I read it. I come from an I supposed biased stance that I don’t want to be watched, period.

Article about this topic in Dutch:

Wow, thanks for that, this sounds really great! If the translation I got is correct, I ran it through a translation website and got the following translation to English:

State Secretary for Digitalisation Van Huffelen wants DigiD to be fully open source in the future. Something that is not yet the case. Van Huffelen made this known during a debate on the Digital Government Act. In principle, future identification and log-in tools should also be open source.

The Digital Government Act regulates that Dutch citizens and companies can log in safely and reliably to the (semi-)government. Citizens will receive electronic means of identification (eID) with a higher degree of reliability than the current DigiD. In addition, these means of login must be fundamentally open-source. Something that does not yet apply to DigiD.

“It does not work entirely with open source software. That’s because it cannot yet be used securely for all processes. But this must also apply to DigiD, of course, just as it applies to other log-in tools. We want to shape the growth path for this in the coming period”, said the State Secretary.

Van Huffelen himself herself calls it “growing towards it”, because not all log-in systems are open source at the moment. “DigiD, for example, is not yet fully open source. It is a login tool that we use and that we consider secure, but it is not fully open source. So we want to make sure that the login tools that private or public parties use and that we want to allow into our system in the future are ideally based on 100 per cent open source.”

During the debate, there was also discussion about requiring only open source login tools in the law. “If you demand in the law that it must always be, that it must be one hundred percent, and it’s not possible now, then you’re already failing to meet the requirement today. Then you would have to stop the DigiD,” Van Huffelen responded. “We are going as far as possible with the open source principle and the obligation, apart from cases where security or continuity is at stake.” The Lower House will vote on the bill and the motions submitted during the debate on 7 June.

Assuming you know Dutch, would you say the above translation is correct?
Is that “security.nl” site trustworthy?
Do you know if there is more to read about this somewhere?

Then I think the Netherlands is way ahead of Sweden regarding insight about the importance of FLOSS for security.

In Sweden, the situation is rather that the government has setup a kind of framework that allows different private entities to connect their eID solutions, which are so far all proprietary with the main one owned by the big banks, and the government has so for shown little understanding of the problem with that. There is an opening in the fact that the framework in principle allows a FLOSS system to exist, but there is no initiative from the government to create such a FLOSS system. So it seems someone else will have to do it, which is what the project I linked to is about.

If in the Netherlands you have government people saying that eID systems should be FLOSS, then that is fantastic and we need to get Swedish politicians to talk to them and learn from them right away!

The translation is quite good. Van Huffelen is a woman by the way, so it should be “herself”.

security.nl is a very trustworthy site in my opinion

The Dutch Ministry of Interior (and maybe also other ministries) is quite in favor of Free and Open Source Software. They also want to lead by example. If your are interested in Open Source in the Dutch government, you can here find more information (all in Dutch).

I think this was the case in the Netherlands as well, but there was quite some opposition against the idea that you need a commercial provider to access government services (like the tax office). But I do not exactly know all the details here. Also there is a fear that privacy is not ensured when using private solutions.

Yeah it would be great if government organisations of different nations would work together on FOSS projects - that is completely in line with the FOSS philosophy!

Thanks, I edited that now.

Yes, and also I think it will be much easier for politicians to (who are not always as brave as I would like) to dare to propose something when they can point to another country that has already done it. In this case, Swedish politicians can say that they have looked carefully at what is already done in the Netherlands, they have seen that it works well and achieves goals that Sweden also has, such as security and reliability, so now they propose something similar in Sweden. Basically, saying “this is well known and already tested” is much easier than saying “this is a new idea that we just came up with”.

That is the crux of the problem. If the digital id is tied to your IRL identity then revocation (cancellation) is a problem. Otherwise it doesn’t really matter.

For government services, and certain other services like banking, you are probably going to have to accept that the government will insist on your real identity.

So it will only be a problem if and when social media insists on your real identity. If social media does not insist on your real identity then if you say something “wrong” then your social media identity gets cancelled but that does not lead back to your real identity and you can just create a new social media identity.

I believe there are risks that, in the medium term, mainstream social media will insist on your real identity. The level of risk depends on your regulatory environment (i.e. the country you are located in).

However, no matter what social media does, government is probably going to insist on real identity, in which case it might as well be open specification, auditable, and even open source.

I believe there needs to be some nuance here in regard to the supposed positive view on open source as indicated by @janvlug .

The government digital infrastructure has been set in place by Logius which is in fact a private company. Even though Logius is complete owned by the government (allegedly), the company outsources activities to third party commercial companies like Capgemini, Visma, CGI, Atos, etc. on a daily basis. Considering that these commercial companies are not likely to opt for open source and although an underlying agreement is in place, hence a pot of data gold, I believe we should discern a political willingness (if that is actually the case and not just a way to temporaly please the general public) on the one hand, and have a critical view on how this will be received by Logius and its contractors on the other hand. It’s quite easy for politicians to state that open source is the preferred method but they have built in an escape plan (Open source…unless): if conditions are not right they opt for the alternative way to getting things done.

There’s a lot at stake when it comes down to collecting data, big tech lobbyists wanting that data and big private companies (like the Logius subconytractors) not being eager to develop for the common cause and painstakingly looking for ways on how to benefit from their initial investment and building a business model without using the sensitive personal data). We have seen in other public branches like healthcare and education governmental responsibilities have been transferred and commisioned to big tech and private cloud services.

It’s to soon to make any conclusions based on what we have seen in the last decade. Just to see the politicians move towards the idea of open source solutions is positive though.

Neither do I and I take it none of us really would, at least not the likely event that things go wrong (and it will).

"Self-sovereign identity is not a field where “move fast, break things” is acceptable. People are already talking about capturing enormously sensitive information in digital form, issuing attestations about other individuals either with or without their consent, and, in some cases, recording all of these things to immutable blockchains where they would be stored indefinitely. This terrifies me.¨
https://blog.mollywhite.net/is-acceptably-non-dystopian-self-sovereign-identity-even-possible/

Not to mention “big government” itself, which also has a keen appetite for data. Got to catch those “pedos and terrorists”.

As Edwin says, we have IRMA: https://www.sidn.nl/en/online-identity/irma

IRMA is open source and works decentralized. It lets you share only the attributes you are required to share. All attributes are validated, for example by the government and the bank. Some are validated by yourself, like your phonenumber and mailaddress.

Attributes are for example your Name, Address, City, SSN, Bank Account, Insurance number, mailadress, phone, but also the attributes +12, 16+, 18+, 21+ and 65+. The attribute “65+” says “No” in my app.