Swedish project for FLOSS e-identification system, alternative to proprietary “Bank-ID” that dominates now

That’s not a problem of digital IDs, but of centralized IDs. Especially of centralized digital storage of ID data.

It doesn’t matter if your ID is a chip card, a piece of wet towel, or a fingerprint on a tea cup, for the purpose of revoking. What matters is whether it can quickly be compared to a centralized record. That process doesn’t even have to be visible to the owner.

The FLOSS system is the part of the process that is visible to the owner, and because of that, it’s better than any proprietary process.

So you wouldn’t mind me installing a camera in your living room?

Finland has a digital identification project as well (https://vm.fi/en/digital-identity). There’s at least a need for an alternative solution to make strong digital sing-in/signature that’s not by a company - oftentimes a bank. It is government made and more or less an extension to current national ID registry, if I’m not mistaken. Has some good ideas about privacy (like, for age limits a “minor/adult” type of verification in stead of date of birth, name or any other info). Probably not FLOSS.

There is also https://suomentunnistautumisosuuskunta.fi/in-english/ which is an ID co-op that currently only has weaker email based ID but I seem to recall they were developing a stronger method as well. I think in the news it was commented as a national alternative to global corporations for services. No word about FLOSS.

I think that “point” is bad (both pro and con arguments of it) - badly thought out and out of touch of reality. It maybe worked back in the 80’s or 90’s but needs to be buried. When everything is connected, the reason and responsibility is not just about yourself but about your family, friends, work and other people around you. Information is also not static and can be used in a variety of ways - as part of misinformation, disinformation or malinformation, or just (accidentally) in a poor manner. The value and context of information change and can be made to change. A person may endanger the lives, livelyhoods, and even safety, by revealing too much because information also often times includes data about other people (direct or otherwise). Doing identification is no different - that act may tell not just about the person identifying. One of the basic principles in information security is to limit the attack surface and limiting info is doing just that - for all of us.

I would, because I have things to hide. Which is what I said right after that. Everyone has something to hide, and indeed that can include anything you might do, since there are always people who will have a problem with it.
I admit I might be conflating “hide” and “not share” a bit much for a sane society, but when people try to build social credit systems, or targeted advertising systems built into every mainstream OS, that are meant to judge you for your every action, then more or less any amount of “not sharing” becomes “hiding”.

Fair enough, I think you meant it more literally than I read it. I come from an I supposed biased stance that I don’t want to be watched, period.

Article about this topic in Dutch:

Wow, thanks for that, this sounds really great! If the translation I got is correct, I ran it through a translation website and got the following translation to English:

State Secretary for Digitalisation Van Huffelen wants DigiD to be fully open source in the future. Something that is not yet the case. Van Huffelen made this known during a debate on the Digital Government Act. In principle, future identification and log-in tools should also be open source.

The Digital Government Act regulates that Dutch citizens and companies can log in safely and reliably to the (semi-)government. Citizens will receive electronic means of identification (eID) with a higher degree of reliability than the current DigiD. In addition, these means of login must be fundamentally open-source. Something that does not yet apply to DigiD.

“It does not work entirely with open source software. That’s because it cannot yet be used securely for all processes. But this must also apply to DigiD, of course, just as it applies to other log-in tools. We want to shape the growth path for this in the coming period”, said the State Secretary.

Van Huffelen himself herself calls it “growing towards it”, because not all log-in systems are open source at the moment. “DigiD, for example, is not yet fully open source. It is a login tool that we use and that we consider secure, but it is not fully open source. So we want to make sure that the login tools that private or public parties use and that we want to allow into our system in the future are ideally based on 100 per cent open source.”

During the debate, there was also discussion about requiring only open source login tools in the law. “If you demand in the law that it must always be, that it must be one hundred percent, and it’s not possible now, then you’re already failing to meet the requirement today. Then you would have to stop the DigiD,” Van Huffelen responded. “We are going as far as possible with the open source principle and the obligation, apart from cases where security or continuity is at stake.” The Lower House will vote on the bill and the motions submitted during the debate on 7 June.

Assuming you know Dutch, would you say the above translation is correct?
Is that “security.nl” site trustworthy?
Do you know if there is more to read about this somewhere?

Then I think the Netherlands is way ahead of Sweden regarding insight about the importance of FLOSS for security.

In Sweden, the situation is rather that the government has setup a kind of framework that allows different private entities to connect their eID solutions, which are so far all proprietary with the main one owned by the big banks, and the government has so for shown little understanding of the problem with that. There is an opening in the fact that the framework in principle allows a FLOSS system to exist, but there is no initiative from the government to create such a FLOSS system. So it seems someone else will have to do it, which is what the project I linked to is about.

If in the Netherlands you have government people saying that eID systems should be FLOSS, then that is fantastic and we need to get Swedish politicians to talk to them and learn from them right away!

The translation is quite good. Van Huffelen is a woman by the way, so it should be “herself”.

security.nl is a very trustworthy site in my opinion

The Dutch Ministry of Interior (and maybe also other ministries) is quite in favor of Free and Open Source Software. They also want to lead by example. If your are interested in Open Source in the Dutch government, you can here find more information (all in Dutch).

I think this was the case in the Netherlands as well, but there was quite some opposition against the idea that you need a commercial provider to access government services (like the tax office). But I do not exactly know all the details here. Also there is a fear that privacy is not ensured when using private solutions.

Yeah it would be great if government organisations of different nations would work together on FOSS projects - that is completely in line with the FOSS philosophy!

Thanks, I edited that now.

Yes, and also I think it will be much easier for politicians to (who are not always as brave as I would like) to dare to propose something when they can point to another country that has already done it. In this case, Swedish politicians can say that they have looked carefully at what is already done in the Netherlands, they have seen that it works well and achieves goals that Sweden also has, such as security and reliability, so now they propose something similar in Sweden. Basically, saying “this is well known and already tested” is much easier than saying “this is a new idea that we just came up with”.

That is the crux of the problem. If the digital id is tied to your IRL identity then revocation (cancellation) is a problem. Otherwise it doesn’t really matter.

For government services, and certain other services like banking, you are probably going to have to accept that the government will insist on your real identity.

So it will only be a problem if and when social media insists on your real identity. If social media does not insist on your real identity then if you say something “wrong” then your social media identity gets cancelled but that does not lead back to your real identity and you can just create a new social media identity.

I believe there are risks that, in the medium term, mainstream social media will insist on your real identity. The level of risk depends on your regulatory environment (i.e. the country you are located in).

However, no matter what social media does, government is probably going to insist on real identity, in which case it might as well be open specification, auditable, and even open source.

I believe there needs to be some nuance here in regard to the supposed positive view on open source as indicated by @janvlug .

The government digital infrastructure has been set in place by Logius which is in fact a private company. Even though Logius is complete owned by the government (allegedly), the company outsources activities to third party commercial companies like Capgemini, Visma, CGI, Atos, etc. on a daily basis. Considering that these commercial companies are not likely to opt for open source and although an underlying agreement is in place, hence a pot of data gold, I believe we should discern a political willingness (if that is actually the case and not just a way to temporaly please the general public) on the one hand, and have a critical view on how this will be received by Logius and its contractors on the other hand. It’s quite easy for politicians to state that open source is the preferred method but they have built in an escape plan (Open source…unless): if conditions are not right they opt for the alternative way to getting things done.

There’s a lot at stake when it comes down to collecting data, big tech lobbyists wanting that data and big private companies (like the Logius subconytractors) not being eager to develop for the common cause and painstakingly looking for ways on how to benefit from their initial investment and building a business model without using the sensitive personal data). We have seen in other public branches like healthcare and education governmental responsibilities have been transferred and commisioned to big tech and private cloud services.

It’s to soon to make any conclusions based on what we have seen in the last decade. Just to see the politicians move towards the idea of open source solutions is positive though.

Neither do I and I take it none of us really would, at least not the likely event that things go wrong (and it will).

"Self-sovereign identity is not a field where “move fast, break things” is acceptable. People are already talking about capturing enormously sensitive information in digital form, issuing attestations about other individuals either with or without their consent, and, in some cases, recording all of these things to immutable blockchains where they would be stored indefinitely. This terrifies me.¨
https://blog.mollywhite.net/is-acceptably-non-dystopian-self-sovereign-identity-even-possible/

Not to mention “big government” itself, which also has a keen appetite for data. Got to catch those “pedos and terrorists”.

As Edwin says, we have IRMA: https://www.sidn.nl/en/online-identity/irma

IRMA is open source and works decentralized. It lets you share only the attributes you are required to share. All attributes are validated, for example by the government and the bank. Some are validated by yourself, like your phonenumber and mailaddress.

Attributes are for example your Name, Address, City, SSN, Bank Account, Insurance number, mailadress, phone, but also the attributes +12, 16+, 18+, 21+ and 65+. The attribute “65+” says “No” in my app.

There is no debate as to whether IRMA is open source or not: https://github.com/privacybydesign

IRMA sounds awesome. I wonder, how is it possible that a free/libre/privacy freak such as myself has not heard of IRMA until now?

Is IRMA widely used in the Netherlands?

Also discussed here: USA: Government Agencies Starting to Mandate ID.ME for Identity Verification

Imagine going out of your way to buy Purism products and then supporting the concept of digital ID. Imagine buying Purism and still saying “nothing to hide, nothing to fear”.

Unfortunately not, as far as I am aware.