Belgium gets smart about identity

The Belgian government hopes that, within five years, every citizen will be carrying a new electronic identity card. But will the new ‘smart' IDs prove to be the citizen's friend or Big Brother's little helper? 

Belgium plans to test run its new electronic identity cards in 11 communes starting from March. If the pilot scheme goes well, the government plans to phase in, over five years, more than 10 million new IDs across the country.

The ‘smart' IDs are being plugged as a convenient tool for citizens, which will save them time and energy by providing them with a safe and secure means to deal with the government electronically and conduct online business transactions.

“The new ID-card has been conceptualised from a citizen's point of view,” Manu Robbroeckx, spokesman for FEDICT, the federal information technology body overseeing the project, told me.

According to Robbroeckx a cardholder, using a special smart card reader and PIN code, would be able to fill in tax returns, pay social security and vote from the comfort of her armchair. Once our citizen of the future has fulfilled those tedious chores, she can kick back her heels and use the time it frees up to go online to order a pizza or a holiday in the sun.

These transactions would be safeguarded through the use of a dual authentication system in which a private key on the card, created through a complex random algorithm, is checked up against a public key on a database.

The government hopes that the new system, by filling the security holes that currently plague online authentication, will herald a new era of e-government and provide the sluggish growth in e-commerce with a helpful shot in the arm.

“The new system opens up the possibility for convenient and easy remote access to e-government (and e-business) services,” said Bart Preneel, an academic who advises the government on security issues related to electronic identification systems. “Basic PC configurations currently offer a very low security level, hence, transactions on such a PC are vulnerable… User authentication on a smart card is much more secure.”

Privacy fears

Despite the potential convenience of the new system, privacy campaigners and legal experts have voiced doubts regarding the smart IDs.

“There will be question marks regarding privacy. It's unavoidable,” said Godelieve Craenen, a professor of public law at Leuven University. “The new ID will act as an electronic bridge… This can multiply the risk of others gaining access to private information.”

One of the major concerns about the new system is the way in which it integrates data. Critics fear that the linkage of vastly varying personal data to a single authentication system could leave citizens vulnerable if the system is somehow compromised or breaks down.

“The bringing together of these separate information centres creates a major privacy vulnerability. Any multi-purpose national ID card has this effect,” Privacy International, an umbrella group campaigning on privacy-related issues, said in a recent report.

According to advocates of the new system, the smart cards in themselves are not a problem. “The protection of privacy has to be guaranteed, first and foremost, at the level of the individual databases of the government,” Preneel points out.

The government adviser goes further and argues that citizens without electronic identity cards may actually be at higher risk.

“There are always some risks to privacy in going online, but these risks can be higher without the adequate protection of a smart card,” he argues.

Ocean of information

At the core of the issue, therefore, is the migration of more and more information online in an increasingly wired world. “All the information floating around relating to a person may be risky,” Craenen cautions.

In addition to the danger posed by hackers, Craenen warns of the threat of unscrupulous individuals close to the system selling or otherwise abusing information at their disposal.

“Sufficient security measures have been set up to avoid any abuse,” insists Robbroeckx of FEDICT.

The government says it has minimised the possibility of individual abuses by using highly sophisticated encryption technology and by contracting out the various components of the system architecture to leading firms, none of whom, it says, will have access to personal data.

Telephone operator Belgacom and security firm Ubizen will provide the digital certification and smart card manufacturer Zetes will provide the physical IDs.

Nevertheless, Privacy International, which colourfully describes electronic IDs as ‘Big Brother's little helper', believes that the new system could facilitate increased government snooping.

“I do not believe that this card will reduce privacy compared to systems or countries without such a card,” counters Preneel. He says that the new technology, which he says is already very secure, will evolve to enhance the privacy of citizens.

“The next generation of such cards could be upgraded in a way that the privacy of the user would be better protected than in any other system,” he concludes.

___________

This article first appeared on Expatica on 11 December 2002