Privacy - What nobody may know about you

Master's research on DigiD

22-04-2021, 17:47 by veni, 13 replies
Hi everyone,

First, let me apologize for not writing in Dutch. I am a student in the Netherlands and I did not have time yet to learn it! But please, feel free to answer in Dutch and I'll use Google Translate.

I'm writing my anthropological thesis on the digitalization of public services in the Netherlands through the lens of DigiD. I've been reading many posts on this forum and that's why I'd like to start a conversation with you all about your perceptions/opinions of DigiD. You all seem very critical and aware and I am sure you can inspire me in this way!

The reason I chose that subject is that I was surprised by the rapidity and efficiency of the Dutch administration. The difference between France (my country of origin) and The Netherlands is this DigiD system. This digital central database! Does the efficiency of the Dutch administration rest on DigiD?

But then I've started wondering... but is efficiency at the expense of my privacy? Where is all my personal information stored? What can happen to it if it's hacked like it was a few months ago at the GGD in Amsterdam? Why are there 4 different security levels when logging in? Why doesn't the Dutch government provide us with the one and only safe way to log in?

So please feel free to answer any of these questions... But overall, I think the core question is: to what extent or in what ways is DigiD a new means of surveillance?
Replies (13)
23-04-2021, 10:49 by Anoniem
I think you have a misunderstanding of what DigiD is. It is not "a digital central database", it does not store your personal information. It only serves as an authentication mechanism. When you log on to some site that uses DigiD, you get redirected to a DigiD logon which can use whatever method to identify you, and then passes back information about your identity (your BSN) to the site where you logged on. So that site can be sure that you are who you claim to be. (Within the limitations of the chosen authentication method, which can be as simple as username/password, which does not provide much guarantee, but it can also include a second factor and more.)

If DigiD were hacked, it would be possible to access sites that use it under someone else's identity. But as long as it is not hacked, there still is no guarantee of the security of your personal information, as shown in the GGD case, because there can be other paths to the information that do not involve a DigiD login (in this case: access by employees working for GGD who needed access to information, but had "export data" functions available to them that they did not need).

I would say DigiD is only a small part of the system as a whole. You still need systems to store and manage the actual information in a secure way; DigiD is only there to authenticate the citizen when accessing their own information. It is not involved in the storage of information, the exchange of information between government departments, etc.
23-04-2021, 12:52 by Erik van Straten
By veni: Why doesn't the Dutch government provide us with the one and only safe way to log in?
Because there is no such thing (that I know of).

I suggest that you read https://www.zdnet.com/article/researchers-want-australias-digital-id-system-thrown-out-and-redesigned-from-scratch/, https://www.digitalidentity.gov.au/sites/default/files/2021-01/consultation01-vanessa-teague.pdf and view https://youtu.be/TgPdVbUbtBM for another type of "solution".

If you know of any (publicly accessible) thorough comparison of civilian identity systems from multiple countries (revealing advantages, disadvantages and risks - both security and privacy), I would appreciate it if you share such information.

By veni: But overall, I think the core question is: to what extent or in what ways is DigiD a new means of surveillance?
That is the least of my worries w.r.t. DigiD, if it is something to worry about at all.
23-04-2021, 13:16 by MathFox
By Erik van Straten:
By veni: But overall, I think the core question is: to what extent or in what ways is DigiD a new means of surveillance?
That is the least of my worries w.r.t. DigiD, if it is something to worry about at all.
Use of the BSN (Citizen number) to combine data from multiple data sources is the biggest worry for privacy. Any serious database contains errors, and the Dutch government is one of the worst in the Netherlands at getting wrong data fixed, as it is obliged to.
23-04-2021, 16:11 by Erik van Straten
By MathFox:
By Erik van Straten:
By veni: But overall, I think the core question is: to what extent or in what ways is DigiD a new means of surveillance?
That is the least of my worries w.r.t. DigiD, if it is something to worry about at all.
Use of the BSN (Citizen number) to combine data from multiple data sources is the biggest worry for privacy.
Firstly, in most cases a name plus date of birth also uniquely identifies a person - just like a BSN. The IMO biggest problem with BSNs is that some people think that they are sufficiently secret to be used as a means of authentication (like knowing someone's BSN should grant you access to their health information, which obviously is ridiculous).

Secondly, BSNs get leaked all the time, but I don't recall that Logius (the organization responsible for DigiD) was ever to blame. This does not mean that such an incident is impossible, but the chance of BSNs being leaked elsewhere seems a lot bigger to me.

By MathFox: Any serious database contains errors, and the Dutch government is one of the worst in the Netherlands at getting wrong data fixed, as it is obliged to.
Unless you think that Logius is to blame for this, how would DigiD be responsible?
27-04-2021, 10:29 by veni
By Anoniem: I think you have a misunderstanding of what DigiD is. It is not "a digital central database", it does not store your personal information. It only serves as an authentication mechanism. (...)
I would say DigiD is only a small part of the system as a whole. You still need systems to store and manage the actual information in a secure way; DigiD is only there to authenticate the citizen when accessing their own information. It is not involved in the storage of information, the exchange of information between government departments, etc.

Thanks for that clarification. I did not know that there were other systems in charge of the storing and management of this data. I thought DigiD was all of it, but thanks!

By Erik van Straten:
By veni: Why doesn't the Dutch government provide us with the one and only safe way to log in?
Because there is no such thing (that I know of).

I suggest that you read https://www.zdnet.com/article/researchers-want-australias-digital-id-system-thrown-out-and-redesigned-from-scratch/, https://www.digitalidentity.gov.au/sites/default/files/2021-01/consultation01-vanessa-teague.pdf and view https://youtu.be/TgPdVbUbtBM for another type of "solution".

If you know of any (publicly accessible) thorough comparison of civilian identity systems from multiple countries (revealing advantages, disadvantages and risks - both security and privacy), I would appreciate it if you share such information.

Thanks Erik for all this! I'm gonna look at those sources then! On my side, the anthropological literature mostly focuses on biometric technologies in countries like India or Solomon Islands. I'm not sure it's really about privacy or security but more about accessibility and how biometric technologies do not match with the everyday bodies (for example, in Solomon Islands there are a lot of fishermen so their hands get scars and then they cannot identify anymore. Or the lighting of the room disrupts the authentication system... and people in India need to prepare their hands with lots of washings before going to a place where they use biometric technologies etc.) So if you are interested I can share those articles with you! But unfortunately, it is hard to find anthropological sources about privacy and security in systems like DigiD.

By veni: But overall, I think the core question is: to what extent or in what ways is DigiD a new means of surveillance?
That is the least of my worries w.r.t. DigiD, if it is something to worry about at all.

Thanks! That's really helpful. Maybe I've looked at DigiD from the wrong angle. Rather than surveillance, I should focus more on issues of privacy and security. Because the problem seems to be that we are kind of forced, or let's say pushed, to use DigiD. So it's like we give up our data to vulnerable systems that cannot guarantee our privacy and security at 100%. Although I understand that there is no such thing as a 100% safe and secure identification system, why does it mean that we have to accept it and, even worse, not even question it...? Almost all of my interviewees never thought about their privacy when dealing with DigiD... so what can we do as citizens to ensure our privacy? What do you do? Should we just accept it and cross our fingers? Should we refuse to do everything digitally and prefer to fill out paperwork?
27-04-2021, 10:36 by veni
By Erik van Straten:

Secondly, BSNs get leaked all the time, but I don't recall that Logius (the organization responsible for DigiD) was ever to blame. This does not mean that such an incident is impossible, but the chance of BSNs being leaked elsewhere seems a lot bigger to me.

I've interviewed a representative of Logius and he told me an analogy that still bothers me... He said "DigiD is like the front door of your house. It is very secure. You have CCTV and locks, it's safe. But then, when we give DigiD to other organizations, it's like the back door of your house is opened." And he said that with such ... candor, naivety... Like nothing was wrong with that. So then I asked, but why don't you make the whole house more secure then? And he said that because technology is going so fast, they don't have the means and the money to follow it...
27-04-2021, 17:00 by Erik van Straten
By veni: Because the problem seems to be that we are kind of forced, or let's say pushed, to use DigiD. So it's like we give up our data to vulnerable systems that cannot guarantee our privacy and security at 100%.
Here's how I see it.

Back in the old days, if you wanted a long-lasting parking permit for say Amsterdam, you'd go to the city hall and identify yourself by telling your name and date of birth, and authenticate using your passport.

To do that nowadays, you'd navigate to https://www.amsterdam.nl/parkeren-verkeer/parkeervergunning/aanvragen/ and log on using DigiD. As both an absolute identification- and authentication-service provider, DigiD is comparable to showing your passport to someone who authenticates you - albeit online. A difference with your passport is that the DigiD organization can (and probably does) keep track of each website you use DigiD to log on to.

However, such tracking is, IMO most likely, only used for auditing purposes and/or to detect abuse of the system. Considering the frequency with which I use DigiD and the types of websites I use DigiD to log on to (such as de Belastingdienst), even if this information (which site did I visit when) were leaked and published online, this wouldn't worry me much. Furthermore, how organizations (such as the municipality of Amsterdam) treat your personally identifiable information is out of scope for Logius. Also, paper communication with an organization typically also results in them storing your PII, so your risks are not limited to DigiD (example: https://www.security.nl/posting/699474/Harde+schijf+met+data+30_000+mensen+gestolen+bij+gemeente+Amsterdam).

In addition, one should keep in mind why you'd want to identify and authenticate yourself, for example using DigiD. Often reliable authentication is in your own interest - primarily to prevent someone else from "proving" they are you.

An advantage of a federated identification and authentication system such as DigiD is that one centralized system takes care of this, instead of thousands of organizations. This means that I don't have to have "an account" I can log on to at each of those organizations I want to (or must) communicate with; one DigiD account suffices. Furthermore, if I had to log on directly to each individual organization, each of them would have to store my credentials - with an increased risk of them getting stolen. This also raises the question of how to authenticate yourself while creating your account, and re-authenticating after you've forgotten your password. Using multiple logon systems probably leads to a lot more "privacy" risks - not of the type "being tracked by the government", but by criminals stealing your identity.

Which brings us to a related topic: the definition of (online/digital) privacy. Here's an attempt I made last year: https://www.security.nl/posting/676448/privacy+%3D+1_%28misbruik+risico%29. In any case I suggest you clearly define "privacy" in your thesis, because readers may have quite different associations with that word.

By veni: Although I understand that there is no such thing as a 100% safe and secure identification system, why does it mean that we have to accept it and, even worse, not even question it...?
There is an alternative, and we (anyone willing to consider their own risks and those of others) should definitely question it. For example, DigiD has proven to be vulnerable to phishing attacks and to stealing letters (the paper type) with credentials out of recipients' mailboxes. It also worries me that some people are using insecure or even compromised devices to authenticate themselves with.

By veni: Almost all of my interviewees never thought about their privacy when dealing with DigiD... so what can we do as citizens to ensure our privacy?
That depends on your definition of privacy. Whether they like it or not, citizens will have to interact with governmental- and some other organizations that require absolute identification and authentication. It is in your interest that it is hard for someone else to request a grant (subsidy e.g. for solar panels) in your name and collect the money; your risk is that you will have to pay back if someone finds out that there are no solar panels on your roof.

IMO identity theft is one of the biggest privacy risks, but not everyone may agree that identity theft is a privacy risk.

By veni: What do you do? Should we just accept it and cross our fingers? Should we refuse to do everything digitally and prefer to fill out paperwork?
Filling out paperwork is not the same as authenticating yourself. Neither is adding a copy of your passport (because anyone who gets their hands on that copy can resend it and claim to be you).

By veni: I've interviewed a representative of Logius and he told me an analogy that still bothers me... He said "DigiD is like the front door of your house. It is very secure. You have CCTV and locks, it's safe. But then, when we give DigiD to other organizations, it's like the back door of your house is opened."
I don't think that they "give DigiD to other organizations". I have a name and a BSN assigned to me, but I do not "have a DigiD". I have an account on the DigiD server though. After I log on to DigiD in the Amsterdam example above, Logius tells Amsterdam's server: "the person logging in to your site is Erik van Straten, born dd-mm-yyyy in someplace with BSN nnnnn. And we're pretty sure it's him".

Although one could argue that they "give DigiD to other organizations" should be interpreted in the sense that only specific organizations are entitled to use DigiD (that is, redirect users to the DigiD server for authentication) - and only after being audited and found to have reasonable security in place (which apparently is not without exceptions, for example see https://www.security.nl/posting/689686/De+Jonge%3A+GGD+voldoet+niet+aan+beveiligingseisen+DigiD).
28-04-2021, 19:45 by Anoniem
Concerning your question about levels of authentication:

https://www.forumstandaardisatie.nl/sites/bfs/files/atoms/files/fs-guide-assurance-levels-v2-en.pdf

And it is a requirement:

https://www.enisa.europa.eu/publications/map-auth-lev/at_download/fullReport
28-04-2021, 23:34 by Anoniem
A major problem with DigiD is its reliance on Big Tech. Certain services require DigiD with two-factor authentication enabled; this can be done in different ways. The first method uses SMS for two-factor authentication, which is inherently insecure. The second method uses the DigiD app for two-factor authentication, which is reasonably secure but relies heavily on Big Tech infrastructure (Google in my case, as I use Android). First of all, the only official way to download the DigiD app is via the Google Play Store, which requires an account with Google. The second problem is the DigiD app relying on Google Play Services, a proprietary piece of software that harvests massive amounts of personal data. You can read about the data collection by Google Play Services in this paper (reading the abstract is enough):

https://www.scss.tcd.ie/Doug.Leith/pubs/contact_tracing_app_traffic.pdf

I know this paper is not about DigiD, but Google Play Services should behave in the same way with DigiD as it does with COVID-19 contact tracing apps. To answer some of your questions directly:

“is efficiency at the expense of my privacy?”

Yes, to make full use of DigiD you have to have two-factor authentication enabled. And to enable two-factor authentication, you have to choose between security and privacy.

“to what extent or in what ways is DigiD a new means of surveillance?”

DigiD itself is not a (new) means of surveillance, but the way DigiD is implemented facilitates surveillance by Big Tech companies.
29-04-2021, 10:46 by Erik van Straten
By Anoniem: The second method uses the DigiD app for two-factor authentication,
This is, IMO, a good addition to the discussion.

I wouldn't be surprised if details from passport scans - via NFC - also end up in Android's system log (as BLE data does, https://security.nl/posting/701227), with the risk that any pre-installed app has access to this data; that would be a seriously worrisome privacy leak.

What else ends up in this log?
29-04-2021, 16:10 by Anoniem
A pressing issue concerning DigiD. The question: is Google reading along?

Android system log
29-04-2021, 11:00 by Erik van Straten

https://www.security.nl/posting/701284/Android+system+log
30-04-2021, 12:17 by Anoniem
It is also a matter of how safe and secure you will find yourself in a digital society being part of a digital community.

To quite a degree it is impersonal. You often do not see or know who is there at the other side of your screen.
Now 6 feet apart from each other we all grow into little islands that drift along not interacting much but digitally.

I think it is better to break up the global village into minor communities. In the old days you would know who is who inside your very social surroundings and more or less would know what to expect. For instance the postman could ring to deliver your wages. Now he comes along with your Amazon-sent parcel from Hong Kong before a drone of sorts comes to deliver at your doorstep.

You cannot go to a big shopping mall after closing hours to get some sugar when the sugar bowl at home seems empty and you cannot borrow some from a friendly neighbour. Will the build-back-better mantra come up with answers for a better world? Will it colour your rainbow in a different way, whenever you are being turned into a cyborg of sorts in the not so far off future ahead? Cyborg-humanoids that cannot seem to think for themselves any longer?

The neighbour won't let you in, because you do not know who is who at your apartment. Social embedding largely gone, I won't open up to someone pretending to be a Social Marshall, but isn't that our future, if we still have one? I do not trust a lot of characters from my e-mails. Are they after my money or data? How to check data validity?

Sometimes I can long for the good old days. But still anxious what the future will have in store for us. We have to give it a hard long thought to come up with a better world than the one we have at hand and/or have almost left behind us now.

Just my two Eurocents,

#sockpuppet
01-05-2021, 12:14 by veni
Here I am again. Sorry for the delay, but after everything you guys wrote, I needed to process everything and do some research. I feel like I'm totally digitally illiterate on this forum!

By Anoniem: I know this paper is not about DigiD, but Google Play Services should behave in the same way with DigiD as it does with COVID-19 contact tracing apps. To answer some of your questions directly:

“is efficiency at the expense of my privacy?”

Yes, to make full use of DigiD you have to have two-factor authentication enabled. And to enable two-factor authentication, you have to choose between security and privacy.


Thank you for that paper! I did not know about data collection by Google Play Services; I suppose it works the same for the Apple Store? Because when I did some research on the Apple Store, I found out about the new Apple "privacy labels." Now you can see for each app which "data is used to track you" and "data is not linked to you", and we can also see it for the DigiD app! And you can deactivate the use of your data for statistics and stuff...

You also point out the problem of our reliance on Big Tech. That's very interesting. I cannot help but wonder... what would happen if someone happened to hack or take down DigiD..? Also, I've come across a show called "Zondag met Lubach" and an episode "Digibetocratie" in which he says that we are living in a highly digitalized society and yet, people at the top don't know anything about technology. You all sound like experts in technology but apparently, politicians don't know anything about it, which is certainly problematic when it comes to privacy/security. I'm sure they rely on experts, but it does not seem like one of their priorities.


By Anoniem: It is also a matter of how safe and secure you will find yourself in a digital society being part of a digital community.

Yes, totally! Because you guys are very digitally skilled, you develop another kind of trust. Trust seems like a big parameter in one's perception/adoption of DigiD. Up until now, everybody I have interviewed is not very concerned about privacy or security. Erik said for example that people might connect with their DigiD on compromised devices. I mean, I don't even know what "compromised" means really...

Also, I like your idea of "breaking up global villages into minor communities". But would "knowing who is inside your very social surroundings" make them more secure/safe? Like you never know that your lovely neighbour is a killer until he makes the headlines. Or, more likely, when your lovely neighbour hits his wife at night. If I knew that, I would not feel safe anymore. Which makes safety and security so relative then... And if I understand Erik's definition of privacy in another post well (https://www.security.nl/posting/676448/privacy+%3D+1_%28misbruik+risico%29): "For me, data privacy is inversely proportional to the risk that data from and/or about me, to my disadvantage or to my loved ones, will be misused. Voor mij is data-privacy omgekeerd evenredig met het risico dat er misbruik wordt gemaakt van data van en/of over mij, in mijn nadeel of van mijn naasten." again data privacy is relative to one's perception of risk. What if I don't care that people see compromising pictures of myself? If they leak and I don't feel bad about it, then it does not harm my privacy. This is why this definition seems a bit too relativist to me... Or maybe I got it wrong, Erik? I understand you would not be worried if your BSN were to be leaked, but isn't data privacy also the right to know where your data is? Something like the right to own it, trace it, and repossess it if you want to...? I'm not sure that privacy starts where it harms. I think it should already start before, and risk/harm should be the limit and the border of it.

But for sure, we do not act the same on the internet if we know it and this further shapes our definition/perception of privacy and security, I guess.

The problem, I think, is that we are given all these means to communicate digitally but the directives and "things to know" before using them are opaque. Also, I did not know that I had to choose between security and privacy when logging in. And that's quite problematic, I think. You are lucky, or maybe unlucky, to know everything you know, but most people don't know and that's not fair. I know that your knowledge and digital skills are not luck but critical questioning and years of research, but then, it turns our misuse of those technologies into a fatality. Most of my interviewees don't realize how harmful the internet and the data they generate can be for them. Or on another level, for example, I heard one story from a bewindvoerder that one of his clients, an old lady, one day gave her DigiD login credentials to her pastor because he asked her to, like "give them to me, so you don't lose them". And then the pastor applied for benefits in her name (I don't remember which ones), and then the old lady had to refund everything later when the pastor disappeared. She was scammed, too naive for sure, but because DigiD is supposed to be one hundred percent you, there is nothing she can do, legally. I know this is an extreme example, but some people just don't understand the digital world. If the pastor had asked for her bank details, she would certainly have known, but login credentials...?

Anyway, I'm super happy to have all of your perspectives on this subject. Up until now, I've only been looking at the social dimension of DigiD (for example, how it deepens the gap between vulnerable people and the rest of society, between poor/rich, educated and under- or uneducated people... how vulnerable people are even more distanced from the government, and become dependent on someone who helps them to digitally communicate with the government, etc. The pressure of being digital, etc.)

Question: do you think that logging in biometrically would be safer? And how harmful can it be if someone hacks into the system and steals "our face"? For example, sometimes I wonder when I unlock my iPhone with Touch ID... what could go wrong? Since my fingerprint or my face (with Face ID) are the most inherent qualities I have... If the Dutch government tomorrow says, let's do everything with biometric technologies, should we be worried?
This posting is locked. Replying is no longer possible.