More details on Belgian eID Cards

Several readers have sent more information and details on the Belgian Identity Card program.

In a previous posting I said, “the use of government smart cards in establishing digital identity is optional and under the control of the person described.” Apparently my distinction between use of the card for digital identity and bricks and mortar identity wasn't at all obvious, so let me try again.

Belgians who have reached the age of 12 are obliged to carry an ID card. In the past this has been a paper ID card. It is now being replaced by a smart card. It will remain mandatory that citizens carry this identification card.

Twelve-year-olds get a new (smart) card right away. Others in the population already have cards that are valid for ten years. What happens when they expire?

  • You get an invitation letter from your municipality.
  • You go to the municipality with your old card and the letter.
  • You fill in a form, and sign it manually to assert that the data on the form is accurate. You add a picture, and pay between zero and fifteen euros, depending on the municipality.
  • A few weeks later you get a letter with a “PUK” and a “PIN Code”, and the request to pick up your new card.
  • When you pick up your card, you are asked whether you wish to “activate” it (there is basically an opt-out procedure).
  • You use your PUK to activate it.
  • You may change your PIN.
  • You are done.

Thus, citizens can opt out of using their cards for digital identity purposes. They can opt out in the sense of not activating their card. And if they do activate their card, they can still, if they feel so inclined, opt to use some other authentication mechanism when accessing eGovernment.

Citizens, government departments and businesses will have to be convinced to buy card readers before the eID cards can be used in a widespread way for digital purposes in consumer scenarios. And sites will have to provide users with alternatives besides smart cards – at least during the time period when large portions of the population are not equipped with both the activated smart cards and readers.

So while it may be mandatory to carry the card for brick and mortar (physical) identification, we should be careful before making the assumption that the same level of coercion is easy to apply in the digital realm. To me this is a bit of an aha.

The law of user control and consent will continue to make the success of the system contingent on user acceptance – unless a number of draconian changes are made to current legislation.

This emphasizes again the need to see this kind of system as part of a continuum of potential underlying identity options, and indeed, part of an identity metasystem. If we could get the metasystem “out there”, relying parties could accept self-asserted identity starting on day one (certainly a lot better than passwords) and users could upgrade the strength of their authentication just by plugging in an identity provider which recognizes strong tokens like the eID card. We would see the emergence of identity providers that could do claims transformation to suppress the universal identifiers and constant public keys associated with today's eID cards and issue tokens containing minimal necessary information in accordance with laws two and four.
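A sketch of the claims transformation described above, added here as an illustration and not taken from the eID program or any identity product. It assumes an identity provider that derives a per-relying-party subject with an HMAC over the card's identifier and releases only derived, requested claims; every name, key and card value in it is hypothetical or constructed.

```python
import hashlib
import hmac
from datetime import date

# Assumption: a secret held only by the identity provider (constructed value).
IDP_SECRET = b"constructed-demo-key-held-only-by-the-identity-provider"

def pairwise_id(national_id: str, relying_party: str) -> str:
    """Stable for one (citizen, relying party) pair, unlinkable across parties."""
    msg = relying_party.encode() + b"\x00" + national_id.encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:32]

def age_on(birth: date, today: date) -> int:
    """Whole years between birth and today."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))

def transform_claims(card: dict, relying_party: str, requested: set, today: date) -> dict:
    """Turn full card data into the minimal token one relying party asked for."""
    # Only these derived claims can ever leave the identity provider.
    derivable = {
        "subject": lambda: pairwise_id(card["national_id"], relying_party),
        "over_18": lambda: age_on(card["birth_date"], today) >= 18,
        "municipality": lambda: card["municipality"],
    }
    unknown = requested - set(derivable)
    if unknown:
        # The universal identifier, the constant public key and the raw
        # birth date are refused rather than silently dropped.
        raise ValueError(f"claims not releasable: {sorted(unknown)}")
    token = {name: derivable[name]() for name in sorted(requested)}
    token["audience"] = relying_party
    return token

# Constructed sample card contents, not real data.
CARD = {
    "national_id": "00000000000",
    "certificate_public_key": "constructed-constant-key",
    "name": "Sample Citizen",
    "birth_date": date(1990, 6, 15),
    "municipality": "Sampleville",
}

if __name__ == "__main__":
    for rp in ("https://tax.example", "https://library.example"):
        print(transform_claims(CARD, rp, {"subject", "over_18"}, date(2024, 1, 1)))
```

Two relying parties that compare their tokens see different subjects for the same citizen, and neither receives the identifier or key that would let them correlate.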

Get the usability and privacy aspects right, and make use of the government identity one part of a wider set of identity choices, and end-users will probably come in droves. Especially if eGovernment allows citizens to save time by doing things on the computer which otherwise would require that they visit a government office.

Published by

Kim Cameron

Work on identity.