The Belgian Identity Crucible

A picture named joeri While visiting Belgium on my recent trip, I met Joeri. At fifteen he's already a for-real identity person, thinking about identity issues and what they will mean for computing. In this picture he's wearing a “Code is Poetry” tee shirt, and I'm presenting him with some backpack gear that he won as part of an international contest.

Believe it or not, he's been working on the redesign of a website for sick children based on strong identities.

When my Belgian colleague Peter Vander Auwera first met Joery, he found himself facing questions about whether Belgian ID Cards were based on version 3 X.509 certificates, and what extensions they supported.

Joeri came to see a presentation I gave on the Laws of Identity at a very successful Belgian eID conference organized by Peter (and thought the laws were “excellent”). The conference included presentations of many actual working systems for obtaining government services based on the Belgian smart card.

It is interesting to see how different the Belgian system is from the proposed British system. First of all, in keeping with the first law, the use of government smart cards in establishing digital identity is optional and under the control of the person described. Secondly, most municipalities seem to be giving it out for free. Third, they contain only a very small number of attributes – the same ones Belgians have always had on their identity cards. Fourth, there are no biometrics. Fifth, there is no intention of restructuring all citizen data into a pan-sectoral database ripe for information leakage. So Belgian cards are not only dramatically more “moderate”, but they are incremental in the sense that they are part of an established tradition of identification. About 800,000 smart cards have been distributed to date.

Having real cards in circulation is having the effect of making people think deeply about what they want to accomplish. The people I met seem to like the idea of using the cards to obtain “two factor” authentication, but don't want all aspects of their identities (formal and informal roles, for example) mixed and conflated with their official government personal identity.

For example, does a government official sign government documents using his or her personal identity? I've always assumed so. But the government officials I met didn't like the idea one bit. They were prepared to use their eID to authenticate to a government system, but were looking for ways to do their electronic signatures using credentials that expressed their role, not their identity as an individual. The same concepts came up repeatedly as I listened to what people were hoping to achieve in other aspects of life.

There seems to be a lot of interest in how the card can be combined with web services in order to heighten privacy. Belgium is a country we should all be watching very closely to learn about identity issues.

No horns or tails (at least during daylight hours)

A friend pinged me to point out this amusing posting from the very likeable Robin Wilton on what it actually feels like as we learn to “get over” the previous fracturing around identity infrastructure…

Well, without any great fuss or fanfare, I‘ve had a couple of ‘firsts‘ in the last few days.

Last Thursday I met Kim Cameron for the first time, along with Caspar Bowden and Jerry Fishenden, and we had a very engaging chat about identity, liberty (with and without a capital L ;^), privacy and related matters. Many thanks to Jerry, Microsoft‘s UK National Technology Officer, for hosting that one.

And yesterday I had my first visit to Microsoft‘s UK campus at Thames Valley Park. In the interests of ‘breaking them in gently‘, I felt I had to wear my “Sun Java Web Services” shirt. Well, I think they are going to need to get used to seeing a Sun logo onsite a lot more than it would have been in the past! And no, the shirt did not spontaneously ignite as I walked through the badge-locked doors…

And on the ‘flammability‘ theme, I have to report that our hosts didn‘t have horns, tails or little pointy forks. In fact, we had a very positive and relaxed meeting and made huge progress. Thanks this time to Gary Kelly for hosting us and making us feel extremely welcome. I genuinely look forward to working with you and your colleagues over the coming months…

I probably should have handed this in at reception on the way out, but under the circumstances it seemed a good souvenir!