While visiting Belgium on my recent trip, I met Joeri. At fifteen he's already a for-real identity person, thinking about identity issues and what they will mean for computing. In this picture he's wearing a “Code is Poetry” tee shirt, and I'm presenting him with some backpack gear that he won as part of an international contest.
Believe it or not, he's been working on the redesign of a website for sick children based on strong identities.
When my Belgian colleague Peter Vander Auwera first met Joery, he found himself facing questions about whether Belgian ID Cards were based on version 3 X.509 certificates, and what extensions they supported.
Joeri came to see a presentation I gave on the Laws of Identity at a very successful Belgian eID conference organized by Peter (and thought the laws were “excellent”). The conference included presentations of many actual working systems for obtaining government services based on the Belgian smart card.
It is interesting to see how different the Belgian system is from the proposed British system. First of all, in keeping with the first law, the use of government smart cards in establishing digital identity is optional and under the control of the person described. Secondly, most municipalities seem to be giving it out for free. Third, they contain only a very small number of attributes – the same ones Belgians have always had on their identity cards. Fourth, there are no biometrics. Fifth, there is no intention of restructuring all citizen data into a pan-sectoral database ripe for information leakage. So Belgian cards are not only dramatically more “moderate”, but they are incremental in the sense that they are part of an established tradition of identification. About 800,000 smart cards have been distributed to date.
Having real cards in circulation is having the effect of making people think deeply about what they want to accomplish. The people I met seem to like the idea of using the cards to obtain “two factor” authentication, but don't want all aspects of their identities (formal and informal roles, for example) mixed and conflated with their official government personal identity.
For example, does a government official sign government documents using his or her personal identity? I've always assumed so. But the government officials I met didn't like the idea one bit. They were prepared to use their eID to authenticate to a government system, but were looking for ways to do their electronic signatures using credentials that expressed their role, not their identity as an individual. The same concepts came up repeatedly as I listened to what people were hoping to achieve in other aspects of life.
There seems to be a lot of interest in how the card can be combined with web services in order to heighten privacy. Belgium is a country we should all be watching very closely to learn about identity issues.