End of September, Switzerland will vote for E-ID. A big threat for our privacy as it will be widely used for tons of new use cases.
Behind the government pitch of an “open source project, completely optional” hides big tech industry… Which will make it mandatory to access their services.
What are your thoughts on that?
#Switzerland #Privacymatters
Any privacy freak who did a review on ItsMe? I just shared minutes ago https://lemmy.ml/post/36346569/21174131 that I don’t trust them but maybe I’m just paranoid. The fact that they are regulated means little, Meta and Google also are and they legally siphon everything we let them.
We have a local privacy podcast (Dasprivé). The CISO was featured on the podcast. I can’t transcribe everything but the community consents on the fact that they run a tight ship. The use case is very local so apart from Flemish and French speaking sources I sadly can’t get further than ‘trust me bro’ at the moment.
Every authentication uses your SIM, your civil service number and your password (PIN, fingerprint, face ID). Before authenticating you’ll see all the info that’ll be shared, like your date of birth, address, phone number, …
Access is granular. If age verification is needed, the request will only state that you’re 18 or above, for example. They don’t get my date of birth. As a resident, I get a reduction at our local swimming pool. They can use my ID but the only info they see is whether I live in the city or whether I’m from outside.
Every time my data is accessed, the access is logged. The log contains information about the organisation and, if it applies, the person that made the manual lookup. The legality is checked by logging the legal ground for access.
Are they trustworthy? I don’t know. We have used our eID for online verification for over 20 years now and ItsMe has certainly made the whole process a breeze.
Maybe I misunderstand what you are covering but I don’t think so, e.g. card reader and Ente Auth do not require connectivity.
It’s used for official authentication. The certificates are handled by the federal government. That’s only possible with a call to the federal government’s servers.
Any eID or other card will have outdated data on it at some point. Like when you move or when you die.
Works for me, URL please and thanks already for the clarifications.
I can’t find the blog post that I was referring to but this might help:
From their own site: https://www.itsme-id.com/en-NL/why-itsme/security
ISO cert: https://www.itsme-id.com/en-BE/business/blog/iso27001
It’s good to point out that the system was developed by a consortium of banks to simplify identity verification and prevent fraud. Banks are held to “Know Your Customer”. KYC entails that they need to check your identity every now and then, and up until ItsMe that meant that you had to verify with your eID and a card reader. Those card readers have issues. Outdated firmware and whatnot make the process a terrible experience. I have several government websites that I use from day to day and they all need my eID for authentication.
Some figures. Nearly 1.700.000 authentications every day for 11.700.000 Belgians. 80% of the Belgians use the app.
To clarify, I know it works. I used it years ago (2022 I guess) and found it extremely convenient then. I did even help others set it up because I found it so efficient. So that or its popularity is not in question. How secure it is also isn’t what I’m questioning because honestly if my bank suggests to use it, and it’s not secure, they will have to pay in the end. No, the question is solely WHO gets WHICH data. For example, is it the bank consortium that can see my purchase? Is it “anonymized” (whatever that might mean in practice) then sold to a 3rd party?