Friday, 27 November 2009

Security, privacy - online banking via European eID cards - ENISA paper

EU agency ENISA (the European Network and Information Security Agency) have just released a position paper on Privacy and Security Risks when Authenticating on the Internet with European eID Cards (PDF).

They analysed two very different use cases (online banking and social networking) to derive requirements for electronic ID cards which might in future serve as a universally applicable authentication token. Their main conclusions:

  • "Electronic identity cards offer secure, reliable electronic authentication to internet services, and
  • a privacy-protecting universally applicable eID card is technologically feasible."

Their eID authentication paper contains (see Chapter 5) an analysis of existing technologies based on the requirements they identified, including the existing position in EU member states in the context of their own eID card systems.

The devil is, of course, in the detail. ENISA's previous Jan 2009 paper Privacy Features of European eID Card Specifications compared the privacy features of European eID card specifications and highlighted some serious flaws, along with measures for improved security and privacy which could (and should) have been taken - but weren't, except by 1 member state.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.