Working towards a free and open e-identification solution in Sweden
First, what do we mean by “free” and “open” here?
“Free” here means free as in freedom, people should be free to use the e-identification system using any kind of computer and operating system they want, including people who choose to use only free/libre open-source software (FLOSS). People should not be forced to install unknown and unverifiable software on their computer/smartphone in order to use the e-identification system.
“Open” means that the system should be based on open standards and protocols.
Our starting point is that e-identification is something very useful and it is used more and more, not least when people communicate with authorities. It is therefore important to have an e-identification system that respects digital freedoms and digital rights.
One important principle regarding digital freedoms and digital rights is that each person should be free to make their own individual decisions about what software to install on their computer/smartphone. The government/state/authorities should not decide which operating system you use on your computer, that should be up to you.
The problem that this project focuses on is that in Sweden today, we have a situation where a person who needs to use e-identification is forced to use operating systems owned and controlled by Microsoft, Apple, or Google. If someone insists on using a coiputer running only free/libre software (such as GNU/Linux), that person can in practice not use e-identification. We are forced to choose between either liviing completely without e-identification (something that is becoming increasingly difficult), or surrendering our freedom and installing software that gives Microsoft/Apple/Google power over us.
The goal of this project is that there should be a free and open e-identification solution in Sweden, that can be used by everyone, a solution that respects our digital freedoms and digital rights.
Instead of demanding installation of things that a person cannot verify on the person’s own computer/smartphone, the e-identification system should openly present a protocol specifying how we can communicate with the system. This makes it possible for everyone to use the e-identification system, regardless of which kind of computer/smartphone that person chooses to use.
Paths to reach the goal
The following are a few different possible ways in which the project goal could be reached:
- Convince one of the existing commercial actors, such as the creators of BankID or Freja eID Plus, to make their e-identification solution available also for people who want to use only free/libre software on their computer.
- Convince the government via relevant authorities such as the Swedish Tax Agency that issues the “AB Svenska Pass” e-identification, to make that solution available also for people who want to use only free/libre software on their computer.
- Convince politicians so that authorities are forced to solve the problem via changes in the laws or regulations.
- Support development of alternative solutions that respect digital freedoms and digital rights, if such solutions already exist.
- Develop our own solution as a “proof of concept” to demonstrate how a free and open solution could work.
Current e-identification alternatives and the problems with them
See https://www.elegitimation.se/skaffa-e-legitimation where the corrent types of e-identification in Sweden are listed.
- BankID (issued by the banks): only wirks for people who use closed operating systems from Microsoft/Apple/Google. Furthermore, closed source code of the client software for e-identification that is installed on the user’s computer/smartphone. The user cannot control or verify what happens on their own computer/smartphone.
- Freja eID Plus (issued by Freja eID Group AB): demands operating system from Apple/Google, same drawbacks as BankID.
- AB Svenska Pass (issued by the Swedish Tax Agency): Compared to the other two options this one has the advantage that it is possible to use in a GNU/Linux system, but the client software for e-identification is closed and the user must accept a “End-User License Agreement” saying that reverse-engineering is prohibited and so on. Here, again, the user cannot control or verify what happens on their own computer/smartphone.
Things we can do in the project
We can do many different things within the project, for example:
- Collect information about how e-identification systems can work, and which the challenges are, to better understand the problem.
- Communicate with existing issuers of e-identification systems to try and convince them to develop a free and open solution, but also to gain more understanding and knowledge about why they act the way they do in the current situation.
- Communicate with authorities to find out their view of the problem.
- Carry out an information campaign directed at the public to make more people understand the problem and demand change.
- Find out if there are politicians who understand the issue and are interested in working on it politically.
- Find out if there are journalists who are interested in writing about the issue.
- Investigate what kinds of e-identification systems are used in other countries to see if any of them respect digital freedoms and digital rights better than the systems available in Sweden today.
- Investigate the situation from a legal standpoint, for example find out if it is illegal for the government to offer services exclusively to citizens who are customers of certain large companies.
- Investigate if existing open standards for encryption, digital signatures and so on can be used as a basis for e-identification systems. There are well known and well tested open standards for e.g. public key cryptography, Diffie-Hellman key agreement, certificatesm etc., with existing free/libre open-source software to handle such things, for example software used for ssh and https.
- Sketch some suggestions for how a future free and open e-identification system could be built. (Simplified example: an authority responsible for e-identification could keep a register of the public keys of individuals and each individual would have their own private key and could use that to prove their identity.)
- Develop our own solution as a “proof of concept”.
Arguments to explain why the project is needed
Here are some other arguments to explain why this is an important issue:
- Unfair advantage of tech giants compared to possible competitors: today’s situation gives the tech giants Google/Apple/Microsoft a big advantage through the fact that anyone who needs to use e-identification is forced to use operating systems owned and controlled by Google/Apple/Microsoft. This makes it much more difficult for alternatives to compete. Examples are smartphones like the Librem 5 and PinePhone that use GNU/Linux and thus make it possible to be free from Google/Apple/Microsoft and their constant surveillance. The current situation regarding e-identification makes it easier for the tech giants to keep their dominance, since alternatives that would allow people more freedom cannot compete regarding e-identification.
- Compared to some other issues involving digital freedoms and digital rights, the issue of e-identification is a case where the government/state has a clear role, it can be argued that the government/state has an obligation to make e-identification available to everyone in society in a fair way. Who benefits from today’s situation? The banks are happy. Google/Apple are happy, Who suffers from today’s situation? Individuals who want to control their own lives, and the government/state that fails to protect the interests of individuals and instead has become dependent on big tech companies.
- The security of the current systems can be questioned, as “security by obscurity” is not always the best approach. Recent revelations regarding NSO and Pegasus have also shown that Android and iOS are not necessarily secure platforms. Then it is unfortunate if the government/state pushes everyone to use only those platforms. People should at least have the option of keeping their own private key safe without being forced to use tech giants’ systems that cannot be verified.
- The responsibility of the government/state to protect digital security independent of big tech companies: when the Swedish state refers everyone to use systems that only work for customers of Apple/Google that gives a big advantage to Apple/Google, companies that already have a huge power over people’s lives. The Swedish state should not contribute to increase the power of Apple/Google even further. Instead, the state should bein control of its own systems amd let citizens decide for themselves if they want to be customers of Apple/Google or not. It is wrong that the state pushes people towards being customers of Apple/Google in order to use e-identification. Why should the Swedish state help Apple/Google in that way? The state should serve the interests of citizens, not the interests of big tech companies.
- Surveillance society: since the current e-identification systems demand installation of unknown, closed-source software on a person’s computer/smartphone, it can happen that the software performs surveillance of the individual, surveillance on behalf of the state and/or Apple/Google or other actors, without the user having any possibility to control or verify what the software is actually doing.
- Security policy: today’s situation, with very large dependence on Apple/Google, means that a huge company can decide to shut down the Swedish systems for e-identification. The Swedish state does not have control, but is entirely dependent on Apple/Google.
Get in touch
To participate in the discussions about this project, please join the project’s open mailing list. Join the list by sending an email to firstname.lastname@example.org after which you can post messages to the list. The list archive is at: https://lists.dfri.se/eleg-projekt/