Privacy

46030 readers

976 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago

MODERATORS

280

Discord will require a face scan or ID for full access next month (www.theverge.com)

submitted 4 days ago by mr_MADAFAKA@lemmy.ml to c/privacy@lemmy.ml

109 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] mcv@lemmy.zip 1 points 10 hours ago (1 children)

I'm still talking about the same thing, but I understand the nature of our misunderstanding now. You see eID as something you download and can share (but what kind of security would that provide?). I mean an online ID service, similar to the Dutch DigiD. I assume the EU eID is also something similar, although I have no personal experience with that.

The first paragraph on Wikipedia contains a good description of what I'm talking about: https://en.wikipedia.org/wiki/Electronic_identification

An electronic identification ("eID") is a digital solution for proof of identity of citizens or organizations. They can be used to view to access benefits or services provided by government authorities, banks or other companies, for mobile payments, etc. Apart from online authentication and login, many electronic identity services also give users the option to sign electronic documents with a digital signature.

The online authentication is the important part. The article also talks about physical cards with a chip, but I honestly don't quite understand how that's different from a regular chip in a passport.

When I have to access any government service, I get redirected to digID to log in, then redirected to the site I want to visit. This is very similar to other online authorisation schemes, except it's tied to me official legal identity.

My proposal is to use this not just to log in to government sites, but to use it to provide any legally required online identification, tailored to the highest amount of privacy possible in that situation. So if a site needs to confirm you're 18+, let that site ask the eID service for just your age, or even just whether you're 18+ or not, log into the eID system, and the eID system sends confirmation of your age back to the site.

[–] Ferk@lemmy.ml 1 points 10 hours ago* (last edited 9 hours ago)

Oh, I see the misunderstadning.

Note that "authentication and login" does not necessarily require network communication with a government service. In fact in Europe the eIDs (eIDAS) are digital documents that use cryptography to authenticate without the need of spending resources in a government-funded public API that could be vulnerable to DDOS attacks and would be requiring reliable internet connections for all digital authentication (which might not always be an online operation). The chips are just a secure way to store the digital document and lock under hardware the actual key, making it much harder for it to be copied/replicated, but they don't require internet connection for making government-certified digital signatures with them that can be used in authentication, this is the same whether the service itself you are login into is online or offline.

In any case, in your example where actual network communication is used, it would still be possible for the government to track you regardless of proxies, because then they can store a log of the data & messages exchanged in the communication.

They can either ask the sites to authenticate previously with the government for the use of the API (which would make sense to prevent DDOS and other abuse, for example), which would let them know immediately which site you were asking login for, or simply provide a token to the site as result of the user authentication (which is a common practice anyway, most authentication systems work through tokens) and later at any given time in the future ask the sites to provide back which tokens are linked to each account on the site (just like I was saying before with the "documents" example) so the government can map each token with each individual person and know which users of that site correspond to which individuals.