EU lacks common ID privacy specs, says agency

EU lacks common ID privacy specs, says agency

Summary: Europe lacks a common ID card privacy strategy, which is hindering interoperability and citizen acceptance, according to Enisa

SHARE:
TOPICS: Security
3

European Union members lack a co-ordinated strategy on how to protect citizen data linked to ID cards, according to an EU agency.

That lack has hindered the development of interoperability standards that would let each country's authorities work with the electronic identity card (eID) of another, the European Network and Information Security Agency (Enisa) said.

"Privacy is an area where the member states' approaches differ a lot, and European eID will not take off unless we get this right," said Enisa executive director Andrea Pirotti in a statement. "Europe needs to reflect on eID privacy and its role in the interoperability puzzle."

An Enisa spokesperson told ZDNet UK on Thursday: "Member states should get their act together and formulate a strategy on this matter in more detail."

Enisa published a paper outlining its position on Tuesday, in which it evaluated privacy protections in ID card schemes across Europe. For example, the assessment looked at whether the primary data on the card could be changed, which is essential if the data is incorrect. Out of the eleven countries in the EU that have eIDs, only six of them had systems that allowed primary data to be changed.

While the use of electronic identity cards offers opportunities for governments to be more efficient in providing services to citizens, there is the risk that the citizen data collected could be misused, either by criminals or future governments, Enisa said. This is not desirable, it added.

"The fundamental human right to privacy must be guaranteed for all European eID card holders," said Pirotti.

Privacy fears have limited citizen acceptance of the cards, according to Enisa.

The quality of UK data-privacy safeguards could not be evaluated by Enisa, as the UK government has not revealed any specific details about the technology behind its scheme.

While the first UK ID cards have been issued, currently no police stations, border-entry points or job centres have any way of reading the information stored on them, ZDNet UK's sister site, silicon.com, reported on Thursday.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

3 comments
Log in or register to join the discussion
  • Hold on ??!

    The ID card is supposed to be based on the technology they used for the RFID passport. We were sold this white elephant partly on the basis that it was the same tech and so would be usable across the United States of Europe in place of a passport. Now we are being told that they didn't actually do anything about making this happen before they started issuing the things. Unbelievable! So come on, once and for all, what ARE they for?
    Andrew Meredith
  • Apparently in the US

    they are using the same technology in driving licences and passports.

    This article highlights the potential risks of the system in terms of both security and abuse.

    The author has apparently created a simple device to read electronic passport and driving licence chips (RFID's) without much difficulty or expense.

    http://www.theregister.co.uk/2009/02/10/new_dns_amplification_attacks/

    Simultaneously, I understand that we are considering all sorts of technology to remotely read cards as we just pass by to facilitate all sorts of services.

    The much quoted European Identity Cards aren't linked to massive databases (yet) and are often issued locally so that, so far, they are not so draconian and therefore do represent a useful service without any strings attached, at the moment.
    The Former Moley
  • Almost but not quite

    As Moley says:

    "The much quoted European Identity Cards aren't linked to massive databases (yet) and are often issued locally so that, so far, they are not so draconian and therefore do represent a useful service without any strings attached, at the moment."

    Unusually, I have to disagree with something he has said; specifically the assertion that the ID cards are useful.

    I am at a loss as to what they would be used for, I'm afraid. All of the uses I have heard expressed are not actually to the benefit of the holder, but are a way of saving the bureaucrats time and effort while they subject the poor Joe Blow to endless red tape and coordinated scrutiny .. known in the north as "Pokey Nosing".

    Also, the assertion that they don't bear any strings is, I suspect, a little premature. The UK, in typical fashion has taken the EU directives and guilded the living sweat out of them. We are up against the full multiply linked database and all the trimmings in one fell swoop. The rest of the European governments who are more used to trying to be subtle over these things, are just doing the piece of card with a picture bit first, to get the proles used to having one about them. The second phase, the addition of all the control freak goodies, will come once the first bit is done. By then, they won't even notice.

    I am fully aware that the above sounds all conspiracy freakish, and in truth I love a good conspiracy theory as much as the next world dominating lizard, but when you pull back from the bull dust spread by the government and the emotion on both sides and take a hard logical look at the new laws the UK government have been touting for the last 10 years or so, there is a perfectly clear design and pattern.

    The only thing you have to decide is whether this pattern is accidental or deliberate. For my part, I don't think there are any where near enough monkeys or typewriters in Whitehall to have done this purely by accident.

    The last decision is why. I am hoping it is a the misguided attempt to improve the lot of the common man by a government who's only instincts are centralised control and high RPM spin. "We need to Benefit the public and to do so we need to know absolutely everything about them at all times of the day and night. How do we get this?"
    Andrew Meredith