sdecoret - stock.adobe.com
The Dutch Cyber Security Council (Cyber Security Raad – CSR) wants the government to better protect its citizens and businesses by making secure logins more widely available.
According to the CSR, the government has a facilitating and coordinating role in this respect. While the government’s current eID programme focuses primarily on the government domain, the Council would like to see the eID system broadened so that users enjoy the same facilities and protection everywhere, both in the private and public domain.
The CSR is a Dutch national and independent strategic advisory body to the government and the business community on cyber security in the Netherlands and is made up of high-level representatives from the public, private and scientific sectors.
The body recently presented the advisory report entitled Towards a secure eID system, to Minister Knops of the interior and kingdom relations, State Secretary Keijzer of economic affairs and climate, and Minister Grapperhaus of justice and security.
Developments in the digital domain offer many economic and social opportunities that can only be realised if the Netherlands is digitally secure. For the business community in the Netherlands, digital identification, the facilitation of economic transactions and (legal) clarity in the use of data are essential; they form the pillars for economic growth in the increasingly dominant digital domain.
“In the physical world we can hardly imagine economic transactions without certainties about identities, property and who is authorised to do what. There are means and organisations for this, such as passports and identity cards, land registry and the Chamber of Commerce, notaries and municipal counters.
“There are legal frameworks and guarantees for this structuring, and the government has a heavy responsibility,” according to CSR advice.
Uncertainty in a digital world
But in the digital world, such a broad infrastructure is still lacking and the necessary certainties are much less self-evident. The digitisation of transaction processes is difficult, particularly due to the lack of a flexible eID infrastructure for both the public and private domains.
The government not only leaves the authentication of companies to the market, but also the authentication of citizens in the private domain. As a result, citizens do not yet have an eID (secure and privacy-friendly) that can be used in both society and e-commerce.
“The question is whether we in the Netherlands are sufficiently committed to establishing a solid digital infrastructure that protects citizens and businesses in the digital age and facilitates economic growth in the next phase of the digital single European market,” according to the CSR advisory report.
Out of the hands of Google and Facebook
Therefore, the creation of a system in which citizens and businesses can safely do business digitally with public as well as private services is crucial, said the CSR. In this way, the Dutch can carry out safer online transactions and are less dependent on the major American players in this field, such as Google and Facebook.
A secure eID system is an important step towards protecting the privacy of Dutch citizens. In addition, it will benefit the digital security of the entire country. To make logging in easier, many websites offer citizens the option of logging in with their account at one of the major foreign platforms, such as Facebook, Apple, Amazon, Google or possibly soon Alibaba or Tencent.
This results in large concentrations of Dutch company and personal data on these platforms. This has direct consequences for the Dutch privacy and digital sovereignty.
The CSR believes that this must change quickly if the Netherlands is to be and remain a safe, open and prosperous society. It calls on the government to coordinate and facilitate the development of a reliable eID system in such a way that the rights to privacy, autonomy and self-determination are at the heart.
Read more about electronic ID in Europe
- Suppliers are reacting to the rapid adoption of digital government in Sweden with electronic ID technology that will replace passwords.
- A regulation aimed at cutting red tape to enable a digital single market in Europe will soon be in full force, but it could present some challenges to the UK after Brexit.
- In recent months the fuss about surveillance revelations has distracted attention from some good work in the European Commission to try to align and push forward a harmonised electronic identity and trust services approach.
However, the Dutch identity infrastructure is divided into two domains, namely the public domain (of citizens and governments) and the private domain (of citizens, businesses and non-public organisations).
The government’s current eID programme does not yet have the ambition to facilitate secure, privacy-friendly digital authentication and transactions in the social (private) domain.
The government’s main focus is to increase the level of reliability of its own existing logins and to guarantee continuity, so that citizens and businesses can do secure online business with government organisations and healthcare institutions in the public domain.
However, according to the CSR, there is every reason to provide the Dutch digital society with a broad eID system that offers users the same facilities and protection everywhere. The council argues that the urgency of a broad eID system is emphasised, among other things, by the fact that Dutch digital security is under pressure.
“Countries such as China, Iran and Russia have launched offensive cyber programmes against the Netherlands. This means that these countries are using digital means to achieve geopolitical and economic goals at the expense of Dutch interests.
A first line of defence against such activities is a solid eID infrastructure, which not only protects the public sector, but also the private sector against unauthorised access,” said the CSR.
Privacy and sovereignty under pressure
Moreover, Dutch privacy and digital sovereignty are under pressure. The Dutch are one of the top five European online shoppers. Their digital infrastructure is highly dependent on a limited number of foreign organisations with their own interests when it comes to collecting and using user data.
This makes the Netherlands potentially vulnerable. To date, national initiatives in the private and non-profit sector in the field of eID have been small-scale and not widely applauded, said the report. As a result, it is not clear to users what applications they can use and whether they meet security and privacy requirements.
Therefore, citizens still have to log in using the vulnerable username and password system for almost every service and have to reveal their personal details manually.
To simplify this process, many websites offer the option of logging in with an account from Google or Facebook, for example. This means that they capture large amounts of Dutch company and personal data, which has direct consequences for their privacy and digital sovereignty.
Broad role of government necessary
The Netherlands must be and remain a safe, open and prosperous society, stated the CSR. The safe identification and authentication, safe login, secure data sharing, but also the safe digital signing and adequate encryption of data is part of the necessary basic infrastructure of a digital world.
In the physical world, such things are guaranteed by numerous regulations and agencies. “Whether the Netherlands is able to realise the benefits of a digitising society depends on the safeguarding of three core themes: security, privacy and trust,” according to the CSR.
The Netherlands must speed up the construction of a digital eID infrastructure that can be used by both the public and private sectors.