Ah, you can see clearly who gets which data with every authentication. It’s logged and I can look it up on my portal.
Actually’', apart from ItsMe, I can see every time someone did any lookup on my online data with the federal government for the last 10 years. I even get to see their names.
There’s no third party watching with ItsMe because the traffic is encrypted. The data is owned by the Federal government and the party that requests authentication gets to see what the are legally allowed to see and what you clear. With every authentication you get to see what info they request.
I can’t find the blog post that I was referring to but this might help:
From their own site: https://www.itsme-id.com/en-NL/why-itsme/security
ISO cert: https://www.itsme-id.com/en-BE/business/blog/iso27001
It’s good to point out that the system was developed by a consortium of banks to simplify identity verification en prevent fraud. Banks are held to ‘‘Know Your Customer’’. KYC entails that they need to check your identity every now and then and up until ItsMe that meant that you had to verify with your eID and a card reader. Those card readers have issues. Outdated firmware and whatnot make the proces a terible experience. I have several government websites that I use from day to day and the all need my eID for authentication.
Some figures. Nearly 1.700.000 authentications every day for 11.700.000 Belgians. 80% Of the Belgians use the app.
We have a local privacy podcast (Dasprivé). The CISO was featured on the podcast. I can’t transcribe everything but the community consents on the fact that they run a tight ship. The use case is very local so apart from Flemish and French speaking sources i sadly can’t get further than ‘trust me bro’ at the moment.
Every authentication uses your SIM, your civil service number and your password (PIN, fingerprint, face id). Before authenticating you’ll see all the info that’ll be shared like your, date of birth, adress, phone number,…
Acces is granular. If age verification is needed, the request will only state that you’re 18 or above for example. They don’t get my date of birth. As a resident, I get a reduction at our local swimming pool. The can use my id but the only info they see is whether I live in the city or whether I’m from outside.
Everytime my data is accessed, the acces is logged. The log contains information about the organisation and, if it applies, the person that made the manual lookup. The legality is checked by logging the legal ground for acces.
Are they trustworthy? I don’t know. We use our eID for online verification for over 20 years now and ItsMe has certainly made the whole process a breeze.
I think avoiding functioneren creep will be a certain issue.
Belgium has such an e-id for nearly 10 years now. It works pretty good and acces to your personalia data is granular.
If only age verification is needed, the request will only grant you birth date.
Comanies that want to use it need to be vetted and their acces to your data is centrally regulated.
I’ll gladly introduce you to Massive Attack because it seems you never heard of these Trip Hop legends from Bristol.
You could try Qubes OS? Portable version maybe? That’s quite easy and sucure.
It’s not the ID. It’s the implementation. I do like the Belgian implementation… It’s been nearly 10 years now and it seems to be pretty secure and trustworthy.