FC: Finland mulls national IDs in cell phones -- with little outcry

From: Declan McCullagh (declanat_private)
Date: Sun Aug 12 2001 - 16:13:01 PDT

  • Next message: Declan McCullagh: "FC: Should security flaws like Code Red be disclosed publicly?"

    **********
    
     >FINLAND MULLS PUTTING NATIONAL IDs ON CELL PHONES
     >The Finnish government is considering using SIMs -- the subscriber
     >information modules inside every cell phone -- to take the place of its
     >national identity card, and eventually even a passport. Under the plan, the
     >computer chip embedded in every SIM would store personal information,
     >transforming the SIM into a person's legal proof of identity. Of course the
     >drawback would be what would happen if you lost your phone -- about 9,000
     >cell phones are left on the London Underground alone every year. The
     >solution, according to Roger Needham, manager of Microsoft's British
     >research lab, is to store the information on secure servers accessible via
     >a WAP connection to the Web. The SIM in this case would store only a
     >personal identifier -- an encryption key -- that the owner would have to
     >punch in a PIN to use. The Finnish government is already taking the
     >initiative with a national technical standard called FINEID. Currently
     >FINEID uses a smart card and a card reader attached to a PC, but the plan
     >is to migrate to an SIM, says Vesa Vatka of the Finnish Population Register
     >Center in Helsinki. (New Scientist)
     >http://www.newscientist.com/hottopics/tech/yourphoneisyou.jsp
    
    **********
    
    Date: Sat, 11 Aug 2001 12:57:01 +0300 (EEST)
    From: Sampo Syreeni <decoyat_private>
    To: Eugene Leitl <Eugene.Leitlat_private-muenchen.de>
    Cc: <cypherpunksat_private>
    
    On Fri, 10 Aug 2001, Eugene Leitl wrote:
    
     >>FINLAND MULLS PUTTING NATIONAL IDs ON CELL PHONES
     >>The Finnish government is considering using SIMs -- the subscriber
     >>information modules inside every cell phone -- to take the place of its
     >>national identity card, and eventually even a passport.
    
    Essentially they are thinking about putting FINEID into SIMs alongside the
    GSM subscriber application. FINEID is PKI implemented by the Finnish
    government, or more accurately, Vdestvrekisterikeskus (Population Register
    Center). See http://www.fineid.fi/. It is currently used in the smartcard
    version of our national ID card which is used to enable dsigging
    transactions with governmental and municipal authorities. If I'm not
    entirely mistaken, Finnish law has already been amended to make dsigs
    binding in the eyes of the law, so basically you can use the card for any
    transaction. The infrastructure is not widely deployed, yet, and few people
    have FINEID enabled ID cards.
    
    About Eugene's fears, one already needs a national ID card here, since it is
    needed to "prove" your identity whenever you have dealings with governmental
    authorities, or try to withdraw money from a bank, or whathaveyou. (In fact
    this is one of the fun countries where the police has the authority to
    detain you until such time they can verify your identity, for no reason
    whatsoever.) Since everybody has one such document already, and the vast
    majority also has a cell phone, the extension to FINEID on SIM ought to be
    relatively painless. I suspect there will be little outrage over the matter,
    here.
    
     >>Under the plan, the
     >>computer chip embedded in every SIM would store personal information,
     >>transforming the SIM into a person's legal proof of identity.
    
    That personal information is very limited in the current incarnations of
    FINEID. The application is basically a government certified binding between
    a running identifier (called SATU) assigned by person, and the person's
    first and last names. It is pretty strange that even as we do have a unique
    ID ("henkilvtunnus") in use for the populus, that is not included on-card.
    SATU does constitute another such number, if it's ever assigned to a
    significant majority of Finnish people, but there seems to be no way for an
    ordinary reader of an ID card to tie SATU to the national ID. VRK of course
    has the means, since they assign both numbers, and the info likely leaks...
    
    Now, it is quite probable that they'll include a digitized photograph and
    maybe fingerprints if FINEID is ever used to sub for a passport. That is
    something even I'm pretty concerned about. The same goes doublefold for any
    attempt to make the FINEID app invokable remotely, when the SIM is attached
    to a phone.
    
     >>Currently FINEID uses a smart card and a card reader attached to a PC,
     >>but the plan is to migrate to an SIM, says Vesa Vatka of the Finnish
     >>Population Register Center in Helsinki. (New Scientist)
    
    Which, of course, are basically the same thing. I believe the application
    already exists. It'll likely be put out in a year or two, likely without a
    significant counter-reaction over here.
    
    The interesting part for most people on this list is that if the application
    ever gathers support on the phone manufacturer side, it might well be that
    the app has some potential to spread abroad as a result. I'm mainly speaking
    about Nokia, with its Finnish roots and dominance of the GSM market, but
    also whichever companies thrive in the 3G mobile arena -- the latter will
    work unchanged in Europe, Japan and the US. If models are produced which
    support PKI-on-phone, they might well be easy to deploy throughout the
    world.
    
    Sampo Syreeni, aka decoy, mailto:decoyat_private, gsm: +358-50-5756111
    student/math+cs/helsinki university, http://www.iki.fi/~decoy/front
    
    **********
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe, visit http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Sun Aug 12 2001 - 16:54:18 PDT