Dutch digital identity system crisis

Dutch digital identity verification system DigiD has announced the phasing out of SMS as a second factor. That way they require citizens to install a smartphone app in order to use digital services from the government, municipalities, the health sector and others. These applications only work on iOS and Android phones, with reliance on third-party services.

Plenty of members of our community choose not to use a device that is tied to vendor-specific services. There is a threat our community will practically be locked out of the digital infrastructure the government has set up for us to use. Official alternatives are to ask a friend with the app for help or go back to snail mail and physical meetings.

This is an urgent matter with a big impact, so if you share my concern, please make your voice heard to policymakers.

The commission Digital Affairs will meet on the 22nd of March to discuss the digital government which includes the topic of identity systems. I’ve written to members of this commission to call attention to this issue and share the views of our community.

In the summer of 2021 I received a letter from my municipality that it was time to renew my driving license. The letter mentioned two ways of getting a renewal: either physically visit city hall or use the experimental digital process that has been around since 2018. More information on this digital process can be found on the dedicated Dutch webpage.

Driving license decision tree as shown in the letter.

The first time I heard of this experiment was a couple of years ago at my local photographer, who was one of the first photographers to take part in this trial. Certified photographers act as the main point of contact in the process by ensuring a good photograph and identifying the citizen making the request. My local photographer was excited to take part in this experiment to help ease the process for customers. I too was excited because this seemed like a well thought-out process that would reduce the number of contacts and visits to get a driving license renewal.

So now, a couple of years later, it was time for my renewal and I was about to experience how far our digital governmental services have come. I started the process by going to rijbewijsaanvragen.rdw.nl and I was immediately redirected to a DigiD prompt. DigiD is the login solution the Dutch government develops and uses. More information is available on Wikipedia and on the official website. Years ago DigiD was just using a username and password for verification, a single factor. Then SMS authentication was added as a possible second factor of authentication for improved security. Later a dedicated app was created for using your smartphone as a second factor, relying on the security features of the operating system. More recently an ability called check-id was added for apps to read the NFC chip of identity cards and use that as the basis for authentication. More information on the identity card login method is available on the website.

When trying to start the digital request, this time the DigiD prompt didn’t show the SMS authentication option I would normally use. I could choose between the DigiD app and the option to read the NFC chip from the identity card. I was baffled and assumed I had perhaps made a mistake. Carefully retracing my steps I retried but again I was faced with the same prompt.

 

DigiD prompt

 

Doing some more research, I found out that SMS was not considered safe enough for this application, and so this project was set up to at least require an installed DigiD App as second factor, or the use of an NFC readout of your ID-card.

I actually didn’t want to install the DigiD Android app, despite having a Nokia 8.1 smartphone with Google One Android on it. My previous phone was a Fairphone 2 with Fairphone Open OS, the Google-free Android version by Fairphone. Having experienced the Google-free Android, I’ve become aware how much apps rely on Google libraries and services to function. It had taken me quite some experimentation to move my app usage over to apps that did not rely on Google Services. As I was considering another Google-free Android phone as my next phone, I didn’t want to commit myself to using an app that relied on Google to function, which the DigiD App does. Also I was looking towards a Linux phone like the PinePhone with Mobian, which would move me even further away from the Android app ecosystem.

I looked on the DigiD website for suggestions for this situation. The official recommendation is to ask somebody else with the DigiD app for help. I couldn’t believe what I was reading. My government was now the single strongest force pulling me into the vendor-tied smartphone ecosystem I resent. I had already read about SMS planned to be phased out (Dutch article by Tweakers.net) and how the government is fuelling the Google and Apple duopoly (Dutch article, Archive.is), but being faced with it in real life made it so much more real and urgent. Already in 2018 when I was using the Fairphone, I emailed DigiD asking if the DigiD app could be provided outside of the Google Play store, but got an answer that that was not possible.

In contrast, the situation in Germany is quite the opposite. AusweisApp2 is the German identification app, which is available in F-Droid, Debian and many other Free Software repositories. All of this is made possible because the source code is provided under a Free Software license (EUPL v1.2). This allowed the community to make the application available on many different platforms. The AusweisApp2 uses the chip in the identity card or passport as the basis for identity. So the app merely has to facilitate communication with online services. Compared to apps like DigiD that act as a digital identity directly, only having to relay information reduces the security requirements. And without the reliance on vendor-specific crypto libraries it is easier to open up the code for transparency and collaboration as the Germans have done.

I decided I would stand by my principle of not installing the app and try to see what I could achieve. Worst-case I had to go back to the physical process I had done the last time I got my driving license. So I reached out to the RDW team responsible for this digital process which was still called an experiment despite being a couple of years in use already. I explained my situation, mentioned that I was not willing to ask anybody for help because I didn’t want to be relying on others for my digital services, and I asked about alternatives. I got a formal reply repeating what I already read online: it was not possible without the app.

In the meantime there was also a desktop application available to read out the NFC chip of an identity card. This app is only available through the Windows 10 app store. With all my computers running Debian or Ubuntu, that was no option for me. Even besides the fact that I didn’t have an ID-card with an NFC chip in it to actually identify with. So unless the government starts releasing the applications for different operating systems, I don’t see this as a solution for me either.

DigiD prompt for NFC cards

 

Not having a solution that I could use by myself without relying on Google, I resorted to the traditional physical process. I went to my local photographer to get my picture taken, the same one that had told me about the digital process a few years earlier. He asked me if I wanted to use the digital process after I mentioned my picture was for my driving license renewal. I replied I didn’t want to make use of that because I didn’t want to install the app. And so I got my pictures in analog format, rather than them being sent digitally to the correct agency. Later I went to city hall to hand over my photograph and sign the papers requesting the renewal. A couple of days later I went back to city hall to pick up my new driving license, and that was that.

Compared to the digital process it took me one more trip to city hall to file the request and it took some more paperwork. For a single case this wasn’t so bad and it was something to overcome. But with SMS planned to be phased out in 2022 the impact would be much greater. Most online public services require a second factor of authentication now, and more and more services are becoming digital. Tax registration is one of the services that still allows authentication without a second factor of authentication, but for how long? Dealing with public services without the DigiD app will become increasingly difficult, and that is why we need a solution that meets the ‘vendor-neutral’ and ‘open’ principles that our government itself is calling for.

The Dutch DigiD app acts as the source of identity and thus relies on the frameworks by Apple and Android to guarantee a trustworthy identity. To ever achieve a Free Software app in the Netherlands we should not rely on the locked-down operating systems and libraries of vendors to provide security guarantees. Like in Germany, relying on an identification chip in hardware can provide the trust a government needs without introducing this reliance. Another solution might be the IRMA app which relies partly on online connectivity for its security. IRMA has an active community in the Netherlands consisting of public bodies like municipalities and several companies needing a secure and accessible means of authentication. Regardless of the technical solution we end up with, it is important that it is vendor-neutral, free software, based on open standards and open for community contributions like operating system support. In 2020 Waag together with other organizations has already pushed for these values in the #goedID campaign.

It worries me that our government so far seems inconsiderate of our stance. The information on the website seems to imply that if you don’t have a Google Android or Apple smartphone you lack digital skills and fall into the same category as the elderly. Our community is quite the contrary. Exactly because we are so skilled and knowledgeable we avoid corporate dependence where we can. We need to make our voices heard and let the government know that we expect them to step up their game. In the last couple of years our community has shown in the Netherlands the willingness and ability to cooperate. For example by contributing to open source applications like the Covid tracing and QR-code apps and by making them available on F-Droid. So let’s keep that spirit of collaboration and call out the government on the current crisis they created and demand a solution that meets our values.