People often confuse eID-related topics that are not one and the same. Not knowing all the facts makes them fear for their privacy. Let's clarify some questions that I have seen people misunderstand.
From a privacy standpoint, using national eID cards or other solutions does not differ significantly from using, for example, self-sovereign identity (SSI).
What is an eID?
An eID is a type of verifiable credential. It is issued by a trusted authority, only you have control over it, and websites or apps can request that you present this credential for verification. After verification, the website gets some identity information about you that the issuer has embedded into the certificate.
An eID can take the form of a smart card, such as a national ID card issued as an alternative to a passport; a USB cryptostick or security token; a SIM card with embedded certificates in your phone; or a specially engineered, secure mobile app.
How are government information systems related to eID?
Your medical history, tax and income information, family relationships, addresses, etc. are all already in government databases. The government can read this data any time it wants, according to its regulations, regardless of whether you have an eID card or not. The difference is that if you do not have a secure eID credential, then you yourself cannot access this data and you cannot check who has been reading it.
Is a personal unique code for every citizen constitutional?
All governments must be able to differentiate one citizen from another. You do not want to end up in jail because somebody else with the same name has murdered someone. Without a unique identifier, it is also really complicated for institutions like banks to make sure that the guy with the same name as you cannot withdraw all the money from your account. See examples of different possible unique identifiers below from the ETSI EN 319 412-1 standard.
How much new information must I give to get an eID token?
There is no difference whether you request a true SSI verified credential from your government, get your new passport, or get a national electronic ID card. If the government is taking height and weight measurements, capturing fingerprints, checking hair and skin color, and saving all of this to its database, then that is not related to the electronic ID card function. For the electronic ID card function, it is minimally enough to have only the personal ID code. Including the name is also good practice. This means that no new information is given to the government.
Is every eID usage registered in a government database?
Similarly to SSI, the issuer might or might not be contacted to verify the credential. Electronic national ID cards can be verified in two ways. One is checking the Certificate Revocation List (CRL), which is usually updated a few times per day. Using this method, the eID card can be verified completely offline, and the ID card issuer never knows whether the card was verified or by whom.
The second option is to use the real-time Online Certificate Status Protocol (OCSP). In this case the issuer's OCSP responder can save the IP addresses of the verifiers who have checked your certificate's validity at that point in time. This is useful because if your card and PIN have been stolen, you can block the card and from the next moment the bad guys cannot use it anymore.
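The offline CRL check described above, as an added example that is not from the original article. It assumes the third-party Python `cryptography` package; the CA name, serial numbers, dates and function names are constructed for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc

def build_sample_crl(ca_key, revoked_serials, issued, valid_for):
    """Issuer side (constructed test data): sign a CRL listing blocked cards."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example eID CA")])
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(name)
               .last_update(issued)
               .next_update(issued + valid_for))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(issued).build())
        builder = builder.add_revoked_certificate(entry)
    crl = builder.sign(ca_key, hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)

def check_offline(crl_der, ca_public_key, serial, now):
    """Verifier side: works on a cached CRL, so the issuer never sees the check."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(ca_public_key):
        return "untrusted-crl"
    # Newer library releases expose next_update_utc; older ones return a
    # naive UTC datetime from next_update.
    next_update = getattr(crl, "next_update_utc", None)
    if next_update is None:
        next_update = crl.next_update.replace(tzinfo=UTC)
    if now > next_update:
        return "stale-crl"  # refuse to rely on a list past its update time
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    # "good" only means "not blocked when this CRL was issued": a card blocked
    # since then still passes until the verifier fetches the next list.
    return "good"

# Constructed sample: one blocked card (serial 0x1001), CRL valid for 12 hours.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
ISSUED = dt.datetime(2024, 1, 1, 12, 0, tzinfo=UTC)
SAMPLE_CRL = build_sample_crl(CA_KEY, [0x1001], ISSUED, dt.timedelta(hours=12))
```

The gap between CRL updates is the price of the offline method's privacy; OCSP closes that gap at the cost of the responder seeing each verifier's request.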
Is there too much information revealed when using an electronic ID card online?
Service providers usually get very basic information, for example your name and personal identity code. Often the identity code contains your birthday as well.
Excerpt from ETSI EN 319 412-1 – Natural person semantics identifier
The semantics of id-etsi-qcs-SemanticsId-Natural shall be as follows. When the natural person semantics identifier is included, any present serialNumber attribute in the subject field shall contain information using the following structure in the presented order:
- 3 character natural identity type reference;
- 2 character ISO 3166 country code;
- hyphen-minus “-” (0x2D (ASCII), U+002D (UTF-8)); and
- identifier (according to country and identity type reference).
The three initial characters shall have one of the following defined values:
- “PAS” for identification based on passport number.
- “IDC” for identification based on national identity card number.
- “PNO” for identification based on (national) personal number (national civic registration number).
- “TAX” for identification based on a personal tax reference number issued by a national tax authority. This value is deprecated. The value “TIN” should be used instead.
- “TIN” Tax Identification Number according to the European Commission – Tax and Customs Union (https://ec.europa.eu/taxation_customs/tin/tinByCountry.html). Or
- Two characters according to local definition within the specified country and name registration authority, identifying a national scheme that is considered appropriate for national and European level, followed by the character “:” (colon).
Other initial character sequences are reserved for future amendments of the present document.
EXAMPLES: “PASSK-P3000180”, “IDCBE-590082394654” and “EI:SE-200007292386”.
When a locally defined identity type reference is provided (two characters followed by “:”), the nameRegistrationAuthorities element of SemanticsInformation (IETF RFC 3739) shall be present and shall contain at least a uniformResourceIdentifier generalName. The two letter identity type reference preceding the “:” character shall be unique within the context of the specified uniformResourceIdentifier.
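A parser for the serialNumber structure quoted above, as an added example that is not part of the article or the standard. The class and function names are assumptions, and the country code is checked for shape only (two uppercase letters), not against the ISO 3166 list.

```python
import re
from dataclasses import dataclass

# Identity type references defined in the excerpt; anything else is reserved.
DEFINED_TYPES = {"PAS", "IDC", "PNO", "TAX", "TIN"}

# Either three uppercase letters, or two characters followed by ":" for a
# locally defined scheme; then country code, hyphen-minus, identifier.
_PATTERN = re.compile(r"^(?:([A-Z]{3})|(.{2}):)([A-Z]{2})-(.+)$")

@dataclass(frozen=True)
class SemanticsId:
    type_ref: str       # "PAS", "PNO", ... or the two locally defined characters
    local_scheme: bool  # True when written as two characters plus ":"
    country: str        # two-letter country code
    identifier: str     # meaning depends on country and type reference
    deprecated: bool    # True for "TAX", which "TIN" replaces

    @property
    def needs_name_registration_authority(self) -> bool:
        # Locally defined references require nameRegistrationAuthorities
        # to be present in SemanticsInformation.
        return self.local_scheme

def parse_serial_number(value: str) -> SemanticsId:
    """Split a subject serialNumber into the parts defined by the excerpt."""
    match = _PATTERN.match(value)
    if match is None:
        raise ValueError(f"not a natural person semantics identifier: {value!r}")
    standard, local, country, identifier = match.groups()
    if standard is not None and standard not in DEFINED_TYPES:
        raise ValueError(f"reserved identity type reference: {standard!r}")
    return SemanticsId(
        type_ref=standard or local,
        local_scheme=local is not None,
        country=country,
        identifier=identifier,
        deprecated=(standard == "TAX"),
    )

if __name__ == "__main__":
    # The three examples given in the excerpt.
    for sample in ("PASSK-P3000180", "IDCBE-590082394654", "EI:SE-200007292386"):
        print(parse_serial_number(sample))
```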