The upgraded electronic national identification cards (eID) to be issued in October next year are multifunctional, integrating Citizen Digital Certificates, National Health Insurance cards and driver’s licenses.
The Ministry of the Interior says that the integrated data will end the inconvenience of carrying so many cards and that “there will be absolutely no information security problem, so the public can rest assured,” as the data would be protected by encryption and only accessible with a password.
However, supporters of the ministry’s policy have turned a blind eye to the potential threat to information security because of the convenience brought by digitized administration. They justify their support despite the risk by saying that “all innovations come with a price.”
The government’s digitization policy would spread information on taxes, subsidies, vehicles, labor insurance, national health insurance and other facets of people’s lives across the ministries of finance, interior, transportation and communications, health and welfare and others.
However, the “convenience” of eIDs to log in to online services is worrying. The cards will become an Achilles’ heel of the national digitization policy if the risks of centralized design are not addressed.
People typically use multiple online services, such as Gmail, work or school e-mail, cloud storage, online banking and online shopping. It is convenient to use the same password for these accounts, but anyone who has even the faintest awareness of information security knows that is dangerous — if a work e-mail were hacked, the data on all of their accounts would be vulnerable. When digital assets are stolen in this manner, that affects a single person. However, if people are to use an integrated eID to access government services — a situation known as a single point of failure — that would make it easy for hackers to steal the personal data of all Taiwanese.
Top information officials in the government usually do not have a clear understanding of information security. Even those who have passed the national senior civil service examination usually have had limited experience with technology. Their only trick for managing information security is to outsource it. When a problem occurs, the contractor is responsible for resolving it.
Surely a single point of failure is a considerable security risk, even a national security threat. Which civil servant would be held accountable if it were to be exploited — and how?
Anyone with an understanding of information security knows that no system is 100 percent secure. Information security is neither a single product nor a project with a dedicated technician in charge, but a top-down management system.
Information security includes technology and management aspects. There are always technical problems and even if it were possible to provide technologies that were 100 percent secure, it is management that is the main risk — the human factor is the weakest link in every system.
This is especially true when the management of national information security does not involve a security clearance system; when there are no regulations to clearly define who has access to sensitive and confidential information; and when there are not sufficient penalties to deter and punish the leaking of sensitive information and personal data.
Given this context, implementation of the integrated eID is a completely irresponsible government policy.
When the ministry says that eIDs involve “absolutely no information security problem, so the public can rest assured,” it is either ignorant or lying.
During World War II, Nazi Germany used the Enigma machines — which they claimed were unbreakable — for data encryption, but they were cracked by British mathematician Alan Turing. Given that China has many supercomputers, once Taipei adopts a centralized design, the system and the chips would definitely be targeted by the full force of China’s vulnerability scanning and side-channel analysis attacks — from the lowest to the highest level — and once a loophole is found in this Achilles’ heel, the consequences would be unimaginable.
Although the public and private keys of an eID are generated in its chip, the generation of a personal certificate signing request requires reading the public key data. The public key can be exported and so can the private key. However, the ministry has told people that the private key cannot be exported, which is obviously inconsistent with the facts.
The only one who would know how to produce the public and private key pairs for every card holder would be the contractor, while government authorities have no way to verify them. This creates a crisis out of thin air.
The government must respond to the call for “one card for one purpose” proposed by the private sector and academia by adopting a decentralized framework to construct the national digitization policy and abandon the inappropriate integrated eID policy.
Lin Tsung-nan is a professor of electrical engineering at National Taiwan University. Li Jung-shian is a professor of electrical engineering at National Cheng Kung University.
Translated by Lin Lee-kai