The upgraded electronic national identification cards (eID) to be issued in October next year are multifunctional, integrating Citizen Digital Certificates, National Health Insurance cards and driver’s licenses.
The Ministry of the Interior says that the integrated data will end the inconvenience of carrying so many cards and that “there will be absolutely no information security problem, so the public can rest assured,” as the data would be protected by encryption and only accessible with a password.
However, supporters of the ministry’s policy have turned a blind eye to the potential threat to information security because of the convenience brought by digitized administration. They justify their support despite the risk by saying that “all innovations come with a price.”
The government’s digitization policy would spread information on taxes, subsidies, vehicles, labor insurance, national health insurance and other facets of people’s lives across the ministries of finance, interior, transportation and communications, health and welfare and others.
However, the “convenience” of eIDs to log in to online services is worrying. The cards will become an Achilles’ heel of the national digitization policy if the risks of centralized design are not addressed.
People typically use multiple online services, such as Gmail, work or school e-mail, cloud storage, online banking and online shopping. It is convenient to use the same password for these accounts, but anyone who has even the faintest awareness of information security knows that is dangerous — if a work e-mail were hacked, the data on all of their accounts would be vulnerable. When digital assets are stolen in this manner, that affects a single person. However, if people are to use an integrated eID to access government services — a situation known as a single point of failure — that would make it easy for hackers to steal the personal data of all Taiwanese.
Top information officials in the government usually do not have a clear understanding of information security. Even those who have passed the national senior civil service examination usually have had limited experience with technology. Their only trick for managing information security is to outsource it. When a problem occurs, the contractor is responsible for resolving it.
Surely a single point of failure is a considerable security risk, even a national security threat. Which civil servant would be held accountable if it were to be exploited — and how?
Anyone with an understanding of information security knows that no system is 100 percent secure. Information security is neither a single product nor a project with a dedicated technician in charge, but a top-down management system.
Information security includes technology and management aspects. There are always technical problems and even if it were possible to provide technologies that were 100 percent secure, it is management that is the main risk — the human factor is the weakest link in every system.
This is especially true when the management of national information security does not involve a security clearance system; when there are no regulations to clearly define who has access to sensitive and confidential information; and when there are not sufficient penalties to deter and punish the leaking of sensitive information and personal data.
Given this context, implementation of the integrated eID is a completely irresponsible government policy.
When the ministry says that eIDs involve “absolutely no information security problem, so the public can rest assured,” it is either ignorant or lying.
During World War II, Nazi Germany used the Enigma machines — which they claimed were unbreakable — for data encryption, but they were cracked by British mathematician Alan Turing. Given that China has many supercomputers, once Taipei adopts a centralized design, the system and the chips would definitely be targeted by the full force of China’s vulnerability scanning and side-channel analysis attacks — from the lowest to the highest level — and once a loophole is found in this Achilles’ heel, the consequences would be unimaginable.
Although the public and private keys of an eID are generated in its chip, the generation of a personal certificate signing request requires reading the public key data. The public key can be exported and so can the private key. However, the ministry has told people that the private key cannot be exported, which is obviously inconsistent with the facts.
The only one who would know how to produce the public and private key pairs for every card holder would be the contractor, while government authorities have no way to verify them. This creates a crisis out of thin air.
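The certificate signing request (CSR) step mentioned above, as an added example that is not part of the op-ed: it builds a standard PKCS#10 request from a locally generated key pair and then inspects what the request actually carries, namely the subject name, the public key and a signature made with the private key. The function names are assumptions, the key is generated in software as a stand-in for on-card generation, and the third-party `cryptography` library is assumed to be installed; whether a particular chip allows its private key to be exported is a property of the card firmware that a software-only example cannot test.

```python
# Added example (not from the op-ed): what a PKCS#10 certificate signing
# request contains, built with the third-party `cryptography` library
# (pip install cryptography). Function names and the subject are constructed.
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def generate_keypair():
    """Software stand-in for on-card key generation (constructed example;
    a real eID chip would generate the pair internally and expose a handle)."""
    return ec.generate_private_key(ec.SECP256R1())


def build_csr(private_key, common_name="Card Holder (constructed)"):
    """Build a PKCS#10 CSR. The request embeds the public key and a
    proof-of-possession signature; the private key is used only to sign."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return (
        x509.CertificateSigningRequestBuilder()
        .subject_name(subject)
        .sign(private_key, hashes.SHA256())
    )


def inspect_csr(csr_der: bytes, private_key) -> dict:
    """Parse a DER-encoded CSR and report what it carries:
    - whether the embedded public key matches the key pair,
    - whether the self-signature verifies under that public key,
    - whether the raw private scalar appears anywhere in the request bytes."""
    csr = x509.load_der_x509_csr(csr_der)
    spki = (serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo)
    pub_in_csr = csr.public_key().public_bytes(*spki)
    pub_expected = private_key.public_key().public_bytes(*spki)
    # The P-256 private scalar as 32 big-endian bytes, the form it would take
    # if it were ever serialized out of the key store.
    secret = private_key.private_numbers().private_value.to_bytes(32, "big")
    return {
        "public_key_matches": pub_in_csr == pub_expected,
        "signature_valid": csr.is_signature_valid,
        "private_scalar_in_csr": secret in csr_der,
    }


def demo() -> dict:
    """Generate a key pair, build its CSR and inspect the request."""
    key = generate_keypair()
    csr = build_csr(key)
    return inspect_csr(csr.public_bytes(serialization.Encoding.DER), key)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the public key in the request matches the generated pair, that the request's signature verifies, and that the private scalar does not occur in the request bytes: the CSR is the artefact a card or key store must hand to the certificate authority, so reading the public key out is unavoidable, while the signature is how the issuer checks that the requester controls the matching private key.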
The government must respond to the call for “one card for one purpose” proposed by the private sector and academia by adopting a decentralized framework to construct the national digitization policy and abandon the inappropriate integrated eID policy.
Lin Tsung-nan is a professor of electrical engineering at National Taiwan University. Li Jung-shian is a professor of electrical engineering at National Cheng Kung University.
Translated by Lin Lee-kai