The upgraded electronic national identification cards (eID) to be issued in October next year are multifunctional, integrating Citizen Digital Certificates, National Health Insurance cards and driver’s licenses.
The Ministry of the Interior says that the integrated data will end the inconvenience of carrying so many cards and that “there will be absolutely no information security problem, so the public can rest assured,” as the data would be protected by encryption and only accessible with a password.
However, supporters of the ministry’s policy have turned a blind eye to the potential threat to information security because of the convenience brought by digitized administration. They justify their support despite the risk by saying that “all innovations come with a price.”
The government’s digitization policy would spread information on taxes, subsidies, vehicles, labor insurance, national health insurance and other facets of people’s lives across the ministries of finance, interior, transportation and communications, health and welfare and others.
However, the “convenience” of eIDs to log in to online services is worrying. The cards will become an Achilles’ heel of the national digitization policy if the risks of centralized design are not addressed.
People typically use multiple online services, such as Gmail, work or school e-mail, cloud storage, online banking and online shopping. It is convenient to use the same password for these accounts, but anyone who has even the faintest awareness of information security knows that is dangerous — if a work e-mail were hacked, the data on all of their accounts would be vulnerable. When digital assets are stolen in this manner, that affects a single person. However, if people are to use an integrated eID to access government services — a situation known as a single point of failure — that would make it easy for hackers to steal the personal data of all Taiwanese.
Top information officials in the government usually do not have a clear understanding of information security. Even those who have passed the national senior civil service examination usually have had limited experience with technology. Their only trick for managing information security is to outsource it. When a problem occurs, the contractor is responsible for resolving it.
Surely a single point of failure is a considerable security risk, even a national security threat. Which civil servant would be held accountable if it were to be exploited — and how?
Anyone with an understanding of information security knows that no system is 100 percent secure. Information security is neither a single product nor a project with a dedicated technician in charge, but a top-down management system.
Information security includes technology and management aspects. There are always technical problems and even if it were possible to provide technologies that were 100 percent secure, it is management that is the main risk — the human factor is the weakest link in every system.
This is especially true when the management of national information security does not involve a security clearance system; when there are no regulations to clearly define who has access to sensitive and confidential information; and when there are not sufficient penalties to deter and punish the leaking of sensitive information and personal data.
Given this context, implementation of the integrated eID is a completely irresponsible government policy.
When the ministry says that eIDs involve “absolutely no information security problem, so the public can rest assured,” it is either ignorant or lying.
During World War II, Nazi Germany used the Enigma machines, which they claimed were unbreakable, for data encryption, but that encryption was cracked by British mathematician Alan Turing. Given that China has many supercomputers, once Taipei adopts a centralized design, the system and the chips would definitely be targeted by the full force of China’s vulnerability scanning and side-channel analysis attacks, from the lowest to the highest level, and once a loophole is found in this Achilles’ heel, the consequences would be unimaginable.
Although the public and private keys of an eID are generated in its chip, the generation of a personal certificate signing request requires reading the public key data. The public key can be exported and so can the private key. However, the ministry has told people that the private key cannot be exported, which is obviously inconsistent with the facts.
The only one who would know how to produce the public and private key pairs for every card holder would be the contractor, while government authorities have no way to verify them. This creates a crisis out of thin air.
The government must respond to the call for “one card for one purpose” proposed by the private sector and academia by adopting a decentralized framework to construct the national digitization policy and abandon the inappropriate integrated eID policy.
Lin Tsung-nan is a professor of electrical engineering at National Taiwan University. Li Jung-shian is a professor of electrical engineering at National Cheng Kung University.
Translated by Lin Lee-kai