Swift Access at the Cost of Swift Access: Diginotar
On the tenth of July 2011, the Dutch web security company Diginotar was hacked by (supposedly) a student from Iran. He was able to tamper with the so-called SSL certificates and break into Gmail accounts and government websites. Nine days later, Diginotar noticed the infiltration of its system. The company claims to have responded according to security protocol. More than a month later, on August 29th, the press was informed through Google. After that, Mozilla Firefox, Google and Microsoft, amongst others, “distrusted” all Diginotar certificates. The Dutch government debated this topic extensively, as the Dutch secure civil login website DigiD.nl used Diginotar certificates.
DigiD.nl grants citizens access to governmental websites where they can manage their citizenship, ranging from registering as a donor to doing taxes to applying for an education. Needless to say, these are very private and consequential settings which should only be accessible to the person concerned. In the past, these settings had to be dealt with through a process of paperwork, identification and desks. Now, in the age of the internet, citizens can create an account at DigiD.nl and log in at the many governmental websites. When I moved to Amsterdam, the procedure never required me to show my face and passport at any desk at all. I could simply arrange everything from the comfort of my home. This might sound harmless and practical. The government can employ fewer civil servants, saving money (although the same number of employees might now be required in the back office); everything is registered, filed and saved for a long period of time automatically; and citizens (or users) can save time and trouble by accessing their files from any internet-connected computer. However, by shifting from paper to web file, the government made our private information more swiftly accessible not only to the rightful person, but also to others.
Perfect security on the web does not exist. Hackers and viruses have proven capable of breaching the most sophisticated safety systems, not to mention the share of computers which have low-grade protection and outdated virus scanners. Hackers and viruses will always be one step ahead of the protection programs, for the simple reason that hackers find the holes first, and the programs can only close them after those holes have been discovered.
Why, then, would governments choose to take this risk? Are they aware of the increased risks? Surely it was possible to steal files from offices before the existence of the internet, but now the physical challenge this required has been removed completely. Is it because the internet is novel, innovative, ‘The Future’ and cannot be ignored? Is it to save money? Is it to make things easier for citizens and to make paying taxes more inviting? Is it a combination of the above? Whatever the case, we are at the stage where many civic matters are handled on the web, and looking at the past, it is highly unlikely that this step will ever be reversed. Many years ago, once we started farming and building settlements, we couldn’t go back to hunting to support the population. Once we invented steam engines, we didn’t go back to doing things by hand. Once we start filling out digital files, we won’t go back to pen and paper.
Is this a bad development? On the one hand, things are made easier and people are more engaged in the process of their citizenship. On the other hand, other people can also become involved if they choose to invest the time. Hackers such as the one who hacked Diginotar will find ways to breach security systems, violating privacy, prompting clients to find another security company and attracting a lot of media attention. We must not forget that if citizens’ accounts fall into the wrong hands, lives can be at stake. Is our comfort worth that?
What the government decides for us citizens is not (entirely) in our hands. However, we should be aware of the risks of those decisions and understand the consequences. We should not sit back in our comfy chairs nodding our heads and praising the fact that we are spared waiting in line to fill out a piece of paper or licking stamps. Instead, we should pose critical questions and stay engaged with – well, our lives really. Are we willing to put our lives in the hands of companies like Diginotar?
Read the Fox-it security report on Diginotar here: DigiNotar Certificate Authority breach “Operation Black Tulip”.
View the website of Diginotar.
An overview article in Dutch can be found here.