Tell HN: MitID, Denmark's digital ID, was down

138 points| mousepad12 | 2 days ago

MitID is the sole digital ID provider, leaving the entire country unable to log into their internet banking, public services, digital mail etc.

https://www.digitaliser.dk/mitid/nyt-fra-mitid/2026/feb/drif...

180 comments

dijit|2 days ago

Terrifying to live in a digital economy when something like this happens.

You're usually about 1 service away from realising that the "money you have" is just an int32, that, if everything works properly, you can modify.

Otherwise you have nothing except a pretty little plastic card.

(I'm aware that payments systems are not affected, but it's a sobering realisation that I've had a couple of times, but it works enough of the time that I forget about it... it's a bit like the meme about backups where a computer takes too long to boot, the person slowly builds panic and starts wishing they had backed up and published all their important work - then when the computer works they say "*phew*, thank god I don't have to do any of that".)

u1hcw9nx|2 days ago

Imagine someone "enthusiastically digitized" (as much as possible) in a foreign country alone and then they lose their iPhone. Plane tickets, all hotel reservations, they don't remember any phone numbers. They use ApplePay and other mobile payments. Cards may be in the same wallet case.

Without a trusted device or Recovery Key, Apple may impose a security delay (24 hours to several days) before allowing a password reset. Getting a new SIM and re-authenticating our life will be a pain.

nicoburns|2 days ago

> the "money you have" is just an int32

If only it was a uint32

eesmith|2 days ago

"just an int32"

I remember hearing that Zimbabwe, during its period of hyperinflation, had problems because the databases for the banking system couldn't handle a time with $100 trillion banknotes, and ATMs didn't work because of overflow errors.

If only they had used int128. :)

chii|2 days ago

> that the "money you have" is just an int32

well, luckily, that's not how money is stored, but instead, they're transaction based. Aka, that number you have is a calculated value, not a stored, arbitrary value.

Except...perhaps the central bank's, where they could really just generate that money as an arbitrary value to lend out to other banks.

footnote: of course, your account balance is cached, so that it is not recalculated over and over again...

p0w3n3d|2 days ago

Witnessing this or Texas floods, politicians in my country dare to say that "We don't need cash"

throwmitid1234|1 day ago

Payments were affected somewhat. In Denmark it is often required to sign in to MitID when doing online transactions using credit/debit cards, it is called 3D Secure. You usually have other options. MobilePay, PayPal, the likes.

ge96|1 day ago

Was at a checkout the other day, forgot my wallet in my bag, thoughts went through my mind: tap to pay? (not setup), crypto? (need USD, tap to pay). Had bad internet in that one spot, faster to run outside to my car and get my wallet.

neya|1 day ago

> "money you have" is just an int32

Damn, that's terrifyingly eye opening. That's a really, really strong argument for physical cash (or gold maybe?)

dzhiurgis|2 days ago

Given reliability and security of payment systems - simple credit card (chip/nfc) should be enough for identity. You could pull off entire election using payment terminals.

surgical_fire|2 days ago

Is it in any way worse when the money you had was some strips of paper, or metal coins, or goats, or salt?

All of those have some very annoying fail scenarios too.

ksimukka|2 days ago

More like a float with a precision of 18.

Most of us who work in payment systems care a lot about precision and reliability.

davidguetta|2 days ago

Now go read about fractional reserve banking

boobsbr|2 days ago

Not an int32, but a BigDecimal.

azalemeth|2 days ago

I'm a British expat with a Danish job. I really dislike MitID and the Danish centralised world of (very good) public services that come with it. Each person has a number, CPR, which effectively defines your life solely to the state. Visit a library, doctor, tax man, anything official, and your ID is recorded. Buy alcohol online, go grocery shopping, use your bank card -- and sign in with it. This undoubtedly makes things easier for the state -- and I've seen produce some pretty good epidemiology work where the government can link purchasing habits and health outcomes(!) -- but it's a privacy nightmare.

MitID doesn't work on rooted android phones, or those running a custom rom. Reports from others who have disassembled it indicate that in fact a hard coded list of custom roms is checked against. It's a highly obfuscated binary, and by design is a single point of failure. If you sign in with an unauthorized device it helpfully centrally blacklists your IMEI. It's hard (but not impossible) to get a phone contract in Denmark without indirectly giving over your CPR number, so I imagine trying to get around this is frustrating. I didn't try and have a hardware dongle. One. By design, this whole system is a massive centralised single point of failure. It's absolutely key to Danish life.

That all said, most Danes would vigorously defend privacy, say that the state doesn't abuse its powers, and they're probably right. It's a very vivid vision of the 1960s Nanny State, where Nanny knows best and has your best interests at heart. Most of the time, she does. They're frequently voted as some of the happiest people on earth, so clearly the recipe of pay a ton of tax and get things from it works well. I find the privacy lack rather shocking and I've never got used to it -- in quite some ways it's an incredibly authoritarian society although no Dane would ever say that, and tell me to drink more øl and get off the internet and go for a walk in a forest. They point out that the UK has far more CCTV cameras and that we have more prosecutions for bent policemen and politicians. There's truth in all of this.

Either way, I'd be interested in seeing if they issue a post mortem on this. It'll cause a lot of issues for many, many people.

dariosalvi78|2 days ago

Italian living in Sweden, Malmö, and lived in the UK in the past.

I don't get the obsession you Brits have against IDs, in Europe you are pretty much the only ones. But a lot of what you say resonates with my observations:

- single point of failure: absolutely, but so is the "sign in with Google" or equivalent. It's just too convenient. I'd rather have a public service do it than a private company that can cut you out at any time without any explanation.

- Nanny State: 100% also in Sweden, actually worse here. But historically they have been pretty good at protecting freedoms, so far. The UK (or Italy) may be less nanny, but have got some very illiberal things going on these days (left or right government doesn't really matter, it seems).

- Happiest people on earth: I really doubt the surveys measure happiness. They tend to measure trust in institutions, which is very high in Scandinavia.

- It's an incredibly authoritarian society although no Dane would ever say that: exactly the same in Sweden! They would NEVER admit any failure in their society, no matter the hard evidence in front of their eyes. I guess that it's the other side of the same trust of the previous point.

- Drink more øl and get off the internet and go for a walk in a forest: At least you've got øl, in Sweden alcohol is taboo. Forests are nice, but become boring quite quickly :)

dijit|2 days ago

Also British, living across the bridge in Malmö, Sweden.

I really like the centralised system, it makes navigating society surprisingly easy when compared to say, Germany or the UK.

The difference is that I sort of trust the Swedish government, they've never really done anything to breach that trust - up to and including their handling of COVID (while controversial, they took the stance of individual liberty and a "collective responsibility" over mandatory top-down systems).

The UK in contrast has a much more heavy handed relationship with the population, up to and including incarcerating people for saying the phrase "we love bacon" at a construction site or typing the letter "n" on social media. It's a different context entirely.

Also, BankID, the central system is a definite weakness, but you can have a card/pin device that still works, and it does work on grapheneOS, though it will complain a bit if you don't have google services installed... which I find hilariously awful...

mrweasel|2 days ago

I would recommend getting the hardware dongle. I don't have the app, never did, and I've had none of the issues others have been complaining about. The dongle is, generally, a much better experience from what I can tell, except if you need to do any authorizations on the go.

Your other complaints: 100% agree, the whole thing is a privacy nightmare.

I wouldn't count on a post mortem of any value. They still refuse to explain how the system has been abused in the past. Regardless of how hard I try, I fail to understand how it has been abused after QR codes were added to ensure presence at the device you're trying to authenticate at. The system feels secure, but has been abused a number of times and we're almost never told how.

kasperni|2 days ago

> but it's a privacy nightmare.

I've gone the other way from Denmark to UK. And I've often had to mail copies of my passport or other identity documents via email. And my bank requires me to regularly scan my face to check that it aligns with the picture in my passport.

shantara|2 days ago

I have experienced the same privacy culture shock in Denmark. Generally, I think the people’s trust in their government is the greatest social asset of the Danish society, as well as their biggest blind spot.

mhitza|2 days ago

> in quite some ways it's an incredibly authoritarian society although no Dane would ever say that

Did they collectively close their eyes while Denmark was the latest, at EU presidency, in charge of pushing chat control?

Tehnix|2 days ago

>MitID doesn't work on rooted android phones, or those running a custom rom.

I find these arguments quite strange. A big part of MitID and similar services is to protect you against fraud. The most vulnerable in society (e.g. old people) aren't running these kinds of devices, and I'd rather we optimize for the general population and the people most at risk, rather than people running some weird setup that is almost identical to setups a scammer would run.

What privacy aspects are you lacking here? For all the services that MitID connects you to, there are government required responsibilities for these companies to track all of this information anyways and be able to provide it to the government if needed. That goes for banking, public services, telecom, etc. And this is in no way unique to Denmark, it's how most countries operate. Denmark has just acknowledged this and decided to make it easier.

Did you expect your UK bank to not be required to know who you are and be able to track and keep records of literally all financial interactions you have with them and their services? I'm a bit confused on what society you are comparing against.

throwmitid1234|1 day ago

I wouldn't bet on a postmortem. MitID is well into maintenance mode, like NemID before it.

NETS have always been very sparse with their post mortems, they don't act like a SaaS provider. Not even as a partner did we get a postmortem. They're well and truly into the jaded territory. During two jobs, both as a provider (customer of NETS), and as a consumer of a provider of MitID

Note this is as a customer. The provider and in turn their customers pay per login and a quite hefty fee at that. NETS are just too big.

They were down every few weeks for a short while (between 2020-2023), so I guess this is probably still the norm

LeonidasXIV|2 days ago

All of this is true.

Having lived in Germany it's quite different, but I'd argue the centralized handling of the CPR is actually quite convenient and doesn't meaningfully impact privacy. In Germany every authority has its own ID for you anyway (my password manager has a category "Government Primary Keys" for this), however that means that you have to provide all your information from scratch to every authority. This would theoretically lead to more privacy if we lived in 1926, but now computers are ubiquitous and a rogue government (like Germany is close to electing) can just correlate these keys together. Relational databases have existed for decades and JOINS are cheap. Thanks to surveillance capitalism by now we have very sophisticated ways to deanonymize people, the government can just hire someone to do it.

So the privacy in Germany is most often inconvenience for the citizen paired with hardly any privacy gain from a potentially hostile government. At this point I think the better solution is to avoid electing hostile governments. To Denmark's credit, they're currently doing that better than many other European countries.

surgical_fire|2 days ago

The Netherlands had a similar system with BSN and DigiD.

I personally prefer it, and I wish the country I live in right now had a better centralized system to deal with the government. It massively reduces bureaucracy and the need for me to produce all sorts of extremely privacy-invasive documents (such as bank statements, utility bills, scans of my driver license and passport) when dealing with the government. Sometimes I even need to mail those things, like, with an envelope.

The government can and will collect all data it needs about you at any given time, no matter if there's a centralized ID or not. It just spares everyone time and effort by removing friction.

Also, I have a very hard time to take seriously someone that unironically says the words "nanny state". It says a lot about your stance on the role of governments and society in general. What it says, to me, is very unflattering.

Nekorosu|2 days ago

Interesting. Swedish BankID, that I'd guess serves the same purpose, works just fine on GrapheneOS, as well as nation wide payment system Swish.

dheera|2 days ago

WeChat effectively is all of this but does work on rooted phones. There are far too many brands and variations of phones all over China running various forks of Android for them to keep track of.

wodenokoto|1 day ago

What do you mean indirectly handing over your car for a phone contract?

Tehnix|2 days ago

I see a few people here complaining about the idea of a central digital identity service.

As a Dane, having lived in other countries, MitID is insanely superior to anything I've ever tried. It simplifies so many touchpoints with the government, and is honestly such a good upgrade going from nothing -> physical NemID card with codes -> digital MitID (literally "My ID").

The only real disruption I'd say is if you happen to be buying something online that triggers the 3DS prompt (an additional security layer to prevent cards getting stolen/scam). In Denmark the 3DS prompt for VISA at least uses MitID to verify you are the owner of the card, so that'll obviously not work when MitID is down.

I'll say, it has been surprisingly stable though otherwise, and disruptions usually aren't a big impact (I literally wouldn't have known unless I saw this HackerNews post).

As for a centralized identity system: I personally see this as an acceptable contract for living in a society. Most countries have SSNs anyways, your taxes and many other things are tied to this. Centralizing this identity allows the government to streamline so many things to give a better service to their citizens. For example, all official communication goes to your "DigitalPost" email inbox, you verify identity with "MitID", and every person or company has a registered "NemKonto" tied to them for any salary or government payouts.

I maybe see people get tripped up at the concept that your government should actually care about the service they deliver. That's probably already the point where we diverge when talking about if these things are a good idea or not.

winstonwinston|2 days ago

> I see a few people here complaining about the idea of a central digital identity service.

Digital identity service is fine for gov services. It’s not OK as a hard requirement for anything else such as banking.

Digital ID in my country is down for about 7 days and counting. iOS app no longer opens after the recent update. I cannot pay tax without digital id app working but i can do banking and everything else.

tyilo|1 day ago

> The only real disruption I'd say is if you happen to be buying something online that triggers the 3DS prompt (an additional security layer to prevent cards getting stolen/scam). In Denmark the 3DS prompt for VISA at least uses MitID to verify you are the owner of the card, so that'll obviously not work when MitID is down.

If you use Lunar, the 3DS prompt uses the Lunar app and not MitID.

xquce|2 days ago

Dane by choice (refugee). Would just add as a counterweight to the negative views from people outside the country.

From a technical and user point of view, MitID has had fewer outages than Cloudflare, AWS and MS Azure in the last year. While I agree with the single point of failure, I also like that I set up my startup with all government and banking online via a login I had the last decade, painless and faster than most places without having to upload a single document in the many unsecured ways I have heard about from my US and other European friends (outside the Nordic countries).

Yes we Danes trust our institutions more than others and trust is given by default and then lost, rather than "earned" (I would argue bought) in other places.

throwmitid1234|1 day ago

This is mostly a case of them not really reporting it, MitID is down quite frequently (now once a month ish, but in the first few years every week or so), or at least partially down. They now finally have their own status page, previously you had to get your status from a provider when they noticed that logins began to fail ;)

They're very light on reporting issues, in this case Signaturgruppen a subsidiary of NETS, didn't even mark this as a full outage.

halffullbrain|1 day ago

As someone who was part of developing the “start your business”-registration system in DK, I’m pleased to hear that! (It really is pretty complex, but a lot of effort went into making it both user friendly and reliable)

chr15m|1 day ago

This type of centralisation presents a classic tail risk. It's wonderful and works perfectly well for everybody and the government does nothing wrong with it. It's all fine and good until the day it isn't. Some authoritarian gets voted in, or the country gets invaded, or a corporation buys off politicians, or an immoral law is passed which you disagree with, and suddenly the digital ID is a point of leverage used to coerce you.

Liberal democracy is a very young experiment and people do not realise how fragile it is. In the 1940s less than 10% of countries were democratic, and we could go back there again easily.

balboah|2 days ago

In Sweden there’s at least one more competitor to BankID called Freja. There’s also some kind of EU-level system.

Would be cool if multiple actors were allowed and shared the same kind of auth signing method so that there isn't just one point of failure. Or something distributed like a blockchain type of signing method, at least I don’t think Bitcoin or Ethereum have downtime that often, and authorization should probably be read heavy only to check if some identity is still allowed

dang|2 days ago

Can anyone tell us the current status? I put "was down" in the title to be conservative, since usually these things get resolved after a few hours.

I converted this to a Tell HN post since there didn't seem to be a good 3rd party article about it in English (yet, at least). The submitted link is in the toptext. (Submitted title was "MitID, Denmarks sole digital ID, has been down for over an hour and counting".)

(p.s. In case anyone is wondering, I think this was a good submission with aspects worth discussing. It set off the flamewar detector, so I turned that off and re-upped the post a bit.)

mousepad12|1 day ago

Hi dang, Thanks for the edit.

It is indeed up again, and I appreciate you recognizing that the thread had/have some great discussion aspects about e-ID in general.

It was completely down from 10:40 to 12:17 GMT+1

Doerge|2 days ago

The linked page has 3 down updates, then says it's back up again after the 3rd one. So presumably resolved.

tiku|2 days ago

Meanwhile the Netherlands is selling the DigiD system to foreign companies and today it came out that we are also going to outsource one of our key tax systems to an American company.

macintux|2 days ago

> …today it came out that we are also going to outsource one of our key tax systems to an American company.

That’s a remarkable failure to read the room, given the digital sovereignty initiatives across Europe.

kakoni|2 days ago

Finland did that + lot more. Tax system from Gentax, EHR from Epic and social benefits from Salesforce.

Muromec|2 days ago

Isn't it the hosting provider and not digid itself?

VorpalWay|2 days ago

The Swedish BankID has the same potential weak point. Any centralised system does.

The way TLS on the Web works is better: as long as the CA is up some time during the period I need to renew it is fine. Digital IDs should really work that way (probably with relatively short life spans just like Let's Encrypt: the digital ID could need to be renewed once a week for example, and it would opportunistically renew when less than half the time is left).

SkiFire13|2 days ago

Italy's digital ID (SPID) works by having multiple trusted providers that can attest your identity. You can sign up with multiple of them, and if one is not available you could use another one. Not perfect (it's still centralized in the hand of 10-20 providers) but better than nothing. Unfortunately most people only ever signed up with one provider, and the government is now pushing for a more centralized digital ID instead (CieID).

lxgr|2 days ago

For anything as high stakes as eID you need real-time revocation checks, which brings you back to at least some level of centralization.

repelsteeltje|2 days ago

Agreed, there should not be a tight (temporal) couple.

But it's a trade off. Long-lived TLS certificates have always had the cert revocation problem. OCSP stapling never took off, so in the end the consensus seems to have been to decrease expiry date. (Mostly fueled by Let's Encrypt / ACME).

Relying on expiration rather than explicit revocation of course also assumes (somewhat) accurately synchronized clocks which is never trivial in distributed systems. In practice it puts pressure on NTP, which itself is susceptible to all kinds of hairy security issues.

I like to think of the temporal aspect as a fail-open / fail-close balance. These centralized solutions favour the former, and that's why we see this resulting outage.
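Added example (not part of any comment in this thread): a small Python model of the trade-off VorpalWay and repelsteeltje describe above, comparing a login that needs the issuer online every time with a one-week credential renewed once less than half its lifetime is left. The outage clock times are the ones reported elsewhere in the thread; the calendar date, the five-minute retry interval and all function names are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

LIFETIME = timedelta(days=7)     # credential lifetime suggested in the comment
RENEW_AT = LIFETIME / 2          # renew once less than half the lifetime is left
TICK = timedelta(minutes=5)      # assumed client wake-up / retry interval

# Constructed calendar date; the clock times are the outage reported in the thread.
OUTAGE = (datetime(2026, 2, 1, 10, 40), datetime(2026, 2, 1, 12, 17))


def issuer_up(t, outages):
    """True if the central issuer is reachable at time t."""
    return not any(start <= t < end for start, end in outages)


def online_failures(logins, outages):
    """Model A: every login is checked against the issuer in real time,
    so it fails closed whenever the issuer is unreachable."""
    return [t for t in logins if not issuer_up(t, outages)]


def simulate_client(first_issue, end, outages):
    """Model B: verifiers accept any unexpired credential without contacting
    the issuer. The client wakes every TICK, renews when due and possible,
    and we record the ticks at which it holds no valid credential."""
    issued = first_issue
    renewals, failures = [], []
    t = first_issue
    while t <= end:
        due = (issued + LIFETIME) - t < RENEW_AT
        if due and issuer_up(t, outages):
            issued = t                    # fresh credential, new expiry
            renewals.append(t)
        if t >= issued + LIFETIME:        # expired and could not renew
            failures.append(t)
        t += TICK
    return renewals, failures


def revocation_exposure(issued, revoked_at, verifier_checks_status):
    """How long a revoked credential is still accepted. With a real-time
    status check the answer is zero; without one it is the time left until
    expiry, which is the fail-open cost of Model B."""
    if verifier_checks_status:
        return timedelta(0)
    return max(issued + LIFETIME - revoked_at, timedelta(0))


if __name__ == "__main__":
    day = datetime(2026, 2, 1)
    logins = [day + i * TICK for i in range(288)]          # one attempt per tick
    print("Model A failed logins:", len(online_failures(logins, [OUTAGE])))

    issued = datetime(2026, 1, 29)                          # constructed issue time
    renewals, failures = simulate_client(issued, datetime(2026, 2, 2), [OUTAGE])
    print("Model B renewals:", renewals, "failures:", len(failures))

    # A constructed four-day outage exceeds the half-lifetime safety margin.
    long_outage = (datetime(2026, 2, 1, 12, 5), datetime(2026, 2, 5, 12, 5))
    renewals, failures = simulate_client(issued, datetime(2026, 2, 6), [long_outage])
    print("Model B under 4-day outage, first failure:", failures[0])

    print("Exposure without status check:",
          revocation_exposure(issued, datetime(2026, 1, 30), False))
```

In the constructed scenario the renewal falls due during the outage and is simply deferred until the issuer returns, while the revocation figure shows what that availability costs when verifiers do not check status online.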

designerarvid|2 days ago

BankID is not government backed, and most governmental agencies have alternatives to BankID as well.

j45|2 days ago

At a more basic level, before software issues, digital wallets can run out of batteries. As can infrastructure.

Electricity isn't guaranteed.

himata4113|2 days ago

Makes me appreciate that my government gives me like 17 different ways to authenticate including every bank that exists.

jdmoreira|2 days ago

These things should be offline / resilient first right?

Smartcards / YubiKeys.

Never understood the logic for these to be centralised / online.

xorcist|2 days ago

PKI works offline until you realize you need to handle revocations.

For this and related reasons, such as enforcing protocol upgrades, most smartcard systems end up permanently online.

consp|2 days ago

Revocation.

jbverschoor|23 hours ago

I assumed it would use pki / cryptographic signing instead of something that can be down

aucisson_masque|2 days ago

I guess that's the one thing you don't want to be down and yet it's down..

kevincloudsec|2 days ago

when your sole digital identity provider goes down, it's not a service disruption. it's a national infrastructure outage. the blast radius of a single authentication system is the entire country.

Gravityloss|2 days ago

Don't banks have their own id:s as well? At least in another nordic country, you have quite many login possibilities to many services. Banks even provide cross-login.

VorpalWay|2 days ago

As I understand it, BankID in Sweden is still run by one organisation co-owned by the big banks, and banks handle verification for issuance. There is still a single point of failure for the operation of the system.

throwmitid1234|1 day ago

MitID and NemID before it was pretty much bought by the Banks and the government together.

It is to avoid the banks needing their own id for customers, as people would need to go into the banks using their passports etc to register.

Some banks do have their own logins and IDs for various purposes, but you often need MitID somewhere in there simply to verify the actual identity of the person with the account. All the other logins simply give you access to the ID it doesn't actually verify it. MitID does that.

For example Lunar doesn't need MitID during 3D Secure (online payments), but that is only because you used MitID at some point to store your proof on your phone, that you can unlock with a secure enough method, and then do the payment. This is considered enough, as you still use an identity that has been verified by MitID at some point.

LeonidasXIV|2 days ago

No. As I understand it the previous system, NemID was actually (co?)designed by the banks so this is what they all use. Likewise MitID is another unholy alliance of Nets (a Danish payment provider) and Danish banks.

Given the Swedish version of it is called BankID I assume the situation is nearly the same in Sweden.

mousepad12|2 days ago

No. Many/most of them support login through hardware ID on your smartphone (i.e fingerprint/TPM-style pin), but the actual authorization of transfers or any privileged access is entirely MitID

mollerhoj|2 days ago

this is not big news in dk, it will be up again soon - i don't know of any mitid services that are life-or-death enough to have people panicking about an hours downtime

mousepad12|2 days ago

This is a tech site, not a news site. Threads posted here are rarely if ever "big news" nor is that the point.

The topic is an opener to discuss MitID, electronic IDs in general, the protocols behind them, what happens when they fail, privacy, society's reliance on them or something similar.

BSDobelix|2 days ago

>this is not big news in dk

Yep let's not learn from that incident and wait until it is offline for like 2 weeks, and be assured that will happen.

dude250711|2 days ago

They went to Linux recently didn't they?

Croftengea|2 days ago

How ironic to see "MitID remains inaccessible" and "You are in charge of your data" cookie banner on the same page.

jasonvorhe|2 days ago

Just one of a dozen reasons to resist digital id.

kkfx|2 days ago

Not a cryptobro but... The only acceptable digital identity is either local (smart-card) or a blockchain kept by any connected citizen on his/her own iron. The Orwellian dream of the nazi will cause pain also to those who push it.

throwmitid1234|1 day ago

MitID is not great, I worked on the implementation for one of the providers.

I am surprised this is even a frontpage topic, 3 years after it was rolled out, we saw downtime every week or so. So much so that we implemented automatic pop ups for our customers, and no on-call, Signaturgruppen a subsidiary of NETS didn't even file this incident as a major outage lol. There is also no alternative, you simply can't access banking apps without MitID, so without it people in Denmark are just screwed, 3D Secure (online payments) doesn't work for most merchants, login to government and banking sites doesn't work.

The main issues are that we have a central provider NETS who are known for NemID its predecessor, and card payments in Denmark. They're huge in this space, at least for Denmark.

The government and the banks wanted more control over MitID, so the responsibility was split between the major banks, Digitalstyrelsen (the government), and NETS.

Basically, customers, middle man and NETS the vendor.

It was truly a shit show. The middleman (Digitalstyrelsen - Agency for Digital Government) was technically illiterate, either by contract, or because they wanted to be in control, had inserted themselves in-between customer and vendor, and now we suddenly couldn't provide feedback, or talk to the vendor at all, this meant that the vendor had full control over how they interpreted the contract.

During development they shipped a version of the product that had a single flag set to false, preventing a login. NETS weren't allowed to ship a fix for this for 3 months. Many of the customers had to use burp suite during their testing simply to progress with development.

Finally when the vendor had "delivered" to their contract, the customer was sitting back with a half-baked product, and because it was Digitalstyrelsen that was the primary arbiter of whether they'd fulfilled the contract, NETS got away with having delivered at that point 1 year past schedule.

I've never had so many support tickets. For such a technically tiny product, we saw so much trouble getting people to use MitID over NemID. It was incredible.

What is even more insane is that each provider implementation of MitID is technically an independent implementation, some are React, Preact (if using nets provided version), etc. All the providers have to provide a pixel perfect replication to be allowed to issue MitID credentials.

Also this was designed when OAuth was really hot, so most implementations are like 3 levels deeply nested of OpenID Connect and OAuth2, it gets pretty nuts.

Talk about an amount of wasted effort.

As with many other huge projects especially government led. It is just a big power play, and as it turns out, power wins. In this case NETS.

wosined|2 days ago

And who is the happy monopolistic receiver of this constant and unending stream of taxpayer money?

UebVar|2 days ago

The French company IN Groupe.

jandragsbaek|2 days ago

The primary reason this is down is usually because of certificates running out, that has to be manually replaced

zenmac|2 days ago

Should have stuck with NemID a previous paper alternative or only offered MitID as a digital alternative. The rush to go all digital is coming back to bite them in the .....

mrweasel|2 days ago

One of the flaws of that system was exactly that you didn't know which domains were allowed to issue the requests for a one-time key.

Each service would serve the authenticator snippet from their own domain, with their own certificate. MitID, for all its centralization flaws, solved that by only being valid under the mitid.dk domain. I doubt that most people check the domain and the certificate, but they could.

lxgr|2 days ago

How would you use a paper ID online? (Securely, i.e. not the insane thing of taking a selfie holding it or something similarly bizarre in an age of powerful GenAI.)