Electronic identity cards are not without risk

Electronic identity cards are not without risk ("Get a job and flat, even vote online, thanks to e-ID"; last Saturday).

The important question is about surveillance and how citizens may be monitored via the data inside the e-ID chip.

Their transactions can be stored, and consumer profiling done. Insurers could use this to conduct risk analysis and, perhaps, refuse home insurance to people living in burglary-prone areas.

The data can also be manipulated, with targeted advertisements based on the profiles.

This might violate the rights to personal data under the Personal Data Protection Act. Citizens using the e-ID should be explicitly informed about what data will be processed and for what purpose.

Who will control the processing of data? Should citizens be given a choice on whether they want to use the e-ID? Will people trust it enough to use it with services they deem sensitive? Might it affect user behaviour, such as causing some people to refrain from some behaviours?

Should an attacker manage to extract the chip authentication key from the e-ID card, he would be able to forge arbitrary identities. Electronic ID servers may not be able to recognise forged cards.

How well our data is protected is a matter of application security. If e-ID cards are not accompanied by further security measures, the overall vulnerability and risk might increase.

Francis Cheng

A version of this article appeared in the print edition of The Straits Times on June 18, 2016, with the headline 'Electronic identity cards are not without risk'. Print Edition | Subscribe