Tell HN: MitID, Denmark's digital ID, was down

109 points | 154 comments | 12 hours ago
dijit

Terrifying to live in a digital economy when something like this happens.

You're usually about 1 service away from realising that the "money you have" is just an int32, that, if everything works properly, you can modify.

Otherwise you have nothing except a pretty little plastic card.

(I'm aware that payments systems are not affected, but it's a sobering realisation that I've had a couple of times, but it works enough of the time that I forget about it... it's a bit like the meme about backups where a computer takes too long to boot, the person slowly builds panic and starts wishing they had backed up and published all their important work - then when the computer works they say "*phew*, thank god I don't have to do any of that".)

azalemeth

I'm a British expat with a Danish job. I really dislike MitID and the Danish centralised world of (very good) public services that come with it. Each person has a number, CPR, which effectively defines your life solely to the state. Visit a library, doctor, tax man, anything official, and your ID is recorded. Buy alcohol online, go grocery shopping, use your bank card -- and sign in with it. This undoubtedly makes things easier for the state -- and I've seen it produce some pretty good epidemiology work where the government can link purchasing habits and health outcomes(!) -- but it's a privacy nightmare.

MitID doesn't work on rooted Android phones, or those running a custom ROM. Reports from others who have disassembled it indicate that in fact a hard-coded list of custom ROMs is checked against. It's a highly obfuscated binary, and by design is a single point of failure. If you sign in with an unauthorized device it helpfully centrally blacklists your IMEI. It's hard (but not impossible) to get a phone contract in Denmark without indirectly giving over your CPR number, so I imagine trying to get around this is frustrating. I didn't try and have a hardware dongle. One. By design, this whole system is a massive centralised single point of failure. It's absolutely key to Danish life.

That all said, most Danes would vigorously defend privacy, say that the state doesn't abuse its powers, and they're probably right. It's a very vivid vision of the 1960s Nanny State, where Nanny knows best and has your best interests at heart. Most of the time, she does. They're frequently voted as some of the happiest people on earth, so clearly the recipe of pay a ton of tax and get things from it works well. I find the privacy lack rather shocking and I've never got used to it -- in quite some ways it's an incredibly authoritarian society although no Dane would ever say that, and tell me to drink more øl and get off the internet and go for a walk in a forest. They point out that the UK has far more CCTV cameras and that we have more prosecutions for bent policemen and politicians. There's truth in all of this.

Either way, I'd be interested in seeing if they issue a post mortem on this. It'll cause a lot of issues for many, many people.

Tehnix

I see a few people here complaining about the idea of a central digital identity service.

As a Dane, having lived in other countries, MitID is insanely superior to anything I've ever tried. It simplifies so many touchpoints with the government, and is honestly such a good upgrade going from nothing -> physical NemID card with codes -> digital MitID (literally "My ID").

The only real disruption I'd say is if you happen to be buying something online that triggers the 3DS prompt (an additional security layer to prevent cards getting stolen/scam). In Denmark the 3DS prompt for VISA at least uses MitID to verify you are the owner of the card, so that'll obviously not work when MitID is down.

I'll say, it has been surprisingly stable though otherwise, and disruptions usually aren't a big impact (I literally wouldn't have known unless I saw this HackerNews post).

As for a centralized identity system: I personally see this as an acceptable contract for living in a society. Most countries have SSNs anyways, your taxes and many other things are tied to this. Centralizing this identity allows the government to streamline so many things to give a better service to their citizens. For example, all official communication goes to your "DigitalPost" email inbox, you verify your identity with "MitID", and every person or company has a registered "NemKonto" tied to them for any salary or government payouts.

I maybe see people get tripped up at the concept that your government should actually care about the service they deliver. That's probably already the point where we diverge when talking about if these things are a good idea or not.

xquce

Dane by choice (refugee). Would just add as a counterweight to the negative views from people outside the country.

From a technical and user point of view, MitID has had fewer outages than Cloudflare, AWS and MS Azure in the last year. While I agree with the single point of failure, I also like that I set up my startup with all government and banking online via a login I had the last decade, painless and faster than most places, without having to upload a single document in the many unsecured ways I heard from my US and other European friends (outside the Nordic countries).

Yes we Danes trust our institutions more than others and trust is given by default and then lost, rather than "earned" (I would argue bought) in other places.

dang

Can anyone tell us the current status? I put "was down" in the title to be conservative, since usually these things get resolved after a few hours.

I converted this to a Tell HN post since there didn't seem to be a good 3rd party article about it in English (yet, at least). The submitted link is in the toptext. (Submitted title was "MitID, Denmarks sole digital ID, has been down for over an hour and counting".)

(p.s. In case anyone is wondering, I think this was a good submission with aspects worth discussing. It set off the flamewar detector, so I turned that off and re-upped the post a bit.)

balboah

In Sweden there’s at least one more competitor to BankID called Freja. There’s also some kind of EU-level system.

Would be cool if multiple actors were allowed and shared the same kind of auth signing method so that there isn't just one point of failure. Or something distributed like a blockchain type of signing method, at least I don’t think Bitcoin or Ethereum have downtime that often, and authorization should probably be read heavy only to check if some identity is still allowed.

VorpalWay

The Swedish BankID has the same potential weak point. Any centralised system does.

The way TLS on the Web works is better: as long as the CA is up some time during the period I need to renew it is fine. Digital IDs should really work that way (probably with relatively short life spans just like Let's Encrypt: the digital ID could need to be renewed once a week for example, and it would opportunistically renew when less than half the time is left).
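
The renewal scheme VorpalWay describes above, as an added example that is not part of the thread or any commenter's code: a small simulation comparing a one-week credential renewed at half-life against a login that needs the issuer online every time. The outage windows, function names and hourly step are constructed assumptions, and it models availability only, not signing or revocation.

```python
"""Simulation (constructed, illustrative): availability of a short-lived
credential renewed at half-life versus a login that needs the issuer online."""
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR

@dataclass(frozen=True)
class Outage:
    start: int  # seconds from simulation start, inclusive
    end: int    # exclusive

def issuer_up(t, outages):
    return not any(o.start <= t < o.end for o in outages)

def seconds_without_credential(lifetime, outages, horizon,
                               renew_fraction=0.5, step=HOUR):
    """Holder starts with a fresh credential at t=0 and tries to renew at every
    step once less than renew_fraction of the lifetime is left."""
    expires = lifetime
    locked_out = 0
    for t in range(0, horizon, step):
        if expires - t < lifetime * renew_fraction and issuer_up(t, outages):
            expires = t + lifetime          # renewal succeeded
        if expires - t <= 0:                # expired and could not renew
            locked_out += step
    return locked_out

def seconds_without_online_login(outages, horizon, step=HOUR):
    """Baseline: every authentication needs the central issuer to be reachable."""
    return sum(step for t in range(0, horizon, step) if not issuer_up(t, outages))

if __name__ == "__main__":
    week, month = 7 * DAY, 30 * DAY
    short = [Outage(10 * DAY, 10 * DAY + 3 * HOUR)]   # constructed 3-hour outage
    long_ = [Outage(85 * HOUR, 205 * HOUR)]           # constructed 5-day outage
    for name, outages in (("3h", short), ("5d", long_)):
        print(name,
              seconds_without_credential(week, outages, month) // HOUR,
              seconds_without_online_login(outages, month) // HOUR)
```

The guaranteed tolerance is just under half the credential lifetime; a shorter lifetime reduces it, while a longer one delays how quickly a withdrawn identity stops being accepted.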

himata4113

Makes me appreciate that my government gives me like 17 different ways to authenticate including every bank that exists.

jdmoreira

These things should be offline / resilient first right?

Smartcards / YubiKeys.

Never understood the logic for these to be centralised / online.

kevincloudsec

when your sole digital identity provider goes down, it's not a service disruption. it's a national infrastructure outage. the blast radius of a single authentication system is the entire country.

aucisson_masque

I guess that's the one thing you don't want to be down and yet it's down..

tiku

Meanwhile the Netherlands is selling the DigiD system to foreign companies and today it came out that we are also going to outsource one of our key tax systems to an American company.

Gravityloss

Don't banks have their own IDs as well? At least in another Nordic country, you have quite many login possibilities to many services. Banks even provide cross-login.

mollerhoj

this is not big news in dk, it will be up again soon - i don't know of any mitid services that are life-or-death enough to have people panicking about an hour's downtime

Croftengea

How ironic to see "MitID remains inaccessible" and "You are in charge of your data" cookie banner on the same page.

j45

At a more basic level, before software issues, digital wallets can run out of batteries. As can infrastructure.

Electricity isn't guaranteed.

bjarteaarmolund

Supposedly up again now

jasonvorhe

Just one of a dozen reasons to resist digital id.

dude250711

They went to Linux recently didn't they?

wosined

And who is the happy monopolistic receiver of this constant and unending stream of taxpayer money?

kkfx

Not a cryptobro but... The only acceptable digital identity is either local (smart-card) or a blockchain kept by any connected citizen on his/her own iron. The Orwellian dream of the nazi will cause pain also to those who push it.

jandragsbaek

The primary reason this is down is usually because of certificates running out, that have to be manually replaced

zenmac

Should have stuck with NemID, a previous paper alternative, or only offered MitID as a digital alternative. The rush to go all digital is coming back to bite them in the .....

plaguna

First, we saw Russian hacking campaigns in Ukraine before the invasion of the country. [1][2]

Are we seeing the same in Denmark/Greenland with the USA?

[1] https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/7335...

[2] https://en.wikipedia.org/wiki/2022_Ukraine_cyberattacks
