The Belgian eID adventure started off with competent people, high hopes and motivation: plugins and middlewares were made, software development kits (SDKs) distributed, and the future seemed bright and progressively open-source, with digital signing services etc…

As far as I know, internal struggles eroded that motivation, critical people started to leave, founding their own companies. As a developer, I lost all hope of an active and open community, and anyone pretending Belgium is leading the eID effort is a blatant liar, conveniently ignoring Estonia.

Back on topic: Vasco, the Swiss-American former owner of the Dutch DigiNotar at the time of its infamous security breach, has now become the purveyor of digital authentication services for Belgian e-government applications. Vasco’s main product is its DIGIPASS.

It may seem innocuous, but in order to use the DIGIPASS, Vasco needs some information: full name, email, telephone and/or mobile phone and a full address. You may think that this isn’t overly broad. And you may suspect that is only the beginning.

Once you connect with your eID card, Vasco “actively” stores anything it can find on it: eID Card number, eID Card certificates, begin and end dates of the eID Card validity period, the municipality where the eID Card was issued, your name, nationality, where you were born, your birth date, if you’re a member of nobility, and once again your complete address, should you be cheating.

Then there’s your activity: websites you visit, how you visit them, the timing, marketing permissions, areas of interest, language preference... In other words, your complete internet personality, or as much as they can extract from it.

Still not done, Vasco then proceeds to collect “Passive information”, supposedly anonymised. Again, visited websites, preferences, cookies, IP address, type of browser. That reads a lot like device fingerprinting.

All that data can transit globally across Vasco’s data centers and third party services and contractors they are related to, across jurisdictions, all in the name of protection of your security, theirs, or anyone else's as long as someone has the impression some illegal activity may be happening.

You may note that Belgian e-government applications using the “official” CSAM authentication portal are excluded from most of the active and passive data collection procedures. All other websites, applications and services will be continuously probed and analysed, their users exposed and listed, should they want to use Vasco’s DIGIPASS.

This could include the Belgian e-government application I’m responsible for, because I didn’t use CSAM. I didn’t see the need for it. I elected not to surrender control.