New Danish law will make digital communication with the public sector mandatory

In 2010, Denmark introduced NemID, which is a joint internet banking login and digital signature system. When NemID is used, either for online banking or for digital signature purposes, the user must enter a secret password on a Java applet (webpage), followed by a six-digit one-time-password (OTP) code from a printed card (the card with about 140 codes is distributed by postal mail). NemID is used by all Danish banks, and this ensured that a large fraction of the Danish population adopted NemID in 2010. Currently, about 3.5 million Danes have NemID (almost 80% of the Danish population above 15 years), and 2.9 million have activated the digital signature part (it is possible to use NemID only for internet banking, by refusing to accept the "digital signature" part).

The digital signature part does not follow the Danish law for qualified electronic signatures, since the private key is stored on a central server (with a HSM infrastructure). The server is operated by DanID, a company owned by Danish and Norwegian banks (a subsidiary of Nets). The sole legal framework for NemID is an agreement between the Danish government and DanID, called the Certificate Policy, as well as the agreement between DanID and users of NemID when the users (citizens) register for the service. The English version of the agreement can be seen here (these rules can be changed unilaterally by DanID, and they omit the details about the central storage of the private key)

In a previous article, we have described the main security and privacy risks of NemID.

Currently, it is voluntary whether Danish citizens want to use NemID or not. However, this will change if two Danish law proposals, L 159 (mandatory digital self-service) and L 160 (public sector document box), are passed by the Danish parliament. These laws will force Danish citizens to use digital communication with the public sector and to use specific computer systems for this purpose. In most cases, these systems can only be accessed with NemID.

The implication of this is that Danish citizens will be forced to give their consent to DanID, so that they can use a digital signature where the private key is stored on a central server.

Public sector document box

Law proposal L 160 is about the so-called public sector document box, which is meant to replace (almost) all paper letters from the public sector to Danish citizens. The text of the law proposal is only available in Danish.

The law makes it mandatory for all Danish citizens from 15 years and above to use this service (starting in November 2014, before that date it is voluntary to use the service). When a digital letter from the public sector is delivered to the document box, it has the same legal effect as sending an ordinary paper letter. It does not matter (legally) whether the citizen has actually registered with the document box service, so that the citizen in question is able to read his/her mail. In the comments to the law proposal, the Finance Minister justifies this with an analogy to the physical mail box that everyone (strictly speaking: every residential building owner) has to put up in order to receive mail through the postal services (there are legal requirements in Denmark about the size and the placement of the physical mail box, designed to make the postal services more efficient). However, putting up a physical mail box does not require consent to a specific private company.

Furthermore, L 160 gives the Finance Minister the authority to select a single vendor for managing the public sector document box system. Danish citizens will have to register with this vendor, and accept the terms for using the service. Specifically, citizens will have to accept that they are the data controller for the digital mail stored in the document box system, even though they have no influence on whether they want their "own" mail stored by this private company or not.

The public sector document box system is already functioning, so the vendor has been selected (at least until 2015, when the contract is up for renewal). The document box system is managed by the company e-Boks, which operates a similar system designed primarily for communication from banks and other private companies to their Danish customers. This is an English version of their marketing webpage (select English in the upper-right corner)

A pre-condition for using e-Boks is NemID since this is the only login method accepted by e-Boks. Shortly after the introduction of NemID, it was decided in early 2011 to drop all other login methods (one method was the traditional username/password combination). This change in the terms for using e-Boks came with a very short notice.

The company e-Boks is owned 50/50 by Nets (owned by Danish and Norwegian banks) and PostDanmark (the Danish postal service, 22 percent owned by CVC Capital Partners). The e-Boks service started in 2001, and it is marketed as being voluntary for the users, so that they can decide on a company-by-company basis whether they want to receive digital post or ordinary letters. In reality, however, the private e-Boks system is becoming less and less voluntary since many companies are forcing their customers to accept that letters are sent to e-Boks. In 2005, the Danish government made it mandatory for government workers to receive their monthly salary statement through e-Boks. Nobody was asked to agree to this. The government simply decided that asking for consent was not necessary since, narrowly interpreted, there was no legal requirement for employers to send a salary statement to their employees.

There are a couple of differences between the private e-Boks system, and the public sector document box system operated by e-Boks, mainly that the latter system is designed for two-way communication so that Danish citizens can write letters to the public sector through the document box system.

It's worth noting that the law proposal L 160 not only makes digital communication mandatory, it makes it mandatory to use a specific system selected by the Finance Minister. The NemID digital signature can be used for signing and encrypting ordinary email messages (whether this is "secure" depends, needless to say, on your view of the centrally stored private keys), but Danish citizens will not be given the option of using this method for digital communication with the public sector.

Most likely, the government believes that there will be fewer problems and helpdesk contacts with having all letters stored on a central server, and log files can prove that a letter has been delivered to a citizen. The privacy problems associated with the central storage solution are largely ignored in the comments made by the Finance Minister when the law proposal was submitted to the Danish parliament.

Some Danish citizens will not be able to access their mail through the document box system for various reasons (such as no experience in using computers or residence in certain rural areas with no internet access). It is possible for these citizens to obtain an exception from the mandatory system, but no citizen has a legal right for an exception. The general legal principle is that "if you can use the document box system, you must use the system". Citizens asking for an exception will be encouraged to give an authorization to a family member (or someone else) who can then receive digital communication from the public sector on their behalf.

In summary, from November 2014 Danish citizens will be forced to receive letter from the public sector through the official document box system, and in order to access these letters, "voluntary" agreements with the private companies e-Boks and DanID (for NemID) will be required.

Mandatory use of public sector digital self-service systems

The law proposal L 159 (mandatory digital self-service) makes it mandatory to use digital self-service systems (similar to online banking) for certain purposes. The text of the law proposal is available here (in Danish)

Eventually, electronic self-service will be mandated for all applications and registrations from citizens, and L 159 is the first leg of this plan which covers moving registrations, school registrations for children, applications for daycare service for children, and applications for medical cards under the Danish healthcare system. When Danish citizens move, they are legally required to register their new address with the local municipality within five days. Failure to do so is punishable by a fine.

Most, if not all, Danish municipalities already have online self-service systems for most of the tasks covered by L 159, so the main novelty of the law proposal is that from December 2012 it will become mandatory to use these systems.

It is up to the Danish municipalities to design their self-service systems, and no specific requirements are given here. In principle, a Danish municipality could design a system which can only be used with computers running Microsoft Windows (most likely, the self-service systems will be running on web servers, but there are examples of PDF forms which can only be read by Adobe PDF reader and not free software such as Evince and Okular). There are also ongoing discussions about developing solutions for mobile devices (which cannot run Java and use NemID in its current form), and this may involve installing apps that will only be available for certain smartphones (iPhone, Android and Windows Phone are usually mentioned in this connection).

Furthermore, while L 159 does not specifically mandate that citizens use NemID, in practice this will be forced upon the Danish citizens since it will not be possible to use the (mandatory) self-service systems without NemID.

Quite interestingly, the comments in the law proposal (part of the preparatory work for the law, if passed) are quite ambiguous about the situation where a Danish citizen refuses to register for NemID. If a citizen is unable to use the self-service systems, an exception can be granted on a case-by-case basis (meaning that the citizen will have to re-apply for an exception the next time), but the above principle of "if you can use it, you must use it" applies here as well. However, if a citizen refuses to obtain NemID from the private company DanID, the municipal authorities apparently do not have the legal power to directly force the citizen to obtain NemID. Instead, the municipal authorities are supposed to "request" that the reluctant citizen registers for NemID and to reject the application or registration until it is submitted in the "proper" digital form which, needless to say, will require NemID. This would create the Kafka-like situation where, for example, a citizen contacts the municipal authorities to register his/her new residence, but the authorities refuse to accept the mandatory registration because it is not submitted in digital form (with NemID).

There are a couple of prior examples in Denmark of mandatory digital communication with the public sector, and typically this is done with a section in the law stating something like: "The minister of XYZ is given the authority to lay down rules for mandatory digital communication between citizens and some public sector organization". Typically, NemID or the "digital signature" is not mentioned directly in the law, but all public sector systems are moving towards using NemID as the only login/authentication method. Since 2009, digital communication has been mandatory for applications of financial aid for students (the SU programme), and in 2011 NemID was selected as the only login method for this system. Previously, students could use a password (PIN code) which did not require consent to private companies such as DanID.

It is also possible for the Minister of Taxation to make digital filing of tax returns mandatory, but this authorization has not been used yet. The tax authorities have been fairly successful with a voluntary system that is used by a large number of Danish citizens (so many that the system breaks down every year when the income tax statements are "sent out" electronically). Currently, citizens have the option of using NemID or an alternative login method based on a PIN code (not involving a private company) received by postal mail or by email if an email address has previously been registered with the tax authorities. In March 2012, when the 2011 income tax statements were sent out, 30% still used the old PIN code option (and 70% used NemID). The tax authorities are supposed to make NemID mandatory, but they have been reluctant to do so, maybe fearing that people will turn to paper filings again if the PIN code option is dropped.

Some of the current public sector self-service systems (for voluntary use) are not particularly user-friendly (to put it mildly), and there is some concern among experts (and a few politicians) that a mandatory principle will remove the incentive for the public sector to make the systems more user friendly.

In summary, the law proposal L 159 will (just like L 160) indirectly make it mandatory for Danish citizens to use NemID, a digital signature where the private key is stored on a central server.

Danish politicians seem to think of these laws as an offer to citizens

The first debate about L 159 and L 160 was held in the Danish parliament on 26th April 2012. Several politicians consistently described these laws as an "offer" to Danish citizens who would be given the opportunity of not having to wait in lines at public sector offices with limited opening hours, and be able to read their mail from the public sector while travelling abroad. This is certainly true, but no new law is required for a voluntary system of digital communication. The laws are necessary to make it mandatory for citizens to use the systems. It will truly be an offer than you cannot refuse [inspired by the famous quote in the movie Godfather I].

Comments from the Danish Data Protection Agency

During the hearing phase in February, several organizations and public authorities submitted comments on a draft of the two law proposals. The Danish Data Protection Agency (Danish DPA) submitted comments on L 160 and L 159 which are available here (in Danish)

The Danish DPA has previously issued some mildly critical comments about NemID, especially the centrally stored private keys. The contract between DanID and the Danish government stipulates that DanID should offer a version of the digital signature where the private key is stored/generated on a smartcard (token) instead of the HSM (central server) operated by DanID. This version of NemID was originally supposed to be available in December 2010, but it has been postponed several times, and the current status is "postponed without any new deadline". The Danish government has made no initiatives to force DanID to live up to its contractual obligations in this area. The government seems much more interested in developing solutions for mobile devices, which were not part of the original design requirements for NemID when the project started around 2007.

In the hearing response, the Danish DPA reiterates their earlier critique of the centrally stored private keys, and states that this issue becomes more important when the use of self-service systems based on NemID will become mandatory. The DPA also expresses some privacy concerns about the document box system. Specifically, the DPA points out that a formal Privacy Impact Assessment (PIA) has not been made about the document box system, despite earlier promises about this from the government.

Unfortunately, the comments from the Danish DPA do not at all touch upon the critical issue of forced consent to the private companies managing NemID and the document box system (e-Boks). This is first of all very disappointing, and also a bit surprising in light of a recent statement from the Danish DPA about the mandatory use of NemID by public sector employees for work-related purposes.

Unrelated to the two law proposals discussed here, a number of Danish municipalities want to have their employees to use NemID for secure authentication (or identification) in various computer system. This ranges from simple tasks, such as external access, to an intranet system used for holiday and sick-leave registration, to using NemID as a security element instead of, say, an RSA token to access administrative systems (in short: "sign in to your work computer with your private NemID"). The company DanID offers various employee digital signatures for such purposes, but unlike the private NemID, these systems are not free for the local municipalities. Hence the interest in using the private NemID, which has been paid for by the public sector (central government) with a fixed amount covering any use by Danish citizens.

On 30th March 2012, the Danish DPA issued a statement about the use of the "private NemID" for work-related purposes by municipal employees (only available in Danish)

The decision (statement) is a conditional approval for the use of the private NemID. The statement contains several security requirements in the case where NemID is used to grant access to administrative systems with sensitive data about other citizens (basically, NemID can only be used a third-factor security element, like an RSA SecurID token, in such cases), but the interesting thing is that the DPA explicitly states that mandatory use of NemID for employees would be in violation of the Danish Data Protection Act. This also applies in cases where NemID is only used for registering holidays and sick leave. Even here, the municipal employer must offer an alternative that does not involve NemID. Unfortunately, the Danish DPA is rather vague as to which parts of the Data Protection Act are violated, if NemID use is made mandatory in this context.

Needless to say, the plans by certain municipal employers to get their employees to use NemID for work-related purposes (which is the basis for the above statement/decision from the Danish DPA) cannot be directly compared to a law enacted by the Danish parliament. On the other hand, nobody is forced to work for the municipal authorities and certain forms of consent under the Data Processing Act are quite normal for employment contracts. Everybody, however, is forced to obey Danish laws including mandatory registrations that will require NemID and consent to a private company (if the law proposals L 159 and L 160 are passed).

Initiatives by IT-Pol to oppose these laws

Unfortunately, IT-Political Association of Denmark was not aware of the official hearing period in February, so we did not submit our comments during the hearing phase. However, we have subsequently written letters to members of the Danish parliament with our critique of the two law proposals. The letters are available here (in Danish)

We find it completely unacceptable that Danish citizens will have to give consent to private companies in order to fulfill their obligations under Danish law. But this is what will happen, if these law proposals are passed.

Realistically, we must expect that these law proposals will be passed by the Danish parliament before the summer (every year there is a rush to pass a large number of new laws before mid June, so that politicians can start their summer break). During the first debate in parliament, the support was rather overwhelming, and only one party opposed the mandatory use of digital communication. As mentioned earlier in this note, several politicians seem to view this as a very attractive offer to Danish citizens.

In the past 10 years, privacy concerns for citizens have played a very modest role in Danish legislative work. The new mantras are surveillance and control of citizens through new technology, as well as economic efficiency (the latter has become more urgent with the recent pan-European government debt crisis, and Denmark has a very big public sector).