Introduced a few months ago, our Danish national authentication system, Nets DanID's “NemID” (easy ID), continues to bring new stories. Sometime in October it reached one million users. That's around a fifth of the Danish population. The crucial system continues to be discussed quite a lot, and nerds welcome each new crash and trouble with joyful schadenfreude. Since I first wrote of NemID there have been new crashes, security issues and domain name/trademark issues:

- Assemble A/S, based in Hellerup, Denmark, applied on 24 January 2010 for registration of a trademark: nemID. In the remarks it says “NemID has been used as address and identification of citizens (unique identifiers) in the system NemPost since 2006” (page 3). The company also owns the domain nemid.dk. DanID uses nemid.nu for their NemID. Searching on Internet Archive I find no results returned for either www.nemid.dk or www.nemid.nu. Whois reports a registration on 28 May 2007 for nemid.dk. Assemble A/S is recorded as the owner. My whois on nemid.nu is not clear but replies “Record created on 2008-Nov-12”. Nets DanID has also registered NemID (nemID) as a trademark. They did that before Assemble and protested against Assemble's trademark registration of nemID. So what will happen with ‘NemID’? It seems that Assemble has used it somewhat before Nets DanID, so there might be some priority.
- The .nu domain is handled by the island nation of Niue. It would seem strange that a site that is endorsed so much by the government of Denmark chooses to rely on a foreign country on the other side of the planet. Libyan ly-domains have run into problems, and the vb.ly domain has been closed as Libya didn't like the pornography linked from this URL-shortener service, Dorte Toft says. Could Niue close Danish nation-wide authentication?
- The company Nets DanID has run into further problems with the domain nets.dk. They want it! Sten Axelsen, who writes his first name backwards in the domain, owns it. Poor Sten has had a great deal of stress since the lawyers of Nets DanID have attacked him. PBSNets, a fake Twitter account, has written funny tweets about the case.
- Letters with the first-time access code and letters with the ‘papkort’ with the one-time pad are not supposed to be sent on the same day. Twice DanID has failed to keep them apart and had to block the accounts of several thousand people.
- In October a 15-year-old boy received NemID even though he had not requested one, and he did not have an internet banking account (which would have meant that he got NemID automatically). Neither the bank nor DanID seemed to know why the boy had received NemID. It turned out that the internet banking solution provider for the bank, Skandinavisk Datacenter, had sent the information to DanID.
- You can download an iPhone application that can store images encrypted on the iPhone. The developer, Daniel Bahl, has called the application GemID, and the reason he developed it was that he was “unbelievably tired” of the NemID papkort. This is of course unsafe, and DanID says it is really a no-no. Bahl says that he has plenty of colleagues and friends who store an image of the papkort unencrypted on their mobile. That it is so easy to copy the card is a weakness of NemID.
- The European Union pilot project Secure idenTity acrOss boRders linKed (STORK) attempts to see if digital signatures can be used across European nations. NemID is not part of that.

And now for a couple of crashes and other troubles:
- One afternoon in late September users could not log in due to a server error.
- On 21 October 2010 NemID had a breakdown lasting several hours. DanID did not want to reveal the details of why it happened. It is unfortunate that such systems of national importance can be “hidden” in private companies where the scrutiny of democratic institutions cannot get to them.
- On 28 October 2010 a Java error caused Danish banking tied to NemID to run into trouble.
- In the last weekend of October there were, besides the Java problem, a login problem as well as a two-hour breakdown.