by null_object 1928 days ago
I think pride and patriotism means you’re overstating your case here.

Indeed as you say, a subgroup of the largest Swedish private banks own the ID system in Sweden - for profit, and without any serious democratic oversight.

Edit: I forgot to add that the system allows these private banks to see into almost every aspect of a person’s life: where they shop, where they are, who shares their household and so on. Almost every aspect of a Swede’s life can be and is tracked by this system.

Every time someone identifies themselves with this system, it costs the retail merchant or service a non-trivial amount of money. Because it’s effectively a private monopoly, that price is set by the banks, and often involves a lot of secret horse-trading behind closed doors (I’ve been involved with some aspects of this in the past).

The secret negotiations also include terms that are not open to public scrutiny. One example is that the merchant or service isn’t allowed to blame BankID for any problems such as downtime or any other technical problems.

btw I’m curious how you get all your receipts digitally. There are some services such as Kivra in Sweden, but they definitely don’t cover all stores.

4 comments

I definitely agree. The system could certainly be improved.

My gripe with BankID is that it's a monopoly and it's tied to having a bank account. It's easy to fall into the cracks. For example, I know first hand more than one foreigner that moved to Sweden and couldn't do basically anything online because they didn't have BankID and couldn't get one because they needed to visit a bank branch and have an appointment, and they couldn't get one without having to wait for 2 months or more (partly due to COVID-19).

The system could be much better if there were many accredited providers of digital ID (this is somewhat already the case, there's Freja now) and there was a mandated standard protocol that the accredited providers implement, so you could have the ID from any provider and that ID would work on any site. The latter is not the case to the best of my knowledge: although many government websites are supporting Freja, most private ones like Kivra or Klarna and of course the banks only support BankID. This is not great.

It also forces you to have an Android or iPhone, and basically have a relationship with these foreign tech giants and accept their policies in order to be a "digital citizen" in your own country. If they ban your account for any reason, and you lose access to the store without any recourse, and you can't install the app, you are basically SOL. This is a trickier problem to solve, and it's not exclusive to BankID by any means, but if there was competition it would be more likely (at least on paper) that somebody might provide an alternative.

My take is that indeed: the system mostly works, it is convenient, but it's not perfect by any means. There's plenty of room for improvement. Just having real competition instead of a de facto monopoly would fix most issues.

> It also forces you to have an Android or iPhone, and basically have a relationship with these foreign tech giants and accept their policies in order to be a "digital citizen" in your own country. If they ban your account for any reason, and you lose access to the store without any recourse, and you can't install the app, you are basically SOL.

For me this is mind-boggling. Could you please elaborate or link to a resource on that? Do the respective apps work on rooted phones? Regarding the Bank ID: I worked as an intern in Sweden in 2002 and this sucked already then. As a foreigner you got an ID that somehow "almost" matched the normal way the number was generated (an offset on the YOB if I remember correctly). It was always an interesting experience to find out if an office/application supported such a foreigner ID or not. Hopefully this got fixed in the meantime. After all, my yearly letter from Pensionsmyndigheten is at least partially translated into multiple languages. Good for me, as I lost almost all my Swedish.

Maybe you got a "coordination number" instead of a "person number"? You only get the latter if you are expected to live in the country for longer than a year. The former "confuses" a lot of people and websites, which are not fully prepared to deal with it.

> Could you please elaborate or link to a resource on that?

Not sure what exactly you're looking for. There are 3 types of BankID: "on file", "on card" and "mobile". The first two are seldom used and not all banks offer them (mine doesn't). I believe that most sites only support the mobile version. The mobile app cannot be sideloaded on iOS, and requires Google Play Services on Android. (For now it works on rooted phones. For now.)

Although technically minded people can still find a way to sideload the Android app without having to have a Google account, this is far from being mainstream. For most people you have to agree with Apple or Google's terms and have an account with them. If you're banned and lose access to the store, you can't install BankID any longer. It's not fun to live in Sweden and not have access to BankID.

I don't like the idea that you have to establish an asymmetrical relationship with a foreign conglomerate to be able to identify yourself in your own country and use digital services.

I think that having competition at least opens up the possibility that one of the players will introduce a mechanism that does not rely (solely) on Apple/Google technology. For example, a simple hardware token could work.

Regarding IDs for foreigners, I believe that the EU cracked down on Sweden and at least the government websites allow other European digital IDs nowadays. At least the option shows up in the list of authentication choices, but since I can't use that flow I cannot state how well it works in practice.

Thank you very much! Your detailed explanation cleared things up.

> I don't like the idea that you have to establish an asymmetrical relationship with a foreign conglomerate to be able to identify yourself in your own country and use digital services.

The general acceptance of this in Swedish society boggles my mind. But hey, I am not a Swedish citizen, so it's not my job to tell people what to do.

Neither of the points you made is, I think, existentially problematic, especially in light of the fact that Sweden is 1) ahead and 2) it works for them.

'Cost' is going to be a part of the equation, there is no avoiding that, but access can be regulated, as can oversight (i.e. transparency) with respect to transactions.

And: "merchant or service isn’t allowed to blame BankID for any problems such as downtime or any other technical problems"

Will Swiss private individuals or businesses be able to 'sue' the Swiss government for downtime? Like late trains? Invariably not. They'll just get the service they get and that's it.

Sweden provides a pragmatic demonstrable example of what can work, it shouldn't be dismissed.

Democratic oversight?

Once these systems are in place they will be under the control of the great unelected, the civil servants, it will not be the subject of any political party policy again and so how exactly will you assert the voting based democratic control upon it?

I guess I only shop with stores that use Kivra.

BankID doesn't store any information, and I have no problem that the stores I'm a member in store my shipping history.

I think you are overstating the scale of the surveillance. I don't think the different entities share data with each other.

Edit: try living in a country like Switzerland once you have gotten used to all interaction being online. It's horrible.

Edit2: actually other stores provide digital receipts without Kivra. You just have to be a member.

Edit3: This has nothing to do with patriotism, there are many things that I don't like about Sweden. But the fact that we have taken digitalisation seriously since the 90s is something I think is great.

> BankID doesn't store any information

I work with systems that use BankID identification, and know for a fact that you are wrong, because many (though not all) of the data-points collected by the banks can be retrieved for payment.

For instance, if you just logged-in with the service I work with, I can retrieve your full-name, birthdate, your marital status, name of your spouse, their birthdate, any children and their IDs and names, where you live, your home and cellphone number, and many many other data points.

From a service owned by a small group of private banks.

That is all public data. You can get that through open channels like birthday.se as well. I've been at BankID and I know for a fact exactly what information they store. They store only what is necessary from a regulatory standpoint.

Are personal mobile phone numbers considered public information in Sweden?

You can get a phone number without registering it to your name, but otherwise yes. Most people's phone numbers can be found online, as well as the reverse (find someone's name by phone number).

A paradise for identity theft

Requiring strong ID verification (from government ID or the digital ID we're discussing) helps protect against identity theft. Other countries I've lived in that use very weak forms of ID ("a utility bill in your name") seem like much bigger paradises for identity theft.

I'm talking about cross-border identity theft. The public data of Swedish citizens is sufficient for weaker identity systems in other countries.

Practically, identity theft the way you think about it is very rare in Sweden; more common are social engineering attempts like calling people and asking them to use their MobilBank ID while the caller logs in in their name.

Remember that personal ID numbers are not a big secret in Sweden as well, and still we don't see any big problem with that.

> your full-name, birthdate, your marital status, name of your spouse, their birthdate, any children and their IDs and names, where you live, your home and cellphone number, and many many other data points

Those things have nothing to do with BankID and everything to do with the government person-number database. They were available as open data before BankID existed.

But surely if someone has your person number then they can retrieve all that information from companies like Ratsit and the like. Is there specific information you can get via BankID that isn't generally available from other 'open' databases?

What information are you thinking about? You can get a person's yearly tax statement without BankID, but you can't see their bank account details.

I live in Switzerland. The only cases where I had to be physically present at an official place were when I "adopted" my own son (due to not being married) and when I funded companies. 4x 15min in the last 4 years.

I think the state of things is just already quite efficient without such an ID. Thus people are not willing to give that data away to a private monopoly. IMO for good reason.