Smart cards provide hurdles, opportunities for Free Software

Smart cards and digital signatures are presented as among the most important components of e-government in Europe, but they are still far from being an effective, Linux-friendly solution to reduce administrative and business costs. But the same tools may become a way to make the general public use or support Free Software.

Almost 10 years ago, European Community directive 1999/93/Ce stated the principle that, in certain cases and under certain conditions, a digital signature can be just as reliable and legally binding as one on paper. “Qualified electronic signatures,” which are generated with a secure device and validated by an official certificate, belong to this category. For this reason, digital signatures and identification through smart cards are considered one of the main tools to reduce costs and increase efficiency in European e-government and public administrations. The Italian newspaper Corriere della Sera reported in March that Italian economy as a whole saved €260 million since some procedures to create a new company went entirely digital, and that, country-wide, online tax filings cost €90 million less every year than doing them with paper documents.

Back in 1997, Italy was the first EU country to acknowledge the legal validity of electronic documents. The Code of Digital Administration that followed in 2005 laid down the official rules for using digital signatures and smart cards in the country. As a result, as of June 2007 Italy was also the EU country with the highest number of smart cards — almost three million — released for official purposes. In the coming years this trend will grow, due both to the need to comply with national and EU regulations and, above all, to reduce costs.

In spite of all this, however, inertia, as well as lack of information and coordination, still limit the benefits of smart cards in Italy, especially for GNU/Linux users. Many procedures and tools are either redundant, obscure, or far from being technically and legally interoperable, even when they are open source.

The Regional Services Card (CRS) of Friuli Venezia Giulia, the northeastern Italian region, is a good example of these problems. This smart card is issued to allow online access to health care and other regional public services online. Technically speaking, it is the same card, with the same software interface, that is used both in other regions and, under the name of National Services Card (CNS), for other public services in all of Italy. However, while you can find non-Windows drivers for CRS cards online on some regional Web sites, the CNS manual basically says, “if you need such drivers for your CNS, please go find them by yourself”.

In October 2007 the Linux User Group of Trieste found out that, at least according to official documentation and local public officers, their CRS was only usable under Windows. The smart card reader provided by the region worked all right under Linux, and instructions to configure it were available, but the drivers to talk with the chip inside the smart card were distributed only as a .dll Windows file.

Linux versions of the drivers were released two months later, but only after repeated pressures from the LUG. Eventually, it also turned out that the Friuli region, or anybody else for that matter, could have written and released open source drivers for the CRS smart card (instead of purchasing them) because all the needed specifications could be obtained without restrictions.

Diego Zanga, a developer of open source software and services for legal applications, complained last January about how unnecessarily hard and expensive it is to use the smart cards under Linux. Earlier, he had already pointed out a more serious side of the problem: these days, a lawyer working in Milan, Lombardia region, would need to “carry along every day five different smart cards for his private and professional life”: one to access public health services, one to certify budgets of his corporate clients, one to get discounts on eco-friendly car fuels, one to file injunctions and, finally, one to just demonstrate his identity.

All these stories prove that, at least when it comes to smart cards, FOSS or open standards do little, in and of themselves, to reduce total costs and improve efficiency of public services. This is something that FOSS advocates should never overlook when they lobby for alternatives to proprietary ICT technologies: saying “we’ll surely save money if we just switch to FOSS” can be a dangerous strategy. The reality is that the bigger savings probably happen through reorganization and coordination of public administrations and procedures, and reuse of software and other technologies. Italy, for example, already has an official portal for cooperative development of open source software for public administrations, but little is done to guarantee that all the software used by these organizations is open source and published on that site.

There are still too many procedures and systems that are incompatible with each other at the legal, administrative, and methodology levels, before even starting to consider what software should be used or reused. However, there is reason to hope; providing technical support to fix this kind of interoperability problems to all EU countries is one of the things the members of the Qualipso consortium are planning to do.

Even with these caveats, smart-card-based authentication may become an avenue for Free Software to gain support from more people in Italy and other EU countries. All citizens, including those who may have no interest nor need for computers, must use public health care, file tax forms, or interact with national pension systems — all services which require smart cards support or soon will, even in places like senior citizens clubs, parishes, schools, and nonprofit organizations.

In all these scenarios, any barebones GNU/Linux desktop or live CD preconfigured to use smart cards and their readers could become much more popular than one that simply provides customized menus and window managers.