German Federal Ministry of the Interior, 20 August 2008
KEESING Journal of Documents & Identity, Issue October 2008

Andreas Reisen

As Head of Biometrics, Travel & ID Documents, Registration Division within the German Federal Ministry of the Interior, a position he has held since September 2005, Andreas Reisen's responsibilities include the Federal biometrics strategy, the government's e-card strategy and current projects such as the introduction of e-passports and electronic ID cards. Against this background, Andreas Reisen is a member of the Standing Committee of the International Forum for Travel Documents. The reorganization of the German registration, which became subject to Federal regulation in 2006, is also among his duties. Andreas Reisen took up his current post having headed the project group relating to the Bund Online 2005 Federal e-government initiative from 2002 to 2005. Andreas Reisen is a physics graduate with a master's degree from Aachen University of Technology.

Towards a multifunctional ID card in Germany

Introduction

The planned new electronic ID card is a modernization and security project of the German government. On the one hand, the multifunctional card is intended to make e-government and e-business applications more secure and more convenient to use. On the other hand, the new biometric ID card will allow citizens to use it as a travel document in the Schengen area and for specific destinations outside the European Union in the future as well. Whereas the solutions found for the electronic passport may also be used for the new ID card's biometric function, the Internet function, i.e. electronic authentication and signature, is a completely new challenge. An important feature of these technical innovations is that they can only fully develop their potential if citizens trust them and use them in everyday life.
Data protection and data security have therefore always been essential when preparing the amended ID card act and technical specifications.

Functions

Traditional ID card / Electronic functions
Always (obligatory): Digital photograph (only for police and border controls)
Upon request (included in the price): Internet ID card (name, address, date of birth, place of birth, expiry date); two fingerprints (only for police and border controls)
From 1 November 2010: credit-card-size ID
Upon request (extra costs): Qualified electronic signature
Source: Federal Ministry of the Interior

The future ID card will combine three functions:

1. The traditional ID card function will be enhanced, as has been done for the electronic passport, by integrating biometric data including a digital photo and, upon the citizen's request, two fingerprints into the document. All ID cards will thus comply with the International Civil Aviation Organization's recommendations according to which a photograph must be included in any travel document. As with the ePass, access to biometric data will be restricted to specific official control purposes. To implement this requirement not only legally but also technically, there are several instruments developed by the Federal Office for Security in Information Technology, including Extended Access Control and the new PACE protocol (Password Authenticated Connection Establishment).

2. With the electronic ID card, identity features (not including biometric data) can be electronically transmitted to be used for online applications and local appliances (such as vending machines). Thus, it is possible to provide satisfactory proof of identity in electronic communications. Contrary to the biometric function, this type of authentication, including the name, address and age of the card holder and the validity of the document, will be used for numerous e-business and e-government services.
Thus, both the public and private sector will be able to provide services on the Internet which require secure identification for authentication or security reasons and therefore have not been provided online so far. In addition to completely new services, the electronic ID card will facilitate registration and login procedures because users will no longer have to remember dozens of PINs and passwords for different services but ideally will be able to use all services with their ID card and one single PIN. With the ID card, fully electronic transactions will be possible also for those services which today require the written form and are not offered online for lack of nation-wide electronic signature schemes.

Against this background, the range of services for which the electronic ID card can be used in future seems to be unlimited. In e-government, the ID card can be used for mass procedures such as changing registration details for persons or vehicles or applying for state benefits online. In e-business, it may be used for online banking, online shopping or online auctions. The private sector could benefit not only from the high reliability of identification procedures but also from the new function for the protection of young people: By transmitting the age, the ID card is a reliable tool to restrict access of young people to harmful contents, e.g. online forums or video-on-demand via the Internet. This option will also be useful outside the Internet, e.g. for tobacco and slot machines. Apart from the Internet, electronic authentication with the ID card may be used also in areas where it is already being used for identification, e.g. checking in at a hotel and collecting registered mail or parcels at the post office.

3. Moreover, there will be the option to include a qualified electronic signature on the ID card in line with the German Digital Signature Act, thus creating a uniform tool for various forms of binding, personal action in electronic legal relations requiring the written form and an electronic signature with the same status as a handwritten signature. The optional signature function of the new ID card will end the era of PDF applications and contracts which can be downloaded but then usually have to be signed manually and sent by mail.

Data protection precautions

Informed, targeted action

Regarding the ID card's electronic authentication function, data protection law requires that the card holder is able to decide on the use of identification, i.e. the transmission of personal data to third parties, in an informed and targeted manner. This was taken into account when developing the authentication function; for this reason the ID card must be physically available and a personal identification number (PIN) must be entered to transmit personal data to third parties. Hence, action by the card holder is always required. However, card holders can reasonably decide on the transmission of personal data only if they are sufficiently informed about the kind of data to be transmitted and the conditions of this transmission. This in particular includes valid information on who will receive the data, which personal data are to be transmitted and for which purpose.

Certificates for service providers

So far it has not been clear who requests data of citizens online. Although websites, for example, need to include the details of the one responsible for the website, it is still possible to (illegally) enter random data. In the case of foreign websites, if there is such an obligation at all, these data often cannot be verified. How relevant this issue is in practice is also demonstrated by the phenomenon of phishing, where citizens are misled about the entity requesting data. The authentication function of the ID card is intended to prevent any misuse by allowing access to valid personal data from the ID card only if the service provider has an electronic certificate. This certificate, shown to the card holder, includes verified information about the certificate holder. The transmission of personal data to a body with a false identity will thus be much more difficult.

Data categories and purpose of the transmission

The access certificate will include information on the data categories (e.g. name, address, date of birth, etc.) requested by the service provider and to be submitted by the ID card holder. However, to be able to make a sound decision on the transmission of personal data, it is crucial that the holder is aware of the purpose of the data transmission. Therefore, the access certificate will include a short, concise explanation on how the data will be used. On this basis the ID card holder can decide whether to transmit the requested data to the service provider for the stated purpose. If so, the holder may authorize access to the data by entering a PIN. If the card holder does not wish to transmit data, he/she may request further information (e.g. on data protection notices) from the service provider.

Data economy

In line with Section 3a of the Federal Data Protection Act the authentication function should be designed in such a way that access certificates are issued only for those data categories which can be used regularly, reasonably and legally in the intended e-government and e-business scenarios. This includes the following categories: name, first name, address and date of birth, and the expiry date of the ID card to verify its validity. The following categories are not included: digital photo, fingerprints, height and eye colour because these data only serve to clearly link the document to its holder. During online authentication, this link is established by producing the document and entering the PIN.

As described above, the electronic ID card should also be used to protect young people and prevent addiction. Especially in these contexts, however, a complete proof of identity is often not required or desired, but only proof of a certain minimum or maximum age. The service provider will be entitled to request only whether a certain age has been reached or exceeded. The ID card will then simply submit "yes" or "no".

Data necessity

For many people there is no easy answer to the question whether certain data really need to be transmitted for a certain purpose since this would require knowledge about the further processing and business procedures. Whereas everyone understands that an address is necessary to ship goods, the verification of the age when entering a cigarette manufacturer's website might not necessarily be considered common sense. In such situations the government should support citizens by carrying out a plausibility check of the requested data categories and of the indicated purpose when issuing access certificates to service providers. This approach may give ID card holders the certainty that the transmission of verified ID card data really serves the indicated business purpose.

Key in line with data protection law

Numerous online services are based on a registration with the users' personal data. If the users return to the service, they usually log in using a name and a password. Such a login becomes more secure, and the misuse of user accounts can be reduced, if the ID card is additionally used in its physical form. However, a repeated login requires a unique identifying feature since account data are not to be disclosed to persons with the same name or address, for example. But it is neither permissible nor desirable that citizens use a uniform identifying feature for all sectors and transmit it via the authentication function to the service provider. When opening an online account, the ID card holder should therefore be able to use a key generated from a parameter of the service to be used and a parameter of the ID card.
On the one hand, this procedure allows for repeated logins to a specific service, on the other hand it prevents the identity of the ID card holder from being revealed through the key. The key can be used only by the ID card holder for an individual service. Such a key in line with data protection law contributes to meeting existing demand without having to resort to solutions which are unlawful in Germany such as the use of serial numbers or key certificates. At the same time it can be ensured that the legal bans on serial numbers and the planned legal protection of the technically required key certificate are implemented in practice. The service- and card-related key also allows for communication under a pseudonym so that personal data do not have to be transmitted when using the service for the first time and if the service only needs to recognize the same user again (e.g. if the user paid a fee for a certain period when using the service for the first time).
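
The card-side rules described under "Data economy" and "Key in line with data protection law", as a simplified model added here for illustration; it is not taken from the article or from the card's technical specifications. The class `CardSim`, the certificate fields and the HMAC-SHA256 derivation of the service- and card-related key are assumptions standing in for the card's own protocol.

```python
import hashlib
import hmac
from datetime import date

# Categories the article lists for online authentication; biometrics are excluded.
RELEASABLE = {"name", "first_name", "address", "date_of_birth", "expiry_date"}


class CardSim:
    """Toy model of the card-side release decision, not the real chip protocol."""

    def __init__(self, holder, card_secret, pin):
        self._holder, self._secret, self._pin = holder, card_secret, pin

    def _age_on(self, today):
        born = self._holder["date_of_birth"]
        return today.year - born.year - ((today.month, today.day) < (born.month, born.day))

    def pseudonym(self, service_id):
        # Assumption: HMAC-SHA256 over the service parameter, keyed with a card secret.
        return hmac.new(self._secret, service_id.encode(), hashlib.sha256).hexdigest()

    def respond(self, cert, pin, today):
        """Release only what the access certificate covers, and only after PIN entry."""
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("card holder did not authorize the transmission")
        out = {}
        for field in cert["categories"]:
            if field not in RELEASABLE:  # photo, fingerprints, height, eye colour
                raise PermissionError(f"category not available online: {field}")
            out[field] = self._holder[field]
        if "min_age" in cert:  # yes/no answer only; the date of birth stays on the card
            out["age_ok"] = self._age_on(today) >= cert["min_age"]
        if cert.get("pseudonym"):  # same card + same service -> same key
            out["pseudonym"] = self.pseudonym(cert["service_id"])
        return out

# Constructed sample data: holder, card secret, PIN and certificates are made up.
CARD = CardSim(
    {"name": "Mustermann", "first_name": "Erika", "address": "Musterweg 1, Berlin",
     "date_of_birth": date(1994, 8, 12), "expiry_date": date(2020, 10, 31)},
    card_secret=b"constructed-card-secret", pin="123456")
SHOP = {"service_id": "shop.example", "categories": ["name", "first_name", "address"],
        "pseudonym": True}
KIOSK = {"service_id": "vending.example", "categories": [], "min_age": 18}
FORUM = {"service_id": "forum.example", "categories": [], "pseudonym": True}

if __name__ == "__main__":
    print(CARD.respond(KIOSK, "123456", date(2010, 11, 1)))
```

Two services that compare the keys they received cannot tell that they belong to the same card, while each service sees the same key again on every login.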

Proof of identity in an international context

It may be expected that service providers in Europe and in third countries will also be interested in using the electronic proof of identity via ID card. For reasons of equal treatment, especially companies and authorities within the European Union will have to be authorized to use the authentication function also with regard to the EU Services Directive. Due to the EU Data Protection Directive, it may be assumed that the level of data protection is the same as in Germany. The directive also includes provisions on data protection supervisory authorities which may assume a similar monitoring and implementing function. The use of the authentication function for service providers from outside the European Union should depend on the mutual recognition of adequate data protection standards in line with the European data protection directive in these non-European countries or companies (e.g. members of the Safe Harbour Agreement).

However, German authorities and companies will also be required to use electronic ID cards of citizens from other countries, in particular from EU Member States, for a similar electronic proof of identity. A working group composed of representatives of authorities and renowned IT companies of EU Member States is currently developing a framework for the future interoperability of the various e-card solutions.

Conclusions

In the coming weeks and months, the presented plans on the electronic ID card will be discussed at two levels in Germany: in the course of the parliamentary procedure for adopting the new ID card act and in a dialogue between data protection stakeholders, consumer associations and potential providers of online services, i.e. e-government and e-business. If in 2009 the law is adopted and the tests and trials of the new ID card functions are successful, the first electronic ID cards will be issued on 1 November 2010.