
German Federal Ministry of the Interior, 20 August 2008
KEESING Journal of Documents & Identity, Issue October 2008

Andreas Reisen

As Head of Biometrics, Travel & ID Documents, Registration Division within the German Federal Ministry of the Interior, a position he has held since September 2005, Andreas Reisen's responsibilities include the Federal biometrics strategy, the government's e-card strategy and current projects such as the introduction of e-passports and electronic ID cards. Against this background, Andreas Reisen is a member of the Standing Committee of the International Forum for Travel Documents. The reorganization of the German registration, which became a subject of Federal regulation in 2006, is also among his duties. Andreas Reisen took up his current post having headed the project group relating to the Bund Online 2005 Federal e-government initiative from 2002 to 2005. Andreas Reisen is a physics graduate with a master's degree from Aachen University of Technology.

Towards a multifunctional ID card in Germany

Introduction

The planned new electronic ID card is a modernization and security project of the German government. On the one hand, the multifunctional card is intended to make e-government and e-business applications more secure and more convenient to use. On the other hand, the new biometric ID card will, also in the future, allow citizens to use it as a travel document in the Schengen area and for specific destinations outside the European Union. Whereas the solutions found for the electronic passport may also be used for the new ID card's biometric function, the Internet function, i.e. electronic authentication and signature, is a completely new challenge.

An important feature of these technical innovations is that they can only fully develop their potential if citizens trust them and use them in everyday life. Data protection and data security have therefore always been essential when preparing the amended ID card act and technical specifications.

Figure: Functions (Traditional ID card / Electronic functions). Source: Federal Ministry of the Interior
Always (obligatory): Digital photograph (only for police and border controls)
Upon request (included in the price): Internet ID card (name, address, date of birth, place of birth, expiry date); Two fingerprints (only for police and border controls)
From 1 November 2010: credit-card-size ID
Upon request (extra costs): Qualified electronic signature

The future ID card will combine three functions:

1. The traditional ID card function will be enhanced, as has been done for the electronic passport, by integrating biometric data including a digital photo and, upon the citizens' request, two fingerprints into the document. All ID cards will thus comply with the International Civil Aviation Organization's recommendations according to which a photograph must be included in any travel document. As with the ePass, access to biometric data will be restricted to specific official control purposes. To implement this requirement not only legally but also technically, there are several instruments developed by the Federal Office for Security in Information Technology, including Extended Access Control and the new PACE protocol (Password Authenticated Connection Establishment).

2. With the electronic ID card, identity features (not including biometric data) can be electronically transmitted to be used for online applications and local appliances (such as vending machines). Thus, it is possible to provide satisfactory proof of identity in electronic communications. Unlike the biometric function, this type of authentication, including the name, address and age of the card holder and the validity of the document, will be used for numerous e-business and e-government services.

Thus, both the public and private sector will be able to provide services on the Internet which require secure identification for authentication or security reasons and therefore have not been provided online so far. In addition to completely new services, the electronic ID card will facilitate registration and login procedures because users will no longer have to remember dozens of PINs and passwords for different services but ideally will be able to use all services with their ID card and one single PIN. With the ID card, fully electronic transactions will also be possible for those services which today require the written form and are not offered online for lack of nation-wide electronic signature schemes.

Against this background, the range of services for which the electronic ID card can be used in future seems to be unlimited. In e-government, the ID card can be used for mass procedures such as changing registration details for persons or vehicles or applying for state benefits online. In e-business, it may be used for online banking, online shopping or online auctions. The private sector could benefit not only from the high reliability of identification procedures but also from the new function for the protection of young people: by transmitting the age, the ID card is a reliable tool to restrict access of young people to harmful contents, e.g. online forums or video-on-demand via the Internet. This option will also be useful outside the Internet, e.g. for tobacco and slot machines. Apart from the Internet, electronic authentication with the ID card may also be used in areas where it is already being used for identification, e.g. checking in at a hotel and collecting registered mail or parcels at the post office.

3. Moreover, there will be the option to include a qualified electronic signature on the ID card in line with the German Digital Signature Act, thus creating a uniform tool for various forms of binding, personal action in electronic legal relations requiring the written form and an electronic signature with the same status as a handwritten signature. The optional signature function of the new ID card will end the era of PDF applications and contracts which can be downloaded but then usually have to be signed manually and sent by mail.

Data protection precautions

Informed, targeted action

Regarding the ID card's electronic authentication function, data protection law requires that the card holder is able to decide on the use of identification, i.e. the transmission of personal data to third parties, in an informed and targeted manner. This was taken into account when developing the authentication function; for this reason the ID card must be physically available and a personal identification number (PIN) must be entered to transmit personal data to third parties. Hence, action by the card holder is always required.

However, card holders can reasonably decide on the transmission of personal data only if they are sufficiently informed about the kind of data to be transmitted and the conditions of this transmission. This in particular includes valid information on who will receive the data, which personal data are to be transmitted and for which purpose.

Certificates for service providers

So far it has not been clear who requests data of citizens online. Although websites, for example, need to include the details of the party responsible for the website, it is still possible to (illegally) enter random data. In the case of foreign websites, if there is such an obligation at all, these data often cannot be verified. How relevant this issue is in practice is also demonstrated by the phenomenon of phishing, where citizens are misled about the entity requesting data.

The authentication function of the ID card is intended to prevent any misuse by allowing access to valid personal data from the ID card only if the service provider has an electronic certificate. This certificate, which is shown to the card holder, includes verified information about the certificate holder. The transmission of personal data to a body with a false identity will thus be much more difficult.

Data categories and purpose of the transmission

The access certificate will include information on the data categories (e.g. name, address, date of birth, etc.) requested by the service provider and to be submitted by the ID card holder. However, to be able to make a sound decision on the transmission of personal data, it is crucial that the holder is aware of the purpose of the data transmission. Therefore, the access certificate will include a short, concise explanation on how the data will be used. On this basis the ID card holder can decide whether to transmit the requested data to the service provider for the stated purpose. If so, the holder may authorize access to the data by entering a PIN. If the card holder does not wish to transmit data, he/she may request further information (e.g. on data protection notices) from the service provider.

Data economy

In line with Section 3a of the Federal Data Protection Act, the authentication function should be designed in such a way that access certificates are issued only for those data categories which can be used regularly, reasonably and legally in the intended e-government and e-business scenarios. This includes the following categories: name, first name, address and date of birth, and the expiry date of the ID card to verify its validity. The following categories are not included: digital photo, fingerprints, height and eye colour, because these data only serve to clearly link the document to its holder. During online authentication, this link is established by producing the document and entering the PIN.

As described above, the electronic ID card should also be used to protect young people and prevent addiction. Especially in these contexts, however, a complete proof of identity is often not required or desired, but only proof of a certain minimum or maximum age. The service provider will be entitled to request only whether a certain age has been reached or exceeded. The ID card will then simply submit yes or no.

Data necessity

For many people there is no easy answer to the question whether certain data really need to be transmitted for a certain purpose, since this would require knowledge about the further processing and business procedures. Whereas everyone understands that an address is necessary to ship goods, the verification of the age when entering a cigarette manufacturer's website might not necessarily be considered common sense. In such situations the government should support citizens by carrying out a plausibility check of the requested data categories and of the indicated purpose when issuing access certificates to service providers. This approach may give ID card holders the certainty that the transmission of verified ID card data really serves the indicated business purpose.

Key in line with data protection law

Numerous online services are based on a registration with the users' personal data. If the users return to the service, they usually log in using a name and a password. Such a login becomes more secure, and the misuse of user accounts can be reduced, if the ID card is additionally used in its physical form. However, a repeated login requires a unique identifying feature since account data are not to be disclosed to persons with the same name or address, for example. But it is neither permissible nor desirable that citizens use a uniform identifying feature for all sectors and transmit it via the authentication function to the service provider. When opening an online account, the ID card holder should therefore be able to use a key generated from a parameter of the service to be used and a parameter of the ID card.

On the one hand, this procedure allows for repeated logins to a specific service; on the other hand, it prevents the identity of the ID card holder from being revealed through the key. The key can be used only by the ID card holder for an individual service. Such a key in line with data protection law contributes to meeting existing demand without having to resort to solutions which are unlawful in Germany, such as the use of serial numbers or key certificates. At the same time it can be ensured that the legal bans on serial numbers and the planned legal protection of the technically required key certificate are implemented in practice. The service- and card-related key also allows for communication under a pseudonym, so that personal data do not have to be transmitted when using the service for the first time and if the service only needs to recognize the same user again (e.g. if the user paid a fee for a certain period when using the service for the first time).
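
The release rules from the "Data economy" and "Key in line with data protection law" sections can be modelled in a few lines. This is an added example, not code from the article or from the ministry's specifications: the class and field names and all sample values are constructed, and the HMAC-based pseudonym is an assumed stand-in for "a key generated from a parameter of the service and a parameter of the ID card", not the card's actual protocol.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Categories the page lists as available for online authentication.
RELEASABLE = {"name", "first_name", "address", "date_of_birth", "expiry_date"}


@dataclass(frozen=True)
class AccessCertificate:
    """Hypothetical model of a service provider's access certificate."""
    holder: str                      # verified provider identity shown to the user
    purpose: str                     # short statement of how the data will be used
    categories: frozenset            # data categories approved when the cert was issued
    service_id: bytes                # service parameter that feeds the pseudonym
    min_age: Optional[int] = None    # age threshold the provider may query
    pseudonym: bool = False          # may the provider receive the per-service key?


class IDCard:
    def __init__(self, data: dict, pin: str, card_secret: bytes):
        self._data, self._pin, self._secret = data, pin, card_secret

    def _pseudonym(self, service_id: bytes) -> str:
        # Stand-in construction (assumption): HMAC of the service parameter under
        # a card-held secret. Stable per service, unlinkable across services.
        return hmac.new(self._secret, service_id, hashlib.sha256).hexdigest()

    def authenticate(self, cert, requested, pin: str, today: date) -> dict:
        # The holder must act: no PIN, no transmission.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("PIN check failed, nothing is transmitted")
        # Release only what was requested AND certified AND is an online category;
        # photo, fingerprints, height and eye colour can never pass this filter.
        allowed = set(requested) & cert.categories & RELEASABLE
        out = {field: self._data[field] for field in sorted(allowed)}
        if cert.min_age is not None:
            dob = self._data["date_of_birth"]
            age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
            out["age_ok"] = age >= cert.min_age      # yes/no only, never the birth date
        if cert.pseudonym:
            out["pseudonym"] = self._pseudonym(cert.service_id)
        return out


# Constructed sample data (not real persons, providers or keys).
CARD = IDCard(
    data={"name": "Mustermann", "first_name": "Erika", "address": "Heidestr. 17, Koeln",
          "date_of_birth": date(1964, 8, 12), "expiry_date": date(2020, 10, 31),
          "photo": b"<jpeg>", "fingerprints": b"<templates>"},
    pin="123456", card_secret=b"constructed-card-secret")
SHOP = AccessCertificate("Example Shop GmbH", "delivery of ordered goods",
                         frozenset({"name", "first_name", "address", "photo"}),
                         b"shop.example", pseudonym=True)
KIOSK = AccessCertificate("Example Vending AG", "age check for tobacco sale",
                          frozenset(), b"kiosk.example", min_age=18)
FORUM = AccessCertificate("Example Forum e.V.", "recognise returning member",
                          frozenset(), b"forum.example", pseudonym=True)

if __name__ == "__main__":
    today = date(2010, 11, 1)
    print(CARD.authenticate(SHOP, ["name", "address", "date_of_birth", "photo"], "123456", today))
    print(CARD.authenticate(KIOSK, ["date_of_birth"], "123456", today))
    print(CARD.authenticate(FORUM, [], "123456", today))
```

The shop certificate deliberately lists "photo" to show that a mis-issued certificate still cannot pull biometric data, because the card enforces its own category list in addition to the certificate's.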

Proof of identity in an international context

It may be expected that service providers in Europe and in third countries will also be interested in using the electronic proof of identity via ID card. For reasons of equal treatment, especially companies and authorities within the European Union will have to be authorized to use the authentication function, also with regard to the EU Services Directive. Due to the EU Data Protection Directive, it may be assumed that the level of data protection is the same as in Germany. The directive also includes provisions on data protection supervisory authorities which may assume a similar monitoring and implementing function.

The use of the authentication function for service providers from outside the European Union should depend on the mutual recognition of adequate data protection standards in line with the European data protection directive in these non-European countries or companies (e.g. members of the Safe Harbour Agreement).

However, German authorities and companies will also be required to use electronic ID cards of citizens from other countries, in particular from EU Member States, for a similar electronic proof of identity. A working group composed of representatives of authorities and renowned IT companies of EU Member States is currently developing a framework for the future interoperability of the various e-card solutions.

Conclusions

In the coming weeks and months, the presented plans on the electronic ID card will be discussed at two levels in Germany: in the course of the parliamentary procedure for adopting the new ID card act and in a dialogue between data protection stakeholders, consumer associations and potential providers of online services, i.e. e-government and e-business. If in 2009 the law is adopted and the tests and trials of the new ID card functions are successful, the first electronic ID cards will be issued on 1 November 2010.