Electronic ID card apps are rich prey for identity thieves, civil rights activists warn. Blockchains do not help either. Bitkom hopes for ecosystems.
For twelve years the Federal Government has wanted citizens to be able to identify themselves digitally to third parties with official ID documents. Success is still pending. The "next big and necessary step for the overall digitization of our country" would be a working ecosystem for electronic identities (eID) with an online ID function, says Rebekka Weiß of the digital industry association Bitkom. The Chaos Computer Club (CCC) counters that wallet apps compromise the security of smartphones.
The federal government should therefore end its eID project, CCC representative Carl Fabian Lüpke (aka Flüpke) recommended on Monday at a hearing in the Bundestag. A secure element, the security chip on which the Smart-eID solution for using the online ID function on a mobile phone relies, could help. However, such a chip is "only available in very few models".
Protection against the tapping of sensitive data should not be a question of money, said Flüpke. With a universal wallet, a "state-signed ID copy" is handed over along with the transaction receipt data. In the event of data theft this copy could later be duplicated, and the duplicate would still be recognized as genuine. That makes the data even more valuable and creates an incentive to "collect and steal" it. Ultimately there is a risk of "cross-profile tracking",
Kelber warns of behavioral profiles
Federal data protection officer Ulrich Kelber raised similar concerns. According to him, the need for reliable identification has grown. In principle it is compatible with data protection and is even preferable to presenting an analogue ID, "if it is done well". It should be noted, however, that the right to informational self-determination is always in tension with state and private identification, which could be misused to build behaviour and movement profiles.
Kelber criticized wallets, as an accumulation of different attributes, as a "new gateway to online profile building". In addition, "over-identification" could occur if pseudonymous uses were reduced at the same time. Ultimately, a "new quality of identity theft" threatens "if a high level of protection is not achieved". With the eIDAS reform, special attention should therefore be paid to ensuring that it is "not linked to uniform personal identifiers". His authority is not involved in the relevant wallet pilot tests, despite the obligation to consult it. If necessary, data protection and IT security would then have to be retrofitted later.
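To make Kelber's point about "uniform personal identifiers" concrete, here is an added example (written for this article, not code from any of the projects discussed) that contrasts the two designs: a wallet that hands every relying party the same card serial, and one that derives a different pseudonym for each sector from a secret that never leaves the card. The two relying parties, the card serials, secrets and log entries are all constructed for the illustration. The German eID card's own sector-specific pseudonym function (Restricted Identification) uses a different cryptographic construction; the keyed hash here is only the simplest way to show the property.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one relying party's log entry: the identifier it received plus
// what it observed. All sample data in this file is constructed.
type Record struct {
	ID     string
	Action string
}

// card holds the constructed per-citizen data: a printed serial and a secret
// that, in the pseudonymous design, never leaves the chip.
type card struct {
	serial string
	secret []byte
}

var cards = []card{
	{"T220001293", []byte("constructed-secret-A")},
	{"T220001294", []byte("constructed-secret-B")},
}

// uniformID is the "uniform personal identifier" design: every relying party
// receives the same value, so any two parties can join their records.
func uniformID(c card, _ string) string { return c.serial }

// sectorPseudonym is the pseudonymous design: HMAC-SHA256 keyed with the card
// secret over the relying party's sector identifier. The same sector always
// gets the same value (returning users are recognised), different sectors get
// values that cannot be related without the secret.
func sectorPseudonym(c card, sectorID string) string {
	mac := hmac.New(sha256.New, c.secret)
	mac.Write([]byte(sectorID))
	return hex.EncodeToString(mac.Sum(nil))
}

// joinProfiles is what a data broker would try: join two relying parties' logs
// on the identifier and return the actions that could be tied to one person.
func joinProfiles(a, b []Record) map[string][]string {
	byID := map[string][]string{}
	for _, r := range a {
		byID[r.ID] = append(byID[r.ID], r.Action)
	}
	joined := map[string][]string{}
	for _, r := range b {
		if prior, ok := byID[r.ID]; ok {
			joined[r.ID] = append(append([]string{}, prior...), r.Action)
		}
	}
	return joined
}

// logsWith produces the two relying parties' logs under a given identifier scheme.
func logsWith(idFor func(card, string) string) (bank, pharmacy []Record) {
	for _, c := range cards {
		bank = append(bank, Record{idFor(c, "sector:bank.example"), "opened account"})
		pharmacy = append(pharmacy, Record{idFor(c, "sector:pharmacy.example"), "bought medication"})
	}
	return bank, pharmacy
}

// linkableUsers counts how many citizens the broker can profile across both sectors.
func linkableUsers(useSectorPseudonyms bool) int {
	idFor := uniformID
	if useSectorPseudonyms {
		idFor = sectorPseudonym
	}
	bank, pharmacy := logsWith(idFor)
	return len(joinProfiles(bank, pharmacy))
}

// stableWithinSector shows the relying party still recognises a returning user
// while a second sector sees an unrelated value.
func stableWithinSector() bool {
	c := cards[0]
	bankA, bankB := sectorPseudonym(c, "sector:bank.example"), sectorPseudonym(c, "sector:bank.example")
	return bankA == bankB && bankA != sectorPseudonym(c, "sector:pharmacy.example")
}

func main() {
	fmt.Println("uniform ID, citizens profiled across sectors:", linkableUsers(false))
	fmt.Println("sector pseudonyms, citizens profiled across sectors:", linkableUsers(true))
}
```

With the uniform serial both citizens' bank and pharmacy records join into one profile; with sector pseudonyms the join yields nothing, while each relying party can still match a returning user against its own records.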
EU Commission is working on EuID
The digital identities project is in transition, said Isabel Skierka, programme manager at the European School of Management and Technology (ESMT) in Berlin. With the EuID as a wallet solution for smartphones, the EU Commission is planning an approach that citizens can also use to manage additional documents such as vaccination certificates or library cards. Bundling it with the electronic tax return (Elster), citizen accounts or the health card would be an option.
Skierka pointed to large technology platforms such as Apple and Google, which are also integrating state identities such as driver's licences into their existing wallets. Some of these corporations hold market-dominating positions, so solutions promoted by the state would at least have to be competitive, especially in user-friendliness and range of applications. In principle, "cooperation" from these providers could be enforced at EU level via the planned new eIDAS regulation and the Digital Markets Act (DMA).
First German attempt failed
To solve the chicken-and-egg problem with the now twelve-year-old eID in the identity card, Bitkom recommends "merging all levels" and combining the "master ID" from the national document with, for example, a digital driver's licence. The experts largely agreed that the eID in the ID card is a good and secure option but is still little used.
Behind universal wallet applications with eID there is often the concept of "self-determined identities", also known as "Self-Sovereign Identity" (SSI). The previous federal government also relied on this approach with its quick launch of an "ID Wallet" containing a digital driver's licence. It failed miserably and trust was lost: security researchers found that no protection against attackers accessing personal data had been implemented. The Federal Office for Information Security (BSI) had even drawn the federal government's attention to a security gap before the app was published.
Insufficient usability, blockchain useless
The current AusweisApp2 is also lacking in user-friendliness, criticized Christian Kahlo, a civil-society expert on digital identities on the internet. Above all, communication about the government's former prestige project was neglected, and existing procedures were not adapted. The focus on the ID card, the mobile phone and SSI is too narrow. Kahlo recommended security functions in SIM cards and wearables.
Kahlo dismissed blockchain, which is usually associated with SSI, as hype that "makes no sense at all" for the eID. Anchoring one's own identity in such complex databases, or even spreading it across them, is undesirable. According to Flüpke, too, there is "no technical necessity" for using a blockchain.
Copy certificates, not ID cards
Proponents of SSI often make no distinction between digital identities and attestations such as certificates, said Marian Margraf from the Fraunhofer Institute for Applied and Integrated Security (AISEC). Yet the two concepts have to be implemented very differently. With an online attestation, "as the presenter I do not prove that I am that person," the researcher explained. Attestations can and should be copyable, but an eID must not be, in order to prevent identity theft. Margraf also advised building a government solution for online ID "as an open source project right from the start" and discussing the concepts with the community.
The reference software should be available as open source, Flüpke also recommended. In addition, the ID app needs to be "pretty", and the burden of the authorization certificates needed to integrate the eID should be reduced. The issuer, Bundesdruckerei, currently holds a "monopoly position".
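Flüpke's warning about a copyable "state-signed ID copy" and Margraf's distinction between copyable attestations and a non-copyable eID describe the same mechanism from two sides: an issuer signature alone proves that the data is genuine, not that the presenter is its subject. The following added example (written for this article; it is not code from the AusweisApp, the ID Wallet or any eIDAS project, and the German eID's real protocol is a different design) shows the difference in a minimal form using only the Go standard library. An issuer signs attributes with Ed25519; in the bound variant the attributes also carry the holder's public key, and the relying party demands a signature over its own fresh challenge under that key. The names, birthdate, keys and challenge are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Attributes is the payload the issuer signs (sample values below are constructed).
// HolderKey is the holder's public key; empty means a plain signed copy, no binding.
type Attributes struct {
	GivenName string `json:"given_name"`
	Birthdate string `json:"birthdate"`
	HolderKey []byte `json:"holder_key,omitempty"`
}

// Credential is attributes plus the issuer's signature over their JSON encoding
// (encoding/json writes struct fields in declaration order, enough here).
type Credential struct {
	Attributes Attributes
	Signature  []byte
}

func issue(issuerPriv ed25519.PrivateKey, a Attributes) Credential {
	payload, _ := json.Marshal(a) // cannot fail for this struct
	return Credential{Attributes: a, Signature: ed25519.Sign(issuerPriv, payload)}
}

// bindMessage ties a holder response to one challenge and one credential, so it
// cannot be replayed in another session or attached to another credential.
func bindMessage(challenge, credSig []byte) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write(credSig)
	return h.Sum(nil)
}

// respond is the holder's proof of possession; a thief without holderPriv has nothing to sign with.
func respond(cred Credential, holderPriv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(holderPriv, bindMessage(challenge, cred.Signature))
}

// verifyIssuer checks the issuer signature only: a stolen copy passes this check.
func verifyIssuer(issuerPub ed25519.PublicKey, c Credential) bool {
	payload, _ := json.Marshal(c.Attributes)
	return ed25519.Verify(issuerPub, payload, c.Signature)
}

// verifyPresentation also demands a valid response under the key the issuer bound
// into the credential; credentials without a HolderKey are rejected outright.
func verifyPresentation(issuerPub ed25519.PublicKey, c Credential, challenge, response []byte) bool {
	hk := c.Attributes.HolderKey
	if !verifyIssuer(issuerPub, c) || len(hk) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(hk), bindMessage(challenge, c.Signature), response)
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Outcome records which presentations a relying party would accept.
type Outcome struct {
	StolenCopyAccepted   bool // unbound credential, replayed by a thief
	StolenBoundAccepted  bool // bound credential, replayed by a thief with no holder key
	RekeyedBoundAccepted bool // bound credential with HolderKey swapped to the thief's key
	GenuineBoundAccepted bool // bound credential, presented by its holder
}

func run() Outcome {
	issuerPub, issuerPriv := mustKey()
	holderPub, holderPriv := mustKey()
	thiefPub, thiefPriv := mustKey()
	challenge := make([]byte, 32) // fresh per session; the relying party picks it
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}

	unbound := issue(issuerPriv, Attributes{GivenName: "Erika", Birthdate: "1964-08-12"})
	bound := issue(issuerPriv, Attributes{GivenName: "Erika", Birthdate: "1964-08-12", HolderKey: holderPub})
	rekeyed := bound // thief keeps the issuer signature but points HolderKey at their own key
	rekeyed.Attributes.HolderKey = thiefPub

	return Outcome{
		StolenCopyAccepted:   verifyIssuer(issuerPub, unbound),
		StolenBoundAccepted:  verifyPresentation(issuerPub, bound, challenge, nil),
		RekeyedBoundAccepted: verifyPresentation(issuerPub, rekeyed, challenge, respond(rekeyed, thiefPriv, challenge)),
		GenuineBoundAccepted: verifyPresentation(issuerPub, bound, challenge, respond(bound, holderPriv, challenge)),
	}
}

func main() {
	fmt.Printf("%+v\n", run())
}
```

The stolen unbound copy still verifies as issuer-signed, which is exactly why such copies become worth stealing. The bound credential is useless to the thief: without the holder's private key there is no valid response, and swapping in the thief's own key breaks the issuer signature. In a real deployment the holder key would live in a secure element or smart card so that it cannot be copied along with the attributes, which is the point Flüpke makes about secure elements being available in only a few phones.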
Thousands of euros for a D-Trust certificate
Kim Nguyen of D-Trust, Bundesdruckerei's certificate service provider, preferred to speak of a model that is open to the market but currently has only one participant. The prices for the authorizations are "customary in the market": an initial fee of "a few thousand euros" plus ongoing annual costs of a similar amount. He campaigned for a national sovereign wallet with the eID at its core and open interfaces in order to stand up to Apple and Google.
Peter Parycek from the Fraunhofer Institute for Open Communication Systems (FOKUS) spoke in favour of "free use" of the certificates for the public sector and business. Nobody cares about high-security elements that are not widely used. The current ID app with an NFC interface, which provides a second authentication factor, is a viable solution. The "time window of maybe two years" now has to be used to improve user-friendliness and make more applications available. Parycek does not expect a single EU-wide eID solution either, but rather mutual recognition of national systems.
Weiß from Bitkom admitted that the SSI concept, along with blockchain, was "not yet fully standardized". Nevertheless, it is fundamentally about technology "that we urgently need". The economy needs more than the identity card, since it does not contain certain information.