With the new German ID card and the IT systems working in the background, electronic identities have become the key to trustworthy activities on the internet. In an effort to establish the online ID card and what it has to offer in the minds of the public and in everyday activities by administrations and private companies, many new processes and applications were launched last year. Today, the German e-ID system has reached an important milestone, also in international terms, on the way towards greater ID security in the digital world.
Launched on 1 November 2010, Germany’s new ID card provides around 60 million German citizens for the first time ever with an e-ID management system that allows them to identify themselves in digital worlds and verify the identity of their communication and business partners. Administrations and commercial enterprises whose online services require reliable ID and age information can now finally trust the secure data, organise media-consistent business processes and ensure much more efficient operations. Furthermore, every internet user who wishes to use the online ID function now receives clear information about registered service providers and they can use the pseudonym function to log on, even anonymously, to the member sections of certain websites. The new ID card with its electronic functions presents its holder with a completely new technical instrument that serves the constitutional right of informational self-determination in Germany – an instrument that is at every citizen’s disposal.
Equal give and take
In order to guarantee the double function of secure provision and verification of confidential data, the German e-ID management system was based on the principle of ‘mutual authentication’. On the one hand this is ensured by the reliable ID data contained in an official document, and on the other by so-called authorisation certificates which confirm that institutions and companies are trustworthy service providers. This equal give and take of sensitive information is secured and supported by a security chip that forms an integral part of the new ID card and supports a total of three electronic functions:
1. the online ID function;
2. the qualified electronic signature;
3. the official biometric function.
Online ID function
The so-called online ID function (or in short: e-ID) is entirely new for the ID cardholder. By using their PIN, the cardholder determines which data are to be disclosed to digital communication or business partners who, for their part, must identify themselves using a valid authorisation certificate. The document-based data and certificates can be read out via the interface of an e-ID service. The most recent use of this function is the online platform openpetition.de.
German citizens can use this platform to initiate electronic signature campaigns without having to go out and collect actual signatures in shopping centres. Each person signing a petition identifies themselves unambiguously using the online ID function. This means that the signatures are clearly verified and can be collected online and passed on.
In addition to this, there is also a growing number of new applications, especially in e-Government. Online application services for civil status certificates or land register extracts, the use of library services or the registration of dog licenses are just some examples of the many other services available. Confidential information on, for example, child benefit from the Federal Employment Agency can also be accessed. At the same time, interest is growing among private companies. Apart from data registration being far simpler, it is much more important for them to know for sure that the person intending to buy their goods or services does in fact exist and that personal data cannot be deliberately manipulated. In an effort to provide effective protection against identity theft and online crime, the German insurance company Gothaer Allgemeine Versicherung has been supporting the use of the new ID card since 2010. The German Pension Insurance Association also allows users of the new electronic authentication processes to access their pension forecast or current pension account.
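The mutual-authentication rule described above (the provider proves itself with a valid authorisation certificate, the cardholder authorises with the PIN and chooses what to disclose) can be sketched as a release decision. This is an added illustration, not code from the e-ID system or its operators; the class names, field names, sample values and the boolean PIN result are assumptions, and the real certificate format and cryptographic protocols are not modelled.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class AuthorisationCertificate:
    """Hypothetical model of a provider's authorisation certificate."""
    holder: str                # service provider the certificate was issued to
    serial: str
    valid_from: date
    valid_until: date
    allowed_fields: frozenset  # ID data this provider is entitled to read

class EidService:
    """Simplified stand-in for an e-ID service checking certificates and revocation lists."""
    def __init__(self, revoked_serials):
        self.revoked = set(revoked_serials)

    def check_provider(self, cert, today):
        if not (cert.valid_from <= today <= cert.valid_until):
            return "certificate outside validity period"
        if cert.serial in self.revoked:
            return "certificate revoked"
        return None

    def release(self, cert, requested, card_data, pin_ok, user_selected, today):
        """Return (released_fields, reason); nothing is released unless both sides pass."""
        problem = self.check_provider(cert, today)
        if problem:
            return {}, problem
        if not pin_ok:
            return {}, "cardholder did not authorise with PIN"
        excess = set(requested) - cert.allowed_fields
        if excess:
            return {}, "request exceeds certificate: " + ", ".join(sorted(excess))
        granted = set(requested) & set(user_selected)  # cardholder may deselect fields
        return {f: card_data[f] for f in sorted(granted) if f in card_data}, "ok"

# Constructed sample data (not real card contents or a real certificate)
CARD = {"family_name": "Mustermann", "date_of_birth": "1964-08-12", "address": "Berlin"}
SHOP = AuthorisationCertificate("shop.example", "SP-0001", date(2011, 1, 1),
                                date(2011, 12, 31), frozenset({"family_name", "address"}))

if __name__ == "__main__":
    service = EidService(revoked_serials={"SP-0666"})
    print(service.release(SHOP, ["family_name", "address"], CARD, True,
                          ["family_name"], date(2011, 6, 1)))
```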
Qualified electronic signature
The qualified electronic signature (QES) can replace a handwritten signature. This additional function can be provided separately and activated by a state-accredited trust centre. It enables citizens to digitally sign contracts, issue a power of attorney and submit official applications recognised by law. At last year’s CeBIT, the world’s largest and most international computer expo, the federal state of Hesse, Bundesdruckerei and SAP demonstrated how, in a matter of minutes, an ‘ad-hoc QES’ can be uploaded onto the new ID card and subsequently used to do business. Concepts such as these, which are much faster and far more convenient than previous QES methods, are quickly paving the way for new applications and online public agency services.
Official biometric function
In order to continue to serve as a secure ID and travel document, the new ID card, just as the German e-Passport, has additional biometric security features that can only be used by authorised bodies. Certain data from the front and back of the ID card, as well as a digitised facial image of the holder are stored on the security chip. The citizen can opt to have two fingerprints stored on the chip, which improves identification even further. Unlike the online ID function, the biometric data, which are especially protected by additional security protocols, cannot be accessed for private applications.
Format and physical appearance
In addition to the technical innovations, the appearance of the new ID card is also different from its predecessor. This is obvious from the credit card size (ID-1) that replaces the ID-2 document size previously used.
Other changes that have been made (the numbers refer to figure 1):
1. the postal code in the address field;
2. an empty line for the order name or pseudonym;
3. a six-digit access number which allows official bodies to access the data stored on the security chip, for example during police or border control checks.
The changes made are underpinned by a new logo (figure 2) showing two opposing semi-circles that symbolise the fusion of offline and online applications, and an extremely clear photo.
Approximately two years of preparation under the leadership of the Federal Ministry of the Interior went into the establishment and implementation of the new e-ID system in Germany. On 18 June 2009, the German Parliament adopted the law on ID cards and electronic ID (Gesetz über Personalausweise und den elektronischen Identitätsnachweis), and 1 November 2010 was agreed as the date for the first documents to be issued, which was quite a tight timeline for such an ambitious project that required the creation of completely new infrastructures and which could only be mastered through the joint efforts of many competent partners.
Berlin-based Bundesdruckerei assumed an important role in the project preparation and during the first months of operations. The company is not only responsible for the central document preparation but also for providing the secure public key infrastructure (PKI) and for the hardware and software components at the approximately 5,500 passport and ID card offices (figure 3). In addition to powerful fingerprint scanners, these also include around 20,000 newly developed update terminals.
e-ID service interface
In order to successfully implement the new ID card, centrally coordinated tests for e-Business and e-Government were launched in the autumn of 2009. Close to 300 companies and institutions participated in these tests which lasted until November 2011. Again, Bundesdruckerei played a large role in these processes, especially in establishing Germany’s first-ever e-ID service that the company implemented in cooperation with its trust centre D-TRUST. The platform, a communication interface between web service providers and their customers, was especially developed for the online ID function in order to manage and verify authorisation certificates and revocation lists as well as to guarantee highly secure data exchange to every authorised user of the e-ID.
At the same time, the new application processes were put to the test at the public agencies. These processes included:
• data capture;
• data transfer to central document production;
• checking and issuing the new documents;
• the use of the update terminals to activate and deactivate the online ID function.
With the help of some 200 Bundesdruckerei support employees, all passport and ID card offices were invited to take part in the test scenarios, in order to help improve the new public key infrastructures. This has resulted in a new system for issuing ID cards that is unique in the world today.
Secure ID for everyone
With new methods and technological concepts, Germany has successfully implemented the European e-Passport project, once again underpinning its pioneering role on the international high-security market. The new ID card system has opened up entirely new ways to protect and use electronic ID. Unlike internationally valid travel documents, the new ID card no longer ‘merely’ involves the transfer of data within limited communication structures (for example during ID verification at international borders or during national ID checks), but is part of an e-ID system that can be used by everybody. The online ID function guarantees that when e-Government and e-Business applications are used, personal data can be transmitted securely, and released for use within certain business processes in a manner that up to now was only possible in official identification processes.
Future market of secure ID
With the changes made within the context of the new ID card, the German government and all the project partners involved have implemented an enormous restructuring process. This applies in particular to the growing online market. While web suppliers benefit from the availability of reliable customer data, users can now rely on much improved ID protection: a win-win situation that has made many German e-Government and e-Business applications much more secure and efficient to use, something that members of the public are becoming increasingly aware of. Last year, demand for valid authorisation certificates for new e-Government and e-Business applications was continuously on the rise. Online platforms, such as personalausweisportal.de, inform citizens about new offers and services that can be used in conjunction with the online ID function.
However, there was also a lesson to be learned during the first year: the stakeholders realised that changing to such a multi-layer system calls for generously planned lead times. New applications have to be developed by the online sector, infrastructures adapted, and modified IT architectures integrated. These processes are being vigorously pushed ahead because demand for secure identities is growing and the added value potential in the global secure ID market is vast.
A digital future
What we have to do now is respond to this development with future-enabled technologies, user-friendly applications and electronic ID documents and e-ID systems that can be used on an international scale. A growing number of EU member states already have their own e-ID concepts. At the same time, there is an increasing call to bring national solutions on par with each other, thus making them accessible for cross-border electronic services. This is the reason why European initiatives such as STORK (Secure idenTity acrOss boRders linKed), are now already promoting the widespread harmonisation of national e-ID solutions. This is without doubt the right approach and the only way in which the old question of ‘Who are you?’ can help to create greater security as well as a new quality of trustful interaction in the digital information world.