From September onwards, German citizens should be able to save the electronic ID (eID) linked to their ID card directly on their smartphones or tablet computers – if they have one of the few portable devices currently suitable for this purpose. According to a similar bill passed by the Bundestag on Friday at 12:27 am, it will be easier to use an ID card online. Its acceptability, which has not yet lived up to expectations, will be improved and utilization increased by at least 50 percent.
For the initiative The government factions voted from the CDU / CSU and the SPD, and the AfD and the Left opposed it. The Freedom Party and the party abstained from the vote.
Identity verification with a smartphone
So far, electronic proof of identity has been guaranteed by two factors: knowing the six-digit password and obtaining an identity card, an electronic identity card, or an electronic residence permit. Now Smartphone and AusweisApp2 status will be added as “Property Item”. For this purpose, the data for the identification process is transferred from the storage and processing component to the station according to the plan in a safe operation.
Citizens should be able to request the transfer of the necessary keys from the ID card memory to the mobile phone over the Internet, as they have to identify themselves by means of electronic identity. The ID card manufacturer must take measures to prevent data misuse, for example by means of a new blocking key. The card holder must be able to delete the eID data on the smartphone or tablet itself.
The federal government estimated in its original draft that electronic identification proof on mobile devices would exempt citizens from a total of 11,806 hours per year. The Ministry of the Interior and the Federal Office for Information Security (BSI) bear one-time development costs of 19 million euros and annual operating costs in excess of 25.4 million euros. Each hour saved costs the taxpayer around 2,200 euros if production expenses are omitted. Applications for e-ID are still manageable.
A suitable smartphone is required
A smartphone needs a built-in security architecture at a high level in order to be able to use the system. At the moment, only Samsung Galaxy S20 devices can do that, thanks to the state-funded Optimos 2.0 project.
Bundesdruckerei points out, however, that necessary security elements such as an integrated “secure element” or an eSIM do not “restrict smartphones” in principle. In principle, the technology is widely applicable, but device manufacturers and mobile phone providers should enable it to use it.
The Federal Ministry of Economics funds up to four large IT projects at the “Secure Digital Identities Exhibition” with a good sum of 50 million euros to demonstrate the potential of digital ID functionality on new generations of mobile phones. In addition to the Bundesdruckerei, one of the pilots is Vodafone and Giesecke + Devrient, while a second pilot heads Commerzbank’s R&D unit.
Central register for passport copy and signature
Federal states should also be allowed to create centralized photo records and vital signatures to implement an automated retrieval process. Early in 2017, the Bundestag passed a law under which police, secret services, tax investigators, customs and regulatory authorities could automatically request passport photos from registry offices. However, due to lack of communication standards, this has not yet worked.
Therefore, authorized bodies must request a passport photo by phone from identification authorities and then receive it “regularly by fax,” and the grand coalition justified the initiative on centralized biometric databases: “The quality of the transmitted image is correspondingly poor.”
Experts raised massive data protection concerns against the project at a hearing on Monday. So Schwartz Root added a clause according to which federal states must ensure that central passport records are “protected” from unauthorized access. It is necessary to exclude linking the data to be saved with features other than those required to retrieve images and an automatic signature.
Meanwhile, the Federal Ministry of the Interior is developing its “Passport and Identity Card Data Retrieval Law” with the aim of regulating nationwide requirements for automated access to biometric images. The Transportation Committee has also called on the government to ensure that the “high” level of security in accordance with European Union eIDAS regulations is also achieved for online identity cards on mobile phones. The validity of this certificate must be initially determined for a period of two years and the statutory maximum of five years must be exhausted only if it is ascertained that the security elements in the peripheral devices are appropriate for this. The economy should also be brought further with eID applications.
“Devoted gamer. Webaholic. Infuriatingly humble social media trailblazer. Lifelong internet expert.”