New secure identity card or driver for the digital economy?
The German e-ID card was launched in November 2010 after four years of preparation, with particular attention paid to the conditions for success and take-up.
More than 21 million new-generation identity cards are now in circulation, the national digital identity infrastructure has been built and its legal framework is now clearly defined.
The vision of this governmental modernization program is based on a strong idea: to extend all traditional uses of identity cards to the digital world, as well as to generate all the benefits in terms of increased competitiveness, responsiveness, ubiquity, potential for improvement and innovation of public services which online transactions can provide to the socio-economic activity of a country.
Public acceptance, measured by the use of the electronic identity, had however not met expectations by the end of 2013.
Nevertheless, the time needed for this type of project has to be taken into account, and one must not under-estimate the scale of political, cultural and legal changes involved.
The real value of this programme only becomes apparent when one considers the contribution made to society, the strengthening of the values of trust and cohesion within communities, and its overriding purpose of social cohesion. The modernization of society will lead to a multitude of digital platforms and uses requiring the deployment of electronic identities secured by this new equipment.
The benefits of a transformation of this kind are more political in nature than solely economic. Without this holistic vision, it is nearly impossible to justify the considerable efforts required to undertake such a change.
Germany has first-hand experience of these issues. By taking the initiative, Germany has learned that although this project stemmed from the fields of technology and law, it is far from being a purely technological endeavor.
This winter trip to Germany in 2013 therefore provides us with the opportunity to take stock of the lessons learned over more than 10 years of e-ID programs in Europe.
An audacious national program and a willingness to innovate
Out of all the major European countries, Germany has been particularly audacious, with strong political will at the highest levels of government to modernize the country and provide its population with the tools to improve society in terms of competitiveness, well-being, and living conditions.
In 2006 Germany deployed its ambitious governmental digital modernization program with the implementation of the e-Gov 2.0 platform in Berlin within a framework of exemplary security and trust, enabling the German public authorities to ensure a seamless continuity between the physical and digital worlds.
Facts and figures of the program*
- 21 million new contactless identity cards and 2.2 million electronic residency permits had been issued by the end of 2013.
- Authorization certificates for 147 services from 106 suppliers were also granted: 40% are for e-Government services, and 60% for e-Business services.
- The rate of implementation, in other words the activation of the online identification function, stands at around 28% after three years in operation.
- This program is considered to be one of the largest IT projects of the German public authorities. A new IT infrastructure has been created for more than 60 million federal citizens. In total, 23,000 employees of more than 5,300 public bodies have been trained in the new working processes.
- Card readers were distributed free of charge during the start-up phase to speed up the use of online identification.
- Online services were offered from the launch of the new identity card thanks to a programme to support service suppliers from the private and public markets.
- The State chose a policy of making the e-ID an official identity card with an online identification function rather than an electronic identity solution issued to citizens and which could be integrated into other cards (bank, healthcare, town cards, etc.), like in Austria.
- The data protection framework is very comprehensive, and the identity card holder can control and check which data is transmitted.
- Identification only: The e-ID Card cannot be used for any other service; the electronic component contains no memory space for other data.
- The Card does not contain official X.509 authentication certificates (certified electronic signature) for data protection reasons, and to ensure data on the identity of an individual may not be sent to third parties as "authenticated".
- The decision was made to not create a centralized database (decentralized architecture).
- The digital use of the e-ID is voluntary in nature: citizens may activate or deactivate the online identification function at any time.
(*) Source: Kompetenzzentrum Öffentliche IT, Fraunhofer-Institut für Offene Kommunikationssysteme FOKUS, October 2013
A techno-centric vision, positively obsessed with legal and security concerns
This vision of the future was derailed by the belief that technology alone is the source of progress. The disproportionate focus on technological innovation in Germany, and the fear of being unable to control the multitude of effects in all administrative, social and economic fields, resulted in the project being led by legal and security experts.
With a focus positively obsessed with the idea of zero fault and zero risk, the German e-ID was therefore created within a framework of extreme security for exchanges and personal data, subject to complex legal constraints.
In 2012, a number of legal issues were ironed out: various legal adaptations were required to enable the use of the online identification function. Apart from the law on documents, the framework law on the right to online declarations, the order on signatures and the law on money laundering were adapted to enable the new identity card to be used. In particular, the online identification function of the new identity card and the electronic residency permit as an electronic equivalent of the physical form only came into effect in 2013, with the law on e-Government.
Despite this, the identity card cannot always be accompanied by a signature. Online activation of the electronic signature, which was planned initially, is still in the testing phase.
All these setbacks have fostered a feeling that the programme is not yet mature, and the time for widespread acceptance of this innovation has not yet arrived.
Failure is not an option
In fact, the legal and security fears surrounding the project should be considered in light of the initial technical issues related to the project, and, on a deeper level, in light of the traumas of German history and sensitive topics related to the program: central administration, the uncontrollable digital world, as well as the files and potential traceability that would go with it.
Some security failures immediately following its launch*, dependency on certain operating systems, browsers and browser versions, and delays before the AusweisApp was made available for Linux (after seven months) and MacOS (after more than a year) also undermined trust in the software and its use.
These teething problems, widely reported in the press, hardened citizens' fears, mistrust and scepticism with regard to this federal government system.
The German government therefore had a cultural duty to respect these feelings amongst its citizens. The data protection and privacy framework was thus strengthened, making the e-ID even more complex to use.
(*) Source: same document from the Fraunhofer Institut FOKUS, October 2013
The search for a flagship application
This initiative is a real program of social transformation, which enables a seamless connection between the physical and digital worlds for citizens, companies, and authorities, within a secure legal framework which can be traced and audited if necessary. It is therefore a tool designed to bring the country into the modern digital age.
No single flagship online application justifies the investment on its own, any more than the services along a motorway connecting an entire region would alone be sufficient to justify its creation and guarantee its profitability right from the word go. Efficiency, time gains, security and proximity are the initial drivers. Services come next, slowly but surely.
Germany strove to convince major publishers and suppliers of e-Commerce services around the world to accept German e-ID as a means of identification for their services, arguing that this would open up a potential market for them. But these suppliers showed little interest in integrating a German solution into their portfolio, since the target market seemed too small to them.
In addition, banks also declined the government's invitations to use the e-ID in their online services, since they had already implemented various secure identification solutions for their online banking services.
As a result, the energy expended to find initial partners undoubtedly stalled the opportunity to stimulate the market through the intense marketing of products related to the e-ID, and the packaging of services which the private sector could have used within a co-branding system, enabling operators and publishers to benefit from the State's image of trust. This choice was successfully made in Belgium, Estonia and Austria, however.
The difficult choice between movement and security
The German experience may shed light on the reasons for relatively disappointing take-up at the start of this project in a number of countries.
The vision of this ambitious governmental modernization program rests on extending all the traditional uses of identity cards to the digital world, for increased competitiveness and improvements for all of a country's stakeholders.
This potential will be fulfilled if the main weakness of the digital world is duly made secure: remotely, one cannot be sure of the identity of the counterpart in a transaction. We can deduce that at its heart, the digital modernization programme rests on the security of identity and the framework of trust which provides a guarantee for this highly promising digital world. There is no one better than the State to guarantee this trust in a permanent and universal manner, at the highest levels of a country.
- Is the aim to guarantee sovereign trust and protect identities in the digital world, or in other words the inviolability of social cohesion, which universally links citizens with public authorities?
- Or is the aim only to modernize the means of identification, the National Identity Card, and make it electronic?
The key to success lies in fully understanding this question. Estonia and Austria placed their faith in the first option, with successful results which we have noted. The government creates an identity token that the citizen can use through various means, including mobile phones, thereby multiplying the use of the sovereign secure identity link for all forms of exchanges with public authorities (including e-ticketing in Estonia).
Belgium, by seamlessly unifying the framework of trust into a single platform, with an audacious policy of transparency and intense marketing efforts among service suppliers and the general public, has to some extent made up for the media restrictions caused by the rigidity of an approach too constrained to an "Identity Card" vision.
However, it is not easy for public authorities to admit that risk is a permanent feature, not only of innovation, but of life itself. Should the adaptability of citizens be fostered by placing trust in them, or should they be overprotected, which would seem to lend force to any mistrust they may have?
Since 2012, Germany has conducted an in-depth review of its legal provisions, and made its security framework more flexible. The project has gained momentum once again, and the rate of usage for German e-ID increased in 2013.
Nobody can climb into the unknown four steps at a time. The art of change lies in combining forward momentum with intelligence gained over time.