Data sovereignty: the race for the digital I – digital


In the analogue reality, it is not too strenuous to identify yourself. You open your wallet, there are lots of plastic cards that you can use to identify yourself as a citizen, patient, account holder and customer. On the Internet, on the other hand, you create a separate account with username and password for each web service – a separate wallet for each electronic customer card, if you will. But it should get easier soon. Citizens should have a uniform digital identity. An electronic wallet for all important personal data and documents, from birth certificates to wills.

A master key to the digital self. But, as is the case with master keys: What if it falls into the wrong hands? And who will get a spare key? Such questions revolve around one of the most important digital policy projects of the year. The federal government has ambitious plans, the chancellor is putting pressure on behind the scenes. And that’s just as well. Because there is competition.

This master key will be needed at the latest when more and more official services are to be available online in the future. In order to digitally certify something for its citizens, the state needs a digital copy of the citizen, i.e. a digital identity to which they can assign these certificates. However, most people do not want to be copied, especially not digitally. So far, the authorities have circumvented this problem by only laboriously communicating on paper and calling this data protection. However, the further digitization advances, the more the state becomes a bottleneck in potentially automatable processes. Requesting, scanning and uploading paper certificates, the confirmation loops through offices, the time burned in waiting rooms – all of this is nerve-wracking. It costs the German economy high billions every year. A study by the consulting group McKinsey sees the potential savings possible in 2030 at three to 13 percent of the gross domestic product for different countries.

It took 16 years to create a coherent digital identity for the health care system with the electronic patient record – but for the time being the dispute over it continues. Also because, from the perspective of the Federal Data Protection Commissioner, the authentication process is not secure enough. The problem is that this partial identity is not linked to a secure digital wallet either. The tax offices in turn develop their own tax identity solution with “Elster”. And the students should get a digital student ID – probably at the end of 2024. All these isolated solutions urgently need to be linked together so that not every sector reinvents the wheel and in the end many half-good solutions come out. If at some point you have 15 apps for government services on your cell phone, eight of which have user guidance designed by German authorities, while five others would first have to have the forgotten access data sent to you by post, then many people will probably prefer to go to the office personally .

Or they use an identity service provider to identify themselves. They show their employees their ID cards, documents and evidence once via the webcam instead of having to do it again and again, as is the case today. The company stores this information and from then on authenticates it when the customer has to show it. In addition to the login button for the online account with the respective authority, there would then be other buttons to identify yourself via various identity service providers. The names of the major digital corporations could also be found there. Almost everyone has an Apple ID, a Google or Facebook account. You can identify yourself with these accounts on more and more websites in order to save yourself the annoying registrations and juggling passwords. Perhaps at some point you will click on “Login with Google” when you go to the digital authorities and, who knows, when you dial.

No job should get an overview

So it’s about elementary questions: What role does the state have in the digital age? At the end of last year, the Federal Chancellery brought together representatives from the railways, Lufthansa, banks, Telekom, mobile phone providers, hotel chains and online retailers. According to the wish of the Chancellor to the assembled business leaders, they should develop an “ecosystem of digital identities” – a common technical interface through which one can digitally identify oneself as a user of their various services. The state also wants to integrate its ID cards and certificates into this electronic wallet. The treasure trove of data generated during logins – who identified themselves and when and where? – but should not be handed over to the care of a single company, not even an authority. The “ecosystem” as a whole should establish itself as a trustworthy alternative to the super services from Silicon Valley. A decentralized system against the data streams converging centrally on the corporate servers.

The Federal Government is thus committed to a vision that network activists have been promoting for years: the digital “Self-Sovereign Identity”. The idea is that no one has an overview of the system in which proofs of identity and certificates circulate between people, companies and, at some point, things. Schufa, for example, receives selected numbers from the bank when the person in question releases them, but does not need to know anything about their customer account with an online erotic shop or their points in Flensburg. Everything only comes together in the electronic wallet. For this purpose, the Federal Chancellery is relying on specially secured memory chips in future cell phone models, as well as on distributed ledger technology, commonly known as “blockchain”. It enables data to be signed so that it cannot be forged later. It would be the first time this hype technology comes into contact with the masses of people.

Because everything should go pretty quickly now. A pilot project with the Motel One, Steigenberger and Lindner hotel chains will start in spring, and the first business travelers will then be able to identify themselves at check-in using the app and QR code. Further use cases are to be added in the second half of the year. At the same time, a field trial by the Federal Ministry of Economics will start in June. With a total of 45 million euros, it funds three model projects from different public-private consortia, which are to test local ecosystems of identities in so-called “showcase regions”. They all follow the principles of “Self-Sovereign Identity”. And they should be technically interchangeable: As soon as a standard becomes established, users can move there with the contents of their electronic wallets.

The system gets to know its users

The subject is also being dealt with in Brussels. In her State of the Union address last September, EU Commission President Ursula von der Leyen announced a “secure European identity” that one should be able to use in everyday life “from paying taxes to cycling”. Citizens should “be able to control for themselves which data is exchanged and how it is used” – that sounds a lot like the ideas from the Federal Chancellery. Public-private partnerships for exchanging digital identities already exist in several other Member States. Germany has taken its time, but now apparently wants to set the standards for data protection and individual data sovereignty.

Otherwise others will do it. For example “ID2020”, an alliance around the Microsoft group, supported by the US government. She is working on a transnational digital identity that may be issued in connection with vaccinations. Or the “Known Traveler Digital Identity” project, a consortium of airlines and airports supported by the Canadian and Dutch governments. Its plan is that from the summer up to ten thousand air travelers can “seamlessly” identify themselves digitally – with their face. They only show their passport once, an officer saves the data on it. Also the biometric data.

From now on, the traveler can pass the passport control because the system already knows him. With every trip he collects more digital passport stamps, so the system gets to know him better and better. At some point further documents such as registration certificates, university degrees and vaccination certificates will possibly be integrated into it, the system of transnational “trust” will change into a more comprehensive concept “how security decisions are made”, so it vaguely says in the project description.

“Getting usable police information, including biometric data, into the right hands at the right time is Interpol’s priority,” said Interpol General Secretary J├╝rgen Stock. In addition to his authority, the US Department of Homeland Security and the British National Crime Agency are also behind the project.

Biometric information integrated into government surveillance systems is extremely dangerous. The laws they are supposed to oversee can change. Nevertheless, the “Known Traveler Digital Identity” is also committed to giving users control over their data. The data should be stored decentrally on a blockchain database, in encrypted form, so that their owner retains control over them. In theory, he could refuse to hand them over if an officer asks. In practice, however, he could get himself into trouble with this – once the system has been established that knows him, but would like to get to know him a little better. Blockchain technology, which is often hailed as a savior, is no guarantee for a digitally self-determined world. The question is much simpler, more political: who confirms that you are who you are?

There is no reason to fear that technical answers to this question could be found all too hastily with a group of German authorities on board, and that the electronic wallet could end up in the wrong hands. The question remains whether this is really a cause for reassurance. If other standards prevail faster than those of the German state, the parliaments no longer decide on the digital citizen.

Leave a Reply

Your email address will not be published. Required fields are marked *