[Dave Birch] The German personal identity card is being introduced with an online framework. The eCard-API framework — which is essentially a collection of standards for services including e-passport, e-health and so on — means that e-commerce, e-banking and e-government will be able to use the card to provide secure services to the public (although note that these third-party service providers will not have access to the on-card biometrics). The cards have a contactless interface: to use them online, customers will have to buy a USB contactless reader to plug into their PC and then download the free “Burgerclient” software. Service providers who want to access data on the card have to mutually authenticate, which means that they must present the card with a valid permission certificate (they get these from accredited certificate service providers, known as “Trust Centres”). If service providers want to use the card in a transaction, the customer must first confirm what data is being read from the card and then authenticate with a six-digit passcode, thus providing convenient 2FA for online services.
SCM’s RFID-based contactless card readers form the core of Secure IT Kits that the German government will make available without charge to citizens, through its suppliers, to encourage the use of the electronic ID cards.
For Martha’s sake! Germans not only get a useful ID card but they get free card readers for their PCs as well. Now that’s what I call a networked nation. Germany has over 70% Internet penetration and, according to BITKOM (the German Federal Association for Information Technology, Telecommunications and New Media), five months before the official launch of the card more than half of them had already stated that they wanted to use the card for home banking and access to public services. The Bundesdruckerei (Federal Printing Office) has already put forward a plan to allow citizens to load their electronic identities on to NFC-capable mobile phones in the future.
I particularly like the way in which the cards generate per-service-provider pseudonyms, so that every time the customer logs in to, say, Amazon, they would have the same “ID number”, but the bank would see a different number and so would the tax authority or another store or anyone else. This basic partitioning was precisely the kind of intelligent design decision that I would have advised the UK Home Office to adopt, had they asked me.
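An added illustration of the per-provider pseudonym idea, not code from the original post and not the card's actual protocol: a keyed hash over a provider identifier stands in for whatever derivation the card uses, and the `Card` class, sector names and serial numbers are constructed for the example. It assumes the provider identifier is taken from the authenticated permission certificate, so a provider cannot claim another's identifier.

```python
import hashlib
import hmac
import secrets


class Card:
    """Constructed stand-in for an ID card holding a secret that never leaves the chip."""

    def __init__(self, serial: str):
        self.serial = serial                    # global identifier (the anti-pattern)
        self._secret = secrets.token_bytes(32)  # per-card secret (hypothetical)

    def pseudonym(self, sector_id: str) -> str:
        """Identifier shown to one provider. Assumption: sector_id comes from the
        provider's authenticated permission certificate, not from free input."""
        mac = hmac.new(self._secret, sector_id.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:32]


def linkable(db_a: set, db_b: set) -> set:
    """Identifiers two providers could join on if they pooled their customer tables."""
    return db_a & db_b


def demo():
    cards = [Card(f"SERIAL-{n:04d}") for n in range(5)]  # constructed sample population
    shop, bank = "shop.example", "bank.example"          # hypothetical sector identifiers

    # Same card, same provider: stable across logins, so it works as an account key.
    stable = all(c.pseudonym(shop) == c.pseudonym(shop) for c in cards)

    # Each provider stores only the number the card showed it.
    shop_db = {c.pseudonym(shop) for c in cards}
    bank_db = {c.pseudonym(bank) for c in cards}
    by_pseudonym = linkable(shop_db, bank_db)

    # Contrast: a card that hands every provider the same serial number.
    by_serial = linkable({c.serial for c in cards}, {c.serial for c in cards})

    # Caveat: two providers presenting the same sector identifier see the same
    # numbers, so the partitioning is only as fine as the identifiers issued.
    shared = linkable({c.pseudonym(shop) for c in cards[:3]},
                      {c.pseudonym(shop) for c in cards[2:]})
    return stable, len(by_pseudonym), len(by_serial), len(shared)


if __name__ == "__main__":
    print(demo())
```

With pseudonyms the two customer tables have no identifier in common, while the serial-number variant lets them be joined row for row.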
Germany’s new contactless National Identity Card… sounds rather like what the UK ID card was meant to do, but the policy and politics surrounding it were so poorly conceived and communicated that the concept was never likely to be a success.
No! It was not an issue of policy and communication. The UK card was rubbish: it was just a different-shaped passport. You couldn’t use it for e-business or e-commerce or, for that matter, business or commerce. The German card has been designed by identity experts and engineers, not by politicians and management consultants. We Brits didn’t get an API or even a published interface.
Why was the UK scheme so rubbish? It’s a question that I’m asked from time to time and still have difficulty in answering. After all, a great deal of our public sector IT is rubbish, so it’s difficult to figure out what was especially rubbish about the ID card scheme. But I think a great deal of the problem goes back to the very earliest days of the scheme. I went along to the first “consultation” with the industry, and it was very clear from the beginning that the Home Office and the management consultants that they had appointed had no interest in consultation about national identity management schemes and what might be the best choices for the 21st century, but only about the procurement process. Together with colleagues from Consult Hyperion, we were invited to make a couple of presentations about what we had learned from our work with, for example, the Hong Kong national ID card and to explain some of our suggestions, but none of this information (to the best of my knowledge) was ever used in the design of the scheme. But back to the point. One very particular problem was that the ID card was deliberately jumbled up with the passport, not for engineering reasons but for procurement reasons.
CSC is operating the 10-year, £385m application and enrolment contract. A Home Office spokesman told The Register that because the technology will be used for passports and in issuing ID cards to foreigners – which will go ahead – the firm will not be affected.
Likewise there will be no significant impact on IBM’s seven-year, £285m National Biometric Identity Service deal. It will now only need to store biometric data relating to passports and asylum applicants, however.
There are many reasons to be against ID cards, not all of them related to the design and implementation of the technology…
A school safety officer in Brooklyn is awaiting damages from her 2007 suit against the city for making her wear an ID card at work. Velma Craig, 48, was fired from her job at P.S. 235 for refusing to wear the card, and claimed religious discrimination because she believes the fingerprints and computer chips in the card were “the marks of the beast.”
…but I’m not. My position remains unchanged: a well-designed ID card for the 21st century is a significant net benefit to society. But it is almost impossible to see how such a card might arise from the UK’s public sector.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.