For a long time, digital role models such as Estonia have digitized a large part of their administrative procedures so that citizens can conveniently handle them from a smartphone or PC. The German administration, in contrast, is clearly lagging behind when it comes to digitization. In principle, with the Online Access Act of 2017 the Federal Government committed to digitizing public administration by the end of 2022 at the latest. But the Ausweisapp2 of the Ministry of the Interior is not a practical solution for identification on the Internet, even if it at least lays the foundation for dealing with authorities and doing business online.
Digital proof of identity for visits to authorities
At least parts of the German population are a few steps ahead of the authorities when it comes to digitization and are demanding the rapid expansion of the country's digital infrastructure. But the administration, especially when it comes to applications, cannot really keep up. The focus of the administration's online activities is digital identity and the ability to provide proof of it. Every conclusion of a contract presupposes that the contracting parties can identify themselves unambiguously and in a legally valid way. In this respect, the Ausweisapp2 promises to give the faltering digitization a welcome boost.
Without a doubt, the population (and companies) could benefit from a digital ID card. Nevertheless, the associated risks should not be underestimated, and in the public debate it has so far been difficult to dispel them. There is a lot at stake: the more business is relocated to the Internet, the more profound the consequences of identity theft. Should cyber criminals gain control of someone else's digital identity, the possibilities for serious abuse are almost unlimited. Initial examples such as the ID data stolen in the Scalable Capital case have shown the risks here, from purchases at the victim's expense to legally relevant activities on the Internet. All of this can cause immense damage, which is why a seamless and well thought-out IT security strategy is essential for an app for digital proof of identity.
Confidential Computing from Idgard protects digital identity
Data can be effectively protected by encryption while it is stored and transmitted, but for processing it currently still has to be decrypted beforehand. Resourceful cyber criminals are aware of this fact and specifically attack the servers on which the data processing takes place.
To put a stop to the temptations that arise from the extensive opportunities for abusing an ID card, the data can be protected against unauthorized access with various approaches. The bottom line is that three techniques have proven their worth here. Confidential computing at processor level is a technique developed by Intel, Google and Co. that moves code into separate memory enclaves on specially designed processors before it is processed. This guarantees secure protection. With confidential computing at the server level, or "sealed computing", as offered, for example, by the Munich IT security company Uniscon (known for the Idgard cloud service), the data is transferred to a sealed server ("sealed cloud") before it is processed. There it can be decrypted and processed, secured against unauthorized access. With its sealed cloud platform, the secure cloud provider wants to provide a secure execution environment for web applications with high security and data protection requirements. In this way, manipulation or theft should be excluded from the outset.
Another technology that could revolutionize access protection in the next few years is the blockchain. This approach will be used, for example, in the planned digital proof of vaccination, in which the collected and anonymized data is encrypted and stored on a total of five different blockchains. The fact that political leaders have recognized that complete data protection must also cover the vulnerable stage of data processing gives hope that future projects at federal level will also be provided with comparable security measures.
Trust is at stake
Especially with central personal data and an instrument as powerful as a digital identification function, no unnecessary risks should be taken. The example of the Corona warning app has shown that, especially in Germany, a solution not only has to be data protection compliant on the surface, but that it is also important that the population perceives it that way on a large scale. To this end, all possible precautionary measures should be considered and the most effective techniques for securing the digital identity implemented. If the ambitious Ausweisapp2 project is to become a success story, the fragile trust of Germans in public digitization projects must be taken into account. Apart from that, when implementing services, for example from insurance companies or banks, one encounters the chicken-and-egg problem: companies only rely on such a solution if they can expect that part of society will also ask for it. And consumers will only use something like this if they trust the technology on the one hand and find the solutions offered attractive and useful on the other.