German authorities strangely schizophrenic about ID Card security

The German Interior Minister, Thomas de Maizière commented in an article for Die Welt yesterday that the new generation of German ID Cards is “100 times more secure” than the Card it replaces. That may or may not be true – but if it is, the parallel announcement is rather puzzling. German ID Card law has been amended so that (as of the beginning of November), it is illegal to request that a card-holder leave their card in your safekeeping.

As the article went on to say, this is going to affect many little personal transactions which have become the de facto norm over past years. Even visitors to the Bundestag, Germany’s legislative seat, have previously been used to swap their ID Card for a visitor’s pass on entry. It is now illegal for them to do so.

It is a strange reflection on the security of the German ID Card implementation, if the cards cannot safely be left with a third party, for fear of being hacked, illicitly read and/or manipulated. That fear is at odds with Mr de Maizière’s bullish assertion of its security.

Here’s the relevant snippet from the article on Die Welt, with translation interleaved:

[Das neue] Personalausweisgesetz, das seit Anfang des Monats in Kraft ist. Darin steht: „Vom Ausweisinhaber darf nicht verlangt werden, den Personalausweis zu hinterlegen oder in sonstiger Weise den Gewahrsam aufzugeben.

[The new]ID Card Act, which came into force at the beginning of the month. It states: “The card-holder may not be asked to leave the ID card behind or otherwise place it in safekeeping.”

Diese Passage bedeutet nach Auskunft zuständiger Behörden ein Verbot – und zwar ganz egal, ob es sich um einen neuen oder um einen alten Personalausweis handelt. Das wird den Alltag nicht weniger Deutscher verändern. Für sie war es bislang selbstverständlich, den Personalausweis als Pfand einzusetzen – etwa am Tresen der Autovermietung oder an der Rezeption des Hotels. Selbst den Schlüssel für den Spind in der Sporthalle bekam man auf diese Weise ohne Kaution.

According to the relevant authorities, this represents a prohibition – and it makes no difference whether you’re talking about a new ID Card or an old one. This will make a difference to everyday life for no small number of German citizens. For them, it has long been commonplace to leave one’s ID Card as a ‘deposit’ – whether at the car-hire counter or at a hotel reception. ID Cards are often left in exchange for a locker key at the sports centre, without anyone raising an eyebrow.

Elektronikexperten vermuten, mit dem Verbot wolle der Gesetzgeber verhindern, dass der neue Personalausweis in aller Ruhe elektronisch ausgelesen oder manipuliert wird. Innenminister de Maizière betont hingegen, das Dokument sei 100 Mal sicherer als die bisherige Ausführung. Warum dann die Hinterlegung verboten wurde, bleibt sein Geheimnis.

Electronics experts suggest that the legislators’ aim, with this law, is to make it harder for the new ID Cards to be electronically read or manipulated by a potential attacker. Nevertheless, Interior Minister de Maizière maintains that the new document is 100 times more secure than the one it replaces. Why, then, one should be forbidden to leave it with someone else remains his secret.

Advertisements

3 thoughts on “German authorities strangely schizophrenic about ID Card security

  1. Are you sure about your interpretation? "Verlangen" in German may mean both "to request" and "to demand". In this context, I would be inclined to interpret it as "to demand". But then again, the native speakers at Die Welt seem to be inclined to the other interpretation.Meanwhile, the ID card software has been hacked within hours of its release to the public, see http://www.automatiseringgids.nl/it-in-bedrijf/beheer/2010/45/student-kraakt-duitse-id-kaart.aspx (in Dutch).

  2. martijno says:

    Couldn't the new cards be used to electronically sign a token/transaction to be kept in safekeeping until check out instead of giving the physical card in safekeeping?P.S. by your reasoning, all applications of defense-in-depth are now signs of schizophrenia.

  3. Dave Walker says:

    So, it’s asserted the new card is “100 times more secure” than the old one. What’s the SI unit of security, by which this is measured? For ID cards (and in particular, these German ones) have they perhaps adopted the rating applied to safes, such that a new card is “uncloneable within 120 minutes, by an expert equipped with tools”?

Comments are closed.