
»ID Wallet«: What happens to the digital driver's license after a false start

2021-10-12T11:51:35.780Z


The "ID Wallet" for the digital driver's license is not only technically immature. Government data show: the allocation was not transparent, security checks were incomplete - and the possible direction is questionable.



Withdrawn app "ID Wallet": trust "massively gambled away"

Photo: Christoph Dernbach / dpa

The "ID Wallet" for the digital driver's license had a digital accident: a week before the federal election it was presented to the public by Transport Minister Andreas Scheuer (CSU), and just under a week later it had disappeared from the Apple and Google app stores .

Among other things, this was due to security concerns expressed by members of the Chaos Computer Club (CCC): On the one hand, attackers could have demonstrably taken over a subdomain of the "ID Wallet" operator and thus pretended to be the latter.

This would have resulted in further attack and threat scenarios, says the security expert, who analyzed the app together with Lilith Wittmann.

The problems indicated "poor system administration."

On the other hand, data and identity theft may have been possible, as Lilith Wittmann describes.

However, this did not apply to the driver's license check, but only to other application scenarios for the "ID Wallet", such as digital check-in at a hotel.

Nevertheless - together with an overload problem - that was enough to temporarily take the app off the market, even if the federal government that was still in office initially wanted to start small.

With the digital driver's license stored in the "ID Wallet", the government initially wanted to make it easier to rent a car or use car-sharing offers.

In the long term, the digital image of the driver's license on the smartphone should be able to completely replace analogue identification documents.

The Minister of State for Digitization, Dorothee Bär (CSU), campaigned for this.

"Maximum non-transparent"

For Anke Domscheit-Berg, network policy spokeswoman for the left parliamentary group, the issue is far from over with the announced improvements.

"It's not just a temporary setback and another individual example of a failed digitization project," she told SPIEGEL.

Rather, the federal government had "massively gambled away" the trust of the population that was necessary for such projects.

She is concerned not only with the inadequate IT security of the "ID Wallet", but also with the government's awarding practice and the future organization of the project.

Domscheit-Berg had asked the federal government several written questions about it.

The as yet unpublished answers from Dorothee Bär are available to SPIEGEL; Domscheit-Berg considers them alarming.

When asked, for example, how many providers had applied for the "ID Wallet" project in the tender, Bär replied that there was no tender. She put it this way: The federal government decided to use an existing framework agreement with System Vertrieb Alexander GmbH (SVA), "in which IBM Deutschland GmbH and Esatus AG are subcontractors in the project": "Digital Enabling GmbH, as a subsidiary of Esatus AG, is the publisher of the ID Wallet developed by Esatus AG." Domscheit-Berg considers the practice of making a "completely unknown" subsidiary of a subcontractor the publisher to be "maximally non-transparent".

She is also surprised by the possible future role of the company. Because Bär wrote: "Talks are currently underway between BReg (Federal Government - editor's note) and the companies involved in the overall project about permanent governance for the overall ecosystem of digital identities." To this end, "the establishment of a public-private joint venture is being considered, 50% owned by the public sector on the one hand and the private sector on the other hand, and which is to assume operational responsibility for the ecosystem."

Domscheit-Berg considers the planned establishment of such a Public Private Partnership (PPP) to be "a serious mistake".

Because in PPP companies "risks are often unilaterally distributed to the public partner and profits unilaterally to the private partner."

For the MP it is clear: "Verified driver's license data or comparable data from government documents should be treated like official documents; they do not belong in the control of private companies in which the state does not even hold shares."

"No consideration or examination of the specific implementation"

Domscheit-Berg also wanted to know whether the Federal Office for Information Security (BSI) and the Federal Data Protection Officer had checked the app before it was published. Bär's answer: The BSI only checked another application of the "ID Wallet", the digital hotel check-in. "In this context, numerous improvements have been implemented," the answer states. "In addition, the need for further development of the system concept was identified before the pilot application goes into open operation. We are working on it."

For the digital driver's license, only the documentation was made available to the authorities and "explained in several rounds of questions".

The BSI, however, "did not examine or check the specific implementation because it was not commissioned to do so under its remit".

The Federal Data Protection Commissioner, in turn, advises the Federal Government on the overarching project "secure digital identities".

But he offered "no testing or certification of isolated apps, especially not from private publishers."

Anke Domscheit-Berg considers the fact that the hotel check-in, but not the driver's license application, was checked by the BSI to be "completely incomprehensible": "That the federal government excuses itself by saying that the Federal Data Protection Officer did not check the app because it was a 'private app' is irresponsible and dangerous."

The app should be available again in a few weeks.

Source: spiegel
