A German’s Hard Disk Is His Castle

29.02.2008 by Tim Cole

Germans became the best-protected users of computers and the Internet today when the Federal Constitutional Court set out strict rules for government agencies anxious to spy on their hard disks. The decision was widely viewed as a slap in the face for Wolfgang Schaeuble, the hard-liner Interior Minister who has been proposing that law enforcement agencies be given broad powers to monitor the computers and e-mails of suspects on their own authority. No, the court said, you have to ask a judge first. And if during the course of an authorized surveillance the police also happen to stumble across highly personal data, then it is their obligation to erase it “immediately”.

Surprisingly, German turns out to be a rather imprecise language. Forget their perfectionist image: “unverzueglich”, the word used in the court decision, can also mean “promptly”, “unhesitatingly” or even “instantaneously”, depending on context. So that leaves the cops quite a bit of leeway and doesn’t exactly please the digital rights crowd, either. Still, better than nothing, supporters say. Especially since the court also severely limited the use of one of Schaeuble’s favourite high-tech toys, the so-called “Bundes-Trojaner”, or “federal Trojan”; a piece of software allegedly under development at the BND, the German equivalent of the FBI, and designed to sniff out suspicious correspondence between terrorists. Never mind that nobody seems to have figured out how to sneak the state-sponsored malware past a simple virus detector, much less how to get the bad guys to click on the self-extracting application. And never mind that nobody in the Berlin government seems to have heard of PGP or other easily available encryption tools.

The historical dimension, if there is one, lies in the high court’s recognition of the individual’s basic right to being able to use a computer without fear of being observed. Collecting data stored or exchanged on a personal computer “directly encroaches on a citizen’s rights”, the judges decreed, given that fear of state-sponsored snooping could prevent “unselfconscious personal communication” which they deem a human right.

While lawmakers will be able to pass legislation on computer spying as planned, the court has laid down strict ground rules that are intended to limit the number of cases in which it will in fact happen. The greatest hurdle is the requirement of judicial approval in each and every case, with the burden of proof of “clear evidence of a concrete threat to a prominent object of legal protection” (e.g. life, liberty, or property) clearly lying with the authorities.

Unfortunately, the federal judges did not answer a number of basic questions, such as whether hacking personal data stored on another computer is to be considered a crime. This is especially interesting in view of recent German legislation that compels Internet Service Providers to keep records of all e-mail transactions for at least six months in case the police decide they want to see what a delinquent was doing. And while the judges do recognize the danger stemming from cache storage by programs like web browsers on an individual’s machine, they do not discuss caching by providers or search engine operators. Neither is there any mention of personalized portable devices like PDAs or smartphones, leaving some confusion as to whether these are also covered by the definition “personal computer”. In fact, the brief specifically singles out PCs “such as those in many homes”, so conceivably it’s okay for the bulls to spy on your Blackberry once you leave the house.

Foreigners have long struggled with the concepts behind German privacy law, which many, especially Americans, find exaggerated and counterproductive. If so, they will have to make an extra effort to get their heads around the idea that hard disks, like homes, can be castles. But of course, anyone who has ever taken a boat ride down the Rhine is familiar with the German penchant for castle-building, so maybe it shouldn’t really come as a surprise.

Posted in IT security

Talking the talk with IBM’s Tom Noonan

14.11.2007 by Tim Cole

Tom Noonan of IBM ISS talks a mean speech. Yet somehow I came away slightly unconvinced from a press and analyst briefing he gave on Monday at ISS headquarters in Atlanta.

Maybe one reason was that he hardly used the term “identity” as he described in some detail how he perceives the world of IT security and threat management. Instead he has a lot to say about security becoming a utility, about disconnected parts and the need for a “security ecosystem” where the products of each and every vendor can work together to provide seamless and coherent protection of both data (the “new currency”, he calls it) and applications.

I was very excited about this vision of a kind of “security open platform” which would bring together the currently deeply fractured worlds of logical IT security and Identity Management (along with physical security, just to round things off; after all, the surveillance cameras all speak IP nowadays, so why not integrate them as well?).

A sentence like “Security will be the control system that creates policies across all applications” sounds great, but where’s the beef, Tom?

In fact, as his VP Tim McCormick later explained to me during an interview I did with him (see “In Our Ecosystem, Anyone Can Play”), the only ones who will really be able to participate are those with which IBM and ISS (still two very different animals, even after a full year of integration) already have existing relationships. Okay, that’s a lot of partners, over 200 at last count. But it is a far step from an industry standard, which is what Tom obviously believes is necessary.

I do too, by the way, so I’m rather concerned that Tom and Tim are not taking the ball as far as they could. Why not assemble an industry-wide gathering of competitors from both IT Sec and IAM, maybe under the auspices of Oasis or some other standards body, and put your chips on the table? Everybody stands to profit from cooperation, because customers will not stand much longer for being forced to deal with a whole host of vendors, each offering some important part of the puzzle, but not the whole picture.

On paper, IBM looks like a pretty likely candidate to lead the way. After all, with the ISS acquisition they are now the market leader in managed security, which is the way to go. And with Tivoli busily buying up companies like Consul, Watchfire and the like, they can play a pretty mean game of business process protection as well as becoming a force to reckon with in the identity & access management space.

Just bringing all that together within the folds of IBM remains a daunting challenge. Taking the concept to its logical end, a security and identity ecosystem that will revolve around the customer and his needs (something where this industry, as Tom Noonan freely admits, has hitherto not really done a very good job), is a different kettle of fish.

Let’s see if, in the end, Tom can do more than just talk the talk.

Posted in IT security

A Prescription For A Healthcare Headache

28.09.2007 by Tim Cole

Anyone know where the biggest identity project in the world is going on today? Would you believe Germany?

It’s true, though. The “Electronic Healthcard” or “elektronische Gesundheitskarte” (known as the “eGK”) will soon be issued to some 80 million citizens, providing them for the first time with a digital identity aimed at reducing healthcare costs and improving the quality of service for patients. It may actually save some lives, too, by giving doctors a way to track patient histories and avoid possible side effects or drug allergies.

Of course, simply handing out 80 million chip cards isn’t going to transform the German healthcare system. First, some 120,000 family physicians and specialists, 65,000 dentists, 21,000 apothecaries, 2,200 clinics and 260 health insurance providers need to be hooked up, too. And this is turning out to be an identity management nightmare of truly historic dimensions.

Scheduled to go online in 2006, the project has been held up by bureaucratic hassles and technical glitches. The next round of tests is now set to begin sometime in 2008, roughly two years behind schedule. And it’s anybody’s guess when the system will really be up and running.

Even then, hopes are low that the initial goal of lowering the costs of Germany’s compulsory healthcare program will materialize. Experts agree that things like digital patient records and telemedicine can streamline the clunky system now in place. Unfortunately, that isn’t going to happen anytime soon.

Instead, the government has chosen to prescribe only the first step of the project, which will focus solely on the administrative side and is designed to reduce paperwork. Okay, better than nothing, proponents say. But this could have been achieved by pimping the current system of insurance cards (“Versichertenkarte”), which already have chips baked into them but lack a photo of the patient. This, along with the fact that there is no way to quickly cross-check whether the patient is already being treated somewhere else, is an invitation to insurance fraud. “We get whole families of Turkish guest workers coming in and using mommy’s card to get free treatment”, a doctor recently told me.

All the goodies that might really make a difference in healthcare costs have been classified as “voluntary”. In the case of Germany’s cash-strapped clinics, many of which are tottering on the brink of bankruptcy, this probably means never. So much for telemedicine and the future hospital.

Identity management vendors face an uphill fight in persuading German healthcare officials and clinic IT admins to invest in hot new technology. Especially so since, in typical German fashion, the so-called “service providers” (read: insurance companies) and the German government have formed a bureaucratic monster called “Gematik”, a joint venture charged with developing the infrastructure framework and setting the standards for things like card readers and network interfaces.

Since most IdM vendors are from the U.S., they of course don’t have a say in the internal deliberations of Gematik and the German government. Instead, they are currently attempting to persuade individual public and university hospitals and private clinics to buy their products. Good luck, I say! Since Gematik takes its cues from the Delphic oracle, no purchaser or decision maker in his or her right mind will go out on a limb today and sign a check, since they may have to mothball the system in a year or two when Gematik finally draws back the curtain and reveals (surprise, surprise!) something completely different from what was expected.

Safe to say, therefore, that Germany’s eGK is not only the biggest identity project in the world, but one of the most enigmatic, too. Many clinic operators will use this as an excuse to keep their heads down and wait for Gematik to get its act together. Smart operators should focus on things like standardizing their systems, beefing up their infrastructure and doing identity data housecleaning, all of which will pay off some day no matter what technical framework Gematik finally comes up with.

IdM vendors should up the pressure on Gematik to force them to provide a better glimpse of the direction they are thinking in, while touting schemes like identity federation based on open international standards as an alternative to a national German solo effort. They might also casually suggest that the German penchant for cramming everything they can possibly dream of into a single bloated solution may not be the best way to solve the cost crisis in healthcare. They might want to use a quaint German expression to describe the worst-case end result: it’s called “eierlegende Wollmilchsau”, an egg-laying, wool-growing, milk-giving pig.

Posted in e-health

© 2007 Tim Cole, Kuppinger Cole + Partner