Today, some influential German politicians started argueing against the upcoming German eID card in a sunday newspaper. The eID card is planned to be available by November, 1st. The main argument is that the costs of the project are increasing – there is the request for some additional 7 million Euro for advertising. The politicans claim as well that experts doubt about the need for the eID card. They propose to shift the introduction to 2020.

There are for sure some points with the German eID card which you can discuss. However, the arguments of these politicians just show that they don’t understand anything of what they are talking about. No big surprise, you might claim – they are politicians. To provide my view on this:

1. Yes, the eID card costs a lot of money. However, new things typically aren’t for free. And given that the eID card is a government project, there is a lot of politics and lobbying in, which never ever saves money. Anyhow, it doesn’t appear to be excessively costly.
2. The concept of the German eID card might not be perfect, but it goes beyond most other approaches when looking at principles like “minimal disclosure of information” and the supported use cases as well for public as for private use.
3. Security is well solved. There are some people claiming that fingerprints aren’t secure. Yes – there might be some fraud. But the eID card is way beyond the alternatives we have today and which could be used in a mass market. I personally think that it is much better to do some (significant) step forward in security instead of staying still and looking for the Nirvana.
4. The concepts have to be explained to the public. That is an educational effort which will take time and which will cost money. However, we should look not only at potential downsides but might concentrate on the positive things – and there are many interesting use cases. There is a lot of potential within the German eID card.
5. There are experts (I thought about putting the term into quotas…) – no surprise, you will always find experts which support your opinion, especially as a politician.
6. You definitely can wonder about why we need a health card and an eID card on a national basis – one card might be sufficient (especially given that you have to educate people on the privacy concepts for both cards and thus you might reduce the efforts on this…).

I could add many more points to that list. However, I think that this is just another example of politicians talking about things they don’t understand at all. There is some value in the German eID card. It is based on a well-thought concept. There are things which might be improved – and many of the shortcomings we might observe at the beginning will be solved. It will take some time for the mass adoption – again no surprise. But overall, it is absurd to stop this project now and to restart it in some ten years. That would mean that much more money then it will ever cost to bring the project to an successful end will be destroyed and will have to be spent again in some years. Thus, there is definitely no sense at all in stopping this project now. But there is a lot of sense in spending some extra money in education of the citizens, to make it successful.

Some days ago the German government announced a list of 30 companies with test cases for the upcoming eID card, which will be available starting November, 2010. The good news is that the BMI (Federal Ministry of the Interior) has managed to get a good number of test scenarios outside of eGovernment. The identification of flight passengers at airports, hotel check-in, online shops, and some use cases for age verification are on the list of published test cases.

For sure there are as well many eGovernment applications amongst these 30+ scenarios but the real important thing is that there are obviously many partners outside the eGovernment which are interested to use the eID card for identification (or age verification) purposes within their specific business use cases. If they succeed, there will be a lot more partners once the eID card is officially issued - and the more companies will use the eID card, the more momentum will be there for “buying” the eID card and switching to it from the current conventional ID card. That is about “buying” because the eID card is mandatory when renewing the current eID card (which is valid 10 years from the date of issuance). That fee will be accepted more likely when the card can be used for many use cases.

Overall it appears that the German government is doing a good job in creating some interest in and momentum behind the eID card. And doing a broad test with many partners more than one year before the card is distributed widely is definitely important – there will be many lessons learned. Anyhow, the biggest threat for the eID card still will be the acceptance. Test cases are one thing – the other aspects are usability (make the eID card as easy to use as possible, even from home) and trust. There will be a lot of discussions around the eID card, and educating users about the security and privacy (which is pretty good in the eID card concept) is extremly important for the success of the German eID card. But there will be a lot of FUD (fear, uncertainty, doubt) raised around this issues, like “the fingerprints aren’t fully secure”. Yes, in fact, there is some slight chance of abuse – but what the eID card provides is a big step forward for most of the users. Thus, we should look at it more positive and understand it as an important improvement for security in the Internet – with some shortcomings (national, time-to-market,…).

It will be definitely interesting to observe the different test cases and the lessons learned there. Despite all doubts, the German eID card has a good chance of becoming a successful project.

OK, everyone has used that claim “yes we can” right now. But it fit’s pretty well to the German project ePA (Elektronischer Personalausweis) which is one amongst several projects in different European countries for a new type of personal identification card. It’s not an ePassport but an personal identification card – you have to have the latter in Germany, you can obtain the first if you require it for international travel.

In contrast to some other countries like the USA and the United Kingdom, a personal ID card is mandatory in Germany. Currently it is an “old-school” type of printed document. The ePA will replace this with an electronic ID card which will be issued by the German state -  using the same deployment mechanism with the so called “Meldeämter”, e.g. registration offices (local offices run by cities where every address change and so on has to be registred). Thus there is a personal identification included when requesting and deploying the ID card.

For a long time I have been a little sceptical regarding German eGovernment initiatives. Many of the didn’t convince me, either due to their obvious lacks of identity management (like in the area of tax declarations with the ridiculous ELSTER project) or because there was far too much ideology in (Linux vs. Microsoft). But the ePA proves that Germany is able to really run a leading-edge project not only in the manufacturing industry, but as well in eGovernment.

The ePA supports different use cases, from the identification at border controls, the police, and in other situations up to several public use cases. The interesting point is that these use cases will then be supported by a strong authentication, based on the ePA and readers for that ID card. It will be possible, to give an example, to provide age verification – while enforcing the concept of “minimal disclosure”. For example, the answer might be “yes” when asking for age verification above 18 years instead of supplying the full birth date. The ePA will as well provide the capability to store the qualified electronic signature which can be used to sign contracts and official documents as well in the private as governmental use.

All these features are implemented in a well-thought way, based on distributed stores on the ID card. And they are backed by valid business models as well for providers of digital certificates (qualified electronic signature) as for relying parties, e.g. service providers which plan to support the ePA as a means for strong authentication, age verification, or other purposes.

For sure there are still some open questions: What about foreigners (there will be interoperability, there will be other solutions)? How long will it take for the critical mass (the old ID card has a validity of ten years thus replacement will take some time)? How about integration with concepts like Information Cards (some companies are working on that)? But despite open questions, the concept of the ePA is a promising one which might as well support eGovernment concepts as the strong authentication for private use cases. I expect that we’ll see a lot of interesting use cases and applications around ePA soon – and some things you might learn as well at our European Identity Conference 2009 in Munich.