Does a centralised eID service in the German eID system pose a privacy risk?

February 7, 2013

Ideally, a relying party that needs to verify certain attributes of a user would do so all by itself. However, in the new German eID system there are currently seven so-called eID service providers that handle this task on behalf of many relying parties. The Germans did this to allow service providers to adopt the new eID system quickly, because they can simply contract an eID service provider instead of implementing the functionality themselves. However, this creates a hotspot. For every user, the eID service provider sees all attributes verified for all relying parties it services. The eID service provider is therefore in principle able to link a user to all the relying parties that user visits, together with the relevant attributes. This appears to be a serious privacy risk. Or isn't it?

Why have the Germans taken this approach, while on the other hand they quite fanatically tried to make the chip side of their eID system as privacy friendly as possible? Could it be that the privacy risk is only limited?

First of all, eID service providers are not allowed to store any data they process in the German system, and they are audited yearly for this. If they do store such data, they will be kicked out of the system. One may question how this works for a large, state-owned eID service like the Bundesdruckerei. And one may question what happens if law enforcement at some point tries to change the law and extend data retention laws to also cover eID service providers. Then again, there is nothing (barring the investment) stopping relying parties from in-sourcing the verification and implementing it all locally on their own systems. And the number of eID service providers is steadily increasing.

Secondly, eID service providers operate under the responsibility of the relying parties they service. Both are covered by data protection laws. In particular, the relying party must ensure compliance with these laws by properly establishing service level agreements with the data processors it subcontracts.

Thirdly, an analogy with web hosting is instructive. A great many websites may currently be hosted on the servers of the same hosting provider. The largest hosting provider hosts 900.000 sites. In this case, the hosting provider can also see all the websites a user visits (for which it is the host). If the communication is not encrypted, it may even observe all the data the user enters into such a site. Looking from this perspective, an eID service provider does not incur a new risk. Although it should be said that the eID service provider by definition explicitly handles sensitive personal information (name, address, age, etc.) that a hosting provider does not directly deal with. The hosting provider would have to go through quite some trouble to obtain such information from the data streams it serves.

In case you spot any errors on this page, please notify me!
Or, leave a comment.