Flashback: Germany Issues RFID National ID Cards to Its Citizens

Germany Gets Set to Issue RFID ID Cards and Readers to Its Citizens

The government hopes its new national ID cards will foster Internet-based commerce, by enabling citizens to use the cards and readers at home to carry out online transactions without putting their personal or financial data at risk.

October 6, 2010

RFID Journal - In an ambitious project designed to provide citizens with a more secure form of identification, as well as a secure method for conducting business via the Internet, Germany will begin issuing RFID-based national identity cards on Nov. 1, 2010.

With the rollout of the new ID cards, Germany will become the first country to outfit its national ID cards with the same technological features of a passport—such as biometric photos, RFID chips and optional digital fingerprints—according to Andreas Reisen, who heads the division of the German Ministry of the Interior responsible for introducing the cards.

Germany's new RFID-based national identity cards contain a passive 13.56 MHz SmartMX chip from NXP Semiconductors.

The RFID-based card, approximately the size of a credit card, will replace the nation's current national ID card, which is slightly larger than a credit card and lacks an RFID chip. It will be mandatory for all citizens receiving an ID card for the first time, or who are replacing older ID cards. Those who do not need to renew or replace their ID cards will continue to be able to use their non-RFID version until their cards expire—typically, within 10 years. Beginning in May 2011, foreigners living in Germany will have the opportunity to use similar cards, in the form of an electronic version of their residency permits.

In 2008, the German government passed a law paving the way for the new ID cards. One motivation for issuing the cards was to help reduce the misuse of personal data over the Internet. Many Germans are still reluctant to make online purchases, due to worries that their personal data or financial information could be misused.

By installing an RFID card reader on their home computer, citizens can use the card to positively identify themselves online, via a USB connection. This enables vendors and online organizations to know for certain whom they are dealing with. If a business wants to offer residents of a particular city a discount on a product or service, for instance, that company can verify an individual's address on his or her ID card.

As part of the project, each citizen will be able to download free software developed for the national ID cards, starting on Nov. 1. The software, formerly known as Buerger Client, is now called AusweisApp (which, translated to English, means ID App). AusweisApp was developed by OpenLimit on behalf of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI). According to Reisen, the software will allow citizens to identify themselves using their ID card at their PC, as well as execute an electronic signature, if they opt to have their electronic signature stored in the card's memory. If a citizen wants to employ the signature function, he or she must first obtain a signature certificate from an authorized certification-service provider (a list of such companies is available on the Web site of the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway).

Before carrying out a transaction online, an ID cardholder must place his or her card on the RFID reader and input a PIN in order to authorize the transmission of specific data stored on that card. At the same time, only those organizations that have obtained a certificate from the government will be able to collect the information from the electronic ID cards, such as a person's name, address and birth date. This offers a cardholder the security of knowing he or she is dealing with a legitimate organization, and can speed and ease the process of registering for an account online, conducting online banking or filling out forms.

"Germans place high value on data self-determination," Reisen says. "This project is mainly about data security, and we involved citizens in developing the concept from the beginning."

Some citizens have rallied against the cards, claiming that anyone with an RFID reader could collect the data stored on them at any given time—but the government has been able to quell such fears by pointing out that only certified organizations can request such information and by citing proprietary security controls. If a person loses his card, he can call a government hotline and have the card blocked from network use. Officials will then list the card as blocked on a central server accessible to licensed participants—which will be required to update their own lists of blocked cards by retrieving the official government list. If a thief attempts to conduct a transaction using a blocked card, that transaction will be denied because the card will not be authenticated. What's more, a person can choose to have the RFID tag deactivated upon the card's issue.

Aaron Russo 2007 Interview - RFID Human Implant Chip


The ID cards were tested by the Technical University of Darmstadt, together with the Fraunhofer Institute for Information Security. Students utilized the cards to identify themselves for e-services offered by the school, such as downloading e-books, checking grades online or submitting homework. The card's designers hope citizens will use their own cards much in the same way for commercial services conducted via the Internet, or for certain government services, such as submitting tax returns. During the next 10 years, the German government expects to issue some 60 million ID cards.

Reisen declines to reveal how much the government is investing in the cards' production. He does indicate, however, that all development and production costs will be covered by the €28.80 ($40) fee each citizen will pay to receive the ID card; €22.70 ($32) of that amount will be forwarded to Bundesdruckerei, the private company producing the cards.

In addition, the government will distribute roughly 1.2 million ID card readers, with which citizens can positively identify themselves online. Citizens will not have to pay for these devices; instead, they will be made available for free, and paid for from €24 million ($33 million) provided to the government's ID division, as part of the country's economic stimulus package.
These devices, called "basic" readers, can be used only for reading the ID cards. Officially approved companies will distribute the free devices as part of their marketing efforts—that is, a move by these businesses to get citizens to use their online services via the new USB readers and ID cards. "Basic" readers not allotted for free distribution by an officially approved firm will be available for purchase at electronics stores, as well as other retail establishments.

Through an open tender, the government selected the following organizations to distribute the reader infrastructure, starting on Nov. 1, as part of promotional or commercial activities: CHIP Communications, Cosmos Lebensversicherungs, Deutscher Genossenschafts-Verlag, Impuls Systems, KKH-Allianz, Multicard, SCM Microsystems and T-Systems International. Reiner SCT Kartengeräte GmbH & Co. KG and SCM Microsystems will produce many of the interrogators used, but any company can do so if they comply with the technical guidelines (TR-03119) published by the Federal Office for Information Security.

In addition, the German government will distribute another 230,000 so-called "comfort" readers that can be used for signature applications—programs allowing individuals to provide authenticated digital signatures. These readers will be available at government-subsidized prices, in order to increase data security on the Internet, and to make sure the devices are available to a wide number of citizens.

"The idea of the stimulus package was to boost the economy by creating new infrastructure," Reisen says. "That's exactly what we're doing here, by subsidizing these RFID readers."

Each ID card will contain a SmartMX passive 13.56 MHz RFID chip manufactured by NXP Semiconductors. NXP reports that its SmartMX chip platform incorporates a number of unique security features to guard against reverse-engineering and attack scenarios with light and lasers, as well as a dedicated hardware firewall to protect specific sections on the chip. According to NXP, the version of the SmartMX chip being used was designed specifically for Germany's ID card, and is 100 percent compatible with the ISO 14443-A RFID standard.
Reisen says Germany is a technology leader with its electronic passports, and hopes to set technological and data-security standards with the new ID cards.

"I have many contacts in other countries who are looking closely at what we're doing," he states. "They'll surely adapt the concept for themselves after our launch."

According to press reports, France, Poland and Holland are also planning to introduce new national ID cards in the coming years. 

Proof RFID Microchip Is In Obama Health Care