
D3.6: Study on ID Documents


Austrian “Bürgerkarte”

 

Introduction and description of the citizen card solution

The “Bürgerkarte” (citizen card) has been introduced in Austria since February 2003 and was subsequently developed, until January 2005, into the concept we know today. The current implementation is based on the signature law and the corresponding decree in the version from December 2004. The “Bürgerkarte” is not a card with the same features for each citizen, as for example a passport is; rather, it is a concept that allows secure electronic public administration services to be designed. Primarily the “Bürgerkarte” is a procedural signature solution that can include additional functions. For instance, it can be used to identify Austrian citizens in the public sector or in the national social security system, as members of chambers, officers in the public administration or students. Furthermore, it can serve payment functions (so-called Bankomaten Karte). The “Bürgerkarte” can be implemented on various technological platforms, for example chip cards or USB tokens.

Examples of implementations are:

 

  • National ID card 

  • Social security card (so-called e-card) 

  • Students card for two regions, in which universities and subsequently students are organised 

  • Banking card including electronic signature 

  • Service card for officers in the Austrian public administration 

  • Signature implementations for mobile devices (smart phones and PDAs) and USB tokens 

 

The main motivation for launching the “Bürgerkarte” was the introduction of e-government in Austria. To promote this initiative, the Austrian “Bundeskanzleramt” (office of the Chancellor) provides all basic software and the necessary licences free of charge. Private providers act as certificate authorities (CA) and registration authorities (RA), such as A-Trust for chip card bound signatures or the Austrian Telekom for mobile signatures (so-called A1 signature).

Sector specific personal identifier 

Based on the requirements of the Austrian data protection act, the certificates for the electronic signatures are not used for authentication purposes in the public sector, to avoid linkability in cases where no signature is needed. Instead, a specific personal identifier, the so-called sector specific personal identifier (ssPI), is used in addition to name and date of birth for processing and data storage purposes. The ssPI is calculated from data stored on the “Bürgerkarte”. The calculation procedure for the ssPI is as follows:

 

  1. For each citizen a registration number (zentrale Melderegisterzahl, ZMR) is stored in a central database at the Citizens Register of Residents (CRR, zentrales Melderegister). This is used as the basic data for the calculation of a so-called source PIN (sPIN). Where no data is available in the Citizens Register of Residents, data from the Supplementary Register (SR, Ergänzungsregister) is used as basic data (see the figure “Calculation of the source PIN”).
    The source PIN is stored only on the “Bürgerkarte”, not in the registration office (Stammzahlenregisterbehörde, StZRBeh). If this number is needed by public authorities or the citizen, it has to be recalculated under the supervision of the Austrian Data Protection Commission.

 


Figure: Calculation of the source PIN

 

  2. The public sector in Austria is divided by law (Bereichsabgrenzungsverordnung, issued 2004) into 26 sub-sectors and 9 sector-spanning activities; each division of a public office is assigned to one of these sectors or sector-spanning activities. When a citizen starts communicating with a public office, his source PIN (sPIN) is one-way hashed with the sector identification taken from the “Bereichsabgrenzungsverordnung”, resulting in a sector specific PI (ssPI). Note that the multiple ssPIs of a citizen cannot be linked across the borders of these sectors (see the figure “Conversion between Source PIN and ssPI”). In the private sector the enterprise registration number can be used instead of the sector number to hash an ssPI.

 


Figure: Conversion between Source PIN and ssPI

 

  3. In cases of inner-sector workflows the sector specific PI (ssPI) must be stored encrypted. In this case the ssPI can be used as a symmetric key (see the figure “Use of the ssPI for secure data storage”).

 


Figure: Use of the ssPI for secure data storage

 

Take up and Response  

The “Bürgerkarte” today is mainly used in the public sector for identification and authentication purposes. The most common examples are the request for an attestation concerning data from the criminal record or public registration data, tax declarations and electronic signing (G2G) and receiving (G2C) of official documents.

The concept of the “Bürgerkarte” has gained positive recognition concerning data protection in the public sector from civil rights and other non-governmental organisations. Furthermore, in December 2005 the first prize for data protection in the category of European public authorities was awarded to Austria for the concept of the “Bürgerkarte” by the Data Protection Agency of the Community of Madrid.

However, some issues remain open. In addition to the unlinkable ssPI, name and date of birth are used, which are in most cases unique and thus create linkability. Where an electronic signature is needed for private or e-governmental transactions, linkability can be established via the single certificate stored on the “Bürgerkarte”, as this concept does not include sector specific or pseudonymous certificates for electronic signatures.
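The sector-specific derivation described in the calculation procedure and the linkability issue raised in this paragraph can be checked together. The following is an added example, not part of the original study or of the Austrian implementation: the hash function (SHA-256), the "+" separator, the sector codes and all citizen data are assumptions constructed for illustration, since the text only states that the sPIN is one-way hashed with the sector identification.

```python
import base64
import hashlib


def derive_sspi(source_pin: str, sector_id: str) -> str:
    """One-way hash of the sPIN with the sector identification.

    SHA-256 and the '+' separator are assumptions; the study does not
    name the hash function or the input encoding.
    """
    digest = hashlib.sha256(f"{source_pin}+{sector_id}".encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed sample data: (source PIN, name, date of birth).
CITIZENS = [
    ("sPIN-constructed-0001", "Anna Huber", "1970-03-14"),
    ("sPIN-constructed-0002", "Josef Gruber", "1985-11-02"),
    ("sPIN-constructed-0003", "Maria Bauer", "1992-07-29"),
]


def sector_records(sector_id: str) -> list:
    """What one sector stores: the ssPI plus name and date of birth, never the sPIN."""
    return [
        {"sspi": derive_sspi(spin, sector_id), "name": name, "dob": dob}
        for spin, name, dob in CITIZENS
    ]


def linked(records_a: list, records_b: list, key) -> int:
    """Number of records in A that find a partner in B under the given join key."""
    keys_b = {key(r) for r in records_b}
    return sum(1 for r in records_a if key(r) in keys_b)


def demo() -> tuple:
    sector_a = sector_records("SECTOR-A")  # hypothetical sector codes
    sector_b = sector_records("SECTOR-B")
    by_sspi = linked(sector_a, sector_b, lambda r: r["sspi"])
    by_identity = linked(sector_a, sector_b, lambda r: (r["name"], r["dob"]))
    return by_sspi, by_identity


if __name__ == "__main__":
    print("records linked via ssPI / via name and date of birth:", demo())
```

A join on the ssPI links no records across the two sectors, while a join on name and date of birth links all of them, which is the residual linkability the paragraph describes.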

From an economic perspective, the number of issued digital signatures is still limited. By the end of 2005 only 56,000 electronic signatures (0.7% of the population of Austria) had been issued.

 

 

fidis-wp3-del3.6.study_on_id_documents_03.sxw
Denis Royer