The BigBrotherAward 2008 in the category “Politics” goes to the Ministry of Economy and Technology, represented by Minister Michael Glos, for passing the law about the ELENA procedure and the associated forced introduction of the electronic signature.
A central file for storing all data about the income of every employee in Germany – unthinkable? So one would like to think, but the new registration procedure for the “electronic income statement” (elektronischer Entgeltnachweis, ELENA) makes it a reality.
This June the federal government decided to introduce an electronic registration procedure, requiring all employers to transfer all their employees’ salary data to a central location. The registration procedure is called “electronic income statement.” This is accompanied by the introduction of an admission card for state benefits, which had been planned since 2002 by the then Social-Democratic/Green government under the name “Jobcard”.
The goal of the project is to reduce bureaucracy and costs. It is to be achieved by requiring employers to transfer all their employees’ salary data to a central storage location, where it can be accessed by the relevant government agency when an employee applies for certain social benefits. This eliminates the previous need for paper salary slips and their manual processing by the agencies.
Seen from a privacy perspective, this procedure has the advantage that the employer does not necessarily know about his employees applying for social benefits, since the employer no longer needs to write out salary statements specifically for this purpose. On the other hand this will create an extensive central database, of which only a small fraction will eventually be used for the intended purpose. This is large-scale data retention. The records will include name, address and date of birth; the salary, the amount of social contributions and of income tax and church tax; and additionally the social security number (Rentenversicherungsnummer), duration of employment, the employer’s address and standard company number. Even though many employees will never receive social benefits or register as unemployed, all employees’ data is retained for at least one year. This will create a data pool which is not only interesting to the social agencies, but will also create a desire for access, e.g. among the tax authorities. The case of the German highway toll data has shown how quickly such an appetite may arise once the data is available.
What kind of protection is there against unauthorised access?
The legal provisions for such protections are weak: a passage allowing for the possibility of further use of the data by regulation (Rechtsvorschrift) is cause to worry that other agencies may gain access to the data “by acclamation” of the ministry in charge, without the complications of the legislative process.
There is a complex technical procedure for gaining access to the data, requiring the electronic signatures of both the applying citizen and the agency official. The electronic signing is accomplished via a chip card and associated PIN. This chip card has been called the “Jobcard”. The applicant uses the Jobcard to unlock the salary data in the central database for use by the inquiring agency. The catch is that there will be a backdoor for accessing the data without the citizen’s signature. Although this backdoor is only supposed to be used when a citizen has lost his Jobcard, no one can guarantee that its use will always be limited to that case. From a data protection point of view this is a severe weakness.
There is another cause for concern: the procedure assumes that all recipients of social benefits have a chip card with signature functionality. Beginning in 2012, there will be no more paper forms for applying for benefits such as unemployment compensation (Arbeitslosengeld I), child-raising support, and housing subsidies. Making this kind of chip card de facto compulsory will probably be the crucial step towards the large-scale introduction of a digital signature in Germany. The card will also allow signing other electronic documents or conducting legally binding business electronically. This makes the “Jobcard” a mosaic piece in a potential strategy of the government for advancing the use of the electronic signature when dealing with government agencies and doing private business. But has this really been thought through?
Undoubtedly the electronic signature has its advantages for business. Its digital nature, however, is also its dark side: every single signature contains a globally unique certificate identification number. Little effort is required to use this number for an automated retrieval of all documents and contracts signed by an individual person. It is technically feasible to match this certificate number across various agencies and companies. It thus becomes imaginable that “with the increasing spread of signature procedures, these numbers will be used as sorting criteria in many areas of everyday life”.
In plain language: the nationwide introduction of the electronic signature opens up the possibility that the state will use this technological backdoor to obtain a comprehensive overview of all documents ever signed by a person with his signature card.
This is not as far-fetched as it may sound. By using the federal government’s standardised programming interface, the so-called eCard API, agencies will be able to read the electronic signature not only from the Jobcard, but also from the electronic ID card. According to the federal government, the ID card is set to become a universal access card for all public services. This will make correlation of data easier still.
Mr. Glos, the ELENA procedure is probably well-intentioned, but do you really want to create such a data collection, literally pre-programming abuse?
For introducing yet another central collection of highly sensitive information, and for the compulsory use of a signature chip card for applying for social benefits, your ministry today receives the BigBrotherAward.
Congratulations, Minister Glos!