Inside Germany's Plan To Kill Online Registrations

An anonymous reader writes: Germany's corporate giants are promising a brave new future in the form of a single account -- one that will let you do your online shopping, get a flight and rent a car, all with no more registrations or repetitive passwords. Deutsche Bank (DB), Germany's biggest bank, announced Monday it's teaming up with other big firms to create a new company that will create the service. Users would enter their ID details just once before they can make all their online purchases across multiple sites. The partners -- which include Mercedes-Benz maker Daimler, insurer Allianz and publisher Axel Springer -- hope other firms will sign up to their vision. They're calling it a "pan-industry platform for online registration, e-identity and data services." The program could eventually be expanded to include government services. For example, drivers could apply for a new license through the system before their old one expires. The partners expect the program will be running in Germany by mid-2018, and they stressed it will be "secure" and comply with all European Union data protection rules.

Great idea...

And then once you have universal registration - you can be tracked all over the internet with ONE ID - including all your political commentary!

Re:Great idea...

At least they said it will be secure. That's a relief.

Re: Great idea...

[ArmoredDragon]

Germany has never had any problems with overbearing governance, so stop the fear mongering and show me your papers, please.

One Ring to Rule them All

[evolutionary]

And the Great Eye of fire sees all. Come to think of it, this was discussed in the film "The Circle". Not a great film, but it puts these ideas into a realistically scary context. Does this idea of removing choice from whether or not we WANT to be registered concern anyone else?

obligatory xkcd

[green1]

https://xkcd.com/927/

Who actually believes that any of these "one standard" things REDUCE the number of different accounts you have to have?

Re:obligatory xkcd

[grumpy_old_grandpa]

The good old 927. Anybody who've been in IT for a few years probably know that number by heart by now.

Re:obligatory xkcd

[batukhan]

Estonian ID card / mobile identification works pretty well. Any service can do an API call to the national system, which authenticates the user and sends back first+last name and social security number. The ID cards are smart cards. Most people have smart card readers (€10 a piece), or the mobile identification thing (special SIM card with certificates, asks for your PIN number upon authentication). Log in to any state institution website or any supporting 3rd party website. Banks, telecom companies to pay bills etc.. Most buy/sell forums demand ID card identification to avoid fraud. So i'm thinking the Germans are doing something similar

Great!

[frank_adrian314159]

I'll put it in a pile with all my other pan-industry platforms for online registration, e-identity and data services.

Obligatory XKCD link omitted because everybody's seen it. Really. Everyone on the internet. Don't bother.

What's so wrong with OpenID

[Marxist+Hacker+42]

Haven't we been down this road several times before?

How come no one thought of this before?

[Attila+Dimedici]

How come no one thought of this before?
Oh wait, they did. It didn't work out because it is not as great of an idea as it sounds at first.
You have one logon for ALL of your online accounts. That's great only one ID and password to remember to get access to everything you do online. Of course, that also means only one ID and password to hack for someone ELSE to get access to all of your online accounts. Then once they do, aside from the losses you might take from the hack, how do you get your account back?

Re:How come no one thought of this before?

[green1]

That's not actually the biggest obstacle to this. The real problem is that too many websites think they're more important than that. In fact, many think they're so important that they have their OWN single sign on for other websites to use.

The end result is that there is never wide enough adoption of this for it to actually work out the way it's planned, and the average person never finds a "single sign on" that works for more than 1-2 sites out of the dozens upon dozens that they use.

Re:How come no one thought of this before?

[Attila+Dimedici]

The problem you are pointing out is not so much that they think they are more important than they are (although that is an element to it). The problem is that everybody who comes up with this idea thinks, "I can make money doing this." Which leads everyone else to think, "Why should they make the money? Why not me?"
A related problem is that whoever sponsors the single sign one that become THE single sign on will forever after have a competitive advantage over their direct competitors in whatever their business is. The result being that those competitors will not sign up for it (for good reason).

Re:How come no one thought of this before?

[parkinglot777]

Of course, that also means only one ID and password to hack for someone ELSE to get access to all of your online accounts

The advantages of centralizing credential validation far outweighs the disadvantages you mentioned:
1. Most people already use the same username and password for most of their accounts
2. Currently these 3rd parties are getting their databases hacked hence, accounts are hacked. With centralized account management we can apply very strong security to minimize such instances.
3. With only one service to cater to, devices can run anti logging software (such as what some banks have you install to avoid account theft via key logging)

Off course having your account stolen is going to be a huge problem but it already is for most as mentioned in #1.

Err... I have to disagree...

• 1. Your answer is not relevant. Even though most people already have the same username and password, it does not mean all people do. Also, you exaggerate the number of "most people" by the way. If you said "more than half" then I could agree with, but it is still irrelevant. Because majority of people do not follow or understand security, does not mean we all have to adjust to their less secure way.
• 2. How do we apply "strong security" when users themselves don't understand or even care about security (look at #1 why they keep repeatedly use the same username & password)? Let say you have implemented an unhackable system. Let's say a mother gives her ID and password (and whatever your system requires) to her daughter to do some online shopping for her. Then later on, the daughter does the online shopping without the mother's permission. How could your unhackable system prevent that? I'm not talking about how to catch her misbehave, but I'm pointing directly to your argument about "strong security" perspective. There is no minimize risk here because it is still the same old scenario.
• 3. Please look back at #2. If someone could steal crucial information to log in, it is extremely difficult to distinguish who is who. Sometimes, you may be able to find out, but it is usually too late because all other information/asset have been stolen/sold already.

Centralized data is good for convenience, but it goes opposite way of security. You have to pick the right proportion of convenience and security. If you want pure security, you have to let go convenience, and vice versa. If you believe they both can coexist at the same extreme level, you may need to learn more about the real world (practical) because you seem to watch too much of sci-fi movies...

What could possibly go wrong?

[GameboyRMH]

Talk about too many eggs in one basket! This is hoarding everyone's most precious eggs into one giant egg silo!

Not to mention this is almost THE nightmare account in terms of online privacy: one account for everything, linked to your real name through government ID. It could only be worse if it were controlled by a corporation rather than a government...at least you should be able to vote to keep marketers out!

Commercial use

[DrYak]

you can be tracked all over the internet with ONE ID - including all your political commentary!

Technically, this effort (like lots of other similar efforts in the past) aren't targetting forum, but mostly on-line shops, and e-government platforms.
- i.e.: things where you already need to identify with your real-world ID for obvious reasons. (e.g.: Because the goods need to be delivered to you in person).
They are all platform who already know you, and could (if they wanted to put the effort and collude together) trace you.

You're confusing with OAuth and OpenID platforms (like Google, Facebook, etc.) which are targetting forums.

Re:Commercial use

Sure.

Technically it never starts out that way. Just some good intentions. That's how these laws work. A frog will always jump out of a hot pot - you just put the frog in cold water and turn the heat up slowly over time.

Nobody would buy into an internet ID # scheme that would track you everywhere because nobody wants to be traced. You just start with a government ID used for shopping and eGovernment. How could that possibly be evil? It's just one ID for all your government services. And shopping. It'd be really great to use this for shopping. And health services. We already need a central repository for our health records so it should be there too. Oh and hey all of our banking accounts should tie into this too. Its convenient and it really helps government crack down on crime. Well now that we have you spending habit it'd be a good idea to give you tax credits on your health if you eat buy healthy food instead of junk food. While we're at it you should use your to register your car too and the auto insurance associated with it. Oh hey, your driving record says you speed so that should affect your government health tax credits too. In fact now that 80% of the internet uses your ID we should roll it out for Hulu and forum services too, as a convenience and let Facebook tie your account to it too.

Oh hey since we have IDs tied to facebook we can finally solve this troll problem. In fact we should require your government ID to be used to login to Facebook to verify it because everybody agrees hate speech needs to be properly penalized.

And that's how it works Charlie Brown.

Re:Commercial use

[thsths]

And then there is paypal for payments. So it all exists, and I am not really sure what is novel in this approach, except that it is happening in Germany (and supposedly linked to your government issued ID card).

Re:Commercial use

[mi]

Sell it as a way to prevent 'hate speech' and German government will be all over it.

And so will the American Left — fans of German government since 1930-ies.

Re:Commercial use

[mi]

political ideology is now measurable exclusively along the axis of individualism/statism

What other dimension would you propose? The second it becomes Ok for the Glorious/God-fearing/Hardworking Collective/Commune/Community to trump the Weird/Apostate/Cantankerous Individual, oppression flourishes and life begins to suck. For everyone.

Really evil idea

[gurps_npc]

This isn't killing registration, it's REQUIRING one. A really horrible one.

It is like facebook, only forcing people to use it - FOR EVERYTHING.

It's not just the end of online anonymity, it's the total destruction of what remains of privacy.

Look, I do NOT want to use the same ID for my Medical history for ANYTHING. No one should be able to know what ointments I am getting or for what, just because I sent them an email.

People have a right to privacy, even if most morons ignore it.

Only a Matter of Time

[WheezyJoe]

Gonna happen eventually. Trusting your online identity to Google or Yahoo or some outfit that may go bankrupt someday is becoming more and more stupid, in a world where having a persistent, secure, accountable and trustworthy e-mail account unique to you is becoming essential to pay your bills, do your taxes, get your Medicare, and other plain life stuff. People are afraid of government, sure, but Google or Microsoft or AOL/Verizon do not owe you an e-mail account, and can probably shut it down any time they want (you ain't paying for it, for example, and if they go bankrupt, who ya gonna sue to pull it back from backups?) Smart guys can roll their own servers, of course, or work for a university their whole life. But that's still no guarantee that their e-mails are coming from then - the server gets hacked and someone uses it to steal your tax return, there's nobody to turn to.

I see a national e-mail account as an inevitability, like getting a passport, run by the Post Office for example, as soon as government don't wanna pay for letting people do business any other way (like paper). Just a matter of when. Maybe not soon, but someday.

That's bullshit

[allo]

Hello from Germany here.

It's the first time ever i heard from it. So i believe there is some initiative, but that does not mean, that this is "Germany's plan".
It's just another corporate dream. Or like our politicians tell us "the internet is new land for all of us" (Angela Merkel).

We have a thing, which is the ePerso (electronic identification built into our identity card), which nobody uses either.
In theory it can do a lot of cool stuff, including ideas like providing a pseudonymous identity to websites which is backed by a real identity you do not need to reveal, which should be able to be used to authorize for official tasks for tax and others and provide some more things.
In reality nobody is using it, nobody is implementing it and the people able to use such techie-stuff know the problems with it and are a bit paranoid (they may have a cause) about what the government may be able to do with it, when it gets established.

Back to the article: BULLSHIT. Nobody is killing online registrations, some companies are just trying to reinvent something again in ambitious ways. They may be soon some headlines about it then everybody forgets it again.

Sounds like a poor version of the Dutch system

[thegarbz]

The banks in the Netherlands use a system called iDEAL which is used for online transactions. It is run through banking website and uses a challenge and response system combined with the presence of a user's bank card.

They branched out recently to create a new side system called iDIN. The premise is also simple: If a bank can already authenticate a person for the purposes of transactions, why not also do it for web logons? I'm starting to see many services adopt it, starting with the government and tax department which now give you the option of logging in with your government login (DigiD) or iDIN.

All that is fine providing it's restricted to services who absolutely have to positively identify me. Facebook and the like can fuck right off if they are thinking of adopting something similar.