BundesMessenger, a secure messenger for Germany’s public administration (element.io)
595 points by nickexyz 1288 days ago
35 comments

Germany was quite advanced when it came to technology but then the drive to make more of it somehow stopped.

It has always been incredibly sad to me that the German ID card (Personalausweis) has an RFID chip inside with trust zones, certificates, authorization features, and much more and just never had been used. Like at all except for getting cigarettes at vending machines.

12 years after the first RFID Personalausweis had been issued it is only possible to register your car in some cities. Maybe there are other minor uses but it's negligible.

It's a very cool technology with a certificate authority and cryptographically secured claims for various things (proving you are over 18 without revealing your DOB, only giving out the name and address, authenticating as a German citizen, pseudonymity with separate identities for each service you use etc.). All functionality is also available for use over the internet.

The German Wikipedia has a good overview: https://de.m.wikipedia.org/wiki/Personalausweis_(Deutschland...

Makes a lot of sense with German culture IMO. There's a culture of doing your job very well, but not much of a culture of thinking outside of the box or shaking things up.

Some Herr Doktor probably followed all the best practices to implement "trust zones, certificates, authorization features, and much more" in the ID, doing their job really well. But actually changing the processes to use those features is not anyone's job, and might actually eliminate a lot of jobs, so it never happened.

I think modern political criticisms might be too dismissive of inefficient bureaucratic developments, or we might be taking criticisms too seriously.

They might be slow, complicated, budgeted terribly, unbelievably incompetent by standards of typical for-profit mega corporation, but a lot of those projects work at first try and work for decades, in the end.

SLS capsule came back in one piece on first try. That German ID system probably works too. And that’s great.

I can believe they work for decades, but mostly because nobody believes they’ll do any better the next time.

It is good this project is failing.

Such a thing will never fly in the US. Both the left and right will rightfully or wrongfully oppose it for different reasons.

Edit: E.g. see the left opposing voter ids in the US.

>Edit: E.g. see the left opposing voter ids in the US.

FYI, the left wasn't opposing voter IDs. The left was opposing Voter ID laws, which required a voter to have an ID, while selectively providing these IDs to the population.

That's a uniquely American problem. We wouldn't have an issue with a Voter ID law if everyone was guaranteed to have a state ID, regardless of where they live, whether they have a car or not, and whether they have money to pay for it (it should be free).

Personal IDs aren't free in Germany (though not expensive, ca. 30 EUR), they are mandatory to wear and you have to show them if you want to vote.

No IDs in an election are a culture war issue in US and lefties argue irrationally on the topic. Btw, I am not a Trump supporter.

It goes also with a different aspect of German culture.

They rolled that out together with finger printing.

People value their privacy here and this was overstepping too many boundaries.

Those features have also never been explained to the average Michel here. Even IT interested people are not aware or understand the good things about it.

I think the fingerprinting happens for all the EU chips right? It allows for those automated gates at the airport where you need to verify your fingerprint.

Wow, after living in Germany for 5 years.. I think I agree with you completely. That last sentence is the best description of the problem I have read.

Absolutely spot on

A couple of years ago, I would have concurred. But for some time already you have the possibility to use the e-ID through Postident (https://www.deutschepost.de/de/p/postident/privatkunden/iden...) which is kind of well integrated in many businesses. Moreover you have private / corporate solutions like Verimi (https://verimi.de/) that incorporate functionalities of the e-ID. There is even an alternative (https://www.openecard.org/startseite/) to the official app. (EDIT: The alternative is open-source, but so is the official app. Removed adjective.)

I really like the development that has gone into the e-ID. They even have thought out a safe way to update your PIN (https://www.pin-ruecksetzbrief-bestellen.de/)! The biggest drawback of all is the lack of any marketing, IMHO.

The official app is already open-source:

https://github.com/Governikus/AusweisApp2

True, that wasn't well formulated.

It's hilarious. I recently moved and wanted to update the registration info for my car. My city boasts about having an "online self service for anything you'd usually need" (sad enough that this alone is a rare achievement), so naive me decided to give it a try. I successfully registered and wanted to update the info on my car, but got stopped by a disclaimer saying "if you want to do this online with your eID, you need to attach a picture of your ID to the form"?!. I burst out laughing, wondering what the point of this eID even is. And I still haven't updated my info.

You can use the "Online-Personalausweis" for quite some things actually. For example to authenticate at banks, so you don't have to do Video-Ident. Or to do taxes etc. I wrote a post about it earlier this year: https://b.jlel.se/s/59c

I don't speak German, but by video identification do you mean the system in which you turn on the webcam and it checks your face? If so, that is highly vulnerable to real time face swapping attacks (and possibly just recorded webcam footage). I'm sure you're aware, but these systems need to change.

For banking a fairly well known identification provider is "Postident", a service offered by Deutsche Post.

They offer plenty of ways to actually authenticate. The classic one is that you receive a voucher, go to a post shop, the employee there checks your ID and prints you a verification code (iirc). They also added video calls for identification and from my experience, it seems as if they are aware of the potential security implications. They ask you a bunch of questions and require you to do different things (for example hold your ID card right in front of your face, cover one side of your face, etc) presumably to counter this attack vector.

The smoothest way is to use the ID card integration. With that, assuming your ID is already set up for the online authentication, the whole KYC process for a new bank account is done within two minutes. Unfortunately it seems like some banks still disable this option, at least I did recently open an account and did not have this option for use with postident.

> They ask you a bunch of questions and require you to do different things (for example hold your ID card right in front of your face, cover one side of your face, etc) presumably to counter this attack vector.

Give them a little while and the AI will be able to do all that so you can finally prove to the government that you are indeed a panda bear.

Nah it's a web call where they check your passport for authenticity and identity in real time with a real human in order to authorize a new bank account etc.

One of the links seems to be broken

> The law even has its own website with a dashboard,

In The Netherlands, they are implementing a thing which gives the same advantages (i.e. disclose some attributes about yourself without disclosing unneeded data), but uses different technologies. It's called IRMA, you can find an overview here [1]. It can be combined with other applications to do cool stuff, e.g. with PostGuard [2] you can use identity-based encryption to be able to send an encrypted email to someone, but without the need to know their public key in advance, nor having to authenticate it. The drawback is that you have to trust a central server and a third party identity provider.

[1] https://irma.app/ [2] https://postguard.eu/

I'm from the Netherlands but I don't like IRMA. I respect what they're trying to do but they're lowering the barrier.

Right now most platforms don't do ID validation because users hate sharing their details. By making it more privacy-safe more platforms will do it because the barrier is lower. I really hate that, I think the internet should remain anonymous. So I can pick whatever nick and even have multiple.

I'm a little surprised we haven't seen governments try offering identity-based encryption as a way to head off encryption that's harder for them to wire-tap.

For the unfamiliar, with identity-based encryption, the recipient's public key is a function of the key authority's public key and some "identity", such as a national ID number or email address. Their private key is a one-way function of their identity and the key authority's private key. So, the recipient needs to ask the key authority one time to generate their private key for them, but there's only one public key to distribute. For the whole system, the sender can calculate the recipient's public key. The private key isn't even necessarily calculated before the sender has sent their message! It's very convenient and flexible!

Of course, the downside is that the private key is deterministic and can always be re-generated by the key authority, so it's fundamentally vulnerable to attack by the key authority. Also, some of the underlying math is less well studied than standard ECDHE/DHE/RSA, so we're less confident about vulnerabilities lurking just under the surface.
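
The identity-based encryption flow described in the comment above, as an added example that is not part of the original thread: a toy version of Cocks' quadratic-residue IBE scheme (one concrete construction; the comment names none), showing that the sender needs only the master public key and an identity string, and that the key authority can re-derive the recipient's private key at will. The Mersenne-prime master key, the identity strings and all function names are assumptions chosen for illustration, and the parameters are not secure.

```python
import hashlib
import secrets

# Toy master secret of the key authority: two Mersenne primes (both are 3 mod 4).
# Constructed for illustration only; a modulus built from them is NOT secure.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q  # master public key, the only key that has to be distributed


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0; returns 1, -1, or 0 if gcd(a, n) > 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def identity_to_public(identity: str, n: int = N) -> int:
    """Anyone can compute this: hash the identity to an element with Jacobi symbol +1."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{counter}:{identity}".encode()).digest()
        a = int.from_bytes(digest, "big") % n
        if jacobi(a, n) == 1:
            return a
        counter += 1


def extract(identity: str, p: int = P, q: int = Q) -> int:
    """Authority only: deterministic private key r with r*r = +a or -a (mod n)."""
    n = p * q
    a = identity_to_public(identity, n)
    return pow(a, (n + 5 - p - q) // 8, n)


def _encrypt_bit(bit: int, a: int, n: int) -> tuple:
    m = 1 - 2 * bit  # bit 0 -> +1, bit 1 -> -1

    def half(sign: int) -> int:
        while True:
            t = secrets.randbelow(n - 2) + 2
            if jacobi(t, n) == m:  # a non-zero symbol also means t is invertible
                return (t + sign * a * pow(t, -1, n)) % n

    # Two halves because the sender cannot know whether r*r is +a or -a.
    return half(1), half(-1)


def encrypt(message: bytes, identity: str, n: int = N) -> list:
    """Sender side: needs only the master public key and the identity string."""
    a = identity_to_public(identity, n)
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    return [_encrypt_bit(b, a, n) for b in bits]


def decrypt(ciphertext: list, r: int, identity: str, n: int = N) -> bytes:
    """Recipient side (or anyone holding r): recover each bit from a Jacobi symbol."""
    a = identity_to_public(identity, n)
    use_first = pow(r, 2, n) == a
    bits = []
    for c1, c2 in ciphertext:
        c = c1 if use_first else c2
        bits.append((1 - jacobi(c + 2 * r, n)) // 2)
    out = bytearray()
    for i in range(0, len(bits), 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


if __name__ == "__main__":
    ident = "alice@example.org"           # constructed identity
    ct = encrypt(b"hello", ident)         # sent before any private key exists
    alice_key = extract(ident)            # issued by the authority afterwards
    print(decrypt(ct, alice_key, ident))
    # The escrow property: the authority re-derives the same key and reads the mail.
    print(decrypt(ct, extract(ident), ident))
```
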

From the website:

> With IRMA it is easy to log in and make yourself known, by disclosing only relevant attributes of yourself. For instance, in order to watch a certain movie online, you prove that you are older than 16, and nothing else.

That’s not “cool stuff”.

PostGuard is, as for many users it's way easier than PGP (no key management issues, plus some special case handled better). As I mentioned, the drawback is trust in a central server and an identity provider.

You present the conclusion only. Please share the train of thoughts that made you arrive at it, because it is not obvious.

It’s not cool that content would be restricted to people that can prove they are older than 16. It requires very little imagination to see how this could be extended to restrict content to people that have a yellow star on their clothes.

This does not follow, in the same way that the existence of the police does not imply a slide towards a police state. The slippery slope fallacy is a fallacy.

Besides, at least around here they already ask for an ID if you look young enough, for some movies. This is not enabled by new technologies.

I use my Personalausweis to submit tax stuff, to get the current status of the government pension fund (I can know at any time, not just once per year how many Rentenpunkte I have) and to submit local requests for my city (for example changes for the garbage collection service). My phone serves as the card reader using NFC. It works like a charm.

I heard something yesterday about how you can authenticate digitally for tax documents using the NFC chip in your Personalausweis! You just have to download some app.

But yes, in general, we’re SO CLOSE…then you have to go do Anmeldung with a paper form in person

I do all my tax return stuff online with my Personalausweis. Once you got all your PINs and access codes it's quite seamless actually. You can even pair your phone with your PC and use the phone's NFC reader to read the ID-card.

That stuff honestly improved quite a bit in the recent years. Most of these services are just not advertised or integrated enough so far.

I actually use my German ID card to communicate with the Elster service of the German tax offices. My old USB signing stick would need to be replaced next year, but using my ID card was the cheaper option.

You can also generate a certificate. Registering it requires receiving a letter by snail mail and it expires every X years (5 maybe?), but otherwise it's just like your certificate for your server you use to SSH in.

2 years

3 years. I’m back at my computer and checked, my certificates were 2013, 2016, 2019 and 2022

Many more applications will come in coming years. They are being implemented right now, I think this was sped up by some law that municipalities have to provide those services online by 2026? Not sure. Anyway there is a huge backlog and not enough programmers but one way or another this has to be done.

25 years of intentionally slowing down digitalization to protect local SMEs (which make 70-80% of the economy) against US tech companies leveraging economies of scale.

Yes there’s plenty corruption and disastrous bets (ISDN…), but let’s not pretend the situation isn’t intentionally created.

It's fascinating what the EU can accomplish, but in my mind drivers licenses and "national IDs" (that are usable when travelling in EU) should be merged and unified over the union. Imagine how much simpler things would be! And this tech used in Germany sounds like a very nice base for it.

I mean I would also make them passports but I think that is impossible.

This may be difficult for an American to understand, but a driver's license is not a core document, and many people may not have it. In most places it'd not come to mind in a discussion about digital ID.

Lots of people don't have a license but do move around and across EU borders a lot.

The IDs are actually heavily unified nowadays https://en.m.wikipedia.org/wiki/National_identity_cards_in_t...

I would imagine that different countries might have slightly different traffic laws or acceptable risk levels, so might want to have their own licensing schemes. Maybe they could have a unified form-factor that gets stamped by the individual countries though.

They do, all IDs are in ID-1 form factor, stamped by the countries and the EU [1].

It's the same for driver's licenses [2], they are accepted in all EU member states and basically look exactly the same, just in different languages and show a different flag.

[1] https://en.m.wikipedia.org/wiki/National_identity_cards_in_t...

[2] https://en.m.wikipedia.org/wiki/European_driving_licence

The scars of WWII have well and truly healed if people are comfortable with this technology. The 1900s accrued a lot of experience with where this will go.

Usually I'll argue for market efficiency over other concerns; but in this case the Europeans are on to something with the GDPR. The role of government is to make this sort of personalised identification hard - not to enable it. The end game is going to be hard times and mass discrimination against minorities.

Unfortunately still many people working in tech jobs do not understand that putting an ID on an official governmental document that you need to carry is effectively the same as a tattoo with a number on your arm.

Although Germans have had bad experiences with that, the idea survived the 3rd Reich.

The idea that as a human being you need "governmental documents" to identify is an authoritarian core value that is fundamentally against individual freedom.

Jews were forced to always carry their "Kennkarte" with them.

Please do not tell me about positive use cases that are based on the naive idea that "the government is the good guys".

When electronic IDs are not rolled back everywhere then democracy and individual freedom will be lost for a very long time.

We should pay vast quantities to Microsoft or Google to do it, they can be trusted ... right

It's almost as if the spirit of the people was broken as Germany drifted more and more leftward.

Yeah, they should try going to the right again. The people were very spirited last time

Oh dear. Please don't take HN threads into ideological flamewar. It's predictable, nasty, and not what this site is for.

https://news.ycombinator.com/newsguidelines.html

Wow. You won the award of the most stupid comment on this post.

Please don't respond to a bad comment by breaking the site guidelines yourself. That only makes everything worse.

https://news.ycombinator.com/newsguidelines.html

As mentioned in the article, the German health services already adopted Matrix for their "TI-Messenger", which is supposed to make secure communication between health care professionals easier. Or, well, possible at all. Right now this is a morass of "don't mention anything private" emails, letters and faxes. I'm surprised that ticker tape isn't involved somehow.

But don't worry, if German health services doing something right is triggering your "the end is nigh!" response: As far as I know, the rollout for patients is still a long way coming and they still don't even have a date set for video chat (right now a cottage industry of anyone involved in HC doing their own WebRTC thing).

And we still have to walk to the doctor's office to get that prescription for the same Asthma medicine you always get every three months. Instead of just getting it electronically to the nearest pharmacy. Now we have to queue up in the doctor's office with sick people, wait for them to print and sign a red piece of paper and then walk to the pharmacy.

Maybe this changes too in the future?

> Maybe this changes too in the future?

E-Rezept was supposed to launch in 2022 but has been postponed until mid 2023. Some regions already tested it. It didn't work out well, so some regions dropped out of the testing phase. I'm pretty sure it won't work well at launch and we will have to rely on printed prescriptions for quite some time until all pharmacies and doctors use the new system.

It is always puzzling to me with how Germany has many cultural similarities with us Nordics and is an advanced science nation, yet is always so much slower in adopting new technologies. In Norway we have used electronic receipts since 2013. That is like a decade.

But I suspect it is a difference in attitude. I think in Scandinavia we are generally far more enthusiastic about new things.

Germany has a different history with surveillance and authoritarian state control.

Not only did the Nazis use the resident register to find undesirables, but also the Soviet Union used any and all avenues to spy and control people.

Privacy and scepticism of making the state a mandatory middleman is deeply entrenched for historic reasons.

Specifically this cryptographically tight identification, electronic-only payment etc. are very contentious for this reason I believe.

But overall your point is still correct, there is a strong bias towards the status quo and the new thing has a lot of proving itself to do before being accepted.

That's the main reason but not the only one, federalism is the other (unless you consider that also a consequence of certain 20th century events, which in part it absolutely is and in others it absolutely isn't). The ID is clearly federal, but almost everything you might want to implement on top of it is not. The Nordics are small enough to make country-wide standards easy.

Germans have diffuse fears of new technology. Many of us are skeptical whenever it comes to new gadgets, especially if the risk of being tracked or spied on plays a role. Eventually most people level out and get it anyway, like the cell phone, the smart phone, credit cards, Google/Apple pay, etc. Not sure if our history has something to do with it so that many feel uneasy about giving away too much control about our personal data, but maybe it does.

> Not sure if our history has something to do with it so that many feel uneasy about giving away too much control about our personal data, but maybe it does.

Germany has seen two dictatorships in the last century. The first one was more brutal, but the second one maintained a gigantic spying apparatus on its citizens, that took a large fraction of the state's budget.

What's your level of comparison here? Japan? New economies?

If you contrast it with the US, you'll find some technologies earlier in use in Germany, like texting, and some stuff that just went different (credit vs. debit cards). And talk to someone from the US or even the UK about mandatory ID cards, and you'll hear different things about privacy.

I think this specifically is mostly to blame on bureaucracy and the federal system, not a reflection of general German luddism. Nobody really wants fax machines.

«With the examples of surveillance discussed above, we now know why contemporary Germans so highly value privacy and limits on state surveillance. They are reluctant to go back down that road again.»

Source: https://www.wondriumdaily.com/germanys-surveillance-system-i...

Me reading the comments... So that's how Sweden must have felt a decade ago.

Greetings from Poland, e-Recepta here launched in 2019.

And was given prime time thanks to covid, same as remote call with doctor, which allowed getting electronically recipe without coming into doctors office.

Covid accelerated a lot of remote services.

Already exists: https://www.apotheken-umschau.de/e-health/e-rezept/e-rezept-...

Currently was supposed to be in a pilot phase in two regions, but both of them cancelled it due to privacy concerns: https://www1.wdr.de/nachrichten/erezept-kelber-medizin-westf...

I did have a video call with my doc the other day and he mailed me a prescription. Which then got scanned by my digital mail box (caya), then it got forwarded in physical form to my house and now I can finally in person go to the pharmacy with the actual paper and get it... LOL.

I wonder how much this is solely technical. Sure, if it's something like asthma medication or insulin, it's completely superfluous. But if I remember correctly, doctors have a few incentives for this. Part of them rather good, like a fear of over-medication, part of them related to budgets with the insurance companies etc.

The health industry is very weird from top to bottom. True for most countries, but Germany certainly adds a few cherries on top. Or at least massively diluted cherry essences…

You can’t call in advance and pick up the receipt an hour later?

You can but they'll likely only start preparing the Rezept when you arrive, and you'll still need to wait 30 minutes. At least that's how my Hausarzt works.

You should change your Hausarzt. They can be so careless only because enough people tolerate such behaviour.

I just send an email what I need, they reply to me the same day or tomorrow that it's ready to be picked up. I go there and get it in 2 min.

It's not like they are competing for patients.

In most places it is hard enough to even get a Hausarzt to begin with. You might just be lucky to live in a bigger city where you have the ability to choose.

>You should change your Hausarzt. They can be so careless only because enough people tolerate such behaviour.

LoL ok, just that GPs have no shortage of patients, but the other way around so since they're on such high demand and in low supply they can get away with many things. The market is in their favor by far.

Yes you can.

Usually in the German health sector the use of existing standards is only there for marking off a checklist I have the feeling. In practice things are so heavily adapted that you often cannot use existing libraries.

Just look at the authentication of the E-Rezept (electronic prescription) service: https://github.com/gematik/api-erp/blob/master/docs/authenti... This is supposed to be standard OpenID.

I fully expect the matrix protocol to suffer the same treatment under the hand of the Gematik.

If you want to know how things end up such a chaos take a look at the definitions of the payload data: https://github.com/gematik/api-erp/blob/master/docs/erp_fhir...

6 different sets of definitions by 5 different regulating bodies, with the organizing company Gematik GmbH owned by 9 different stakeholders: https://www.gematik.de/ueber-uns/struktur

Last time I lived in Berlin (until early 2020) my Hausarzt still used Telegram in her practice. Mostly to communicate between the front desk and the examination rooms.

I wonder how kosher it was.

Meanwhile the E-Arztbrief which was supposed to replace FAX is a complete mess. The directory for mail addresses has not been strictly regulated. It's pretty much useless everywhere where big index databases of medical professionals already exist since finding the proper mail address is a pain.

A friend working at a big radiology attempted to manage that since there are issues with FAX systems since ISDN technology has been boxed and the E-Arztbrief would have been a good solution. But when he started out comparing their database, he found awful problems. For example there are whole names in the surname field or names of a Doctor's office. You can't properly search and even if you do, you are never sure you got the right one.

I think messaging is an area where Europe could have an impact.

The basic problem with messaging and voice/video comm applications is that clients are not interoperable. It is easy to think that: we've had CUSeeMe, IRC, ICU, AOL Instant Messenger, Tivejo, MSN Messenger, I think more than 10 kinds of Google Chat, Facebook Messenger, Skype, Zoom, Paltalk, Yahoo Messenger, Signal, Telegram, Go2Meeting, Discord, WhatsApp, WeChat, etc.

The average person would be hard pressed to tell the difference between these applications, a cynic would say "Facebook Messenger is no different from AOL Instant|MSN|Yahoo messenger except it is integrated with Facebook". The average person doesn't question that chat programs don't interoperate but because they don't we see a pattern of "try out the new shiny, it's just as good as the old cruddy was back in the day", the new application rides high for a while, then it rots and it is the new old cruddy before long. The one constant is that you may need to install 10 chat applications to talk to everybody you talk to.

As it is, two-sided markets let applications coast and generally rot without losing market share until things get catastrophically bad. If chat applications interoperated there would be a robust market for better applications and better servers and you'd see developers of old apps to have a reason to keep them working over time and more chances for new apps to get established.

Curiously many of the messengers you mentioned are or were at least initially based on the same protocol, XMPP, some of them even were interoperable for a time[0]. There are still attempts at realising interoperability, notably libpurple[1], but they are fighting a constant uphill battle. Sadly companies usually just have more incentives to either keep their services walled off or extend only theirs in functionality, rather than keeping them interoperable. This would only change through regulation, or I suppose if a federated service gains enough traction to become the de-facto standard, but given the fate of XMPP that seems unlikely.

[0]: https://en.wikipedia.org/wiki/XMPP#Non-native_deployments

[1]: https://en.wikipedia.org/wiki/Pidgin_(software)

The impact is not likely to be positive. Nearly every government in Europe will want access to the comms happening, particularly if it's within their borders or with their citizens. Europe is not likely to introduce an end-user-to-end-user encryption. It will be encrypted from end user to the government to the next end user.

The EU's DMA regulation, which is the one that will enforce interoperability, explicitly requires end-to-end encryption to be preserved.

At the same time, EU tries to introduce Chat Control, which would emasculate E2E by exfiltrating the content of the conversation anyway.

It is helpful to avoid thinking of any legislative body as a monolith.

And as Facebook and governments have taught us, a lot of people consider end to end encryption to include "I can encrypt between you and my server, decrypt it, read it, encrypt it again and pass it on".

Since Matrix (and thus BundesMessenger?) currently doesn't provide standard security guarantees for its end-to-end encryption (the mitigation to the "Simple confidentiality break" from https://nebuchadnezzar-megolm.github.io/ is still in the design phase; same for the IND-CCA break, but that doesn't seem exploitable in practice) I wonder how much the German government cares about E2EE for its civil servants? The blog post mentions E2EE prominently, but any insights to share on whether that mattered for this particular adoption?

Gematik co-funded the most recent Matrix audit of vodozemac[1], and is poised to fund 3 more (of matrix-rust-sdk-crypto, matrix-rust-sdk and the whole stack end-to-end) to ensure the E2EE is where it needs to be. So I'd say that the German government definitely cares about E2EE for its civil servants, and we're very grateful for them funding security research.

Meanwhile, BWI is helping fund the work needed to address clientside controlled room membership (https://github.com/matrix-org/matrix-spec-proposals/pull/391...) as highlighted in your paper, as well as TOFU... and they're also funding work to provide MLS as an option for E2EE in Matrix too[2].

Unsure why you're talking about the unexploitable IND-CCA break :)

[1] https://matrix.org/blog/2022/05/16/independent-public-audit-...

[2] https://www.golem.de/news/bwmessenger-vom-messenger-der-bund...

Cool, thanks! That's interesting to know. Do you know how they deal with FOI and auditable communications in this case?

PS: I talked about the seemingly unexploitable IND-CCA vulnerability because it means Matrix can't give you some security guarantees: It should be fine - we don't have an exploit, only a vulnerability - but it is not clear how to reason to arrive at "there cannot be an exploit". If you care about security guarantees, you care about it.

Good question about FOI and audit; unsure for their deployment. In general we use audit bots when needed (which are visible in the member list), and even in a client-controlled-membership world, they would complain bitterly if they saw traffic which they didn’t have the keys for.

Fair enough on IND-CCA; as you know, we are fixing it anyway.

> BWI.. also funding work to provide MLS as an option for E2EE in Matrix, https://www.golem.de/news/bwmessenger-vom-messenger-der-bund...

Good news that BWI is funding a Matrix implementation of the multi-vendor IETF standard MLS group messaging E2EE protocol.

The (translated to English) linked reference doesn't mention MLS, is it correct?

I really like the idea. But I am skeptical - digitalisation of Germany's public services and offices in the past hasn't exactly been a success story.

It hasn’t but it’s on the right track. I am working as a developer in one of the federal agencies and have direct contact with the efforts.

It helps a lot that public agencies can now offer a so called IT Zulage of a few hundred euros to 1000 per month that brings salaries on par with the private sector. In my team, this worked wonders and we managed to get some really good people.

On the other hand, the task is enormous, we were discussing last week that if we had double the man power, we would still have the same workload, because we push back on a lot of things. We have about 70 projects that we wrote and maintain and a backlog of another 12 waiting to be started.

BWI has the same problem, I’ve been approached multiple times by them for this project, which from my knowledge is being intensely worked for many years.

German engineers typically point at politicians to blame for projects being late. But they share the blame. Over-engineering and lack of push-back against feature creep seem to be standard. Often times, the feature creep is homemade, by the engineers themselves. Other countries get things done simpler and thus faster. Be a bit pragmatic and boom, it's live and works. In Germany you first need to create a bunch of Arbeitsgruppen in a new Bundesamt fur Warmeluft and protocols and certificates and meetings and Pflichtenheft and by the time this thing has grown to 1000 pages you realize that your team is much too small and you need to hire more people and it just keeps growing.

Meanwhile, other countries have offered a web portal for years with a digital version of the Patientenakte and all prescriptions in one place. Works. Not in Germany though.

> On the other hand, the task is enormous, we were discussing last week that if we had double the man power, we would still have the same workload, because we push back on a lot of things. We have about 70 projects that we wrote and maintain and a backlog of another 12 waiting to be started.

I rest my case.

Oh man, damned if you do, damned if you don’t…
> we were discussing last week that if we had double the man power

Are you looking for more people?

This. Please point us to where things happen.

Also, how fluent in German must one be?

Yes, see interamt.de for open positions. You have to be fluent, I’m afraid, everything is done in German and you need to understand what’s needed and relay your own thoughts properly. There are many specific terms and processes and abbreviations
I took a quick look at some positions in Munich and the pay did not look very competitive with industry. However, public service has other advantages, and if you prefer to not rent your soul to Capital like so many of us do, I think the salaries looked pretty nice compared to other government jobs. Which is pretty much the deal everywhere, right?

(You can find the rate tables by doing a web search for the code listed next to “Entgelt/Besoldung.”)

I got a kick out of the fact that Street Cleaner came up in my search for “IT and Telecommunication:”

https://interamt.de/koop/app/stelle?1&id=894097

As a user of some public sector German IT Services (provided by dataport to be specific) I have to say that I wouldn't work on them for double my current wage.

The jank was incredible and just using them you could feel the spaghetti code, incompetence and age. My advice would be to stay away as far as possible. As a user and as a developer.

I wouldn’t generalize it. In our agency, we keep everything very modern, especially the tools and infrastructure, but also processes. We go to workshops and conferences and then implement what we learned.

Yes, I’ve seen some creepy stuff like 100kb of information on one line and a definition file saying from which column to each column one can find information, but we don’t do that.

Like I said, it’s getting better.

With this approach, it's not likely to ever improve. If they can't get good talent to come in and "fix" things, it will probably only continue to get worse
Indeed. But that only affects me in so far as I can't avoid using the services they offer. Besides that it is not my problem nor am I in a position to make it my problem.
I actually like the idea of becoming a public servant and bringing innovation to places that really matter for basically everyone around me, but salaries are not even in the same ballpark even with IT-Zulage.
It's not the IT salaries that are the problem, it's that many places working on government IT projects in Germany range from slow, backwards and incompetent to outright toxic. These are not environments that attract the best people but usually clueless YES men.
Yes, that’s what I heard, too. I’d probably give it a try, though, as I know similar structures from my work in FinTech, where we integrated with quite „conservative“ banks as well. I kind of have a knack with finding the right knob on such people to get to the desired goal.
It bears repeating: this is not the case everywhere and the same principle applies to the private sector. You can usually tell from the job description and the interview
do you happen to know the salary for let's say a senior software engineer working in a big city? I would like to work for the public sector but salary was always ridiculously low
why can't you hire consultants to take on some of the work?
Presumably budgets. Over the last decade or so, German politics developed the fetishization of the "Schuldenbremse", an attempt to reduce the national debt (which is already fairly low) no matter what. Unfortunately the way they went about it was not to reduce overheads or make processes more efficient (if you want to do anything here in Germany, there's a decent chance there is a form for it), instead they basically cut down on any investment. Fundamentally this means that there is a massive investment backlog in the digitalization of the government and education, in internet, rail and road infrastructure etc.

And now every project seems to have maximum demands, minimum budgets and zero flexibility. To make matters even more absurd, we have a ridiculous amount of federal levels, each with their own responsibilities and "approaches" to digitalization (and responsibility to save money).

For example, my mom is an office worker on a city level. The neighboring city developed a software for some process related to state law and offered it to our city. Our city, being the genius it is, does approach this state-mandated process a little bit differently. Instead of using the software the neighboring city developed and adjusting to their (almost identical) process, they choose to make their own software. But because they have basically zero development experience and engineering resources, they are looking to outsource. But because they don't have the budgets, they are looking for government support programs (that apparently even exist).

So yeah, even easy things are overcomplicated here.

It's likely more sustainable to have people long term and not expensive consultants who come in, finish a project and leave again with no knowledge being retained in the team.

I'd also guess that these projects are not very isolated but very integrated with a lot of other processes and internal projects, so it's not just about converting some specs into code in a vacuum and then leaving again.

They absolutely do. I have friends working as private sector IT consultants with federal agencies as one of their clients. These projects lock them into idiotic bureaucratic processes and extensive internal politics (more than in private sector). You can help improve quite a bit but it's like moving a plowing truck through pure molasses instead of snow.

The teams are often led by government officials who will do everything to keep things as they are to protect their position, of course with little to no repercussions.

If it was in my power, anyone who hires a software consultancy would be immediately sacked.
We do, we have 2-4 people freelancing any given year
Things can change. Easy to forget that Alan Turing and a certain German called Konrad Zuse both get credit for having invented the modern computer. Generally, people seem to like to give that honor to Alan Turing and Konrad Zuse does not get a lot of love. Not that it matters either way; but this is a country that co-created modern computing. Pre and post-war Germany featured a lot of rapid change and technical innovation.

I'm based in Germany and I share the sentiment that things have been a bit backwards here in terms of a widespread reluctance to let go of paper-based administration. This was awkward 14 years ago when I moved here and at this point it's just beyond pathetic. But things are changing. Germans are well aware that people outside of Germany are noticing how far behind they are and are shaking their heads at those silly naive German paper fetishists. So, there's a lot of domestic pressure to actually start fixing this. The covid crisis in the last few years forced a lot of Germans to do things with their phone that until then were completely unheard of in this country. Like paying for stuff or proving that they didn't have covid. That used to be a thing where paper and rubber stamps were the only acceptable solution.

So, I look at this as something that can change quite rapidly after not having changed much at all for decades. The will and money are there and Germans are starting to remember that they can actually get some stuff done when they put their mind to it. We're also seeing this with the current energy crisis. That crisis has unlocked budgets all over the public sector. And "digitalization" (as it is referred to here) is part of those budgets. Germans love efficiency and people have been pointing out that they haven't been very efficient. Which is embarrassing and annoying. So, they are fixing it now. There are now countless bureaucrats tasked with actually showing some results for the inflated budgets they've been given. We're talking hundreds of billions of euros here. It's not all going to be spent wisely but some of it will yield results.

> Easy to forget that Alan Turing and a certain German called Konrad Zuse both get credit for having invented the modern computer.

Nobody forgot that, just that past successes are in no way indication of future successes.

Otherwise SV would have been in Germany/UK instead of California. But that hasn't happened.

Same how in the late '80s to early '90s everyone was saying that Japan's tech sector and economy would completely overtake the US's and yet that hasn't happened but the reverse happened. From then on US tech sector steamrolled everything. Will that last? Maybe, maybe not.

In this case, the slow digitisation had a good side-effect of allowing an open, decentralized encrypted messaging protocol to be maturely adopted.

Not much consolation for the German people, who still have to deal with a lot of paper administration but a happy accident nonetheless.

From my experiences with DMG Mori and Siemens employees servicing my equipment and managed by a 100% electronic appointment booking and part ordering systems, German society is wholly and irrevocably doomed by the move away from physical paperwork.

All German productivity will end and even German language itself will be replaced by grunts and shrugs.

In the end, I got rid of my DMG Mori machine with its Siemens control and replaced it with a Taiwanese machine that functions reliably.

The large degree of federation in the German government is something that has traditionally shown some of its ugliest sides when it comes to digitalization (e.g. every state commissioning their own underpowered solutions which are 95% identical in spec instead of pooling resources).

I think that's exactly why Matrix might be a good fit, as the technical federation aligns well with the pre-existing social federation. I'm really optimistic for that project!

Makes me happy to read that.

One of the bright lights on the horizon is that the Bundeswehr opted for an open-source, federated, multi-platform and secure messaging framework. Instead of some proprietary, closed-source piece of crap from a Big-IT vendor which make same depending in a negative way.

This was possible only because Ursula vdL is not in charge of Bundeswehr any more.

That being said, god save the EU, since this walking tax-money black hole is now leading the whole EU.

Sinking tax-money destined for the military into consulting contracts could have been her plan towards the Nobel Peace Prize.
As hanikesn pointed out the decision for Matrix was made back in 2019, probably under VdL and/or AKK.
The bwmessenger pilot started already in December 2019.
This is interesting. Being German, when I read the headline I had a "not another public IT project destined to fail" moment. But this actually makes sense. The government and military need a secure communication tool, it is not a pie in the sky, but built on existing software, and they start with a well defined user base. My gut feeling is that this will be a successful project.
That is sad to hear. You hear criticism of public IT stuff here in Norway too, but it mostly works. Like I got e-receipt since 2013. Can order new prescriptions, book appointments, look at test results online. Well the latter doesn’t always work. But everything with taxes and banking had long been all electronic and working fine.
It is based in French software... so... maybe?!
German officials have had a whole lot of groundbreaking visions for as long as I can remember. The visions were never the issue but the delivery. I remember Peter Altmaier claiming in 2017 that in 2021 any government service will be accessible online lmao. To this day I regularly have to print out PDFs and send them via registered snail mail or fax (yes, I actually have a fax).
In 2000/2001 the defense minister (Rudi something) wanted to have a direct communication channel to all officers of the army. They contracted the Telekom (aka T-Mobile). The result was a parallel modem line network with extra PCs next to the well established communication network of the army. It was called Rudiphone and was the most stupid project ever.

So yes, visions were always there but the implementation was indeed always a story.

I'm happy to see this. It came out embarrassingly that Germany was spied on by the "ally" US. They already did not trust MS Exchange, probably for good reasons. So they either trust the Swiss (Signal), the Russians (Telegram, prolly not), the ..., or they roll their own, or they use open source. I'm stoked to see they seem (yes: seem) to be doing the latter.

Why do I emphasize "seem"? Well, there have been several German initiatives for using open source, but none of them stuck very well. Munich's going Linux comes to mind, but there were others. And I'm afraid that this may be another such "attempt", while I hope it is different this time, as their national security is at stake.

Telling everyone to communicate with GPG-encrypted emails has shown to be too hard on users, who then simply use one of the many less-secure channels. You have to do something, or you know they --the US mostly (WhatsApp, Twitter, GMail/Chat) -- will listen along with everything.

I don't know why the person who was first to respond to you is "dead" but set aside his value judgement; all he wrote is factually correct. The embarrassment you speak of lies in the fact that it became public knowledge, not in the act itself, depending on the perspective of specific institutions. Furthermore, disregarding the fact that Signal is in Israeli hands, I'm fairly certain they don't even trust themselves and simply calculate and spread risks as they see fit. Regarding your Munich example, the most significant factors for the outcome of that debacle were at one end incompetent people backed by powerless competent people and on the other end Microsoft with millions of lobby money backed by a powerful state actor. Both can easily be regarded as both a risk and opportunity for state security. Your closing statement is of course indisputable, nevertheless we should not forget that despite the fact that times change; old adagia such as "Something you have, something you are, something you know" are not only easily understood by everyone but we are also getting there with for example the advent of cheap FIDO2 keys, fairly invisible network access control & encryption at device enrollment, infrared cameras, privacy respecting / agnostic AI driven real-time analytics & heuristics at scale and so on. In other words, we are slowly getting there but not due to things such as "having a BundesMessenger" unless its weaknesses contribute to the drive for improvement ~ including replacing American cloud services ~ ; something its open source nature definitely does.
> [The] Munich example, the most significant factors for the outcome of that debacle were at one end incompetent people backed by powerless competent people and on the other end Microsoft with millions of lobby money backed by a powerful state actor.

How is that different when it comes to Matrix/Elements vs proprietary apps? Maybe this time there's not so much lobbying and more "user just choosing a different communication channel" than they are told to use (as its UX is so much worse).

> the Russians (Telegram, prolly not)

I wouldn't call it a "Russian" system. Just consider where Durov currently resides and has his wealth.

The power of any State regarding such things usually works by exercising control & influence over entire networks of people. Not so much by brute (legal) force applied at who or whatever holds the formal power. Quite often, such firms / owners / networks of people don't even fully realize what is going on if at all. Often it's even more than one State trying to achieve the same without it being "visible". TL;DR We don't know shit by just observing media reports & firm/executive behavior. But if you did an actual "Follow the Money" on Durov, I'd love to see it! (Although I do like what he seems to be doing.)
I know someone who works in the digital id space, and the businesses pushing this stuff at the governments are far more interested in their business than your rights. And governments have a habit of slipping in things they find convenient. With some insider insight I'd suggest pushing back very hard against this sort of thing.
This is great "Matrix is the equivalent to SMTP".

Goodbye Microsoft or Slack -specific chat services. Welcome them to compete with their Matrix client-apps.

And hey, we're in the Matrix finally.

Now I'm just waiting for the Matrix app that I don't hate.

And for that matter, the SMTP app that I don't hate.

@Hamuko I have been on matrix several years, and lately I've been really liking Schildi Chat [https://schildi.chat]. Also, many other users that I know really like Fluffy Chat [https://fluffychat.im/]. In any case, there are several more options nowadays.
There are really no options outside of Element, unless you're a Linux user - then maybe you have a few ones.

All alternative clients on iOS, macOS, and arguably Windows are an absolute clusterfuck of UI/UX, broken features, and varying stages of completion. I say this as someone who wants Matrix to work: people need to demand more from client apps, and client apps need to stop being okay with barely hitting the bar.

Element also needs to set the bar, which I frankly don't think it currently does - but that's supposedly being rewritten, so I'm hopeful for what they produce.

Interesting. I actually have never tried any clients on macOS or iOS. I don't have Apple products. On Windows I only use web Element. I don't disagree that it's early days for all clients, and they all could use improvement. But, Element does offer an Electron app, which would run equally on all platforms (if I recall correctly). Now, I myself am not a fan of Electron apps. But that would at least provide a consistent experience across different platforms. Regardless, I find myself quite hopeful on all this. There's no shortage of clients who I hope all improve over time. The more that matrix gets popular, the more it attracts devs and UX designers whose ideas will float all other "boats". ...At least I hope! :-)
Element does run on all platforms, yes - but it's not a well executed application and people often find it confusing.

That said I'm hopeful for the rewrite and I trust they've got the best interests in sight. I just mostly wanted to chime in on the "several more options" because this is unfortunately commonly said but disregards the sheer amount of work it takes to build a modern chat application.

I wonder if Matrix could be used for social media
Yes, I remember there have been early experiments leveraging the matrix protocol for many scenarios including blog platforms and social media... But I don't think it's popular to do so. Most people interested in federated social media tend to use ActivityPub (protocol), and use servers and clients already optimized for such a social media use case on the Fediverse (mastodon is a recent popular software stack, but there are many, many others).
I find really nice that Europe "as a whole" is starting to share the same solutions to the same problems !!!

Remember "Tchap" (https://www.tchap.fr/), the French Gov messenger system based on Matrix ? ;-)

The article mentions it directly.
Tchap is doing great actually :)
Congrats to the folks running the Element project!

I hope this means more development/funding/documentation of the project :)

It does sponsor some development, although we still have a big gap on overall Matrix funding currently (hence trying to drum up additional sponsors and support via https://matrix.org/blog/2022/12/01/funding-matrix-via-the-ma...).
"Matrix is the secure real time alternative to SMTP" I stopped reading there.

I used Element in the past and Matrix is a clusterfuck.

Python server slow, Go server not feature complete. Channels available uninteresting, mostly cryptocurrency. A few porn channels, that's it.

I wish it wasn't so. If anything Matrix is a replacement for IRC, absolutely not email.

Then, I am absolutely NOT installing a Bundes-anything on any of my devices. I can't trust a state that has multiple state Trojans.

we’ll miss you :’(
Where can I find information about how the German government came to this decision? Does this involve contracts to outside companies for development and consulting or will that all be done by the government? If the former, when and where did the bidding process take place? What alternatives were considered? I don't speak German, so I need some help understanding this. Precise links would be appreciated.
What angle is in your question? Matrix is the best choice I could imagine. And the lobbyists of Google, Microsoft and Apple surely had better funding than anyone touching matrix.

If you ask whether a consulting agency earned something between 10 and 100 million on that decision you are most likely right. But I guess overall it was probably the CCC influence on the politics and the population. The club and their members are much more influential than you would expect.

Cute. A secure messenger for the state.

And "Chatkontrolle", i.e. client-side inspection and surveillance of every message, for the unwashed masses.

Especially considering that the most recent arrested terrorists targeted police and military employees as conspirators.

But honestly all much better than the NSA listening into German state traffic. The big fives are not friends just allies.

Using open protocols and open source solutions: great idea.

Letting some random company operate your army's IT infrastructure: what could possibly go wrong?

Random is pretty load bearing here. The BWI GmbH was literally created to operate the army's non-military IT infrastructure.
They also operate military infrastructure, ie operation planning software and battle management systems [1, from the German Wikipedia article].

[1] https://esut.de/2020/05/meldungen/cyber-it/20897/digitales-g...

The infrastructure is managed by Germany's public administration.

The French utilize matrix for military operations as well. This isn’t “some random company”.

The article is pretty explicit in that BWI are not running but packaging a reference software.

And aside how do you think that anywhere in the world software for the army is created. It is called military industrial complex for a reason.

> secure messenger > built on electron

Hmm

Element X is a native app, and will replace Element Desktop for many purposes, fwiw (and will be also adopted by BundesMessenger)
The classic obligation of the state to testify who someone is -empowering citizens- ( by whatever means, including passports ) seems to be silently converted into the obligation of the citizen to prove who they are, taking power from them without their consent and potentially causing future abuse on a scale larger than the 1933 Reichstag fire.
It's really awesome to see the public sector being able to experiment with new technologies to see what works. Rather than a top-down approach imposed on everyone all at once, the trial-and-error approach seems to work better. If it succeeds, then try to scale it up. If it doesn't, then it doesn't bring everyone else down with them.
It's incredibly cool to see New Vector finding revenue streams working with governments and large companies on frontend and integration etc, whilst still maintaining open source, federated software.

It must be a very hard slog to get there whilst also upholding your ideals, so kudos to you!

Very cool. I’ve long thought that global government spend should be more than sufficient to build robust open source solutions.

But it requires some degree of technical expertise on the ground to weave together solutions, instead of just buying the Microsoft package with AD and Office.

Some of these EU governments are authoritarian, will capture captive citizens and intercept communications. In addition to surveillance, the quality of the government services has been often low.
So people who need to chat with German govt entities have to do what now?
That's the advantage of choosing Matrix: it is compatible with a multitude of clients and servers, so take your pick. No need to install the BundesMessenger frontend. No need to trust the government, how very un-German.
Currently the best way is via fax or post
*most convenient. The best option is obviously coming in person, with a ring binder containing all relevant documents as well as written records of all previous communication
Be sure to queue up 2h before opening time of the office you want to visit because everyone else is also dropping by in person too and the office closes for public service at 12:00.
And not to forget: in German :)
Given that the protocol is E2EE, how do they handle data retention / transparency requests? Does each agency centrally store copies of their employees' encryption keys?
Funny you ask this, I remember actually having a discussion about doing this, but for another reason - to avoid users losing their messages because they lost their keys. We ended up not doing it of course, it makes no sense to have e2ee if you're going to bypass it anyway... If you need to be able to access the data I think you should probably force your users to not use e2ee rooms...
Honestly, chat is the equivalent of a person to person regular mouth to ear communication. Some stuff needs to be off record. Which effectively means, nothing in chat and not on a formal document is just coordination. Like it was for centuries.
Did the German language ever have a 'proper' German word for messenger? I seem to recall a computer message was a "nachricht", but I have forgotten so much...
Bundesnachrichtendienst unfortunately was already taken by some weird guys
Awesome.
Nachricht is still the correct term and the verb would be "schreiben" (to write).

In a sentence: Ich schreibe dir später auf WhatsApp (I will text you on WhatsApp later)

"Real time collaboration systems such as Microsoft Teams, Slack, Mattermost, Wire, Threema, WhatsApp and Signal are currently all closed proprietary systems - meaning they are walled gardens whereby all parties have to use the same vendor."

Signal is in this list. Isn't this false? The server and clients are here: https://github.com/signalapp

Signal is (as far as I know) single-vendor, which they are confusingly calling “closed proprietary”
I wrote this sentence. “closed proprietary” here means that it’s not an open standard, and it’s not an open network you can connect your own clients to, and so it’s vendor-locked, and in the case of Signal there are gaps of years when they don’t release opensource code on the server.
I guess it's a bit debatable. It's more or less open source - apparently there have been long periods when it was closed source (I think when they added cryptocurrency nonsense) and also it's centralised so you have to use their servers.

I would say it's a bit disingenuous to put it in the same list as Teams, Slack and WhatsApp though.

Is this more of a teams app (Slack, Teams) or more of a chat app (Whatsapp, Signal, Messenger)?
Element feels a lot like Slack/Teams/Discord. It has a few distinct features (federation and such), and a few are, as far as I'm aware, missing or "different enough" such as Slack's whole "We'll replace Email, why don't you write your longer documents in here as well"-thing.
Comes with free BundesTrojaner so someone is always reading your messages.

Never feel alone again!

It's indeed a brave new world. With governments getting ever more interested in what you do online, some not quite so mentally stable people have an audience for their mental diarrhea for the first time. If you ever asked yourself the famous "who is supposed to read that", well now somebody is paid to. I hope they do the nice thing and upvote.
Hasn't Element/Matrix been problematic in the past?
It certainly hasn't been w/o growing pains or detractors.

I still occasionally get rooms or spaces borked, and that frequency increases if E2EE is enabled.

The current server implementation is not svelte in the least, but that's a problem that's being solved with new server implementations that are already 90% of the way there (look up Dendrite and Conduit if you haven't heard of them).

getting borked?
The most recent instance I experienced was the GrapheneOS rooms which suddenly just stopped working.

https://grapheneos.social/@GrapheneOS/109510405342409074

To be clear, GrapheneOS was running on much older matrix room versions and the bugs that were causing the issues have (to my understanding) largely been mitigated in the later room versions. Of course it's not ideal it happened, but I wouldn't expect the same set of issues to persist after the upgrade, the mitigation has already existed it's just GrapheneOS (understandably) wanted to avoid the disruption of an upgrade if possible.
That makes sense... I was having trouble with E2EE rooms with my friends back when Element was (regrettably) called Riot, but we also chalked that up to being (somewhat) early adopters. That didn't stop us from migrating to Discord, sadly.

It's why I characterised them as growing pains... I'm sure it'll all work out eventually and I've no doubt it's more stable than it has been.

I wonder where they get their prime numbers...
These guys keep pushing the idea that if it's not federated, it's closed and proprietary. In at least the cases of Signal and Threema that's just not true.
Signal and Threema are proprietary, in that the protocol they speak is vendor-specific and not openly standardised. You are literally locked to that system, and neither of them allow 3rd party clients to connect.

Moreover, Threema's server is closed-source and so completely proprietary - and you could argue that Signal's server is often closed-source too, given years occasionally go by without public code releases.

This is the rationale.

Signal publishes its protocol spec and allows other applications to use it. Not on their network, but again, that's an issue of federation, not openness. The license allows you to modify it, so you could roll out your own implementation. So you are literally not locked into that system and that's not proprietary.

As for Threema, true enough as it's useless without a server. But again, federation isn't a necessary condition for being open.

Signal clients may be open source, but as far as I know the network is very much closed and proprietary.

Correct me if I am wrong, but as far as I understand you can't make any changes to the Signal client, compile it yourself, and connect to the Signal network. You have to use the binaries from the app store.

IIRC you are allowed to get the Signal client from the git master branch and install it yourself, but not sure if that extends to local modifications of the client. They don't want you to distribute binaries however that are connecting to the official Signal network, even if those binaries are the official ones. You are not supposed to find Signal anywhere else than on Google play and the app store.

The server is open source technically, but it's not federated. They have also not published updates in the past for months while deploying them on the server (probably to prevent people from finding out that they were testing some feature).

So, you can't just make your own Signal network? Sounds pretty open if you can and hardly proprietary if the license allows for that.

lol they're reinventing the wheel and calling it "ground-breaking"

Why not use / invest in Mattermost?

[..]Real time collaboration systems such as Microsoft Teams, Slack, Mattermost, Wire, Threema, WhatsApp and Signal are currently all closed proprietary systems - meaning they are walled gardens whereby all parties have to use the same vendor. That’s impractical, creates vendor lock-in and stifles innovation. There’s simply no way that a government entity using, say, Microsoft Teams would be able to have secure real time communication with another government entity using, for example, Slack, Mattermost or Wire.[..]

Perhaps you could provide some initial arguments why they should?

Mattermost is great, but it's not decentralised, it doesn't federate, it's not end-to-end encrypted, it's not based on an open standard, it's vendor-locked to Mattermost, only has one usable client implementation, and is rather aggressively open core (unlike the BundesMessenger distribution which is entirely apache-licensed FOSS). I'm also not sure whether deployments easily scale up to million+ users like a big Matrix deployment can.

It's worth noting that if Mattermost adopted Matrix, like Rocket.Chat has[1][2], the vast majority of these limitations would fall away :)

[1] https://www.rocket.chat/press-releases/rocket-chat-leverages...

[2] https://matrix.org/blog/2022/05/30/welcoming-rocket-chat-to-...

Thank you, explains everything!

I thought it was completely open source.

Ah, that's why they did not invest in Mattermost.

Another virtue signal from good ol' Deutschland. Where 75% of the population prefer cash.

"Do what we say, just don't do what we do", as the old adage goes. How painful.

I prefer cash and would at the same time use an encrypted messenger to communicate with the government.

While cards are certainly convenient, they have failed me at very inopportune moments. I’ve also recently witnessed how someone could not book a ticket for a ferry in one of the mostly cashless European states - cash wasn’t an option and they didn’t have a card. This was at the official counter at the harbor.

A few months ago, card terminals of a widely used type failed hard in Germany, only cash payment was possible.

Being able to do some purchases anonymously is also a good thing - even if it’s only my wife’s birthday present.

I prefer a society where cash is an option for all (in-person) transactions. And preserving that requires exercising the use of cash.

Encrypted secure communication with (and within) the government, or my medical provider is entirely orthogonal to that.

I am not a young person anymore & card payments have almost never failed for me (unless it was for a specific/resolvable reason).

> A few months ago, card terminals of a widely used type failed hard in Germany, only cash payment was possible.

This exactly is part of my point.

> or my medical provider is entirely orthogonal to that.

I prefer a medical provider that does a good job & shares my data, rather than incompetent medical staff that adhere to privacy policies. I expect my doctor to be a good doctor, not a good data policy keeper.

I have had cards expire and the new cards sent to an outdated address, and when that was discovered, the bank blocked all cards since they could have fallen into the wrong hands. I happened to be traveling at that time. I’ve had cards be blocked due to random fluctuations in the usage pattern. Calling usually helps to resolve this, though it usually takes time. I’ve had an ATM eat my card and not return it. I have entered the wrong PIN one time too many. I’ve had my bank replay all transactions from the beginning of the month twice, debiting the rent and all payments twice, and overdrawing my account, blocking my cards. Shit happens. Cash was always an option to solve this.

> > A few months ago, card terminals of a widely used type failed hard in Germany, only cash payment was possible.

> This exactly is part of my point.

I don’t understand how this is part of your point. It was a bug that required exchanging the terminals - either some kind of hardware or a borked software update that left the terminals unable to function. Shit happens, in hardware, too. It’s not like other countries are magically exempt from failures of their digital infrastructure.

You're completely missing the point I'm making.

Other countries aren't exempt, but other countries also don't write case studies on how everyone else should operate.

It's absolutely baffling to me that Germany touts a more secure messenger, but can't get card payments working seamlessly / consistently. To your point, I was visiting there earlier this year & card payments were completely offline for 2 - 3 days.

But sure, roll out a more secure messenger.

Yes, the broken terminals happened earlier this year. You were unlucky.

I don’t get your point about “writing case studies how everyone else should operate.” - where does Germany write case studies about how payment systems in other countries should operate?

And for some things you still need to send a Fax... oh my!!! a FAX in 2022! Amuse yourself: https://www.youtube.com/watch?v=Tz_amU-6EQI

ROFL!!