|
|
@ -0,0 +1,52 @@ |
|
|
|
--- |
|
|
|
title: Paper Passwords, Patent Trolls, and Progress - The Road to ID Austria |
|
|
|
tags: [ID Austria,Austria, Österreich, NEOS, SPÖ, ÖVP, 2025, Koalition, Wahlen, Bundestrojaner, Handy-Signatur, Bürgerkarte, Digital Identity, E-Government, Privacy, Cybersecurity, Austria Tech, Digital Transformation, Public Sector IT, A-Trust, UX Fails, European Digital Identity] |
|
|
|
thumbnail: thumbnail.png |
|
|
|
featured_image: thumbnail.png |
|
|
|
|
|
|
|
--- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Austria’s journey toward digital identification has been anything but smooth. From ambitious plans to questionable implementations and some embarrassing slip-ups, let's take a brief, somewhat skeptical look at how we ended up with ID Austria. |
|
|
|
|
|
|
|
{% asset_img thumbnail.png ID-Austria / Handysignatur Österreich%} |
|
|
|
|
|
|
|
## [2003] Bürgerkarte |
|
|
|
|
|
|
|
Back in 2003, Austria first dipped its toes into digital identities with the [Bürgerkarte](https://web.archive.org/web/20200919060831/https://www.oesterreich.gv.at/lexicon/B/Seite.991525.html), an electronic ID stored on smart cards. On paper, it was a clever concept that promised secure online authentication, electronic signatures, and the digital handling of legal matters. No more queues at government offices, at least in theory. |
|
|
|
|
|
|
|
Instead of creating a whole new physical ID, the Bürgerkarte was designed as a flexible concept. It could live on existing smart cards like the national [e-card](https://www.chipkarte.at/cdscontent/?contentid=10007.678532&portal=ecardportal), bank cards, or special signature cards issued by trusted authorities such as A-Trust. The plan was simple enough: embed a cryptographic private key directly onto the card, protect it with a personal PIN, and let citizens finally move their bureaucracy online. |
|
|
|
|
|
|
|
In practice, though, things quickly got messy. To actually use the Bürgerkarte, you needed a dedicated smartcard reader, specialized software called a [Bürgerkartenumgebung (BKU)](https://de.wikipedia.org/wiki/B%C3%BCrgerkartenumgebung), and a web browser that could talk to the system through a standardized Security Layer protocol. Much of this software ran on Java applets, which meant setup often involved wrestling with installation errors, browser compatibility issues, and the kind of cryptic error messages only an IT helpdesk could love. |
|
|
|
|
|
|
|
Security-wise, the Bürgerkarte was surprisingly solid. The private key never left the card, and all sensitive operations happened directly on the chip. But convincing the public to trust a complicated system they barely understood? Not so easy. Especially not when [vulnerabilities were found in Austria’s E-Voting pilot project](https://web.archive.org/web/20090522133700/https://papierwahl.at/2009/05/18/weitere-fehler-im-e-voting-system-gefunden/), further fueling skepticism toward anything digital coming out of the government. |
|
|
|
|
|
|
|
{% asset_img ablauf-buergercard.png Usage of the Buergercard %} |
|
|
|
|
|
|
|
*How to use / "Ablauf einer E-Government Sitzung" from the [official Instructions](https://rechtsprobleme.at/doks/burgerkarte-gerstbach.pdf)* |
|
|
|
|
|
|
|
|
|
|
|
Despite its strong technical foundations, the Bürgerkarte never caught on with the wider public. It found its niche among tech enthusiasts, public employees, and a few brave early adopters willing to jump through the hoops. Everyone else quietly waited for something simpler (or never knew abaut it at all, it's still the early 2000s). |
|
|
|
|
|
|
|
Looking back, the Bürgerkarte feels like one of those projects that was technically ahead of its time but practically stuck in the wrong decade. Still, it laid important groundwork for what came later |
|
|
|
|
|
|
|
## [2009] Handy-Signatur |
|
|
|
|
|
|
|
In response, we got the [Handy-Signatur](https://www.a-trust.at/de/produkte/Qualifizierte_Signaturservices/Handy-Signatur/) in 2009, courtesy of A-Trust. No more card readers! Just your mobile phone and SMS-based verification. Practical? Yes. Secure? Surprisingly, also yes, as long as you didn't do everything on the same device. But usability? Let’s just say people weren’t exactly lining up. |
|
|
|
|
|
|
|
Things seemed stable enough until 2015, when a patent dispute added some drama to A-Trust's story. German entrepreneur [Daniel Giersch](https://biographyhost.com/p/daniel-giersch.html) filed a lawsuit against A-Trust, claiming the Handy-Signatur was built on technology covered by his patent without paying any licensing fees. [He demanded €8.5 million in damages](https://www.derstandard.at/story/2000012725987/buergerkarte-klage-aus-deutschland-a-trust-gelassen). A-Trust denied the claims, stating their solution was a completely independent development and promising to handle the case calmly and professionally. The lawsuit created some headlines, but eventually faded without any public resolution or known consequences for the Handy-Signatur. |
|
|
|
|
|
|
|
Then came 2018, bringing along a bizarre security lapse that felt straight out of the analog age. At certain registration points, users signing up for the Handy-Signatur were asked to write their personal passwords down on actual paper forms. Yes, paper forms. Staff would then manually enter these handwritten passwords into the system. Obviously, not the brightest idea from a security or privacy standpoint, but pretty on-character for Austria, given its horrendous bureaucracy. Fortunately, A-Trust quickly clarified that this was definitely not their official policy, advising users to politely decline or choose another registration office instead. While the risk remained low due to the additional phone-based verification step, it was still an embarrassing episode that showed how easily security can slip, even with something as supposedly sophisticated as digital signatures. |
|
|
|
|
|
|
|
Fast forward to 2021, when the COVID-19 pandemic catapulted the Handy-Signatur into popularity. Finally, a digital breakthrough! Thousands activated their digital IDs to access the Green Pass. Just one small hiccup: A-Trust's public directory of certificates unintentionally exposed personal details like names and birthdates. Technically, it was part of the system's design for certificate verification, but most users had no idea their data could be publicly searched. Not a great look for a trust provider. Thankfully, newer implementations dropped this practice and improved transparency significantly. |
|
|
|
|
|
|
|
## [2023] ID-Austria |
|
|
|
|
|
|
|
Today, we have ID Austria, the "next generation" digital ID. Introduced in 2023, it offers great new features like digital driver’s licenses and eIDs, conveniently scattered across multiple apps because, of course, simplicity would have been too easy. As anyone who’s had the pleasure of dealing with the Digitales Amt and Digitale Ausweise apps knows, UX clearly wasn’t priority number one. |
|
|
|
|
|
|
|
That being said, ID Austria has come a long way. It’s fast, relatively smooth to use once set up, and finally feels like a somewhat modern solution for a digital society. Sure, there were (and still are) growing pains, but honestly, it’s impressive how far things have come considering where we started. |
|
|
|
|
|
|
|
And hey, at least we keep things entertaining. Would'nt be Austria, right? |
|
|
|
|
|
|
|
|
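Review bot: The 2018 paper-form password paragraph and the 2021 certificate-directory paragraph under "[2009] Handy-Signatur" describe security incidents and A-Trust's response without any source link, while the E-Voting and patent-lawsuit claims elsewhere in the post are linked. Please add references for both, since these are the claims a reader is most likely to want to verify. The 2021 paragraph also says the directory "unintentionally exposed" personal details and then that this was "part of the system's design for certificate verification"; settle on one framing, for example that publication was by design but unexpected to users. Smaller points: "abaut" should be "about", "Would'nt" should be "Wouldn't", the sentence ending "what came later" is missing its period, and the heading "## [2023] ID-Austria" uses a hyphen where the title and body use "ID Austria".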