First the U.K., now Germany

While Germany and Europe in general have some of the strictest rules
regarding the use and storage of personally identifiable information,
the last few months have seen rather extreme data security breaches.
Today, the German media is reporting on a new installment of
irresponsible negligence and government incompetence:

According to SPIEGEL ONLINE,
a spokesperson for the software company HSH admitted that the personal
information of more than 500,000 residents of at least 15 cities and
towns was readily available on the internet for at least 3 months [1].
According to an investigative news program (Report aus München),
this problem actually affected more than 200 municipalities for more
than 3 years. The alleged cause for this blunder was rather simple: the
software used by the cities to manage these huge data collections had
at least one default/demo account that was not disabled by the IT staff
of the authorities. These credentials were inadvertently published by
the software maker on their web site and thus available to everyone.

While problems like this can happen, it seems odd that this massive security
breach has not caused a major uproar with the various highly paid
privacy guardians. In fact, there is virtually no report on this
incident in any language but German. One might get the impression that
there is a strong desire with a rather large number of people to keep
this incident on the q.t. and avoid further investigations and public

Germany has (or had?), after the horrible
experiences with two dictatorships and their respective secret police, a
tradition of resistance against data collection and privacy invasion.
The proposed general census of 1983 was stopped by the German Supreme
Court in a decision that laid the foundation of what has recently been
termed “Informationelles Selbstbestimmungsrecht” (right to
informational self-determination).

So far, Germany has not
seen a large number of identity theft cases: until last year, there was
no unique ID in use and most electronic transactions are currently
handled through a European debit card system that is less exposed to a
number of frauds. Also, while the various branches of government had
been busy collecting large amounts of data on German citizens and
residents, there have been only a few federal databases. When talking
to people on the street, I found a growing indifference to the German
government's extended data collection and linking programs. The general
attitude seems to be that “we do not have anything to hide”, and if a
little (or even more than just a little) loss of privacy leads to a few
high profile tax evasion prosecutions, everyone is happy.

Germany has a national ID law that requires citizens to register with
city hall and disclose personally identifiable information such as
names, current and former addresses, religious affiliation, birth date
and place, children, current and former spouses, tax information,
serial numbers of the national ID card and passport, and more. Since
July of last year, this data also includes a tax ID, the German
equivalent of a social security number.

