That's "propaganda" by the ministery, not answering many questions. They only claim that all government administration will become digital, smooth, and much cheaper.

Is it allowed to use the Steuer-ID for non-government purposes?

An enacted law is not "propaganda", it's the law. You can ignore all the fluff around the factual statements if you like.

The number is only intended to be used by government entities. The law restricts usage to census and communication with government entities (as well as already established tax-related use).

The law is not. But the press release you linked just promised bright future without giving any somewhat nuanced information. Mentioning the number of 584 (whatever it was...) authorities might sound like detail. But it it's completely useless for a single citizen. These are authorities all over the country, no citizen will ever interact with most of them. What I wnat to know how far does it reach for a single resident and where are the limits. The press release does not take citizens into account at all, it's just poor, that's why I called it "propaganda".

(At the moment I am citizen, but not a resident so I have no Steuer-ID yet. But a) it might become a resident some day again and b) as a citizen I occasionally have interact with various authorities anyway. So on top of being interested what happens in Germany in general it might affect me personally.)

An increasing number of previosly public administrative functions have been privatized. Does that immediately mean that data exchange stops there?

The number mentioned is of services, not entities supplying them (there are far more as many are rendered on a local level). A typical citizen uses a few dozen of those although often only once a decade or so. The text probably doesn't go into detail as that is part of another set of legislation.

I can't think of a service like the ones on the list that has been privatized. The law as written would not extend to that but who knows what would be enacted in that case.

Anyway, this is all theory so far as they are still in the stage of drawing up a technical architecture.

Which makes it completely useless for applications like credit scoring.

Absolutely. Credit scoring is a shady business and as a person educated in Germany I think shady business should be kept away from government information as much as possible.

A unique identifier is hardly "government information".

In any case, Germany does not have one, yet Schufa (the German credit scoring agency) still exists and still is able to build profiles on everybody living in Germany. So what's the gain?

Data mining operations like them will be able to perform good-enough matching based on fuzzy data like current and previous address; it just makes it more likely for errors to happen due to non-unique names and incorrectly merged or split credit profiles, and makes legitimate requests for your own data more difficult than necessary.

In Germany it is. Nobody else but government offices (federal, state, county, municipal) is allowed to use them. E.g. employers have access to them, but still they are legally required to only use an internal employee number for their internal operations.

Creating one that is shared between private instances would require explicit consent by the citizen to every company to use it according to GDPR. Well, of course Schufa requires consent too, which is not truly a decision a citizen can make. If you don't agree I don't think you'd find any bank opening an account. But I do hope there will such a public outcry if anybody tried to start such surveillance again today, it would fail in the beginning. Like Google Streetview did.

I am not convinced the Schufa score data quality is always very good. (Not living there I cannot request my own one, just a feeling.)

> In Germany it is. Nobody else but government offices (federal, state, county, municipal) is allowed to use them.

That still does not make it "government information". It's a primary key that (currently) may not be used by the industry. But by itself, it does not identify anything or anyone. In that sense, it's even less sensitive than a name; realistically though, if it's widely stored next to the associated name anyway, it's effectively the same as a name in terms of sensitivity.

A credit score is effectively a database shared across the financial industry. As such, it needs some sort of primary key. That can be either be something globally unique, like an SSN or equivalent, or a wonky composite primary key (first_name, last_name, date_of_birth, last_known_address) which will cause lots of false positives and false negatives:

What if you change your name? What if you move? What if there's somebody with the same name born on the same day in the same city? What if the spelling of your city has changed between your birth and your time of requesting a loan/credit card?

You may object to the idea of credit scoring in general, but being ok with credit scoring, yet objecting to the usage of a sane primary key to do it, makes no sense to me.

If a reliable primary key exists, it can easily be misused for many purposes: On the more benign side replace the Android Advertisement ID. On the malign side registering political opinions of citizens.

I don't want to live in such society. Yes, bad things can and have be done before. But making them simpler, cheaper, and more scalable needs to be avoided.

Fuzzy primary keys might have been a deterrent in the past century, but I seriously doubt that they'd stop anyone today from creating detailed user profiles. Not having reliable primary keys is a technical non-solution for a regulatory problem.

The much more effective solution here is to regulate businesses in when they can request/use somebody's primary key and/or other PII, and to simply not allow it in any case where a pseudonymous identifier or partial information (e.g. only somebody's approximate age rather than their full date of birth) would do just as well.

I live in a country where a unique identify number exists (social security number). People that understand something about information security would know that knowledge of a primary key is not authentication. It has not deterred the government or the courts to accept that knowledge of the social security number makes any contract valid. Example: If someone takes a loan with your number, you pay it back. You could argue that's not the fault of they key, that's the fault of the government and the courts. I have seen so much stupidity here that I am convinced that the traditional West German standpoint that a unique identifier violates human dignity makes sense. That Germany forgets their history is a pity.

So your actual objection to SSN-like numbers isn’t that they’re bad for privacy but rather that they’re a poor bearer token authentication mechanism? I think nobody was ever arguing that.

And Germans arguably aren’t “forgetting their history”, they are just regulating to achieve desired outcomes (no government and corporate privacy invasion; strong authentication where necessary), not mechanisms (no unique identifiers).

Times and technology change, so why uphold an old (interpretation of) law that is neither necessary nor sufficient to achieve the desired outcome in the present day?

> A unique identifier is hardly “government information”.

An identifier is issued by the government for legally-specified government uses is government information.

Other identifiers may or may not be, but other identifiers aren’t the issue here.

Overgeneralizing the issue in dispute to obscure relevant context is not productive.