Ensuring the safety of gender registration

Cryptography enables data protection-compliant solution for official data synchronisation

2024/10/25

A new study by the Technical University of Darmstadt in cooperation with the University of Kassel sheds light on data protection problems in data comparison between authorities, using the example of the Self-Determination Act. The researchers show that the private intersection calculation can serve as a data protection-compliant solution. In this way, the interests of both citizens and security authorities can be protected. This could be of particular importance with regard to the planned reform of the law on names.

The interdisciplinary analysis by the Cryptography and Privacy Engineering Lab of Professor Thomas Schneider (TU Darmstadt) and the Public Law, IT Law and Environmental Law Group of Professor Gerrit Hornung (University of Kassel) uses the example of the Self-Determination Act (SBGG), which was passed in April 2024, to show the problems that can arise when data is exchanged between authorities. For the first time, the SBGG allows trans*, intersex and non-binary people to change their first name and gender marker through a simple self-declaration, and represents a step towards empowerment. However, a rejected government draft of the SBGG contained a provision on data disclosure which, according to media reports, remains a cause for concern, as it may be revisited in a planned reform of the Name Change Act.

Risks for individuals

The originally planned regulation of the Self-Determination Act (Section 13 (5) of the draft) provided that all changes of civil status entries would be transmitted to a large number of security authorities, from the Federal Criminal Police Office to the Military Counter-Intelligence Service. Specifically, surname, previous and changed first names, date and place of birth, nationality, previous and changed gender entry, address and date of change were to be transmitted. According to the explanatory memorandum to the Act, the purpose of this measure was to ensure that a person could still be traced after changing their gender marker and first name.

The Federal Data Protection Commissioner criticised this from a data protection point of view. Those affected saw the regulation as a general suspicion of people who change their name and gender entry, especially as the data of all such people, including those not even known to the security authorities, was to be passed on. Although such irrelevant data was to be deleted immediately, this is technically difficult and not verifiable. A blanket transfer of data would have entailed enormous risks for those concerned: the collection of sensitive data and its possible misuse was partly associated with historical examples such as the so-called 'pink lists' of the National Socialists, which police authorities continued to use to persecute queer people even after the Second World War. In view of the current rise in queer-hostile criminal offences and fears of data leaks from security agencies, the unprovoked transfer of data between authorities could have endangered the safety of trans*, intersex and non-binary people.

Cryptography enables selective transfer

Security researchers, such as computer science professor Thomas Schneider from the profile topic Cybersecurity and Privacy, recognise the legitimate interest of security authorities in keeping their registers up to date. However, the legislator assumed that secure, selective data transmission was not possible. In doing so, it overlooked a crucial technical solution: 'Private Set Intersection' (PSI). PSI allows reporting data to be exchanged only for records that appear in the databases of both authorities involved, without revealing the non-matching records of either side.

This means that the authorities only receive information about people who are already in their registers, without the data of uninvolved or unknown people being transferred. The study now presented by the researchers from Darmstadt and Kassel recommends testing technical options such as PSI for official data comparisons instead of blanket data transfers. Such techniques ensure data minimisation and serve the interests of the state in a similar way to blanket data transfers, but reduce the risk of discrimination. However, measures for society as a whole, such as education and open discourse, are also necessary to effectively combat discrimination.
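To make the selective exchange described above concrete, here is an added example (not code from the Darmstadt/Kassel study, which recommends PSI as a class of techniques rather than one construction): a one-sided Diffie-Hellman-based PSI between a civil status registry, holding the set of persons whose entries changed, and a security authority, holding its own register. The authority learns only which of its own records appear in the registry's set; the registry learns nothing, and persons unknown to the authority are never revealed. The group is the 2048-bit MODP group of RFC 3526; the record layout, names and dates are constructed for the demonstration.

```python
import hashlib
import secrets

# 2048-bit MODP group from RFC 3526 (group 14): a safe prime p = 2q + 1, so the
# quadratic residues mod p form a subgroup of prime order q (DDH assumed to hold).
P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
Q = (P - 1) // 2


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases; used to sanity-check the group constant."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_safe_prime() -> bool:
    return is_probable_prime(P) and is_probable_prime(Q)


def hash_to_group(record: str) -> int:
    """Map a canonical record string into the order-q subgroup: hash, then square."""
    h = int.from_bytes(hashlib.sha256(record.encode("utf-8")).digest(), "big")
    return pow(h % (P - 1) + 1, 2, P)


class Party:
    """One participant: a record set plus a secret exponent in [1, q-1]."""

    def __init__(self, records):
        self.records = list(records)
        self.key = secrets.randbelow(Q - 1) + 1

    def blind_own(self):
        """H(x)^key for each own record; unlinkable to x without the key."""
        return [pow(hash_to_group(r), self.key, P) for r in self.records]

    def blind_other(self, values):
        """Raise the other side's blinded values to own key, order preserved."""
        return [pow(v, self.key, P) for v in values]


def run_psi(registry_changes, authority_register) -> set:
    """One-sided DH-PSI: returns the authority's records that are also in the
    registry's change set. The registry learns nothing about the register."""
    registry, authority = Party(registry_changes), Party(authority_register)
    # Round 1: both sides send their own blinded sets. The registry shuffles so
    # that the order of its list reveals nothing about which entry is which.
    reg_blinded = registry.blind_own()
    secrets.SystemRandom().shuffle(reg_blinded)
    auth_blinded = authority.blind_own()
    # Round 2: the registry double-blinds the authority's values and returns
    # them in the same order, so the authority can map hits back to its rows.
    auth_double = registry.blind_other(auth_blinded)
    # The authority double-blinds the registry's values locally. Exponentiation
    # commutes, so equal records yield equal H(x)^(ab); nothing else matches.
    reg_double = set(authority.blind_other(reg_blinded))
    return {rec for rec, v in zip(authority.records, auth_double) if v in reg_double}


# Constructed sample data; the matching key is "SURNAME|DATE_OF_BIRTH|BIRTHPLACE".
REGISTRY_CHANGES = [                     # persons who changed their entries
    "MUSTERMANN|1988-03-14|Kassel",
    "BEISPIEL|1975-11-02|Darmstadt",
    "FIKTIV|2001-06-21|Frankfurt",       # unknown to the authority: never revealed
]
AUTHORITY_REGISTER = [                   # the security authority's own register
    "MUSTERMANN|1988-03-14|Kassel",
    "MUSTERFRAU|1995-07-30|Wiesbaden",
    "BEISPIEL|1975-11-02|Darmstadt",
    "PLATZHALTER|1969-02-09|Hamburg",
]

if __name__ == "__main__":
    assert group_is_safe_prime()
    print("authority learns matches:", sorted(run_psi(REGISTRY_CHANGES, AUTHORITY_REGISTER)))
```

What the authority still learns is the size of the registry's change set, and the protocol above only answers "which of my records changed"; shipping the new first name and gender marker for exactly those matches is a separate step, for which PSI variants that attach associated data to each set element exist. The canonical record key must be normalised identically on both sides (case, date format, spelling), since a single differing byte hashes to an unrelated group element and silently misses the match.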

The research was presented on 26 September 2024 by Andreas Brüggemann (TU Darmstadt) and Linda Seyda (University of Kassel) at the workshop 'Law and Technology: Privacy in Discourse' at the Informatik Festival 2024 in Wiesbaden. The study was funded by the German Research Foundation (DFG) as part of the Research Training Group Privacy & Trust and supported by the Collaborative Research Centre CROSSING and the European Research Council through the ERC Starting Grant for the project Privacy-Preserving Services Over the Internet (PSOTI).

Contact:

Andreas Brüggemann
Doctoral researcher, ENCRYPTO research group

brueggemann@encrypto.cs.tu-…

Publication

Linda Seyda, Andreas Brüggemann, Gerrit Hornung, Thomas Schneider. Multi-Party Computation als Instrument zur Umsetzung datenschutzkonformer behördlicher Datenabgleiche: Eine interdisziplinäre Analyse am Beispiel der Diskussionen um das Gesetz zur Selbstbestimmung über den Geschlechtseintrag. In: Recht und Technik: Datenschutz im Diskurs (RuT'24), LNI, GI, Wiesbaden, Germany, September 26, 2024