The foundations for a Europe-wide digital identity system are about to be laid. Will Europe get it right and lead on this important topic? Will the EU set a global standard for the protection of sensitive user information and digital identities? Unfortunately, in contrast to early promises, privacy groups had to issue a strong warning in December last year about the unprecedented risks and shortcomings of the new European digital identity system. This was because the member states, in the position adopted by the Council of the European Union, failed to protect the sensitive health, financial and identity data of all European citizens. The Council’s proposal would make it impossible for anyone to use the digital ID safely.
There is Still Hope
There is however still hope for an inclusive, safe and secure digital ID system, and it lies with the European Parliament. To protect fundamental rights, the Parliament has to maintain its strong stance on the privacy safeguards in the regulation that civil society and academics have long called for. To emphasise the potentially huge negative impact of a digital ID done the wrong way, and thus the importance of these safeguards, 39 NGOs, academics and independent experts from all over the world have written an open letter to Members of the European Parliament. In it they call on the EU to assume its responsibility for the proper protection of some of the most sensitive data of all Europeans.
Real Choice & Data Safety
First of all, every potential user must have a real choice about whether or not to use the new digital ID. Without strong non-discrimination protections in the law, those who don’t want or aren’t able to use it will be left out. Nobody should be at a disadvantage just because they don’t have a smartphone, for example. Those who choose to use the new ID, on the other hand, should be able to rest assured that nobody, neither governments nor private enterprises, can observe which services they use or what information they share through it.
Privacy by Design
The NGOs and experts therefore call on MEPs to respect the principles of privacy by design and by default. Under these principles it must be technically impossible for companies or authorities to observe when and where any person uses their ID, or what other information it contains, e.g. about their financial or educational life. Otherwise the new ID risks becoming an unprecedented panopticon of every citizen’s highly sensitive data. A good example for the EU to follow here is the EU Digital COVID Certificate. This well-crafted service includes the privacy safeguards needed to keep its users’ behaviour from being observed by anyone.
You don’t want Big Tech and governments to track everything you do with your new ID? Neither do we. This is why, besides and because of privacy by design, the new European Digital Identity Wallet must strictly prohibit the creation of a persistent, unique identifier for every user: an identifier that stays the same across services lets those services correlate everything a person does with the ID. Besides undermining privacy in very sensitive areas of daily life, such a universal identifier would raise severe constitutional concerns in several EU countries. Only without this threat can the new ID become a secure and privacy-friendly alternative to the dominant log-in services of Big Tech companies for multiple websites.
Access Regulation & Web Safety
To prevent excessive data collection by companies or government entities, the Parliament must also stand up for strict regulation of use cases and authorisation mechanisms, i.e. rules on who may ask an individual to provide what information from their ID wallet. Lawful requests are not the only concern, however: this massive collection of identity, financial and health information also needs sufficient protection against attacks, and there must be effective redress mechanisms for handling fraud complaints.
The organisations and experts also warn against the high security risks of Qualified Website Authentication Certificates (QWACs). These certificates have already failed once before, would enable large-scale government surveillance of internet traffic, and undermine the security architecture of the global world wide web.
It Can Be Done
The European Digital COVID Certificate shows that a privacy-friendly proof of personal attributes such as age is possible, and civil society has made crystal clear what a European digital ID system needs in order to properly protect the highly sensitive user data it contains. We therefore urge the European Parliament to settle for nothing less than a digital identity of which every European knows their personal data will not be misused, so that they can genuinely embrace it as a safe and secure part of modern digital life.
Agreement in ITRE Committee
Meanwhile, on 1 February, the lead ITRE committee reached a compromise on the big EU digital identity reform (the #eIDAS regulation). Here is our hot take on the compromise agreement that will be put to a vote on 9 February.
✅ Discrimination protections are strong and cover public and private services. No natural person may be worse off for not using the digital identity, including in the labour market and the commercial sphere.
✅ The European Digital Identity (EUID) Wallet has to be open source.
✅ Governments and attribute providers are prevented by technical means from observing concrete user behaviour. This provision was an exclusive competence of the LIBE committee.
❓ However, a privacy dashboard is to contain all user transactions, and with explicit consent there can be cloud backups. A complete transaction log is itself a record of the user’s behaviour, and a backup copies that record off the device.
✅ Relying parties must register their use cases & identify before being allowed to ask users for info via the wallet. The list of relying parties is public.
❌ Those registrations only need to be approved ex ante when the relying party asks for special categories of data (e.g. health).
✅ Intermediaries that stand between users and relying parties shall not obtain knowledge about the contents of the transaction.
❌ No technical assurance that relying parties can’t go beyond their registered use case.
✅ Users can complain about overreaching information requests. Data minimisation is explicitly mentioned.
❌ Complaints ONLY go to the national authority of the relying party’s member state.
✅ Users have a right to pseudonymity in cases where identification is not mandated by law.
✅ Users have the right to data portability between wallets. But wallets need to be issued on behalf of a member state.
✅ Unique identifiers are no longer persistent, also in the PID (person identification data) minimum data set. That is a huge win!
✅ Unique identifiers are limited to cross-border cases for public services that have a legal KYC (know-your-customer) requirement.
❌ They can also be sector-specific instead of only relying-party-specific, so every relying party within a sector can link a user’s transactions to the same identifier.
❓ E-government services and Very Large Online Platforms (Google, Facebook, …) are obliged to support the wallet.
✅ Only companies with legal KYC requirements are forced to use the wallet; identification demanded merely by terms of service no longer counts. SMEs will be under a self-regulatory regime, but that is no longer binding.
✅ Zero knowledge proof & selective disclosure are core functions of the wallet.
❌ Nothing besides the principle of data minimisation obliges relying parties to use these privacy-friendly methods instead of asking for full dates of birth, addresses, etc.
❌ QWACs are still in the text, and every web browser must include the qualified trust service providers (TSPs) in its root CA store. A root certificate that browsers are not allowed to refuse can be used to issue certificates for any domain, which enables interception of web traffic and mass surveillance.
❓ Browsers may exclude individual certificates in cases of substantiated breaches of security or privacy. That is not sufficient!
✅ Articles giving legal effect to distributed ledgers (blockchain) have been removed.
✅ Minimum penalties for infringements by TSPs are 7 to 10 million or a percentage of global annual turnover.
❌ Some penalties can be set freely by member states; those will be disproportionate and not dissuasive.
✅ A European Digital Identity Framework Board will help with harmonised enforcement.
❌ Regulators don’t have to be independent agencies.
❌ Their mandate is unclear. Not enough lessons are drawn from the failures of GDPR enforcement. The “Irish problem” is not resolved.
❓ Security hinges strongly on certifications. Government-issued wallets are certified by other branches of the same government. If there ever is a breach, the damage will be enormous. We’re sure many will try. Privacy breaches oblige the wallet to be taken out of service.
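To make the technical side of the points on selective disclosure, registered use cases and non-persistent identifiers concrete, here is an added example. It is not part of the original post and not code from any EUDI wallet implementation. It models a wallet using salted-hash commitments in the style of SD-JWT: the issuer signs only the claim digests, the wallet reveals the salt and value of the claims the user chooses, and the relying party can verify exactly those claims and nothing else. It also shows a wallet-side check of a request against the relying party’s registered use case, and per-scope pseudonyms that illustrate why a relying-party-specific identifier is unlinkable while a sector-wide one is not. The issuer key, the wallet secret, the relying-party registry entry and the claim values are all constructed for the example; the issuer’s signature is modelled with an HMAC purely to avoid dependencies, whereas a real issuer would use a public-key signature so that verifiers hold no secret.

```python
import hashlib
import hmac
import json
import secrets

# Constructed keys for the example only. ISSUER_KEY stands in for the issuer's
# signing key (a real issuer signs with a public-key scheme); WALLET_SECRET is
# the per-wallet secret from which pseudonyms are derived.
ISSUER_KEY = b"example-issuer-key-not-for-production"
WALLET_SECRET = b"example-wallet-secret-not-for-production"

# Constructed relying-party registry entry (hypothetical format): the
# attributes the relying party declared when it registered its use case.
RP_REGISTRY = {
    "shop.example": {"use_case": "age-restricted sale", "allowed": {"age_over_18"}},
}


def _claim_digest(salt: str, name: str, value) -> str:
    """Salted hash of one claim. The random salt stops a verifier from
    recovering low-entropy undisclosed values (a birthdate, a postcode) by
    hashing guesses and comparing against the signed digests."""
    encoded = json.dumps([salt, name, value], separators=(",", ":"))
    return hashlib.sha256(encoded.encode()).hexdigest()


def _sign(digests: list, issuer_key: bytes) -> str:
    payload = json.dumps(digests, separators=(",", ":")).encode()
    return hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()


def issue_credential(claims: dict, issuer_key: bytes = ISSUER_KEY):
    """Issuer side: sign only the sorted list of claim digests. Returns the
    signed credential plus the per-claim (salt, value) pairs the wallet keeps."""
    disclosures = {name: (secrets.token_hex(16), value) for name, value in claims.items()}
    digests = sorted(_claim_digest(salt, name, value)
                     for name, (salt, value) in disclosures.items())
    credential = {"digests": digests, "sig": _sign(digests, issuer_key)}
    return credential, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Wallet side: attach only the disclosures the user chose to reveal."""
    return {"credential": credential,
            "disclosures": [[disclosures[n][0], n, disclosures[n][1]] for n in reveal]}


def verify_presentation(presentation: dict, issuer_key: bytes = ISSUER_KEY) -> dict:
    """Relying-party side: check the issuer signature over the digests, then
    check that every revealed claim hashes to one of the signed digests.
    Returns the revealed claims; raises ValueError on any tampering."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_sign(cred["digests"], issuer_key), cred["sig"]):
        raise ValueError("issuer signature does not match")
    signed = set(cred["digests"])
    revealed = {}
    for salt, name, value in presentation["disclosures"]:
        if _claim_digest(salt, name, value) not in signed:
            raise ValueError(f"claim {name!r} is not covered by the issuer signature")
        revealed[name] = value
    return revealed


def check_request(rp_id: str, requested: list, registry: dict = RP_REGISTRY) -> set:
    """Wallet-side enforcement of the registered use case: returns the set of
    requested attributes the relying party is NOT registered for (empty set
    means the request stays within its registration). Unknown RPs get nothing."""
    entry = registry.get(rp_id)
    if entry is None:
        return set(requested)
    return set(requested) - entry["allowed"]


def pairwise_id(wallet_secret: bytes, scope: str) -> str:
    """Pseudonym bound to a scope. With scope = relying party, two relying
    parties receive unlinkable identifiers; with scope = sector, every relying
    party in that sector receives the same one and can link the user."""
    return hmac.new(wallet_secret, scope.encode(), hashlib.sha256).hexdigest()[:32]


def demo() -> dict:
    # Constructed claims for a fictional holder.
    claims = {"given_name": "Alice", "family_name": "Example", "birthdate": "1990-04-12",
              "age_over_18": True, "address": "Example Street 1, 1010 Wien"}
    credential, disclosures = issue_credential(claims)
    rp = "shop.example"
    requested = ["age_over_18", "birthdate"]       # the shop asks for more than it needs
    overreach = check_request(rp, requested)       # {'birthdate'} is outside its registration
    allowed = [a for a in requested if a not in overreach]
    revealed = verify_presentation(present(credential, disclosures, allowed))
    return {"overreach": overreach, "revealed": revealed,
            "pseudonym_shop": pairwise_id(WALLET_SECRET, rp),
            "pseudonym_bank": pairwise_id(WALLET_SECRET, "bank.example")}


if __name__ == "__main__":
    print(json.dumps({k: sorted(v) if isinstance(v, set) else v for k, v in demo().items()}, indent=2))
```

The relying party in `demo()` ends up with `{"age_over_18": True}` and nothing else, even though the credential also carries the birthdate and address; changing a revealed value or the signature makes `verify_presentation` raise. The two pseudonyms differ, which is the relying-party-specific behaviour the text asks for; deriving them from a sector name instead would give every relying party in that sector the same value.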
Once this compromise passes ITRE, the plenary will vote in March. We hope some of these points can be addressed with amendments. There is still room for improvement before the trilogue begins later this year.