In June 2021 the European Commission launched a reform of the 2014 eIDAS Regulation to overhaul Europe’s framework for electronic identity (eID) systems. This ambitious reform tries to create a counterbalance to the widespread login systems of Google, Facebook and Apple, as well as to provide widely-adopted eID systems for eGovernment and eCommerce applications to the population. Under this new draft Regulation member states would be obliged to offer software called “European Digital Identity Wallets” (Wallet App) that allows for the online and offline identification of citizens and residents, as well as allowing them to attest attributes like age, driving licenses or student IDs. The draft Regulation tries to ensure the proliferation of this new European Digital Identity Wallet by forcing Very Large Online Platforms like Facebook and Google to support this European Wallet as a means to log in to their services. Similarly, member states are obliged to use this system for the identification of citizens when offering eGovernment services already under the old 2014 eIDAS Regulation. Smaller internet companies can be forced by the Commission via a delegated act to also support the new Wallet App.
The new eID system based on a Wallet App on our smartphones has to be seen as general-purpose infrastructure to identify citizens and check attributes about them. The identity that is exposed via this system has the highest degree of certainty since it is government issued. The list of attributes this system can hold and verify is open ended. Attributes can be provided by public bodies – for example age, disability status, vaccination status – or private companies and institutions – for example medications, memberships or bonus clubs. The biggest change to the existing 2014 eIDAS Regulation is that this new Wallet App will be open for private companies (called relying parties) to check the identity or any other attributes about their customers or users. There are no regulatory safeguards against abuses of this system for tracking, profiling or targeted advertising. The national eIDAS regulator approves a relying party established in their country – an approval valid throughout the EU – based on an unclear procedure that will be specified via a delegated act after the law is already adopted. As most Big Tech companies have their European headquarters in Ireland, they can be expected to gain unregulated access to this system. What is more, if a relying party misbehaves, there is no possibility for any eIDAS regulator to exclude them from the system.
One of the core functionalities of the Wallet App, to identify a user by exposing their legal name to a third party, is complemented in Article 11a by requiring member states to uniquely identify every person with an alphanumeric string that stays with them for the rest of their lives. This persistent and unique identifier for all European citizens and residents will be shared by the Wallet App with private and public third parties. The user still has to allow for his or her identification with an interaction on the app, but since the user very often is subject to an imbalance of power in situations of identification and this functionality is moreover limited to cases in which identification is required by national or European law, it is doubtful that this consent is freely given. Additionally, it is unclear how the Wallet App can distinguish between cases where identification is legally required and where it is not. These cases can vary between member states, as for example a Hungarian law could mandate identification at demonstrations or an Austrian social media law could require Facebook to identify their users. Generally speaking, Facebook and other companies are expectantly waiting to add such an official unique, lifelong identifier to their users’ identities and will find a way to trick users into doing so. To prevent these unique, lifelong identifiers from massively increasing the data-driven power of Facebook and others, they should not be created in the first place.
Although the Regulation acknowledges “selective disclosures”, which is a standard feature of modern identity solutions that would for example allow age verification without exposing the individual’s name and date of birth, under the Commission’s plan all verification of attributes must happen after the user has been authenticated with a trackable identifier to the relying party. That defeats the purpose of selective disclosures as a privacy preserving feature. Both Vice President Vestager and Commissioner Breton have argued that users should decide what they share via their Wallet App. It is hard to reconcile this claim with the lack of essential safeguards in the Commission’s proposal.
The eIDAS Wallet App is likely to become widely used in the coming years as the COVID-19 pandemic has led to an increase in eGovernment services. Big online platforms will be mandated by the regulation to support the Wallet App and many businesses will have an incentive to rely on the Wallet App for speed and efficiency gains when dealing with customers or users. Rollout towards the population could be fast, as can be seen in Austria, where a precursor of the eIDAS Wallet App, called “ID Austria”, is handed out with every new passport or ID card unless the citizen explicitly chooses to opt out. Given this openness for authentication, identification and attestation of attributes in a variety of contexts, the observability of all these transactions becomes a problem. Such behavioral data on user interactions has to be retained by the provider of the Wallet App in certain circumstances, although it needs to be stored separately from other user data. It is vital from a privacy perspective that the design of the system prevents any central entity from knowing how and where the Wallet App is used. Such unobservable standards exist and would be far less invasive than the model the Commission is proposing.
A full risk assessment of this proposal is almost impossible, because on 28 occasions within the Regulation the Commission is empowered to issue statutory instruments. These 28 implementing and delegated acts will only be known months after the law is adopted and will decide crucial questions like procedures to accept new relying parties into the system, certify the security of the Wallet App and which smaller online services might be forced to support the Wallet App. Similar to the Commission’s proposal for an EU Covid-19 Digital Certificate, it is now the job of Parliament and Council to clarify the legal text and include the safeguards and design principles that are missing. This has to include a requirement for the technical architecture of the Wallet App to operate on a zero-knowledge and unlinkability paradigm, which prevents by design any centralised observation of user behavior.
These are only some of the problems that our recent policy analysis of the eIDAS proposal has identified. In the full paper we also explain how the proposal could break web security by forcing government access to the security systems of web browsers, which would have devastating consequences. The last blind spot worth mentioning is that this Regulation assumes that everybody in the EU has a smartphone with adequate security to operate the Wallet App safely. Since this is not true, particularly for low-income households, they might find themselves paying more to use eGovernment services or, even worse, become victims of identity theft.
The Industry Committee of the European Parliament will soon hear expert testimony on this dossier and we hope to create awareness for the problems raised in our paper. It will be up to the European Parliamentarians and the member states represented in the Council of the EU to enshrine proper safeguards so that the European Digital Identity Wallet becomes a tool deserving of citizens’ trust.