eIDAS: Building Trust or Invading Privacy?
Since June 2021, we have closely followed the reform of the eIDAS regulation, providing numerous inputs to legislators. In February 2024, the EU Parliament adopted the eIDAS regulation, creating the framework for a "European Digital Identity Wallet". This digital Wallet will enable citizens to identify themselves in a legally binding manner, both online and offline, sign documents, login into websites and share personal data about them with others. Recently, the European Commission published the Architectural Reference Framework (ARF) 1.4 for the technical implementation of the Wallet.
The success of the EU Digital Identity Wallet depends on its ability to gain citizens' trust and establish a resilient infrastructure in our current data-driven economy. However, after our analysis, we believe that this goal has been missed. We see severe shortcomings in the ARF that either contradict the regulation or ignore important elements of it. These issues, if left unaddressed, could significantly undermine user rights and privacy. Therefore we urge the European Commission to resolve these critical concerns:
Alleged Pseudonymity
One of the fundamental aspects of user privacy is the ability to use pseudonyms. The eIDAS regulation gives users the right to use pseudonyms instead of their real identities in situations where they are not legally required to disclose their true identity. However, the ARF introduces the concept of a "Pseudonym Provider," which is not mentioned in the regulation. This provider could potentially link pseudonyms back to the user's real identity. The proposed implementation even allows law enforcement to retroactively re-identify pseudonyms with their legal identity. That not only undermines the purpose of pseudonymity but creates a risk of mass surveillance. Crucially, this backdoor for surveillance is not found in the eIDAS regulation and the document detailing it had to be leaked to us.
Relying Party Information Requests
According to the eIDAS regulation, relying parties must register and specify the types of information they intend to request from users. This is to prevent excessive data requests and protect users' privacy. However, the ARF does not enforce this requirement adequately. It allows relying parties to ask for information that is not listed in their registration. This oversight leaves users vulnerable to unauthorized data requests and erodes trust in the digital identity system. For example, we could be asked for sensitive health information when using the Wallet in the supermarket or for public transport.
No Cancelled Transactions in History
The ARF fails to include cancelled transactions in the user's transaction history. According to Article 5a(4)(d)(i) of the regulation, the transaction history should include "all data exchanged," which would logically encompass cancelled transactions. By omitting these, users are denied a complete record of their interactions, which is essential for transparency and accountability. The information requests a user refuses might be the most sensitive ones.
No Standardised Deletion Requests or Complaints
The regulation prescribes a mandatory functionality in the EU Digital Identity Wallet that enables users to request the deletion of their data from relying parties. The ARF does not adequately specify this functionality, leaving its implementation to national authorities without ensuring a standardised, cross-border process. This lack of standardisation could lead to inconsistent protection of user rights across different EU countries and make it difficult for users to exercise their rights effectively.
No Unobservability & Unlinkability Measures
Unobservability is a crucial privacy principle that ensures wallet providers do not track or monitor user activities beyond what is necessary for the service. The ARF makes no mention of this requirement, potentially allowing providers to collect and misuse data about how users interact with the Wallet. This omission is a significant privacy risk and contradicts the regulation's intent to protect user data.
The same issue applies on unlinkability. The regulation requires that the wallet supports technologies preventing transactions from being linked back to the user. The current ARF does not meet this standard, as it relies on technologies that do not provide adequate unlinkability guarantees. This failure undermines user privacy and does not align with the regulation's requirements.
Surveillance Risks Introduced by ARF
Disturbingly, the ARF seems to introduce elements of surveillance on its own initiative. The concept of a Pseudonym Provider, which can link pseudonyms to real identities, is one such example. This addition is not prescribed by the regulation and represents an unnecessary and dangerous expansion of surveillance capabilities. It poses a significant threat to user privacy and runs counter to the goals of the eIDAS regulation to establish a trusted environment.
What needs to be changed?
To align the ARF with the eIDAS regulation and ensure robust user privacy, we at Epicenter.works recommend the following changes:
-
Remove the concept of the Pseudonym Provider and ensure pseudonyms are generated and stored locally without the possibility of linking back to real identities.
-
Enforce strict requirements for relying party registration to prevent unauthorized information requests.
-
Include cancelled transactions in the transaction history to provide a complete record of user interactions.
-
Implement a standardized, cross-border process for deletion requests and data protection complaints to ensure consistent user rights protection.
-
Incorporate unobservability measures to prevent wallet providers from tracking user activities.
-
Adopt state-of-the-art privacy-preserving technologies to ensure unlinkability and zero-knowledge proofs.
-
Eliminate any surveillance elements introduced by the ARF that are not prescribed by the regulation.
Conclusion
While the eIDAS ARF 1.4 aims to provide a framework for the European Digital Identity Wallet, it must be revised to comply with the regulation and uphold the highest data protection standards. The current draft introduces unnecessary surveillance elements and compromises user privacy. Only by implementing our crucial recommendations, the Wallet can gain the trust of citizens and establish a secure and privacy-respecting digital identity system in Europe.
Since you're here
… we have a small favour to ask. For articles like this, we analyse legal texts, assess official documents and read T&Cs (really!). We make sure that as many people as possible concern themselves with complicated legal and technical content and understand the enormous effects it has on their lives. We do this with the firm conviction that together we are stronger than all lobbyists, powerful decision makers and corporations. For all of this we need your support. Help us be a strong voice for civil society!
Become a supporter now!