We analysed the new technical framework for the European Digital Identity Wallet, revealing severe shortcomings that threaten user privacy and contradict the regulation's intent.

Since June 2021, we have closely followed the reform of the eIDAS regulation, providing numerous inputs to legislators. In February 2024, the EU Parliament adopted the revised eIDAS regulation, creating the framework for a "European Digital Identity Wallet". This digital Wallet will enable citizens to identify themselves in a legally binding manner, both online and offline, sign documents, log in to websites and share personal data with others. Recently, the European Commission published the Architectural Reference Framework (ARF) 1.4 for the technical implementation of the Wallet.

The success of the EU Digital Identity Wallet depends on its ability to gain citizens' trust and establish a resilient infrastructure in our current data-driven economy. However, after our analysis, we believe that this goal has been missed. We see severe shortcomings in the ARF that either contradict the regulation or ignore important elements of it. These issues, if left unaddressed, could significantly undermine user rights and privacy. Therefore we urge the European Commission to resolve these critical concerns:

Alleged Pseudonymity

One of the fundamental aspects of user privacy is the ability to use pseudonyms. The eIDAS regulation gives users the right to use pseudonyms instead of their real identities in situations where they are not legally required to disclose their true identity. However, the ARF introduces the concept of a "Pseudonym Provider," which is not mentioned in the regulation. Such a provider could link pseudonyms back to the user's real identity. The proposed implementation even allows law enforcement to retroactively re-identify the holder of a pseudonym, linking it to their legal identity. That not only undermines the purpose of pseudonymity but creates a risk of mass surveillance. Crucially, this backdoor for surveillance is not found in the eIDAS regulation, and the document detailing it had to be leaked to us.

Relying Party Information Requests

According to the eIDAS regulation, relying parties must register and specify the types of information they intend to request from users. This is to prevent excessive data requests and protect users' privacy. However, the ARF does not enforce this requirement adequately. It allows relying parties to ask for information that is not listed in their registration. This oversight leaves users vulnerable to unauthorized data requests and erodes trust in the digital identity system. For example, we could be asked for sensitive health information when using the Wallet in the supermarket or for public transport.

No Cancelled Transactions in History

The ARF fails to include cancelled transactions in the user's transaction history. According to Article 5a(4)(d)(i) of the regulation, the transaction history should include "all data exchanged," which would logically encompass cancelled transactions. By omitting these, users are denied a complete record of their interactions, which is essential for transparency and accountability. The information requests a user refuses might be the most sensitive ones.
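The two requirements above (requests limited to what a relying party registered, and a history that also records refused and cancelled requests) can be stated as wallet-side logic. The following is an added example written for this article, not code from the ARF, from any wallet implementation or from Epicenter.works; the registry contents, the relying-party names, the attribute names and the "completed/cancelled/rejected" outcomes are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, FrozenSet, List, Set

# Constructed relying-party registry: the attribute types each party registered
# it may request. In practice this would come from the national register.
REGISTRY: Dict[str, Set[str]] = {
    "supermarket.example": {"age_over_18"},
    "transit.example": {"age_over_18", "resident_of_city"},
    "hospital.example": {"given_name", "family_name", "health_insurance_number"},
}


@dataclass(frozen=True)
class HistoryEntry:
    timestamp: str
    rp_id: str
    requested: FrozenSet[str]   # everything the relying party asked for
    disclosed: FrozenSet[str]   # what actually left the wallet (may be empty)
    outcome: str                # "completed", "cancelled" (by user) or "rejected" (by policy)
    reason: str


class Wallet:
    """Minimal wallet-side request handler: policy check, consent, complete history."""

    def __init__(self, registry: Dict[str, Set[str]]):
        self.registry = registry
        self.history: List[HistoryEntry] = []

    def _log(self, rp_id: str, requested: Set[str], disclosed: Set[str],
             outcome: str, reason: str) -> HistoryEntry:
        entry = HistoryEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            rp_id=rp_id,
            requested=frozenset(requested),
            disclosed=frozenset(disclosed),
            outcome=outcome,
            reason=reason,
        )
        self.history.append(entry)
        return entry

    def handle_request(self, rp_id: str, requested: Set[str],
                       user_consents: Callable[[str, Set[str]], bool]) -> HistoryEntry:
        registered = self.registry.get(rp_id)
        if registered is None:
            # Unregistered party: refuse before the user is even prompted.
            return self._log(rp_id, requested, set(), "rejected",
                             "relying party not registered")
        excess = requested - registered
        if excess:
            # Registered party asking beyond its registration: refuse the whole
            # request and keep the over-reach in the log as evidence.
            return self._log(rp_id, requested, set(), "rejected",
                             "unregistered attribute types: " + ", ".join(sorted(excess)))
        if not user_consents(rp_id, requested):
            # Cancelled by the user: still logged, including what was asked for.
            return self._log(rp_id, requested, set(), "cancelled", "user declined")
        return self._log(rp_id, requested, requested, "completed", "user consented")


def demo() -> List[HistoryEntry]:
    """Runs four constructed requests and returns the resulting history."""
    wallet = Wallet(REGISTRY)
    always_yes = lambda rp, attrs: True   # stands in for the consent dialog
    always_no = lambda rp, attrs: False
    # Supermarket asks for a health attribute it never registered: rejected by policy.
    wallet.handle_request("supermarket.example",
                          {"age_over_18", "health_insurance_number"}, always_yes)
    # In-scope request the user declines: kept in the history as cancelled.
    wallet.handle_request("transit.example", {"age_over_18"}, always_no)
    # In-scope request the user accepts.
    wallet.handle_request("supermarket.example", {"age_over_18"}, always_yes)
    # Party that is not registered at all.
    wallet.handle_request("unknown.example", {"given_name"}, always_yes)
    return wallet.history


if __name__ == "__main__":
    for e in demo():
        print(e.outcome, e.rp_id, sorted(e.requested), sorted(e.disclosed), "-", e.reason)
```

Two design choices matter here. An over-scoped request is refused as a whole rather than silently trimmed to the registered subset, so the relying party receives nothing and the user sees an explicit refusal instead of a misleading consent prompt. And every branch, including the ones where nothing is disclosed, writes a history entry, because the declined request is often the one the user most wants to be able to prove later.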

No Standardized Deletion Requests or Complaints

The regulation prescribes a mandatory functionality in the EU Digital Identity Wallet that enables users to request the deletion of their data from relying parties. The ARF does not adequately specify this functionality, leaving its implementation to national authorities without ensuring a standardized, cross-border process. This lack of standardization could lead to inconsistent protection of user rights across different EU countries and make it difficult for users to exercise their rights effectively.

No Unobservability & Unlinkability Measures

Unobservability is a crucial privacy principle that ensures wallet providers do not track or monitor user activities beyond what is necessary for the service. The ARF makes no mention of this requirement, potentially allowing providers to collect and misuse data about how users interact with the Wallet. This omission is a significant privacy risk and contradicts the regulation's intent to protect user data.

The same issue applies to unlinkability. The regulation requires that the Wallet supports technologies preventing transactions from being linked back to the user. The current ARF does not meet this standard, as it relies on technologies that do not provide adequate unlinkability guarantees. This failure undermines user privacy and does not align with the regulation's requirements.
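To make the pseudonymity and unlinkability points concrete: a wallet can derive a stable pseudonym per relying party entirely locally, with no Pseudonym Provider and without the real identity ever entering the computation, and two relying parties comparing their records then find nothing in common. Conversely, any value that is byte-for-byte identical in every presentation (a reused issuer signature or credential identifier, for instance) acts as a serial number and links the transactions regardless of how good the pseudonym is. The following is an added example written for this article, not code from the ARF, from any wallet implementation or from Epicenter.works; the HMAC construction, the domain-separation label, the `credential_handle` field and the relying-party names are constructed assumptions, and the ARF's actual credential formats are not modelled.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple


def derive_pseudonym(root_secret: bytes, rp_id: str) -> str:
    """Stable, relying-party-specific pseudonym computed inside the wallet.

    HMAC-SHA256 is used as a pseudorandom function keyed with a secret that
    never leaves the device: the same (secret, rp_id) pair always yields the
    same pseudonym, so the user can return to the same site; different rp_ids
    yield computationally unrelated values; and neither the secret nor any
    identity attribute can be recovered from the output. The label is a
    constructed domain-separation string, not an ARF-defined identifier.
    """
    if len(root_secret) < 32:
        raise ValueError("root secret must be at least 256 bits")
    message = b"local-pseudonym-v1|" + rp_id.encode("utf-8")
    digest = hmac.new(root_secret, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_presentation(root_secret: bytes, rp_id: str,
                       static_handle: Optional[str] = None) -> Dict[str, str]:
    """What the wallet hands to one relying party (constructed, not an ARF format).

    With static_handle=None only the per-party pseudonym is sent. A non-None
    static_handle simulates a value that is identical across presentations,
    such as an issuer signature reused unchanged for every relying party.
    """
    presentation = {"pseudonym": derive_pseudonym(root_secret, rp_id)}
    if static_handle is not None:
        presentation["credential_handle"] = static_handle
    return presentation


def shared_correlators(view_a: Dict[str, str], view_b: Dict[str, str]) -> Set[str]:
    """Fields two relying parties could match exactly if they pooled their records."""
    return {k for k in view_a.keys() & view_b.keys() if view_a[k] == view_b[k]}


def demo() -> Tuple[Set[str], Set[str]]:
    """Returns (correlators with local pseudonyms only, correlators with a reused handle)."""
    root = secrets.token_bytes(32)  # generated and stored only on the device
    a = build_presentation(root, "supermarket.example")
    b = build_presentation(root, "transit.example")
    unlinkable = shared_correlators(a, b)          # expected: empty
    a2 = build_presentation(root, "supermarket.example", static_handle="sig-0001")
    b2 = build_presentation(root, "transit.example", static_handle="sig-0001")
    linkable = shared_correlators(a2, b2)          # expected: {"credential_handle"}
    return unlinkable, linkable


if __name__ == "__main__":
    u, l = demo()
    print("pseudonyms only, shared fields:", sorted(u))
    print("with reused handle, shared fields:", sorted(l))
```

The check in `shared_correlators` is deliberately naive; it only catches values that repeat verbatim. That is enough to show the principle: unlinkability is not a property of the pseudonym alone but of everything the presentation carries, and a format that transmits the same signature or identifier in every session is linkable even when pseudonyms are generated locally.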

Surveillance Risks Introduced by ARF

Disturbingly, the ARF seems to introduce elements of surveillance on its own initiative. The concept of a Pseudonym Provider, which can link pseudonyms to real identities, is one such example. This addition is not prescribed by the regulation and represents an unnecessary and dangerous expansion of surveillance capabilities. It poses a significant threat to user privacy and runs counter to the goals of the eIDAS regulation to establish a trusted environment.

What needs to be changed?

To align the ARF with the eIDAS regulation and ensure robust user privacy, we at Epicenter.works recommend the following changes:

  • Remove the concept of the Pseudonym Provider and ensure pseudonyms are generated and stored locally without the possibility of linking back to real identities.

  • Enforce strict requirements for relying party registration to prevent unauthorized information requests.

  • Include cancelled transactions in the transaction history to provide a complete record of user interactions.

  • Implement a standardized, cross-border process for deletion requests and data protection complaints to ensure consistent user rights protection.

  • Incorporate unobservability measures to prevent wallet providers from tracking user activities.

  • Adopt state-of-the-art privacy-preserving technologies, such as zero-knowledge proofs, to ensure unlinkability.

  • Eliminate any surveillance elements introduced by the ARF that are not prescribed by the regulation.

Conclusion

While the eIDAS ARF 1.4 aims to provide a framework for the European Digital Identity Wallet, it must be revised to comply with the regulation and uphold the highest data protection standards. The current draft introduces unnecessary surveillance elements and compromises user privacy. Only by implementing these recommendations can the Wallet gain the trust of citizens and establish a secure and privacy-respecting digital identity system in Europe.

READ FULL ANALYSIS
