EU Digital Identity Reform: The Good, Bad & Ugly in the eIDAS Regulation
After more than two years of negotiations, the European Union’s big digital identity reform will be concluded this week, on Wednesday 8 November 2023. The so-called “eIDAS regulation” will establish a fully harmonized framework for legally binding identification of people, proving attributes about them, and logging into websites or apps. By 2026, all 27 EU Member States will have to offer their citizens and residents a so-called “European Digital Identity Wallet” (in short: “Wallet”). The big change is that this system will not be limited to eGovernment: the private sector will also be able to ask its customers or visitors for information about themselves. Public eGovernment websites and Big Tech companies like Google, Facebook or Amazon will have to offer the Wallet as a way of logging into their services.
From the first day we were very worried and vocal about this bill and its potential to undermine anonymity online, its abuse scenarios against vulnerable groups of society and the risks of tracking and spying. We published five position papers, gave testimony in two committees of the European Parliament, drafted amendments, were in constant contact with lawmakers from Parliament, Council and Commission, gave public speeches on the law, answered endless media requests and sent three open letters, the last of which was signed by over 400 academics and 30 NGOs. What was it good for? Let’s look at the final text.
A core pillar for protecting freedom of choice and the inclusion of all groups in society is the non-discrimination protection. This goes beyond the voluntary nature of the Wallet that was already enshrined in the original proposal. All four committees of the European Parliament adopted with a huge majority that access to public and private services, access to the labour market and the freedom to conduct business shall not in any way be restricted or made disadvantageous for natural or legal persons not using the Wallet. The final text ensures that everyone who decides not to use the Wallet in any particular situation cannot be made to pay a higher price or be excluded from access to any service or good. This provision was one of our core demands, so as to protect, for instance, people without smartphones and their participation in society (elderly, kids, etc.), people who want to avoid the risks of the Wallet, as well as anyone whose official records don’t align with their real identity (e.g. trans people).
Use Case Regulation
The big change of the eIDAS reform is that the private sector can also use the Wallet to ask customers, users or visitors for their personal information. That information can be issued by the government, like one’s real name, birth date, educational degree, vaccination certificates, public transport tickets or driver’s license, but it can also come from the private sector, as in customer loyalty programs or credit scoring. We have to assume the worst types of surveillance capitalism in this context, and attempts by companies to obtain trusted information about a person that can be really damaging for them to hand over. Being realistic about this risk, we demanded that the information companies can ask from people be restricted.
The current text ensures that all relying parties register in the country they are established in, identify themselves with contact details, provide information about the use case for which they want to use the Wallet and the concrete information they want to ask from the user. The Wallet then limits the information the relying party can ask for to what’s in their registration. If, for example, a liquor store registers for age verification, it can’t ask for any other information that might be in the Wallet, like health information. Furthermore, the list of registered companies, their use cases and the information they intend to request needs to be publicly available online. Whenever a user is asked via the Wallet to hand over information about themselves, they first see the identity of the company that’s asking. The user can then refuse to share some or all of the pieces of information they are asked for. If a relying party misbehaves, the user can revoke consent to them holding the user’s data and can complain to a national regulator. This in turn might lead to the company being kicked off the system (see privacy cockpit and forum-shopping below).
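The registration check described above, as an added example that is not code from the page or from any Wallet implementation: the Wallet compares an incoming request against the relying party’s public registration, drops everything outside the registered scope, shows the user who is asking, and releases only the attributes the user individually consents to. The registry entries, relying-party ids, attribute names and wallet contents are all constructed for the illustration; the choice to offer the in-scope remainder of an over-broad request rather than reject it wholesale is an assumption.

```python
"""Wallet-side enforcement of a relying party's registered scope (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Registration:
    rp_id: str
    name: str
    country: str            # Member State where the relying party registered
    use_case: str
    attributes: FrozenSet[str]  # attributes declared at registration


# Constructed stand-in for the public online list of registered relying parties.
REGISTRY: Dict[str, Registration] = {
    "rp-liquor-001": Registration("rp-liquor-001", "Example Liquor Store", "AT",
                                  "age verification", frozenset({"age_over_18"})),
    "rp-bank-042": Registration("rp-bank-042", "Example Bank", "DE",
                                "account opening",
                                frozenset({"given_name", "family_name", "birth_date"})),
}


@dataclass
class ScreeningResult:
    requester: Optional[Registration]  # shown to the user before anything is shared
    offered: List[str]                 # attributes the user will be asked to consent to
    blocked: List[str]                 # attributes refused as outside the registration
    reason: str


def screen_request(rp_id: str, requested: List[str]) -> ScreeningResult:
    """Compare an incoming request with the requester's registration.

    Unregistered requesters get nothing offered; registered ones are limited to
    the attributes they declared. Nothing is released here: consent comes later.
    """
    reg = REGISTRY.get(rp_id)
    requested = list(dict.fromkeys(requested))  # de-duplicate, keep order
    if reg is None:
        return ScreeningResult(None, [], requested, "unregistered relying party")
    offered = [a for a in requested if a in reg.attributes]
    blocked = [a for a in requested if a not in reg.attributes]
    reason = "request exceeds registered scope" if blocked else "within registered scope"
    return ScreeningResult(reg, offered, blocked, reason)


def release(wallet_data: Dict[str, object], screening: ScreeningResult,
            user_consent: Set[str]) -> Dict[str, object]:
    """Release only attributes that are offered, consented to by the user, and held."""
    if screening.requester is None:
        return {}
    return {a: wallet_data[a] for a in screening.offered
            if a in user_consent and a in wallet_data}


# Constructed wallet contents.
WALLET = {"given_name": "Alex", "family_name": "Example", "birth_date": "1990-05-17",
          "age_over_18": True, "vaccination_status": "complete"}

if __name__ == "__main__":
    s = screen_request("rp-liquor-001", ["age_over_18", "vaccination_status", "birth_date"])
    print(f"{s.requester.name} ({s.requester.country}, {s.requester.use_case}): {s.reason}")
    print("blocked:", s.blocked, "offered:", s.offered)
    print("released:", release(WALLET, s, {"age_over_18"}))
```

Note that consent is per attribute: even an in-scope attribute such as `birth_date` for the bank stays in the Wallet unless the user ticks it, and an attribute the user ticks but the requester never registered for is never released.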
The original proposal included a serial number for all humans by mandating a unique and persistent identifier for everyone. Such a number would have allowed for the correlation of everything a user does in all areas of society (health, transport, finance, commerce, etc.). Tracking and profiling online and offline would have become easier than ever before. We started our work on this file with the primary goal to prevent this serial number and we won. The final text doesn’t mention a unique and persistent identifier anymore and even includes additional privacy safeguards that should prevent tracking.
Right to Pseudonymity
Many people need anonymity online in order to exercise their human rights, particularly freedom of speech. The Wallet creates a technical infrastructure that could make it easy and cheap to identify everyone online and offline on a massive scale. In many online interactions this is exactly what companies would love to have: government-certified identity information about us, particularly in surveillance-based advertising. The final text of the eIDAS regulation counters this with a right to pseudonymity. It allows users to use a pseudonym that is generated by the Wallet and stored only locally. However, this right can be restricted by national and EU law.
Selective Disclosure, Zero-Knowledge and Unlinkability
When a company asks for information in the Wallet, the user can agree to hand over everything, nothing or “selectively disclose” only parts of what they have been asked for. The Wallet should also include the possibility to prove that a certain attribute about oneself is true without revealing the actual underlying information. This is called “zero-knowledge”. An example of this is proving that a person is above 18 years old without revealing their birth date. Sadly, “zero-knowledge” is only demanded from Member States in a Recital, so it might not be available in all countries.
Whenever a company is not asking for the identification of a user, but only for a certain attribute about them, this has to be done in a way that makes multiple proofs of attributes “unlinkable” with each other. “Unlinkability” means that several interactions with the same or different companies cannot be linked together, thereby preventing the user from being tracked and profiled. In practice, this means that if a person proves their age with the Wallet every Saturday night in a club, the digital records prevent the owner of the club from knowing that it’s the same person coming every week. While, generally, online age verification is often a bad idea, these privacy-preserving techniques at least limit the risk.
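The two properties from the last paragraphs, selective disclosure and unlinkability, are distinct, and the difference is easy to miss. The following added example (not code from the page, the regulation or any Wallet specification) builds the common salted-hash style of selective disclosure, as used by schemes such as SD-JWT: the issuer commits to every attribute with a fresh salt and signs the list of digests, and the holder reveals salt and value for only the attributes they choose. It then shows the caveat a practitioner should know: two presentations from the same signed credential carry the same digest list, so a verifier can link them even when only “over 18” is revealed; only fresh, separately issued copies (batch issuance) or genuine zero-knowledge proofs make the club-every-Saturday scenario unlinkable. The attribute values are constructed, and the issuer’s signature is modelled as an HMAC tag under an issuer key shared with the verifier, a stand-in for a public-key signature.

```python
"""Salted-hash selective disclosure, and why it alone does not give unlinkability.

Constructed example. The HMAC tag stands in for the issuer's public-key signature.
"""
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = secrets.token_bytes(32)  # constructed issuer key (verifier shares it here)


def _digest(salt: bytes, name: str, value) -> str:
    """Commitment to one attribute: H(salt || canonical(name, value))."""
    return hashlib.sha256(salt + json.dumps([name, value]).encode()).hexdigest()


def issue(attributes: dict) -> dict:
    """Issuer: salt every attribute, sign the sorted digest list."""
    salted = {n: (secrets.token_bytes(16), v) for n, v in attributes.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in salted.items())
    tag = hmac.new(ISSUER_KEY, json.dumps(digests).encode(), "sha256").hexdigest()
    return {"salted": salted, "digests": digests, "tag": tag}


def make_presentation(credential: dict, disclose: list) -> dict:
    """Holder: send the signed digest list plus salt and value for disclosed attributes only."""
    return {"digests": credential["digests"], "tag": credential["tag"],
            "disclosed": {n: credential["salted"][n] for n in disclose}}


def verify(presentation: dict):
    """Verifier: check the issuer tag, then that each disclosed attribute is in the signed list.

    Returns the disclosed attributes, or None if anything was tampered with.
    """
    expected = hmac.new(ISSUER_KEY, json.dumps(presentation["digests"]).encode(),
                        "sha256").hexdigest()
    if not hmac.compare_digest(expected, presentation["tag"]):
        return None
    for n, (s, v) in presentation["disclosed"].items():
        if _digest(s, n, v) not in presentation["digests"]:
            return None
    return {n: v for n, (_, v) in presentation["disclosed"].items()}


def linkable(p1: dict, p2: dict) -> bool:
    """The signed digest list is a stable identifier: equal lists mean the same credential."""
    return p1["digests"] == p2["digests"]


ATTRS = {"given_name": "Alex", "birth_date": "1990-05-17", "age_over_18": True}


def single_credential_demo():
    """Two Saturdays, one credential: valid proofs, but the club can link the visits."""
    cred = issue(ATTRS)
    sat1 = make_presentation(cred, ["age_over_18"])
    sat2 = make_presentation(cred, ["age_over_18"])
    return verify(sat1), linkable(sat1, sat2)


def batch_issued_demo(n: int = 2):
    """Batch issuance: n copies with fresh salts, one copy per visit, so visits do not link."""
    batch = [issue(ATTRS) for _ in range(n)]
    pres = [make_presentation(c, ["age_over_18"]) for c in batch]
    return [verify(p) for p in pres], linkable(pres[0], pres[1])


if __name__ == "__main__":
    print("single credential:", single_credential_demo())   # ({'age_over_18': True}, True)
    print("batch issued:     ", batch_issued_demo())         # ([{...}, {...}], False)
```

The verifier in `verify` learns nothing about `given_name` or `birth_date` when only `age_over_18` is disclosed, which is selective disclosure working as intended. The `linkable` check is the part that matters for the clause on unlinkability: a Wallet that reuses one signed credential across presentations leaks a stable identifier to every relying party regardless of how little it discloses.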
The Wallet will have a full transaction history of every request for information the user ever received, the information about the companies requesting the information and potentially the information the user has shared with them. Furthermore, according to the final text, the Wallet will have to offer the possibility to request the deletion of any personal data from the company’s records and also to file a complaint about them to the national data protection authority.
The biggest disgrace of this reform is the fact that there are absolutely no safeguards that prevent the governments which provide the Wallet from surveilling everything its users do with it. Given that this tool may be used in all areas of life (health, transport, finance, online, etc.), the amount of information a government can obtain about people’s lives is on a panoptical level. Users of the Wallet could find their whole life reflected in this one data set about how they use the Wallet. This was totally avoidable with technical standards that ensure unobservability. The European Parliament adopted a great text that would have done exactly that. Sadly, the final text includes very broad provisions that allow governments to know everything a user does, even without their consent. It is only a question of time until law enforcement will demand access to this information.
UPDATE 2023-11-14: After the agreement was reached, there were still changes in Recital 11c that oblige the Wallet provider to “ensure unobservability by not collecting data and not having insight into the transactions of the users of the Wallet. This means that the providers should not be able to see the details of the transactions made by the user.” This can be exempted where necessary for the provision of particular services when the user has given their explicit consent for that particular service (backup, complaint handling, etc.). This is actually a meaningful improvement that could give us a fighting chance for an unobservable architecture, but how much weight it carries will totally depend on the implementation (see technical blueprints below).
The idea of having the owner of a domain name visible in the web browser was shelved by every browser in the world in 2009. In 2021 the Commission deemed it a good idea to force the whole world to reintroduce this mid-2000s idea of “extended validation” under the new name “Qualified Website Authentication Certificates (QWACs)”. While nobody will use this, the real damage done by this system is that every web browser in the world will be forced to trust the root certificates from all European Trust Service Providers, regardless of whether they are actually trustworthy.
In response to the revelations of government mass surveillance by Edward Snowden, the share of encrypted web traffic jumped from less than half to 95%. The security of this encryption depends on the lists of certificates trusted by browsers, and governments around the world have repeatedly tried to attack this system. With the original proposal, the EU would have broken the complete trust architecture of the world wide web, and even if a certificate had been found to be used for surveillance, there would have been nothing in the law to allow the browser to kick it out.
The final twist of this story is that only days before the final deal the negotiators agreed to a change in the text that ensures browsers’ freedom to protect domain authentication and the encryption of web traffic in a manner and with the technology they consider most appropriate. In practice, this means browsers will have a way to resist QWACs undermining encryption, by separating them from TLS. Thus, at least we can expect browsers like Mozilla’s Firefox to fight against the undermining of the trust architecture of the web. For others like Microsoft’s Edge we have less hope.
Some countries in the EU made a business model out of not enforcing EU laws against big corporations. As far as the new European digital identity is concerned, Facebook Ireland or online gambling companies in Malta will be under the sole regulation of their national public authorities. While other EU laws like the GDPR or the DSA tried to reckon with this problem and attempted solutions, this eIDAS law is not even trying to solve it. When Facebook Ireland suddenly demands the real name, financial or health information from a person, even though they’re not allowed to, no complaint against them will be handled with diligence, because the Irish Data Protection Authority ironically sees it as its job to protect Facebook and not us and our data. Thus, in such cases, the regulatory agencies of other EU countries have no possibility to kick a company off the Wallet ecosystem if they are located in one of these safe havens. The only safeguard against this is: to not use the Wallet to share data when the company requesting the data comes from one of these countries.
Security and Certifications
The Wallet will be issued by an EU Member State. The same Member State will have to appoint certification bodies that will check whether their national Wallet is actually safe and compliant with the law. Moreover, for the first few years, there will be no EU-wide security standard, but only national security certification schemes. Those schemes will be discussed between Member States, but in practice we will see widely different security levels between Member States, which will potentially put many users at risk. The backend of the Wallet might not receive a security certification at all. Originally, the Wallet was also supposed to be certified for adherence to privacy standards and the GDPR. But since Member States successfully lobbied against this, it’s now up to them to decide whether their national Wallet will be certified for privacy compliance or not.
The program code of the Wallet app has to be open source licensed and available to public scrutiny. Sadly, this obligation was fought heavily by Member States and watered down last minute so as not to include the software of the back end. Thus, in its current form, the regulation gives Member States the possibility to keep the source code of the back end closed for “duly justified reasons, especially public security purposes”. This not only prevents public scrutiny. It also deprives the public of a huge piece of software, paid for with public money, that – with an open or free license – could have benefited the development of countless other IT applications.
Six months after the law has been adopted, the Commission will have to announce the technical specifications for how the Wallet is supposed to work. Hence, for the past two years, a group of representatives from Member States has met in complete secrecy, and with lots of influence from industry groups, to prepare this technical standard. The document they produced is called the “Architecture Reference Framework” (ARF) and was last released in January 2023 as version 1.0. The most recent internal version 1.2 is from June 2023, and both of them couldn’t be further away from the democratically agreed legal text: almost all the safeguards in the legislation that we explained here are missing in the ARF. Without a lot of work, either the timeline will not hold or the Wallet will be met with mistrust because it’s in breach of the law.
Support important digital reforms
Finally, it’s important to say that we would have wished for more attention on this whole reform. We were the only civil society organization working on eIDAS, and also our colleagues from the much bigger consumer protection world had to de-prioritize this file early on. We worked on this complex, technical issue for over two years without any dedicated funding or projects. As a watchdog, we are guided by the risks we can avoid for the population and not by the reward we might gain or permissions others give us. We can only do this because we have over a thousand supporting members that finance this fight for freedom with their recurring donations. Please consider joining!
On Wednesday 8 November 2023 negotiators met for the last political trilogue and agreed to the text that is the basis of this blogpost. There will be one last technical meeting to clean up language, but substantial changes in trilogue are not planned. Member States are scheduled to vote in the Council of the EU in December 2023, and Parliament to vote in the ITRE Committee on 28 November and in plenary in February 2024. Ultimately, changes depend on the political majority. We based this analysis on the final text for the political trilogue that we expect to become the law. In the meantime, the final legal text has been published on the website of the ITRE committee.