The European Digital Identity framework

June 14, 2021

Two weeks ago the European Commission announced their proposal for a European Digital Identity framework. The proposal is actually an amendment of the eIDAS regulation from 2014. Here are some initial observations and recommendations.

Why a new regulation?

According to the Commission itself, eIDAS was not a success:

The added value of the eIDAS Regulation with regard to electronic identity is limited due to its low coverage, uptake and usage.

In particular:

  • use was limited to the public sector,
  • possibilities for online private providers to connect were limited and complex,
  • there were very few online public services (accessible domestically) that can be reached cross-border via the eIDAS network,
  • there was an insufficient availability of notified eID solutions in all Member States, and
  • there was a lack of flexibility to support a variety of use cases.

There is competition from identity solutions falling outside the scope of eIDAS, such as those offered by social media providers and financial institutions, which raise privacy and data protection concerns. Moreover, this leads to fragmentation, also because national eID standards are starting to diverge.

The Commission states that

With the growing digitisation of cross-border public and private services which rely on the use of digital identity solutions, there is a risk that within the current legal framework, citizens will continue to face obstacles and not be able to make full use of online services seamlessly throughout the EU and to preserve their privacy.

But the question is how many successful, large cross-border services exist for which a pan-European eID framework is relevant. Sure, there are many global online services that require authentication. It is unclear why they would benefit from this EU proposal, and whether they would switch. (The proposal wants to require large online platforms to accept the proposed EU eID - if EU citizens desire to use it for this purpose, that is - as if to create ‘demand’.) And in any case the Commission itself lacks relevant information, as it calls (page 9 of the proposal) for surveys to get information on:

  • the size of the market for digital identities;
  • the share of businesses providing their services online;
  • the share of online transactions requiring strong customer identification; and
  • the share of EU citizens using online private and public services.

This is all not very convincing.

What’s new?

eIDAS already regulated the mutual recognition of national electronic identification (eID) schemes. The idea is that a citizen from one Member State (MS) can use their national eID to authenticate themselves at a (governmental) service offered by another MS. The old eIDAS framework also regulated the following trust services:

  • electronic signatures (created by natural persons),
  • electronic seals (essentially electronic signatures created on behalf of a legal person by a natural person),
  • electronic time stamps (proving the existence of a document at or before a specified time),
  • electronic registered delivery services (that prove a document was sent and/or received),
  • certificates for website authentication (that allow websites to be authenticated and linked to the natural or legal person to which they belong), or
  • the preservation of electronic signatures and seals (to ensure their validity beyond their cryptographically guaranteed lifetime).

The most important addition of the new European Digital Identity proposal is the concept of a European Digital Identity wallet, which essentially is a smartphone app, issued by member states, that can be used as national eID, both online and offline, and to both public and private services. The offline use is new, and the use at private service providers seems to be more pronounced. (In fact the proposal is to require large online services like Google and Facebook to accept the new EU eID!)

It also supports the provision and use of electronic attributes (together with allowing users to limit the sharing of identity data). This is great news, but the details matter, so more on that further below.

The proposal also regulates a number of additional trust services, namely

  • electronic archiving services,
  • electronic ledgers, and
  • the management of remote electronic signature and seal creation devices (where remote signature or seal creation devices model the case where the signing key is not under direct control of the person itself, but is instead controlled by the service provider).

This is the ‘high ambition’ option mentioned in the introduction to the proposal and it is not clear why the Commission prefers this high ambition option. The first two on this list are actually quite surprising. The class of archiving services is extremely broad, and has very little, if anything, to do with digital identity (the core object of regulation). It would be wise to leave them out, and go for the ‘medium ambition’ option that extends eIDAS with electronic attestations of attributes. Unless the scope of this regulation is intended to be so broad that it should be renamed to the European Digital Data framework.

Ledgers are a particular type of archiving service, and similarly out of scope (as the Commission acknowledges with this list of applications):

For example, it creates a reliable audit trail for the provenance of commodities in cross-border trade, supports the protection of intellectual property rights, enables flexibility markets in electricity, provides the basis for advanced solutions for self-sovereign identity and supports more efficient and transformative public services.

In fact electronic ledgers appear to have been sneaked in at the last moment (they were not part of the impact assessment, see page 11 of the proposal), and it appears they were included also to make them more tightly regulated. Anyway, the only possibly interesting and in-scope application is of course “self-sovereign identity”. But the latter can easily be implemented using the proposed attribute attestation scheme, which does not rely on ledgers at all.

The wallet

The core of the new proposal is a new European Digital Identity wallet, or rather a set of wallets issued by member states according to a standard yet to be agreed upon. The wallet is a smartphone app that can be used as a means of (electronic) identification all across Europe, and can be used to link national digital identities with proof of other personal attributes (e.g. driving licence, diplomas, bank account).

The initial mental model the proposal evokes is one of a secure personal container that you always carry with you, and that locally stores, on your smartphone, the essential identity cards and attributes you want to selectively disclose to others. This is how attribute-based credentials usually work.

However, from the accompanying website a slightly different picture emerges, where the wallet looks more like a safe that stores all kinds of (potentially large) documents that can be sent to a bank, for example, to open an account. In that picture these documents may not actually be stored locally within the wallet itself; instead the wallet contains a pointer to the documents stored elsewhere. This is a totally different idea, with important ramifications (if this is in the end how the wallet will work).

Recital 11 of the proposal appears to leave the actual architecture open: both local and cloud-based solutions are envisioned. Personally, I favour a local (distributed) approach because of the obvious privacy benefits.

Attributes

The wallet is attribute based, with selective disclosure. Good. We have some experience in that ;-)

Limited privacy

Luckily, article 6 requires that Digital Identity Wallets shall, in particular:

ensure that trust service providers of qualified attestations of attributes cannot receive any information about the use of these attributes;

Note: the European Commission uses the very complex term “qualified attestations of attributes” for “attribute based credentials” (presumably because the term “credential” is already reserved for something else, and so is probably the term “claim”) and the even more complex phrase “trust service providers of qualified attestations of attributes” for issuers of such credentials.

In other words, article 6a.4.b (sic) requires some kind of issuer unlinkability, but only as enforced by the wallet. It would have been stronger if full issuer unlinkability had been required instead, guaranteeing that the issuer is simply unable to see if and where any of the attribute attestations it issued were used (even with the cooperation of the wallet and any services at which the attestations of attributes have been used). Moreover, service unlinkability should also be guaranteed: this prevents different (online) services from profiling otherwise anonymous users across different websites.

Article 6a.4.d states that the wallet should

provide a mechanism to ensure that the relying party is able to authenticate the user and to receive electronic attestations of attributes;

In other words, the EU eID wallet combines a very identifying, privacy invasive function with an attribute attestation function that is much more privacy friendly. However, the proposal does not very clearly separate these functions. One, admittedly far-fetched, reading of article 6a.4.d cited above implies that any attestation of an attribute is preceded by a step that fully identifies and authenticates the user. This would throw the whole idea of privacy friendly use of attributes, proving certain properties without revealing one's full identity, out of the window. Surely this can’t be right. To avoid any confusion, the proposal should explicitly require that attribute attestation is possible without a full identification step. (See also the next paragraph on attribute revocation, and later the discussion on wallet validity, on why such a far-fetched reading might not be so far-fetched after all.)

Revocation

Attributes can be revoked, and revocation should be immediate (article 45c). This is a very strict requirement, and it is not immediately obvious how to square that with the requirement mentioned above that issuers of attributes cannot receive any information about the use of these attributes. Unless, of course, privacy is no consideration at all and identification precedes attribute attestation, so that issuers can broadcast lists of users whose attributes have been revoked.

Issuing

Article 45d seems to imply that any qualified provider of electronic attestation of attributes can attest any attribute as long as it has access to the authentic source. This is hugely problematic, because typically relying parties decide which issuers to trust for which types of statements: my doctor can say something meaningful about my vaccination status, but not about my college degree. And similarly, my university is not supposed to be trusted with claims about my health. In other words, the proposal should make clear that issuers are only allowed to issue attribute attestations for attributes of which they are an authentic source themselves.

Using the wallet

The proposal aims to greatly expand the use of the EU eID wallet, also to private services. For example, article 8 requires the following parties to accept the EU eID wallet:

  • private parties that by law are required to strongly authenticate their users (e.g. in transport, banking, or education), and
  • large online platforms like Google and Facebook.

Other sectors will be pushed to use the EU eID wallet through ‘codes of conduct’.

This glosses over an important fact: not every EU citizen owns a relatively recent smartphone, and some do not own a smartphone at all. Some people may share their phone with other members of their household. Implementing the wallet solely as a smartphone app therefore excludes a significant number of European citizens, or exposes them to particular risks.

Recital 8 states that

service providers should communicate their intent to rely on the European Digital Identity Wallets to Member States. That will allow Member States to protect users from fraud and prevent the unlawful use of identity data and electronic attestations of attributes as well as to ensure that the processing of sensitive data, like health data, can be verified by relying parties in accordance with Union law or national law.

And indeed article 6 demands that relying parties be authenticated by the wallet, for which member states must implement a common mechanism. But how does that work for relying parties that are not based in a member state?

There is a step missing though: mere authentication of the relying party is not enough to prevent fraud and to prevent unlawful use of identity data and attributes. This can only really be stopped by supplementing the authentication of relying parties with a so-called access certificate that specifies which data the relying party is allowed to request from the wallet. The wallet then enforces these restrictions and only reveals data explicitly allowed by the access certificate. The access certificate is normally issued by the ‘scheme authority’ (an important role that appears to be missing from the proposal).
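As an added illustration of the enforcement step just described (this is not code from the proposal or from any real wallet implementation): a hypothetical scheme authority issues each relying party an access certificate listing the attributes it may request, and the wallet verifies the certificate, ties it to the relying party that authenticated itself, and releases only what the certificate allows. The scheme-authority key, party names and wallet contents are all constructed, and an HMAC stands in for the authority's real signature.

```python
"""Wallet-side enforcement of an access certificate.

Added illustration, not code from the proposal or from any real wallet:
a hypothetical scheme authority issues each relying party (RP) an access
certificate listing the attributes it may request.  The wallet verifies
the certificate, checks that it belongs to the RP that just authenticated,
and releases only the attributes the certificate explicitly allows.  An
HMAC under a constructed scheme-authority key stands in for a signature.
"""
import hashlib
import hmac
import json

# Constructed key; a real scheme authority would use a private signing key.
SCHEME_AUTHORITY_KEY = b"constructed-scheme-authority-key"

# Constructed wallet contents: identity data plus attribute attestations.
WALLET_STORE = {
    "legal_name": "Alice Example",
    "date_of_birth": "1990-01-01",
    "over_18": True,
    "vaccination_status": "complete",
    "degree": "MSc Computer Science",
}


class WalletPolicyError(Exception):
    """Raised when the wallet refuses a request."""


def _canonical(obj) -> bytes:
    # Deterministic encoding so the MAC covers exactly one byte string.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_access_certificate(rp_id: str, allowed: list, purpose: str) -> dict:
    """Scheme authority side: bind an RP to the attributes it may request."""
    body = {"rp": rp_id, "allowed": sorted(set(allowed)), "purpose": purpose}
    tag = hmac.new(SCHEME_AUTHORITY_KEY, _canonical(body), hashlib.sha256)
    return {"body": body, "sig": tag.hexdigest()}


def verify_access_certificate(cert: dict) -> bool:
    """Wallet side: check the certificate was issued by the scheme authority."""
    tag = hmac.new(SCHEME_AUTHORITY_KEY, _canonical(cert["body"]), hashlib.sha256)
    return hmac.compare_digest(tag.hexdigest(), cert["sig"])


def release_attributes(cert: dict, authenticated_rp: str, requested: list) -> dict:
    """Return only the requested attributes the access certificate permits.

    The RP is assumed to have already authenticated itself to the wallet as
    `authenticated_rp` (the common mechanism article 6 asks member states for).
    """
    if not verify_access_certificate(cert):
        raise WalletPolicyError("access certificate not issued by scheme authority")
    if cert["body"]["rp"] != authenticated_rp:
        raise WalletPolicyError("certificate does not belong to the authenticated RP")
    allowed = set(cert["body"]["allowed"])
    over_reach = sorted(set(requested) - allowed)
    if over_reach:
        # Refuse the whole request rather than silently dropping attributes,
        # so the user (or a watchdog) can see that the RP asked for too much.
        raise WalletPolicyError(f"RP may not request: {over_reach}")
    return {name: WALLET_STORE[name] for name in requested if name in WALLET_STORE}


def request_is_permitted(cert: dict, authenticated_rp: str, requested: list) -> bool:
    """Convenience wrapper: True if the wallet would release the request."""
    try:
        release_attributes(cert, authenticated_rp, requested)
        return True
    except WalletPolicyError:
        return False


if __name__ == "__main__":
    bank = issue_access_certificate("bank.example", ["legal_name", "date_of_birth"], "KYC")
    print(release_attributes(bank, "bank.example", ["legal_name", "date_of_birth"]))
    # Asking for a health attribute outside the certificate is refused.
    print(request_is_permitted(bank, "bank.example", ["legal_name", "vaccination_status"]))
```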

I really do not understand the requirement to force platforms like Google and Facebook to accept the EU eID wallet (while making the use of the EU eID wallet voluntary for users). The claim (recital 28) that this is necessary to increase the protection of users from fraud and secure a high level of data protection does not make sense to me. On the contrary, the risk increases when access to identity and attributes is not strictly enforced by access certificates (see also the discussion on trust further on). There are many reasons why people do not want to be formally verified when using online platforms, and the forced acceptance also gives platforms like Google and Facebook access to formally verified attributes (like health status and education level). To be clear: use of the EU eID wallet at platforms like Google and Facebook is completely voluntary. Still, this seems like a bad idea to me.

Who makes the wallet

According to the press release “wallets may be provided by public authorities or by private entities, provided they are recognised by a Member State.” The Dutch government decided to leave the implementation of a framework for a national eID scheme to private entities, under the assumption that the market drives innovation and reduces costs. Both assumptions turned out to be wrong: years of development were wasted, and we still have no real national eID scheme supporting attributes (as was intended almost a decade ago) for use at both private and public services. I personally think that identity is such a core part of the digital infrastructure that its construction should be treated like that of traditional physical infrastructure such as roads, electricity networks, etc.: as a public good, its construction should be controlled, steered and paid for by the government.

Even though the wallet is issued by member states, it will show an EU Digital Identity Wallet Trust Mark. This made me wonder at some point to what extent the proposal lays the groundwork for an EU passport or driver's license. In any case, to citizens using the wallet it may quickly start to feel like an EU passport of sorts anyway.

See also article 11a:

Member States shall, for the purposes of this Regulation, include in the minimum set of person identification data referred to in Article 12.4.(d), a unique and persistent identifier in conformity with Union law, to identify the user upon their request in those cases where identification of the user is required by law.

This introduces a union-wide citizen identification number (easily created using the unique and persistent identifier in the article, prepended by the two-letter abbreviation for the member state).

Security, trust, resilience

A complex system like a European eID system consists of many components, each of which impacts the overall security, trust and resilience. As security depends on the weakest link, central coordination and oversight is crucial. In that regard the proposal could and should be strengthened.

It is worrying that recital 10 states that conformity to the overall requirements laid down in the proposed regulation is certified by individual Member States. Article 12 rules out peer review, for example. And recitals 14 and 15 call for simplification, acceleration, and streamlining of the notification processes. It is important to stress that if one Member State takes the security and certification process less seriously, all Member States and all citizens suffer the consequences. This holds true for the wallet (that serves as the source for the core identity), as well as the attribute attestation services (that determine how secure and trustworthy the attributes they issue really are).

Article 6 states wallets can be validated, and article 10 claims that wallets can be revoked. It is unclear whether this implies individual wallets can be revoked, or a class of wallets (certain app versions, or one that is issued by a particular member state). In any case this means that some information about which particular wallet is being used must be revealed to the relying party, in order to check revocation status. This can still be done in a privacy friendly manner, but the proposal does not require this. This could be improved.

The actual intended behaviour might actually be the ability to revoke individual wallets, given the observation made earlier (when discussing article 6a.4.d) that the proposal does not explicitly forbid that an attestation of an attribute is preceded by a full identification and authentication of the user. In fact, the proposal sometimes seems to conflate the concept of identity with that of a wallet (which is technically speaking merely a carrier of an identity attestation, along with other attribute attestations). The distinction could and should be made much clearer.

Trust is of paramount importance for any eID scheme, both for users (that need to trust the scheme to protect their identity, both in terms of privacy and in terms of identity theft) and for relying parties (that need to be able to rely on the identity and attribute attestations provided by the eID scheme). This is at odds with aiming for a very diverse set of online and offline, public and private services that should or could accept the eID scheme as a means of identification, as the current proposal does. In the offline world we are used to using different means of authentication in different contexts: we do not expect that the bank would accept our loyalty card as a means of identification. We are bound to be less careful using our identity in the shopping mall than when logging in to our online bank account. Using the same means of identity in both contexts increases the risk of identity fraud. This (and many other important aspects of identity management the proposed regulation should take note of) is explained in much more detail in this paper and blog posts. I am not saying such a broad scope is impossible, but it does require extra care in the security design of the scheme.

Trust would also benefit from requiring all components of the European Digital Identity Framework (like wallets, the services offered by trust providers, and the components used by relying parties to verify identities and attribute attestations) to be open source. This is unfortunately not mentioned, let alone being required, in the proposal.

There are three other relevant security issues the proposal does not address at all: binding, sovereignty, and resilience.

Binding is a problem that plagues all digital identity schemes: how can we be sure that the person using the digital identity is actually the one to whom it belongs? In the offline world, passports and driver's licenses have a picture of the bearer to allow this to be checked (although this is also not necessarily very reliable). In the online world we lack this possibility. So how do we ensure that an adult does not share his account with a minor? How do we ensure that the owner/bearer of the EU eID wallet does not allow someone else to use their smartphone to log in to a service? How do we prevent identities or attributes from being pooled or shared? The proposal seems to implicitly trust the authentication mechanisms offered by the smartphone vendors on whose platforms the wallet runs. This needs further elaboration.

The second issue is digital sovereignty. The wallet is a crucial component of the whole proposed identity framework. Without it, the whole system collapses. But the wallet is a smartphone app that needs a smartphone to function. The problem is: the European Union does not (really) produce smartphones itself. What if Google or Apple decide to kick the wallet from their app stores? What if they change the terms and conditions? The proposal puts the core of the framework in the hands of the Silicon Valley tech behemoths, while at the same time the whole digital agenda of the Commission aims to increase our digital sovereignty. The current proposal is irreconcilable with that (important) ambition.

The final security issue is resilience. The wide scope of the proposal, aiming for acceptance of the EU eID for a broad set of services, risks putting all our eggs in one basket. I currently have several keys to my house. I have a passport as well as a driver's license. I have separate bank cards. I sometimes carry my driver's license, but usually keep my passport at home. If I lose one, I still have the other to prove who I am. What if I ‘lose’ my future EU eID wallet? Then what? Can I at least make a ‘backup’?

A ‘toolbox’?

The regulation is accompanied by a recommendation for a common toolbox. The very first recital reads

In just one year, the COVID-19 pandemic has radically changed the role and relevance of digitalisation in our societies and economies, and accelerated its pace. In a response to the increased digitalisation of services, the demand by users and business for means to identify and authenticate online, as well as to digitally exchange information related to identity, attributes or qualifications, in a secure way and with a high level of data protection, has increased radically.

This shows the intention of the proposal is a push for more identification and authentication, both online and offline, and is linked to the proposal for the COVID-19 Green Certificate. The proposed wallet would be the perfect carrier for this attribute.

The toolbox itself “should lead to a technical architecture and reference framework, a set of common standards and technical references as well as best practices and guidelines as a basis for the implementation of the European Digital Identity framework.” The recommendation “sets up a structured process of cooperation between Member States, the Commission and, where relevant, private sector operators to develop the Toolbox”, to be coordinated by the eIDAS expert group.

Very conspicuously absent from this list of stakeholders are civil society, and the technical and academic research community. If the history of the development of a national eID scheme in the Netherlands has taught us anything, it is that leaving this up to only the government and the private stakeholders is a recipe for disaster.

Given the observation earlier that this proposal seems to push for more identification, it is especially important to think of the broader ramifications and have civil society and the social sciences on board as well. Even privacy friendly designs of identification or attestation may have undesirable, privacy unfriendly, consequences.

Conclusion

Further and deeper analysis of the proposal is necessary, as well as closely monitoring the standardisation and policy making process. The proposal contains some good elements (the addition of attribute attestation with selective disclosure, for example). The proposal should make very clear however that these attributes can be used without any form of identification.

In general the proposal breathes a desire to impose more, tighter, identification on European citizens: a Europe-wide unique and persistent identifier is required, creating a European social security number. And the inclusion of an EU Digital Identity Wallet Trust Mark on every wallet will create the illusion of an EU identity card.

The scope of the proposal is unnecessarily broad, including new trust services like archiving and ledgers that have little if anything to do with identity. These should be left out.

The proposal weakens EU digital sovereignty: the proposed European Digital Identity Wallet is an app that needs to run on a smartphone. In other words our EU eID critically depends on access to and functioning of technology completely controlled by either Apple or Google. Digital identity is a core part of the digital infrastructure. Identity defines citizenship. Do we really wish to relegate control over those to others?

Finally, the reliance on an app excludes large groups of European citizens that do not personally own a smartphone. And by putting all identity eggs in one smartphone basket, the overall resilience of the proposed European Digital Identity Framework is extremely poor. Because of the large scope of the proposal, if our wallets stop functioning, we are pretty much disconnected from all our digital services. And Europe would come to a standstill.

Acknowledgements: I thank Bart Jacobs for useful comments and suggestions.

David Chadwick, 2021-06-15

Hi Jaap-Henk

Great article. Many thanks for articulating many of my own thoughts.

One issue you state is about the unlawful use of identity attributes “This can only really be stopped by supplementing the authentication of relying parties with a so called access certificate that specifies which data the relying party is allowed to request from the wallet.”

There is an alternative, which we have already implemented (and I believe that ToIP is veering towards as well). Namely, the RP has to publish its attribute requirements in a public registry, and the wallet picks up the policy from there and returns the attributes that it requests to the RP. A public registry has a number of advantages:

  1. The ICO can inspect them

  2. Multiple RPs can use a common policy e.g. all nightclubs can point to the same Over 18 policy

  3. Supports different policy languages/syntaxes for the same semantic policy.

OIDC already supports something similar to this by supporting claims by inclusion and claims by reference.

Kind regards

David

Jaap-Henk Hoepman, 2021-06-15

Dear David,

Nice! Hadn’t heard of this idea before but that seems to work as well, and appears to be more flexible and transparent (especially point 2). Point 1 is essential of course. But could be supported by some reporting functionality that people can use when they believe a service is asking for too many attributes. This could even be implemented by a consumer watchdog.

Best, Jaap-Henk