Civil liberties aspects of the European Digital Identity Framework.

Jaap-Henk Hoepman
January 31, 2022

Last year, the European commission proposed to update the eIDAS regulation to create a European Digital Identity Framework. This proposal is currently being discussed by European Parliament committees. I was asked by the Committee on Civil Liberties, Justice and Home Affairs (LIBE) to provide a written contribution on the eID proposal, focused on aspects related to privacy and data protection. Below you’ll find my input (that builds on my earlier comments that I published on this blog).

First observations

The amended regulation introduces the concept of a European Digital Identity Wallet (to be called ‘wallet’ from now on) that is in principle attribute based and works in principle in an off-line fashion (Art. 6a.4.(a).(3)).

As a result, the issuers of any attributes (called ‘trust service providers of qualified attestations of attributes’ in eIDAS parlance) do not receive any information about the use of these attributes (Art. 6a.4.(b)), and similarly (Art. 6a.7)

the issuer of the European Digital Identity Wallet shall not collect information about the use of the wallet which are not necessary for the provision of the wallet services.

Both principles are a necessary condition to implement a privacy friendly digital identity framework. But they are not sufficient (as will be explained further on).

We welcome the fact that the amended regulation proposes to also cover qualified electronic signatures and requires the wallet to be able to create such signatures on behalf of the user. The proposal does not explicitly state this, but the apparent intention is that such signatures are always linked to a particular natural person through a certificate for an electronic signature. This is a significant step, as it allows citizens to sign documents in a much more trustworthy fashion because the signature is generated on the citizen’s own device. However, the proposal misses the opportunity to generalise the concept of an electronic signature to so-called attribute signatures that cannot be linked to a particular natural person, but that guarantee that the signature was created by a natural person to whom a qualified attestation of that particular attribute was issued. For example, the person to whom the attribute ‘licensed general practitioner’ was issued could then sign a prescription for a particular medicine using this attribute, and any pharmacy in Europe would then be able to verify the validity of this prescription (without relying on, and having to consult, a Europe-wide registry of licensed GPs). This could even be combined with a traditional, ‘identifying’, qualified electronic signature if necessary for accountability purposes. This is reminiscent of the mechanisms that underlie role based access control schemes.

We also welcome the effort by the commission to preempt the growing influence of Google and Apple in the digital identity landscape, as witnessed by the increased use of their wallet offerings for official identification purposes (storing electronic identity cards and electronic driver’s licenses for several US states). It would be a very grave situation indeed if a future European digital identity framework were to critically depend on these large, foreign companies. The current proposal does not fully achieve independence from these companies, however, as the proposed wallet is a smartphone app, and most smartphones have either Android (Google) or iOS (Apple) as their operating system. We will discuss this further on.

Another driver for the proposal appears to be the EU Digital COVID certificate. One of the benefits of the wallet is that such a COVID certificate can easily be implemented by representing it as a qualified attestation of the attribute ‘having a valid vaccination against COVID’. This advantage can also be seen as a disadvantage: as discussed in more detail below in the context of the ‘risk of over-identification’, there is a risk that an exceptional temporary measure (restricting travel within Europe based on the health status of a citizen) is no longer exceptional nor temporary: with a European Digital Identity Framework in place and citizens having a corresponding wallet installed, it becomes much easier to issue other, similar, health related certificates and enforce similar health related travel restrictions. It should also be noted that because of this link, the current resistance among a small but vocal fraction of citizens in member states against the mandated use of COVID certificates (not only for cross border travel but also for national restrictions) is already creating significant push back against this proposal for a European Digital Identity Framework.

Main areas of improvement

There are several issues with the current proposal from a civil liberties perspective that deserve attention.

The proposal is too broad

The proposal should focus on core identity related services, and on trust services immediately related to identity. It should specifically not extend its scope to archiving services and electronic ledgers that do not necessarily fit the same regulatory regime as their function is significantly different from identity related services. The risk is that this weakens the protection of civil liberties as such a broader focus necessarily renders any safeguards less specific.

The proposal creates a unique European citizen identifier

As it stands, the proposal creates a unique pan-European citizen identifier (see p10, recital (17), and Art. 11a.2) that (according to Art. 6a.4.(e) combined with Art. 6a.4.(a).(2)) is always present on the wallet and must be available for presentation to relying parties.

This creates significant risks if this unique citizen identifier is not properly secured and access to this unique citizen identifier is not severely restricted to clear, exhaustively listed cases. The proposal should define this exhaustive list. The mechanisms discussed in the next section on the risk of over-identification must be applied to protect this citizen identifier as well.

The risk of ‘over-identification’ and ‘under-representation’

Digital Identity Frameworks, even when based on attributes to improve their privacy properties, create risks of over-identification and under-representation. In particular

  • Given a ubiquitous and easy-to-use identity infrastructure (as envisioned by the proposal), more services may ask for the use of the wallet and the presentation of attributes contained therein (whereas they would have refrained from doing so before, as the benefit might not have been worth the hassle). The end result is that the use of the wallet becomes mandatory in the daily life of a citizen, and that she has to prove certain properties about herself in a context where this is currently deemed unnecessary. Instead of increasing the privacy of citizens, this function creep actually creates more opportunities for tracking and profiling.
  • For the same reason, in the future services will be able to securely verify the personal information people provide in forms, while at the moment citizens can exercise some form of personal discretion in not offering the correct information (like email addresses or phone numbers) when they deem that information irrelevant for the service they are signing up for.
  • This also limits the discretionary space that currently exists to ‘lie’ about certain personal characteristics (like age) to bypass overly restrictive access conditions that should really not apply, like for example Facebook restricting access to people that are over 13 years old because a United States Children’s Online Privacy Protection Rule imposes certain requirements on operators of websites or online services directed to children under 13 years of age.
  • The available range of attributes and their values is determined by the issuers; useful values are further restricted by the access conditions imposed by service providers. This ignores the fact that there is an –often spacious– gray area between extremes, in which many factors play a role in self-interpretation. For instance, if the only option to express gender is to use the attribute ‘female’ or ‘male’, individuals with gender X are limited in their identity-construction.

Now the proposal is somewhat ambivalent on this topic. Recital 29 mentions selective disclosure of attributes as an important mechanism for personal data protection including minimisation of processing of personal data. The introduction has a short paragraph on fundamental rights mentioning that the wallet allows its user to control the amount of data provided to relying parties (i.e. the onus is on the user), and that service providers shall inform Member States of their intention to rely on a European Digital Identity Wallet, which would allow Member States to control that sensitive data sets are only requested by service providers in accordance with national law.

But apart from that the proposal appears to be silent on the topic. On the other hand Recital 28 states:

Where very large online platforms […] require users to authenticate to access online services, those platforms should be mandated to accept the use of European Digital Identity Wallets upon voluntary request of the user. Users should be under no obligation to use the wallet to access private services, but if they wish to do so, large online platforms should accept the European Digital Identity Wallet for this purpose

even creates an obligation for large online platforms to accept the wallet, while at the same time stating that users should not be obliged to use their wallets there. This is naive. Such platforms will nudge their users to use their wallets anyway. This requirement for such large online platforms to accept the European Digital Identity Wallet should be scrapped from Art. 12b.2; in fact the opposite policy — making it illegal for such large online platforms to even use the wallet — should be considered.

The mandatory notification scheme for relying parties wishing to use the wallet, set out in Article 6b, should be strengthened in several ways. It should be made clear that

  • such notification should be submitted to the supervisory body; this notification should clearly describe the purpose for which the use of the wallet is required, and a complete list of identifiers and attributes the relying party wishes to request from the wallet for this purpose,
  • access to the wallet is forbidden until after the supervisory body has agreed to this access,
  • the supervisory body checks whether the requested access and the requested identifiers and attributes are compatible with national and European law,
  • the supervisory body in particular checks whether the requested access and the requested identifiers and attributes are necessary for the provision of the service,
  • access to the wallet is only allowed when all these conditions are met.

Supervisory bodies should be required to regularly check whether the relying party is using its permission to access the wallets of users in accordance with the notification: whether the purpose has not changed, and whether no other attributes or identifiers are being requested in the meantime.

Further technical safeguards should be considered to prevent relying parties from asking for more attributes or identifiers than permitted, by letting the wallet check access certificates (issued by the supervisory body) that clearly specify which attributes a particular relying party is allowed to access.
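The following is an added example, not code from the original post or from any eIDAS implementation, of how the notification scheme described above and the wallet-side check of access certificates could fit together. The supervisory body records the notified purpose and the exhaustive attribute list in an access certificate; the wallet refuses any request that is not covered by an authentic certificate, so a relying party cannot quietly ask for more (the unique citizen identifier included). The certificate format, the relying party name `webshop.example`, the attribute names and the wallet contents are all constructed for the example; a shared HMAC key stands in for the supervisory body’s signature so the block runs without third-party libraries.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed stand-in for the supervisory body's signing key. A real deployment
# would use an asymmetric signature (the wallet holds only the public key);
# HMAC keeps this example dependency-free, the access-control logic is unchanged.
SUPERVISORY_BODY_KEY = b"constructed-demo-key-not-for-real-use"


def _canonical(body: dict) -> bytes:
    """Canonical JSON encoding so issuer and wallet authenticate the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_access_certificate(key: bytes, relying_party: str, purpose: str,
                             allowed_attributes: list[str]) -> dict:
    """Supervisory body side: record the notified purpose and the exhaustive
    list of attributes the relying party may request, and authenticate it."""
    body = {
        "relying_party": relying_party,
        "purpose": purpose,
        "allowed_attributes": sorted(allowed_attributes),
    }
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def certificate_is_authentic(key: bytes, cert: dict) -> bool:
    expected = hmac.new(key, _canonical(cert["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert.get("mac", ""))


@dataclass
class Decision:
    allowed: bool
    reason: str
    disclosed: dict = field(default_factory=dict)


def evaluate_request(key: bytes, cert: dict, request: dict, wallet_attributes: dict) -> Decision:
    """Wallet side: release attributes only when the request is fully covered by
    a valid access certificate. A refusal discloses nothing at all."""
    if not certificate_is_authentic(key, cert):
        return Decision(False, "access certificate not issued by the supervisory body")
    body = cert["body"]
    if request.get("relying_party") != body["relying_party"]:
        return Decision(False, "certificate was issued to a different relying party")
    if request.get("purpose") != body["purpose"]:
        return Decision(False, "purpose differs from the notified purpose")
    requested = set(request.get("attributes", []))
    excess = requested - set(body["allowed_attributes"])
    if excess:
        return Decision(False, f"attributes not covered by the certificate: {sorted(excess)}")
    # Selective disclosure: only the requested, permitted attributes leave the wallet.
    disclosed = {a: wallet_attributes[a] for a in sorted(requested) if a in wallet_attributes}
    return Decision(True, "request matches notification", disclosed)


def demo() -> dict:
    """Run the wallet check against three constructed requests; returns the decisions."""
    wallet = {  # constructed sample wallet contents
        "age_over_18": True,
        "nationality": "NL",
        "citizen_identifier": "EU-CONSTRUCTED-0001",  # must never leave the wallet here
    }
    cert = issue_access_certificate(SUPERVISORY_BODY_KEY, "webshop.example",
                                    "age verification for alcohol sales", ["age_over_18"])
    conforming = {"relying_party": "webshop.example",
                  "purpose": "age verification for alcohol sales",
                  "attributes": ["age_over_18"]}
    # Over-asking: same notified purpose, but the citizen identifier is requested too.
    over_asking = dict(conforming, attributes=["age_over_18", "citizen_identifier"])
    # Forgery: the relying party widens its own certificate without re-notifying.
    forged = {"body": dict(cert["body"], allowed_attributes=["age_over_18", "nationality"]),
              "mac": cert["mac"]}
    return {
        "conforming": evaluate_request(SUPERVISORY_BODY_KEY, cert, conforming, wallet),
        "over_asking": evaluate_request(SUPERVISORY_BODY_KEY, cert, over_asking, wallet),
        "forged": evaluate_request(SUPERVISORY_BODY_KEY, forged,
                                   dict(conforming, attributes=["nationality"]), wallet),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: allowed={d.allowed} disclosed={d.disclosed} ({d.reason})")
```

The refusal path deliberately returns an empty disclosure rather than a partial one: releasing the permitted subset of an over-asking request would still reward the relying party for asking, and it would hide the over-asking from the citizen, who is the one who should notice and be able to report it to the supervisory body.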

The wallet is under-specified

The European Digital Identity Wallet is at the core of the proposal, yet it is not entirely clear what exactly this wallet is. A promotional website accompanying the launch of the proposal envisions the wallet as a digital safe that can contain all kinds of documents and certificates. The website presents the example of getting a bank loan, where the wallet contains all documents necessary to apply for the loan. The proposal itself appears to be slightly more focused, mostly describing how the wallet can be used for identification and attribute attestation purposes. Yet recital 11 of the proposal appears to leave the actual architecture open: both local (where all data is stored in the wallet) and cloud based solutions are envisioned. A local approach has obvious privacy benefits, but this means that the functionality of the wallet should be restricted to offer only basic identification and attribute attestation functionality. Trying to make the wallet a Swiss Army knife that can be used for all identity related use cases will make it overly complex, and thus less reliable, less secure and less trustworthy.

The regulation should be more strict in requiring that the wallet can be used in a completely anonymous, untrackable, form when presenting the electronic attestation of an attribute that itself is not identifying (like a person’s age, for example). For example, Article 6a.4.(d)

provide a mechanism to ensure that the relying party is able to authenticate the user and to receive electronic attestations of attributes;

could perhaps be rephrased and split into two separate items

  • provide a mechanism to ensure that the relying party is able to authenticate the user (when appropriate and allowed by the EDIF authority)
  • provide a mechanism to ensure that the relying party is able to receive electronic attestations of attributes (when appropriate and allowed by the EDIF authority) while ensuring at the same time that the relying party does not receive information in the process that allows the relying party to identify or single out the user (possibly at a later stage).

This also requires Article 6a.5 to be more carefully worded. The current wording seems to suggest that a relying party should verify the wallet every time it interacts with it. A standard mechanism to validate wallets (like a signature or certificate) might leak unique identifiers or allow users to be singled out. It is therefore important to require that such a validation mechanism does not leak information that allows the relying party to identify or single out the user. (Properly implemented remote attestation mechanisms fit this requirement, for example.)

Similarly, Art.6a.7 should be strengthened further to require that ‘the issuer of the European Digital Identity Wallet shall not collect any information about the use of the wallet or the information contained therein’.

Revocation of attributes

According to Art 45c.3, attributes can be revoked, and revocation should be immediate. This is a very strict requirement, and it is not immediately obvious how to square it with the requirement that issuers of attributes cannot receive any information about the use of these attributes. Privacy friendly revocation of attributes is possible, but is not necessarily immediate, so requiring that revocation be immediate may negatively impact privacy. It should therefore be considered to relax this requirement somewhat, and instead require

Where a qualified electronic attestation of attributes has been revoked after initial issuance, it shall lose its validity as soon as possible from the moment of its revocation, and its status shall not in any circumstances be reverted.

The wallet is a single point of failure

As the number of services that require the use of the wallet in order to access or use the service increases, the wallet increasingly becomes a single point of failure. If the wallet stores our electronic identity, our driver’s license, all our login details and is used to approve all our financial transactions, then loss or malfunction of the wallet will have disastrous consequences: you will be locked out of all online services, will be without access to your money, will no longer have a digital identity, and may as a result have significant problems restoring access to your services and getting your identification and attribute attestations restored. This is a particular concern given the fact that Art 10a explicitly allows the validity of a whole batch of wallets to be revoked.

The consequences of such a revocation, and the consequences of a wallet getting lost or malfunctioning, need to be much more carefully considered, and appropriate safeguards need to be specified in the proposal itself. In fact, the proposal seems to focus on the ‘happy flow’ (the normal functionality of the overall identity framework). Although it mentions security breaches and the need to revoke compromised parts, the consequences of such acts appear not to have been thought through.

Points to consider are to specify emergency procedures that would allow citizens to regain access to core services, or perhaps allow backup of all identifiers and attribute attestations stored in one wallet to be restored on another. A sensible approach might be to allow citizens to have several wallets, each containing a subset of their identifiers and attribute attestations. This is similar to how many people travel with several bank or credit cards (stored in different pockets or bags), or the precaution to store a copy of the key to your house at the neighbours. This way, citizens are not forced to store all their eggs in one basket.

Risk of exclusion

There is a significant risk of exclusion given that the current proposal is heavily based on a European Digital Identity Wallet that runs as an app on a smartphone.

The risk of exclusion towards persons with disabilities is at least acknowledged: the wallet shall be made accessible for persons with disabilities (recital 18, art 6a.10). However, it is unclear how, and how well, this will work, especially given the specific and strict privacy and security requirements that govern the use of the wallet. It will already be a challenge to ensure that people without any disabilities notice any signs of identity fraud or privacy infringements when using their wallets, let alone that this is properly ensured for people with disabilities.

However, the proposal entirely ignores the fact that a significant number of people do not own a smartphone, either because of age (younger children, elderly people), because of costs, or out of principle. These people therefore cannot run the wallet and therefore have no access to the proposed identity framework. This should be remedied with a clearly specified alternative system with a similar focus on protecting the fundamental rights of the European citizen.

In particular, the proposal should much more clearly address the risk of excluding the digital ‘illiterate’ (especially, but not limited to, elderly people) that are unable (or feel uncomfortable or uncertain) to use a smartphone based digital identity wallet. These people run a much higher risk of falling victim to identity fraud, or getting their life savings stolen.

Dependence on Google and Apple

The wallet is a crucial component of the whole proposed identity framework. Without it, the whole system collapses. But the wallet is a smartphone app that needs a smartphone to function. The problem is: the European Union does not (really) produce smartphones itself. Almost all smartphones run an operating system offered by either Google (Android) or Apple (iOS). What if Google or Apple decide to kick the wallet from their app stores? What if they change the terms and conditions? What if changes to their platform break a particular wallet and prevent it from running? Given the aim of the commission to increase our digital sovereignty, and the clear aim of the proposal to preempt the growing influence of Google and Apple in the digital identity landscape, we note that the current proposal does not achieve these aims. Reading recital 21, it appears the commission is aware of this issue. The question is whether reliance on the Digital Markets Act alone is enough to mitigate these risks.

Joosten, H.J.M. (Rieks), 2022-02-01

If I look a bit further than just the eIDAS 2 changes, the picture that emerges is that all of this is mainly intended to further streamline electronic transactions. That it all becomes faster, cheaper, ‘cross-border’ etc. is not necessarily wrong. But at the same time this may also mean that fraudulent transactions will become faster, cheaper and ‘cross-border’, such as buying goods on a mafia site.

I would like it if the EU commission or the parliament would consider not only regulating electronic facilities that make electronic transactions easier, but at the same time also arranging that electronic facilities are put in place that prevent fraudulent or otherwise misplaced use, or if that is not possible at least detect it, and that make it just as easy for citizens (and businesses) to use the evidence produced in the process to obtain justice.

Examples/ideas:

  • If a verifier wants to ask you for data, it must indicate in a register (e.g. at the authority, or elsewhere) what kind of data it is going to ask for and for which purpose(s), in such a way that when it actually asks for such data electronically (and must then also state the purpose), the wallet can compare this request with the public register, and report the verifier to the authority if it does not match (which could then build a naming & shaming website on which such (authenticated!) reports could end up). Note that this public register is then also available for public review so that we can do something about actual data minimisation.
  • The wallet should not only have to answer requests for data, but should itself also be able to ask the web server for data. For instance, a citizen who goes to a web shop should be able to have their wallet ask about the legitimacy of the web shop, e.g. a Chamber of Commerce (KvK) credential. The precise ‘policies’/‘questions’ that the citizen could then ask could be created and managed by civic organisations or consumer organisations. That is comparable to a trust mark, but slightly different. This way fraud can be prevented.

What do you think of that?