In its latest ambitious digital policy announcement, the European Union has proposed creating a framework for a “trusted and secure European e-ID” (aka digital identity) — which it said today it wants to be available to all citizens, residents and businesses to make it easer to use a national digital identity to prove who they are in order to access public sector or commercial services regardless of where they are in the bloc.
The EU does already have a regulation on electronic authentication systems (eIDAS), which entered into force in 2014, but the commission’s intention with the e-ID proposal is to expand on that by addressing some of its limitations and inadequacies (such as poor uptake and a lack of mobile support).
It also wants the e-ID framework to incorporate digital wallets — meaning the user will be able to choose to download a wallet app to a mobile device where they can store and selectively share electronic documents that might be needed for a specific identity verification transaction, such as when opening a bank account or applying for a loan. Other functions (like e-signing) are also envisaged being supported by these e-ID digital wallets.
Other examples the commission gives where it sees a harmonized e-ID coming in handy include renting a car or checking into a hotel. EU lawmakers also suggest full interoperability for authentication of national digital IDs could be helpful for citizens needing to submit a local tax declaration or enrolling in a regional university.
Some member states do already offer national electronic IDs but there’s a problem with interoperability across borders, per the commission, which noted today that just 14% of key public service providers across all member states allow cross-border authentication with an e-Identity system, though it also said cross-border authentications are rising.
A universally accepted “e-ID” could — in theory — help grease digital activity throughout the EU’s single market by making it easier for Europeans to verify their identity and access commercial or publicly provided services when travelling or living outside their home market.
EU lawmakers also seem to believe there’s an opportunity to “own” a strategic piece of the digital puzzle here, if they can create a unifying framework for all European national digital IDs — offering consumers not just a more convenient alternative to carrying around a physical version of their national ID (at least in some situations), and/or other documents they might need to show when applying to access specific services, but what commissioners billed today as a “European choice” — i.e., versus commercial digital ID systems that may not offer the same high-level pledge of a “trusted and secure” ID system that lets the user entirely control who gets to sees which bits of their data.
A number of tech giants do of course already offer users the ability to sign in to third-party digital services using the same credentials to access their own service. But in most cases doing so means the user is opening a fresh conduit for their personal data to flow back to the data-mining platform giant that controls the credential, letting Facebook (etc.) further flesh out what it knows about that user’s internet activity.
“The new European Digital Identity Wallets will enable all Europeans to access services online without having to use private identification methods or unnecessarily sharing personal data. With this solution they will have full control of the data they share,” is the commission alternative vision for the proposed e-ID framework.
It also suggests the system could create substantial upside for European businesses — by supporting them in offering “a wide range of new services” atop the associated pledge of a “secure and trusted identification service.” And driving public trust in digital services is a key plank of how the commission approaches digital policymaking — arguing that it’s a essential lever to grow uptake of online services.
However to say this e-ID scheme is “ambitious” is a polite word for how viable it looks.
Aside from the tricky issue of adoption (i.e., actually getting Europeans to (A) know about e-ID, and (B) actually use it, by also (C) getting enough platforms to support it, as well as (D) getting providers on board to create the necessary wallets for envisaged functionality to pan out and be as robustly secure as promised), they’ll also — presumably — need to (E) convince and/or compel web browsers to integrate e-ID so it can be accessed in a streamlined way).
The alternative (not being baked into browsers’ UIs) would surely make the other adoption steps trickier.
The commission’s press release is fairly thin on such detail, though — saying only that: “Very large platforms will be required to accept the use of European Digital Identity wallets upon request of the user.”
Nonetheless, a whole chunk of the proposal is given over to discussion of “Qualified certificates for website authentication” — a trusted services provision, also expanding on the approach taken in eIDAS, which the commission is keen for e-ID to incorporate in order to further boost user trust by offering a certified guarantee of who’s behind a website (although the proposal says it will be voluntary for websites to get certified).
The upshot of this component of the proposal is that web browsers would need to support and display these certificates, in order for the envisaged trust to flow — which sums to a whole lot of highly nuanced web infrastructure work needed to be done by third parties to interoperate with this EU requirement. (Work that browser makers already seem to have expressed serious misgivings about.)
“This regulation may force web browsers to accept additional types of ‘trust certificates,’” said security and privacy researcher, Dr. Lukasz Olejnik, discussing the commission’s proposal with TechCrunch.
“This comes with a requirement for web browsers to honor such certificates and change the web browser user interfaces to display this in some way. It is doubtful that such a thing actually improves trust. If this was a mechanism to fight ‘fake news’ it would be a cumbersome one. On the other hand we have an additional precedent here when web browser vendors are required to amend their security and privacy models.”
Web browsers will be forced/compelled to accept authentication certificates. This is to guarantee the proof of the website operator identity. What standards should be used here? Will web browsers implement it? pic.twitter.com/sygngNHyQW
— Lukasz Olejnik (@lukOlejnik) June 3, 2021
Another big question mark thrown up by the commission’s e-ID plan is how exactly the envisaged certified digital identity wallets would store — and most importantly safeguard — user data. That very much remains to be determined, at this nascent stage.
There’s discussion in the regulation’s recitals, for example, of member states being encouraged to “set up jointly sandboxes to test innovative solutions in a controlled and secure environment in particular to improve the functionality, protection of personal data, security and interoperability of the solutions and to inform future updates of technical references and legal requirements.”
And it seems that a range of approaches are being entertained, with recital 11 discussing using biometric authentication for accessing digital wallets (while also noting potential rights risks as well as the need to ensure adequate security):
European Digital Identity Wallets should ensure the highest level of security for the personal data used for authentication irrespective of whether such data is stored locally or on cloud-based solutions, taking into account the different levels of risk. Using biometrics to authenticate is one of the identifications methods providing a high level of confidence, in particular when used in combination with other elements of authentication. Since biometrics represents a unique characteristic of a person, the use of biometrics requires organisational and security measures, commensurate to the risk that such processing may entail to the rights and freedoms of natural persons and in accordance with Regulation 2016/679.
In short, it’s clear that underlying the commission’s big, huge idea of a unified (and unifying) European e-ID is a complex mass of requirements needed to deliver on the vision of a secure and trusted European digital ID that doesn’t just languish ignored and unused by most web users — some highly technical requirements, others (such as achieving the sought for widespread adoption) no less challenging.
The impediments to success here certainly look daunting.
Nonetheless, lawmakers are ploughing ahead, arguing that the pandemic’s acceleration of digital service adoption has shown the pressing need to address eIDAS’ shortcomings — and deliver on the goal of “effective and user-friendly digital services across the EU.”
Alongside today’s regulatory proposal they’ve put out a recommendation, inviting member states to “establish a common toolbox by September 2022 and to start the necessary preparatory work immediately” — with a goal of publishing the agreed toolbox in October 2022 and starting pilot projects (based on the agreed technical framework) sometime thereafter.
“This toolbox should include the technical architecture, standards and guidelines for best practices,” the commission adds, eliding the large cans of worms being firmly cracked open.
Still, its penciled-in timeframe for mass adoption — of around a decade — does a better job of illustrating the scale of the challenge, with the commission writing that it wants 80% of citizens to be using an e-ID solution by 2030.
The even longer game the bloc is playing is to try to achieve digital sovereignty so it’s not beholden to foreign-owned tech giants. And an “own brand,” autonomously operated European digital identity does certainly align with that strategic goal.
This report was updated with additional comment.
Understanding Europe’s big push to rewrite the digital rulebook
Europe lays out plan for risk-based AI rules to boost trust and uptake
Europe sets out the rules of the road for its data reuse plan
Comment