This long-running ‘game’ is an attempt to achieve digital sovereignty, so that the EU does not fall into debt to foreign-owned tech giants. And an autonomously operated “own brand” of European digital identity certainly aligns with this strategic objective.
The EU already has a regulation on electronic authentication systems (eIDAS), which came into force in 2014, but the Commission’s intention with the electronic identity proposal is to expand this by addressing some of its limitations and inadequacies (such as low acceptance and lack of mobile support).
In its most recent and ambitious digital policy announcement, the European Union proposed the creation of a framework for a “trusted and secure European e-ID” (also known as digital identity). It said today that it wants this to be available to all citizens, residents and companies, to facilitate the use of a national digital identity to prove who they are, so that the public can access sectoral or commercial services regardless of their location in the bloc.
It is also desired that the e-ID framework incorporate digital wallets – meaning that the user will be able to choose to download a wallet app to a mobile device where they can selectively store and share electronic documents they may need for a specific identity verification transaction, such as when opening a bank account or applying for a loan. Other functions (such as electronic signature) must also be supported by these e-ID digital wallets.
Other examples the Commission gives, and where it sees a harmonized e-ID being useful, include renting a car or checking into a hotel. EU lawmakers also suggest full interoperability for authenticating national digital IDs could be useful for citizens who need to file a local tax return or enroll in a regional university.
Some Member States already offer national electronic IDs, but there is a problem of interoperability across borders, according to the Commission, which today noted that only 14% of leading public service providers in all member states allow cross-border authentication with an electronic identity system, although such authentication is also said to be on the increase.
A universally accepted ‘e-ID’ could – in theory – help to boost digital activity across the EU territory market, making it easier for Europeans to verify their identity and access commercial services or public services when traveling or living outside their home market.
EU lawmakers also seem to believe there is an opportunity to “own” a strategic piece of this digital puzzle, if they can create a unifying framework for all European national digital IDs – offering consumers not just a more convenient alternative to carrying a physical version of their national identity (at least in some situations) and/or other documents they may need to show when signing up to access specific services, but what commissioners bill today as a “European choice” – that is, a choice against commercial digital identification systems that may not offer the same high-level promise of a “trusted and secure” ID system that allows the user to fully control who sees which bits of their data.
Of course, several tech giants already offer users the ability to log into third-party digital services using the same credentials they use to access the giant’s own service. But in most cases, this means the user is opening a new channel for their personal data to flow back to the data-mining platform giant that controls the credential, allowing Facebook (etc) to add more detail to what it knows about the user’s internet activity.
“The new European digital ID cards will allow all Europeans to access online services without having to use private identification methods or needlessly share personal data. With this solution they will have full control of the data they share”, is the Commission’s alternative vision for the proposed electronic identity structure.
It is also suggested that the system could create substantial advantages for European companies – supporting them to offer “a wide range of new services” on the back of the associated promise of a “safe and reliable identification service”. And increasing public trust in digital services is a key element of how the Commission approaches digital policy-making – arguing that it is an essential lever for increasing the acceptance of online services. However, calling this e-ID scheme “ambitious” is a polite way of describing how viable it appears to be.
Besides the complicated issue of adoption (i.e. A) getting Europeans to know about the electronic identity, B) getting them to actually use it, C) getting enough platforms to support it, and D) putting conditions on suppliers to create the wallets necessary for the intended functionality to expand and be as robust and secure as promised), lawmakers also – presumably – need to E) convince and/or force web browsers to integrate the e-ID so that it can be accessed in a simplified way.
The alternative (not being embedded in browser UIs) would certainly make the other adoption steps more complicated. The Commission’s press release is quite limited in such details, though – saying only that: “Many of the great platforms will be required to accept the use of European digital identity cards upon user request.”
However, an entire part of the proposal is devoted to the discussion of “Qualified Certificates for Site Authentication” – a trust service provision that also expands on the approach taken in eIDAS, and which the Commission wants the electronic identity to incorporate in order to further increase user confidence by offering a certified guarantee of who is behind a site (although the proposal says it will be voluntary for sites to obtain certification).
The result of this component of the proposal is that web browsers would need to support and display these certificates in order for the predicted trust to flow – which adds up to a lot of nuanced web infrastructure work that would need to be done by third parties to interoperate with this EU requirement. (Work about which browser makers already appear to have expressed serious doubts.) “This regulation may force web browsers to accept additional types of ‘certificates of trust,’” said security and privacy researcher Dr. Lukasz Olejnik, discussing the Commission proposal with TechCrunch.
“This comes with a requirement for web browsers to honor these certificates and change the browser’s user interfaces to display this in some way. It is doubtful whether such a thing actually improves confidence. If this was a mechanism to combat ‘false news-fake news’, it would be complicated. On the other hand, we have additional precedent here when web browser vendors are required to change their security and privacy models.”
Another big question mark raised by the Commission’s electronic identity plan is how exactly the planned certified digital ID cards would store – and, more importantly, protect – user data. That remains to be determined at this nascent stage.
There is discussion in the regulation’s recitals, for example, of Member States being encouraged to “jointly establish sandboxes to test innovative solutions in a controlled and secure environment, in particular to improve the functionality, personal data protection, security and interoperability of the solutions, and inform future updates of technical references and legal requirements”.
And it appears that a number of approaches are being considered, with point 11 discussing the use of biometric authentication to access digital wallets (while noting potential rights risks as well as the need to ensure adequate security). European digital identity cards must ensure the highest level of security for personal data used for authentication, regardless of whether such data is stored locally or in cloud-based solutions, taking into account different levels of risk.
Using biometrics to authenticate is one of the identification methods that provide a high level of trust, in particular when used in combination with other authentication elements. Since biometrics represents a unique characteristic of a person, the use of biometrics requires organizational and security measures, proportional to the risk that such processing may entail to the rights and freedoms of individuals and in accordance with Regulation 2016/679.
In short, underlying the Commission’s big idea of a unifying European e-ID is a complex mass of requirements needed to fulfill the vision of a secure and reliable European digital ID that is not simply ignored and left unused by the majority of web users – some of them highly technical, and others (such as achieving widespread adoption) no less challenging.
The impediments to success here certainly seem daunting. However, lawmakers are moving forward, arguing that the pandemic-driven acceleration in the adoption of digital services has shown the pressing need to address the shortcomings of eIDAS – and meet the goal of “efficiency and easy-to-use digital services across the EU”. In conjunction with today’s regulatory proposal, a recommendation was issued, calling on Member States to “establish a common toolbox by September 2022 and to start the necessary preparatory work immediately” – with a goal to publish the agreed toolbox in October 2022 and start pilot projects (based on the agreed technical framework) some time later.
“This toolbox should include the technical architecture, standards and guidelines for best practices,” adds the Commission, omitting the big questions still open. Still, the timeline set for mass adoption – about a decade – does a better job of illustrating the scale of the challenge, with the Commission writing that it wants 80% of citizens to use an eID solution by 2030.