Date: 2021-06-04

In its latest ambitious digital policy announcement, the European Union has proposed creating a framework for a “trusted and secure European e-ID” (aka digital identity), which it said today it wants to be available to all citizens, residents and businesses, making it easier for them to use a national digital identity to prove who they are in order to access public sector or commercial services no matter where they are in the bloc.

The EU already has a regulation on electronic identification and trust services (eIDAS), which entered into force in 2014, but the Commission’s aim with the e-ID proposal is to expand it by addressing some of its limitations and inadequacies (such as weak uptake and a lack of mobile support).

The Commission also wants the e-ID framework to include digital wallets – meaning that the user will be able to choose to download a wallet app to a mobile device where they can store and selectively share electronic documents that may be needed for a specific authentication transaction, such as when opening a bank account or applying for a loan. Other features (like electronic signatures) are also expected to be supported by these e-ID digital wallets.

Other examples the Commission gives of where it sees a harmonized e-ID as useful include renting a car or registering at a hotel. EU lawmakers also suggest that full interoperability for verifying national digital IDs may be helpful for citizens who need to file a local tax return or enroll in a regional university.

Some Member States already offer national electronic IDs, but there is a problem with cross-border interoperability, according to the Commission, which noted today that only 14% of leading public service providers in all Member States allow cross-border authentication with an e-Identity system, though it also said cross-border certifications are on the rise.

A globally accepted ‘e-ID’ could – in theory – help boost digital activity across the EU single market by making it easier for Europeans to verify their identity and access commercial or publicly offered services when traveling or living outside their home market.

EU lawmakers also seem to believe there is an opportunity to “master” a strategic part of the digital puzzle here, if they can create a unifying framework for all European national digital IDs – by offering consumers not only a more appropriate alternative to carrying a physical version of their national identity card (at least in some situations), and/or other documents they may need to show when applying for access to specific services, but also what the commissioners billed today as a “European election” – that is, as opposed to commercial digital identity systems that may not deliver the same high-level promise of a “trusted and secure” ID system that allows the user to have complete control over who can see which parts of their data.

A number of tech giants certainly already offer users the ability to log in to third-party digital services using the same credentials they use to access the giant’s own service. But in most cases doing so means that the user is opening up a new channel for their personal data to flow back to the data-mining platform giant that checks the credentials, letting Facebook (etc.) further build out what it knows about that user’s internet activity.

“The new European Digital Identity wallets will enable all Europeans to access online services without having to use private identification methods or exchanging unnecessary personal data. With this solution they will have full control of the data they share,” is the Commission’s alternative vision for the proposed e-ID framework.

The Commission also suggests that the system could create significant upside for European businesses – by supporting them in providing “a wide range of new services” on top of the promise of a “secure and reliable identification service”. And fostering public confidence in digital services is a cornerstone of how the Commission approaches digital policy-making – arguing that it is an essential lever to increase access to online services.

However, to call this electronic ID scheme ‘ambitious’ is to use what seems a polite word.

In addition to the complex issue of adoption (i.e. actually getting Europeans to A) know about e-ID, and B) actually use it, as well as C) getting enough platforms to support it, and D) getting providers on board to create the wallets needed for the envisaged functionality to be as secure as promised), lawmakers must also – presumably – convince and/or force web browsers to integrate e-ID so that it can be accessed in an efficient manner.

The alternative (not being built into the browser UI) would certainly make the other adoption steps more complicated.

The Commission’s press release is rather thin on such details, though – saying only: “Very large platforms will be required to accept the use of European digital identity wallets at the request of the user.”

However, a whole portion of the proposal is devoted to the discussion of “Qualified Certificates for Website Verification” – a trust services provision, also extending eIDAS, which the Commission wishes to include in e-ID as a way to further boost user confidence by offering a certified guarantee of who is behind a website (although the proposal says it would be voluntary for websites to be certified).

The result of this component of the proposal is that web browsers will need to support and display these certifications in order for the anticipated trust to flow – which adds up to a great deal of nuanced web infrastructure work that third parties will need to do to interoperate with this EU requirement. (Work about which browser makers already seem to have expressed serious doubts.)

“Web browsers will be forced to accept certificates of authentication. This is to guarantee the identity of the website operator. What standards should be used here? Will web browsers implement it?” – Lukasz Olejnik (@lukOlejnik), June 3, 2021

Another big question mark raised by the Commission’s e-ID plan is how exactly the envisaged certified digital identity wallets will store – and, most importantly, protect – user data. This remains to be determined at this nascent stage.

There is discussion in the recitals of the regulation, for example, of Member States being encouraged to “put together sandboxes to test innovative solutions in a controlled and secure environment especially to improve functionality, personal data protection, security and interoperability of solutions and to inform future updates of technical references and legal requirements”.

And it seems that a range of approaches is being entertained, with recital 11 discussing the use of biometric authentication to access digital wallets (also noting the potential rights risks, as well as the need to ensure adequate security):

European Digital Identity wallets must ensure the highest level of security for the personal data used for authentication, regardless of whether this data is stored locally or in cloud-based solutions, taking into account different levels of risk. Using biometrics to authenticate is one of the identification methods that ensures a high level of trust, especially when used in combination with other elements of authentication. Since biometrics represent a unique characteristic of a person, the use of biometrics requires organizational and security measures, in proportion to the risk that such processing may entail for the rights and freedoms of natural persons and in accordance with Regulation 2016/679.

In short, it is clear that at the core of the Commission’s big, big idea for a unified (and unifying) European e-ID is a complex set of requirements needed to deliver the vision of a secure and trusted European digital ID that does not simply languish ignored and unused by most internet users – some of them very technical requirements, others (such as achieving the goal of wide adoption) no less challenging.

The obstacles to success here certainly look scary.

However, lawmakers are pushing forward, arguing that the pandemic’s acceleration of digital service adoption has shown the urgent need to address the shortcomings of eIDAS – and meet the goal of “effective and user-friendly digital services across the EU”.

In addition to today’s regulatory proposal, they have issued a Recommendation inviting Member States to “set up a joint toolbox by September 2022 and immediately start the necessary preparatory work” – with a view to publishing the agreed toolbox in October 2022 and starting pilot projects (based on the agreed technical framework) shortly thereafter.

“This toolbox should include technical architecture, standards and best practice guidelines,” the Commission added, glossing over the large can of worms being firmly cracked open.

Still, the penciled-in time frame for mass adoption – of about a decade – does a better job of illustrating the scale of the challenge, with the Commission writing that it wants 80% of citizens to use an e-ID solution by 2030.

The even longer game the bloc is playing is trying to achieve digital sovereignty, so that it is not beholden to foreign-owned tech giants. And an ‘own brand’, autonomously operated European digital identity certainly aligns with that strategic goal.