The eIDAS 2.0 legislation aims to create a harmonized digital identity capability for all EU citizens.
Avast’s views and opinion on the Draft Report on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity. Published by the Committee on Industry, Research and Energy, May 31, 2022. Europe is in the early stages of a transformation in the way people identify themselves online and establish digital trust with other people and organizations. New legislation has been proposed, commonly referred to as “eIDAS 2.0”, to create a harmonized digital identity capability for all EU citizens. The proposed legislation is big on privacy, trust and user control. It seeks to rebalance the digital world more in favor of the individual and less towards mega corporations. If implemented well, this result will be beautiful user experiences for people online, no more tiresome form filling, no more wondering who is seeing your data, and possibly the elimination of usernames and passwords altogether. For organizations, the results could be similarly transformative, reducing friction, reducing costs of verifying who people are or what they are entitled to do, while massively reducing online fraud. The proposed legislation is complex, from a legal and technical perspective. There is the potential for gaps or weaknesses to sneak in unnoticed that could have large negative impacts on privacy and security. Great care needs to be taken to ensure attention is paid to the details within the proposal to avoid introducing problems further down the line. This new approach is currently in the review stage. An important set of revisions has just been published. We are very pleased to see the level of care that has been given to these proposed amendments. This article analyzes some of the most important changes and their likely impacts. Romana Jerković MEP (S&D, Croatia) has published her draft report amending the proposed eIDAS 2.0 regulation for European Digital Identity in the European Parliament’s Committee on Industry, Research and Energy (ITRE). The draft report is very comprehensive, containing 139 proposed amendments to the regulation. The level of detail is impressive, as is the technical understanding demonstrated in the amendments. Members of the European Parliament (MEPs) will now debate the proposal on June 27 before a June 28 deadline for amendments and tentatively scheduled committee vote at the end of October. In this article, we will take you through what we regard as the most important amendments and their implications for EU digital identity wallet providers as well as the overall eIDAS 2.0 ecosystem—and most importantly for European citizens. This article builds on our previous analysis of the proposed eIDAS 2.0 regulation and the European Digital Identity Architecture and Reference Framework. (3b) All Union citizens have the inalienable right to a digital identity that is under their sole control and that enables them to exercise their rights as citizens in the digital environment and to participate in the digital economy. A European digital identity should be legally recognized throughout the Union. The emphasis of “sole control” is very welcome. These two words will have a significant impact on the design of eIDAS 2.0 protocols and wallets. “Legally recognized” is also very important as it lays the groundwork for widespread acceptance of digital identity across the EU. (3c) In the context of this Regulation, natural and legal persons can have a digital identity. The implementing technologies and standards developed in the application of this Regulation could be extended to establish digital identities for connected objects in order to develop a trust layer for the development of Internet of Things. We are very pleased to see this addition. Self-sovereign identity has always been designed for people, organizations and things. With the growth of intelligent cars, connected TVs, and smart meters, knowing you are connecting with the right “thing” is increasingly important. If implemented correctly, the same technology used for the European Digital Identity (EUDI) wallet can be used for organizations and things just as it can for people. (4) …allowing citizens, other residents as defined by national law and businesses to identify and to authenticate online and offline in a convenient and uniform way across the Union. The words “and offline” have been added. This has significant implications for the underlying technology design of the EUDI wallet. Entirely offline transactions will imply compromises, for example making real-time checks of revocation status difficult. Offline use is a good thing, but there will be compromises that will need to be accepted. (5) Harmonized digital identity framework has the potential to significantly reduce operational costs linked to identification procedures, for example during the on-boarding of new customers, and to reduce expenditures or damages related to cybercrimes, such as data theft and online fraud, to support innovation and competitiveness, and to promote digital transformation of the Union’s small and medium sized enterprises (SMEs). (5a) A fully harmonized digital identity framework can enable economic value creation for individuals and businesses by fostering increased inclusion, which provides greater access to goods and services, by increasing formalization, which helps reduce fraud, protects rights, and increases transparency, by reducing operational costs, which supports innovation and competitiveness, and by promoting digitization, which drives efficiencies and ease of use It’s really good to see these new sections. There is not enough emphasis on the economic incentives for the adoption of eIDAS 2.0 within the documents published so far. These additions are the start of recognizing that gap. There’s still a long way to go to “sell” eIDAS 2.0 to the high-volume, large scale business owners and to SMEs in the private sector. It is these organizations, and the propensity of their customers to use eIDAS 2.0, that will inevitably determine the success or failure of eIDAS 2.0. We recommend that the Commission increase the focus in the area of economic incentives for all participants in the eIDAS 2.0 ecosystem. (6b) Zero Knowledge Proof (ZKP) allows verification of a claim without revealing the data that proves it, based on cryptographic algorithms. The European Digital Identity Wallet should allow for verification of claims inferred from personal data identification or attestation of attributes without having to provide the source data, to preserve the privacy of the user of the European Digital Identity Wallet, while presenting a proof with legal effect… (31 point 5a) ‘zero knowledge proof’ means any cryptographic method by which a relying party can validate that a given statement based on the electronic attestation of attributes held in the user’s European Digital Identity Wallet is true, without conveying any data related to those electronic attestation of attributes to the relying party; It is extremely encouraging to see the inclusion of zero knowledge proof (ZKP) functionality within this document. In some quarters, ZKPs are seen as “exotic”, but in reality they are based on very well-proven cryptography. Use of ZKPs will be a major benefit for the EUDI wallet and will enable new types of transactions that avoid over-collection of data. (9) …European Digital Identity Wallets should benefit from the potential offered by tamper-proof solutions such as secure elements and state of the art encryption… There has been reported reluctance from some of those in the Member State group defining the EUDI wallet specification to utilize the encryption methods, including technology such as zero knowledge proofs and link secrets. Some have voiced a desire to stick with older techniques. This addition opens the door to newer capabilities which in turn will enable new and innovative ways of handling data and securing connectivity. (11) …Biometric data used for the purpose to identify and authenticate a natural person in the context of this Regulation should not be stored in the cloud. And Storing information from the European Digital Identity Wallet in the cloud should be an optional feature only active after the user has given explicit consent. Where the European Digital Identity Wallet is provided on the smartphone of the user its cryptographic material should be, when available, stored in the secure elements of the device. A small but very important addition. There are several different ways to architect an EUDI wallet. An “edge” wallet with all data, keys, and biometrics held on the device (e.g., mobile phone). A “hybrid” wallet where some data (e.g., a master key) is on device and other data is held in cloud storage. And a full “cloud” wallet where the device is just a conduit to the data, keys, etc. that are all stored in some cloud storage. This addition indicates that a full cloud wallet will not be permissible where any biometrics are utilized. Seeing as biometric data is likely to be a “recommended additional optional attribute” of the PID (Personal Identification Data) in the form of a digitized photograph (except in some jurisdictions like Germany), it implies that wallets will need to be primarily “edge” by default, and “hybrid” if explicitly requested by the user. The use of digitized facial portraits in the form of “templates” will likely bring great value to many of the main use cases as described by the commission, including travel and in-person identification. (21a) This Regulation seeks to facilitate creation, choice and switching between different European Digital Identity Wallets. In order to avoid lock-in effects, the issuers of the European Digital Identity Wallets should at the request of the user of the Wallet, provide for effective portability of data, including provisions of continuous and real-time access to services, and not be allowed to use contractual, economic or technical barriers to prevent or to discourage effective switching between different European Digital Identity Wallets. Avast is very encouraged by this text. Data portability and avoidance of proprietary wallet gardens is vital for the success of eIDAS 2.0. This is also extremely significant from the viewpoint of existing inbuilt operating-system level wallets provided by Apple and Google. Currently it is not possible for you to move your Apple Wallet contents into your Google Wallet or vice versa. Artificial barriers have been put in place to lock users into a particular ecosystem. If Apple and Google want to participate in eIDAS 2.0, they will have to open up their ecosystems to allow portability and interoperability. (30a) Authentic sources that are users of a European Digital Identity Wallets should be able to issue non-qualified electronic attestation of attributes directly using the European Digital Identity Wallets. …they provide the potential for many use cases (e.g. fidelity credentials, club membership credentials, coupon credentials, etc.) providing for the necessary flexibility and anticipating future evolution of the framework, including increasing the overall usability of the framework for the users of the European Digital Identity Wallets. It is excellent to see this addition. In our previous analysis of the proposed regulations, we have pointed out how important it is for non-government bodies to be able to issue attestations into EUDI wallets. This is the flexibility that is required to make eIDAS 2.0 a success. Enabling any organization to easily issue any attestation for any purpose is likely to trigger a new wave of innovation across the private sector, and ensure whole ecosystems can benefit from eIDAS 2.0. Without prejudice to the legal effect given to pseudonyms and self-sovereign identities under national law, their use in electronic transactions shall not be prohibited. It’s good to see the explicit use of the term self-sovereign identity (SSI) being added. There has been a lot of confusion about what SSI is, with some commentators believing that it means that people make up their own identities which is a major misreading of the term. SSI will result in a rebalancing of the power in digital relationships, enabling people to gain control over the use and management of their own data. (aa) [EUDI wallets shall enable the user to] securely authenticate, identify, receive and exchange electronic attestations of attributes directly from other European Digital Identity Wallets; This new addition indicates that person-to-person proving is now in scope. In most digital credential implementations to date, a person is proving something about themselves to an organization. With this addition, EUDI wallet functionality will need to include the ability for one wallet holder to request data from another, and to then verify the authenticity of that data. This is an important consideration for wallet providers to take into account as they design their wallets. Existing text in the proposed regulation and Architecture Reference Framework includes a requirement that verifiers register with their Member State and confirm what data they will be asking for and why. If every wallet holder is allowed to ask for and verify data from any other wallet holder, that means that every wallet holder will be a verifier - will they need to register as a verifier with their Member State? And will they only be allowed to ask for certain data, or will they be able to create free-form data requests for their specific need? There is some further detail in Amendment 75 but the situation remains far from clear. The user interface for this functionality will also need careful consideration - how will a user be informed that the person asking for their data is legitimate? How will a person be able to see that the data they have received is authentic. (ab) [EUDI wallets shall enable the user to] easily report to the competent national authority where a relying party is established if an unlawful or inappropriate request of data is received; Another interesting new addition. How will a user know that an unlawful or inappropriate request has been received? Who and what determined this? It implies that EUDI wallets will need some rather sophisticated process to enable them to determine legal correctness for requests from possibly millions of verifiers across the EU and beyond. These verifiers will exist in different countries with different legal regulations. This small addition triggers a highly complex new ecosystem of trust registries that will need to be analyzed in milliseconds as transactions take place in real time. This amendment implies that eIDAS could be extended to include organizational digital identity, which would be a very interesting opportunity. Organizations need identity as much as people do, and such a facility would enable organizations to prove that they are allowed to ask for certain data and that they are approved verifiers under the eIDAS 2.0 scheme. This will create a whole new set of challenges for wallet providers to tackle. (ae) [EUDI wallets shall enable the user to] transfer own electronic attestation of attributes and configurations to another European Digital Identity Wallet belonging to the same user. This reinforces the portability requirement added in Amendment 21a mentioned above. Portability of data across wallets, and possibly the real-time synchronization between wallets belonging to the same user but on different devices, will pose some unique challenges for wallet developers. Existing ecosystems such as those provided by Google and Apple enable cross-device real-time synchronization but that comes with lock-in to their ecosystems. It will be uniquely challenging for cross-ecosystem portability to be enabled for EUDI wallets, but also highly empowering to the end-user. Removal of this text from the original proposal: (b) ensure that trust service providers of qualified attestations of attributes cannot receive any information about the use of these attributes; Ensuring that issuers of attestations cannot trace where they are being used is very important. Currently a person can use their physical passport anywhere they want, to prove their age, name or nationality in non-international travel situations, and the recipients do not “report back” to the person’s passport office that they have received that data. Why should it be different because the data is digital? It should not be possible for attestation issuers to track where people use those attestations. Thankfully, this clause is reinstated lower down in the revision (b) for issuers of the electronic attestation of attributes it shall be technologically impossible to receive any information about the use of these attributes and about the use of the European Digital Identity Wallet; This implies that online use of certain protocols such as ISO 18013-5 (used for mobile driving licenses) will need to be carefully considered as these protocols can involve the verifier directly contacting the issuer to retrieve the data of a person, enabling the issuer to see where and when the person is using their data. 1. Where European Digital Identity Wallets…are breached or partly compromised in a manner that affects their reliability and the confidentiality, integrity or availability of user data, or the reliability of other European Digital Identity Wallets, the issuer of the compromised European Digital Identity Wallet shall, without delay, suspend the issuance and revoke the validity of the European Digital Identity Wallet and inform single point of contact pursuant to Article 46a and the affected users. There is nothing significantly new in this amendment. We have highlighted it because it refers to wallet revocation. Revocation of a wallet needs to be very carefully considered because that wallet may contain a large number of varied attestations from many different sources, both “qualified” and “unqualified”. It could contain the equivalent of a person’s digital life. Loss of it due to revocation would be equivalent to one’s filing cabinet and physical wallet catastrophically catching fire and burning down. Having a person’s EUDI wallet suddenly revoked without notice or ability to instantiate a new one containing the same data would be equivalent to erasing that person’s digital existence. There needs to be substantial thought on this topic of wallet revocation, the consequences of inadvertent or malicious wallet revocation, and the user experience in the event of revocation. Further reading:Introduction
Proposed amendments
Addition 3b
Addition 3c
Amendment 4
Amendment 5 & 5a
Addition 6b & Amendment 31
Addition 9
Addition 11
Addition 21a
Addition 30a
Amendment 37
Amendment 42
Amendment 42
Amendment 42 & 52
Amendment 56 & 70
Amendment 87
The impact of self-sovereign identity on the cybersecurity world
SSI and FIDO2: Different approaches for a passwordless world