The European Digital Identity: our fight for a private digital wallet and a secure web

The European Digital Identity is a proposal that will allow EU citizens, residents and businesses to identify themselves, access digital services and digitally sign documents through a Digital ID and store and share “attributes” such as personal information, diplomas and licenses safely and easily using a Digital Wallet. It will provide inter-operability across the union; with signatures and attributes recognised in all member states, making it easier to work, study and travel around the Union.

An explainer of the European Digital Identity, with the example of applying for a loan.
The Commission’s proposal could make tasks like getting a loan, applying to study at a university at home or abroad, or renting a house much easier.

But the proposal is also plagued with problematic ideas: with so much personal data in play, there are insufficient safeguards for user privacy, and to make matters worse, the proposal also includes changes to the Commission’s existing rules on QWACs — a special type of web security certificate — that could allow governments to spy on citizens.

As Shadow Rapporteur in the JURI committee, I worked hard to address these issues. Today our committee voted on the final version of our report on the file. The result is a set of changes that would significantly improve the privacy and security of the wallet for end users, and that protects privacy online.

The European Digital Identity: A Problem for Privacy?

Private wallet services such as Google Wallet make use of our data to track us for commercial purposes. I believe a not-for-profit, privacy-first wallet could be a very good thing, but the EU’s proposal is deeply flawed and doesn’t meet those goals.

One of our key concerns was the intent of the Commission to have the wallet adopted as widely as possible. While I do believe a not-for-profit privacy-first wallet system would be an excellent thing, I are concerned that Big Tech may take advantage of this system to force citizens to hand over data, or that worse still, governments might force citizens to use their wallet to sign up in a way that would impact their right to privacy. Finally, the Commission wanted to introduce a single unique and persistent identifier for each citizen, a move that would enable tracing across the EU.

To solve this, the JURI committee drastically rethought the proposal, banning platforms and authorities from forcing citizens to use the wallet or discriminating against users who don’t, and guaranteeing the right to use pseudonyms anywhere where their identity is not mandated by law. We also removed the single and persistent identifier, and replaced it by a system that prevents tracking, puts the user in control, and is used only in exceptional cross-border cases.

Finally, we made sure users have access to a simple dashboard that allows them to share information from their wallet, see with whom they have shared that information, and retract sharing at any time, because we feel that citizens must remain in control of their data, even when they share it, in line with the GDPR.

Accessible and Open for All

The Source Code of Estonia’s digital ID system, one of the best in the world, is publicly available for everyone to audit, modify, improve and reuse.

If we want the wallet to be a success, it has to be accessible for everyone, but unfortunately, the Commission’s proposal was lacking clarity on accessibility for people with disabilities, and contained limitations that may have prevented citizens with older mobile devices, or using alternative operating systems from using the wallet. In addition, there were no stipulations that the wallet should be open source. I believe that software developed with public money should be open source, and that we can’t expect citizens to trust a closed-source wallet.

Our changes ensure wallets developed with public money must be open source, and the wallet must be made available on a wide range of platforms. We also strengthened the accessibility of the wallet for people with disabilities, and specified rules for people under legal guardianship.

Keeping the Internet Private & Secure

Finally, the Commission’s proposal puts at risk encryption on the internet, by making changes to the security architecture of our web browsers.

Firstly, it would force browsers to display QWACs, an expensive, outdated and insecure way of proving that a website belongs to a particular person or organisation. This, just a few years after all major browsers decided to stopped showing QWACs because they are insecure.

Pictured: The front browser window is the real Stripe website, behind it is a fake site, but until recently, Safari displayed both the same way. The Commission wants to bring back this misleading system.

Secondly, it would damage the system used to verify security of connections: browsers have a special list of Certificate Authorities, who are trusted organisations who help check that your connection to a website is secure and hasn’t been intercepted or redirected. Because this job is so important, Browsers have very strict rules over who gets to be in this list, but the Commission’s proposal would have let member states decide who gets to control the list. This would allow member states to create their own Authority and use it to spy on citizens, with no easy way for citizens to detect it.

We sent a strong message to the Commission and other European Parliament Committees by deleting these proposed changes from the text.

What Now?

Our proposals have cleared the first hurdle: they are now the official position of the JURI committee. But there is lots more to do in the lead committee where the final decision will be made. I will continue to fight tooth and nail for a private digital wallet and a secure web for all Europeans!

Kategori:

Leave a Comment