
Communications of the ACM

ACM News

Europeans Wary of New Digital Identity

A European Digital Identity, in the vision of the European Commission, would provide every EU citizen with a digital wallet ID that can perform selective disclosure on many more attributes.

Credit: Electronic IDentification (Spain)

Europeans now need a digital QR code verifying their coronavirus immunization status in order to cross borders. Critics say the new European Digital Identity (EDI) framework tries to capitalize on that requirement to strangle the privacy of its citizens; others say the EDI could actually benefit privacy, if done right.

To buy alcohol in the European Union (EU), you need to prove that you are at least 18 years old, typically by handing a photo identification card to the cashier. But why should the cashier be able to read your full name, date and place of birth, and Social Security or driver's license number, before selling you a bottle of wine?

Unlike a physical ID, a digital ID can perform selective disclosure: it only shows the relevant attribute (in this case, verifying that the holder is 18 or older) and nothing else. 

This is how the European CoronaCheck app is set up: after scanning the QR code, the app displays a green flag if it confirms that the person being checked has been vaccinated, has been infected with the virus and can show proof of recovery, or has proof of a recent negative PCR test (or any combination of the three). If none of those three conditions (or any combination of them) is detected, the app displays a red flag.

A European Digital Identity, in the vision of the European Commission, would provide every EU citizen with a digital wallet ID that can perform selective disclosure on many more attributes. The wallet will contain personal data like one's fiscal number (in the U.S., this would be a Social Security number; in the Netherlands, it is the BSN number), but also detailed information on health and education; almost anything the owner wants to put in the wallet.

It will typically reside on the owner's smartphone, and the owner has to give permission for it to display specific attributes. A doctor might be allowed to see all the medical information, while a university in Italy would only be allowed to verify whether the owner really received her bachelor's degree from Oxford University.

In February, the European Commission released a call for proposals to develop an app for such a wallet ID. While the Commission does not have the authority to demand that all 27 EU member-states use the same app, it can enforce certain data and privacy standards.

The initiative has caused concern among privacy advocates, and an uproar among more-extreme anti-EU activists, who see the European Digital Identity as a decisive step towards total, CCP-style control of EU citizens.

Bart Jacobs, a professor of security, privacy, and identity at Radboud University in Nijmegen, the Netherlands, says he is in favor of an EDI "within the right boundary conditions." He is adamant that EDI apps must be open source and decentralized, so he thinks it is unfortunate the call for proposals left that open. Open source means the big tech companies can't copyright such products, so they have no interest in making and marketing them. Also, if the information resides only in the wallet ID and not on a central server, a lot of security and privacy issues can be avoided.

Current practice is the opposite: people now use their Facebook or Google identity to log in to online retail sites, which allows them to be tracked and their personal and commercial data absorbed, while they themselves have no control over their data at all. Said Jacobs, "It is strategically important not to leave this to the Americans or the Chinese."

In fact, Jacobs and his group at Radboud University already have developed an open-source decentralized wallet ID called IRMA. Despite its early stage of deployment, it now has 70,000 users and about a dozen governmental and business partners that will accept it as identification. It can also be used for videoconferences in which participants have to prove who they are.

CoronaCheck QR codes cannot be faked, because they carry the digital signature of a country's authorized health authority. That signature is produced with the authority's secret key, and any app that scans a QR code automatically checks it against the corresponding public key. The check succeeds only for a signature made with the matching secret key, which proves that the code is authentic.

IRMA uses a similar system to authenticate certificates issued to users by trusted parties, for instance a local government. Web retailers who adopt IRMA agree to accept appropriate selective disclosures by the user as identity verification. IRMA uses the more advanced protocol of Camenisch-Lysyanskaya signatures for additional privacy and anonymity.
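The two mechanisms described above, a signature check on a scanned credential and the selective disclosure of a single attribute, can be shown together in a small program. The following is an added example, not code from IRMA, CoronaCheck or the article's author; it uses Go's standard-library ed25519 signatures over salted SHA-256 commitments as a simpler stand-in for Camenisch-Lysyanskaya signatures, and every key, name and attribute value in it is constructed for the demonstration. An issuer signs a list of per-attribute commitments; the wallet reveals only the "over18" attribute together with its salt; the verifier checks the issuer's signature and that the revealed attribute matches a signed commitment, learning nothing about the other attributes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Credential is what an issuer (here a hypothetical municipality) hands to
// the holder's wallet: one salted hash per attribute plus an ed25519
// signature over the sorted hash list. It contains no attribute values.
type Credential struct {
	Hashes    []string // hex(SHA-256(salt || name || "=" || value)), sorted
	Signature []byte
}

// Disclosure is one attribute the holder chooses to reveal, with the salt
// needed to recompute its hash. Undisclosed attributes stay in the wallet.
type Disclosure struct {
	Name, Value string
	Salt        []byte
}

// attrHash commits to a single attribute. The random salt stops a verifier
// from guessing low-entropy values (such as "over18=false") by trying them
// against the signed hash list.
func attrHash(salt []byte, name, value string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(name + "=" + value))
	return hex.EncodeToString(h.Sum(nil))
}

// signedPayload is the exact byte string the issuer signs: the sorted
// hashes joined by newlines, so the list cannot be reordered or extended.
func signedPayload(hashes []string) []byte {
	sorted := append([]string(nil), hashes...)
	sort.Strings(sorted)
	var buf bytes.Buffer
	for _, h := range sorted {
		buf.WriteString(h)
		buf.WriteByte('\n')
	}
	return buf.Bytes()
}

// Issue builds a credential over attrs and returns the per-attribute
// disclosures that the holder keeps privately in the wallet.
func Issue(priv ed25519.PrivateKey, attrs map[string]string) (Credential, map[string]Disclosure, error) {
	disc := make(map[string]Disclosure, len(attrs))
	hashes := make([]string, 0, len(attrs))
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		disc[name] = Disclosure{Name: name, Value: value, Salt: salt}
		hashes = append(hashes, attrHash(salt, name, value))
	}
	sort.Strings(hashes)
	sig := ed25519.Sign(priv, signedPayload(hashes))
	return Credential{Hashes: hashes, Signature: sig}, disc, nil
}

// Verify performs the relying party's two checks: the issuer's signature
// over the whole hash list must be valid, and every disclosed attribute
// must hash to an entry in that signed list. Anything else is rejected.
func Verify(pub ed25519.PublicKey, cred Credential, shown []Disclosure) bool {
	if !ed25519.Verify(pub, signedPayload(cred.Hashes), cred.Signature) {
		return false // forged, altered, or issued by a different key
	}
	known := make(map[string]bool, len(cred.Hashes))
	for _, h := range cred.Hashes {
		known[h] = true
	}
	for _, d := range shown {
		if !known[attrHash(d.Salt, d.Name, d.Value)] {
			return false // disclosed value does not match what was issued
		}
	}
	return true
}

func main() {
	// Issuer key pair; stands in for an authority's signing key (constructed).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample attributes; none of this is real personal data.
	cred, wallet, err := Issue(priv, map[string]string{
		"name": "Example Holder", "birthdate": "1990-01-01", "over18": "true",
	})
	if err != nil {
		panic(err)
	}
	// The cashier receives only the age attribute and the signed hash list.
	fmt.Println("age check accepted:", Verify(pub, cred, []Disclosure{wallet["over18"]}))
}
```

The verifier sees three opaque hashes and one revealed attribute, so the holder's name and birthdate never leave the wallet. One limitation is worth noting: because the signature and hash list are identical in every presentation, two verifiers who compare notes can tell they saw the same credential; the Camenisch-Lysyanskaya signatures mentioned above are used by IRMA precisely to make presentations unlinkable, which this simpler scheme does not attempt.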

Jacobs has been in consultation with the Dutch government about digital identity for years. He intends to submit IRMA to the European call for proposals, but says that "personally, I'm disappointed in the Dutch government. They could have said, 'we have IRMA already, this can be a model for a European wallet-ID', but they did not do that."

Seda Gürses, associate professor of multi-actor systems at the Netherlands' Delft University of Technology, is convinced a cellphone-based wallet ID, open source or not, cannot be implemented entirely independent of Google and Apple's mobile platforms. Even if that were possible, she is opposed to a European Digital Identity on principle: "Such apps are okay to open doors in your own university department or similar, because the possibilities for repurposing and abuse are very limited, not for a global identity."

Part of the problem is that the EDI will be used not only for government services, but also for banking, online retail, and social media, so many stakeholders will have the power to set policies to verify certain attributes. Today, individuals must be checked for coronavirus in order to cross a border; tomorrow, critics argue, your EDI might prevent you from using the metro at rush hour because you are unemployed. That attribute—being unemployed—could be required to collect social benefits, but a policy based on that attribute grows highly questionable.

Proponents of a European Digital Identity argue that the democratic checks and balances present in the EU will prevent that sort of mission creep. Says Gürses, "This is not mission creep; this ís the mission!"

Gürses does not dispute that an EDI app can be made to preserve privacy, but once such a digital infrastructure is in place, she says, governments and commercial stakeholders can change their restrictions based on these attributes at a moment's notice. "Who gets to set and enforce policy for the EDI, that is the issue."

Arnout Jaspers is a freelance science writer based in Leiden, the Netherlands.