Feedback for EU digital wallets as Switzerland explores digital ID ecosystem
The EU is continuing to progress towards its goal of not just digital ID but a digital wallet for all with its eIDAS project. Feedback on a draft framework finds pros and cons so far in plans for implementing it. Finland looks set to go ahead with its national digital ID, to be compliant with the EU vision, while Switzerland – a non-EU island in a sea of member states – contemplates its own digital identity ecosystem.
Initial scores for implementing eIDAS
Digital identity firms, specialists and academics have been providing feedback on the documentation created by the eIDAS Expert Group on how digital identity and wallets could be integrated and trusted across the European Union. The feedback on the draft Architecture and Reference Framework (ARF) document has been collated by digital transition advisory SGM Consultancy, as announced by its president Stephane Mouy in a LinkedIn post.
The assessments are wide-ranging and thorough, from recommendations to change single words or diagram arrows in the draft ARF, to tackling fundamental issues for digital wallet rollout and asking questions such as who is going to verify the verifiers. As a collection of feedback it may be useful beyond the EU’s eIDAS project for similar schemes around the world, as could upcoming pilots of real-world use cases of digital wallets.
The sections on qualified electronic signatures, seal providers or qualified trust service providers and their interaction with non-qualified providers have been particularly well received.
Evernym, whose full comment and feedback can be found on their site, believes it a missed opportunity that there is not a single wallet certification scheme to work across the whole bloc, meaning a wallet would only need to be certified once.
“To rely on the EUDI Wallet, relying parties would need to inform the Member State where they are established and their intention for doing so” has proved controversial with multiple experts asking whether this will block the private sector from participation.
Eric Verheul believes the draft’s suggested use of Trusted Execution Environments hints at Apple Secure Enclave and Android hardware-backed keystores. Yet there is no clarity on how the eIDAS High Authentication Mechanism would work with this.
Nick Mothershaw of the Open Identity Exchange (OIX), itself trying to establish a global trust framework through GAIN, states that the ARF does not cover data standards which are necessary for each attribute covered.
“The EUDI Wallet Architecture and Reference Framework is well aligned to OIX’s new Trust Framework for Smart Digital ID, and so is well on the road to success,” Mothershaw told Biometric Update in an email. “A key area that needs adding to the ARF is that of data standards. If EUDI Wallets from different member states have diverse data formats with different permitted values, seamless interoperability will be impossible. OIX is working on recommendations for global data standards for Digital ID, and invites representative of the EU Expert group to join us as we finalise this key piece of work.”
Mastercard also hopes that EUDI will be fully interoperable with international standards.
In any field, experts providing opinions on the opinions of other experts can continue in perpetuity. However, the feedback is constructive and brings to light potential errors in the draft and certainly does not leave any loose threads or generalizations.
The community of experts wants far more clarity, detail, examples and ultimately more standardization at the EU rather than country level if 27 member states are going to harmonize their digital identity programs. Cybernetica also proposed changes to the text to ensure that new technologies could be incorporated as they emerge.
Meanwhile, the community will also have to help explain the system to the European population, another challenge entirely.
Finland’s CSC backs government proposals for national digital ID
The influential CSC, the Finnish IT Center for Science, considers proposals by the Finnish government for national digital identity to be generally justified and supportable. However, users will need to understand the mechanisms for control of the data they share, and there must be clarity on who pays the fees for transactions, according to a statement for which there is a short summary available in English.
The CSC cautions that the plan must adhere to national regulations and also be in line with the EU’s eIDAS regulation.
Self-sovereign aspects of the digital identity scheme are welcomed, but the organization warns that users will need support to understand this and make informed decisions on sharing their information.
Foreigners involved in transactions in Finland may be charged a fee for identifying them. The CSC warns that people such as foreign researchers interacting with universities or potential students going through the application process may be put off by the fees, and worker mobility could be hindered. People more generally could become the only billable entity in transactions handling their information, it warns.
The CSC also recommends that the authority that writes a credential to the digital identity wallet should cease to be the data controller at the time of that writing, a mechanism it believes should be adopted by the entire EUDI scheme.
Switzerland considers how it might launch an e-ID trust ecosystem
The Swiss Federal Council agreed in December 2021 to work on draft regulation on decentralized digital identity that would grant citizens control of their data, with the draft to be ready for consultation by summer 2022.
The development collaborative digitalswitzerland has brought together the government, private sector, civil society and academia to discuss and strategize the transition to an ecosystem of digital credentials.
A report has been produced as a first look at the possibilities, issues and how to introduce an overall ecosystem and ensure a significant level of take-up and interaction. The report considers that the larger the ecosystem at launch, the more likely it is to be adopted. The government providing the verifiable data registry as a public service will keep down costs for its users, also improving take-up.
The authors understand from systems being created elsewhere that making adoption compulsory for accessing e-government services will significantly increase sign-up, and that not making services available electronically with the e-ID undermines trust in the e-ID ecosystem.
They recommend launching not just with the e-ID but e-ID-backed digital signatures. Digital and mobile driving licenses are also coming, in something of a side development. The government is piloting both government-issued and externally-issued verifiable credentials for accessing e-government services.
This post was updated at 11:53am Eastern on May 6, 2022 to include comment from OIX’s Nick Mothershaw.