Overidentification, unobservability and super cookies: privacy issues ahead for EU digital ID
The European Union’s Data Protection Supervisor brought together experts on digital identity and digital wallets to appraise the current state of the EU’s digital identity plans and future possibilities, draw comparisons with other systems, and examine problems already evident.
The Internet Privacy Engineering Network (IPEN) Workshop on Digital Identity described its aim as “understanding the challenges and identifying the state of the art of the available options for compliant and privacy-enhancing solutions.”
Thomas Lohninger, vice president of digital rights umbrella group European Digital Rights (EDRi) and executive director of the digital rights NGO Epicenter.Works in Vienna, outlined the major privacy issues the European project entails, and in particular the current reforms to plans, in his presentation entitled ‘Orwell’s Wallet: Missing Privacy Safeguards in the EU Digital Identity System.’
“The 2014 eIDAS regulation was actually ahead of its time because it enshrined in law the principle of privacy by design for the interoperability framework in Article 12 paragraph 3.c. Sadly that principle was deleted by the Commission in the reform we are currently looking at,” began Lohninger.
The breadth of the scheme is not yet fully clear, as not all the attributes are known yet, but it is set to cover most aspects of life and the organizations and companies with which people interact. COVID passes will be built in, indicating the potential scope of use cases given the requirement to show the passes at public venues visited. By 2030, the Commission is aiming for 80 percent penetration across the EU for its ID scheme, Lohninger notes.
The implication of the project’s scale is that the cost of identifying or authenticating a person will drop to zero, and the cost factor that currently prevents the need to identify oneself will disappear, says Lohninger.
The ubiquity of the technology will threaten the “unobservability” of life: “If the transactions are observable, we are talking about an abundance of data on user behavior that we have not seen before.”
Architecturally, for the system to be deserving of people’s trust, the scheme should be “unobservable by design.”
“It needs to be technically impossible for any issuer or provider of attributes to observe how the wallet is used. Only such a system would qualify, in my opinion, for the high data protection safeguards that Europe should stand for,” says Lohninger, adding that the European Parliament stepped in to ensure that the COVID pass system was designed to be unobservable.
Lohninger describes the planned unique, life-long identifiers (Article 11a) as “outrageous” and as “super cookies.” They would also be illegal in the Netherlands and Austria and unconstitutional in Germany. He hopes this part will be dropped and that pseudonymization will be strengthened further to allow for anonymous purchases and social media comments.
“The underlying problem of the whole reform is that we have one piece of technology that tries to encapsulate many different use cases,” he says, accepting the need to identify oneself for government services but questioning the need when it comes to checking into hotels, buying tobacco or subscribing to a newspaper.
Lohninger warns of a legal shift in fraud cases where individuals will have to be able to prove that they were not in control of their smartphones if contracts are fraudulently yet cryptographically signed by them in a hack or identity theft.
As the cost of identifying individuals falls, the risk of “overidentification” grows, says Lohninger. There could be nothing stopping a relying party from asking for swathes of information, such as for a late-night hotel check-in.
“We should put limits on the private-sector use cases of the wallet to legal know-your-customer requirements,” or make pseudonyms or selective disclosure available, recommends Lohninger.
As more digital applications of age verification emerge, there could be particularly high overidentification of youths and teenagers.
The EU’s digital identity may be positioned as giving users control over their data, but Lohninger points out that this control can be illusory, such as with cookie permission requests. He states that one of the few things Google may know about a person is their legal name, but with EU ID and advertising preference schemes, the EU may be handing the last piece in the jigsaw to Google or others.
Lohninger is optimistic that a good legal framework for eIDAS will emerge eventually, but is concerned about the Council’s Expert Working Group. He claims it is full of government officials, all facing pressure from their countries’ vendors. He sees the group as leaking information, but only in the direction of the private sector rather than passing on details to academia or civil society.
“It’s basically a way for Thales and other big vendors to influence the negotiations and discussions in Council and I’m sorry to say that what we’ve seen so far is also very incoherent and we’re not convinced that this actually leads to a meaningful reference architecture framework,” says Lohninger, before finally criticizing the fact that there is only one quarter (Q4 2022) given over to assessing the digital wallet in the EU timeline.