Echoes from History II: The Dangers of eIDAS

This article, like “Echoes from History: Designing Self-Sovereign Identity with Care”, is drawn from a book I have in process called FOREMEMBRANCE, which chronicles how identity was abused in WWII and how those dangers linger to the present day._

ABSTRACT: eIDAS v2.0, released as a provisional agreement on November 16, 2023, offers the first large-scale codification of digital identity. Unfortunately, it contains not just technical problems but also major philosophical missteps that could make it highly dangerous to its users, especially given the increasing threat of regime change in Europe.

The history of identity is a sobering one. It’s just more than century old in its modern, codified and organized, form but in that time identity has been reponsible for atrocities. In “Echoes from History: Designing Self-Sovereign Identity with Care”, I wrote about one of the worst misuses of identity, when Jacobus L. Lentz supported the Nazis in their use of Dutch identity records during World War II, resulting in the death of 75% of the country’s Jews. It didn’t have to be that way: in France, another identity pioneer by the name of René Carmille had control of a similar trove of identity records, but only selectively disclosed some of his data to the Nazis. Only 23% of the Jewish people in France fell to genocide as a result.

However, the stories of Lentz and Carmille are not mere historical prologue. They are powerful warnings about the care that must be taken in the use of personally identifiable data in the twenty-first century and beyond, as the collection of that personal information multiplies and enters the digital space. These warnings are particularly important today, as the European Union just reached provisional agreement on their next-generation digital-identity regulation, eIDAS, on November 16th. This was despite the fact that it is filled with both technical oversights and poor identity designs that could allow a repeat of the Dutch disaster under Lentz.

It is disturbingly ironic that six days later, on November 22nd, Geert Wilders rose to prominence in the Netherlands in a shock election win¹ after running on a platform of hate and intolerance toward Muslims. What happens when isolationists and nationialists such as Geert Wilders, Victor Orbán, and Marine Le Pen take ahold of a badly flawed identity system? Unfortunately, history offers us dark lessons.

Two Roads Diverged

The digital world is a new frontier, and like all frontiers it has enjoyed waves of migrations. First came the pioneers: rugged individuals who set their own norms and created their own communities. Then came the corporations: companies intent on monetizing that frontier. Last came the governments: existing authorities intent on setting their own rules and regulations for this new world.

Today, the digital world stands at a crossroads. The conflicting ideas of the pioneers and the corporations are already writ large in differing models for identity on the internet. But now, governments are looking to exert their control over digital space, and it will ultimately be they who decide which of those models persists.

Despite the internet being ultimately founded by governments, who enabled the centralized authority of institutions such as IANA, ICANN, and various Certificate Authorities, the users of the internet have always yearned to be free. They’ve long wanted to control their own digital identities, to define their own relationships with other networked individuals.

One of the first clear statements of this was Phil Zimmerman’s development of the PGP software in 1991. Superficially, it was a technology that allowed for the encryption of data so that it could only be read by its intended recipipent. But PGP went far beyond that. It gave each user a personal identifier that they controlled. They could decide what information to release in correlation with their PGP key and to whom.

Following Zimmerman’s initial deployment of PGP, generations of digital pioneers offered their own takes on digital identity. Most of this occurred courtesy of organizations such as the Identity Commons², the Internet Identity Workshop³, and Rebooting the Web of Trust⁴. Their goal has been to allow for the creation of “decentralized identity” that is not controlled by any one entity. It was a very different take from either Lentz or Carmille, with a user in control of his identity information rather than giving it over to the state.

A number of those ideas about self-sovereign identity have become reality with the standardization of decentralized identifiers (DIDs)⁵ and Verifiable Credentials (VCs)⁶ by the IETF. Now users can have personal control of an identifier that says who they are, and they can associate signed credentials with it, from recommendations to licenses to certifications. It’s a model for digital identity that, if deployed correctly, can avoid the worst dangers of identification, because a user can decide what information to release and to whom.

Unfortunately, it’s not the only way.

Just as users have been building up models for digital identity that give power back to individuals by allowing them to hold their personal data close, corporations have been going in the opposite direction, trying to link together as much information as they can.

You look at a product on Amazon, and suddenly every other site on the internet is trying to sell you on like products. This is a purposeful invasion of your digital privacy that advertising companies celebrate⁷. But, it’s just the tip of the iceberg.

Companies all across the internet collect huge amounts of data and share it with each other⁸, creating the potential for huge honeypots of personal information. Imagine a maleovolent party accessing every single bit of data collected by Google, potentially including what websites you visit, what items you purchase, and even where your Android phone is located at any time. It becomes even worse when internet companies require your real-name, as Facebook⁹ does, potentially creating a real-world connection to that digital data trove. The possibilities are catastrophic if a sufficiently bad actor gets a hold of that information.

These are the two possibilities for digital identity as we enter the third phase of the development of the digital world, where countries and other polities are beginning to lay down their own rules and regulations. We could go the way of the self-sovereign pioneers, who want to minimize information and correlation in a way that would have made Carmille proud, or we could go the way of the corporations that want to collate and correlate everything for their own selfish self-interest, something that Lentz likely would have blindly supported.

Unfortunately eIDAS v2.0, one of the first major definitions of digital identity, could go either way.

The EU’s Unintential Consequences

eIDAS v2.0, the new extended version of the Electronic Identification, Authentication and Trust Services that is a product of the European Union, was released as a provisional agreement on November 16, 2023. The EU has been a major force in proclaiming individual rights on the internet, and they seem to have the best intentions of empowering and protecting their citizens. Unfortunately, their biggest initiatives to date have been mixed successes due to their inability to recognize the unintentional consequences of their regulatory design.

The GDPR ¹⁰ and the EPrivacy Directives¹¹ had laudable goals ¹² but have resulted in endless clicking of buttons to access websites in Europe and have largely benefited large corporations who are able to fulfill the regulations¹³. The EU Directive on Copyright in the Digital Single Market¹⁴ has resulted in countries trying to grab cash from search engines¹⁵ and getting cut off from news as a result¹⁶.

Generally, these digital regulations demonstrate a concerning repetition of unintended consequences and insufficient understanding of the digital space in EU legislation. If those problems were to recur in identity-focused legislation, it could be catastropic.

eIDAS on the March

eIDAS v2.0 details the legal and technical requirements for countries to offer digital identities that can be stored on devices and reused¹⁷. It requires the creation of digital wallets that can be filled with both an identifier and credentials. If you’ve long dreamed of having a driver’s license, university records, or health records that are digitally stored in a portable way, that’s what eIDAS v2.0 does¹⁸.

There’s a lot of theoretically good material built into eIDAS v2.0. It supports interoperable digital wallets with high security standards. It also enables digital signing and can be set up remotely without having to present physical documents in person¹⁹.

There’s also hope that self-sovereign identity (SSI) could still be a possibility with the release of eIDAS. After all, the provisional agreement states that one of its goals is “to provide people with control over their online identity and data”²⁰. One study on the topic thus suggested there was no innate contradiction between eIDAS and the individual-empowering principles of SSI²¹. Another laid out bridge scenarios²². Yet another author noted that “selective disclosure” of information, where users individually decide what identity elements to release, had been a principle since eIDAS 1.0. However, nothing is guaranteed: that final article also notes that the user’s personal, self-sovereign control of data is purposefully limited by the design²³ of eIDAS.

Ultimately whether eIDAS will create new digital honeypots of information will depend on eIDAS’ final deployment and how it’s arbitrated by countries’ laws and courts. Unfortunately, the EU’s record on digital legislation is problematic, and as it’s proposed eIDAS is full of holes that could lead to big problems in our future.

The biggest problem with eIDAS as it currently stands is a worldwide web-security issue. eIDAS mandates that web browers accept security certificates from individual member states and the EU can refuse to revoke them even if they’re dangerous²⁴. The provisional agreement does note that “The obligation of recognition, interoperability and support of QWACs is not to affect the freedom of web-browser providers to ensure web security, domain authentication and the encryption of web traffic in the manner and with the technology they consider most appropriate.”²⁰. However, that’s clearly a contradiction: web browsers can not ensure web security if there’s an obligation to recognize CAs from member states.

That obligation not only reverts the web to an outdated model for security management, but it also puts every single transaction on the web at the mercy of the least trustworthy administrator in the least trustworthy EU state, including states such as The Netherlands and Poland, now threatened by nationalists. Potentially, millions of people would have the ability to break web security. Perhaps worse, it allows the surveillance of users at European websites by European governments²⁵.

There are numerous problems with the actual identity model of eIDAS as well.

This begins with the identifier at the heart of the proposal, which is problematic because it’s meant to be persistent²⁶. That allows for extreme correlation of everything a person ever does with their identity, over an infinite amount of time, and thus creates huge honeypots of personal information that will be massive targets for attacks. Earlier proposals even called for the identifier to be unique for each person, which would have multiplied the problem a hundredfold (and violated the Constitutions of some member states)²⁷. The provisional agreement leaves the question of uniqueness up to the member states themselves but at least offsets that somewhat with support for pseudonyms²⁸.

The cryptographic technology used by eIDAS is also at issue because of the very conservative and limited choices of the EU. Modern signature schemes and other cryptography likely to offer better protection for the enormous personal data likely to be compiled under eIDAS are all prohibited²⁹. This leaves it very vulnerable.

eIDAS data is ultimately collected in wallets, which will be government-backed and will use identities provided by corporations. This allows the possibility for either entity to illicitly collect personal data³⁰. Though the current governments and selected corporations might be trustworthy, the same guarantee can’t be made for future controllers of those entities. Thus, the data and app model at the core of eIDAS is just a mortgage for future problems.

In other words, there are problems up and down the entire eIDAS stack, including identity creation, identity assignment, cryptographic protection, web-based security, and app design. Too much data is being collected in one place, it’s potentially available to too many people, and it’s too vulnerable.

The stories of Lentz and Carmille should have taught us the core importance of minimizing data and intrinsically protecting it from misuse.

eIDAS does not.

The problem is that the EU creating a digital identity without understanding modern theories for how to create safe identities that can benefit their users without making them vulnerable.

Identities need to minimize data correlation. Identities need to minimize data correlation. The EU’s original take on a unique identity shows how badly misguided they are on this criterion, and even now the decision is going to get punted to the member states. But there should never be a single identity that correlates your taxes, your transit through different countries, your rental of a bicycle, your usage of digital euros³¹,and whatever else gets jammed into the eIDAS framework. And that data shouldn’t last forever (and in fact doing so goes against the GDPR’s right to be forgotten³²).

Identities need to minimize identification. That same person renting a bike should need to reveal nothing more than their ability to pay to rent and possibly replace the bicycle. A person buying an alcoholic beverage should only need to reveal their age. A person reporting a public-works issue, such as a pothole, should potentially reveal nothing. Ultmately identity is about managing the risk between two parties. The risk to individuals must be minimized by minimizing the identification data they’re required to share.

For eIDAS identities to successfully meet the human-focused goals of the EU, they need to reflect the power imbalance between the state and the individual, and in those situations where their needs are equal, or where the needs of the individual are greater, they need to maximize the power of the individual.

To go back to the example of an individual reporting a pothole, the risk that the state faces for a false report is low: they might waste resources if they schedule a non-existent public-works repair, but they are very large and can easily amortize that loss. In contrast, the risk that an individual faces is much greater. If their identity were revealed, they might be “outed” as a troublemaker or they might face retribution from a worker who had previously failed to fix that pothole. (Obviously, these repercussions would be even greater for a matter of more import, but the fact that they exist for even a small issue is notable.) As a result, despite the power imbalance where the state holds the most power, it must give the most protection to the individual in this situation, by not requiring identification data.

Certainly, there are technical solutions that can resolve some of the most extreme problems remaining in eIDAS. The state-mandated CAs need to be removed, identifiers must be required to be non-persistent and non-unique, cryptography must be expanded, and the creation of identifiers and wallets must be decentralized.

However, the philosophical issues are just as important. The minimization of data collection, data correlation, and personal identification must be incorporated into eIDAS as actual regulations or the very strongest of recommendations. eIDAS ultimately must say not just what things must be done for compliance, but what things must not be done to preserve the privacy of user data.

Conclusion

In order to protect our human rights, we need to ensure that modern-day information systems protect our data in meaningful ways. As we learned through the lessons of Lentz and Carmille, there are two paths before us.

On the one hand, we have the path of Jacobus Lentz. He maximized the information that he collected, he happily stored it all together, and he thought merely about the efficiency of its use. His information thus wasn’t protected against a regime change, and the Nazis used it to commit genocide against 75% of the Netherlands’ Jewish population.

On the other hand, we have the path of René Carmille. He collected very similar information to Lentz, but he was aware of the sensitivity of some information, so he ensured that it couldn’t be correlated with other personally identifiable information. A third as many Jews died in France as The Netherlands (by percentage), and it seems likely that Carmille’s protection of personal records was a major factor.

Moving across the 20th and 21st centuries, we’ve unfortunately more frequently cleaved to the path of Lentz than Carmille. The Census Bureau turned over records of Japanese-Americans to President Roosevelt and thousands died and tens of thousands more were deeply scarred. Records of young DACA immigrants passed from President Obama to President Trump and their lives were thrown into grave uncertainty. The smaller stories of individual people whose lives were destroyed due to the theft or sharing of data (legal or not) are uncountable. Lentz remains ascendant; his lessons unlearned.

But the digital frontier offers a new opportunity to do things right. We can ensure that identities are controlled by people and used to benefit those people and society as a whole. We can protect people and their identities against regime change, which has become all too much of a possibility in Europe, as demonstrated by Poland and the Netherlands. We just have to do so before it’s too late.

The biggest danger and the biggest opportunity in the current day remains eIDAS. With the release of a provisional agreement, it might already be too far along to prevent its ratification in that form. But either now or afterward we must take the opportunity to legislatively minimize the data collected and correlated for identities.

We must give individuals the ability to control their personal identity as much as is possible in a shared society.

---

Two paths signboard Image by rawpixel.com on Freepik.

Footnotes

1. “Populist Rage Gives Dutch Far Right a Worrying Shot at Power”. Foreign Policy. https://foreignpolicy.com/2023/11/27/netherlands-dutch-election-coalition-geert-wilders-pvv-far-right/. ↩

2. The Identity Commons. https://www.idcommons.org/. ↩

3. Internet Identity Workshop. https://internetidentityworkshop.com/. ↩

4. Rebooting the Web of Trust. https://www.weboftrust.info/. ↩

5. “Decentralized Identifiers (DIDs) v1.0”. IETF. https://www.w3.org/TR/did-core/. ↩

6. “Verifiable Credentials Data Model v1.1”. IETF. https://www.w3.org/TR/vc-data-model/. ↩

7. “What is ReTargeting and How Does it Work?”. ReTargeter. https://retargeter.com/what-is-retargeting-and-how-does-it-work/. ↩

8. “The Data Big Tech Companies have On You”. Security.org. https://www.security.org/resources/data-tech-companies-have/. ↩

9. “How Facebook’s real-name policy changed social media forever”. Protocol. https://www.protocol.com/policy/anonymity-real-names-jeff-kosseff. ↩

10. “General Data Protection regulation: GDPR”. Intersoft Consulting. https://gdpr-info.eu/. ↩

11. “Cookies, the GDPR, and the ePrivacy Directive”. GDPR.eu. https://gdpr.eu/cookies/. ↩

12. “The EU General Data Protection Regulation: Questions and Answers”. Human Rights Watch. https://www.hrw.org/news/2018/06/06/eu-general-data-protection-regulation. ↩

13. “Unintended Consequences of GDPR”. Regulatory Studies Center (George Washington University). https://regulatorystudies.columbian.gwu.edu/unintended-consequences-gdpr. ↩

14. “Directive on Copyright in the Digital Single Market”. Wikipedia. https://en.wikipedia.org/wiki/Directive_on_Copyright_in_the_Digital_Single_Market ↩

15. “French Regulator Says Google Must Pay to Link to News Sites”. Wired. https://www.wired.com/story/french-regulator-says-google-must-pay-to-link-to-news-sites/. ↩

16. “Google News to relaunch in Spain after mandatory payments to newspapers scrapped”. The Verge. https://www.theverge.com/2021/11/3/22761041/google-news-relaunch-spain-payments-publishers-eu-copyright-directive. ↩

17. “eIDAS 2.0 - Explained in 90 seconds”. IDNow Youtube Channel. https://www.youtube.com/watch?v=W14StXJPB-U. ↩

18. “EIDAS 2.0 – WHAT’S NEW?”. Cryptomathic. https://www.cryptomathic.com/news-events/blog/eidas-2.0-whats-new. ↩

19. “eIDAS 2.0 and its potential impact on online security and fraud prevention”. Rupanjan Mukherjee on LinkedIn. https://www.linkedin.com/pulse/eidas-20-its-potential-impact-online-security-fraud-mukherjee/ ↩

20. “European Digital Identity - Provisional Agreement”. European Parliament. https://www.europarl.europa.eu/committees/en/european-digital-identity-provisional-ag/product-details/20231116CAN72103. ↩ ↩²

21. “Self-Sovereign-Identity & eIDAS: a Contradiction? Challenges and Chances of eIDAS 2.0*”. European Review of Digital Administration & Law - Erdal. https://www.erdalreview.eu/free-download/979125994752910.pdf. ↩

22. “SSI eIDAS Legal Report”. European Commission. https://joinup.ec.europa.eu/sites/default/files/document/2020-04/SSI_eIDAS_legal_report_final_0.pdf. ↩

23. “Digital Identity in Germany a winter`s tale?”.https://medium.com/@schwalm.steffen/digital-identity-in-germany-a-winter-s-tale-ce7ced9f7635 ↩

24. “eIDAS 2.0 Sets a Dangerous Precedent for Web Security”. EFF. https://www.eff.org/deeplinks/2022/12/eidas-20-sets-dangerous-precedent-web-security. ↩

25. “Could Big Brother EU Digital Identity Laws Impact Digital Euro Privacy Claims?”. Ledger Insights. https://www.ledgerinsights.com/eu-digital-identity-laws-impact-digital-euro-privacy-claims/. ↩

26. “Commission says single identifier in eIDAS reform ‘not necessary’”. https://www.euractiv.com/section/digital/news/commission-says-single-identifier-in-eidas-reform-not-necessary/ ↩

27. “A Unique Identification Number for Every European Citizen”. Verfassungsblog. https://verfassungsblog.de/digital-id-eu/ ↩

28. “9 facts about the EU Digital Identity Wallet”. IDEMIA. https://www.idemia.com/insights/9-facts-about-eu-digital-identity-wallet. ↩

29. “Electronic Signatures and Infrastructures (ESI); Cryptographic Suites”. ETSI. https://www.etsi.org/deliver/etsi_ts/119300_119399/119312/01.02.01_60/ts_119312v010201p.pdf. ↩

30. “Understanding the eIDAS 2.0 and its implication for Individual’s Privacy and Data Protection Rights.” Medium. https://medium.com/datafrens-sg/unerstanding-the-eidas-2-0-and-its-implication-for-individuals-privacy-and-data-protection-rights-df0ae62eaafa. ↩

31. “The ECB Moves Forward on Digital Euro Development”. Fintech Nexus. https://www.fintechnexus.com/the-ecb-moves-forward-on-digital-euro-development/ ↩

32. “Art. 17 GDPRRight to erasure (‘right to be forgotten’)”. Intersoft Consulting. https://gdpr-info.eu/art-17-gdpr/. ↩