Balancing ambitions on putting the user in control with public administration realities
In June 2021, the European Commission announced its plans for (a framework for) Digital Identity Wallets. Also, over the past few years, the concept of Self-Sovereign Identity (SSI), a new way of thinking about digital identity, has emerged in the market. As a result, the question arises: to what extent is the EU Digital Identity Wallet an implementation of SSI?
In June 2021, the European Commission announced its plans for (a framework for) Digital Identity Wallets for everyone in the European Union (EU) as part of the revised eIDAS regulation. The Commission proposed that each member state will be required to make at least one wallet available to its citizens. The wallets will be free of charge for citizens, and both the public and (parts of the) private sector are expected to be subjected to mandatory acceptance. To ensure pan-European usage, each member state must accept the wallets of all other member states. The possible use cases of the EU Digital Identity Wallet are diverse: think of onboarding, attribute sharing (e.g. age or address), signing, and authorisation / mandates.
The European Commission and member states are currently working on the development of the necessary common standards for the EU Digital Identity Wallet. The aim is to test these standards in pilot projects from October 2022 onwards. The intention is to develop a solution that is decentralised, privacy-preserving & secure, and thereby puts the user in control of their digital identity.
Over the past few years, a new way of thinking about digital identity has emerged: Self-Sovereign Identity (SSI). SSI is based on the principle of putting users in control of their digital identity and their related data. It is difficult to give a clear and unambiguous definition of Self-Sovereign Identity (SSI) – there is still no consensus on this in the market. The definition ranges from principles on SSI (Christopher Allen) to decentralised solutions based on blockchain.
Self-Sovereign Identity and the EU Digital Identity Wallet have common ambitions around putting the user in control and creating a decentralised, privacy-friendly, and secure identity solution. But will the EU Digital Identity Wallet also be fully SSI? For this article, we base our analysis on the ten original principles from the vision on SSI by Christopher Allen (figure 1). As the details and technical architecture of the EU Digital Identity Wallet are still unknown at the time of writing, this analysis is based on what is currently known or can be assumed.
Figure 1: SSI Principles by Christopher Allen, 2016
The SSI principles of existence, access, interoperability, consent, minimalization, and protection will likely be fulfilled by the EU Digital Identity Wallet. It will allow citizens to have an independent existence. It is likely that the wallet will give users access to all their claims and data and that users can retrieve the claims and other data within their wallet. Data will be stored in a decentralised manner in the wallet of the user. The European Commission intends to allow or even force acceptance in a wide range of sectors in the public and private domain and thereby create identities that are as widely usable as possible (interoperability). The principle of consent will also be met, as it is already fulfilled with current eID solutions notified under eIDAS, and other EU regulations, such as GDPR and PSD2, also incorporate the principle of consent. One of the explicit requirements of the proposal is selective disclosure, which is in line with GDPR’s rules on data minimalisation. The rights of users will be protected, as the proposed regulation includes multiple explicit statements about privacy, security, and protection of personal data.
The principle of transparency could be fulfilled; however, this is still uncertain. The principle requires systems and algorithms to be free, open-source, well-known, and as independent as possible of any architecture. The principle also requires management and updates to be transparent. The generic technical framework as described in the proposal will likely be transparent, but since it is intended to also allow for market parties to deliver their services, it remains to be seen if systems, algorithms, management, and updates of all individual wallets will be fully transparent.
The degree to which the principle of portability will be fulfilled by the EU wallet remains to be seen. The principle requires information and services about identity to be transportable and requires that identities must not be held by a singular third-party entity. The proposed regulation allows member states to develop and implement their own government-operated EU Wallet, to select an external organisation to develop and implement the EU Wallet on behalf of the government, or a combination of both. This freedom in implementation could result in an impossibility to transfer information and services to other wallets, as alternatives might not exist in a single member state. Within a member state, the Digital Identity can still be locked down to one single solution.
The principle of control cannot be fulfilled by the EU wallet to the full extent. The principle requires the user to have the ultimate authority over his/her identity, including the ability to hide his/her identity. In general, for public or compliance-heavy use cases, this is impossible. Think of doing a tax declaration, pressing charges, registering as a donor, or opening a bank account. In these circumstances, the verifier requires a certain level of assurance, and the user will not have control over which attributes he/she provides. In many European countries, there is a central registration of persons which is used for many of these use cases. There are also legal obligations in place for these use cases that do not allow the user to have the ultimate authority over his/her identity.
The principle of persistence will also not be fulfilled to the full extent. The principle requires a user to be able to dispose of his/her identity if he/she wishes; claims should be modified or removed as appropriate over time. This requires a firm separation between identity and its claims. In many use cases in a public setting, such as doing a tax declaration, this is impossible. The tax authority needs to know who did the specific tax declaration. Disposing of identity should be within legal constraints. A user cannot undo a criminal record because he/she wants to be forgotten. These use cases even require a relation between identity and its claims.
By design, not all SSI principles can be fulfilled with the EU Digital Identity Wallet. In a public setting, users must provide identity attributes to relying parties, and a firm separation between identity and its claims is impossible as legal constraints exist. Because of that, the EU Digital Identity Wallet requires balancing the ambitions of putting the user in control with public administration realities. How this is balanced remains to be seen and will depend on choices that still need to be made in the eIDAS revision. The revision seems to be an attempt to move towards putting the user in control. This is a positive change compared to the current situation.
This editorial was first published in our Financial Crime and Fraud Report 2022, which showcases the innovation and development of the best practices and instruments used by financial institutions in their fraud prevention activities, to improve the digital onboarding process of their customers while fighting against financial crime.
About Jorrit Penninga
Jorrit has a professional background in Systems Engineering, Policy Analysis and Management. Jorrit is keen on helping organisations with innovation and digitisation in a multi-stakeholder context.
About Eefje van der Harst
Eefje is an experienced project manager with a history of working in complex multi-stakeholder projects on data sharing, digital identity, AI, and Trust Frameworks in logistics, higher education, and the financial services industry.
About Vincent Jansen
About INNOPAY
INNOPAY is an international consultancy firm specialised in digital transactions. We help companies anywhere in the world to harness the full potential of the digital transactions’ era. We do this by delivering strategy, product development, and implementation support in the domain of Digital Identity, Data Sharing, and Payments. Our services capture the entire strategic and operational spectrum of our client’s business, the technology they deploy, and the way they respond to local and international regulations.