The EU is right to remove the proposal for an EU-wide, public, unique, persistent identifier. However, this will make the proposed EU identity wallet much less useful.
eIDAS2 and the European Digital Identity Wallet
Insights into the Proposed Regulations and Challenges
The EU Commission is currently preparing a major upgrade of the existing Electronic Identification and Trust Services regulation (eIDAS), which for simplicity is often referred to as eIDAS2. The proposed regulation covers several areas, but from a digital identity perspective the most important proposal is for the creation of EU Digital Identity Wallets.
There is no set date for when the proposal will become regulation, but a good current estimate is that it will happen in mid 2024 at the earliest. This will then be followed by an implementation time for Member states.
The digital wallet is intended to allow individuals to collect electronic versions of their important identity documents and to share them with counterparties. The Commission will set some guidelines for technology and design to allow interoperability, and the wallet is intended to allow all the requirements of the GDPR to be realized.
The proposal stipulates that each Member state becomes responsible for either offering a wallet to the public in their country, or for establishing a process for letting private companies certifying their product as a regulation-approved wallet.
Recently, a very important part of the proposal was struck down. The Commission, in its original proposal, called for an EU-wide, public, unique, persistent identifier that would be used to identify people across services, use cases and transactions.
However, as could be expected, this proposal ran afoul of integrity legislation in several member states (it would be unconstitutional in Germany). At the same time, other countries, such as e.g. Sweden and Belgium, already use this kind of identifier on a national level.
Why is a generally available unique identifier a problem for integrity? If you can track a person across all different interactions and transactions with the same number, it means that you could, in principle, completely map all digital behavior of this person. Monitoring is already a major challenge since many people use a small number of services to authenticate themselves online, and the specific purpose of eIDAS2 is to make this more difficult, not easier.
Why then would the Commission have included this in their original proposal? For the simple reason that if you do not use a persistent identifier, it becomes difficult to impossible to build simple and effective workflows across time and counterparties. You will end up in a situation where each counterparty that a person interacts with will have to manage their ongoing relationship with a technology outside of the actual wallet.
Sweden's Unique Approach to Digitalization and Identity Management
Sweden is a good real-life example of the advantage of a persistent identifier. Sweden uses the “person number”, which is based on the date of birth and four additional digits, as a public, persistent, unique identifier for each person living in Sweden. The number is assigned at birth and is managed by the tax authority.
It is found on all identity documents and in all public registries, as well as in all private companies where identity management is important. This is the major reason why Sweden has been so successful in digitalization, realized through the national digital identification service BankID.
BankID was originally designed as a collaborative technology between the major banks, but is today used in most instances when Swedes need to prove their identity online, both in the public and private sector. In 2021, each holder of a BankID used it on average twice per day, and usage is still growing. Of course, this system is neither completely safe, nor integrity-friendly, and identity theft and fraud using BankID is on the rise.
For cultural reasons, Swedes seem less concerned with the fact that this number can be used to completely map an individual (Sweden also has the Principle of Publicity as part of the constitution, which, among other things, stipulates that e.g. individual taxable income is an information set that is openly available to everyone). Sweden, of course, is quite peculiar in this regard in an international context.
A Closer Look at the Challenges and Solutions of the Digital ID Wallets
What a proper digital identity wallet must do is to overcome the current challenge of a public, unique, persistent identifier. It must allow tracking over time per contact, otherwise it cannot be used to automate identification and authentication workflows.
And it must ensure that these identifiers are not freely available to third parties. At this stage it looks uncertain whether the EU Commission will actually put these twin requirements into the new, proposed regulation. If so, eIDAS2 will likely not deliver what is planned.
Of course, there is nothing stopping private initiatives from building and marketing this technology to the public. As in many other instances, driving technological change through legislation is a high-cost, high-risk effort. And yes, you guessed it, we think we have got a very good workable solution to this problem with Truid.