The Revision of the eIDAS Regulation: a great opportunity for Europe and its Citizens (and a challenge)
ABSTRACT
The eIDAS Regulation regulates the socio-economic aspects of electronic trust services, not their technical functionality: this is the only way for the legislation to be truly technology neutral, to avoid stifling innovation and to create a single market.
To seize the great opportunity of pan-European digital identities, the Commission, the Council and the European Parliament should:
- improve the terminology, properly distinguishing identification from authentication
- upgrade authentication services from mere ancillary services to the European Digital Identity Wallets (EDIW) into fully fledged qualified trust services
- keep (and possibly enhance) the successful conformity assessment scheme in place since 2015 for qualified trust service providers
- define the security requirements for (qualified) attestations of attributes and (qualified) authentication tools
- better co-ordinate the eIDAS Regulation with the DMA, the DSA and the GDPR.
1. A proper functional definition of electronic identity – Terminology
A person's 'digital identity' can be defined as the collection of all digital information that can be linked to the person[1]. These days, most of the information about a person is recorded in digital form and can be accessed independently of physical location. A digital identity defined this way consists of arbitrary types of information elements ("attributes"), including the person's national identity or identities linked to citizenship, residency, rights and obligations in one or more countries, together with the attributes associated with each national identity.
The concept of identity has changed completely in the digital age[2]:
First, for millennia, in the analogue and oral world, one's identity was presented by the physical person and could be verified only through witnesses (family members, friends and other more or less institutional witnesses). This is why kings were often born in public.
Then, for about a century (the XX century, particularly under the totalitarian regimes of its first half), identity was verified through physical presence and identification documents, but without recourse to any central database: the authenticity of a document was verified by comparing it with a specimen.
In the XXI century identity verification mostly happens through access to central databases, where the proof of identity (passport, username/password, biometric data, etc.) is checked against information (or even profiles) kept in a centralized repository.
Today, vast amounts of identity information are collected, aggregated, analysed and profiled by different actors, notably the big technology platforms. This identity information has great commercial value, as it allows the tailoring of commercial information, but also of political and other information. This tailoring of the information a person is exposed to in turn has a feedback effect that shapes a person's opinions and ultimately can reinforce or amplify properties of the person's identity.
Today, citizens are not in control of their digital identity. Gaining control and limiting use and abuse of identity information is the political goal set by Next Generation EU. This goal is different from, but also linked to, data protection and GDPR. While this broad scope of digital identity is outside of what can be regulated by a revised eIDAS Regulation, the measures enforced by eIDAS should contribute towards personal control of identity information.
Identification, from a legal and functional point of view in the context of the eIDAS Regulation, has different moments/functions:
- The bestowing by the state upon its citizens of their official administrative identity, fixing certain person identification attributes that are represented on one or more identification tools (ID card, passport, driving licence, etc. and, after the amendment of the eIDAS Regulation, the European Digital Identity Wallet), through which a certain degree of unique and persistent identification is achieved. This function is properly named and defined as the generation of the administrative identity of a citizen. In most states it is steered and executed by a public sector body. According to Union law[3] this is an exclusive competence of the member states.
- The use by citizens of their person identification data when interacting with platforms, websites, apps and other online services. Currently, in this case, all identities are claimed and the resulting user profiles are managed by the relying parties (normally for-profit companies, large platforms, gatekeepers, etc.).
According to Union law, citizens interacting with any legal entity have the right not to disclose their full person identification data, and the disclosure of such attributes cannot be mandated unless the relying party is under a legal obligation to fully identify the person it is interacting with (as in litigation before a court, interaction with a public administration, KYC, anti-money-laundering, etc.). This second legal/functional aspect can therefore be subdivided into two sub-functions, which shall be made recognizable to the citizen in order to avoid the use/misuse of personal data and/or an undue limitation of the exercise of fundamental rights:
- The citizen interacts with a public or private legal entity that has an obligation to perform a full personal identification: here a full personal identification is carried out, and so it must be;
- The citizen interacts with a public or private legal (or natural) person that has no right to require full disclosure of person identification data: here authentication of the citizen is sufficient, only some attributes may be asked for, and the citizen should be made aware of this according to Union law (GDPR, consumer protection, etc.).
Therefore, to protect citizens from abuse, it is recommended that identification is kept neatly and clearly separated from authentication:
- the first (identification) is an expression of the public powers of the state towards its citizens (powers restrained only by the fundamental rights enshrined in the Union Treaties and by the national constitutions);
- the second (authentication) is a widely deployed and intensively used electronic service, which the Commission proposal COM(2021) 281 partially includes among the trust services (as attestation of attributes).
The separation may be achieved either by using different tools or by providing a single tool that does both, as currently envisaged by the COM(2021) 281 proposal.
In any case, for clarity, a more linear terminology is recommended:
'Electronic personal identification means' are a way to prove the unique identification of a person in a given context, using means under the control/responsibility of member states, regulated by Chapter II of the eIDAS Regulation.
'Electronic personal authentication means' are ways to prove (without necessarily disclosing one's identity) that one has the attributes required to access a given online or offline interaction/service. Online authentication is practised several billion times a day, but only by means of proprietary, opaque and often insecure authentication methodologies/technologies. Identity theft is rife.
Why are certified person identification data (or, in short, "eIDs") one of the pillars of NextGenerationEU?[4] The certification of person identification data is essential to allow us to be true digital citizens, with all our freedoms, rights and obligations also in the digital domain, when we authenticate ourselves towards digital platforms.
With current authentication systems our participation in digital transactions is a mere legal fiction, without any phenomenological foundation. We will be able to fully exercise our rights in the digital domain only if we can authenticate on platforms and services (also under a pseudonym or anonymously), providing trusted attestations of attributes if and when required.
Currently we are defined by the digital domain in which we (natural persons) operate: we do not own our identity, nor can we control it, and we are thus forced to have one electronic authentication for each domain we access. The only function of the current eIDs (normally managed either by the state or by gatekeepers) is to be (passively) identified. The design of the existing eIDs does not consider the aspect of claiming and enforcing rights[5].
The eIDs under national control foreseen in Chapter II of the current eIDAS Regulation are too different from each other to allow smooth cross-border use. Therefore, in Chapter II the Commission envisages a new national identification scheme for each member state. This new identification scheme is bound to use European Digital Identity Wallets (EDIW) and a series of technologies currently being negotiated between member states and the Commission (the so-called "toolbox", following Commission Recommendation 2021/946). Furthermore, such identification schemes will be considered by law to be critical infrastructures, according to the proposed directive. European citizens can be provided with eIDs (electronic personal identification means) that have a critical mass of deployment and technological features that pose a real alternative to the currently available authentication systems. Therefore, the Commission proposal COM(2021) 281 proposes that eIDs shall be regulated and issued under a single European framework, which should be technology neutral, compliant with the founding principles of the Union (TEU and TFEU), instrumental to the proper enforcement of the GDPR, secure, and open to any IT system willing to operate using open, transparent, secure, properly assessed technologies.
But while this addresses the needs of the digitalization of the states and the needs of citizens towards the public administration (not only to be identified, but also to have a tool for exercising their rights towards the state), there is still the need to provide citizens with a secure tool for authenticating towards all other platforms (small and large) and towards "gatekeepers".
In fact (as stated by both the Evaluation study and the Impact assessment study) there is a need for advanced and qualified authentication schemes, for the following reasons:
- There is a need for advanced authentication schemes, because the Union cannot impose mandatory supervision on all existing authentication schemes (mostly username and password), and in particular on long-established secure authentication schemes (such as online banking, payment systems and insurance). These schemes are an expression of the ingenuity and creativity of enterprises and should be allowed to benefit from and capitalize on the creation of a European qualified trust service scheme. As with trust services, the existence of non-qualified trust services was essential for extending and improving the existing qualified services. So, for the success of European (qualified) electronic authentication, an ecosystem is needed in which simple, advanced and qualified authentication (possibly based on electronic attestations of attributes that match nationally certified identification attributes) co-exist in a regulated manner.
- Simple electronic authentication schemes, e.g. as currently offered by Facebook, Google, etc., do not fulfil the functional requirements for advanced (substantial or high assurance level) authentication set by the eIDAS Regulation. Everyone is free to create an electronic authentication scheme. There is no supervision, but such schemes have to comply with the GDPR, the DSA and the DMA.
- Advanced electronic authentication schemes fulfil the functional requirements set by the eIDAS Regulation in Annexes V and VI (see attachments) and (also) utilize advanced attributes (as defined in Annex VI), but cannot use qualified or certified attributes.
- Qualified electronic authentication schemes use qualified identification tools and are the only ones allowed to use/access qualified and certified attributes.
- There is also a need for qualified authentication schemes and attestations of attributes, because "qualified" in eIDAS terminology means an "advanced" trust service with two fundamental add-ons that benefit both users and service providers:
- necessarily provided through a tool whose security is assessed and certified[6], AND
- necessarily provided by a qualified trust service provider.
The success of European digital signatures and of qualified certificates is a direct consequence of the proper definitions provided by Articles 3 and 26 and by Annexes I and II of the eIDAS Regulation. So, for the success of European electronic authentication, as was done for the advanced electronic signature, a definition of advanced electronic attestation of attributes (for advanced electronic authentication) is needed, on top of which the definition of "qualified" electronic attestation of attributes can be built, determining which security certifications are needed and which are the essential elements of a qualified authentication scheme.
- The essential elements common to all existing authentication schemes are[7]:
- A set of attributes needed for being recognized and authenticated by the system;
- A set of rules against which the attributes are assessed;
- A security policy;
- One or more formats for the attributes needed/used by the electronic authentication scheme;
- A human interface (a tool, which may be hardware and/or software) for users who are natural persons.
The functional requirements for a European secure, transparent and technologically open[8] electronic authentication that respects the founding principles of the Union are:
- Requirements on the advanced attributes for identification and the advanced attributes for personal identification:
- They shall explicitly state whether they are self-claimed or attested by a third party, specifying what kind of third party (service provider, qualified service provider or authentic source);
- Their form and formats shall be standardized, ensuring EU-wide use/adoption and their usability with the advanced/qualified identification tools.
- Requirements on the authentication services (qualified and non-qualified):
- They should provide the necessary security, and be responsible for it, according to open and disclosed security policies;
- They should provide privacy by design and data minimization, supporting their users in understanding and verifying whether a request for personal data is illegitimate;
- They should be subject to GDPR conformity assessment according to art. <XX> of GDPR.
- A supervisory and conformity assessment scheme for qualified electronic authentication trust service providers.
- Because (qualified) authentication services may be embedded in a physical device (a smartphone or a dedicated device), there should be a set of security requirements and a security certification scheme for qualified authentication tools, similar to those that the eIDAS Regulation provides for signature creation devices and for electronic identification means[9].
Once this minimal set of functional requirements for private authentication and attestation-of-attributes services is agreed, some issues remain with the terminology adopted in the proposal COM(2021) 281.
Terminology in the eIDAS Regulation should be as consistent as possible with the technical jargon, but at the same time it has to reflect that European electronic authentication aims to establish and protect the fundamental rights of European citizens also in digital interactions.
In fact, the eIDAS Regulation regulates "electronic signatures" and not just "digital signatures", because the target of the Regulation is not the technical cryptographic process of creating digital signatures (used for "handshakes" and telecommunication integrity); the target of the Regulation is the human/social activity of (so to speak) creating a handwritten signature by digital means.
Likewise, the electronic identification and authentication regulated by the eIDAS Regulation (and by the Commission proposal) is not the technical process carried out billions of times every hour in telecommunications and network security: it is the human/social activity of ascertaining whether a natural or legal person is entitled to access a digital service (online or offline).
And again, the EDIW regulated by the eIDAS Regulation is not just some technical gadget gathering information and attributes about its holder (as wallets currently do): it is "our digital twin" (as stated in a powerful synthesis by Thierry Breton, EU Commissioner for the Internal Market). So the aim of the Regulation is not just to define some tech specs, but to ensure that our digital twin is not a digitally crippled version of ourselves. The EDIW, not unlike a joystick, is just a technical human interface: what matters is not how many buttons, sensors and flashing lights it has, but what we can (or cannot) activate/verify/handle through it, and how securely and easily we can use it. With a joystick we may simply play a video game, but with joysticks one may steer a 300,000-tonne ship, fly an airplane or control a crane. The EDIW may be just the holder of some crypto-tokens (such as person identification data), but it could also be a tool for systematic state intrusion into the private sphere of citizens. It may be an enhancement of personal data protection, but it could also be the end of any form of privacy. It all depends on what the eIDAS Regulation will state (and not state), on what it will define (and not define).
Ultimately, what an EDIW shall be (or not be) is a political, not a technical, decision; what shall be allowed and what forbidden in an authentication process is not a technical decision, it is a political decision. Therefore it should be stated by the law, not by any (technical or administrative) body that has no political legitimacy and accountability.
So the legislative terminology should not try to re-define technical objects or procedures as such. It should provide a clear definition of the human/social activity it wants to regulate: electronic signatures (not digital signatures); legal/social authentication, not technical authentication; what an EDIW shall and shall not do (or be used for), not how many interfaces and technical functions it shall provide.
Following this line of reasoning, it becomes quite easy to find proper definitions that help in regulating electronic identification and electronic authentication in a technologically neutral, open, secure and transparent way.
Let us have a look at how the terminology may be improved:
- attributes and credentials: why the distinction? "Attributes" is sufficient; "credentials" creates confusion. The ISO/IEC 29115 terminology[10] applies to technical processes and does not consider that European eIDs are regarded by the new legislation as a means to establish and protect the human/civil rights of European citizens. ISO/IEC addresses only the procedural[11] and functional aspects of authentication and identification. Fundamentally, the eIDs in the ISO/IEC context are entities that do not have inalienable rights, but are simply designed/defined in order to participate in technical identification and authentication procedures.
- 'electronic identification' means:
- the process of loading/storing person identification data in electronic form into electronic identification means, according to the rules of an electronic identification scheme that ensures that the electronic identification means are handed out (online or offline) personally to the digital identity subject (passive identification);
- the use of person identification data in electronic form by electronic identification means, by an electronic authentication trust service and/or by a relying party (active identification).
- 'electronic identification means' means a material and/or immaterial unit, including European Digital Identity Wallets or ID cards following Regulation 2019/1157, containing person identification data and which is used for authentication for an online or offline service (current text: 'electronic identification means' means a material and/or immaterial unit containing person identification data and which is used for authentication for an online service);
- 'person identification data' means a set of attributes enabling the identity of a natural or legal person, or of a natural person representing a legal person, to be established. If the subject of the person identification data is a natural person:
- the person identification data shall be consistent with Article 3 of Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards, and shall comply with the requirements set out in points (c), (d), (f) and (g) of the Annex to Regulation (EC) No 1030/2002 as amended by Regulation (EU) 2017/1954;
- the person identification data are personal data according to Article 4(1) of the GDPR; furthermore, Article 9(1) of the GDPR applies when person identification data are used for unique identification.
- 'electronic identification scheme' means a system for electronic identification under which electronic identification means are issued to natural or legal persons, or natural persons representing legal persons (current text: 'electronic identification scheme' means a system for electronic identification under which electronic identification means are issued to natural or legal persons or natural persons representing legal persons, by means of an electronic identification);
- 'authentication' means an electronic process where a natural or legal person[12] presents one or more attributes for validation against a set of (legal and/or technical) requirements, in order to access (online or offline) a certain domain or to execute certain electronic interactions. When authentication makes use of a set of person identification data/attributes sufficient for unique identification, the process is equivalent to (active) electronic identification;
- 'qualified authentication' is the authentication process executed by tools/services provided by a qualified trust service provider using qualified/certified attestations of attributes issued according to Annex V;
- 'relying party' means a natural or legal person that relies upon an electronic identification according to Chapter II of this Regulation, or upon any trust service according to Chapter III of this Regulation that relies upon an electronic identification;
- 'validation' means the process of verifying and confirming the origin and integrity of:
- electronic signatures, seals and timestamps;
- electronic attestations of attributes;
- generic data.
- 'attribute' is any relevant information about a natural or legal person in electronic form. An attribute may be:
- self-declared;
- attested by a trust service provider;
- attested by a qualified trust service provider;
- certified by an authentic source;
- 'electronic attestation of attributes' means an attestation in electronic form of one or more attributes that allows validation and verification and meets the requirements laid down in Annex V;
- 'qualified electronic attestation of attributes' is an electronic attestation of attributes issued by a qualified trust service provider;
- 'subject' of the electronic identification/authentication is the natural or legal person to whom the attested/certified attributes belong.
2. What authentication and identification in the context of eIDs are
The current ISO/IEC definitions of authentication and identification are insufficient for a European eID, for the reasons stated in section 1 above. It is necessary to define identification and authentication in a manner consistent with the scope and needs of electronic identification by the member states and of electronic authentication of citizens, which means: protecting privacy and enforcing the GDPR and the other fundamental rights enshrined in the Treaties of the Union.
In section 1 above, under letters b) to m), we have proposed definitions that are consistent with current technical terminology but also respectful of the needs of security and sole control by citizens, which are essential for the NextGenerationEU eIDs:
'Electronic personal identification means' or eID is a way to prove the unique identification of a person in a given context, using means under the control/responsibility of member states, regulated by Chapter II of the eIDAS Regulation.
'Electronic personal authentication means' are ways to prove (without necessarily disclosing one's identity) that one has the attributes required to access a given online or offline interaction/service. Online authentication is practised several billion times a day, but only by means of proprietary, opaque and often insecure authentication methodologies/technologies.
3. Why to separate identification and authentication in the Commission’s proposal and how to do it
The fundamental question is: is it better to have one tool for all of a citizen's needs, or different tools, one for dealing with the state (public administration) and one for all other needs?
In the physical world we would be outraged if asked to show an ID at the petrol station, when entering a club or when buying a newspaper. And whoever has tried to control five devices (stereo, TV, DVD, recorder, satellite receiver) with a single remote control knows that this is not always a winning user experience.
But besides the (still substantial) user experience issues, there are more fundamental issues at hand if attributes must (or can) be handled through national identification schemes and their tools (EDIWs). Here are some of the most relevant:
- If the single market for European trust services is to be accessed through 27 national (monopolistic) identity schemes[13], further market fragmentation is almost certain. Enhancing a single market by means of 27 monopolies has never been tried before[14];
- Even if some member states allow market competition in the identification scheme, the players will by definition be "national champions": such national champions, if they are also qualified trust service providers (as is very likely), will have an undue competitive advantage in the European market, because they will not only be qualified trust service providers but will also be able to claim to be running a national identification scheme (and a European critical infrastructure). All other market players will be at a disadvantage and innovation will surely be hampered, if not completely annihilated;
- The Commission and the ECJ have set conditions for the creation of national monopolies. While those conditions are met with respect to handling national state identification schemes linked to identification documents[15], they are not met[16] for the authentication market, a multi-billion market in which hundreds of thousands of companies are involved globally, from very small enterprises to large platforms and gatekeepers.
- The security requirements and conformity assessment procedures under Chapter III of the eIDAS Regulation are more specific and demanding than the current requirements of Chapter II for electronic identification schemes. The NIS2 Directive needs at least three years to build the new supervision and reporting procedures for the notified identification schemes. A merger of, or extensive interaction between, the operations of providers under Chapter II and providers under Chapter III can pose significant security issues and insurmountable competition issues: there is currently (and will not be in the foreseeable future) no level playing field between notified providers under Chapter II and qualified trust service providers under Chapter III of the eIDAS Regulation. This means that the only available qualified providers of electronic attestations of attributes will be the entities in charge of the national identification schemes. Providing the residual attributes, such as academic titles or professional qualifications, has never been a market, and it will not become one if decoupled from electronic authentication services.
- The data protection problems highlighted by both the Evaluation study and the Impact assessment study[17] would be further aggravated, because eIDAS does not explicitly support so-called "zero-knowledge claims", which are essential under the GDPR. The way the national identification schemes (and their wallets) are regulated by the amendment proposal is incompatible with "zero-knowledge claims". For "zero-knowledge claims" the attestation-of-attributes provider must be allowed to issue tokens that allow the assertion of such claims. "Zero-knowledge claims" are a privacy-enhancing private service that can be provided by attestation-of-attributes service providers (qualified and not) when users interact with private (and, why not, public) relying parties.
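As an added illustration (not part of the original paper, nor of the Commission proposal or any named standard) of the data minimization requirement on authentication services and of the "zero-knowledge claims" discussed above, the following Python sketch shows the mechanics of hash-based selective disclosure: the attestation provider commits to each attribute with a salted digest and signs only the digest list; the holder reveals just the attributes a relying party may legitimately request (here only an "over_18" flag, not the name or birth date); the relying party verifies offline, so the issuer learns nothing about where the attestation was used. The issuer identifier, the attribute names and the HMAC standing in for the issuer's digital signature are assumptions of this example. This is the simplest form of such claims; proving a predicate (for instance age over 18) from a committed birth date without an issuer-supplied flag requires a real zero-knowledge proof system, which this sketch does not implement.

```python
"""Salted-digest selective disclosure of attested attributes (illustrative example)."""
import hashlib
import hmac
import json
import secrets


def _canonical(obj) -> bytes:
    # Deterministic JSON so issuer and verifier hash exactly the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(salt: str, name: str, value) -> str:
    # One commitment per attribute. The random salt stops a verifier from
    # brute-forcing low-entropy values (e.g. a birth year) against the digest.
    return hashlib.sha256(_canonical([salt, name, value])).hexdigest()


def issue_attestation(issuer_key: bytes, issuer_id: str, attributes: dict):
    """Issuer side: returns (attestation, disclosures).

    The attestation carries only digests. The disclosures (salt + value per
    attribute) go to the holder's wallet and reach a relying party only if the
    holder chooses to reveal them.
    """
    disclosures = {}
    digests = []
    for name, value in attributes.items():
        salt = secrets.token_hex(16)
        disclosures[name] = {"salt": salt, "value": value}
        digests.append(_digest(salt, name, value))
    # Sorted digests: the position in the list reveals nothing about which
    # attribute was withheld.
    payload = {"iss": issuer_id, "digests": sorted(digests)}
    # ASSUMPTION: HMAC stands in for the issuer's digital signature. A real
    # (qualified) attestation would carry a public-key signature verified
    # against the issuer's certificate, so the verifier needs no shared key.
    tag = hmac.new(issuer_key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": tag}, disclosures


def present(attestation: dict, disclosures: dict, reveal) -> dict:
    """Holder side: attach only the chosen attributes to the signed attestation."""
    missing = set(reveal) - set(disclosures)
    if missing:
        raise KeyError(f"attributes not in attestation: {sorted(missing)}")
    return {"attestation": attestation,
            "disclosed": {name: disclosures[name] for name in reveal}}


def verify_presentation(issuer_key: bytes, presentation: dict, required) -> dict:
    """Relying party side: returns the verified attributes or raises ValueError.

    Verification is entirely offline: nothing goes back to the issuer, so the
    issuer learns nothing about where or when the attestation was used.
    """
    att = presentation["attestation"]
    expected = hmac.new(issuer_key, _canonical(att["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, att["sig"]):
        raise ValueError("attestation signature invalid")
    committed = set(att["payload"]["digests"])
    verified = {}
    for name, d in presentation["disclosed"].items():
        # Each revealed (salt, name, value) must open one of the signed commitments.
        if _digest(d["salt"], name, d["value"]) not in committed:
            raise ValueError(f"attribute {name!r} does not match the attestation")
        verified[name] = d["value"]
    missing = set(required) - set(verified)
    if missing:
        raise ValueError(f"required attributes not disclosed: {sorted(missing)}")
    return verified


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed issuer key for this demo only
    att, disc = issue_attestation(key, "example-issuer", {
        "given_name": "Maria", "family_name": "Rossi",
        "birth_date": "1990-05-01", "over_18": True, "nationality": "IT"})
    # An age-gated shop needs only over_18; name and birth date stay in the wallet.
    pres = present(att, disc, ["over_18"])
    print(verify_presentation(key, pres, required=["over_18"]))
```

The relying party ends up with exactly the attributes it is entitled to ask for, and a tampered value, a forged attestation or a presentation that withholds a legally required attribute all fail closed.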
In fact, both the Evaluation study and the Impact assessment study considered only the case of national identities (issued according to Chapter II of the Regulation) being handled by qualified service providers supervised according to Chapter III of the Regulation[18]. The current proposal has turned the findings of both studies upside down!
In fact, one can read that the COM(2021) 281 proposal has put the (qualified) attestation-of-attributes service providers at the service of the monopolistic national identification schemes and their European Digital Identity Wallet, in several ways:
- Art. 45b: prohibiting the use of qualified attestations of attributes for authenticating towards an online service provided by a public sector body;
- Art. 45e: providers of qualified electronic attestations of attributes shall provide an interface with the European Digital Identity Wallets issued in accordance with Article 6a. An incomprehensible provision, because it is not clear whether this may mean 26 different additional interfaces, nor whether it must be free of charge;
- Art. 6a(4)(a)(1): Digital Identity Wallets shall, in particular, provide a common interface to qualified and non-qualified trust service providers issuing qualified and non-qualified electronic attestations of attributes or other qualified and non-qualified certificates, for the purpose of issuing such attestations and certificates to the European Digital Identity Wallet;
- Art. 6a(4)(a)(2): Digital Identity Wallets shall, in particular, provide for relying parties to request and validate person identification data and electronic attestations of attributes;
- Art. 6a(4)(a)(3): Digital Identity Wallets shall, in particular, provide for the presentation to relying parties of person identification data, electronic attestations of attributes or other data;
- Art. 6a(4)(b): Digital Identity Wallets shall, in particular, ensure that trust service providers of qualified attestations of attributes cannot receive any information about the use of these attributes.
So, in the current proposal COM(2021) 281, the provision of (qualified) attestations of attributes is an ancillary service to the national identification schemes and their (national) European Digital Identity Wallets. This option was considered neither in the Evaluation study nor in the Impact assessment.
Considering the long and extensive contacts between the Commission and the member states (there were no further contacts between the Commission and stakeholders beyond those reported in the Evaluation study and the Impact assessment study), one should assume that for (the majority of) the member states it is unacceptable to have national identity schemes presented through market tools.
On this assumption, the most reasonable and viable solution at hand (as already suggested by the Evaluation study and the Impact assessment study) is to keep the separation between Chapter II and Chapter III services, recognizing as (qualified) trust services:
- the provision of authentication tools/services,
- the provision of attributes attestations and the support GDPR compliant authentication to platforms, with data minimization and privacy by design
- electronic archiving services
- electronic ledgers.
To avoid private authentication services remaining unestablished until all 27 member states have agreed on a European Digital Identity Wallet, the separation between European (qualified) electronic authentication services and national electronic identification schemes should be preserved for the time necessary for the member states to establish such new schemes[19]. Despite the very stringent (and possibly over-optimistic) provision of twelve months, it is most likely that much more time will be needed to establish the new additional national identification schemes, whose completion also requires that the NIS2 Directive has come into full effect.[20]
The legal requirements set by the COM281/2021 proposal for the national identification schemes are the following:
a) According to the NIS2 Directive that is extensively referenced in Chapter II[21]:
- a strategy on the resilience of critical entities (art. 3)
- the thereto related risk assessments (art. 4)
- the identification of critical entities (art. 5)
- the establishment of the competent authorities (art.6)
b) According to the amended Chapter II identification schemes having all requirements set by articles 6a to 12c, such as:
- European Digital Identity Wallets
- with a common interface (art. 6a (4a))
- meeting the requirements set out in Article 8 with regards to assurance level “high”, in particular as applied to the requirements for identity proofing and verification, and electronic identification means management and authentication (art. 6a (4c))
- ensuring that the person identification data referred to in Article 12(4), point (d) uniquely and persistently represent the natural or legal person associated with it (art. 6a (4e))
- validation mechanisms for the European Digital Identity Wallets (art. 6a (5))
- made accessible for persons with disabilities in accordance with the accessibility requirements of Annex I to Directive 2019/882 (art. 6a (10))
- properly communicated relying parties[22] (art. 6b)
- the certification of European Digital Identity Wallets (art. 6c)
- the publication of a list of certified European Digital Identity Wallets (art. 6d)
- the notification to the Commission of the national identification schemes (art.7 and 9 (2) (3))
- a unique identifier (art. 11a)
- the establishment between member states of an exchange of information, experience and good practice as regards electronic identification schemes and in particular technical requirements related to interoperability, unique identification and assurance levels (art. 12 (6a))
- the certification of identification schemes (art. 12a)
- the establishment of technical interoperability between a European Digital Identity Wallet issued by one member state and the service provided by another and of codes of conduct (art. 12b)
- a Toolbox for a coordinated approach towards a European Digital Identity Framework, following Commission Recommendation 2021/946
If the current proposal is kept (where authentication services are ancillary to national identification schemes and national European Digital Identity Wallets), it is highly unlikely, if not simply impossible, that any provider of attribute attestations and of authentication services will start operating, or will apply for accreditation as qualified, before all national schemes have been established. So the current proposal risks freezing the existing market of trust services, de facto forcing providers to wait for the establishment of the national schemes.
But even once all national identification schemes have been established, if the (qualified) authentication and attribute attestation service providers are considered ancillary to the national schemes (and Wallets), there will clearly be no single market for authentication and attribute attestation services, which defeats the purpose of establishing such services.
4. The establishment of a set of hard functional and technical requirements that ensure that citizens have full and sole control on their personal attributes
The precise definition of “sole control” of advanced and qualified signatures was essential for their successful adoption worldwide. The same is true for electronic identity, and not only for reasons related to the (technical) needs of cybersecurity: it is evident that flaws in the functionalities of the eID may directly impact the fundamental rights enshrined in the TEU and in the other treaties of the Union.
eIDs are far more complex than signatures and certificates. Still, there is another analogy between eIDs and advanced/qualified electronic signatures: they can be under the sole control of the citizen either remotely or locally and, also, through a hybrid solution, e.g. where an RFID token activates the identification/authentication tool.
Therefore, further security targets should be set in Annex V and VI of the Regulation.
Let’s see how.
Annex V
Functional and Security Requirements on Advanced/Qualified Electronic authentication Tools
Advanced electronic authentication/identification tools shall:
- ensure, by appropriate technical and procedural means, that at least:
  - the confidentiality of the authentication data is reasonably assured;
  - authentication by use of the electronic authentication data can practically occur only once; NOTE: as for electronic signatures, this implies a cryptographic operation on a challenge resulting in a unique value;
  - the electronic authentication data used for authentication cannot, with reasonable assurance, be derived using currently available technology;
  - the authentication data used for authentication can be reliably protected by the legitimate person against use by others;
  - the data stored therein can be created, modified and deleted only with the explicit consent of its owner;
- be uninstallable only by their owner;
- accept all formats of advanced electronic attestation of attributes;
- provide, only to a legitimate user, a seamless history of all identification/authentication processes carried out with the tool;
- be able to provide person identification data as determined by the applicable Member State;
- (other requirements?)
Qualified electronic authentication tools are advanced authentication tools that:
- are issued by a Qualified Trust Service Provider;
- (other requirements?)
Conformity of qualified identification tools with the requirements laid down in this Annex shall be certified by appropriate public or private bodies designated by Member States. Article 29 sections 2 and 3 apply[23].
Annex VI
Requirements on advanced electronic attestation of attributes
Advanced electronic attestation of attributes shall contain:
(a) an indication, at least in a form suitable for automated processing, that the attestation has been issued as an advanced electronic attestation of attributes;
(b) a set of data unambiguously representing the trust service provider issuing the electronic attestation of attributes including at least, the Member State in which that provider is established and:
– for a legal person: the name and, where applicable, registration number as stated in the official records,
– for a natural person: the person’s identification data, according to Regulation 2019/1157;
(c) a set of data unambiguously representing the entity which the attested attributes refer to; if a pseudonym is used, it shall be clearly indicated;
(d) the attested attribute or attributes, which shall clearly and explicitly state whether the attributes therein attested are:
- self declared (claims)
- attested by a trust service provider (attributes)
- attested by a qualified trust service provider (qualified attributes)
- certified by an authentic source (certified attributes);
(e) details of the beginning and end of the attestation’s period of validity;
(f) the advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider;
(g) the location where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (f) is available free of charge;
(h) the information or location of the services that can be used to enquire about the validity status of the qualified attestation;
(i) a format compliant with the standards referenced according to art. 45c section 4.
Qualified electronic attestation of attributes shall additionally contain:
(j) the attestation identity code, which must be unique for the qualified trust service provider and if applicable the indication of the scheme of attestations that the attestation of attributes is part of.
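The two annexes above describe a data structure and a protocol property without showing either in code. The following is an added example (not part of the original paper, nor of the Commission's proposal) that models the Annex VI fields (a)-(j) as a sealed attestation and the Annex V note (a cryptographic operation on a fresh challenge, usable only once) as a challenge-response exchange with both sides' messages. It assumes Go's standard-library ed25519 as the asymmetric signature primitive; the struct field names, the hypothetical verifier, the attribute class strings and all sample values are the example's own choices (the standards of art. 45c(4) are not on the page, so no real wire format is used). It goes slightly beyond the text by showing what a verifier must reject: an expired or tampered attestation, a replayed response, and a response to a different challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attribute is one attested attribute; Class records the distinction of point (d).
type Attribute struct{ Name, Value, Class string }
var validClasses = map[string]bool{"claim": true, "attribute": true, "qualified": true, "certified": true}

// Attestation holds the Annex VI fields (a)-(j); field names are this example's own, not a standard format.
type Attestation struct {
	Advanced, Qualified         bool        // (a) machine-readable indication; Qualified selects the (j) rule
	IssuerName, IssuerState     string      // (b) issuer and member state of establishment
	Subject                     string      // (c) entity the attributes refer to (a pseudonym must be marked)
	Attributes                  []Attribute // (d)
	NotBefore, NotAfter         time.Time   // (e) validity period
	CertLocation, StatusService string      // (g) issuer certificate location, (h) validity status service
	AttestationID               string      // (j) unique code, required for qualified attestations
}
type Signed struct{ Payload, Signature []byte } // serialised attestation plus the issuer's seal, point (f)

// Issue checks the structural rules and seals the attestation with the issuer's key.
func Issue(issuerKey ed25519.PrivateKey, a Attestation) (Signed, error) {
	if a.Qualified && a.AttestationID == "" {
		return Signed{}, errors.New("qualified attestation needs a unique attestation identity code")
	}
	for _, at := range a.Attributes {
		if !validClasses[at.Class] {
			return Signed{}, fmt.Errorf("attribute %q has unknown class %q", at.Name, at.Class)
		}
	}
	payload, _ := json.Marshal(a) // cannot fail for this plain struct
	return Signed{Payload: payload, Signature: ed25519.Sign(issuerKey, payload)}, nil
}

// Verify checks the seal first and the validity period second; only then are the fields trusted.
func Verify(issuerPub ed25519.PublicKey, s Signed, now time.Time) (Attestation, error) {
	if !ed25519.Verify(issuerPub, s.Payload, s.Signature) {
		return Attestation{}, errors.New("issuer seal does not verify")
	}
	var a Attestation
	if err := json.Unmarshal(s.Payload, &a); err != nil {
		return Attestation{}, err
	}
	if now.Before(a.NotBefore) || now.After(a.NotAfter) {
		return Attestation{}, errors.New("attestation outside its validity period")
	}
	return a, nil
}

// Verifier hands out single-use challenges, so every authentication signs a fresh value (Annex V note).
type Verifier struct{ pending map[string]bool }
func NewVerifier() *Verifier { return &Verifier{pending: map[string]bool{}} }

// Challenge returns 32 random bytes and remembers them until they are consumed.
func (v *Verifier) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read always fills the slice; since Go 1.24 it never returns an error
	v.pending[hex.EncodeToString(c)] = true
	return c
}

// Check accepts a response once; the challenge is consumed even when the signature fails.
func (v *Verifier) Check(holderPub ed25519.PublicKey, challenge, response []byte) error {
	key := hex.EncodeToString(challenge)
	if !v.pending[key] {
		return errors.New("unknown or already used challenge")
	}
	delete(v.pending, key)
	if !ed25519.Verify(holderPub, challenge, response) {
		return errors.New("response does not verify")
	}
	return nil
}

func main() {
	issuerPub, issuerKey, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	now := time.Date(2022, 6, 1, 0, 0, 0, 0, time.UTC)  // constructed clock
	signed, err := Issue(issuerKey, Attestation{Advanced: true, Qualified: true, AttestationID: "QTSP-EXAMPLE-0001",
		IssuerName: "Example QTSP (constructed)", IssuerState: "IT", Subject: "pseudonym-42",
		Attributes: []Attribute{{"over18", "true", "certified"}}, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0)})
	if err != nil {
		panic(err)
	}
	_, err = Verify(issuerPub, signed, now)
	fmt.Println("attestation valid:", err == nil) // true
	holderPub, holderKey, _ := ed25519.GenerateKey(nil)
	v := NewVerifier()
	c := v.Challenge()
	r := ed25519.Sign(holderKey, c) // the holder's side: a signature over the challenge
	fmt.Println("first use:", v.Check(holderPub, c, r), "| replay:", v.Check(holderPub, c, r))
}
```

The verifier deletes the challenge before checking the signature, so a failed attempt cannot be retried against the same value; this is what makes "can practically occur only once" hold even for an attacker who records the exchange. The issuer's seal is checked before any field of the attestation is parsed or trusted, which is the order a relying party should always use.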
5. Coordination with relevant legislation – Open questions
1. eIDAS is a working European Cybersecurity accreditation scheme: how to co-ordinate it with the European Cybersecurity legislation?
Currently eIDAS provides an EU-wide system of supervision that uses a common set of standards and accredited evaluation facilities.
The creation of this conformity assessment scheme was successful; it can still be improved, but it is an asset on which one should capitalize.
The scope of the eIDAS conformity assessment is broader than the Cybersecurity assessment and is also more specific to the security needs of Trust Service Providers.
The reason why it was set up is that the different national accreditation schemes and supervisory rules were an insurmountable obstacle to a single market for trust services. It should be carefully considered whether it makes sense to discard what has been built so far in order to restart from scratch with a system of national cybersecurity supervisions, whose scope and practical experience (with respect to TSPs) is limited or non-existent.
We recommend funnelling the needs of national/European cybersecurity for TSPs and QTSPs through the eIDAS supervisory/accreditation schemes and through ENISA, while leaving the national cybersecurity authorities to deal with the cybersecurity issues of (other) critical infrastructure.
It is plainly evident that if trust service providers are subjected to requirements that apply to utilities (such as airports or nuclear reactors), there will be no start-ups and no innovation in the field of eIDAS, and most of the existing providers will be forced out of the market.
The NIS2 Directive can be helpful to force (in a time frame of three years, 2023-2025) all member states to adopt similar security requirements and incident reporting schemes for their national identification schemes. But it certainly has a negative impact on an existing and fully functional accreditation and conformity assessment scheme that was set up by the eIDAS Regulation in 2014, as extensively stated in the Evaluation study and in the Impact assessment study[24]:
- After the approval of the Directive, Member states have three years to define a Strategy on the resilience of critical entities (art. 3) and to identify critical entities (art. 5); the eIDAS conformity assessment is already up and running, with no problems whatsoever so far.
- The NIS2 Directive addresses the security of infrastructures that operate (almost exclusively) at national level
- NIS2 Directive addresses very large legal entities that are already under supervision by member states: if applied to qualified trust services, most existing providers would be forced out of the market
- Critical infrastructure security criteria are mostly about business continuity and incident reporting. The requirements set on QTSPs are much more specific and also broader.
- Critical infrastructure security is not concerned with innovation and technological neutrality, which are two important hallmarks of the eIDAS Regulation.
- eIDAS aims at establishing new electronic trust services in Europe: by definition, new services cannot (always) be provided by large corporations. Considering that QTSPs are already supervised and audited, additional obligations should be put on a QTSP only if it is evident that an incident may have significant disruptive effects. This is why it is recommended to require that member states be specific about the reasons why they put additional specific requirements on a QTSP, in consideration of the systemic impact of a possible incident.
2. eID is the necessary complement to GDPR: how to better co-ordinate it with GDPR?
It should be verified whether there are possible exemptions that may be granted to whoever uses advanced and qualified attributes under the sole control of the citizen: again, such exemptions may entice whoever accesses personal data to use advanced/qualified attributes. In the definition of authentication services, it is necessary to clarify that it is the responsibility (at least) of qualified trust service providers to ensure data minimization and privacy-by-design authentication systems, which means the adoption of “zero knowledge credentials” or “ABC4Trust” solutions.
3. Electronic identification/authentication is a key tool for enacting the DSA and DMA: how to better co-ordinate it with them?
It should be considered if the holders of European Digital Identity Wallets or using qualified authentication systems may have a possibility to self-enforce their rights against gatekeepers.
The possible overlaps between DMA, DSA and eIDAS are not regulated. Gatekeepers and other entities that follow eIDAS may use the weak co-ordination in order to claim exemptions to some obligations and/or claim that EU legislation is putting on them conflicting obligations.
It should be clarified whether a TSP or a QTSP is exempted from some requirements of the DMA and DSA.
If such an exemption is not foreseen, it should be properly analysed whether some DSA/DMA obligations are redundant for qualified providers of electronic attributes, given that such attributes are under the sole control of the citizens. Such a (reasoned!) exemption may entice gatekeepers to use advanced or qualified attributes, instead of their current proprietary (and monopolistic) solutions.
On the other side, there are some obligations on large platforms and gatekeepers that shall always apply also to QTSPs.
- Proposals for DMA
- Amend recital 40: Add at the end: “Under no circumstances shall a gatekeeper refuse without a just cause the authentication/identification tools provided by electronic identification schemes following Regulation (EU) 2014/910, and in particular qualified website authentication certificates, qualified signatures, qualified seals, qualified identification attributes or qualified electronic identification tools.”
- Amend article 5 paragraph 1 letter (e) as follows: “(e) refrain from rejecting without just cause any of the authentication/identification tools provided by electronic identification schemes following Regulation (EU) 2014/910, and in particular qualified website authentication certificates, qualified signatures, qualified seals, qualified identification attributes or qualified electronic identification tools. Furthermore, refrain from requiring business users to use, offer or interoperate with an identification service of the gatekeeper in the context of services offered by the business users using the core platform services of that gatekeeper;”
- Amend article 6 paragraph 1, letter (c) as follows: “(c) allow the installation and effective use of qualified electronic identification/authentication means following Regulation (EU) 2014/910 and in particular qualified electronic authentication/identification tools, or other third party software applications or software application stores using, or interoperating with, operating systems of that gatekeeper and allow these software applications or software application stores to be accessed by means other than the core platform services of that gatekeeper. The gatekeeper shall not be prevented from taking proportionate measures to ensure that third party software applications or software application stores do not endanger the integrity of the hardware or operating system provided by the gatekeeper;”
- Amend article 7 paragraph 1 as follows: “The measures implemented by the gatekeeper to ensure compliance with the obligations laid down in Articles 5 and 6 shall be effective in achieving the objective of the relevant obligation. The gatekeeper shall ensure that these measures are implemented in compliance with Regulation (EU) 2016/679, Regulation (EU) 2014/910[25] and Directive 2002/58/EC, and with legislation on cyber security, consumer protection and product safety.”
- Proposals for DSA
It is a problem of coordination between regulations, that the DSA doesn’t consider the eIDAS website authentication a tool for proper identification of a trader. Qualified website authentication certificates are successfully used in the PSD2 payments, properly identifying the transacting banks and payment services. Letters (a) to (f) of Article 22 paragraph 1 in fact repeat the requirements set already in Article 45 and in Annex IV of Regulation (EU) 2014/910, as implemented by ETSI 119 495.
Amend article 22 paragraph 1 as follows: “Where an online platform allows consumers to conclude distance contracts with traders, it shall ensure that traders can only use its services to promote messages on or to offer products or services to consumers located in the Union if, prior to the use of its services, the online platform has either verified that the trader is identified by a qualified certificate for website authentication, according to article 45 of Regulation (EU) 2014/910, or obtained the following information[26]:
(a) the name, address, telephone number and electronic mail address of the trader;
(b) a copy of the identification document of the trader;
(c) the bank account details of the trader, where the trader is a natural person;
(d) where the trader is registered in a trade register or similar public register, the trade register in which the trader is registered and its registration number or equivalent means of identification in that register.
The online platform shall in any case always obtain the following information:
(e) the name, address, telephone number and electronic mail address of the economic operator, within the meaning of Article 3 and Article 4 of Regulation (EU) 2019/1020 of the European Parliament and the Council or any relevant act of Union law;
(f) a self-certification by the trader committing to only offer products or services that comply with the applicable rules of Union law.”
FOOTNOTES
[1] As we can see in the “identity” provided to users by large platforms and gatekeepers (FAANGS and similar).
[2] Marit Hansen, Henry Krasemann, Martin Rost, Riccardo Genghini: Datenschutzaspekte von Identitätsmanagementsystemen; in: DuD 2003, 551 (Aufsatz).
Identity Management Systems (IMS): Identification and Comparison Study; Independent Centre for Privacy Protection (ICPP) / Unabhängiges Landeszentrum für Datenschutz (ULD) Schleswig-Holstein and Studio Notarile Genghini (SNG), 2003-09-07, Contract N°19960-2002-10 F1ED SEV DE.
Repkine, Alexandre and Hwang, Junseog (2004): A Network-Economic Policy Study of Identity Management Systems and Implications for Security and Privacy Policy.
[3] Pursuant to Directive 2004/38/EC, Member States are to issue and renew identity cards or passports to their nationals in accordance with national laws. Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement.
[4] State of the Union Address by President von der Leyen at the European Parliament Plenary 16th September 2020 https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_20_1655
[5] This is why the European Digital Identity Wallet is so important: it not only allows us get an identity certified by the state, but subsequently allows us also to present such identity to the state in a manner that protects our fundamental rights and allows us to exercise our rights toward the state, accessing and using its services online.
Average OECD state expenditure are: 18% for public health, 47% for pensions, 25% for running expenses. This means that the European member states through the eID and the European Digital Identity Wallets can simplify, streamline and control about 5 trillions of expenditures yearly. It is about 25% of the European GDP. The advantages for the states and for the citizen are immense. More transparency for the citizen, more accountability by the state and more control by the state.
[6] Such as the “token” (USB/smartcard) signature creation device or the remote signature creation service (remote/cloud signature).
[7] See ETSI TS 119 461 V1.1.1 (2021-07) Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects https://www.etsi.org/deliver/etsi_ts/119400_119499/119461/01.01.01_60/ts_119461v010101p.pdf
ETSI TR 119 460 V1.1.1 (2021-02) Electronic Signatures and Infrastructures (ESI); Survey of technologies and regulatory requirements for identity proofing for trust service subjects https://www.etsi.org/deliver/etsi_tr/119400_119499/119460/01.01.01_60/tr_119460v010101p.pdf
For a short presentation of both ETSI deliverables read: file:///Users/rgenghini/Downloads/ETSI%20standards%20for%20trust%20services%20and%20digital%20signatures%20-%206%20identity%20proofing%20SL%20v3%20(2).pdf
[8] For eSignatures to be technologically neutral is a tall order, but not impossible, because there is only one advanced electronic signature known: the digital signature generated with asymmetric cryptographic keys.
There are at least three technological families of eIDs. So eIDs cannot be truly “technologically neutral”: the best they can be is “technologically open”. It means that they are designed and built in a way that is compatible with most, if not all, of the existing families of eIDs.
[9] There are no obvious reasons for prohibiting the creation of secure authentication tools as means to perform a secure authentication procedure. Particularly after the compromise proposal of the French Presidency (where the EIDW becomes a more passive, simple tool that mainly protects the integrity of certified person identification data), it has become necessary that the EIDW is supported by smart and secure authentication services. In fact, a more simple (and therefore more secure) wallet, needs to be supported by smart authentication services or tools.
[10] ISO/IEC 29115 in a purely technical perspective provides the following definitions:
“3.1 Assertion: Statement made by an entity without accompanying evidence of its validity [ITU-T X.1252]. NOTE – The meaning of the terms “claim” and “assertion” are generally agreed to be somewhat similar but with slightly different meanings. For the purposes of this Recommendation (International Standard), an assertion is considered to be a stronger statement than a claim.
3.3 Authentication: Provision of assurance in the claimed identity of an entity [ISO/IEC 18014-2]”.
3.5 Authoritative Source: Repository which is recognized as being an accurate and up-to-date source of information.
3.6 Claim: Statement that something is the case, without being able to give proof [ITU-T X.1252].
NOTE – The meaning of the terms claim and assertion are generally agreed to be somewhat similar but with slightly different meanings. For the purposes of this Recommendation | International Standard, an assertion is considered to be a stronger statement than a claim.
3.8 Credential: Set of data presented as evidence of an asserted identity and/or entitlements [ITU-T X.1252].NOTE – See Annex A for additional characteristics of a credential.
3.11 Entity Authentication Assurance: Degree of confidence reached in the authentication process that the entity is what it claims to be or is expected to be [X.1252].NOTE – The confidence is based on the degree of confidence in the binding between the entity and the identity that is presented.
3.12 Identifier: One or more attributes that uniquely characterize an entity in a specific context.
3.13 Identity: Set of attributes related to an entity [ISO/IEC 24760]. NOTE – Within a particular context, an identity may have one or more identifiers to allow an entity to be uniquely recognized within that context.
3.14 Identity Proofing: Process by which the Registration Authority (RA) captures and verifies sufficient information to identify an entity to a specified or understood level of assurance.
[11] Such an authentication is compliant to the GDPR only if there is a legal obligation on the relying party to request full identity disclosure.
[12] I.e. a European citizen, not just an “entity”.
[13] The current Commission Proposal foresees that only (?) national “European Identity Wallets” shall be allowed to handle qualified attribute attestations. The business model is unclear, at least: should the national identity schemes pay the qualified providers of attribute attestations? Or should any third party do it, and if so for what reason?
[14] Reading the Evaluation study of the Regulation no.910/2014 (eIDAS Regulation) SMART 2019/0046 Final Report and the Study to support the impact assessment for the revision of the eIDAS regulation Final Report Contract number: SMART 2019/0024 VIGIE number: 2020/666, it is evident that the solution of the eWallet is foreseen as a tool created by the qualified service providers and made available for electronic identities provided by the states. The Impact assessment study further recommends mitigating the market solution with a proper integration between Chapter II and Chapter III services. It further states that
In the Evaluation study one can read at page 133 as recommendations for a fundamental review of the eIDAS:
<<• Consider the possibility for the private sector to be more involved as identity providers in the eIDAS ecosystems without relying on the notification of a Member State
• Consider the possibility to replace the current governance framework with a standard and certification-based system managed by a supervisory body>>
[15] Pursuant to Directive 2004/38/EC, Member States are to issue and renew identity cards or passports to their nationals in accordance with national laws. Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement.
[16] EU Treaties pose very strict limitations on (new) monopolies: they are set in (COM 2004C-101-08) and have been enshrined in the jurisprudence of the ECJ: Judgement 14/68, Walt Wilhelm and a./Bundeskartellamt (Walt Wilhelm), and more recently, Judgement Case T-203/01, Manufacture française des pneumatiques Michelin / Commission of the European Communities (Michelin II).
[18] In the Executive summary of the Evaluation study of the Regulation no.910/2014 (eIDAS Regulation) SMART 2019/0046 Final Report one reads: << One important modification could take place in a revision of the current regulatory framework. This would include the definition of trust services supporting the provision of identity attributes and remote authentication verification procedures, among others. Such modifications would not affect Chapter II (on eID) of the regulation but only Chapter III (on trust services). It would build on the pre-existing mutual recognition principle of notified eID scheme and extend use cases to the private sectors thanks to the adoption of new trust services. A more radical intervention in the domain of eID could also be foreseen. The provision of eID could be based on a principle of certification, where Member States could become authoritative sources for a series of legal identity attributes, while private sectors stakeholders could also become attribute providers for different sectoral needs (e.g. KYC information, address of residence, etc…). The functions of attribute provider, identity providers, identity broker, authentication providers could be clearly differentiated under a general federation. >>.
The Study to support the impact assessment for the revision of the eIDAS regulation Final Report Contract number: SMART 2019/0024 VIGIE number: 2020/666 suggests that the 3rd option (Establish a European Digital Identity personal Wallet App ecosystem) is preferable. It further specifies (page 162 ff.):
<< • Establish a European Digital Identity personal Wallet App ecosystem by:
o Entrusting Member States or qualified trust service providers to deploy it (Measure 1/PO3 Sub-Options 1 or 2);
o Setting common standards for the European Digital Identity Wallet with the aim to ensure interoperability with credential issuers (QTSPs under Option 2) and service providers. In addition, reference standards would be required to ensure compliance with the security and functional requirements to be set in the revised Regulation (Measures 2&3/PO3).
- Enable the free flow and exchange of digital identity data across borders and a strong, trusted link between them and the Wallet App by:
o Extending the scope of the Regulation with a new Qualified Trust Service for the secure exchange of data linked to identity (Measure 1/PO2)
o Requiring Member States to make available data stored in authentic sources, under the full control of the user, for the secure exchange of data linked to identity (Measure 2/PO2). This is a pre-requisite for the provision of attributes and credentials by qualified trust service providers.
o Setting security requirements and common technical standards for the secure exchange of data linked to identity (Measure 3/PO2)
o Defining the legal effect of digital identity ensuring that digital identity credentials are recognized across borders and are not denied legal effect (Measure 4/PO2)
o Requiring regulated sectors to rely on qualified digital credentials in order to improve the cross-border use of qualified certificates (Measure 5/PO2)
o Strengthening security requirements for mutual recognition (Measure 5/PO1) and ensure that components essential for the security of the wallet are certified in line with the state-of-the-art cybersecurity standards
o Extending the person identification data set recognised cross border (option 1, measure 5) to multiply the opportunities of the users to rely on the wallet (Measure 5/PO1)
- Ensure cross-border trustworthiness of the Wallet App by linking it to the eIDs notified by the Member States:
o Establish an obligation for Member States to offer eIDs and to notify them under eIDAS, facilitated by a streamlined notification procedure (measure 1/PO1)
- Ensure data protection and full user control over identity data by:
o Establishing legal requirements to ensure the protection of personal data (Measure 6/PO2) – the rules applicable to the issuers of qualified credentials would guarantee the user-centricity of the wallet and the protection of personal data.
o Strengthening security requirements for mutual recognition (Measure 5/PO1) would ensure that the Wallet App is equipped with the highest level of security to cover online use-cases at all levels of assurance.
Measures 2 & 3 of Option 1 are not retained under the preferred option, as they would >>
[19] The new identification schemes will be established in addition to the existing schemes (both those notified and those not notified to the Commission).
[20] The NIS2 Directive proposal is referenced extensively in Chapter II, according to the Commission’s proposal.
[21] Whose full implementation needs at least three more years.
[22] Which are not necessarily trust service providers, so their process of communication with the national identification schemes has to be created entirely from scratch.
[23] Article 30
Certification of qualified electronic signature creation devices
1. Conformity of qualified electronic signature creation devices with the requirements laid down in Annex II shall be certified by appropriate public or private bodies designated by Member States.
2. Member States shall notify to the Commission the names and addresses of the public or private body referred to in paragraph 1. The Commission shall make that information available to Member States.
3. The certification referred to in paragraph 1 shall be based on one of the following:
(a) a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in the list established in accordance with the second subparagraph; or
(b) a process other than the process referred to in point (a), provided that it uses comparable security levels and provided that the public or private body referred to in paragraph 1 notifies that process to the Commission. That process may be used only in the absence of standards referred to in point (a) or when a security evaluation process referred to in point (a) is ongoing.
The Commission shall, by means of implementing acts, establish a list of standards for the security assessment of information technology products referred to in point (a). Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 47 concerning the establishment of specific criteria to be met by the designated bodies referred to in paragraph 1 of this Article.
[24] The Evaluation study, in fact, did not propose to change the eIDAS conformity assessment scheme.
[25] It is very important to mention Regulation (EU) 2014/910 here, because of Article 11 (Anti-circumvention) of the DMA: it includes the circumvention of European qualified trust services as a prohibited conduct of the gatekeeper.
[26] Points (a) to (d) are information already provided by qualified website authentication certificates (QWACs), issued under Article 45 of Regulation (EU) 2014/910. The DMA should build on the eIDAS infrastructure created by Regulation (EU) 2014/910.