eIDAS 2.0 turns to self-sovereign identity to give users ownership and control


With the rise of an increasingly digital business and social world, having a trusted, global identity can serve many purposes and benefit individuals and businesses alike.

European regulators are increasingly aware that such an identifier must preserve the user's control and confidentiality. To that end, they are looking to self-sovereign identity technology to establish a framework that brings such a system to the entire European Union. The building blocks are cryptographic: digital signatures, selective disclosure and zero-knowledge proofs, in many proposals anchored on a blockchain or similar distributed ledger.

History of eIDAS

Electronic Identification, Authentication and Trust Services (or eIDAS) is an EU regulatory framework that governs electronic identification as well as general trust services with respect to electronic transactions. Originally created in 2014, eIDAS is part of the European Commission’s (EC) focus on Europe’s ‘digital agenda’ and the overall aim is to drive innovation in the EU. Within this regulatory framework, organizations are required to employ higher levels of information security, emphasizing both interoperability and transparency.

Specifically, eIDAS calls for the adoption of a European digital identity system that would give every citizen and business unique and fully verifiable credentials. These can then be stored digitally, accessed and used for a wide variety of interactions both online and across the EU.

A first attempt to deploy such an ID has already begun, but the initial deployment has been met with lackluster acceptance and the adoption rate is quite low. Currently, only around 59% of the EU population is able to access these identifiers, as not all countries have implemented them yet. There has also been vocal backlash over concerns about user autonomy and privacy, further hampering progress.

All of this, along with some of the notable changes the world has seen in recent years, has underscored the need for these regulatory guidelines to be revised so that they are more flexible, protect users’ rights and ultimately open up the path for a much wider adoption of these identifiers by the end of the decade. To do this, the EC needs to learn from the shortcomings of eIDAS 1.0, leverage its potential and move to eIDAS 2.0.

The shortcomings of eIDAS 1.0

Various elements of the initially proposed regulatory framework were specifically cited as grounds for rejection by many institutions and observers. On the one hand, the legislation required a persistent, unique identifier that would rigidly follow an individual for life. Critics called this too sweeping and ultimately dangerous: a single lifetime identifier presented to every service is a correlation handle, so governments and corporations could link all of a person's transactions across contexts, and the identifier could never be changed if it were abused or leaked.

Along the same lines, the original eIDAS wanted governments to have the ability to remotely disable an ID to prevent an entity from accessing its funds in the name of combating illicit activity. Again, critics were quick to point out how dangerous this would be, effectively allowing a government to “remove” someone from the system.

eIDAS 1.0 is also not well designed for the private sector. There are too many complexities and barriers to entry for private industries. If the eID cannot be used ubiquitously, adoption will again be low, because the public does not want one ID for boarding a plane or paying taxes and an entirely different one for dealing with businesses.

Fortunately, the EC understood that a new version of eIDAS had to be proposed. It is therefore developing eIDAS 2.0 to solve the existing problems and create a much more functional and attractive digital ID solution.

Benefits of eIDAS 2.0

The new proposal is built around the biggest issues that held back the original framework. For example, instead of enforcing a single, rigid identifier that reveals everything about an individual indefinitely, the eIDAS 2.0 framework can use a flexible, self-sovereign identity (SSI) that places control of all personal information in the hands of the end user it describes, with both public and private parties acting as issuers and verifiers.

Using cryptographic proofs, an SSI wallet can attest only the attributes a given transaction actually needs (that the holder is over 18, say, or holds a particular licence) without revealing the rest of the credential. This provides the level of authenticity the existing eIDAS sought while protecting consumer privacy. Combined with the decentralized design of blockchain-based registries, it makes eIDAS 2.0 a substantial step forward in consumer privacy and security.
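The mechanism behind "attest only what the transaction needs" is selective disclosure. The following is an added example written for this article, not code from the eIDAS proposal or any wallet implementation: the issuer commits to every claim with a salted hash and signs the list of commitments; the holder later reveals only the claims a verifier asks for, together with their salts; the verifier checks the issuer's signature over the whole list and that each disclosed claim opens one of the signed commitments. The claim names, the sample person and the issuer key are constructed for illustration, and the issuer "signature" is an HMAC so the example runs on the standard library alone (a real issuer would use a public-key signature such as EdDSA so that verifiers need only the issuer's public key).

```python
"""Selective disclosure: issuer signs salted-hash commitments to every claim,
holder reveals only the claims a transaction needs, verifier checks the rest blind."""
import hashlib
import hmac
import json
import secrets

# Assumption: an HMAC key stands in for the issuer's signing key so this runs on the
# standard library only. A real issuer uses a public-key signature (e.g. EdDSA).
ISSUER_KEY = b"demo-issuer-key-not-for-production"


def commit(salt: bytes, name: str, value) -> str:
    """Salted SHA-256 commitment to one claim.

    The claim *name* is hashed together with the value, so a holder cannot relabel a
    disclosed value as a different claim. The random salt stops a verifier from
    brute-forcing low-entropy claims (a birth date, a two-letter nationality) from
    a commitment that was not disclosed.
    """
    encoded = json.dumps([name, value], separators=(",", ":"), sort_keys=True).encode()
    return hashlib.sha256(salt + encoded).hexdigest()


def sign_digests(digests: list[str]) -> str:
    """Issuer signature over the canonical (sorted) list of commitments."""
    return hmac.new(ISSUER_KEY, "\n".join(digests).encode(), hashlib.sha256).hexdigest()


def issue(claims: dict) -> tuple[dict, dict]:
    """Issuer side: commit to every claim under a fresh salt, sign the sorted digest list.

    Sorting hides which position belongs to which claim. Returns the credential (safe
    to show to verifiers) and the salts (kept private by the holder in the wallet).
    """
    salts = {name: secrets.token_bytes(16) for name in claims}
    digests = sorted(commit(salts[n], n, v) for n, v in claims.items())
    return {"digests": digests, "signature": sign_digests(digests)}, salts


def present(credential: dict, claims: dict, salts: dict, disclose: list[str]) -> dict:
    """Holder side: hand over the signed digest list plus openings for the chosen claims only."""
    return {
        "digests": credential["digests"],
        "signature": credential["signature"],
        "disclosed": {n: {"value": claims[n], "salt": salts[n].hex()} for n in disclose},
    }


def verify(presentation: dict):
    """Verifier side: check the issuer signature, then that every disclosed claim opens
    one of the signed commitments. Returns the verified claims, or None on any failure."""
    if not hmac.compare_digest(sign_digests(presentation["digests"]), presentation["signature"]):
        return None  # digest list was not issued as-is (added, removed or altered entries)
    verified = {}
    for name, opening in presentation["disclosed"].items():
        if commit(bytes.fromhex(opening["salt"]), name, opening["value"]) not in presentation["digests"]:
            return None  # value, salt or claim name does not match any signed commitment
        verified[name] = opening["value"]
    return verified


# Constructed sample credential for the demo (not real data).
CLAIMS = {
    "given_name": "Alice",
    "family_name": "Example",
    "birth_date": "1990-05-17",
    "nationality": "NL",
    "age_over_18": True,
    "driving_licence_categories": ["B"],
}

if __name__ == "__main__":
    credential, salts = issue(CLAIMS)
    # An age-gated shop needs only the over-18 flag; nothing else leaves the wallet.
    presentation = present(credential, CLAIMS, salts, ["age_over_18"])
    print(verify(presentation))                 # {'age_over_18': True}
    print("Alice" in json.dumps(presentation))  # False: the name was never sent
```

Note what the verifier does and does not learn: it sees six opaque commitments and one opened claim, and the signature proves the opened claim came from the issuer unmodified. It also sees the same six commitment values at every presentation, which is exactly the profiling hook discussed further down; a production scheme issues several differently-salted copies of the credential, or uses proof systems that hide the commitments, so that two verifiers cannot match them up.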

Speaking of privacy, the EC also recognised the need for controls that stop social media platforms from obtaining anything beyond the bare minimum needed to grant access. This responds to the well-documented data-harvesting practices of Facebook and other platforms.

The ability of consumers to control what information others may access matters all the more because eIDAS 2.0 allows a wide variety of data to be stored alongside this eID. The current legislation already covers attributes such as name, address, age, sex, marital status, family composition, nationality, diplomas, titles and licences, professional qualifications, public permits and licences, and financial and corporate data.

However, the EC expects these IDs to handle much more, such as medical information, travel history, bank account information and past transactions. Again, as long as these types of information are secured, this identity system can make things much more convenient and secure for each party.

Another area where this becomes critical is person-to-person interaction. Individuals should also benefit from this system by being able to verify who they are dealing with, for example when speaking in a chat group or purchasing an item from an auction website. As long as privacy protections are built in, any user can be confident that the counterparty is legitimate, adding yet another layer of protection.

One of the most important parts of all of this, again, is putting full control of all information in the hands of users. Ensuring they have exclusive access to their own personal information is critical as this will drive adoption and engender trust. The same level of authenticity can be achieved without having to intrude on the privacy or autonomy of individuals. By focusing on this, the general public and businesses will be much more willing to adopt such a framework.

New techniques to move forward

Since virtually any industry can benefit from some aspect of the proposed identification system, some key elements of implementation have yet to be worked out. First, the new eID must be completely ubiquitous throughout the European Union. Regardless of the country in which a resident registers, their credentials must be equally valid and accepted in all member states. This will be essential for wider adoption, as interoperability was a major stumbling block in the previous version.

Additionally, safeguards must be in place to prevent third parties from building user profiles under the new system. As mentioned, users will be able to control what information is available to other entities, but that does not by itself stop those parties from collecting and correlating everything they are shown over time. This would gradually erode the privacy and autonomy these identifiers are meant to preserve.

One way to combat this is to never hand the underlying data to the verifier at all: the verifier receives only a proof that the relevant attribute satisfies the required condition, never the human-readable value. Zero-knowledge (ZK) proofs serve exactly this purpose, as they allow an independent party to verify a statement about some information without learning the information itself, and many proposed SSI implementations rely heavily on them. A verifier can thus be given strong assurance that a credential is legitimate without ever seeing, let alone mining, the holder's data.
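The simplest zero-knowledge proof used in identity systems is a proof of possession: the holder convinces a verifier that it knows the private key behind a public key, and the verifier learns nothing about that key. The following added example (written for this article; it is not code from the eIDAS proposal or any wallet) implements the Schnorr identification protocol, made non-interactive with a verifier-supplied nonce so that a transcript cannot be replayed elsewhere, and adds a per-verifier pseudonymous key so that two verifiers cannot link the same holder, which is the profiling concern above. The group is the 1536-bit MODP group from RFC 3526; the HMAC-based key derivation, the verifier identifiers and the wallet secret are assumptions for illustration. Attribute proofs of the "over 18" kind build on the same sigma-protocol idea but need considerably more machinery, which is not shown here.

```python
"""Zero-knowledge proof of possession (Schnorr identification, non-interactive with a
verifier nonce) plus per-verifier pseudonyms so verifiers cannot link a holder."""
import hashlib
import hmac
import secrets

# 1536-bit MODP group from RFC 3526: p is a safe prime, so q = (p - 1) // 2 is prime
# and g = 4 (a square) generates the subgroup of prime order q.
P = int("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF
""".replace("\n", ""), 16)
Q = (P - 1) // 2
G = 4
assert pow(G, Q, P) == 1  # sanity check: G really has order Q


def int_bytes(n: int) -> bytes:
    """Fixed-width big-endian encoding so hash inputs cannot be re-split."""
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


def challenge(y: int, commitment: int, nonce: bytes) -> int:
    """Fiat-Shamir challenge bound to the public key, the commitment and the verifier's
    fresh nonce: a proof made for one session is useless in any other."""
    h = hashlib.sha256(int_bytes(G) + int_bytes(y) + int_bytes(commitment) + nonce).digest()
    return int.from_bytes(h, "big") % Q


def keygen() -> tuple[int, int]:
    """Random private exponent x in [1, Q-1] and public key y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prove(x: int, y: int, nonce: bytes) -> tuple[int, int]:
    """Holder: prove knowledge of x with y = G^x without revealing x.
    r must be fresh per proof; reusing r across two challenges leaks x."""
    r = secrets.randbelow(Q - 1) + 1
    commitment = pow(G, r, P)
    c = challenge(y, commitment, nonce)
    s = (r + c * x) % Q
    return commitment, s


def verify(y: int, nonce: bytes, proof: tuple[int, int]) -> bool:
    """Verifier: accept iff G^s == commitment * y^c (mod P) for the recomputed challenge.
    Range checks reject degenerate group elements before doing any arithmetic."""
    commitment, s = proof
    if not (1 < y < P and 1 < commitment < P and 0 <= s < Q):
        return False
    c = challenge(y, commitment, nonce)
    return pow(G, s, P) == (commitment * pow(y, c, P)) % P


def pairwise_key(wallet_secret: bytes, verifier_id: str) -> tuple[int, int]:
    """Derive a distinct key pair per verifier from one wallet secret (assumption: HMAC-SHA256
    as the derivation function). Two verifiers see unrelated public keys and cannot
    correlate the holder; the same verifier sees a stable pseudonym on return visits."""
    k = hmac.new(wallet_secret, verifier_id.encode(), hashlib.sha256).digest()
    x = int.from_bytes(k, "big") % (Q - 1) + 1
    return x, pow(G, x, P)


if __name__ == "__main__":
    wallet_secret = secrets.token_bytes(32)             # constructed demo secret
    x, y = pairwise_key(wallet_secret, "shop.example")  # pseudonym for this verifier
    nonce = secrets.token_bytes(16)                     # chosen by the verifier per session
    proof = prove(x, y, nonce)
    print(verify(y, nonce, proof))                      # True
    print(verify(y, secrets.token_bytes(16), proof))    # False: replay under a new nonce
```

What the verifier ends up holding is a nonce, a public key and two numbers that are statistically independent of the private key; it can confirm the holder controls the pseudonym but cannot extract or reuse the secret. One thing this block deliberately leaves out: the verifier still needs a reason to trust that this pseudonymous public key belongs to a legitimately issued identity, which in an SSI scheme comes from an issuer credential bound to the key, otherwise the proof only shows self-consistency.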

Finally, biometric information can serve as the cornerstone of secure access to a given wallet. Fingerprints, iris scans and other unique physical identifiers can confirm that the person holding the device is its owner and, combined with the privacy protections described above, can mean that only the authorized person is able to use his or her SSI. The practical caveat is that a biometric cannot be rotated once it leaks, so templates should stay on the device and gate access to the wallet's private keys rather than being transmitted to verifiers as a credential in their own right.

Conclusion

Ultimately, when properly configured, this form of ID system should be able to replace everything from basic logins for day-to-day website access to driving licences and passports. Although all of these functions would be served by one wallet, it would still represent a huge step forward in privacy, security and user control. The first iteration of eIDAS started the conversation and let community voices say what they thought was wrong with it. Fortunately, the EC listened and came up with a new framework that addresses the key concerns. If adopted, eIDAS 2.0 could be the start of a revolution in how identification and verification work, and could spread to other jurisdictions around the world.
