The EU’s electronic ID scheme is QWACers

• The EU’s digital identity card plans formalized.
• Framework opens way to state-sponsored surveillance.
• Multiple organizations push back, including Mozilla and CDNs.

Holding a national identity card has been a normal part of life for many EU citizens for decades. Thanks to the close cooperation between the 27 member states, travel between EU nations rarely requires a passport, and access to many public and private services by any EU citizen is possible in any state.

However, with many organizations digitizing their operations, there has been an increasing need for a digital identity card for citizens and a version of the same card for organizations. That explains the agreement on a framework for just such a card, reached on November 8 between the European Council presidency and the European Parliament, describing the eID (European digital identity).

By 2030, it’s hoped that most European citizens will hold a digital wallet linked to their national identity records, plus other personal documents, such as driver’s license, bank account details, and educational qualifications. With a smartphone app, citizens will be able to provide proof of identity, qualification for services, credentials for employment, and much more.

Part of the impetus for the agreed framework is the EU’s apparently more stringent approach to the unauthorized use of its citizens’ data, and it’s hoped that individuals will have greater control over what information about them is shared with third parties. The detail of the framework, however, reveals a number of flaws in the ways that the EU is approaching the project, despite the benign nature of the EU digital identity card at first glance.

How will the EU Digital Identity Card work?

Member states will provide authentication services (and the eID mechanisms, including smartphone applications) for free in the case of individuals, stating that “the free-of-charge use is limited to non-professional purposes.” The burden of validating the identity of “relying parties” will also fall to the individual states; that is, the bodies requesting citizens’ information will also have to prove their veracity, with their validity proven by holding digital certification issued by EU governments. If that’s to be achieved on the basis of domain ownership, the detail of the eID framework uncovers some implementation issues.

The software behind the eID scheme will be partly open source, allowing widespread scrutiny and security checking by any interested party, but the framework also notes that “for justified reasons,” individual member states will not have to disclose additional “specific components” that are added to the wallet apps or the mechanisms behind them, that will be used daily by citizens.

That adjunct may prove problematic for some users, as it theoretically allows a nation the type of access to user data that would be a paranoic’s worst nightmare. The eID framework clause highlights the potential issue that transparently-implemented authenticity software can be compromised by hidden, opaque elements. Compromised authenticity smacks of the UK government’s ill-conceived Online Safety Bill (which compels backdoor access to encrypted systems). In that case, weakened encryption negates the encryption. With an eID, citizens won’t know whether their private use of their own identity is private at all.

There is a recurring trope of national (or intra-national) governments mis-stepping on technology legislation. The EU’s implementation of the GDPR and its partial success (it shows, at least, a move in the right direction that’s now a relatively-bright beacon of hope for data privacy advocates) does give rise to optimism that a secure and open identity mechanism can exist outside the interests of big tech. The addition of closed-source elements by individual governments will undermine trust in the scheme at a basic level, however.

Identity card based on state-issued certs

The framework will also define the extent and further implementation of QWACs (qualified web authentication certificates), a certification for domain owners issued by governments who bestow the label of “Trusted Service Provider” (TSP) on recognized domains. QWACs exist alongside the extant certificate authority system, meaning browser authors not only have to implement two systems of authority certification but, under eIDAS regulations (electronic IDentification, Authentication and trust Services), have to give users a “strong indication” that the domain is a TSP. Most web browsers barely acknowledge the presence of an EV (extended validation) certificate, largely because such indications have been shown to have a negligable effect on user behavior.

There’s also the issue fueling privacy-focused backlash from the likes of the Fastly, Cloudflare, the Linux Foundation, and Mozilla, makers of one of the last few web browsers not designed to give away users’ information to advertising agencies. The pushback focuses on the idea that if governments issue TSP status via certification, governments can decrypt TLS-protected web traffic (the https prepended to the majority of website addresses, for example) because they will hold the private part of the encrypted key behind the certificate. That gives secretive agencies (acting solely, naturally, to “protect children” and “prevent terrosism”) access to internet traffic that users assume is secure.

The seemingly secondary mention of QWACs in the broader statements covering the agreed framework for electronic identity records fuels the fire of suspicion that EU governments are moving towards legislation that entrenches digital surveillance at a state level.