EU Digital Identity Wallet: A short introduction into the history of digital identity
In June 2021, the European Commission made a big announcement: from 2025 each European citizen should have his own European Digital Identity (EDI) wallet. In this article, I will explain to you the why, what and how of the European Digital Identity.
In order to address the first misconception: “European” in this case does not mean identities is issued by the EU itself. Instead each member state should issue or recognise one or more national EDI wallets. These digital wallets, that you can install on your smartphone, can be compared with classic wallets that contain cards (such as ID or bank cards) that you can use to prove something about your identity. For example, your name, age, your bank account, your diploma, in fact basically anything you can think of. These wallets should be usable throughout the whole of the European Union for access to both online and offline services. This means you should, with your Dutch EDI wallet, be able to interact online with governmental organisations in the EU, collect the diploma of a minor abroad or easily share health data when visiting a hospital abroad. Currently, these kinds of services require a lot of paperwork (which are then scanned and sent through email), require offline attendance or are simply not possible at all.
The development of the EDI is very much in line with Self Sovereign Identity (SSI) thinking, but it has some important differences. So to better understand the EDI, let me first explain to you about Digital Identities and Self-Sovereign Identity.
The rise of Self-Sovereign Identity
With the rise of the internet, more and more services became available online. Soon, organisations realised that there was a need for access control to these kinds of services. Organisations first tried to solve this themselves: each user would get an account with a username and a password. As the number of online services grew, the number of accounts that you had to maintain became unworkable. This is not only bad from a user-experience perspective, but it is also a major security risk as users would start reusing passwords.
This challenge caused the rise of federated identities. Identity federations exist of one or multiple identity providers and multiple relying parties (also called data using services). A user now only needs one identity provider that he can use to login to all relying services within the identity federation. This makes federated identity more user friendly and secure. The federation includes a trust framework so that relying parties know with certainty that they can rely on the identity provider (at a certain level of assurance, we will talk about that later).
Examples include SURFconnext, which students use to login to services offered by their university (or other universities, although most universities don’t allow this last option), DigiD (which allows you to login to governmental services in the Netherlands), but also social logins such as “Login with Google/Facebook/Apple’’ at any service or webshop. This also discloses the downside of federated identities: there is a major privacy risk as the identity provider sees when and at which service you log in. You may trust SURF of DigiD, but I would certainly not trust Google or Facebook with this data.
This privacy risk triggered the rise of Self-Sovereign Identity (SSI). As the name suggests, SSI puts you in control of your own identity and personal data, with whom you share it and under which conditions. Although there is no formally agreed definition, the 10 principles formulated by Allan in 2016 are considered to be the guiding principles [1], but these ideas go back even before 2016. There were already many different initiatives and organisations striving for better self-determination for individuals regarding their personal data, such as MyData Global.
The SSI role model puts the individual in control by separating the direct connection between the identity provider and the relying party by putting the individual in between. The identity provider now becomes an issuer, who issues a credential (a statement or a piece of information) to the wallet of the individual. The individual can now share this with the relying party. This is done in such a way that the issuer does not see with which relying parties (and when) the individual shares the credentials. Due to the cryptographic properties of these credentials the relying party can still verify the authenticity of the credentials. This is why we call them verifiable credentials.
There are already many existing SSI wallets. Most of them, including the Dutch wallet Datakeeper use the W3C Verifiable Credentials standard [2], but there are also other standards such as Idemix used by Yivi (formerly known as IRMA, created by the Dutch professor Bart Jacobs), Solid PODs and some proprietary standards. Although these wallets work technically perfectly well, the adoption is still limited.
The need for EU digital identity wallets
There are multiple reasons for the lack of adoption of these SSI wallets, including a classical chicken or egg situation, a lack of interoperability (currently relying parties only integrate one or two wallets, so often you cannot use the wallet of your choice) and a lack of trust between the different actors in the SSI ecosystem.
On the other hand, the adoption of the first version of the eIDAS regulation, introduced in 2014 to regulate acceptance of national digital identities (eIDs, such as DigiD) between EU member states had not been a great success either. Both the number of member states that had notified an eID as well as the actual cross-border use of eIDs was low. Another downside of eIDAS v1 was that it only regulated the uses of eIDs between government organisations, but that use by private organisations in other member states was not allowed nor regulated.
To realise the true potential of the use of digital identities in the EU, the European Commission announced a revision of the eIDAS regulation. Biggest highlight: a digital identity for each European citizen and the introduction of the European Digital Identity framework.
This revision not only has the ambition to realise the potential of eIDAS, but also has the potential to make SSI wallets work at large scale. I will explain how in the next section.
What will the European Digital Identity look like?
One of the reasons that gives the EDI wallets a better chance of succeeding over existing SSI wallets is that the eIDAS revision includes EU wide legislation and governance.
The EDI wallets should be issued at level of assurance (LoA) High. The EU recognises three different levels of assurance: Low, Substantial, High. The higher the LoA, the better the identification of the individual has been done once issuing the eID and the more effort an attacker should need to compromise the eID. It also means that eIDs with a higher LoA may be used for accessing even the more (privacy) sensitive services. For opening a bank account you need at least Substantial. For accessing your health records you should need an eID with LoA High. As the EDI wallet is issued at LoA High, it means you can use it to access any service.
The number of online services that accept the EDI wallets is also expected to be high. All government services and services from essential sectors are required to accept the wallet for use-cases where strong user authentication is required by law. Any other organisation may decide to accept the EDI wallets as well. On the other hand there should always be another alternative for an individual if (s)he does not wish to use his EDI wallet for a service. One of the downsides is that this alternative does not need to be the better or easier option. So in practice you might still be ‘forced’ to use the EDI wallet.
Another reason that gives the EDI wallets a bigger chance of success, is the use of the PID: Personal Identification Data includes your name and date of birth. The PID makes sure that you can be uniquely identified. This does not mean that you will always need to share the PID. Most of the time you will probably only share a part or nothing of your PID at all. The PID is the first thing you need to retrieve to activate your EDI wallet once you downloaded it.
In the Netherlands, you will probably do so by logging in with DigiD and retrieving your PID data from the Basisregistratie Personen (BRP). After you retrieve your PID, you can start collecting other credentials. You do this by showing (part of) your PID. At the moment you share a credential, the relying party can be sure it was issued to the right person. This is a big change compared to the classic SSI wallets where it was quite easy to issue your credential to your friends wallet.
Besides the regulation of the wallet itself, the issuers and wallets are also governed and regulated, which gives more trustworthiness to the whole EDI ecosystem. This makes it easier for all actors in the ecosystem to rely on the EDI wallets and the credentials that you have collected in them.
How are the developments going and when can I have my EDI wallet?
It was already two years ago that the European Commission announced the EDI. This announcement came with a very ambitious timeline and it was expected that each member state should have an EDI wallet issued or recognised by July 2024.
It now seems that that timeline was too ambitious, but a lot of work has already been done. Both the European Council (member states) and the European Parliament have discussed the proposed revision of the regulation. Currently the negotiations, the so-called trilogue, between these three institutes have come to an end and a definitive version is expected in the upcoming months.
In the meantime, the European eIDAS expert group has started working on the Architecture and Reference Framework (ARF). The ARF will define actors in the ecosystem, functional and non-functional requirements to both the wallet and the other actors in the ecosystem and potential building blocks. In February 2023, version 1.0.0 of the ARF was released. This first version already gives some interesting insights on how the EDI wallets will work. For example, the wallets will use W3C Verifiable Credentials and mobile Driver Licenses (mDL) specifications. Some other questions still stay open, including how to make sure that relying parties do not ask for more data then they strictly need or are allowed to ask.
Recently, the first experiments have started to test how the EDI wallets will work in practice. The EU has funded four large scale pilots (LSPs) to validate and learn how the wallet works around different use-cases. In the meantime, the Dutch government is also building its own demo-wallet. This seems to be both to learn how this wallet could work in the Netherlands as well as to influence the EU regarding some values that the government thinks are important. These include open source and privacy-by-design. The Dutch demo-wallet is supposed to be (partially) ready somewhere this year. Current versions of the source code are published via Github [3].
Other developments are still unclear. The timelines initially announced by the European Commission have shifted and it seems that we can expect the EDI wallets to be ready earliest somewhere in 2025, but most likely 2026. In the meantime, we also need to start working on the EDI-NL ecosystem, which regulates EDI wallets, issuers and relying parties within the Netherlands. The governance of this ecosystem might be even more important than building the wallets itself. It will make sure that all the actors will keep up to the values and rules we find important in the Netherlands such as privacy, prevention of over-asking and voluntary use of the EDI wallet. It is important to understand the importance of this ecosystem. A wallet in itself is useless. It is a means rather than a solution. The actual value for the individual is in the ecosystem in which the wallet operates and the services that can be accessed by it.
If you want to learn more about the EDI or want to contribute to the development of the wallet, the LSPs or the ARF, make sure to visit edi.pleio.nl: A wiki by team of the Dutch Ministry of the Interior working on the implementation of the European Digital Identity in the Netherlands. They also organise monthly meetups and heartbeats.
About Koen de Jong
Koen de Jong is an expert in the field of digital identities and personal data management. He finished his master in the Cyber Securtiy specialisation at the University of Twente in 2019. His interest is in the interaction between technology, legislation, ethics and the impact of technology on the end-user.
At InnoValor Advies he helps governmental and other public organisations to better understand the impact of innovation in his fields of expertise. He also runs the MyData Operator group where wallet providers and other personal data management solutions work together on interoperability and empowering individuals regarding their personal data. If you want to learn more about digital identity or the EDI, you can reach out to him via koen.dejong@innovalor.nl or visit innovalor.nl.