The State of Digital ID

Digital wallets remain the cutting edge of innovation in the field of digital identity — and Europe is leading the way in terms of policy development, technical innovation, and ecosystem building. On Tuesday the European Commission released the latest draft of the Architecture Reference Framework (ARF), the technical guidance for the standards and protocols that European digital wallets (EUDI) are expected to follow. But the ARF is not legislation, which creates complications — and opportunities — for policymakers, developers, and issue advocates.

At the Digital unConference Europe (DICE), the conversations and sessions were dominated by the EU wallet and its implications. The conference’s focus on building “ecosystems” is an important reminder that digital ID is not a thing or a consumable product, but a tool people use to achieve transaction goals. The key to the value of a digital ID scheme is what you can do with it. And key to what you can do with a digital wallet is who will trust its credentials and rely on it as proof of the claim that you make (that you are who you say you are and can do what you say you can do). This tripartite structure of issuers, holders, and relying parties is the core of an identification ecosystem.

Privacy and security: The EU efforts to develop a digital wallet offer one of the most cutting-edge efforts to implement societal scale digital identity systems — and importantly, one that aims to put users in control of their data. Yet the EUDI is far from perfect, and the tension between political imperatives and technical design remains. The reliance on government-issued personal identification data as the EUDI’s foundational credential has raised concerns about the potential for surveillance through linking usage of the credentials, and thus revealing the identity and/or behaviors of the holder. For example, usage of the credential to prove age might reveal a taste for alcohol, or specific bar or alcohol preferences. As DICE participants noted, the ARF 1.6 has measures on privacy, but has not yet resolved the issue if unlinkability and this traceability.

The exclusion of cryptographic technologies such as Zero Knowledge Proofs (excluded because they are not (yet) included in the list of approved electronic signature technologies) also means that the current specification for the wallet exclude the use of technologies that could mitigate these concerns — an exclusion that persists in the latest ARF. These specifications are critical in determining how user-centric and protective the EUDI wallet will be. They are also going to be significant in their wider adoption and interoperability — the Swiss specification requires the possibility for unlinkability, for example..

Governance vs. technology: One significant theme of the conference was the tension between relying on governance and regulation versus technological solutions, particularly in regard to privacy and protection. The current ARF limits the use of advanced cryptographic technologies, and so relies on regulation to prevent issuers encoding trackers into credentials. This is a weak form of protection. What happens if those rules are no longer followed? Also, what happens when the wallet is adopted in places where the rule of law is weak or authorities surveil users?

Cross-border ecosystems: The question of ecosystem and standards is also significant when thinking about the EUDI in the context of cross-border usage and as part of a global ecosystem of digital identification. The EUDI wallet is currently designed for European citizens and legal residents. While a core use case is intra-European travel, the wallet’s potential is far broader than that. There has already been discussion about its potential to complement European foreign policy and for it to hold an infrastructural “Brussels effect.” This is not just idle speculation — Georgia is already developing its own digital identity wallet using the European framework. But for the European wallet to really function as part of a global ecosystem will require thinking through how to answer cross-border and migration questions such as:

Currently, these verifications are often manual processes — a phone call is made to the issuing medical institution or university, or the individual has to pass national tests to requalify. Digitalizing this broader ecosystem could enable easier migration and access to employment and education.

Digital identity is an ecosystem, one in which issuers, holders, and verifiers are the core actors. Building out these trust frameworks is key to realizing the potential — and mitigating the risks — of innovation in digital identification. If the EUDI wallet is to be an enabler of cross-border movement, and supporter of the migration and expertise that Europe needs, these challenges must be addressed.