[To Eurosmart members only]
Take-aways from the public hearing on eIDAS
On 3 February, the President of Eurosmart took part in a public hearing organised by the European Parliament. Alban Feraud presented Eurosmart’s views on the revision of eIDAS as part of a panel of experts. The leading MEPs in charge of the file were present and reacted with comments and questions.
Please find below a summary of the exchanges.
Panel of experts:
Wojciech Wiewiórowski, European Data Protection Supervisor, explained that the European Digital Identity Wallets could bring benefits to citizens in terms of data protection. They could solve the problem of excessive data processing and allow users to choose the data they want to share.
However, a lot depends on the specific implementation, which is not defined by the legislation. Therefore, the European Data Protection Supervisor remained cautious because the technical architecture cannot be fully assessed yet. Wojciech Wiewiórowski would have been happier if the proposal itself had given more insights on what the Member States need to implement. He also underlined that nothing is said regarding the data controller in the eIDAS proposal.
Wojciech Wiewiórowski also warned that the Wallet could mean the end of anonymity on the internet. He also raised concerns regarding the unique identifier; a unique identifier of this kind is even unconstitutional in some Member States.
Alban Feraud, President of Eurosmart, developed three points: 1) data protection, 2) security, and 3) an open and transparent ecosystem. On data protection, he underlined that the regulation should mandate a GDPR certification for providers of attestation of attributes. He also explained that the protection of data pertaining to legal persons does not seem guaranteed in the proposal. Finally, he insisted on the need to have the data stored and processed in the EU, and governed by EU law only.
On security, Alban Feraud praised the inclusion of mandatory cybersecurity certification for Wallets. He indicated that the highest level of security is necessary to gain citizens’ trust. Security is not at the core of Article 6a; there should be a dedicated paragraph on security.
Finally, Alban Feraud explained that the success of eIDAS largely depends on the success of the Digital Markets Act (DMA). Providers of identification services will need to access some hardware and software features, as well as the operating system.
Kai Rannenberg, from the Goethe University Frankfurt, wondered whether the proposal really enabled the user to authenticate with a single attribute. This is not clear in the proposal's current form. He noted that if cloud providers are involved, it might be doubtful that the user is in full control. Kai Rannenberg also asked how an attribute can be taken out of a ledger. Finally, he observed that the timing was too ambitious. He mentioned the example of the Wallet in Germany to point out that this kind of disaster can happen when things are done too quickly.
Thomas Lohninger, Executive Director at EDRi, raised concerns regarding the unique persistent identifier as it limits anonymity and tracks users. He also asked why Wallet providers can access the user’s data; this is unnecessary. In addition, there are no proper safeguards when it comes to the use of data by relying parties. Finally, Thomas Lohninger pointed out that web browsers had legitimate concerns regarding the mandatory recognition of EU Qualified Web Authentication Certificates.
Catalina Dodu, Board member of ANIS Romania, underlined that security must come first. Privacy is also of utmost importance. She observed that there is a digital divide between countries in Europe. Some countries are simply behind, and this problem needs to be addressed.
Questions from MEPs:
MEP Romana Jerković (S&D, Croatia) is the rapporteur for the revision of eIDAS. She stated that she is in full agreement with Mr Feraud and Ms Dodu; the Wallet needs to be at the highest level of security, and certification needs to be mandatory. She acknowledged that there is a whole range of acts (DMA, CSA) that need to be carefully considered to ensure legislative coherence.
MEP Pascal Arimont (EPP, Belgium) asked whether Wallets should be a public good. Should States be issuers of the Wallet? He further wondered how interoperability could be achieved. Finally, he asked how the security of attributes could be ensured; how can we trust an attribute?
MEP Alin Mituta (Renew, Romania) mentioned the digital gap between the Member States. How do you bridge this gap? He also wondered what the balance should be between the EU framework and national choices.
MEP Mikulas Peksa (Greens, Czechia) simply asked the experts what they would propose to increase the level of security.
MEP Andrus Ansip (Renew, Estonia) observed that software-based security enables a significantly shorter supply chain and stronger sovereignty. With software-based security, there is no need to replace physical components, such as chips and smartcards. There are already software-based technologies available, such as Splitkey. Should software-based solutions be promoted on an equal footing with hardware-based ones?
MEP Angelika Niebler (EPP, Germany) noted that the EU needs a cybersecurity scheme for the Wallet; the European Parliament might call on the Commission to start the process. [Note: Angelika Niebler was the rapporteur for the Cybersecurity Act]
Answers from the panel of experts:
Alban Feraud observed that the certification of providers of attributes should be harmonised at the European level to ensure that they all have the same process. This would guarantee that one can trust an attribute.
Regarding security, the legislators should express in a very explicit manner the target of security to be met. This approach is in line with technology neutrality. ENISA could help bridge the certification gap. Alban Feraud underlined that there is already some ongoing standardisation work at CEN. He observed that more and more smartphones are equipped with secure hardware. Secure hardware can be used to protect identity data.
Wojciech Wiewiórowski pointed out that the EDPS does not assess solutions that already exist. The decisions on what should be allowed should be taken on the basis of the certification scheme both for security and data protection.
Kai Rannenberg explained that private operators should be able to offer a Wallet in parallel to the public solution. In his view, there should not be a mandatory unique identification.
Thomas Lohninger explained that there could be personal identifiers for specific use case areas. For security, the most important thing is the unobservability of the system. The system should not allow any central entity to observe it.
Final words from the European Commission:
Norbert Sagstetter, Head of Unit at DG CNECT, explained that the system is fully geared towards data protection. The proposal presents strong safeguards for data protection. For protection vis-à-vis relying parties, there is selective disclosure and data minimisation.
The eIDAS Expert Group will publish this month an Architecture Reference Framework.
The European Commission strongly disagrees with the statement according to which Qualified Website Authentication Certificates (QWACs) would downgrade the security level of internet browsers. QWACs provide more transparency and do not challenge the security level.
If you have any questions on this topic, please contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com