eIDAS 2.0 Turns To Self-Sovereign Identification To Bring Users Ownership And Control

With the rise of an increasingly digital commercial and social world, having a trusted, all-encompassing identity stands to serve many purposes and benefit private individuals and businesses alike.

European regulators have become increasingly aware that such an ID needs to preserve user control and privacy. To this end, they are looking to self-sovereign identity technology for establishing a framework that brings such a system to the whole of the European Union. Furthermore, this is all being made possible through the use of blockchain and other cryptographic technologies.

History of eIDAS

Electronic Identification, Authentication and Trust Services (or eIDAS) is an EU regulatory framework that governs electronic identification as well as general trust services as they pertain to electronic transactions. Initially established in 2014, eIDAS is part of the European Commission’s (EC’s) focus on Europe’s “Digital Agenda”, and the overall goal is to drive innovation in the EU. In this regulatory framework, organizations are required to employ higher levels of informational security, with a focus on both interoperability and transparency.

More specifically, eIDAS calls for the adoption of a European Digital Identity system that would give every citizen and business unique and completely verifiable credentials. These can then be stored digitally, accessed, and utilized for a wide variety of interactions both online and everywhere across the EU.

A first attempt at rolling out such an ID has already begun, but the initial rollout has been met with lackluster acceptance and the adoption rate is fairly low. Currently, only about 59% of the EU population are able to access these IDs, as not all countries have implemented them yet. There has also been some vocal pushback over concerns surrounding user autonomy and privacy, further curtailing progress.

All of this, along with some of the notable changes the world has seen in the last few years, has emphasized the need for a revision of these regulatory guidelines in such a way that is more flexible, protects users’ rights and ultimately paves the way for much more extensive adoption of these IDs by the end of the decade. To do this, the EC has to learn from the shortcomings of eIDAS 1.0, build on its potential, and upgrade to eIDAS 2.0.

The Shortcomings of eIDAS 1.0

Various elements of the initially proposed regulatory framework were specifically cited as reasons for rejection among many institutions and observers. For one, the legislation called for persistent, unique IDs that could rigidly follow an individual for his or her entire life. This, many felt, was too overarching and ultimately an unwise and unsafe practice that is prone to abuse by governments and businesses.

In a similar vein, the original eIDAS wanted governments to have the ability to remotely deactivate an ID to cut off an entity from access to its funds in the name of curbing illicit activities. Here, again, detractors were quick to point out how dangerous this would be, effectively allowing a government to “delete” a person from the system.

eIDAS 1.0 also isn’t well designed for the private sector. There are too many complexities and barriers to entry for many private industries. If this eID can’t be more ubiquitous, it will again lead to low adoption rates as the public doesn’t want to have one ID applicable to things like boarding an airplane or paying taxes and another one entirely for interacting with commerce.

Fortunately, the EC has come to understand that a new version of eIDAS needs to be put forward. Hence, it is currently developing eIDAS 2.0 to address the existing problems and create a much more functional and appealing digital ID solution.

Merits of eIDAS 2.0

The new proposal will pivot on some of the key issues that held back the original framework. For example, instead of enforcing a single, rigid ID that openly reveals everything about an individual indefinitely, the eIDAS 2.0 structure can now potentially employ a flexible, self-sovereign identity (SSI) that puts control of all identifying information entirely into the hands of the end-users it pertains to, in both public and private partnership frameworks.

By leveraging cryptographic proofs, these SSIs can provide the ability to verify only the certain, relevant elements of an individual needed for a given transaction, without the need to reveal all of their information. This proposition will provide the high level of authenticity that the existing eIDAS is searching for, all while still protecting consumer privacy. Pairing this with the decentralized ethos of blockchain, eIDAS 2.0 is representative of the pinnacle of consumer privacy and security.

Speaking of protecting privacy, the EC has also appreciated that checks need to be in place to keep social media platforms from having access to any information save for the bare minimum needed to confirm access. This is in response to the well-documented abuses that Facebook and other platforms have partaken in when it comes to harvesting the data of their customers.

The ability for consumers to control what information others are allowed to access is incredibly important because eIDAS 2.0 also allows for a wide variety of different data types to be stored with this eID. Already written into the current legislation is the demand for such information as name, address, age, gender, civil status, family composition, nationality, educational qualifications, titles and licenses, professional qualifications, public permits and licenses, and financial and company data.

However, the EC anticipates there is also much wider potential for these IDs to handle so much more, such as medical information, travel history, bank account information, past transactions, and much more. As long as these types of information are secure, then this identity system can actually make things massively more convenient and safer for every party.

Another area where this becomes key is in person-to-person interactions. Regular individuals also need to benefit from this system by being able to verify who it is they are, say, talking to in a chat group or purchasing an item from on an auction website. As long as privacy protections are built-in, any user can be confident that the person he or she is dealing with is legitimate, adding yet another layer of protection.

One of the most important parts of all this, again, is putting full control of all information into the hands of the users. Making sure they have exclusive access to their own personal information is key, as it will drive adoption and engender trust. The same level of authenticity can be reached without having to impose on the privacy or autonomy of individuals. By focusing on this, the general public and businesses alike will be far more amenable to adopting such a framework.

New Techniques Moving Forward

Because virtually every industry can benefit from some aspects of the proposed identification system, there are some key elements of implementation that still need to be worked out. For one, this new eID needs to be completely ubiquitous across the entire European Union. Regardless of what country the resident signs up from, his or her credentials should be equally valid and accepted across all nation-states. This will be essential to broader adoption, as interoperability was a major stumbling block in the previous iteration.

Furthermore, safeguards need to be put in place that prevent third parties from continuing to build profiles of users under this new system. As mentioned, users will be able to control what information is available to other entities, but this doesn’t necessarily prevent those parties from still keeping and collating whatever information they can muster. This would, over time, erode the privacy and autonomy that these IDs are designed to preserve.

One of the ways to combat this would be to ensure that information always remains encrypted, only acting as a key for access but never being humanly readable. Zero-Knowledge (ZK) Proofs can be useful to this end, as they allow for the independent verification of information without revealing what that information is, and many of the proposed methods for implementing SSIs leverage this technology heavily. These can give an absolute assurance that an ID is legitimate without ever even giving an entity a chance to see, much less mine, the user’s data.

Lastly, biometric information stands to be the cornerstone for allowing safe, unfalsifiable access to a given account. Fingerprints, iris scans, and other forms of unique physical identifiers can serve as a means for confirming ownership or access and, when combined with the privacy protections we’ve already outlined, can mean that literally only the authorized individual will be able to utilize his or her unique SSI.

Conclusion

Ultimately, once properly set up, this form of identification system should be able to simultaneously replace everything from basic logins for everyday website access all the way to driver’s licenses and passports. Despite all being tied to one identity, it will still represent a massive step forward in privacy, security, and user control. The first pass made at eIDAS started the conversation and allowed for voices in the community to express what they felt wasn’t right about it. Fortunately, the EC listened and has come forward with a new framework that addresses the major concerns. If adopted, eIDAS 2.0 could be the beginning of a revolution in how identification and verification should work and may spread to other jurisdictions worldwide.
