What happens if poverty does not allow me to carry a digital ID?
What happens if I lose my digital ID wallet or it is compromised?
Also judging by dealing with the average citizen on a daily basis, even securing an iOS device and remembering the iCloud password is beyond their level of care.
> What happens if I don't want to identify myself?
It is already an offence in several EU countries to fail to present official ID documents when asked by the police.
If you don't want to identity yourself the outcome will likely depend on the mood of the police office. They may give you a verbal warning and send you on your way or they may choose to arrest you until they can ascertain your identity.
>Yes the police for sure, but this is normalising full ID verification everywhere.
The UK is not a part of the EU any longer, for pretty much all of the rest member states, that has not been an issue for quite some time... save for Ireland.
>At some point there will be a situation where you cannot do anything because you are in the 0.01% of the system that is broken.
The issued ID plastic cards would be as useful when you are present in person.
That's already the case. Since you must be able to identify yourself when asked, you have an obligation to carry your identification with you.
I believe the obligation to carry identification, and to have identification are enforced differently in different countries / states. But there is more information here:
> At some point there will be a situation where you cannot do anything because you are in the 0.01% of the system that is broken.
Not wanting to identify yourself and not being able to identify yourself are two seperate topics. I sympathise with people who fall outside of the system, but e-identity is currently a matter of convenience for people who already have identity documents and are seeking easier ways of accessing services online.
Replace 'digital ID' with 'passport' in any of your questions and you will find the answer.
> Also judging by dealing with the average citizen on a daily basis, even securing an iOS device and remembering the iCloud password is beyond their level of care.
The EU digital ID is based on EIDAS, a technology that is already in use by banks in the entire EU. You can be sure it is safe, otherwise any bank in the EU would have been hacked already.
Organisations can implement eIDAS-conforming technology to provide eID services if they get certified; e.g. our company provides such services (remote onboarding without video conference need + qualified electronic signature signing): https://www.zealid.com/en/
The poster is probably just trying to build a cases tree. "What if I will not have electronic devices to buy prescribed medicines? // Then you will probably present a paper copy of the presctiption // Will it be allowed tough?".
Verifying your identity without a global ID is done today through a combination of primary and secondary identifiers. For example a passport and bank statement. Or a driver's license and recent tenancy agreement. So if you don't want to verify yourself using the above combination then companies and the government will simply not choose to interact with you.
And not sure if you've used a phone before. But you don't need the full iCloud password to unlock your phone and access a digital ID. You just need FaceID, TouchID or a 4/6-digit PIN.
The issue is more what happens when you buy a new phone or lose the old one. Then you need the full iCloud details and password. More than one person I know has got to that state and have no idea what it was. They don't even know what their own email address is to start with.
Incidentally I know how it works. I work next to the sector. The issue is that these are all legitimate questions that we have to work with daily and the abstract "we will arrest you until you ID yourself" does not work when you book a hotel...
> What happens if I don't want to identify myself?
That's a non issue in the EU.
> What happens if poverty does not allow me to carry a digital ID?
Governments will probably pay this for you.
> What happens if I lose my digital ID wallet or it is compromised?
Same as the current EU eIDs in use right now or a passport. Revoke and reissue.
> Also judging by dealing with the average citizen on a daily basis, even securing an iOS device and remembering the iCloud password is beyond their level of care.
True, but that's probably something that needs to be improved with education.
In practice things are more difficult without one one. (Mine expired in January. I didn't notice until I needed to pick up a package a few weeks ago. Ended up using my US passport instead.)
https://en.wikipedia.org/wiki/Identity_document says "A number of countries have voluntary identity card schemes. These include Austria, Belize, Finland, France (see France section), Hungary (however, all citizens of Hungary must have at least one of: valid passport, photo-based driving licence, or the National ID card), Iceland, Ireland, Norway, Saint Lucia, Sweden, Switzerland and the United States."
Checking Finland, https://en.wikipedia.org/wiki/Finnish_identity_card says it's about the same as Sweden: "Possession of an ID card or any ID document is non-compulsory in Finland, though interactions with officials and companies, like voting, picking up a parcel from Posti offices or buying alcohol when a salesperson suspects buyer to be under 18 or 30 years old, can be difficult or impossible without an ID card, a passport or a driving licence."
As I recall, in Sweden to vote without id you need someone who does have an id and knows you to vouch for you.
To sum it up, it's a complete mess and every country has different rules and also enforces them differently.
After all these years I still have no clue what is actually an official ruling of anything because I've had no problem showing my driver's licence when officially I'd needed my id card (in Germany). Then there's the decade old widespread rumour that you need to _carry_ any form of id, which is completely wrong (with a few exceptions).
It's nearly indistinguishable from a passport, not a national ID card (at least as implemented in other EU states).
The closest thing in Ireland was the "mandatory but not compulsory" Public Services Card and the related MyGovID, until it was ruled unlawful to require a PSC for access to government services.
There really is nothing like a mandatory national ID card in Ireland.
Please forgive me if I'm jumping to conclusions here, but I'm guessing you're American.
> What happens if I don't want to identify myself?
In some countries that is not an option. For example, in Portugal when in a public space, the police has the ability to ask for ID if they have a reason. They must first identify themselves, and list the reasons to ask for identification. If you have no valid ID with name and photo, someone that knows you and can attest to your ID can do it, IF they themselves have ID. If you're alone, you can either ask someone to take your documents to where you are, or ask the police to go with you to where you have them. If that is still not possible for whatever reason, they you can be taken into a police station until you're properly identified and your fingerprints are taken.
After all that, if the reason why you were identified lead to nothing you can request for the info on you to be eliminated.
> What happens if poverty does not allow me to carry a digital ID?
Most countries have state issued ID cards. Note, I wrote most, not all.
> What happens if I lose my digital ID wallet or it is compromised?
Same thing that happens when you lose your wallet, I guess. Go to the nearest police station, tell what happened. Then go on from there.
> Also judging by dealing with the average citizen on a daily basis, even securing an iOS device and remembering the iCloud password is beyond their level of care.
People take government stuff more seriously than they do other things. For example, my mother that can't remember her router password knows her hexadecimal password to the IRS website by heart. My in-laws kept the letters from the IRS with the password in a well known place just to use it once a year when they need to fill their forms.
I'm not saying there's implicit trust in governments in the EU, but from the discourse on the internet, it's clear to me that most (western) european citizens trust their government more than Americans, overall.
> I'm not saying there's implicit trust in governments in the EU, but from the discourse on the internet, it's clear to me that most (western) european citizens trust their government more than Americans, overall.
This is absolutely right. And they are fools to do so! The government can write legislation such as the police have the right to see your id, and everyone is meant to show it! This is nothing to do with right or wrong. It can be couched as 'protecting people' whilst being tyrannical.
At least in the US they have access to weaponry to give those government officials pause for thought of they attempt to implement tyranny. Europe is already defanged though - who could fight back, even if they wanted to?
The prospect is rigid stasis - governed by an unelected elite, who have the mechanism of fine grained control over every citizen. Its neo-feudalism via technocracy.
Funnily enough people in the US that bang on about tyranny and guns tend to also bang on about making anyone that looks like a foreigner present documents.
The US military would roll through any amount of Americans with guns.
It is unlikely a large faction of the military would actively become [technical] traitors and actively fight the US military. If they abstain. No big deal. Only a fraction of the military is needed. All the tech would still be available.
The military could spend some months building a TON of drones…get any Allies who are capable, to do the same. A fight of mostly drones and fortified heavier machinery vs normal Americans would be a bloodbath.
The morale of the dying people would be awful. That is a bloodbath. Not a fight against tyranny.
The 18+ cops at Uvalde were scared of one kid with a semi auto. The cops being that scared to do anything to protect the children of their own community while eating up 40% of the budget lends credence to not expecting more local authority and similar weaponized and experienced career folk to be much help. That’s if they are on the people’s side at all.
A look at the downfall of the trucker’s protests in Canada shows how quickly the cops and authorities will look out for themselves far above the cares or issues of the citizens they “serve”. The cops and enough authorities were engaging in disobedience, helping out the protestors, being kind to them. Once they were given more power and money, they went out in full force the next day and treated the protestors that were their peers the day before like leftist protestors. Brutally subduing the protest and ending it.
> What happens if I don't want to identify myself?
The same thing as what happens in the offline world when you try to open a bank account or board a plane without ID: You're refused. Like it or not, for some services you need to identify yourself.
> What happens if poverty does not allow me to carry a digital ID?
While this is an issue, the issue is with a service being available only online. That issue already exists. Most governmental stuff is obligated by law to be available offline as well, but for private companies its more difficult.
E.g. If I want to open a bank account and I don't have a phone or computer, some banks already make it hard to do it in person.
> What happens if I lose my digital ID wallet or it is compromised?
The same thing as what happens in the offline world. Procedure depends on where you live. Here you have to file a record to the local police and you get a new ID card a couple of days later. Now it can probably actually be blocked and you get a new id immediately.
> Also judging by dealing with the average citizen on a daily basis, even securing an iOS device and remembering the iCloud password is beyond their level of care.
It's up to the government to educate people and make a foolproof system. That's easier said than done but a lot of countries already have digital ID systems and it's worked well for almost 2 decades now.
This is the proposed solution. The point is that the ID system only gives someone the information that they need. If you only want to prove something like "age > 18" then you can do that without giving up your name, address, ethnicity, etc. Every existing solution to that requires you have over more than a boolean answer that your age is above a minimum threshold.
This is effectively "attribute-based access control" (eg IAM) for the real world.
Am I being cynic here or is this just another attempt at total surveillance? It solves a problem that does not exist, will likely be mandatory at some point and is executed by a defense company.
I'm guessing more like a/multiple "recently privatized" ex-national telecommunications provider (ie blue chip company with the state as majority stakeholder). You know, "plausible deniability" and stuff…
Edit: I stand corrected, with Thales writing this article, we can expect conglomorates such as Thales or Siemens to build this as well (corporations that due to their long standing national prominence are de-facto state-entities, although not de-jure).
It solves on problem for me. Since the introduction of Apple Pay I hate taking my wallet anywhere and 95% of the time I don’t. But my ID and driver’s license is in there and it’s needed sometimes. This gets me closer to the goal.
Let’s say, travelling to a different country without a wallet would be amazing to me.
It does solve a problem that exists. In fact the use cases are listed in the article: filing tax reports, opening/accessing bank accounts, etc. Basically the stuff where in the offline world you would've needed to show your ID.
However, many (all?) EU members already have developed their own national system. So this tries to unionize those systems so dealing with other member nations becomes easier. Today I often have to mail a bunch of documents if I want to prove my business ownership to foreign companies.
and eventually those tax reports and credit ratings will be tied to super market checkout systems. So governments can pick and choose which tax payers can eat what.
Any data that is aggregated is open to abuse by the aggregator and it will be definitely abused if the aggregator is a government body.
Why do you have to bring FB into the equation? It seems you are mentioning it as a relevant alternative - what is that?
When somebody says "This may be controversial // Well, much better than being crushed under a rock", the latter is supposed to be rhetoric, here somebody seems to treat it like a real alternative, as if you went into the current events to avoid that!
Doesn't Estonia have its own E-Estonia X-road system that already does these things, using cryptography for verification and non-repudiation?
So why do we need this newer, more expensive, dystopian stuff made by some private company? How do I vote against this? Oh wait, it's the EU...so I can't.
> Am I being cynic here or is this just another attempt at total surveillance?
I don't think so. The idea is to make the wallet offline.
> It solves a problem that does not exist,
I does exist. Automatically checking identity is hard. Some counties apparently issued certificates to their citizens and enabled them being verified by anyone, simplifying several online businesses patterns.
> will likely be mandatory at some point
More like fast lane. But eventually (30 years) probably yes.
> and is executed by a defense company.
Every country is responsible for their own part. There are going to be ETSI standards for interoperability.
The actual trouble here is that (at least in my country) the officials responsible believe that rooted phone is higher security risk than automatic updates from Chinese government.
Every single non-cash transaction you make every single day needs to check your identity. Currently it is outsourced to banks, multinationals like visa, thousands of different government departments providing trusted docs (usually a few different ones per country). And a lot of fraud happens because we do a bad job at it. Or for-profits, doing 'good enough' where 'better' isn't profitable, because they get to pass on the trauma of identity theft to the victims.
The data on the document is just a snapshot of the data in electronic systems. These systems are used every single day when you use physical documents in healthcare or any other government-related scenarios to double-check on that physical document.
Just because you don't see the problem it is solving doesn't mean the problem does not exist.
Some context: I'm French, I live in Belgium. I have two e-IDs cards: one french, one belgian. When I need to identify myself, depending on the government I have to deal with, I have to use either my "FranceConnect" credentials, or my Belgian e-ID card.
When using my Belgian eID, there is a government login called CSAM, but a lot of people here use a private company called "itsme" (https://www.itsme-id.com/). ItsMe does not support Linux. CSAM does, but not every service that supports or even requires eID login here supports CSAM.
FranceConnect is even more of a mess. French government has a plethora of online services, several with their own logins and not all support FranceConnect.
Making a digital wallet won't increase surveillance... surveillance is already possible on all of this, quite easily so. What it will do is greatly simplify life for people dealing with these systems; especially for expats and new arrivals into a country, who might get stuck in the loop of "You need a bank account to get your ID" "You need an ID to open a bank account"
Not to mention all the services that do their own shitty KYC and would be better served by using automated ID checking instead. Unless you think it's better and "more private" to email a photocopy of your ID and passport to somebody who will forward it three times, save it on their computer, and share it on Slack with the tech team because there's a problem with their shitty KYC system.
> Making a digital wallet won't increase surveillance... surveillance is already possible on all of this,
Sure, because a little minority of people has "the burden" of managing multiple IDs, lets tear down one firewall between citizenry and big-brother for the rest of us.
What's the "firewall" in this case? eIDs already exist all over the place, as demonstrated in parent. They also clearly have their use, even though they are currently frequently broken.
The firewall is who is accountable, who is responsible to the electorate. "Broken" no, a feature yes, because exploiting technical flaws in a country's digital ID for an attacker becomes more troublesome if each country has a (an even slightly) different implementation.
Labeling it "broken" - we all are using the same password for every account anyways, aren't we?
But we're talking about the EU here, the second largest democracy in the world. Of course they're accountable to the electorate. This isn't a dictatorship.
From Berlin xHainers to Parissienne Bobos, from Munich Schwabing to Noord Amsterdam, there isn't a single citizen in the EU with discomfort of his vote becoming dilluted from a x-millionth to an x-hundredmillionth.
But thats just... yknow, how democracies work. More voters = less power/vote.
Are you just unhappy the electorate is so large? What would the appropriate size be? Mayoral? Households? That'd really maximize the power of your vote.
But then, how would we organize at the level beyond that? Warring tribes? Go back to when Germany and France were constantly at war?
I don't love vdL either. I think the EU is in need of reform. But I still think it's fundamentally a good idea and I think vote dilution is just inherent to a large democracy.
There's not much democracy in the EU, and that's by design.
I'm only surprised they haven't got rid of the ability of countries to secede the union yet. I'm guessing all these pushes for further integration are an attempt at de facto making it impossible to secede, even if not legally.
> There's not much democracy in the EU, and that's by design.
[citation needed]. Please don't just throw out wild claims without any proof. As far as I'm aware, every single element of the EU is democratically legitimized in one way or another. Do you have any evidence to the contrary?
> I'm only surprised they haven't got rid of the ability of countries to secede the union yet.
Why would they? If you don't want to be on our boat, feel free to sink on your own. We don't need the dead weight.
And that design is there to keep sovereignty of membership countries - so it is strange that you are surprised that there is still the ability of countries to secede the union. Most powerful entities in EU are national governments of countries. Who is appointing Commissioners? Member states. Similar like national governments are appointing its ministers. Then there is veto and of course, who has last word in everything? Heads of states / prime ministers.
Ah yeah, just like how Von der Leyen, Macron said that they want to abolish the consensual vote, when Hungary didn't play along with sanctions being a landlocked country. Totally democratic and totally designed to keep sovereignty.
Macron can say what he wants, he has not written any treaty yet. The Hungarian government is still free to act as they see fit.
This said, majority-rule can only increase in European mechanisms, because a continent cannot be paralized by the needs of a tiny minority on every possible choice. Does the US Senate (effectively the equivalent of EuroCouncil, with almost-equal representation for each US state) require unanimity on every choice? Obviously not, or it would never get anything done (and even like that, it struggles massively to approve anything these days).
The appropriate solution would be to reduce the power of the institutions, ideally down to the individual level and allow corporations to provide the services citizens need.
Vote with your money, don't dictate the rest of the country with your wants.
Diluted? EU has significantly more power than any single country. More than the sum of the power of each country taken individually. Hence, mathematically, your vote has more power in the EU.
"The wealthiest will do media campaigns to manipulate the public" => that I agree with, but this is really old and has always been like that, not only in democracies. I'd even say that democracies are the places where this is happening the least, compares to state-owned news like Russia or China.
Too many abstraction layers and too much happening behind closed doors withotu elected politicians present. As a citizen of EU member, I find it very hard to define EU as a democracy.
We need Swiss-style referendums-on-everything. Now it feels like oligarchy managed by lobby groups no matter what you vote for.
Do we want democracy? Or ruling by oligarchs, hoping that oligarch you like will end up ruling?
Obviously democracy needs educated citizens who don't take the responsibility lightly. That's why citizenship shall be a big privilege with even bigger responsibilities. We have to have a lively discussion. Otherwise it's people who cry loudest win.
I love Brexit as a democratical move. People voteds and government followed through. Now citizens will live out consequences, for better or worse. And they can make next decision accordingly. That's so much better than enlightened oligarchy guarding the masses from their own wrong feelings.
That's like raising kids. If you guard kids from their own painful decisions, they'll never learn. Eventually they'll be adults and they'll keep doing dumb decisions. You have to let them experience some pain to teach them a lesson.
The EU is not a democracy. Its only democratic organ is toothless.
It is an association of democracies, led by an undemocratic executive that is increasingly out of control. At the moment it is busily destroying its own economy in a way that is baffling to many of its citizens.
If it doesn't evolve into something more democratic it probably hasn't long to go.
The executive is appointed by democratically elected officials. Y'know, the same way the US president is elected by electors, or Prime Ministers are elected by parlaments. Most democracies work this way.
>There is no democratic vote, with or without proxy, before the appointment of the Commission.
Err, yes there is. The directly-elected European Parliament first elects the President of the European Commission, and then has to vote to appoint the entire Commission.[0]
And before they do they they hold hearings with each of the different commissioner-nominees to evaluate their suitability for the role, demanding that people are replaced or given different portfolios if they are not suitable.
Nominations for the role of President must take in to account the results of the election,[0] and the European Council nominates somebody from the largest party in Parliament. I wish that Parliament had stuck to its guns in 2014/2019 and rejected the nominees that weren't spitzenkandidaten but hopefully the new proposals tabled by Parliament creating transnational lists for Parliament will change this.[1]
From my vote to this decision there are so many layers of abstraction that I wouldn't even begin to have a clue who to vote for and in which election if I do or do not want this E-ID.
At least in national elections there are parties campaigning with a platform and then I can decide which platform I like best. How often the platforms of the elected parties get translated into reality is another question, but it can at least plausibly be described as demos kratos. Maybe the EU is "democracy" in some modern sense of the word, but in the original sense of the word it is not. (I'm not even saying that's a bad thing. Maybe it is in fact better to have elites deciding.)
> At least in national elections there are parties campaigning with a platform and then I can decide which platform I like best.
I fail to see how you cannot do that in European Parliament elections. If anything, EUP elections are more democratic than average, by way of using a proportional-representation system that matches voters' preferences more closely than almost any European voting system.
And if you're saying, "but it's the Commission proposing laws!", they don't pull stuff out of thin air: the Commission effectively tries to implement an agenda that European Council members agree together. And who is EuroCouncil? National governments, whom you vote for. Also, the Commission doesn't work alone - directives are effectively drafted in concert with Parliament committees, because in the end they have to be approved by such Parliament.
What do you mean itsme does not support linux? It's a phone app, you don't need to install anything on your linux machine...
However, it's not a good situation that a private company gets such a central role. In fact, Belgian government yesterday announced they're going to make their own implementation. Surely there's already eID login, but that's too cumbersome compared to itsme because it's from the pre-smartphone days.
I don't use itsme, only CSAM, because itsme does not support Linux: I can't log in with Firefox or Chrome on Linux with my eID. But CSAM is not universally supported. Example of a site that does not support it: https://www.proximus.be/ - Major ISP in Belgium)
I'm not sure because I don't use itsme anymore (it stopped working on jailbroken devices a while ago, so I just switched to TOTP auth with CSAM) but if I remember correctly the initial setup of itsme doesn't work on Linux, as it requires a browser plugin for the card reader that doesn't run on Linux. CSAM uses a different browser plugin that does work on Linux.
Worth mentioning that itsme is a private consortium of several banks and phone operators which explicitely says that data collected will be used for marketing purpose and "research".
That you can’t even think of using it if, like me, you are not using a phone operator or one of the few banks which are part of the consortium.
Yes, that's what I'm talking about, although brusselstimes seems to report it weirdly (sounds like they want to extend itsme).
https://www.standaard.be/cnt/dmf20220627_97617861 -> They want to replace itsme with something build by the government.
You're confusing a couple of things here. CSAM isn't an identity provider. It's like a gateway/umbrella to multiple identity providers like eID and itsme. You can have eID authentication without CSAM and vice-versa.
It doesn't make sense to claim itsme doesn't support linux. It's only a phone app, you dont need desktop software. I can login to proximus.be using itsme on linux.
I read the thread and they were discussing about "audit" made by the Belgium government. I double checked the certificates used for ID cards in [0] and all are self-signed. I don't see any link or ownership to "DigiCert". Perhaps the discussion were related to government's websites.
Example for Belgium Root CA2 in [0]
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3098404661496965511 (0x2affbe9fa2f0e987)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=BE, CN=Belgium Root CA2
Validity
Not Before: Oct 4 10:00:00 2007 GMT
Not After : Dec 15 08:00:00 2021 GMT
Subject: C=BE, CN=Belgium Root CA2
The Belgium Root CA2 in Mozilla discussion is different.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:00:00:00:00:01:41:a1:e1:34:ba
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=Cybertrust, Inc, CN=Cybertrust Global Root
Validity
Not Before: Oct 10 11:00:00 2013 GMT
Not After : May 12 22:59:00 2025 GMT
Subject: C=BE, CN=Belgium Root CA2
That's I wanted to say. Belgium Root CA and its intermediates are never used for web connection (TLS) (perhaps used internally in gov intranet). I use my Id card for PDF signing. I presume CAs are added to the trused list of Adobe.
You said DigiCert owns those root CAs and I wanted more information about this.
> It doesn't make sense to claim itsme doesn't support linux. It's only a phone app, you dont need desktop software. I can login to proximus.be using itsme on linux.
I think you're seriously confused. It's perfectly reasonable to claim that itsme doesn't support Linux. Phone have operating systems too, you know - and some phones run a Linux userspace (e.g. the Pinephone and Purism).
"Does not support Linux" means "itsme can't run on a Linux userspace" (as opposed to a Linux kernel but Google userspace, which is what Android is).
The author explicitly says this: "I don't use itsme, only CSAM, because itsme does not support Linux: I can't log in with Firefox or Chrome on Linux with my eID."
> When I need to identify myself, depending on the government I have to deal with, I have to use either my "FranceConnect" credentials, or my Belgian e-ID card.
That you even have to identify yourself as often as you do in the EU is a problem the EU countries created. So basically they create a problem (people needing to identify for basically everything: vaccine, going to the restaurant, going to nightclubs, maybe going to the toilet in the future, etc.) and then come up with a solution: "Look, it's going to get easier to identify yourself!" and everybody applauds.
But, wait, why do I need to be identified all the time yet?
>Making a digital wallet won't increase surveillance...
There is no reason to believe that. You are installing a government app on a gps device with a constant internet connection. Even if it doesn't send such data initially, there is no way for a regular user to know that some forced update in the future wont introduce it. At least before they would have to go through the courts to get a warrant to get it from google or apple.
Most of them don't even work without location. The location permission is also tied to the wifi because Google had the means to pinpoint your accurate location using wifi hotspots.
I'm involved in a group who come into contact with this. It's not about surveillance, it's about providing European governments, European economy and citizens with electronic ID in all situations without having to rely on Google/Apple/Facebook. So you can have a secure way to login to websites, with many personas, without having to share your GAF (and thus be tracked by GAF / share GAF data with yet another party).
Thales on the other hand are not what I would describe as a good actor but rather one of the "usual suspects".
Personally I have a dim view of the companies working in this area / the working groups because so far they've not delivered anything yet have been working on it forever. You'd expect there to be a vibrant community on Github sharing Open Source implementations. Or at least speaks. Or at least something.
Also there are so many bullshitters and snake-oil merchants in this field; makes you think that most of the "security" industry is a confidence game.
> So you can have a secure way to login to websites, with many personas, without having to share your GAF
Let's manage the beloved and accountable Eurocrats in Brussels our private Auth-infrastructure, because its not like this problem would be solvable otherwise:
Let's give the beloved and accountable Google / Facebook / Microsoft in the US of A our private Auth-infrastructure, because its not like this problem would be solvable otherwise, and its not like they have ever done anything with our data before that would make you wonder if they can be trusted.
I look forward to being able to pick up the phone to Google / Facebook / Microsoft, talk to a human and have them troubleshoot why they have locked me out of everything in the world.
> European politicians are accountable to European citizens.
That joke made my day. I'm guessing Ursula von der Leyen is a real people's champ then.
> * Big corporations are not. This seems a step in the right direction.*
So let big corporations develop the technology? Especially those that are intertwined with the state? In otherwords, entitites where the state has created plausible deniability for itself? Great, what could go wrong?
This might be a shock to you, but people here would rather have their democratic government in charge of identity than some unelected, for-profit foreign company in a country that specifically does not have any privacy protections for non-citizens.
FIDO allows to authenticate to an identity, which ideally is securely stored in a token and cannot be cloned or stolen. This identity is only an large, arbitrary number and that's all. This is not enough here.
The example provided (bank account, university registration) make it clear that we're talking about authenticating against a person real, legal entity here. It's not needed in all cases, and when it's not FIDO is fine, but when it's needed in the end the root of trust in Europe is one's national state anyway.
> This might be a shock to you, but people in Europe already have their democratic government - you may google "national elections" ;-)
People in Europe don't. People in the various countries do. This is just a level above, just like you don't say "oh why do we need the german government, can't the mayors do everything?".
Different levels of organization need different democratic governments. Tribalism is not the solution.
Having an executive made up of people selected by other politicians for political reasons is all very well as long as they understand that they do not have much legitimacy.
JC Junker, for all that he was a bit of an old sot, understood this very well.
Von der Leyen, either because of her immensely privileged background, or because of her inability to communicate in any diplomatic way, has revealed the undemocratic abomination at the heart of the European Project.
Her press conference with Stoltenberg (and Belgian nonentity Michel) at the outset of the Ukraine war deprived the EU of any room for manoeuvre in relations with Russia. She unilaterally committed hundreds of millions of people to a diplomatically absolutist position. Furthermore, she actively spun against attempts by Macron and Scholz to moderate that position.
The EU cannot continue like this: already I'm quite dubious as to whether it will survive the winter, with double digit inflation and mass industrial layoffs in prospect.
If Putin wants to play divide et impera with Russian fossil fuel supplies, she has certainly created the ideal conditions for him to do so.
She is corrupt (see Pfizer SMS) and unaccountable.
The commission is appointed by democratically elected heads of government, the same way the US president is appointed by democratically elected electors or the Prime Minister of the UK is appointed by democratically elected MPs.
Are all of those undemocratic, too?
> Her press conference with Stoltenberg (and Belgian nonentity Michel) at the outset of the Ukraine war deprived the EU of any room for manoeuvre in relations with Russia.
Russia's war of aggression on our neighbor deprived us of any room for manouvre. We've seen what appeasement brings in the 30s, no need to play that game again.
>Prime Minister of the UK is appointed by democratically elected MPs
That's not quite correct; the PM is appointed by the Queen.
In the event of a revolt by the parliamentary party of government against their leader, then the party gets to appoint a new leader, who then becomes PM. But that choice is reserved to the MPs of the majority party - hardly democratic.
But in the general case, there's a General Election, and the leader of the winning party becomes PM.
Every time you create an entry into a log file you have surveillance. It doesn't matter whether someone is currently watching the CCTV in your bedroom if it's all on tape.
Or spend non-cash money - i.e. debit or credit cards. You can buy prepay credit cards that you top up with cash but I wonder how long those will exist?
Providing governments with a de facto mandatory electronic ID for every citizen is inherently providing the means to surveil, though.
I also wonder how this will be regarded in countries like Ireland, which doesn't have a national ID card and where a recent attempt to make a similar digital ID system mandatory was ruled unlawful (PSC/MyGovID).
The regulation will have to make that illegal - there are several countries who would block the regulation it if it wasn't.
So the situation will be better for us than today - there will be more options providing the ID (and wallets), including highly privacy-preserving tech based on modern encryption techniques. That will make it much harder to be tracked by commercial players and much harder to be tracked legally by governments.
For the blackhat / illegal security agencies: you might make it a little harder because the US-compromised companies (FAANG + MS) aren't (always) involved.
What's your basis for this claim? From the declared strategy, it seems perfect for abuse as a surveillance tool.
> Most EU countries already have a de facto mandatory electronic ID for every resident.
As stated elsewhere, my country (Ireland) does not. It's attempt at a mandatory electronic ID (MyGovID/Public Services Card) was ruled as unlawful (it's still available, but cannot be required to access government services).
Ireland can't really do a national id scheme without mutual agreement with the UK due to the common travel area & mutual residence rights (including voting at parliamentary level upon taking residence) that are dealt with in an ad-hoc manner for many reasons. due to this, Ireland has default opt-out on justice & home affairs issues.
however, as an EU citizen, I can see immediate advantages to a cautiously administered digital id. as it is, many states within the EU demand a national tax id on registration for services as simple as bike rental, such a digital id would presumably supersede such nonsense and help further the single market everyone is working towards.
...and yet because there's only Apple and Google providing hardware that's used by the masses, exactly how is this going to work? If the environment we're using is completely contained (pwned) then how will this not be a draconian system of control?
What happens when I buy debian mobile? I presume it will not be accepted because there will be no safe app. No app, no identity? No identity means you're suddenly locked out of society.
What phone theft? Most people's phone security is almost non existent.
What about luddites who have no mobile at all?
It seems like it's 100% about control of people. And that's a privacy matter. My body, my life, my choice.
In theory, you should be able to go on using a passport for your actual needs. In practice, it is to be seen whether this initiative will cause or not cases where "options" become "constraints".
> without having to rely on G./A./F. So you can have a secure way to login to websites
Said perspective is insanity: for those websites relevant to an anagraphic identity it would be dramatically abnormal to use any supposed private company related account. It would be sheer absurdity to suppose a "need" for accounts with private entities to log on to nominal services.
The number of websites where I would willingly use my real id is no more than five. I almost never want to have anything I write online attached visibility to my actual public identity. Anonymity is the whole point of the internet!
If that's all it is then fine. But it seems to be just the first step to what many fear will become a system tied to digital currency, speech and social credit.
Most of the examples mentioned in the article already require your identity (opening bank account, tax return, etc).
Others are outright creepy. You can't access medecine without verifying your ID? That locks lots of people out of access to healthcare (illegals, tourists, etc). Age verification? So porn websites will store the real id of all their visitors (or alternatively a central EU age verification system will be notified every time you visit such a website)?
In France for instance it is illegal to identify people by their social security number in a system (at least it was 20 years ago). That's a safeguard to prevent it from making it too easy to correlate an identity across many systems. This ID scheme will go around that. To be honest I think that law was passed at a time where surveillance was still considered evil. I think governements of most liberal democracies today are actually entertaining stasi-style surveillance as a greater good.
Age verification already works with the current digital IDs and it's made in a way that doesn't leak your personal data. In general you get to see what personal data is being requested before you agree to transmit it. The IDs can also create pseudonyms, so different systems don't know that you are the same person.
I opted out of the digital functions of my ID, but I plan to have them activated, because it's better than video identification or uploading scans of my documents. That being said, I hope that only serious processes will adopt this.
In the context of German ID cards, this is mostly correct.
For age verification requests, the service provider can set the amount of years, and the ID card will simply answer with a yes or no.
The pseudonym isn't created, but calculated from the ID's private key and the service provider's public key, so even a new card means new pseudonym, which makes it slightly less useful for login long term.
>Others are outright creepy. You can't access medecine without verifying your ID? That locks lots of people out of access to healthcare (illegals, tourists, etc).
Does it not make sense that prescription medication can only be picked up by somebody who has been prescribed that medication (or somebody who has been delegated that authority by the prescribee)? As long as there's an offline mechanism available for verification I don't see the problem here.
>Age verification? So porn websites will store the real id of all their visitors (or alternatively a central EU age verification system will be notified every time you visit such a website)?
Presenting a token verifying that one is over 18 is not the same thing as presenting one's entire identity so that the service can verify one is over 18.
The way it could work is this: You try and access an age-restricted service (ARS). It returns a request for age verification including a unique ID. You then pass a hash of that request to the age verification service (AVS), and get back a token which is signed by the AVS. That token is then presented to the ARS, which validates that the signature and that the hash of their request are valid.
Boom, you have just verified that you are over 18 without leaking your identity to the ARS and without leaking the ARS's identity to the AVS.
All the AVS knows is that you're asking for an age verification token for something, but it doesn't know what the token will be used for as that information was collapsed in to a hash by you.
I'm sure there could be some sort of more elaborate protocol that would preserve privacy in the case of a log breach, the one I sketched out just shows that (assuming logs remain private and there's no collusion) that the ARS doesn't need to know the user's identity and the AVS doesn't need to know the ARS's identity in order to validate the user's age.
I live in Denmark, I have an "easyID" (NemID), along with a social security number that allows me to connect to all government websites. The system allows people to use physical passcodes mailed to people, or send a push notification to their phone, to trigger the NemID application to approve or disapprove the entry.
As others have mentioned, similar stuff exist in other countries as well.
So to me, I'd rather have a single common, shared and opensource system for both Denmark, and all of EU.
The problem of digital identity theft/fraudulent identities exist very much, you can't get rid of crime by individuals or nations. So it seems that this would be a solution.
Most EEA countries issue physical identity cards already, so a digital one would seem a logical step.
Not that I don't disagree with the concerns about it.
You just have a very US centric view. Here's the situation in Latvia: Full, searchable (by government institutions) digital registry of citizens. Your income is being recorded for tax purposes. There's centralised data on what vehicles you own, and firearms are registered too. Medical data is also being centralised, to handle prescriptions digitally, and share test results between labs and doctors. Any criminal offences are centrally registered too. The information is there, and most likely being cross-referenced already.
What this would add is a more comprehensive log of where proof of identity has been used. In my case, the last non-digital, non-already-trackable request to display proof of identity was last summer, when I was trying to buy a case of beer with a mask, sunglasses and a hat completely obscuring my face. Guess the police will now know I visit grocery stores.
What's more, that's already been sort of centralised, with a single identity broker latvija.lv being run by the government, that then relies on other "blessed" identity sources such as banks or digital signature providers. The logs on who requested the identity verification and who got verified are surely there. If they cut the banks out of the loop, I see that as a net positive.
As for me, I'm not overly bothered by this. I trust the government to not wilfully abuse the data far, far more than I trust any for-profit entity.
> You just have a very [U.S.] centric view. [...] I trust the [Latvian/EU] government to not wilfully [sic] abuse the data [sic] far, far more than I trust any for-profit entity.
If unclear why no one in the U.S. trusts federal, state, or local governments:
* The U.S. federal government now mostly acting in service of for-profit entities, due to legalized bribery of elected officials (Citizens United) and inadequate representation (the Judiciary Act of 1869 for the Supreme Court and the Permanent Apportionment Act of 1929 for the House).
* History defeating the most powerful empire in world history, emerging as the first nation to ever overthrow a colonial oppressor.
* U.S. law enforcement officers extrajudicially killing more Americans than mass shooters in 2019 and police departments across the country taking in billions USD every year in unconstitutionally seized assets.
* More Black Americans in the "justice" system in the 2020s than were enslaved in the 1860s.
> More Black Americans in the "justice" system in the 2020s than were enslaved in the 1860s.
What do you mean by in the system? I would have guessed it means incarcerated, but there were around 3.9 million slaves in 1860 which is much higher than the number of people incarcerated in the US which is around 2.3 million (Federal, state, and local) of which around 1 million are black.
What if Russia were to overtake Latvia in the coming months via direct force or through installing a puppet regime? Trump in 2024 for our American counterparts. Would you be okay with the new masters having all this data and history on you?
If Russia takes over any country, it's game over anyway like it was after WW2. The lack of an ID won't protect you from rape, robbery, murder, a trip to gulag, etc.
Europeans have a rich history of bad regimes and their removal. It's not like the puppet regime would be like "Oh no, we can't do anything about this person who tweets nasty things about us because we can't look him up in the central registry". It's going to be like "hey Twitter give us the ip address of this person or you loose your money and access to our market" and then they will phone the ISP and tell them to give the ID and address of the user with that ip address.
So in reality, central registry of information doesn't really protect you from anything but saves the bad actor a few phone calls. On the other hand, it saves you a lot of phone calls and office visits every time you need to deal with the government.
If Russians install a puppet regime, the existence or lack of central registry wont actually change much. It will require popular uprising to make a difference, which Europeans are actually accustomed to.
Riots and protests happen all the time everywhere and taking down the governments is a thing too. Of course it depend on the specific country but in general governments in European countries resign all the time and when the refuse to resign despite popular demand they end up removed by riots.
So they also have bad history of greedy private enterprises on which they don't have a say.
The idea is that there's a value in having an enterprise(the government) with centralised record keeping because they own that government and have the power to change managers on predefined reviews(elections) and they have a history of forcefully changing managers who try to stick around despite not being wanted.
What do you do when a private enterprise misbehaves? Mind you, the governmental duties are often monopolistic by nature. What do you do then? Sniper the CEO?
It's much more socially acceptable to riot against the government and burn government building than assaulting company HQ.
We've also learned from our history, and created institutions like the ECHR to enforce a minimum standard of human rights against the state, and list more things than "Speech and guns good" like the US.
Russia is indeed the main threat in our neck of the woods. And with the regimes they tend to run, lack of easily accessible digital registry is not something that will save you from falling down the stairs and accidentally landing on couple of bullets with the back of your head.
More importantly, we already have these registries! There's already a digital identity verification service in place that, according to our law, is sufficient to identify a person to the same degree an ID card / passport would in person. It's there, I've used it as an end-user, I've set up integrations with it for my clients. The issue is that if I want to identify myself to a German institution for whatever reason, the only way I know of involves burning a whole lot of dead dinosaur juice to get to Berlin, standing in an orderly queue for a while, and presenting my passport in person. And probably filling out couple forms along the way somewhere.
Yeah but do you want this thing linked to every click, like, page view, search, post, purchase and so on? Required for entry, to buy and so on? Very easy for it to go that way. That's the fear behind those who are saying pause.
Americans love complaining harshly whenever someone mentions "contry-wide" ID like it's literally the thing of the Devil while ignoring that every other place illegally uses their SSN as an ID number
> I trust the government to not wilfully abuse the data far, far more than I trust any for-profit entity.
The prime difference between American/British world view and continental European one and I'm loving it.
Sure, it's very nice to think that the government doesn't track you and doesn't know where you live. Then they build these giant systems to covertly track everyone and listen to everything.
Essentially, everything that the Americans believe that the government wants to do to them is already being done - just clandestinely.
On the European approach, we assume that the government is competent enough and is ours, therefore we give them the information needed to provide services and security. If the governments misbehave we will simply burn their palaces and drag them on the streets.
IMHO, both approaches have merits and I'm happy that they exist at the same time. It kind of keeps the institutions on track as scandals happen and fixes are implemented in attempt of self preservation.
It's surveillance to the extent any ID system is surveillance.
This is a digital form of all the IDs you get from the state already.
There are genuine concerns about the scale at which digital IDs can potentially be exploited and/or the scale of monitoring this can enable, but in functional societies and governments you can build laws and systems to mitigate such issues.
The alternative are low quality ad hoc systems that offer convenience, but have no incentive for privacy and/or security.
For example, consider the massive Experian hack in the US. A credit score is basically required if you want to be a functioning member of American society. And yet they barely got a slap on the wrist and continue with their pathetically poor security practices. And it's not like they (or any US entity, for that matter) will not make their data available to the government.
In fact, with a government controlled DB the voters can have far more say on what the govt can do with that data, as opposed to Apple or Google owning that data (which is what's happenign in the US with Apple providing digital ID for states, and I'm sure Google will get into that as well), which becomes their private data and as a member of society you have no say on what can be done with that.
Something the customer is (fingerprint, iris, face)
Right there, trying to normalize the idea that the government needs our fingerprints, iris etc. And that ship has sailed, lots of laws getting passed that will require this from citizens.
This is not the first attempt to set something like this up in the EU (in fact, the directive is some 10 years old), and it won't be the last. In the end, it will die like all the projects that come before it, because with 27 member states all having different structures, the complexity will kill it.
It will die because it's in Thales strong financial interests to have it die a slow death with many contract revisions and cost increases.
Source:. I have been in meetings where defence contractors discuss how to corner the customer (the government) to force them to pay for more work. Up to 300x the original contract value over 7 revisions in one case!
Also, Thales is basically a sweatshop in Eastern Europe. They'll charge the EU several times what the work is worth in Western European dev wages, then nearshore the actual work in their Eastern European offices. Similar to what IBM, Oracle and other consultancies and bodyshops are doing.
I wish I was a Western European manager there. Make huge wages without doing much work other than churn out PowerPoint presentations to the tech illiterate C-suite and boss around some Eastern European juniors.
The EU covid certificate is nothing more than a signed piece of data with a PKI behind, the complexities between that and the eWallet proposal are orders of magnitude away.
If only they would actually learn from it (e.g. make it open source). As it works now, no chance this will succeed. Speaking for Germany alone, this would be monumental.
Several countries in Europe have rolled their own. This system is an attempt to digitize the countries that haven't, and standardize the countries that have (and make it work EU-wide, so it works better for citizens moving between countries).
I believe most European countries have their own solutions similar to this. e.g. in Denmark we have NemID/MitID as the way to digitally authenticate yourself to the healthcare system, your bank, etc.
If I understand correctly, this EU initiative would unify all these separate country-level identification tools into something that works EU-wide, so I can take my Danish digital ID and e.g. use it in a bank in the Netherlands.
Each country has their own system. in NL we had DigID, and apparently now iDin (first time i hear about it). In Italy we have SPID who uses a bunch of external providers (phone companies, italian posts, internet providers, ...). The whole idea is to create an interoperable standard.
The article does point out that several countries have these kind of systems but they are not cross border. Solving that is supposed to be part of this initiative. Being able too use a swedish issued id to authenticate in the Netherland would imo be a nice and a big step forward.
> Being able too use a swedish issued id to authenticate in the Netherland would imo be a nice and a big step forward.
That's unfortunately caused by the proprietary solutions chosen, BankID and similar. If Sweden and Netherlands had gone with very widely supported Smart Cards (like Finland, Estonia and Latvia), they would interoperate trivially. Especially with the advent of eIDAS.
Hopefully this legislation forces proprietary implementations to become more open.
Massive oven for a cash solving a problem which doesn't exist. Bureaucrats will hire each other then produce gigabytes of PDFs and half-baked MVP. After the covid masquerade ball, where remotely switched "certificate" determined one's basic civil right (freedom to travel), I'm not installing any app from authorities.
Sweden also, yes. Although it is not similar. As I understand the way BankID works - it is responsibility of the bank that issued your BankID (or another company, as there are a few non-bank companies where one can get "Bank"ID) to identify you physically (using a passport, national ID, driving license etc). The government (in Sweden at least) is not (visibly) involved in the process.
I am not sure what you mean by "to identify you physically".
The way it works in Norway is that, once you have a bank account (which means you had to identify yourself using passport or similar) you can get a BankID which allows you to log in to a lot of online services (health, tax, employment, etc) without having to do anything else.
Fully digital is bad, what if I lose my phone or my certs get somehow stolen. In Estonia we have a physical ID card with certs on it and I like that much better.
I think this does not look totally bad. I have lots of good experiences on similar digital ID from Estonia. That just works.
Banks etc rely there on government-backed authentication.
In Finland its totally opposite. We have 10 or so banks, which all have their own authentication methods and government has outsourced authentication to banks. And every authentication costs 0,10€ (it was previously much higher amount, something like 0,70€ but it is now [since 2017] limited by law).
So, I think at least in Finland banks will be the ones who will come up with several reasons why they should not implement this new authentication method.
Phew! But it's not something you wanted, right? This is not something that helps.
It is something that helps those doing the governing though. Tracking you. Why is it planned that we all have these sorts of id/wallet/health pass/etc?
Is it possible that it will be used as in China, with good citizens (uncritical of the government) allowed access to travel, borrowing, schools, etc nevermind the loss of privacy as each purchase, movement is tracked?
To me its plainly about control. Control like we cannot even conceive of. Even if the government is not rule by the worst (and the EU is not a democracy - there's no options to get people out) the change in society will change us. If we know we are always under close scrutiny, you will change your behaviour.
After all we have seen, I hope we are in agreement that this sort of gadget should be roundly refused.
I am actually not sure if I wanted this. I think this is better than current (specifically comparing to Finnish) state, but still far from optimal (mainly based on privacy concerns).
> Is it possible that [..] is tracked?
Yes. But I have The Great Belief that EU is _still_ one of the Goods. That may or may not last.
Still, it is very easy to exaggregate this (slippery slope) and at the same time it is too easy to understate this. Probably we - as citizens - should raise loudly these concerns and if we are not heard - then roundly refuse.
Hard to predict but usually (lost) belief transforms to feelings/actions like resistance. And probably on that point there will be also others who will do the same.
The same way I am resisting (in-efficiently) things now in democracy: by voting and trying to raise my concerns on public forums.
Yes, government could do things which prevent me doing so. Still, I am not capable to manage everything by myself and at the same time I think it is better to let things to be managed by (good) government than corporations.
> competition is what drives societies to become more complex, building more hierarchical armies to fight ever-more-complex wars and organizing increasingly bureaucratic governments to manage diverse resources and growing populations.
This sounds interesting. Having identification be a cost would make people think before engaging with anything that requires it, which would encourage companies to avoid. Also, if people can choose freely which banks to use, then there is also some market pressure on banks to have good privacy and security.
> I never had to prove my identity to rent a flat in the EU. Good people trust each other.
For how long was this rent, and WHERE? Every time I rented for living spaces, the contract had to signed, marked on every sheet that had text, and taken to a notary to be considered valid. This is because all the info is then used to calculate taxes at the end of the year.
For years. In some places I didn't even had to sign a contract, in other places I would sign it but nobody ever checked my ID. Apparently nobody really cares much as long as you look and sound nice and pay them a deposit. They would only ask for the ID in hotels (which I'd vote to abolish as well).
This is great (I'm from Sweden which already has this), but you need to be careful as this also makes it really easy for you to fall into scams. I'm at this moment fighting a company who required me to login with BankID when using their website's contact form, and as soon as I was done with my inquiry they tried to blackmail me by saying "nope, when you logged with BankID, you technically signed (extremely unfair contract that says I need to pay them obscene amounts of money for simply reaching out to them) and we will sue you if you don't pay"
Fortunately I'm fine in this case as the law states that you cannot be tricked into signing a contract that was never presented to you, but I think most people don't make the connection that your BankID logins are considered legit signatures by law and that you can be held accountable for what you use it for.
It's a fantastic system, especially when I compare how it used to work when I lived in the UK with how it works in Sweden: it feels like the UK is 50 years in the past.
It should be government owned, definitely, but Sweden has a very poor history of securing it's IT systems in government. Like.. very poor.
So, maybe I'm not 100% on-board. There needs to be oversight for sure.
> In short, companies will have much more control of the data they wish to share.
What does that even mean? Even in that context.
> Most users will access the EU Digital ID wallet in the form of a smartphone app.
Why the EU thinks, presumes or pretends I have a smartphone? If they want me to use a smartphone and obligate me to purchase one, then they should also provide a free or super cheap alternative phone + line contract.
Every time I read something like this it urges me to put together some ESP32 plus a Modem, write an email and chat client, and throw away my current phone. When they'll ask me about my phone, I would pull out some ugly 3d printed case.
> A key aim of any EU wallet is therefore to give EU-based businesses a strong, secure and powerful tool for authentication.
And all this should be safe until someone steals Thales encryption keys, as already happened in the past (Thales was formerly known as Gemalto).
> It proposed to give every EU citizen a set of strong digital identity credentials that will be recognised anywhere in the zone. These credentials will be accessible from a digital wallets and available to anyone from their mobile device
Is this thing mandating a mobile device as a document?
The digital wallet could be something like an Yubikey that holds the data and decryption software. The stipulation that it should be available to everyone is that it needs to be readable from a mobile phone (eg NFC). The phone would issue a request for access to some policy, and the device would read the data and issue a true/false response (or more if necessary.)
The wallet holder would have control over what their wallet gives the reader access to.
I imagine a mobile app would be cheaper and simpler though.
A software-only solution where private keys have the potential of leaving the device, be it an app or an USB-stick, is not really okay in this day and age.
So a proper fallback wouldn't be an USB-stick with some certificates laying around, you can instead just build the ID functionality using SIM-card applets. The keys are securely stored in hardware and you can use them on both smart and feature phones.
I live in one of the countries that have a local variant of this already (BankId in Norway). What it is used for here are services where either you are able to identify and authenticate yourself or if not, there is just now way they can be provided. These kind of services are things like banking, taxation, ownership transfers, health care, and similar.
I'm hard pressed to view allowing people access to these kind of services over the internet as something dystopian.
Getting your hands on equipment to make identity documents is physically difficult, requires lots of deals, is costly, and is limited to a few people.
Replacing this with an electronic system, where access is guaranteed via leased lines to many locations, with sloppy physical controls... and a back-end that more than likely has several holes due to misconfigurations, last-week exploits etc
I don't believe a word. The three scenarios used to promote the benefits have some big stumbling blocks that can't be solved with simple credential storage.
> With the EU Digital ID wallet, the bank can request the necessary credentials from the applicant. He or she selects them, and in seconds they are verified by the bank. The process even includes an eSignature that signals the applicant’s agreement.
This seems a bit off.
As a US citizen living in Sweden, my bank also wants to know if a customer is a US citizen, because special regulations apply.
For the above scenario to work, the EU Digital ID wallet will have to store citizenship information, including potentially multiple citizenships.
Sweden recognizes the State of Palestine. Will the EU Digital ID wallet allow storing that information?
> The student can use her EU Digital ID wallet to access, for example, the diploma she gained in one country and have it accepted instantly in any other EU country.
That's ... also odd. That's not how it works now. A diploma in one country doesn't necessarily translate to something directly in another country. Quoting https://www.uhr.se/globalassets/_uhr.se/bedomning/informatio... "A recognition statement is a document that shows what your qualification corresponds to in the Swedish education system. To prepare the statement, we review your education documents."
An app storing credentials isn't enough.
> With the EU Digital ID wallet, the person can provide trusted proof of age and nothing more.
Bars and nightclubs also gather names to help spot people who have been banned, and will also share a list of banned people with other bars. They also gather this information to spot VIP customers.
They are't going to want to give it up.
In practice it will be like a a go-away-cookie-banner button. The bar's system will ask for more information, people will press the "confirm" button w/o reading, and the bar will still get demographic information. Those few who do read and say "no" will not be allowed entry.
If preventing this sort of information leak is important, then make it illegal to collect more information than is needed to verify age, or restrict what can be done with that information.
> Billions of people regularly use mobile apps, so the process will be familiar to the vast majority of citizens and businesses.
An odd statement. The population of the EU is less than 1 billion, so this refers to the world-wide population. But world-wide, billions of people don't regularly use mobile apps.
> As a US citizen living in Sweden, my bank also wants to know if a customer is a US citizen, because special regulations apply.
> For the above scenario to work, the EU Digital ID wallet will have to store citizenship information, including potentially multiple citizenships.
You can’t proof a negative (absence of US citizenship). Today, your bank will ask you to sign an affirmation whether you hold US citizenship or not. I don’t expect anything to change about this in the future, you’ll just sign it digitally. However money laundry laws do require positive identification of the customer. Today, when opening a bank account digitally, this requires a video call where I’m ask to hold my ID card to my forehead.
> That's not how it works now. A diploma in one country doesn't necessarily translate to something directly in another country.
I agree the diploma use-case is rather less useful (how often do you need to present your academic credentials to anyone?) but there’s a difference between “I hold this German degree” and “my German degree is suffice to exercise licensed profession X in Sweden”. The digital wallet would only do the former.
The scenario was "With the EU Digital ID wallet, the bank can request the necessary credentials from the applicant. He or she selects them, and in seconds they are verified by the bank. The process even includes an eSignature that signals the applicant’s agreement."
Where in the process would the applicant fill in the information that the bank needs, but which isn't on the wallet? I guess it's a multi-step process, where one step presents credentials and another is the form-filling, and a third is the agreement.
Another way to ask my question is, what does "time-consuming and complicated" mean? Because there will still be time-consuming and complicated step even with this wallet.
As I understand it, before these Know Your Customer rules came into place, I could have walked into a bank and open an account with simply a signature card - how do you beat that simplicity?
> licensed profession X in Sweden
The document I linked to was "to work or study in Sweden", which is the "I hold this German degree" scenario you described.
The end of the document confirms that it's not concerning the "exercise licensed profession X in Sweden" - "Some professions are regulated in Sweden. This means that a special licence or authorisation is required to work in them. Contact the authority responsible for the regulated profession – for example, the Swedish National Agency for Education for teacher certification and the Swedish National Board of Health and Welfare for a licence to practice as a doctor or nurse."
> As I understand it, before these Know Your Customer rules came into place, I could have walked into a bank and open an account with simply a signature card - how do you beat that simplicity?
Of course that is a lot simpler but these regulations do exist for a reason. The status quo when opening a bank account online is the weird “hold your ID card to your forehead” dance. This proposal would be a clear improvement.
> The document I linked to was "to work or study in Sweden", which is the "I hold this German degree" scenario you described.
The document you linked describes a process with either 0 or very little force of law. (It might for government employment). Yes, an employer might like it when you translate your foreign credentials into the domestic Swedish system. But it’s in no way required.
It's honestly hard for me to judge. I don't know what it's like to be, say, a Swede moving to Spain and wanting to open a local bank account.
Still, the marketing scenario is that an EU citizen will be able to open a bank account "in seconds", with seemingly no consideration for how a digital wallet may be able to fulfill those existing regulations.
> But it’s in no way required.
Which means the scenario doesn't describe a big need, right?
If this were a solution to real problems, I would expect more substantial scenarios, not something that makes me doubt they've thought seriously about the problems.
I'm still curious if "citizenship" will be stored in the wallet, and who get to decide if "Palestine" is an allowed term.
I recently moved to Spain and managed to get a digital identity certificate. It seems to be a fairly open implementation, but has a few weird things. It’s just an x509 certificate (in p12 format) that you install into the OS certificate manager and then it is used on various governmental websites to authenticate yourself/sign documents.
First weird thing is that there’s no method to recover the key if it’s lost, besides starting from the beginning and going through the physical identity verification process again.
The other thing I noticed is that the “configurator” macOS app isn’t a sandboxed/signed app. They even have instructions on how to enable opening app from untrusted sources on their website. I feel they should bite the bullet and get a $100/yr developer account. AFAIK, all the app does is generate the certificate, transmits it to a server (to be signed by the CA after your verification happens) and generates a PIN you need to show when you are showing your physical ID. Once you are verified you enter another code that was emailed to you and it spits out your pk12 file.
Anyways, it’s come in handy so I think an EU wide standardized version could be helpful in day to day life.
It's encrypted with a password, but yeah. I spent a bit of time looking if I could load it into a Yubikey. I'm pretty sure it's possible, but I only have a U2F Yubikey at the moment, not a "full" one.
370 comments
[ 1.8 ms ] story [ 4919 ms ] threadIf you wanna study this stuff, participate in
* https://w3c-ccg.github.io/
* https://trustoverip.org/
* https://identity.foundation/
What happens if poverty does not allow me to carry a digital ID?
What happens if I lose my digital ID wallet or it is compromised?
Also judging by dealing with the average citizen on a daily basis, even securing an iOS device and remembering the iCloud password is beyond their level of care.
It is already an offence in several EU countries to fail to present official ID documents when asked by the police.
If you don't want to identity yourself the outcome will likely depend on the mood of the police office. They may give you a verbal warning and send you on your way or they may choose to arrest you until they can ascertain your identity.
At some point there will be a situation where you cannot do anything because you are in the 0.01% of the system that is broken.
The UK is not a part of the EU any longer, for pretty much all of the rest member states, that has not been an issue for quite some time... save for Ireland.
>At some point there will be a situation where you cannot do anything because you are in the 0.01% of the system that is broken.
The issued ID plastic cards would be as useful when you are present in person.
I believe the obligation to carry identification, and to have identification are enforced differently in different countries / states. But there is more information here:
https://en.wikipedia.org/wiki/Obligation_of_identification
https://en.wikipedia.org/wiki/National_identity_cards_in_the...
> At some point there will be a situation where you cannot do anything because you are in the 0.01% of the system that is broken.
Not wanting to identify yourself and not being able to identify yourself are two seperate topics. I sympathise with people who fall outside of the system, but e-identity is currently a matter of convenience for people who already have identity documents and are seeking easier ways of accessing services online.
> Also judging by dealing with the average citizen on a daily basis, even securing an iOS device and remembering the iCloud password is beyond their level of care.
The EU digital ID is based on EIDAS, a technology that is already in use by banks in the entire EU. You can be sure it is safe, otherwise any bank in the EU would have been hacked already.
Organisations can implement eIDAS-conforming technology to provide eID services if they get certified; e.g. our company provides such services (remote onboarding without video conference need + qualified electronic signature signing): https://www.zealid.com/en/
That's already illegal in many countries. You'll be fined and possibly arrested until you can prove who you are.
If you don't provide ID to the police, however, that's another issue altogether.
Verifying your identity without a global ID is done today through a combination of primary and secondary identifiers. For example a passport and bank statement. Or a driver's license and recent tenancy agreement. So if you don't want to verify yourself using the above combination then companies and the government will simply not choose to interact with you.
And not sure if you've used a phone before. But you don't need the full iCloud password to unlock your phone and access a digital ID. You just need FaceID, TouchID or a 4/6-digit PIN.
Incidentally I know how it works. I work next to the sector. The issue is that these are all legitimate questions that we have to work with daily and the abstract "we will arrest you until you ID yourself" does not work when you book a hotel...
That's a non issue in the EU.
> What happens if poverty does not allow me to carry a digital ID?
Governments will probably pay this for you.
> What happens if I lose my digital ID wallet or it is compromised?
Same as the current EU eIDs in use right now or a passport. Revoke and reissue.
> Also judging by dealing with the average citizen on a daily basis, even securing an iOS device and remembering the iCloud password is beyond their level of care.
True, but that's probably something that needs to be improved with education.
Maybe in your EU country. ID cards are not mandatory in mine (Ireland) - a national ID card has been rejected by the electorate multiple times.
Be careful not to generalise your own experience to the entire bloc - it's not a homogeneous entity.
In practice things are more difficult without one one. (Mine expired in January. I didn't notice until I needed to pick up a package a few weeks ago. Ended up using my US passport instead.)
https://en.wikipedia.org/wiki/Identity_document says "A number of countries have voluntary identity card schemes. These include Austria, Belize, Finland, France (see France section), Hungary (however, all citizens of Hungary must have at least one of: valid passport, photo-based driving licence, or the National ID card), Iceland, Ireland, Norway, Saint Lucia, Sweden, Switzerland and the United States."
Checking Finland, https://en.wikipedia.org/wiki/Finnish_identity_card says it's about the same as Sweden: "Possession of an ID card or any ID document is non-compulsory in Finland, though interactions with officials and companies, like voting, picking up a parcel from Posti offices or buying alcohol when a salesperson suspects buyer to be under 18 or 30 years old, can be difficult or impossible without an ID card, a passport or a driving licence."
As I recall, in Sweden to vote without id you need someone who does have an id and knows you to vouch for you.
After all these years I still have no clue what is actually an official ruling of anything because I've had no problem showing my driver's licence when officially I'd needed my id card (in Germany). Then there's the decade old widespread rumour that you need to _carry_ any form of id, which is completely wrong (with a few exceptions).
However there’s a passport card, which is nearly indistinguishable from an identity card:
https://en.wikipedia.org/wiki/Irish_passport#Passport_Card
The closest thing in Ireland was the "mandatory but not compulsory" Public Services Card and the related MyGovID, until it was ruled unlawful to require a PSC for access to government services.
There really is nothing like a mandatory national ID card in Ireland.
For now
> What happens if I don't want to identify myself?
In some countries that is not an option. For example, in Portugal when in a public space, the police has the ability to ask for ID if they have a reason. They must first identify themselves, and list the reasons to ask for identification. If you have no valid ID with name and photo, someone that knows you and can attest to your ID can do it, IF they themselves have ID. If you're alone, you can either ask someone to take your documents to where you are, or ask the police to go with you to where you have them. If that is still not possible for whatever reason, they you can be taken into a police station until you're properly identified and your fingerprints are taken.
After all that, if the reason why you were identified lead to nothing you can request for the info on you to be eliminated.
> What happens if poverty does not allow me to carry a digital ID?
Most countries have state issued ID cards. Note, I wrote most, not all.
> What happens if I lose my digital ID wallet or it is compromised?
Same thing that happens when you lose your wallet, I guess. Go to the nearest police station, tell what happened. Then go on from there.
> Also judging by dealing with the average citizen on a daily basis, even securing an iOS device and remembering the iCloud password is beyond their level of care.
People take government stuff more seriously than they do other things. For example, my mother that can't remember her router password knows her hexadecimal password to the IRS website by heart. My in-laws kept the letters from the IRS with the password in a well known place just to use it once a year when they need to fill their forms.
I'm not saying there's implicit trust in governments in the EU, but from the discourse on the internet, it's clear to me that most (western) european citizens trust their government more than Americans, overall.
Having been in a police station in Portugal they'd probably laugh at you for getting your wallet ripped off and run you to the airport.
And then there's the smaller towns in Germany. They don't even accept cards out there yet. Cash or fuck off.
I think this is far off the status quo across Europe.
This is absolutely right. And they are fools to do so! The government can write legislation such as the police have the right to see your id, and everyone is meant to show it! This is nothing to do with right or wrong. It can be couched as 'protecting people' whilst being tyrannical.
At least in the US they have access to weaponry to give those government officials pause for thought of they attempt to implement tyranny. Europe is already defanged though - who could fight back, even if they wanted to?
The prospect is rigid stasis - governed by an unelected elite, who have the mechanism of fine grained control over every citizen. Its neo-feudalism via technocracy.
Freedom for me and stazi for thee
It is unlikely a large faction of the military would actively become [technical] traitors and actively fight the US military. If they abstain. No big deal. Only a fraction of the military is needed. All the tech would still be available.
The military could spend some months building a TON of drones…get any Allies who are capable, to do the same. A fight of mostly drones and fortified heavier machinery vs normal Americans would be a bloodbath.
The morale of the dying people would be awful. That is a bloodbath. Not a fight against tyranny.
The 18+ cops at Uvalde were scared of one kid with a semi auto. The cops being that scared to do anything to protect the children of their own community while eating up 40% of the budget lends credence to not expecting more local authority and similar weaponized and experienced career folk to be much help. That’s if they are on the people’s side at all.
A look at the downfall of the trucker’s protests in Canada shows how quickly the cops and authorities will look out for themselves far above the cares or issues of the citizens they “serve”. The cops and enough authorities were engaging in disobedience, helping out the protestors, being kind to them. Once they were given more power and money, they went out in full force the next day and treated the protestors that were their peers the day before like leftist protestors. Brutally subduing the protest and ending it.
The same thing as what happens in the offline world when you try to open a bank account or board a plane without ID: You're refused. Like it or not, for some services you need to identify yourself.
> What happens if poverty does not allow me to carry a digital ID?
While this is an issue, the issue is with a service being available only online. That issue already exists. Most governmental stuff is obligated by law to be available offline as well, but for private companies its more difficult. E.g. If I want to open a bank account and I don't have a phone or computer, some banks already make it hard to do it in person.
> What happens if I lose my digital ID wallet or it is compromised?
The same thing as what happens in the offline world. Procedure depends on where you live. Here you have to file a record to the local police and you get a new ID card a couple of days later. Now it can probably actually be blocked and you get a new id immediately.
> Also judging by dealing with the average citizen on a daily basis, even securing an iOS device and remembering the iCloud password is beyond their level of care.
It's up to the government to educate people and make a foolproof system. That's easier said than done but a lot of countries already have digital ID systems and it's worked well for almost 2 decades now.
It is called a good market that you avoid them.
This is the proposed solution. The point is that the ID system only gives someone the information that they need. If you only want to prove something like "age > 18" then you can do that without giving up your name, address, ethnicity, etc. Every existing solution to that requires you have over more than a boolean answer that your age is above a minimum threshold.
This is effectively "attribute-based access control" (eg IAM) for the real world.
Requirement of carrying ID varies country by country
You get arrested until the police can figure out who you are, at least that's how it works presently in most of the EU.
Edit: I stand corrected, with Thales writing this article, we can expect conglomorates such as Thales or Siemens to build this as well (corporations that due to their long standing national prominence are de-facto state-entities, although not de-jure).
Let’s say, travelling to a different country without a wallet would be amazing to me.
However, many (all?) EU members already have developed their own national system. So this tries to unionize those systems so dealing with other member nations becomes easier. Today I often have to mail a bunch of documents if I want to prove my business ownership to foreign companies.
Any data that is aggregated is open to abuse by the aggregator and it will be definitely abused if the aggregator is a government body.
Even in your contrived dystopia, I'd rather have a democratic government be the Big Brother than some unelected tech CEO.
I trust the former more to have my best interests in mind.
Come again?
When somebody says "This may be controversial // Well, much better than being crushed under a rock", the latter is supposed to be rhetoric, here somebody seems to treat it like a real alternative, as if you went into the current events to avoid that!
Norway is one step closer to that:
https://www.lifeinnorway.net/norway-to-track-all-supermarket...
So why do we need this newer, more expensive, dystopian stuff made by some private company? How do I vote against this? Oh wait, it's the EU...so I can't.
I don't think so. The idea is to make the wallet offline.
> It solves a problem that does not exist,
I does exist. Automatically checking identity is hard. Some counties apparently issued certificates to their citizens and enabled them being verified by anyone, simplifying several online businesses patterns.
> will likely be mandatory at some point
More like fast lane. But eventually (30 years) probably yes.
> and is executed by a defense company.
Every country is responsible for their own part. There are going to be ETSI standards for interoperability.
The actual trouble here is that (at least in my country) the officials responsible believe that rooted phone is higher security risk than automatic updates from Chinese government.
This seems like a feature, not a bug.
The quiet explosion in CCTV cameras across Europe is far more a threat than some unique identifier.
Physical documents. This is an electronic system, with potential for issues as you (in this crowd) should suspect.
> is far more a threat
Which definitely concerns us in its own turn - who the daughter is dating will take its own slot.
The issue is not with the governmental database, taken for granted. It is with the consequences brought by the electronic system on the user side.
Some context: I'm French, I live in Belgium. I have two e-IDs cards: one french, one belgian. When I need to identify myself, depending on the government I have to deal with, I have to use either my "FranceConnect" credentials, or my Belgian e-ID card.
When using my Belgian eID, there is a government login called CSAM, but a lot of people here use a private company called "itsme" (https://www.itsme-id.com/). ItsMe does not support Linux. CSAM does, but not every service that supports or even requires eID login here supports CSAM.
FranceConnect is even more of a mess. French government has a plethora of online services, several with their own logins and not all support FranceConnect.
Making a digital wallet won't increase surveillance... surveillance is already possible on all of this, quite easily so. What it will do is greatly simplify life for people dealing with these systems; especially for expats and new arrivals into a country, who might get stuck in the loop of "You need a bank account to get your ID" "You need an ID to open a bank account"
Not to mention all the services that do their own shitty KYC and would be better served by using automated ID checking instead. Unless you think it's better and "more private" to email a photocopy of your ID and passport to somebody who will forward it three times, save it on their computer, and share it on Slack with the tech team because there's a problem with their shitty KYC system.
Sure, because a little minority of people has "the burden" of managing multiple IDs, lets tear down one firewall between citizenry and big-brother for the rest of us.
Is the brokenness the firewall?
Labeling it "broken" - we all are using the same password for every account anyways, aren't we?
From Berlin xHainers to Parissienne Bobos, from Munich Schwabing to Noord Amsterdam, there isn't a single citizen in the EU with discomfort of his vote becoming dilluted from a x-millionth to an x-hundredmillionth.
That's why Ursula von der Leyen is so popular.
Are you just unhappy the electorate is so large? What would the appropriate size be? Mayoral? Households? That'd really maximize the power of your vote.
But then, how would we organize at the level beyond that? Warring tribes? Go back to when Germany and France were constantly at war?
I don't love vdL either. I think the EU is in need of reform. But I still think it's fundamentally a good idea and I think vote dilution is just inherent to a large democracy.
I'm only surprised they haven't got rid of the ability of countries to secede the union yet. I'm guessing all these pushes for further integration are an attempt at de facto making it impossible to secede, even if not legally.
[citation needed]. Please don't just throw out wild claims without any proof. As far as I'm aware, every single element of the EU is democratically legitimized in one way or another. Do you have any evidence to the contrary?
> I'm only surprised they haven't got rid of the ability of countries to secede the union yet.
Why would they? If you don't want to be on our boat, feel free to sink on your own. We don't need the dead weight.
And that design is there to keep sovereignty of membership countries - so it is strange that you are surprised that there is still the ability of countries to secede the union. Most powerful entities in EU are national governments of countries. Who is appointing Commissioners? Member states. Similar like national governments are appointing its ministers. Then there is veto and of course, who has last word in everything? Heads of states / prime ministers.
This said, majority-rule can only increase in European mechanisms, because a continent cannot be paralized by the needs of a tiny minority on every possible choice. Does the US Senate (effectively the equivalent of EuroCouncil, with almost-equal representation for each US state) require unanimity on every choice? Obviously not, or it would never get anything done (and even like that, it struggles massively to approve anything these days).
Vote with your money, don't dictate the rest of the country with your wants.
In other words, it's antidemocratic.
Democracy is a scam, it's just an oligarchy.
The wealthiest will do media campaigns to manipulate the public into electing their people and then these people will do whatever the elite want.
That was my point above.
"Democracy is a scam" = trolling, please refer to the guidelines. https://news.ycombinator.com/newsguidelines.html
"The wealthiest will do media campaigns to manipulate the public" => that I agree with, but this is really old and has always been like that, not only in democracies. I'd even say that democracies are the places where this is happening the least, compares to state-owned news like Russia or China.
We need Swiss-style referendums-on-everything. Now it feels like oligarchy managed by lobby groups no matter what you vote for.
Ah, yes, nothing like asking 450M people for their opinion on something they know nothing about.
This is how Brexit happened, isn't it?
Obviously democracy needs educated citizens who don't take the responsibility lightly. That's why citizenship shall be a big privilege with even bigger responsibilities. We have to have a lively discussion. Otherwise it's people who cry loudest win.
I love Brexit as a democratical move. People voteds and government followed through. Now citizens will live out consequences, for better or worse. And they can make next decision accordingly. That's so much better than enlightened oligarchy guarding the masses from their own wrong feelings.
That's like raising kids. If you guard kids from their own painful decisions, they'll never learn. Eventually they'll be adults and they'll keep doing dumb decisions. You have to let them experience some pain to teach them a lesson.
It is an association of democracies, led by an undemocratic executive that is increasingly out of control. At the moment it is busily destroying its own economy in a way that is baffling to many of its citizens.
If it doesn't evolve into something more democratic it probably hasn't long to go.
The US president campaigns before a democratic election. The people know who they can choose before they vote. Same with the UK.
There is no democratic vote, with or without proxy, before the appointment of the Commission.
Why the downvote btw? This isn't reddit.
Err, yes there is. The directly-elected European Parliament first elects the President of the European Commission, and then has to vote to appoint the entire Commission.[0]
And before they do they they hold hearings with each of the different commissioner-nominees to evaluate their suitability for the role, demanding that people are replaced or given different portfolios if they are not suitable.
Nominations for the role of President must take in to account the results of the election,[0] and the European Council nominates somebody from the largest party in Parliament. I wish that Parliament had stuck to its guns in 2014/2019 and rejected the nominees that weren't spitzenkandidaten but hopefully the new proposals tabled by Parliament creating transnational lists for Parliament will change this.[1]
[0] Article 17(7) of the Treaty on European Union
[1] https://www.europarl.europa.eu/news/en/press-room/20220429IP...
Of course there is. The commission is chosen by the countries elected representatives (and confirmed by the directly elected EU Parliament)
The downvotes are justified
The chances of it happening are low, but the vote of the people might not be upheld.
At least in national elections there are parties campaigning with a platform and then I can decide which platform I like best. How often the platforms of the elected parties get translated into reality is another question, but it can at least plausibly be described as demos kratos. Maybe the EU is "democracy" in some modern sense of the word, but in the original sense of the word it is not. (I'm not even saying that's a bad thing. Maybe it is in fact better to have elites deciding.)
I fail to see how you cannot do that in European Parliament elections. If anything, EUP elections are more democratic than average, by way of using a proportional-representation system that matches voters' preferences more closely than almost any European voting system.
And if you're saying, "but it's the Commission proposing laws!", they don't pull stuff out of thin air: the Commission effectively tries to implement an agenda that European Council members agree together. And who is EuroCouncil? National governments, whom you vote for. Also, the Commission doesn't work alone - directives are effectively drafted in concert with Parliament committees, because in the end they have to be approved by such Parliament.
Greece is a democracy, the EU is a bureaucracy.
However, it's not a good situation that a private company gets such a central role. In fact, Belgian government yesterday announced they're going to make their own implementation. Surely there's already eID login, but that's too cumbersome compared to itsme because it's from the pre-smartphone days.
https://www.brusselstimes.com/belgium/246070/federal-governm...
The Belgian government already has an implementation: https://www.csam.be/en/egov-profile.html
I don't use itsme, only CSAM, because itsme does not support Linux: I can't log in with Firefox or Chrome on Linux with my eID. But CSAM is not universally supported. Example of a site that does not support it: https://www.proximus.be/ - Major ISP in Belgium)
You can login to CSAM protected websites on Linux with Firefox or Chromium and with Itsme token running on Android or iPhone.
You can also login on Linux with Firefox or Chromium and with your eID card inserted in a properly configured card reader such as ACR-38U.
P.S. If you use a JB device, you should also use Magisk and be ready to troubleshoot.
That you can’t even think of using it if, like me, you are not using a phone operator or one of the few banks which are part of the consortium.
Yes, that's what I'm talking about, although brusselstimes seems to report it weirdly (sounds like they want to extend itsme). https://www.standaard.be/cnt/dmf20220627_97617861 -> They want to replace itsme with something build by the government.
> The Belgian government already has an implementation: https://www.csam.be/en/egov-profile.html
You're confusing a couple of things here. CSAM isn't an identity provider. It's like a gateway/umbrella to multiple identity providers like eID and itsme. You can have eID authentication without CSAM and vice-versa.
It doesn't make sense to claim itsme doesn't support linux. It's only a phone app, you dont need desktop software. I can login to proximus.be using itsme on linux.
It is now handled by Digicert, a US company.
[0] https://repository.eid.belgium.be/certificates.php
https://bugzilla.mozilla.org/show_bug.cgi?id=1335253
Example for Belgium Root CA2 in [0]
Certificate: Data: Version: 3 (0x2) Serial Number: 3098404661496965511 (0x2affbe9fa2f0e987) Signature Algorithm: sha1WithRSAEncryption Issuer: C=BE, CN=Belgium Root CA2 Validity Not Before: Oct 4 10:00:00 2007 GMT Not After : Dec 15 08:00:00 2021 GMT Subject: C=BE, CN=Belgium Root CA2
The Belgium Root CA2 in Mozilla discussion is different.
Certificate: Data: Version: 3 (0x2) Serial Number: 04:00:00:00:00:01:41:a1:e1:34:ba Signature Algorithm: sha1WithRSAEncryption Issuer: O=Cybertrust, Inc, CN=Cybertrust Global Root Validity Not Before: Oct 10 11:00:00 2013 GMT Not After : May 12 22:59:00 2025 GMT Subject: C=BE, CN=Belgium Root CA2
[0] https://repository.eid.belgium.be/certificates.php?cert=Root...
Is there a Belgium Root CA in Mozilla, Windows, Android or iPhone trust stores now?
You said DigiCert owns those root CAs and I wanted more information about this.
I think you're seriously confused. It's perfectly reasonable to claim that itsme doesn't support Linux. Phone have operating systems too, you know - and some phones run a Linux userspace (e.g. the Pinephone and Purism).
"Does not support Linux" means "itsme can't run on a Linux userspace" (as opposed to a Linux kernel but Google userspace, which is what Android is).
The author explicitly says this: "I don't use itsme, only CSAM, because itsme does not support Linux: I can't log in with Firefox or Chrome on Linux with my eID."
It probably doesn't help that the CSAM term has an overlap with another english abbreviation.
That you even have to identify yourself as often as you do in the EU is a problem the EU countries created. So basically they create a problem (people needing to identify for basically everything: vaccine, going to the restaurant, going to nightclubs, maybe going to the toilet in the future, etc.) and then come up with a solution: "Look, it's going to get easier to identify yourself!" and everybody applauds.
But, wait, why do I need to be identified all the time yet?
I have no idea what you’re on and I’d love to know where I can get some.
There is no reason to believe that. You are installing a government app on a gps device with a constant internet connection. Even if it doesn't send such data initially, there is no way for a regular user to know that some forced update in the future wont introduce it. At least before they would have to go through the courts to get a warrant to get it from google or apple.
Thales on the other hand are not what I would describe as a good actor but rather one of the "usual suspects".
Also there are so many bullshitters and snake-oil merchants in this field; makes you think that most of the "security" industry is a confidence game.
Let's manage the beloved and accountable Eurocrats in Brussels our private Auth-infrastructure, because its not like this problem would be solvable otherwise:
https://news.ycombinator.com/item?id=31836922
That's the key. European politicians are accountable to European citizens. Big corporations are not. This seems a step in the right direction.
That joke made my day. I'm guessing Ursula von der Leyen is a real people's champ then.
> * Big corporations are not. This seems a step in the right direction.*
So let big corporations develop the technology? Especially those that are intertwined with the state? In otherwords, entitites where the state has created plausible deniability for itself? Great, what could go wrong?
And again, FIDO is an open standard, that by definition isn't run or dependend on the servers of "for profit private companies".
But gee, I must be total noob then. Open-Source can be bad, as can be accountability.
For the greater good I guess.
The example provided (bank account, university registration) make it clear that we're talking about authenticating against a person real, legal entity here. It's not needed in all cases, and when it's not FIDO is fine, but when it's needed in the end the root of trust in Europe is one's national state anyway.
People in Europe don't. People in the various countries do. This is just a level above, just like you don't say "oh why do we need the german government, can't the mayors do everything?".
Different levels of organization need different democratic governments. Tribalism is not the solution.
Having an executive made up of people selected by other politicians for political reasons is all very well as long as they understand that they do not have much legitimacy.
JC Junker, for all that he was a bit of an old sot, understood this very well.
Von der Leyen, either because of her immensely privileged background, or because of her inability to communicate in any diplomatic way, has revealed the undemocratic abomination at the heart of the European Project.
Her press conference with Stoltenberg (and Belgian nonentity Michel) at the outset of the Ukraine war deprived the EU of any room for manoeuvre in relations with Russia. She unilaterally committed hundreds of millions of people to a diplomatically absolutist position. Furthermore, she actively spun against attempts by Macron and Scholz to moderate that position.
The EU cannot continue like this: already I'm quite dubious as to whether it will survive the winter, with double digit inflation and mass industrial layoffs in prospect.
If Putin wants to play divide et impera with Russian fossil fuel supplies, she has certainly created the ideal conditions for him to do so.
She is corrupt (see Pfizer SMS) and unaccountable.
Are all of those undemocratic, too?
> Her press conference with Stoltenberg (and Belgian nonentity Michel) at the outset of the Ukraine war deprived the EU of any room for manoeuvre in relations with Russia.
Russia's war of aggression on our neighbor deprived us of any room for manouvre. We've seen what appeasement brings in the 30s, no need to play that game again.
The game we are playing is resulting in mass death and destruction in Ukraine, and slowly throttling the European economies. What's the point?
Perhaps if you expanded your frame of historical reference you might see more clearly.
Perhaps if you educate yourself more about the era you might see the parallels more clearly.
You say "slowly throttling the economies", I say finally giving us a reason to accelerate investment in renewables before climate change kills us all.
That's not quite correct; the PM is appointed by the Queen.
In the event of a revolt by the parliamentary party of government against their leader, then the party gets to appoint a new leader, who then becomes PM. But that choice is reserved to the MPs of the majority party - hardly democratic.
But in the general case, there's a General Election, and the leader of the winning party becomes PM.
It's designed for things like filing your taxes or applying for a passport.
Does the grocery store ask you for your passport? If not, why should the online store ask you for your online passport?
I also wonder how this will be regarded in countries like Ireland, which doesn't have a national ID card and where a recent attempt to make a similar digital ID system mandatory was ruled unlawful (PSC/MyGovID).
So the situation will be better for us than today - there will be more options providing the ID (and wallets), including highly privacy-preserving tech based on modern encryption techniques. That will make it much harder to be tracked by commercial players and much harder to be tracked legally by governments.
For the blackhat / illegal security agencies: you might make it a little harder because the US-compromised companies (FAANG + MS) aren't (always) involved.
But this suggestion ain't it. Most EU countries already have a de facto mandatory electronic ID for every resident.
What's your basis for this claim? From the declared strategy, it seems perfect for abuse as a surveillance tool.
> Most EU countries already have a de facto mandatory electronic ID for every resident.
As stated elsewhere, my country (Ireland) does not. It's attempt at a mandatory electronic ID (MyGovID/Public Services Card) was ruled as unlawful (it's still available, but cannot be required to access government services).
Strategy link: https://ec.europa.eu/info/strategy/priorities-2019-2024/euro...
however, as an EU citizen, I can see immediate advantages to a cautiously administered digital id. as it is, many states within the EU demand a national tax id on registration for services as simple as bike rental, such a digital id would presumably supersede such nonsense and help further the single market everyone is working towards.
What happens when I buy debian mobile? I presume it will not be accepted because there will be no safe app. No app, no identity? No identity means you're suddenly locked out of society.
What phone theft? Most people's phone security is almost non existent.
What about luddites who have no mobile at all?
It seems like it's 100% about control of people. And that's a privacy matter. My body, my life, my choice.
In theory, you should be able to go on using a passport for your actual needs. In practice, it is to be seen whether this initiative will cause or not cases where "options" become "constraints".
Said perspective is insanity: for those websites relevant to an anagraphic identity it would be dramatically abnormal to use any supposed private company related account. It would be sheer absurdity to suppose a "need" for accounts with private entities to log on to nominal services.
Well yes, have you seen what europol can do now? Safe and analyze data even from unsuspected people.
German:
https://www.heise.de/news/Europols-Mandat-zur-Massenueberwac...
Others are outright creepy. You can't access medecine without verifying your ID? That locks lots of people out of access to healthcare (illegals, tourists, etc). Age verification? So porn websites will store the real id of all their visitors (or alternatively a central EU age verification system will be notified every time you visit such a website)?
In France for instance it is illegal to identify people by their social security number in a system (at least it was 20 years ago). That's a safeguard to prevent it from making it too easy to correlate an identity across many systems. This ID scheme will go around that. To be honest I think that law was passed at a time where surveillance was still considered evil. I think governements of most liberal democracies today are actually entertaining stasi-style surveillance as a greater good.
I opted out of the digital functions of my ID, but I plan to have them activated, because it's better than video identification or uploading scans of my documents. That being said, I hope that only serious processes will adopt this.
For age verification requests, the service provider can set the amount of years, and the ID card will simply answer with a yes or no.
The pseudonym isn't created, but calculated from the ID's private key and the service provider's public key, so even a new card means new pseudonym, which makes it slightly less useful for login long term.
Does it not make sense that prescription medication can only be picked up by somebody who has been prescribed that medication (or somebody who has been delegated that authority by the prescribee)? As long as there's an offline mechanism available for verification I don't see the problem here.
>Age verification? So porn websites will store the real id of all their visitors (or alternatively a central EU age verification system will be notified every time you visit such a website)?
Presenting a token verifying that one is over 18 is not the same thing as presenting one's entire identity so that the service can verify one is over 18.
The way it could work is this: You try and access an age-restricted service (ARS). It returns a request for age verification including a unique ID. You then pass a hash of that request to the age verification service (AVS), and get back a token which is signed by the AVS. That token is then presented to the ARS, which validates that the signature and that the hash of their request are valid.
Boom, you have just verified that you are over 18 without leaking your identity to the ARS and without leaking the ARS's identity to the AVS.
I'm sure there could be some sort of more elaborate protocol that would preserve privacy in the case of a log breach, the one I sketched out just shows that (assuming logs remain private and there's no collusion) that the ARS doesn't need to know the user's identity and the AVS doesn't need to know the ARS's identity in order to validate the user's age.
As others have mentioned, similar stuff exist in other countries as well.
So to me, I'd rather have a single common, shared and opensource system for both Denmark, and all of EU.
Most EEA countries issue physical identity cards already, so a digital one would seem a logical step.
Not that I don't disagree with the concerns about it.
What this would add is a more comprehensive log of where proof of identity has been used. In my case, the last non-digital, non-already-trackable request to display proof of identity was last summer, when I was trying to buy a case of beer with a mask, sunglasses and a hat completely obscuring my face. Guess the police will now know I visit grocery stores.
What's more, that's already been sort of centralised, with a single identity broker latvija.lv being run by the government, that then relies on other "blessed" identity sources such as banks or digital signature providers. The logs on who requested the identity verification and who got verified are surely there. If they cut the banks out of the loop, I see that as a net positive.
As for me, I'm not overly bothered by this. I trust the government to not wilfully abuse the data far, far more than I trust any for-profit entity.
If unclear why no one in the U.S. trusts federal, state, or local governments:
* The U.S. federal government now mostly acting in service of for-profit entities, due to legalized bribery of elected officials (Citizens United) and inadequate representation (the Judiciary Act of 1869 for the Supreme Court and the Permanent Apportionment Act of 1929 for the House).
* History defeating the most powerful empire in world history, emerging as the first nation to ever overthrow a colonial oppressor.
* U.S. law enforcement officers extrajudicially killing more Americans than mass shooters in 2019 and police departments across the country taking in billions USD every year in unconstitutionally seized assets.
* More Black Americans in the "justice" system in the 2020s than were enslaved in the 1860s.
What do you mean by in the system? I would have guessed it means incarcerated, but there were around 3.9 million slaves in 1860 which is much higher than the number of people incarcerated in the US which is around 2.3 million (Federal, state, and local) of which around 1 million are black.
"More Black men are in prison or jail, on probation or parole than were enslaved in 1850, before the Civil War began"
https://www.laprogressive.com/law-and-the-justice-system/bla...
So in reality, central registry of information doesn't really protect you from anything but saves the bad actor a few phone calls. On the other hand, it saves you a lot of phone calls and office visits every time you need to deal with the government.
If Russians install a puppet regime, the existence or lack of central registry wont actually change much. It will require popular uprising to make a difference, which Europeans are actually accustomed to.
Riots and protests happen all the time everywhere and taking down the governments is a thing too. Of course it depend on the specific country but in general governments in European countries resign all the time and when the refuse to resign despite popular demand they end up removed by riots.
The idea is that there's a value in having an enterprise(the government) with centralised record keeping because they own that government and have the power to change managers on predefined reviews(elections) and they have a history of forcefully changing managers who try to stick around despite not being wanted.
What do you do when a private enterprise misbehaves? Mind you, the governmental duties are often monopolistic by nature. What do you do then? Sniper the CEO?
It's much more socially acceptable to riot against the government and burn government building than assaulting company HQ.
More importantly, we already have these registries! There's already a digital identity verification service in place that, according to our law, is sufficient to identify a person to the same degree an ID card / passport would in person. It's there, I've used it as an end-user, I've set up integrations with it for my clients. The issue is that if I want to identify myself to a German institution for whatever reason, the only way I know of involves burning a whole lot of dead dinosaur juice to get to Berlin, standing in an orderly queue for a while, and presenting my passport in person. And probably filling out couple forms along the way somewhere.
The prime difference between American/British world view and continental European one and I'm loving it.
Sure, it's very nice to think that the government doesn't track you and doesn't know where you live. Then they build these giant systems to covertly track everyone and listen to everything.
Essentially, everything that the Americans believe that the government wants to do to them is already being done - just clandestinely.
On the European approach, we assume that the government is competent enough and is ours, therefore we give them the information needed to provide services and security. If the governments misbehave we will simply burn their palaces and drag them on the streets.
IMHO, both approaches have merits and I'm happy that they exist at the same time. It kind of keeps the institutions on track as scandals happen and fixes are implemented in attempt of self preservation.
I, as a german trust Scholz only as far as i can throw him... and as i am a pencil necked hacker this isn't far
This is a digital form of all the IDs you get from the state already.
There are genuine concerns about the scale at which digital IDs can potentially be exploited and/or the scale of monitoring this can enable, but in functional societies and governments you can build laws and systems to mitigate such issues.
The alternative are low quality ad hoc systems that offer convenience, but have no incentive for privacy and/or security.
For example, consider the massive Experian hack in the US. A credit score is basically required if you want to be a functioning member of American society. And yet they barely got a slap on the wrist and continue with their pathetically poor security practices. And it's not like they (or any US entity, for that matter) will not make their data available to the government.
In fact, with a government controlled DB the voters can have far more say on what the govt can do with that data, as opposed to Apple or Google owning that data (which is what's happenign in the US with Apple providing digital ID for states, and I'm sure Google will get into that as well), which becomes their private data and as a member of society you have no say on what can be done with that.
Something the customer is (fingerprint, iris, face)
Right there, trying to normalize the idea that the government needs our fingerprints, iris etc. And that ship has sailed, lots of laws getting passed that will require this from citizens.
Source:. I have been in meetings where defence contractors discuss how to corner the customer (the government) to force them to pay for more work. Up to 300x the original contract value over 7 revisions in one case!
I wish I was a Western European manager there. Make huge wages without doing much work other than churn out PowerPoint presentations to the tech illiterate C-suite and boss around some Eastern European juniors.
In theory, it's bad for "democracy". But I'm more worried that social existence will necessitate a digital existence.
I'm connected, therefore I exist?
No way.
This system allows one to identify him/her self via, for example, a banking app.
https://www.ct.nl/nieuws/idin-identificatie/
https://www.idin.nl/
https://www.consumentenbond.nl/betaalrekening/idin
I realize now that I can only find Dutch links to this system, so I am assuming The Kingdom of the Netherlands is simply ahead of the EU crows?
If I understand correctly, this EU initiative would unify all these separate country-level identification tools into something that works EU-wide, so I can take my Danish digital ID and e.g. use it in a bank in the Netherlands.
That's unfortunately caused by the proprietary solutions chosen, BankID and similar. If Sweden and Netherlands had gone with very widely supported Smart Cards (like Finland, Estonia and Latvia), they would interoperate trivially. Especially with the advent of eIDAS.
Hopefully this legislation forces proprietary implementations to become more open.
I want society to experiment with firing all these bureaucrats. Then listen carefully at the silence. Are we missing anybody?
[0] https://feber.se/samhalle/regeringen-vill-ha-en-statlig-e-le...
The way it works in Norway is that, once you have a bank account (which means you had to identify yourself using passport or similar) you can get a BankID which allows you to log in to a lot of online services (health, tax, employment, etc) without having to do anything else.
In Finland its totally opposite. We have 10 or so banks, which all have their own authentication methods and government has outsourced authentication to banks. And every authentication costs 0,10€ (it was previously much higher amount, something like 0,70€ but it is now [since 2017] limited by law).
So, I think at least in Finland banks will be the ones who will come up with several reasons why they should not implement this new authentication method.
Phew! But it's not something you wanted, right? This is not something that helps.
It is something that helps those doing the governing though. Tracking you. Why is it planned that we all have these sorts of id/wallet/health pass/etc?
Is it possible that it will be used as in China, with good citizens (uncritical of the government) allowed access to travel, borrowing, schools, etc nevermind the loss of privacy as each purchase, movement is tracked?
To me its plainly about control. Control like we cannot even conceive of. Even if the government is not rule by the worst (and the EU is not a democracy - there's no options to get people out) the change in society will change us. If we know we are always under close scrutiny, you will change your behaviour.
After all we have seen, I hope we are in agreement that this sort of gadget should be roundly refused.
I am actually not sure if I wanted this. I think this is better than current (specifically comparing to Finnish) state, but still far from optimal (mainly based on privacy concerns).
> Is it possible that [..] is tracked?
Yes. But I have The Great Belief that EU is _still_ one of the Goods. That may or may not last.
Still, it is very easy to exaggregate this (slippery slope) and at the same time it is too easy to understate this. Probably we - as citizens - should raise loudly these concerns and if we are not heard - then roundly refuse.
Still eh? What happens when that belief has waned? The infrastructure will still be there.
Hard to predict but usually (lost) belief transforms to feelings/actions like resistance. And probably on that point there will be also others who will do the same.
Yes, government could do things which prevent me doing so. Still, I am not capable to manage everything by myself and at the same time I think it is better to let things to be managed by (good) government than corporations.
This sounds interesting. Having identification be a cost would make people think before engaging with anything that requires it, which would encourage companies to avoid. Also, if people can choose freely which banks to use, then there is also some market pressure on banks to have good privacy and security.
In many cases when it is meant to, it should not.
> whether you are a citizen opening a bank account, renting a flat or a business registering a new service.
I never had to prove my identity to rent a flat in the EU. Good people trust each other.
Why is it considered OK to take a bus or eat at a restaurant anonymously but renting an apartment or paying humble sums of money is not?
> How do you even know they are human?
You never know anymore. Give this up. Just keep in mind it may be a bot.
For how long was this rent, and WHERE? Every time I rented for living spaces, the contract had to signed, marked on every sheet that had text, and taken to a notary to be considered valid. This is because all the info is then used to calculate taxes at the end of the year.
Fortunately I'm fine in this case as the law states that you cannot be tricked into signing a contract that was never presented to you, but I think most people don't make the connection that your BankID logins are considered legit signatures by law and that you can be held accountable for what you use it for.
[0] https://feber.se/samhalle/regeringen-vill-ha-en-statlig-e-le...
It's a fantastic system, especially when I compare how it used to work when I lived in the UK with how it works in Sweden: it feels like the UK is 50 years in the past.
It should be government owned, definitely, but Sweden has a very poor history of securing it's IT systems in government. Like.. very poor.
So, maybe I'm not 100% on-board. There needs to be oversight for sure.
https://www.holmsecurity.com/resources/the-1177-leak
https://www.bitdefender.com/blog/hotforsecurity/sweden-leaks...
What does that even mean? Even in that context.
> Most users will access the EU Digital ID wallet in the form of a smartphone app.
Why the EU thinks, presumes or pretends I have a smartphone? If they want me to use a smartphone and obligate me to purchase one, then they should also provide a free or super cheap alternative phone + line contract.
Every time I read something like this it urges me to put together some ESP32 plus a Modem, write an email and chat client, and throw away my current phone. When they'll ask me about my phone, I would pull out some ugly 3d printed case.
> A key aim of any EU wallet is therefore to give EU-based businesses a strong, secure and powerful tool for authentication.
And all this should be safe until someone steals Thales encryption keys, as already happened in the past (Thales was formerly known as Gemalto).
They don't. As the site says any traditional form of ID still works. This isn't mandatory.
a good global ID system with zero knowledge is possible of course, probably even with this system, but no goverment will pass free up free control ...
Unfortunately, many people fail to see this obvoius trap.
Is this thing mandating a mobile device as a document?
The wallet holder would have control over what their wallet gives the reader access to.
I imagine a mobile app would be cheaper and simpler though.
So a proper fallback wouldn't be an USB-stick with some certificates laying around, you can instead just build the ID functionality using SIM-card applets. The keys are securely stored in hardware and you can use them on both smart and feature phones.
I'm hard pressed to view allowing people access to these kind of services over the internet as something dystopian.
Replacing this with an electronic system, where access is guaranteed via leased lines to many locations, with sloppy physical controls... and a back-end that more than likely has several holes due to misconfigurations, last-week exploits etc
This is fine.
> With the EU Digital ID wallet, the bank can request the necessary credentials from the applicant. He or she selects them, and in seconds they are verified by the bank. The process even includes an eSignature that signals the applicant’s agreement.
This seems a bit off.
As a US citizen living in Sweden, my bank also wants to know if a customer is a US citizen, because special regulations apply.
For the above scenario to work, the EU Digital ID wallet will have to store citizenship information, including potentially multiple citizenships.
Sweden recognizes the State of Palestine. Will the EU Digital ID wallet allow storing that information?
> The student can use her EU Digital ID wallet to access, for example, the diploma she gained in one country and have it accepted instantly in any other EU country.
That's ... also odd. That's not how it works now. A diploma in one country doesn't necessarily translate to something directly in another country. Quoting https://www.uhr.se/globalassets/_uhr.se/bedomning/informatio... "A recognition statement is a document that shows what your qualification corresponds to in the Swedish education system. To prepare the statement, we review your education documents."
An app storing credentials isn't enough.
> With the EU Digital ID wallet, the person can provide trusted proof of age and nothing more.
Bars and nightclubs also gather names to help spot people who have been banned, and will also share a list of banned people with other bars. They also gather this information to spot VIP customers.
They are't going to want to give it up.
In practice it will be like a a go-away-cookie-banner button. The bar's system will ask for more information, people will press the "confirm" button w/o reading, and the bar will still get demographic information. Those few who do read and say "no" will not be allowed entry.
If preventing this sort of information leak is important, then make it illegal to collect more information than is needed to verify age, or restrict what can be done with that information.
> Billions of people regularly use mobile apps, so the process will be familiar to the vast majority of citizens and businesses.
An odd statement. The population of the EU is less than 1 billion, so this refers to the world-wide population. But world-wide, billions of people don't regularly use mobile apps.
A better statement would be the number of people in the EU who regularly use mobile phones. https://newzoo.com/insights/rankings/top-countries-by-smartp... says for Italy that's about 75% penetration.
I assume that more direct comparison wasn't used to avoid talking about what to do for the people in the EU who don't have or don't want smartphones.
You can’t proof a negative (absence of US citizenship). Today, your bank will ask you to sign an affirmation whether you hold US citizenship or not. I don’t expect anything to change about this in the future, you’ll just sign it digitally. However money laundry laws do require positive identification of the customer. Today, when opening a bank account digitally, this requires a video call where I’m ask to hold my ID card to my forehead.
> That's not how it works now. A diploma in one country doesn't necessarily translate to something directly in another country.
I agree the diploma use-case is rather less useful (how often do you need to present your academic credentials to anyone?) but there’s a difference between “I hold this German degree” and “my German degree is suffice to exercise licensed profession X in Sweden”. The digital wallet would only do the former.
Where in the process would the applicant fill in the information that the bank needs, but which isn't on the wallet? I guess it's a multi-step process, where one step presents credentials and another is the form-filling, and a third is the agreement.
Another way to ask my question is, what does "time-consuming and complicated" mean? Because there will still be time-consuming and complicated step even with this wallet.
As I understand it, before these Know Your Customer rules came into place, I could have walked into a bank and open an account with simply a signature card - how do you beat that simplicity?
> licensed profession X in Sweden
The document I linked to was "to work or study in Sweden", which is the "I hold this German degree" scenario you described.
The end of the document confirms that it's not concerning the "exercise licensed profession X in Sweden" - "Some professions are regulated in Sweden. This means that a special licence or authorisation is required to work in them. Contact the authority responsible for the regulated profession – for example, the Swedish National Agency for Education for teacher certification and the Swedish National Board of Health and Welfare for a licence to practice as a doctor or nurse."
Of course that is a lot simpler but these regulations do exist for a reason. The status quo when opening a bank account online is the weird “hold your ID card to your forehead” dance. This proposal would be a clear improvement.
> The document I linked to was "to work or study in Sweden", which is the "I hold this German degree" scenario you described.
The document you linked describes a process with either 0 or very little force of law. (It might for government employment). Yes, an employer might like it when you translate your foreign credentials into the domestic Swedish system. But it’s in no way required.
It's honestly hard for me to judge. I don't know what it's like to be, say, a Swede moving to Spain and wanting to open a local bank account.
Still, the marketing scenario is that an EU citizen will be able to open a bank account "in seconds", with seemingly no consideration for how a digital wallet may be able to fulfill those existing regulations.
> But it’s in no way required.
Which means the scenario doesn't describe a big need, right?
If this were a solution to real problems, I would expect more substantial scenarios, not something that makes me doubt they've thought seriously about the problems.
I'm still curious if "citizenship" will be stored in the wallet, and who get to decide if "Palestine" is an allowed term.
First weird thing is that there’s no method to recover the key if it’s lost, besides starting from the beginning and going through the physical identity verification process again.
The other thing I noticed is that the “configurator” macOS app isn’t a sandboxed/signed app. They even have instructions on how to enable opening app from untrusted sources on their website. I feel they should bite the bullet and get a $100/yr developer account. AFAIK, all the app does is generate the certificate, transmits it to a server (to be signed by the CA after your verification happens) and generates a PIN you need to show when you are showing your physical ID. Once you are verified you enter another code that was emailed to you and it spits out your pk12 file.
Anyways, it’s come in handy so I think an EU wide standardized version could be helpful in day to day life.
EU is neither my country nor it will ever be. Therefore, no EU digital Id for me.