The rocky road to European digital identities

There was a tragic inevitability that when England lost to Italy in the Euro 2020 final, certain members of the public would look for a scapegoat. In fact, the vile racist abuse that emerged across online networks found three.

A bigoted invective was directed towards a trio of England’s black players that was both instantaneous following the team’s loss, as well as charged with a hatred that should have no place in the online or offline worlds.

That which followed in England was an effort to hold those behind the abuse accountable. Several of the perpetrators, although having adopted online pseudonyms, were tracked down. Many lost their jobs. As of early August, the police made 11 arrests for violations of section 127 of the Communications Act 2003, which outlaws sending ‘grossly offensive’ messages. 

In parallel, social media platforms embarked on their own investigations. On the day after the abuse had emerged, Twitter suspended 56 users, only for, as a report from The Guardian this week states, some of the accounts to ‘respawn’ under different monikers.

The knee-jerk reaction to the abuse led some lawmakers in the UK to rally the cause for increasing online accountability by mandating identity verification processes and scaling back pseudonymization.

In this arena, efforts in the UK had been gaining momentum before Euro 2020, particularly with regards to age verification obligations for regulated online services as part of the UK’s Online Safety Bill (Part 2, Chapter 4), as well as regulating digital identity services as part of the ‘Digital Identity and Attributed Trust Framework.’   

Moreover, a petition that had originally been launched in April garnered traction, calling for verified ID to be a requirement for opening a social media account and securing nearly 700,000 signatures. The government’s response, however, cited risks, noting how such efforts could “disproportionately impact users who rely on anonymity to protect their identity,” including “young people exploring their gender or sexual identity, whistleblowers, journalists’ sources and victims of abuse.”  

Such a reticence was matched by Twitter, who last week concluded a review of the abuse, finding that of the account suspensions, 99% were identifiable. This led the company to make the case against introducing mandatory verification protocols. “Our data suggests that ID verification would have been unlikely to prevent the abuse from happening - as the accounts we suspended themselves were not anonymous,” Twitter said

The EU’s efforts

In the EU, June this year saw the Commission propose a new framework for the establishment of so-called European Digital Identity Wallets, allowing for both public and private entities to provide verification interfaces for access to online services. 

The wallets, the Commission says, will link personal proofs of identity, such as driving licenses, diplomas, or bank accounts, to national digital identities, stored in a single application on a smartphone. Upon launching of the proposal, the EU’s Internal Market Chief, Thierry Breton, said at the time that the initiative will offer citizens the possibility for storing and using data “for all sorts of services, from checking in at the airport to renting a car.”

Breton added that many European firms, both ‘large and small’ would benefit, being able to “offer a wide range of new services since the proposal offers a solution for secure and trusted identification services.” In a recent response to a Parliamentary question, the Commission’s Breton said that the proposal does not impose any particular technology. 

Alongside June’s pitch for a Digital Identity Framework, the Commission also filed a recommendation to EU member states, calling them to collaborate on developing a toolbox for the project that would outline the technical architecture, common standards, and best practices. 

However, until now EU member states have taken a laggard approach to implementing electronic national identity schemes. Since 2018, when the EU’s eIDAS regulation entered into force, establishing rules under which electronic identities could be used in the provision of public services, only 14 EU countries have put electronic identity schemes into practice.

The Commission has since reflected that the take-up generally of electronic identity solutions is low, their use is ‘cumbersome,’ and business cases are ‘limited.’    

Finding a solution

The lack of confidence is reflected in cases whereby the digital identities may be abused for nefarious means. An example hit the press this week in the context of recent events in the Middle East, where the Taliban have regained control of Afghanistan in the aftermath of coalition forces withdrawing from the region.

One of the many disconcerting pieces of news was the fact that Taliban forces have obtained access to biometric databases and equipment previously held by the US military. The Human Rights First group claims that such data includes fingerprints and iris scans, as well as facial recognition technologies. Such data could be used to identify and subsequently persecute dissidents of the new regime. 

Moreover, data retrieved from Afghanistan’s tazkira - the national e-ID card - may lead Taliban forces to identify ethnic minorities across the country who could be critics of the new regime’s cause. Reports earlier this year stated that Afghanistan’s National Statistic and Information Authority had processed more than 5 million e-tazkira applications. 

Over recent years, there has been a market trend towards exploring identity and access management tools for the use of online services, a movement that has no doubt garnered momentum since the onset of the pandemic.

For their part, it’s a market that Big Tech have taken more and more heed of.

Apple has trialled a new initiative to expand their Wallet app by adding verified credentials including driving licenses or state IDs, while Google has also been involved in projects for digitalizing driving licenses.   

In many ways, the efforts to provide a European solution for digital identification are again an attempt to wrest back a sense of control from third-country providers, who may be able to capitalize on providing gateways for identity verification services in terms of access to data.

Recent research has shown that the identity and access management market was valued at $11.82 billion in 2019 and is projected to reach USD 29.79 billion by 2027. It is a market in which the EU recognizes its commitment in safeguarding the privacy concerns of consumers and citizens, but also in terms of fostering the development of identification tools that may help to bring both public and private services into the hands of Europeans in a trustworthy manner. 

The European Commission has earmarked October 2022 as the time by which EU nations should agree on the technical details of the European Digital Wallet, as well as the standards to be put in place to ensure that the initiative is in no way abused. 

In this context, questions remain as to how the eventual uptake of the European Digital Wallet can be fostered at a time in which the hazards of online identity tools have been brought to the fore, particularly in terms of how such verification systems could be used against the interests of consumers in the social media space, as well as the pitfalls of identification databases falling into the wrong hands, such as in Afghanistan. 

One solution that may be key in developing trusted security architectures, could be in the World Economic Forum’s pitching of blockchain tools to implement self-sovereign identity models which place control of identity data in the hands of citizens, rather than service providers, as is the case with the more prevalent centralized and federated protocols of digital identity management.    

The web economy will become less of a place of pseudonymization and anonymization over the coming years, but it is likely that there will be a clear fracture between services that require identity verification, and those in which lawmakers deem anonymity to be an essential condition to protect marginalized demographics and preserve freedom of expression.

Striking a balance here will be much easier said than done.

Featured image credit: Caroline / Unsplash

  1. Would you like to write the first comment?

    Would you like to write the first comment?

    Login to post comments
Follow the developments in the technology world. What would you like us to deliver to you?
Your subscription registration has been successfully created.