European digital identity: creating it is more complicated than expected

European digital identity: creating it is more complicated than expected

European digital identity

Inventing a common digital identity system in Europe is more complicated than expected. On paper, the idea is simple. In a few years (the goal is 2025) every citizen of the 27 states of the Union will have an app on which they can upload their documents: identity card, driving licence, health card, but also cadastral documents of the house or educational qualifications. When he has to prove his identity in some form, instead of providing the single document, he takes out the European app. And only the bare essentials for the request. Want to know if I'm of age? Here is the age. Need to check if my driving license is valid? Here the expiration date.

A mechanism similar to that of the green pass, which was an unexpected test bed for Brussels for a larger project that has been cultivated for some time. And which the Commission now wants to put into practice, developing the first use cases as early as 2023. But, as we said, creating this common digital identity has generated various complications. Political, technical, commercial. So much so that an operator in the payments sector in an internal document consulted by , judged the roadmap of the Commission "ambitious".

The hubs of the project:

Procurement The five consortia The battle over standards The tug of war of the industry The Spid case The giants of the web The hidden battles behind the European digital identity system Standards to be defined. Firms vying to secure contracts for apps and services. States divided over security schemes. The European Parliament's barricades on online privacy. The construction of a community digital identity triggers clashes and divisions. The investigation

The tenders

Not that Brussels hasn't made an effort. On the contrary. He cares too much about digital identity. So much so that it awarded the contracts in time to develop the digital identity app and to test it in some use cases: with a driving licence, health documents and educational qualifications. The first tender is worth 26 million euros and concerns the actual creation of the app, the so-called digital identity wallet (which each country will then be able to adapt, as for green pass apps). Brussels has chosen a consortium made up of two IT companies: NetCompany-Intrasoft, a subsidiary of the Danish Intrasoft, with a turnover of 3.6 billion euros in 2021, and the Swedish Scytáles.

The second, which is giving away 37 million, covers the applications of the common digital identity system. There are five consortia in the race (and not four, as initially reconstructed in the absence of transparent information from Brussels on the participants). And on December 14, each received the green light for the offer and a cut of the contract, as confirmed by a European Commission source involved in the project, who requested anonymity in order to contribute to this article, and some notes from the consortia themselves. Everyone is happy, therefore.

The European states want to put all the faces of those who have a driving license in a maxi-facial recognition system The proposal is in the revision of the EU Council of Prüm II, which regulates the exchange of information among the Union police. The French presidency also pushes for mass research on DNA data

The five consortia

The first winner is Potential . It includes 148 members from 20 EU countries, including Austria, Greece and Spain. France and Germany are at the helm. For Italy there are, among others, the Department for Digital Transformation and the Namirial group. It has 60 million euros in cash, which from next year it will invest in applications of digital identity in the banking and healthcare fields, from telecommunications to transport. Potential expects to deliver its bouquet of services by April 2025. 

Italy is also among the six countries behind Nobid, a Nordic-based consortium (also including Iceland, Norway, Latvia, Denmark and Germany) with focus on payments. Representing Italy are Intesa Sanpaolo, PagoPa, the company owned by the Ministry of Economy and Finance (MEF) which is in charge of developing digital services for public bodies, and Abilab, the tech arm of the Italian Banking Association. Also involved are Poste Italiane, the Istituto Poligrafico and Zecca dello Stato, the software house Intesi group and Infocert, a galaxy of the Tinexta group that deals with electronic invoicing, certified electronic mail and digital identity.

Infocert, Intesi , eWitness (which deals with giving legal value to digital transactions) and Infocamere, a company representing the Chambers of Commerce, are members of the European digital wallet consortium, which also includes some non-EU countries, such as Switzerland, Ukraine, Norway and the United Kingdom . Infocert is also inside Trace4Eu . Finally, there is Digital credential 4 Europe (in which Italy is present), which covers the education, training and social security sectors.

The battle for privacy in the heart of Europe The European Guarantor for data protection appeals against Europol's new regulation, which gives the police agency broad powers over the use of information. A slap in the face of the Council and the European Parliament and a question: does the block of 27 still want to be the champion of privacy?

The battle over standards

From an industrial point of view, on balance, we can start. What is missing, however, are the technical and political agreements. Let's start from the first. The consortium that has won the development of the wallet must be based on a common framework of rules ( Architecture and reference framework , arf). Entrusted to a committee of experts, it is still being written. One of the latest versions of the text, which has been able to view, is harassed by criticisms from sector operators. Too optimistic times, unclear deadlines and missing pieces.

Standards are missing, for example. Europe has mainly chosen the path of the Mobile driving license (Mdl), which also works offline, thus ensuring greater flexibility if there was no field, but, for example, does not allow the creation of anonymous credentials. However, it has not closed the doors to the other candidate, the World wide web consortium (W3C) standard led by sir Tim Berners-Lee , which works on "anonymous" and multiple credentials and not on a unique identifier that could allow the tracking of the citizen. But if and when the W3C standard will be able to enter the community wallet, this practice is currently postponed to a future update of the agreement, with no precise times or deadlines.

The Internet must be at the service of the "public good" : Tim Berners-Lee's manifesto

The tug of war of the industry

Operators are worried, as emerges from the documents seen by . For the Norwegian identity provider Signicat and the German Spherity, which works with Ethereum, the risk is that the revision of the European identity regulation, Eidas 2.0, will give more power to states to decide how to develop these systems. And in the absence of shared standards already now, those who are investing in specific technologies or innovations could find themselves betting on the wrong horse because the chancelleries, in the meantime, decide to go in a completely different direction.

Spherity suggests letting the Commission know “ that this continued uncertainty is really a big problem for the commercial sector and for Europe's digital competitiveness ”. According to Visa experts, this negotiation is taking longer than expected. Result? “ This will realistically take longer than the 12 months ” foreseen by Brussels. And again according to observers of the payments giant, the Commission "may be reluctant to periodically update" its standards, thus risking cutting off the wallet and its citizens from the latest technological advances.

Notifications such as registered letters and automatic bonuses: PagoPa's construction site for new digital public services The test of the digital notification platform to integrate pec and registered letters is underway. At the end of the year, an automatic refund system for purchases supported by bonuses. Number one Virgone talks about the projects for the Io and PagoPa app in the coming months

The Spid case

And for Italy there is one more problem. Because the European Council, where the States sit, has expressed itself on the common digital identity system. Which in recent days have given the green light to their position on the wallet. And among the various decisions they have defined the levels of assurance that the identity system will have to have. The choice fell on the high level (the highest of three), which is, to be clear, the identity card, also electronic: issued in presence and cryptographic chip on the card. Which cuts out the Italian public digital identity system (Spid), judged to be of a substantial level. One step below.

“ Italy has not taken sides in the Council and so we risk throwing overboard the things done with Spid, the most widespread digital identity program in Europe - Carmine Auletta tells , head of innovation and strategy at Infocert -. If the Council line passes, 33 million Spid identities will not be able to be useful to the European wallet ”.

Many countries have suggested to the Council not to agree on the maximum level, but to stick to the substantive one. “ Sweden, Poland, Denmark and Belgium were for a substantial level,” says Auletta. But the request was not listened to. Pushing for the high level is Germany, which has invested in the electronic identity card, assigned to all citizens. “ But between January and February 2022, Germany made half a million transactions with its card - attacks Auletta, based on data from the German federal government - while in Italy with Spid we are at 23.6 million in the last week of November alone ” . Officials of the Digital Italy Agency (Agid) said in Auletta that they had not defended Spid as they would not have been able to negotiate a common position with other states of the Union.

The fact remains that against this vote Assocertificatori, the association of trust service providers of which Auletta is president, and the Cloud signature consortium, an international association whose founders include Infocert, intend to move now that the ball passes to the European Parliament, which should express itself on the issue in February to close the trilogue negotiations with the Council and the Commission.

According to a source from the Commission's Directorate-General for Connect, who requested anonymity to contribute to this article, Spid's would however be a false problem, because the Council has left open the possibility of making the recognition from remote (and not in person) for those who have this type of digital identity to move up a level. A trick that would allow Spid to be saved, equipping virtual branches for the conversion of the identity from substantial to high.

WiredLeaks, how to send us an anonymous report Do you have information on projects, rules and contracts of the European Commission, the European Parliament and the Council that you want to report to us in a secure way? Use WiredLeaks

The giants of the web

As long as it is the Council's line that wins. Which also went sideways to web platforms. The text contemplates minimum levels of security and interoperability between the certificates issued by online managers and the European wallet. According to Mozilla, the foundation behind Firefox, this would undermine online security, garnering the support of Google and Apple. The Electronic Frontier Foundation (EFF), a digital rights foundation, has accused the Council of wanting to force platforms to recognize and accept certificates issued by European states for online identification, even if they deem them unsafe and potentially harmful to its users.

An accusation that Brussels sends back to the sender. No one wants to let go. For states it is a matter of security, sovereignty and data control. While billions dance for companies. Brussels has estimated that the benefits range between 3.9 and 9.6 billion between savings and added value. With an adoption of 67%, already 500 million investments could multiply in economic opportunities by 1.2 billion in ten years, with new jobs between 5 thousand and 27 thousand units.

“ At the European level, the digital identity systems which in recent years were going through a phase of rapid development have continued the path of consolidation and diffusion among users and companies, even if the growth rate is progressively slowing down”, is the conclusion of an analysis by the observatory on digital identity of the School of management of the Politecnico di Milano. Faced with this slowdown, the idea of ​​the wallet makes its way. But it will be an uphill battle.

Powered by Blogger.