To everyone from the previous discussion who was absolutely certain everything is agreed and set in stone: that's not how the EU works. There have been multiple changes since Mozilla's public letter, and there is still at least one trilogues meeting and then the council and parliament votes, so things can still evolve.
That being said, the law is pretty good and will be a net benefit even in it's current state. The Wallet being opt in, without any discrimination possible based on it, the obvious downsides in the lack of strict controls on how user history is handled by member states (unobservability was never on the cards), and also an European appeals process if the local authority is slacking off (cough Ireland cough).
I'm looking forward to having secure reliable EU wide electronic ID. I'm sick of having to upload or send by email/old mail random scans to prove identity, or to have to pay to a cartel of private electronic signature providers. A 21st century solution is well appreciated.
I use the digital ID systems of 3 different countries quite frequently and only 1 out of 3 is currently working properly.
The Australian one is bad, the French one is not that great. The one is Sweden actually works flawlessly most of the time.
Most importantly, Who will build this wallet? I am sure it will be a big bloated corporation that will be chosen not because they are the best or because they work is of good quality.
We can expect the project going over budget many times and continuous delays and a cool 90's retro feel.
I am afraid that it will be so bad that this thing will be dead in the water.
Not too mention that it will probably take 5 years before we see a prototype...
Bank ID (the Swedish e-identity provider the user I'm replying to is talking about) is one of the primary inspirations for eIDAS from what I understand, but there are several improvements in the eIDAS text as it stands right now, primarily zero-knowledge proofing.
I don't share your pessimism about the development time-frame for this, we already have 2 good more-or-less compatible wallets on the market in Sweden, Bank ID and Freja, if the companies behind those want to they could probably compete for becoming the standard implementation in many markets, meaning very little time before it's operational.
These are all very good reasons, and I also welcome them. I'd like to also submit my education records and whatnot when applying for a job in Europe, and so forth and so on. That said, I have a million reasons about the downsides. Among these is private sector; here, I have little trust that they won't do all they can to abuse the system. Another fundamental issue is the reliance on consent; the majority of people have no understanding whatsoever about what happens or will happen once their consents have been given.
I think it would be pretty obvious what happens if you get asked "Do you want to share your name, date of birth, email with XYX Private Company". And we still have GDPR, so abusive data collection can be punished, and revocation of consent afterwards is still possible.
> The final twist of this story is that only days before the final deal the negotiators agreed to a change in the text that ensures browsers’ freedom to protect domain authentication and the encryption of web traffic in a manner and with the technology they consider most appropriate. In practice, this means browsers will have a way to resist QWACs undermining encryption, by separating them from TLS.
Its remarkable that citizens from mostly the US and UK think this is horrible, while most citizens from western Europe actually already deal with these systems on a national level - so it isn't anything new.
Similar to how bank transactions have been instant in Europe for more than two decades, but are still a novelty in the US. Or pre-filled tax forms.
This regulation should be seen in the context of the pre-existing systems which it builds on, towards a common European standard. An obvious criticism is that this centralizes power, but that is fundamentally rooted in the assumption that the EU is similar to the US: It's not.
In the EU the component States are very influential, they have formal or 'soft' veto's on practical all matters. There are no EU presential elections. The EU 'government' is run by appointees nominated by the States. Its much more like the US Confederacy. (pre- federation, long before civil war, not that confederacy)
> Similar to how bank transactions have been instant in Europe for more than two decades, but are still a novelty in the US.
As the other commenter says, "Europe" is not a uniform entity. You may be thinking of some component of "Europe" where this may have been true for two decades. Wonder where that is.
In my experience, in the French component, this has absolutely not been the case. Only recently have "immediate" transfers become free at my bank, and they've only been available at all for a few years. Certainly less than 10 years.
And they're also not actually instant. I'm a freelance, and my professional account is at the same bank, same branch, as my personal account. The "instant" transfer is only credited the next day, even though it shows up quickly in pending transactions.
And this isn't some dingy "mom & pop" operation, it's the biggest bank in Europe (which may or may not help with these issues).
> This regulation should be seen in the context of the pre-existing systems which it builds on, towards a common European standard. An obvious criticism is that this centralizes power, but that is fundamentally rooted in the assumption that the EU is similar to the US: It's not.
> In the EU the component States are very influential, they have formal or 'soft' veto's on practical all matters. There are no EU presential elections. The EU 'government' is run by appointees nominated by the States. Its much more like the US Confederacy.
I'm not familiar with US' workings or its history so can't comment on how close the EU is to it. But, at least in France, people do take issue with the centralization of power. "It's not the US" is actually an argument against centralization (again, not sure how correct this is).
> Similar to how bank transactions have been instant in Europe for more than two decades
Please elaborate. Are you talking about some country-specific schemes? Cause I’m not aware of any EU-wide instant payment scheme that has existed for 20 years. AFAIK Instant SEPA Credit Transfers are still a relative novelty. My bank charges extra for them and there’s a cap of several thousand euros on the transfer amount.
In the Netherlands, instant transfers have been possible for at least 5 years. I think also in Belgium.
This is indeed being rolled out to the whole EU.
How this technically works under the hood is less about any technical implementation and more about banks having agreements with each other. That said, it's amazing how fast you get used to instant bank transfers.
Instant transfers are the default method and there is no charge in Slovakia. But if it’s over few hundred Euro then it will usually downgrade to regular SEPA (usually next day).
In Italy we have already digital IDs through SPID[1] which is most likely going to be phased into eIDAS and it works a similar way (though way less standardized), government websites can integrate it willy-nilly while private companies have to undergo quite a rough approval process to make sure they absolutely need that information.
Given the amount of already digital tech in our gov (we also have "legal mail" via PEC[2] and a bunch others minor standards) I think it would be insane if EU just went "nice work you have there, now scrap it all and use ours instead", so I see why component states still have so much authority (even if it means some will not have a good time).
With so much talk about eIDAS see actually a different trend.
For many years, we had Belgium Root CA in browsers but they have been replaced by Digicert certificates, effectively giving the US power over the encryption for all Belgian government services and more.
That really isn't how this works. DigiCert don't have any 'power' as you suggest - the .be government are free to choose any CA they wish from those who are globally trusted. These are for serverAuth certificates, too, so no-one is talking about internal/top-secret/sensitive intra-government communications.
Even if you were paranoid enough to think a US company like DigiCert would 'do anything' - their issuance is subject to public scrutiny (something the EU proposal doesn't like) and malfeasance has very real consequences to the whole of Digicert's business.
Before the change, the Belgian government did not have to choose any CA from "globally trusted". They were one of the globally trusted CAs.
I think the eIDAS is trying to revert the trend and put Europeans back in charge of their CAs. See for instance the eSignature Trusted Lists like this one [1]
I understand and support the intention. European Commission is just too bad at implementing it.
DigiCert's HQ is a 10 minute drive away from the NSA's Utah Data Center. I don't think you you need to be particularly paranoid to think there might be foul play there.
> The Wallet will have a full transaction history of every request for information the user ever received […]
This sounds good because it allows you to audit who received your personal information, but it also provides a nice breadcrumb that allows attackers to figure out your behavioral patterns. I wish it became more common for information to self-destruct, we don't need logs of everything forever.
I’ve been using one of these id wallets since a few years (itsme) and it’s been a huge quality of life improvement. I don’t have to create accounts, passwords, etc; I just login to the websites, it’s like a global single sign on.
While the fact that it’s done under my verified real name and address could be a privacy issue in some cases, it’s also a big security improvement for all the cases where the third party need that info anyway.
> it’s also a big security improvement for all the cases where the third party need that info anyway
Security there (in the cases I am guessing) is determined not by Alice being able to prove that she is Alice, but by Trudy not having secondary ways allowing her to claim that she is Alice.
So, it would be «a big security improvement» only when login were restricted to needing a certificate.
See, a noteworthy news in the Epicenter.Works' take was that Big Tech is also required to implement the thing. They do not "need" to know anything, but I am sure they're quite trilled about this requirement.
It is illegal in the EU to ask for unnecessary personal information and the wallet app can authenticate you without giving your name and address. So I don’t think it’s as bad as it’s made out to be
> every web browser in the world will be forced to trust the root certificates from all European Trust Service Providers
What I could never understand is why limiting the scope of root certificates is not a standard feature? Why cannot I set a whitelist of domains for the specific root certificate and expect the connection to fail when this root is used for anything else?
Not really. That's still something the owner of the domain has to do. What I'm talking about is a setting in the browser that lets me as a user decide what root certificates I want to trust and for what. Why can't I do that?
> The final text of the eIDAS regulation counters this with a right to pseudonymity[: i]t allows users to use a pseudonym generated by the Wallet and that is only stored locally
In which scenarios could it happen that for pseudonymity, for the purpose of anonymity, one should resort to a pseudo-identity generated by the certificate for the actual identity?
Has there been any talk about implementation details? What protocols and standards will be used? I know there are quite a few competing standards being worked on in this space (example OIDC's verifiable credentials), but I haven't seen any mention on what (if any) the EU will standardize on?
> the “Architecture Reference Framework” (ARF) … couldn’t be further away from the democratically agreed legal text: Almost all the safeguards in the legislation that we explained here are missing in the ARF. Without a lot of work, either the timeline will not hold or the Wallet will be met with mistrust because it’s in breach of the law.
The Trilogue happens today, and this is pretty much going under the radar in mainstream media, so it is very very likely Article 45 comes to be approved as soon as this afternoon :(
overall it's a huge win. In Germany we effectively already have an eID system as an extension of your national ID and you could use it to for example trivially get covid relief funds as student or you can use it to age verify when buying say, booze on Amazon.
The status quo of typing your personal information into random websites only to find them on haveibeenwpnd a few months later rather than having a proper API between your identity and private services is just awful.
Yeah but it is quite frustrating that member states lobbied against having the backend services open to public review.
I can only hope that states will not make such wallet login mandatory. My family moved to the EU from India to get away from Aadhar, only for this to happen -.-
At least the unique identifier thing didn't happen, for now ..
> In response to the revelations of government mass surveillance by Edward Snowden, the share of encrypted web traffic jumped from less than half to 95%.
Seriously?
In last 10 years situation with government mass surveillance become much worse. Now majority of web runs on public cloud and "encrypted" by CloudFlare MiTM engine. These are literally centralised mass surveillance platforms.
> Now majority of web runs on public cloud and "encrypted" by CloudFlare MiTM engine. These are literally centralised mass surveillance platforms.
If you can prove any of the big public clouds are breaking TLS for surveillance purposes, they'll be dead within months. Now is your chance, short them and expose them (or you can even combine with professionals, like Hindenburg Research).
It's about having to extend trust past your comfort zone. Would you be fine with total strangers having your address and your house keys, and a pinky swear to never use them, or would you rather them not have your keys in the first place?
Nothing wrong with TLS. It's just funny how author suggests that someone actually cared about Snowden revelations.
It's like "We were worried about mass surveillance after Snowden so decided to host everything directly on FBI servers" because CloudFlare is exactly this.
> a Frankenstein bill more than 200 pages long, combining the choicest parts of a stack of cannibalized privacy bills that rarely made it past committee. The patchwork effect helps form a comprehensive package, targeting various surveillance loopholes and tricks at all levels of government—from executive orders signed by the president, to contracts secured between obscure security firms and single-deputy police departments in rural areas ... The GSRA is a Christmas list for privacy hawks and a nightmare for authorities who rely on secrecy and circumventing judicial review to gather data on Americans without their knowledge or consent.
It's also a bit simplistic to say that Snowden is the reason for prevalent HTTPS.
The share of encrypted web traffic rose after Firesheep, HTTPS Everywhere, the Snowden revelations, LetsEncrypt, HSTS and opportunistic encryption. There's been a concerted effort over the past 13 years to make it easier to deploy and use HTTPS for clients and servers.
That being said, the law is pretty good and will be a net benefit even in it's current state. The Wallet being opt in, without any discrimination possible based on it, the obvious downsides in the lack of strict controls on how user history is handled by member states (unobservability was never on the cards), and also an European appeals process if the local authority is slacking off (cough Ireland cough).
I'm looking forward to having secure reliable EU wide electronic ID. I'm sick of having to upload or send by email/old mail random scans to prove identity, or to have to pay to a cartel of private electronic signature providers. A 21st century solution is well appreciated.