Inharmonious Compromise
Bryn Robinson-Morgan
Principal Consultant - Digital Identity: Strategy, Product Development, and Implementation
Let me start by saying that those drafting the Implementing Acts for the EU Digital Identity Wallets have done a good job with a challenging task. Creating an EU-wide Trust Network is no small feat. Having reviewed the drafts, one of my main areas of concern is the mandatory attributes within the Personal Identification Data (PID).
A requirement for the PID is that it must be unique. The problem with such a requirement is that how the Member States uniquely identify their citizens varies. This mandatory / minimum dataset was an issue in eIDAS v1 and will be an issue in eIDAS v2. In some Member States, a citizen number ensures uniqueness – however, for privacy reasons, its use is constrained by legislation. Name (Given and Family names) and date of birth alone do not provide uniqueness.
The approach taken in the draft Implementing Acts is to include other mandatory attributes, including given and family names at birth. The inclusion of these attributes will enable the uniqueness of PID requirement to be met. Unfortunately, pushing on the uniqueness lever pulls on the privacy, equity, and usability levers.
There are many reasons why a person will change their name during their lifetime, such as taking a partner’s family name in marriage. For many, having their birth names included in their PID will not be a concern.
For survivors of domestic abuse, changing one’s name can be a breakpoint from the past, whether for their own mental health or safety from their abuser. For those who have transitioned gender, taking a new name can also be an important part of their journey. A PID containing these names at birth does not afford the right to privacy and therefore cannot deliver equity for those who do not wish to have these details included for very valid reasons.
Providing validated attributes for names at birth, with strong assurance that they relate to the citizen’s current name, will be a challenge for Member States. Even for the well documented, showing the link from a current to former name often becomes more challenging over time. It is not uncommon for someone to have had many names – e.g. born, married, divorced, remarried – so the number of linking events can be extremely complicated. Even more so for people resident in a country different from their birth, and for under-documented individuals.
How citizens enrol into the ecosystem will be one of the key success factors for eIDAS v2. If obtaining a PID is too difficult, then regardless of the promised benefits of an EU-wide trust network, citizens will not engage with it through choice. Unless the mandatory attributes are present in existing identity systems, whether physical documents or digital identities, obtaining a PID to enrol in their EU Digital Identity Wallet will be a barrier to uptake.
I hope that the feedback on the draft Implementing Acts forces new thinking on this point and that a sensible solution can be found. I do have concerns that perhaps there are still fundamental flaws in the model.
Law Five of Kim Cameron’s Seven Laws of Identity states:
Pluralism of Operators and Technologies: There should be a variety of identity providers and technologies to promote competition and innovation. This will help ensure that users have choices, and that the system is resilient.
It is hard to make a case that Member States as a singular PID Issuer to a singular Wallet based on a singular technical standard meets this framework law of pluralism. The review of the draft Implementing Acts should act as a natural point of reflection. It is critical that patches aren’t being applied in the Implementing Acts to solve flaws in the Architectural Reference Framework or even in the Regulation itself.
We may be on the right path, though it’s always good to confirm the destination is where we truly wanted to go, and that our bearings are true.
About the author
Bryn has worked at the forefront of digital transformation and consumer led innovation for over 20 years. A key influencer for how people interact in the digital age, he has redefined the customer experience for trusted interactions; helping major organisations evolve their customer architectures through the use of digital identity.
Check out other articles https://www.moresburg.co.uk/articles
ED @ GAN | Digital Trust Ecosystems | entrepreneur | co-founder @TrustOverIP
1 month ago: great work Bryn
Creating Trust in a Digital World. Software for Digital Credentials, EUDI Wallets, SSI, Decentralized Identities, Verifiable Credentials, mDL. Building products in co-creation. With you?
2 months ago: Good article.
Digital Identity and Digital Transformation Consultant | Portfolio, Programme, Project and Global Delivery Management
2 months ago: Back at the beginning of the Digital Identity journey, we found that many of the technologies that made Blockchain work could be useful in the field of identity - notably cryptographic proofs. We then mistakenly thought it'd be a good idea to put identity data on the blockchain. Soon after, we figured out that there are a number of edge cases that would make this a terrible idea: gender reassignment, those in witness protection schemes and agents and spies - all of whom effectively need a new "identity" without it being obvious that this identity hadn't always existed. This retrospective identity thinking is both poorly thought through and dangerous and appears to focus more on who I was, not who I am. Some examples of defining identity uniqueness have been more successful than others, and some uphold more privacy and security than others. I agree with your statement that finding and proving ownership of historic identity data would be challenging if not impossible for some. While I have had the same name since birth, I wonder how I might feel seeing a continual reminder of a history that I might prefer to forget?
Enterprise Senior Account Director | Leadership Team at Women in Identity | Business Life Coach
2 months ago: You raise a valid concern regarding the proposed mandatory attributes for Personal Identification Data. Requiring attributes like birth names does pose challenges to privacy, equity, and usability, particularly for individuals who have changed their names due to personal circumstances (e.g., gender transition, marital status, protection from abuse). Interesting read!
PKI & Cryptography Expert | PKI Implementation | Digital Signature Specialist | Common Criteria Consultant | eIDAS | HSM | Developer | Consultant
2 months ago: The EU's proposed mandatory attributes for PIDs in Digital Identity Wallets raise valid concerns about privacy and inclusivity, particularly for individuals who have changed their names. Exploring alternative methods to ensure PID uniqueness is crucial to maintaining trust and equity within the EU's digital trust network. Reassessing this approach could help align with the broader goals of privacy and user-centric design.