Introduction
Imagine that you have recently moved to a new area and are looking for a place to rent. You have found one which you believe is perfect. It has everything you were looking for. It is close to your work and is reasonably priced. You’re at the letting agent’s office so that the documents proving your eligibility to rent can be verified. Everything is going well until you are asked to provide a copy of your employment contract to prove your salary. Your stomach drops as you remember that you had left the printed copy of it in the printer of the friend’s house where you are currently staying. There is nothing you can do but reschedule the appointment and hope that your dream place does not get rented to someone else in the meantime.
Now, if you were living and working in the European Union (EU) within the next couple of years, this would no longer be an issue. You could breathe a sigh of relief as you use the relevant member state’s Digital Identity Wallet on your smartphone to send a verified digital copy of your employment contract to the letting agent.
What is a Digital Identity Wallet?
The EU aims to launch the European Digital Identity Wallet next year[1]. The Digital Identity Wallet will securely store personal information from government and trusted private sources regarding EU residents and citizens. This information can then be shared with businesses and organisations to help apply for universities, apply for loans, rent a car, or any other activity where one might have to verify their identity or credentials[2]. Users will be able to choose which information is stored, access the stored data, and choose who to share it with[3].
The benefits of the European Digital Identity Wallet are obvious, such as a way around the issue highlighted in the introduction of this article. However, it is worth taking the time to consider the potential risks to personal data protection that could arise from such a scheme.
Risk of Identity Theft
One of the main concerns surrounding the European Digital Identity Wallet is the risk for highly damaging instances of identity theft. Although each EU member state will have their own Digital Identity Wallet, the potential scale of personal information that can be stored on these wallets would be highly enticing to hackers.
Digital national ID cards, drivers’ licenses, or even medical prescriptions would be highly valuable to criminals. The European Digital Identity Wallet could face security risks from users’ outdated smartphones, malware unintentionally installed on users’ devices, or a coordinated cyberattack on the servers hosting the data within an EU member state’s Digital Identity Wallet programme[4]. Each EU member state will need to actively ensure that their Digital Identity Wallet programme remains secure from security threats caused by human user error. It will also need to be ensured that every EU member state’s Digital Identity Wallet programme’s digital security measures reflect the ever-changing capabilities of cyber security threats.
Moreover, the European Digital Identity Wallet could be vulnerable to smaller scale instances of identity theft than the ones described above. For example, an EU member state’s Digital Identity Wallet uses a user-made 8-digit pin code to control access. Let’s work through a scenario, whereby an individual (“Dave”) has their phone stolen which has their Digital Identity Wallet pin code stored on the notes app in case Dave forgets it. If the person who stole the phone can unlock it (if it even was locked in the first place), then Dave’s Digital Identity Wallet and all the documents stored on it are accessible to the thief. One of the ways EU member states could prevent such smaller scale instances of identity theft is through the use of biometrics to control access to users’ Digital Identity Wallet. The planned use of a fingerprint lock or facial recognition would help ensure that only the appropriate user has the capabilities to access their Digital Identity Wallet[5].
However, even the use of biometrics to control access to users’ Digital Identity Wallets is not completely secure. Someone caring for a family member could theoretically have access to their biometrics in order to access that family member’s Digital Identity Wallet and use the information inside for their own personal gain. Each EU member state will need to ensure that their legislation reflects the possibility of European Digital Identity Wallets being utilised for identity theft (both on a small and large scale).
Risks relating to GDPR
Another of the potential risks associated with the European Digital Identity Wallet is that it could result in companies not following the principle of data minimisation[6]. One of the main benefits of the European Digital Identity Wallet is that it allows for users to identify themselves easier through trusted digital identity documents. However, this ease could result in companies requesting this form of identification when it is not strictly necessary. For example, a social media company could request that European users verify their identity when signing up through their EU member state’s Digital Identity Wallet. In this instance, the sharing of personal data would not be strictly necessary as there already exists other less invasive methods to verify a requested user is not a bot – such as email verification or captcha.
Conclusion
The European Digital Identity Wallet has the strong potential to create long-term positive changes to the way European citizens, residents, and businesses operate. It can help create more secure and seamless transfers of data across EU member states’ borders for everyday interactions which require presenting identification and/or qualifications such as renting a car, applying for university, opening a bank account, and more.
However, the European Digital Identity Wallet is not without its risks to data protection and security. The scale of personal information which will be stored digitally across the EU opens up the possibility of highly damaging identity theft. Both on a national and international scale along with on a smaller individual level. Moreover, the European Digital Identity Wallet could have issues surrounding the principle of data minimisation if companies and organisations begin requesting more personal information than is necessary due to improved accessibility.
It is worth noting that the overall risk of these issues occurring is not high as the EU is one of the leaders in data protection and security on the global stage. The European Digital Identity Wallet will follow existing EU legislation, utilise robust cryptography, and follow specific requirements surrounding preventing security breaches[7]. However, the potential future success of the European Digital Identity Wallet could help lead to other countries implementing their own versions. If this happens, those countries will have to carefully consider all of the potential risks so that their citizens’ data security is not compromised in the name of technological progress.
[1] https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/identity/eidas-regulations#:~:text=By%202024%2C%20all%20EU%20member,citizens%2C%20governments%2C%20and%20enterprises.
[2] https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/european-digital-identity_en
[3] https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/identity/eidas-regulations#:~:text=By%202024%2C%20all%20EU%20member,citizens%2C%20governments%2C%20and%20enterprises.
[4] https://www.cryptomathic.com/news-events/blog/protecting-the-european-digital-identity-wallet-1
[5] https://www.raconteur.net/technology/problems-identified-for-new-eu-digital-identity-wallet/
[6] https://edri.org/our-work/orwells-wallet-european-electronic-identity-system-leads-us-straight-into-surveillance-capitalism/
[7] https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/identity/eidas-regulations#:~:text=By%202024%2C%20all%20EU%20member,citizens%2C%20governments%2C%20and%20enterprises.
