EU Digital Identity Regulation (eIDAS): Pirates don’t support blank cheque for surveillance of citizens online!

The EU Parliament and EU Council yesterday struck a political deal on the reform of the EU Digital Identity Regulation (eIDAS 2). A new digital identity wallet app is to allow EU citizens to access public and private digital services such as Facebook or Google, and pay online. The deal was made even though more than 500 scientists and numerous NGOs in an open letter „strongly warn against the currently proposed trilogue agreement, as it fails to properly respect the right to privacy of citizens and secure online communications“ – criticism which the Pirate Party Members of the European Parliament underline.

“This regulation is a blank cheque for surveillance of citizens online, endangering our privacy and security online”, comments Pirate Party lawmaker Patrick Breyer. “Browser security is being undermined, and overidentification will gradually erode our right to use digital services anonymously. Mark Zuckerberg should have no right to see our ID! Entrusting our digital lives to the government instead of Facebook and Google is jumping out of the frying pan and into the fire. This deal sacrifices essential requirements the European Parliament had put forward to make the eID app privacy-friendly and secure. The EU misses the opportunity to establish a trustworthy framework for modernization and digitization. We will watch the implementation very closely.”

Pirates Mikulas Peksa and Patrick Breyer worked until the last minute to try and fix at least some of the numerous risks of the EU digital identity scheme. In a major victory, Member States will not be obliged to assign a single unique ID number to every citizen. Signing up for the eID app will be voluntary, and it will remain possible to access public and private services by other existing identification and authentication means. The app client will be open source.

Overall though the scheme remains a blank cheque for surveillance of citizens online: As hundreds of scientists publicly warn and contrary to what the EU claims, web browser manufacturers could be forced to expose our securely encrypted Internet use (including intimate and sensitive activities) to government surveillance. This is an unacceptable attack on secure encryption. The eID apps can also be used to monitor our digital lives because there is no requirement of unobservability. The content of our eID wallets (potentially bringing together personal banking data, medical prescriptions and criminal records) could be monitored via central databases because we have no right to store documents exclusively on our personal devices.

The lure of conveniently signing in to private digital services using a single official eID app is a trap. Overidentification will gradually erode our right to use digital services anonymously which currently keeps us safe from criminal activity, unauthorised disclosure, identity theft, stalking and other forms of abuse of personal data. The eID app will not allow for multiple, truly separate user profiles which vulnerable persons rely on.

The server-side code of the eID wallet will not have to be open source, meaning the public cannot know what the code actually does and if it is safe.

In view of all this, the new EU eID app will not be trustworthy and will fail to sufficiently encourage the development of digital and eGovernment services in Europe – much to the Pirates regret.

See also the assessment of the deal published by NGO epicenter.works