Event Recording

The New Digital Identity Wallet for all Europeans: Latest Amendments

An impactful 73-page proposal for amending the 2014 eIDAS regulation was made in June last year, among other things providing EU-wide wallets for national eIDs. Market consultations and impact assessments were concluded in early 2022, and the European Parliament discussed the proposal with experts answering the questions parliamentarians had, not without stirring up quite some dust.

The EU Digital ID Proposal is powerful, as it is creating a Pan-European wallet for all member states, trying to stay in line with all existing ID initiatives and legislation. Drs. Jacoba Sieders will give you insight into how she foresees the impact of this EU initiative on businesses across Europe as well as globally.

It's very nice that you're all still here after a long day. It's nice weather outside. Thank you for listening. I'm going to give you something about the digital identity quest of the European Union, and it's called your new wallet. And we all hope that by 2030, every European, if you are a European, will have this bright and shiny, beautiful identity wallet, full of diamonds and with the consent of the European Union on it, as you can see in the picture, and I'm going to explain to you what it is and why we call it the digital identity quest. Well, that's an easy one. Digital identity is difficult if you want to do it right. That's a quest. Okay. Why did the EU start with this whole digital identity quest? Well, that's very obvious: all natural persons in the European Union and legal persons should seamlessly interact with each other.
And what do you need for that? A very good working identity scheme that is without any friction, and that is very trusted and very secure. And that would be really key to the proper functioning of the European single digital market. That world has been going around for a long time. And a lot of policy making has been done, a lot of projects and large-scale pilots. And it's really not so easy to get this ready, but the EU was trying really hard. And this is the journey on what they all did. The first one was STORK. And you think, what does a stork have to do with digital identity? Well, maybe because identities are being born and storks are helping with new identities, I don't know. But anyway, the name STORK is the acronym, but not a real acronym, from Secure Identity Across Borders Linked.
And that's pretty well describing what the whole entire endeavor was about. Again, digital seamless authentication of individuals and identification across all member states of the EU. Now, all member states of the EU didn't take part; only 15 were helping and discussing and taking part in the consortium to manage all this. 29 government bodies were taking part. So not successful, because we have 28 member states. So there was STORK 2.0, and again, a number of participants, a lot more, and a lot more member states, but still no real legislation. It didn't fly. The stork remained where it was. And when I was finding more information about STORK, that was really interesting. I was led to the Wayback Machine. And does anyone know what the Wayback Machine is? Yes. It's the Internet Archive, where all dying and dead websites go. And that's where I found the information on the STORK website.
So it does tell you something about the success of STORK, but lo and behold, 2015, we are going on. We give the animal a new name and it's called eIDAS, electronic identification and all identification services, eIDAS. And you all know it, it has been mentioned a few times today. So the eIDAS regulation has become eIDAS 1.0, because today we have the 2.0. That means that you have to mention the first one by its previous name, the 1.0. Okay. And all government institutions were entitled to take part in that in 2018, this legislation, I studied it thoroughly. It's 80 pages. There's a lot of definitions in it, and a lot of information about technicalities and about all the services. In 2018, it came into force. And at that time there were serious problems with GDPR, that had opposing requirements.
These legislations were not at all harmonized. They didn't talk too much to each other. And well, all 28 member states could take part, but only 14 got it this far that their ecosystem of national identity was taking part in this identity scheme. And so, no, it was not completely as they wanted it. A bit better than STORK, because it is really legislation in force, and a lot of mistakes in STORK were made better. But then something else happened, and this was not coming from the identity era, but really from the blockchain era. We had blockchain. So the European Union built a playground blockchain called eSSIF-Lab. And they had numerous use cases that you can use this blockchain for. And you could use it for self-sovereign identity with help of a blockchain. You can do self-sovereign identity without a blockchain, but this was about the blockchain, and what can you do with it? It was not about identity and how can you do it? But I will bring it up in a slide, what exactly was helping. Anyway, it was about digital identity, self-sovereign, with help of the blockchain. And that made the playground ready for the eIDAS regulation number 2.0, the successor of eIDAS 1.0. And that would be SSI-enabled European interactive, seamless authentication for citizens and legal persons across all member states, by help of digital identity wallets with diamonds on them.
Okay. Now, what was this regulation? The first one about it was in force in 2018, the definition of the services, what type of things do you need to do with that identity? Like digital qualified seals, time stamps, signatures, and of course, identification and authentication, just easy identity stuff. There was also an oversight framework. When you do identity, you need three things. You need a technology in the operations, you need policies and someone to prescribe how to do it, and you need someone to police that, that everyone is doing it in the right way. So these are all described in this legislation, and now three trust levels: low, substantial, and high. Okay. How to define it, that's another story. You can't be technical in legislation. You can't prescribe tech. You can just say it should be secure, but how to measure security, another problem. And every member state that thought I'm ready.
My digital identity of my nation is ready to take part in the European ecosystem across all the member states, to be trusted in all the countries that have also notified, they would notify. They would get a review from other countries, peer review, as we call it, and then they could take part and they would be an identity federation with the member states that would be notified. Now, what was the problem? Yeah, again, it wasn't taken up EU-wide. It was mainly the public domain, government. It was only 14 countries notified, and only seven of all those schemes were fully mobile. Well, in 2018, we've all been working with mobiles every day. There was nothing new at that time. I know that in banking, 99% of all the transactions are done on mobile devices. So yeah, mobile is a must, I think. And cross-border use was not very high.
Domestically, the identities would be used, but not across borders: too rigid, complex onboarding for all the parties that wanted to take part. So off we go to the next level, the European self-sovereign identity, blockchain CE based self-sovereign identity. And this was a good thing for the EU, to play with self-sovereign identity and different ways of doing identity, with not just federated identity, but really user-centric self-sovereign. I'm not going to explain what self-sovereign identity is, I suppose you all know by the time. And they had a lot of money for that. So on this blockchain EP C that was there to use, they invited a lot of innovators. Anyone who thinks they can do something good on use cases of digital identity, new use cases in health, dims, transport, driving license, whatever, really business use cases, or improving the infrastructure that is needed for SSI, because you get the same classic identity problems that you have in classic IAM.
You have to do the delegation, authorization delegation. Well, there's a lot of stuff that is not directly in the self-sovereign wallet, but that has to be all the things around that you need, the attribute registries and so on. So 40 parties, 54 parties were applying for this money, these grants from the EU, in the last two years. And there were five or six rounds, and the 10 were chosen to be working and helping to build identity on this FC infrastructure, 69 were doing it on the infrastructure improvements, really technical stuff. And one of the requirements to be selected for a grant was that it should be open source and transparent, and a main topic that there was a lot of focus on was standardizing interoperability, not creating new silos, but making the world more interoperable and also improving these standards.
So this has done a lot for the understanding of all the policy makers who could play on this EY stuff and who could look at this to reset the minds from the old federative model that was too heavy, and the STORK and the dying other stuff. So in a way, this was a big push for a new way of looking at identity on a European legislative level. Now, so I have here the proposal for a regulation of the European Parliament and of the Council, blah blah, amending the regulation eIDAS number one, it's actually number 910, 910/2014. This is the way they name the legislation. You can all find it on your it's website. You can find any European legislation in your own language, all European languages, in PDF. eIDAS 1.0 was public only. And the second one is public and private; not just relying parties could be private, but also providers of the wallets could be private parties, but it should be with consent and mandate of the member state.
The coverage would also be better, because 59% versus 80% of Europeans in 2030. And it was not just a federative model, but a decentralized identity model. Notification of member states with a member state national identity scheme versus notification of the wallets. So guess what? Every country could have numerous wallets for numerous different use cases. So there will be a lot more to notify and to certify than just the legal or the national identity scheme of a country with peer reviews. So not peer reviews by other countries, but certification through assigned bodies who are really assigned to really check all these wallets. And that's a lot more work and a lot more complex. And we even don't know who these bodies would be, how they would be mentioned, or who would decide about them and who would control them. There's a lot of governance that needs to go into this legislation.
And also we got some new services, because if you work with distributed ledgers, these should also be managed in a secure way. So about that infrastructure, also something should be managed and written, and about security and levels and whatever. Electronic ledgers would be of qualified level at a third to highest level of security, and also secure archiving, because what Europeans could do is not just signing in and logging in and identifying themselves and making signatures, but also sharing attributes about this identity. And we'll see that later on in the definition of a wallet. And also qualified electronic attestation of attributes, E a, is one of the topics that is new in the second version of eIDAS, and that all brings a lot more technology and a lot more things you have to think about. And what happens this year in February?
And it will run on until May, but we're hearing that the deadline will be postponed. Anyone in the EU who thinks they can prepare a nice wallet and deliver it to their own member states with at least partners in three member states, so relying parties or taking part across three EU member states, they can propose. And there is, I think, 31 million euro for supporting these initiatives. The member state has applied for it, or a mandated party by the member state, or someone independently with consent of the member state. So all the world today, anyone who does something with identity wallet, me, I think in this room, I know at least three people who are now discussing and trying to make the EU wallet work and working on this tender or proposal to get the money, up till 6 million per wallet.
I think there's a lot of money, but it's a very tight deadline. And the tender document describing all the requirements itself is already, I think, 50 pages, and the template that you have to fill out is 24 pages. And the max text you can use is 60 pages, 70 pages. So it's a lot of work and a very tight deadline to do this in a few weeks. And then all the cos. Yeah. So what is a digital wallet? According to the definition of the EU or the eIDAS 2.0, it's written in article three: a digital wallet is a service or a product, something that does something, that allows a user to store identity data, not just identity data, but also credentials and attributes that are linked to the identity. And that's very new. It's not just log-on or signing. It's also attribute sharing, and these attributes could be shown or shared with relying parties.
In blockchain country, we would call them validators. The user would be the holder, the relying party would be the validator, and the party that issues this data would be the issuer, but they use the old terms relying party and user. And also create qualified signatures. So it's a bit wider in scope. And of course this should be for legal persons or natural persons, in the atmosphere of public and private relying parties and issuing parties. So the scope is a bit bigger. And what does a wallet like that look like? Well, it's just an app on your mobile device. So it's supposed to be self-sovereign, but we can question how self-sovereign this is. Of course, now there is a minimum attribute set prescribed, and number seven to 10 also enable the parties that are non-governmental. A lot of use cases would need the last four of these things.
And the first seven, the first six, would be more governmental reach. I know I have to make up some time from previous speakers, so I will hurry up. Now, there are more required features for the wallet, just self-sovereign identity stuff. You shouldn't collect the data. If you are the wallet issuer, you're not allowed to collect the data in the wallet. You're not allowed, you can't consolidate all the data and trace what the user is using the wallet for. There would be full user control on the data. So the user would decide what data would be in the wallet and with whom it would be shared. And it would be a minimum set shared for the purpose of the transaction. So not your whole passport, but only: are you over 18, yes or no. Validation instead of data sharing. And the data would come from the original sources, from the issuers, but that's more drilling into the self-sovereign identity concept. And there would be reporting on breaches.
There would be a lot of administration and governance, and, well, access for disabled persons, a common interface for relying parties, APIs. Well, where have we heard this? It reminds me of Payment Services Directive 2, where the banks' back offices should be opened up, and the member states should be in charge, and the assurance level should be high. And almost every part of this whole set of the architecture, the toolbox, the agreements is regulated. So they managed to write it down in 60 pages, but these are only the amendments to the previous eIDAS, so it's a lot of text. Now, this is what the EA architecture, what it looks like. After this, I have one more slide, then I'm done. A decentralized identity model with wallets on the distributed ledger, with archiving, it takes a lot more to describe and to legislate than an identity federation model like we used to have in eIDAS.
And there are a lot of gaps that are not clear. And the problem is you can't prescribe technology details operationally in a law, because a law, it takes a year to write it. And then after a year, it should be adopted and enforced. And then the member state has to use it and to bring it into practice. So that's not so easy. And so there are some challenges. Operational aspects for privacy, security, they're not well enough elaborated there. The wallets for the tender: well, 17 May everyone should have selected their member states' programs and get the subsidized money for the calls for proposals in the member states. And then we all should start building these wallets. And in the next year, it should be ready. That should be the definition of the complete toolbox, architecture, and every member state should have a wallet for the people.
And in 2030, it should cover 80% of the Europeans. So that's quite difficult. Also, what does full user control mean when you are using a smartphone? Is that very sovereign? I'm not sure. Harmonization with other legislation on digital security: there's a host of new legislation coming up. The Cyber Resilience Act, the, well, any, there's a whole list. I won't mention them all, but that has to be harmonized. How to do that? Some things are not clear. Some things are still nascent, really at the beginning state. And these certification bodies, how do they certify, how do you do this? It's all innovative technology. Qualified trust service providers also in third countries. Non-Europeans, okay. How do you legislate that? They're not under your control. And also non-qualified trust service providers could take part in the ecosystems. Now, these are some of the challenges that are just tipping the top of the iceberg, but, well, I'm really curious what happens and if we get it and make it in 2023. But I think I'm happy someone decided to harmonize this and to give this innovative concept of SSI a chance. At least it's on the map, and in my life, after 20 years in identity, I think that's almost a revolution. And well, it leverages at least the knowledge and the awareness of this concept and of privacy.
And I think GDPR in 2018 has helped to leverage the privacy awareness as well. Now, this is it. I've added a lot of links, mostly European links: the legislation proposal itself, the original eIDAS legislation, the tender documents, which state a lot of requirements for the wallets that want to get money and take part in the tender. So there's a lot of information, and well, if you want to know more, most of it is here. And yeah, I hope that in maybe one year we can see what came of it, but yeah, that's it. So thank you for being here and thank you later.
