Let’s talk about digital identity with Viky Manaila, Trust Services Director at Intesi Group.

In episode 79 Oscar and Viky discuss eIDAS 2.0 and EU digital identity wallets – what eIDAS 2.0 is and why it was created, what lessons were learnt from eIDAS and how have these helped to build eIDAS 2.0, and how the EU digital wallets relate to eIDAS 2.0.

[Transcript below]

“So, the aim of eIDAS 2.0 is to achieve the targets set in Europe’s path to digital decade. Eighty percent of EU citizens being able to use a digital ID by 2030…”

Viky ManailaViky Manaila is an international expert in the field of electronic signatures, digital identity and digital transformation processes, who has successfully promoted the electronic business globally.

She has been technical expert to the European Commission for instituting Regulation 910/2014 (eIDAS) on electronic identity assurance and the design and roll-out of European, cross-nation e-procurement platforms and operations. She is member of different high level working groups set up by the European Commission, ETSI and the US Government aimed at aligning policy and operations around trust identity, digital signatures and cross-recognition.

Viky has successfully contributed to standardisation work for the global acceptance of European Trust Services, as an expert in ETSI ESI Specialist Task Force 560. Global Acceptance of EU Trust Services is a study of existing trust services that operate in different regions of the world and their possible mutual recognition or global acceptance.  The eIDAS Regulation and corresponding standards go beyond EU boundaries, proving that interoperability and cross-border legal recognition are the keys for global electronic commerce and transactions.

Viky is also President of Cloud Signature Consortium.

Find out more about Intesi Group.

Connect with Viky on LinkedIn or Twitter.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Let's Talk About Digital Identity
Ubisecure

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

 

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thank you for joining us in a new episode of Let’s Talk About Digital Identity. And we are going to hear more about eIDAS 2.0 that is being evolving a lot getting ready and ready. So, for that we have a special guest who is Viky Manaila. She is an international expert in the field of electronic signatures, digital identity and digital transformation processes, who has successfully promoted the electronic business globally. She has been technical expert to the European Commission for instituting Regulation 910/2014 (eIDAS) on electronic identity assurance and the design and roll-out of European cross-nation e-procurement platforms and operations.

Viky is a member of different high level working groups set up by the European Commission, the ETSI, and the US government aimed at aligning policy and operations around trust identity, digital signatures, and cross-recognition. She’s also president of Cloud Signature Consortium. Hello, Viky.

Viky Manaila: Hello, Oscar. Hello, everyone. And welcome to Let’s Talk About Digital Identity in Europe this time.

Oscar: Exactly. We’re talking about what is happening in Europe. Yeah, fantastic. Nice hearing you. Nice meeting you, Viky. So, let’s get started.

Viky: Thank you for inviting me to your show.

Oscar: My pleasure. So, Viky, let’s talk about digital identity. So, let’s start by hearing a bit more about yourself in your journey to this world of identity.

Viky: Well, my journey into digital services and identity space started back in 2002 when I was preparing my master’s thesis in electronic signatures and cryptography. That time I came across the famous cartoon of New Yorker drawn by Peter Steiner with the two dogs in front of the computer, the old one telling to the smallest one, “On the internet, nobody knows you’re a dog.” So, that cartoon impressed me very much. And we are now almost 30 years after trying to solve the dog on the internet problem. So, this is in a nutshell.

So, I continuously worked to improve the way we are conducting digital transactions, the way we are signing digitally, we are exchanging information and now proofing who we are on the internet with the trustworthy way, in a nutshell.

Oscar: Yeah, cartoons are amazing, right?

Viky: Yes, that one I hope we can solve it soon once the eIDAS 2.0 will go into force.

Oscar: Yeah, exactly. And hopefully someone makes a cartoon for that, that also becomes a legend. So please tell us what is eIDAS 2.0 and why it was created?

Viky: Well, eIDAS 2.0 is the proposal, it’s a proposal to amend the eIDAS, the Regulation number 910 from 2014 on electronic identification and trust services for electronic transactions in the internal market. With eIDAS, the European Union lay down the foundations and a common legal framework across all member states for citizens, companies, public administrations to carry out transactions online with legal value.

eIDAS regulation has two parts: one, related to electronic identification and electronic identity. And one related to trust services such as electronic signature, timestamp, electronic seal, preservation of electronic signatures, certificates for website authentication. Now, as part of the legislative process of a regulation, after several years is coming and assessment to see how and what delivered, what needs to be changed or improved. Is it appropriate to modify its scope and specific provisions taking into consideration the technological development, the market evolution, the citizens expectations.

So, during 2020, during the pandemic, an extensive impact assessment has been carried out by a group of experts, which I was part of, analysing every detail of eIDAS including costs and benefits expected for relevant group of stakeholders affect this such as public authorities, trust service providers, conformity assessment bodies, electronic identity providers, supervisory bodies, the entire eIDAS ecosystem. Based on the evidence collected during this assessment, we drew conclusions and provided options for the legislative integration, integration, and a substantial input for the introduction of the EU framework for digital identity, the EU Digital Identity wallet concept.

So, the aim of eIDAS 2.0 is to achieve the targets set in Europe’s path to digital decade. Eighty percent of EU citizens being able to use a digital ID by 2030, so in less than 10 years, to be able to prove who they are cross-border, to be able to give the explicit consent for sharing pieces of their personal information, to know exactly with whom they’ve shared personal information and for what purpose. A technology where we can control ourselves, what data and how data is used, in a nutshell about eIDAS 2.0.

Oscar: Yeah. And it’s definitely very ambitious goal, absolutely attainable, and we need it for sure.

Viky: Yes, we need to solve the dog on the internet problem.

Oscar: So, from the experience of eIDAS, the first version eIDAS, so what are the lessons that have been learned from that experience, the good and the bad, if you can say?

Viky: Yes. So, I will start with concrete facts. Since the entering into force of eIDAS, we have only 14 European member states having in place a notified electronic ID schemes covering 59% of citizens. From this fourteen notified eID schemes only seven are mobile. Very few public services are available cross-border even for those citizens with an electronic identification mean. So, six years after the adoption of eIDAS, 41% of citizens are left without the possibility to use any trusted and secure eID across borders.

There are several pain points or problems identified during the impact assessment. Number one, an increased demand by public and private services for trusted identification and exchange of attributes. The current electronic ID framework is limited to the public sector services. There are no rules or conditions to allow the private sector services to get access to the national eID systems. In particular, the complexity and diversity of such systems, insufficient availability in all member states, the lack of flexibility to support a variety of use cases are significant in limiting the expanding of eID means. There is a huge market demand for credentials digitally proving attributes, such as professional qualifications, residency, medical certificate, and those are not covered by the current eIDAS.

The second problem identified is related to the current user expectations for seamless and trusted solutions to identify and share attributes across borders, and those expectations are not met. We are all expecting today a seamless online journey. Single sign-on solutions, mobile applications, covering all use cases for identification from electronic banking or e-health secure identification to anonymous log-on to an online platform or website. The ability to identify digitally will become an important factor of social inclusion and the provision of digital identity a strategic asset. Some member states moved already into this direction adopting new technological solution. But if this is not regulated at EU level, will further increase the disparity between national systems.

Alternative digital identification solutions by private providers and I can mention here the cases from Nordic countries where the banks are providing electronic identity solutions, those are not recognised by government outside of Nordic countries, for instance. However, they only address some private use cases not requiring high level of security. Other more secure solutions offered by private providers lack the common frameworks or standards as regards, for example, the level of assurance that they provide. So, they cannot scale up and be recognised across borders for access to public services or private services which require a certain level of trust.

The third problem identified is related to data control and security concerns that are not sufficiently addressed by available digital identity solutions. The security risks involved in providing personal data online or information system for authentication purposes are significant as more citizens conduct transactions online on a very frequent basis. However, neither public nor private offers fully respond to this demand. Existing electronic identities under eIDAS are not sufficiently widely usable for identification in the private sector to represent a viable alternative and has also inherent limitations to discretional data disclosure for the user.

So, despite offering high level of security, they show limitations as regards the principle of data minimisation. For example, eIDAS does not support so called zero knowledge claims. In addition, identification provided by large online platforms, often does not allow for the effective protection of personnel data. We have noticed that more and more platforms are allowing us to identify with our Google account or with our Facebook account or other providers account. But those platforms does not guarantee us the protection of personal data. And this has been evidenced by major data breaches and enforcement actions over the last period of time.

So, the general shift towards a more comprehensive identity ecosystem that integrates attributes and credentials, some of them carrying sensitive data, such as in the health sector, makes it necessary to develop an electronic identity ecosystem that is able to effectively protect personal data and offer full user control. And the last and the fourth major problem identified is related to unequal conditions for the provision of trust services.

Also, the evaluation of the eIDAS regulation concludes that the regulatory framework has successfully established legal certainty on liability, burden of proof, legal effect and international aspects of trust services. It also shows that there is room for improvement regarding a harmonised application of supervisory procedures and especially for processes for identity proofing that are the very basis for several other digital services, in particular, when these processes are carried out remotely.

There is also need for improvement concerning the efficiency of a particular trust service, the provision of Qualified Website Authentication Certificates, so called QWACs. What is happening despite the introduction of the certificates by the eIDAS regulation, web browsers refused to include them in their root stores and to display them clearly, which makes these certificates unusable for traders and consumers. For websites run by intermediaries or trading companies only, QWACs can guarantee the identity of the entity behind the website with a high level of assurance.

So, I’m a consumer, I want to buy something online, I go on a website that is claiming to sell clothes made in Italy or Italian brands. But if I look careful on that website, I can notice that is not an Italian website. It’s hosted in China. It’s a Chinese website. So, what is happening when I buy something, and I want to return because the quality is not the one expected or the one shown in the picture? We know a lot of problems related to this aspect. So, you cannot send back your purchase, you cannot get back your money. So, the lack of recognition of QWACs by web browsers may also conflict with the protection of fundamental rights of consumers that are enshrined in the treaty of the functioning of the European Union and with the EU consumer protection legislation. So, these are the most important problems issues identified related to the eIDAS regulation.

Oscar: Yeah, indeed, I think that were so exhausted explanation of those several problems. Of course, it feels like they are, how to say, incomplete solutions, right? So, there are some solutions, but they don’t completely fulfil, yeah, what they were meant to do. So, what do you think are the drivers of these problems?

Viky: Well, first of all, the member states are not obliged by the current eIDAS regulation to notify or to provide an electronic identity scheme or electronic identity mechanism. It is voluntary, and the process of notification is long and complex. Not all member states that have notified national electronic identities open those systems to the private sector for domestic reasons or for lack of incentives.

Private providers of digital identity attributes are not subject to a harmonised regulatory framework, ensuring trust and security across border. Then we have diverse and ineffective conditions for private online service providers that cannot rely on trusted and secure eID cross borders. Then the set of identity data provided by eIDAS is too limited and rigid. And last but not least inconsistent interpretation, divergent application and lack of acceptance of the eIDAS regulation in relation to QWACs certificate.

Oscar: Yeah. So, every country does things quite different.

Viky: Yes, quite different and not that the same beat and not at the same rate. And then we have discrepancy. And even if we have those electronic identification means we cannot use them cross-borders. For instance, I have the Italian SPID which is the notified electronic identification mean, but I cannot use it to open bank account in my country of origin, Romania, for instance, because it’s not possible yet to check cross-border this information.

Oscar: Exactly. What solutions could be done I guess some of those are being now cooked on in eIDAS, right? So, what are the solutions to these issues?

Viky: I just wanted to mention that not all in eIDAS is bad that how the listeners or the audience could interpret the part related to trust services provisioning delivered exceptionally, so the regulation became recognised and globally approach to trust services provisioning and supervision. The term of qualified as the highest assurance level for a service has been adopted widely, and many countries transposed this definition into national legislation.

So, you will find the term of qualified electronic signature, which is essentially an European term introduced by eIDAS regulation, also outside the European Union, or trust service supervision, or trust service provisioning in other countries as well. So, the supervision and accreditation, the standards for trust services provisioning are a benchmark now.

Oscar: That’s great to hear that, yeah. That inspire other…

Viky: Yes. I am very proud of that.

Oscar: Sure. And inspire all the legislation…

Viky: Because we manage – yes, we manage to deliver a very good model. Coming back to your question, what is introducing new eIDAS 2.0, what are the new services? There are several new trust services such as electronic archiving, or distributed ledgers, or electronic attestation of attributes, which I would like to just talk a bit on.

What means electronic attestation of attributes? We are familiar with verifiable credentials term from self-sovereign identity space. So, the electronic attestation of attributes such as proof of age, for instance, for accessing age-restricted social media platforms, professional qualifications, I’m a lawyer, I’m a student, I’m a doctor, I’m… I don’t know professional digital space, digital driving licenses, vaccination certificates. We have seen the recent use case where we should came up with solutions in a very short time, with the possibility to check this information across border.

So, in this new ecosystem, identity data and attributes would, whenever required, be securely linked to the legal electronic identity of the user, making the data trustworthy and legally enforceable across border. These new service, electronic attestation of attributes, could be used to enable EU-wide authentication to access a variety of online services in the financial sector offer today at national level only. But in the future, we will have the possibility to use cross-border, and also would allow for the identification and authentication of IoT devices.

The aim with the new services introduced by eIDAS 2.0 is to achieve a shift from the reliance on national digital identity solutions only, to the provision of electronic attestation of attributes valid at European level. Providers of electronic attestation of attributes should benefit as a consequence of the eIDAS 2.0 from a clear and uniform set of rules. And public administrations should be able to rely on electronic documents in a given format, no matter what is the country that issued those documents.

So, these are the new services, of course, followed by the validation of electronic archiving, validation of electronic attestation of attributes. And last but not least, the most famous electronic digital identity wallet. But I think we need a month to discuss on only this aspect related to the wallet. It’s a very debated topic in the making.

Oscar: So that will be a debate interview, a marathon debate interview.

Viky: Yes, exactly a marathon, we should organise a marathon for EUDI wallet, everything you wanted to know and never asked before.

Oscar: Maybe we can do it.

Viky: Yes. We’d be happy to participate.

Oscar: OK. Yeah, I know that the lack of these trust services was one of the reasons why the first eIDAS was, yeah, it was difficult to implement in different countries because each country, which service should we build, right? So that’s great that eIDAS 2.0 already has a framework for that. Could you now share some concrete examples, if possible, from different countries about these trust services?

Viky: Yes, sure. I will take the most common, most known and used trust service, which is the provisioning of digital certificates for electronic signature. What I would like to mention, we arrived at eIDAS regulation after the European directive on electronic signature from 1999, where we had disparate solutions, each country transposed into their own legislation differently, the terms and the conditions for electronic signatures, they were not available with the same legal effect cross-border. So eIDAS regulation fixed this problem.

We have a common market, we have a common approach for the provisioning of digital certificates, for electronic signature accepted in all European countries with the same legal effect. And we have all flavours and forms of electronic signature, simple electronic signature, advanced qualified electronic signature, issued on secure cryptographic devices, or cloud-based with the cryptographic keys stored on a secure HSM.

I would like to mention for anyone interested in adopting a solution that allow users to sign from whatever device, be that mobile or desktop, the standardisation effort of Cloud Signature Consortium, which delivered common technical specification for cloud-based digital signatures adopted widely, not only in EU. So, Cloud Signature Consortium, as I mentioned, at the beginning, is a non-profit association with 68 members from 41 countries. Those members implemented the specifications from CSC into their solution, providing signature services with global interoperability not only within the EU boundaries. So, we have an open market for uniform adoption of solutions with legal effect. Everyone should have access to secure digital signature, which must be a commodity now, across a full range of cloud applications on mobile devices and the web.

Oscar: Yeah, sounds definitely, definitely good.

Viky: Yes, indeed, indeed it’s a success story as well. And I’m very happy to be part of this brilliant team of experts working together in bringing standards on the market. And of course, we will continue with new services related to digital transformation services.

Oscar: And what is the current status now we are in, we’re talking now in November, I think this is going to be – probably slightly later but yeah, November 2022, we are talking November 2022, what is the current status of eIDAS 2.0?

Viky: Well, we should look at eIDAS 2.0 as a highway with multiple lanes. We have legislative, we have standardisation, and we have implementation lane. The eIDAS 2.0 proposal has a complex process of approval, and a very challenging timeline. Currently, the file is close to the end of revision period, by the policymakers, I mean, the Council of the European Union and the EU Parliament. Each of them will come with an amended version and is expected that in 2023, the first quarter or latest, the second quarter, will enter into a trialogue with the European Commission for the final form of the proposal. So, end of second quarter 2023, we should have the final draft of eIDAS 2.0 regulation.

In addition to that, there is the toolbox expert group under the European Commission guidance and in close cooperation with representatives from each member states, are working on a technical architecture and reference framework, common standards and technical specifications, common guidelines and best practices for the EUDI wallet and corresponding use cases.

The core actors for the toolbox group are different DG units from the European Commission, DG CONNECT, DG IT, DG MOVE, DG HOME, DG SANTE and ENISA European institution covering the security and the cybersecurity aspects. Also, the private sectors community and relevant standardisation bodies have been invited by the toolbox expert group to provide support based on their relevant expertise.

A first draft of their architecture reference framework was published this year in February, and by mid-November, so in a couple of – in two weeks, for instance, is expected the second version. So, everybody stay tuned, we should see the enhanced architecture reference framework publicly available. But as the timeline for the implementation is really tight, once eIDAS 2.0 will enter into force, the European Commission has already launched two separate funding calls. One for the reference, EUDI wallet development and implementation. And one for large scale projects, proposing major use cases with cross-border transactions and significant number of users to be on-boarded.

So, you can notice the great support of everyone in the European Union of what I personally consider the most ambitious project since the invention of the internet. eIDAS 2.0 will be a success and the benchmark for digital identity as is for trust services already.

Oscar: Yeah, absolutely. It’s very ambitious and – and you said, so when the citizens will be starting using, probably by 2024?

Viky: Yes, probably by 2024. Because the large-scale project, for instance, should start working on the implementation early next year, with two years deadline. So, by the end of 2024, we should have the first citizens on-boarded in this large-scale project. For instance, being able to show their driving license online through EUDI wallet, or to have the capability to open a bank account using their electronic identity from the wallet, or to have a very seamless digital travel experience from buying flight tickets, to the check-in, to the border control authorities, up to on-boarded on the plane.

Oscar: Yeah, absolutely. It sounds like a dream but that’s something that is coming already. It’s really coming. That’s good.

Viky: Yes, it sounds like a dream but will become reality. I’m very confident.

Oscar: Yeah, exactly. That’s the good thing. And I’m sure this is going to expand outside Europe in a way once this reached the success.

Viky: Yes, absolutely. Absolutely, we’ll expand, and we’ll have an impact outside Europe as well, because we are moving, we are moving in other countries so we can use our electronic identities to verify and to prove who we are in other countries as well.

Oscar: Excellent. Viky, final question, for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?

Viky: eIDAS 2.0 main capital. eIDAS 2.0 is a game changer for such multifaceted concept as digital identity that will restore the trust and confidence of citizens in online interaction without forfeiting our fundamental rights and our privacy. It’s a very ambitious mission. It’s a very challenging mission. And the effort should be collaborative for its success. Policymakers, standardisation bodies, public administrators, public administrations, private sector providers, we should all work together to design and to regulate our smart devices to be tools of digital freedom, not of digital surveillance.

Oscar: Absolutely. Thanks a lot, Viky, for super interesting conversation. And I can of course, commend you, all the work you and many of your colleagues across the members of the European Union have been working during this last year. It’s a fantastic job. So please let us know how people would like to get in touch with you. What are the best ways for that?

Viky: Well, they can reach me out through my LinkedIn profile where I’m quite active, Viky Manaila. Or, my Twitter profile, the same Viky Manaila. And of course, by email that I suppose you will post it on the transcription notes on the episode.

Oscar: Excellent. Again, thanks a lot, Viky, for this conversation and all the best.

Viky: Thank you. Thank you and goodbye, everyone.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.