Extending the use of eID to online platforms – risks to privacy?
On 10 October 2017, the European Commission published the “draft principles and guidance on eID interoperability for online platforms” on the electronic Identification and Trust Services (eIDAS) observatory. Building on the eIDAS Regulation, the Commission would like to extend the scope of use of eIDs to online platforms, in addition to public services. This raises a number of issues, particularly regarding the protection of privacy.
The eIDAS Regulation, adopted in 2014, is part of the “European eGovernment Action Plan 2016-2020”. It aims at making all Member State issued eIDs recognisable by all Member States from 28 September 2017. By extending the scope of use of eIDs to “online platforms” in general and not only public services, the Commission is trying to make authentication easier and more secure, as the eID itself would allow logging in. It would answer some of the issues raised by the use of passwords as main authentication method. It would also be more convenient for the users who could use the same eID across different platforms.
However, as presented in the Commission’s document, the guidelines raise a number of issues, such as the lack of a definition of “online platforms”. As the eIDAS Regulation concerns access to public services throughout the EU with the same government-approved eID, it appears that “online platforms” refers to the private sector. “Online platforms” are defined, to a certain extent, in the Commission’s Communication on Online Platforms. However, the characteristics used there are so wide that they encompass both online sales websites and social media platforms.
The second issue is the protection of privacy. Indeed, the draft document states that “users should be able to preserve a level of privacy and anonymity, e.g. by using a pseudonym”. The failure to understand the basic notion that anonymity and pseudonymisation are fundamentally different is worrying. It is, or should be, obvious that using one’s eID to authenticate oneself would allow the platform to link the pseudonym to the real identity and personal information. Furthermore, while it might be useful for online sales platforms to make sure transactions are taking place between real people, it defeats the purpose of using a pseudonym on social media, which is precisely to keep one’s online activities from being linked to one’s real identity.
Finally, while the Commission sets the direction of making authentication easier for both platforms and users through the use of the eID, it does not provide guidelines on the implementation of privacy by default. Such guidelines would make sure that online platforms only have access to authentication information and do not use it for other purposes. One of the safeguards for the use of eIDs to access public services is the ability to monitor which public servant accessed the data and when. However, regarding the use of eIDs for authentication on online platforms, there is no provision in the draft guidelines that would make sure that data are properly secured.
Bearing in mind the huge and varied damage caused to Facebook users by its “real names” policy, the risks of this project being used by certain online platforms are real and significant.
Draft principles and guidance on eID interoperability for online platforms – share your views! (10.10.2017)
Workshop: Towards principles and guidance on eID interoperability for online platforms (24.04.2017)
Communication from the Commission – Online Platforms and the Digital Single Market: Opportunities and Challenges for Europe (25.05.2016)
(Contribution by Anne-Morgane Devriendt, EDRi intern)