The eID Wallet still doesn’t deserve your full trust
Despite its imminent deployment, the EU’s new eID Wallet is not yet fit for purpose in terms of safeguarding the rights of its users. EDRi and nine CSOs urge the European Commission to amend the draft implementing acts to ensure that users cannot be tracked, cannot be forced to share sensitive data, and cannot be required to provide their legal identity where this is not required by law.
The EU Digital Identity Wallet (EUDI Wallet or eID Wallet) is a mobile identity wallet intended to let people securely prove who they are online and share verified attributes. It was introduced by Regulation (EU) 2024/1183 (eIDAS 2.0), which amends the eIDAS 1.0 framework, namely the 2014 EU Regulation on electronic identification procedures in legal transactions, to establish a European Digital Identity.
Despite the law being in place, the eID Wallet is not yet available. That’s because while the Regulation sets the legal framework, the technical and operational framework still needs to be specified, through a form of law called ‘implementing acts’. The implementing acts for the eID Wallet define, among other things, the data formats, protocols, application programming interfaces (APIs), and the concrete security and certification requirements for the Wallet. Based on these common parameters, each Member State is then to develop and deploy its own Wallet, interoperable with the others within the EU, and each offering the same level of security.
Over the past five years, EDRi member epicenter.works has been warning about pitfalls in users’ safety, security and privacy when it comes to a Europe-wide digital identification system. The organisation has been a key stakeholder in ensuring that the eIDAS Regulation and the eID Wallet include crucial safeguards, and it is thanks to their leadership and the collaboration they offered that EDRi has been able to develop expertise and participate in the most recent consultation opened by the Commission.
The latest version of the eIDAS (draft) implementing acts was the subject of three simultaneous public consultations (1, 2, 3) to which EDRi responded, raising red flags. Indeed, through these acts, the Commission is:
- weakening the Wallet safeguards (untraceability and unlinkability) meant to prevent surveillance of people who use it;
- imposing an additional mandatory processing of sensitive biometric facial data, an intrusive feature unforeseen in the eIDAS Regulation;
- pushing for a narrow interpretation of the eIDAS Regulation’s provisions which enable the use of pseudonyms, a valuable feature for providing certified attributes without revealing one’s identity. This makes over-identification of users the default as well as making pseudonyms practically useless when available;
- making registration certificates optional. This leads to a situation wherein people using the Wallet need to scrutinise every Wallet interaction to ensure that service providers do not request more information than is needed to provide the service (similar to a “cookie-fatigue” situation, where people bear the burden of safeguarding their privacy without ever being given a meaningful choice).
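To make the first and last points of that list concrete, the following is an added illustration written for this page; it is not code from EDRi, epicenter.works, the Commission or any Wallet implementation, and it uses a deliberately simplified model of a “registration certificate” and of a credential presentation rather than the real eIDAS data formats. It shows two things a Wallet can only do on the user’s behalf when the safeguards exist: refuse a request that exceeds what a service provider is registered to ask for (impossible without a registration certificate, which is why the burden otherwise falls on the user), and avoid handing two services a common identifier that lets them link their records of the same person. The batch-issued single-use credentials in the second part are one assumed way of achieving unlinkability, not something the draft acts prescribe.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistrationCertificate:
    # Constructed, simplified model: which attributes a named relying party
    # is registered to request. This is NOT the real eIDAS certificate format.
    relying_party: str
    allowed_attributes: frozenset


def over_requested(requested, cert):
    """Return the attributes a presentation request asks for beyond what the
    relying party's registration certificate allows.

    Returns None when no certificate is available: the Wallet then has
    nothing to check against, so the decision is pushed onto the user.
    """
    if cert is None:
        return None
    return set(requested) - cert.allowed_attributes


def decide(requested, cert):
    """Wallet policy: refuse automatically when the request exceeds the
    certificate, allow when it fits, and fall back to asking the user only
    when no certificate exists."""
    extra = over_requested(requested, cert)
    if extra is None:
        return "ask-user"
    return "refuse" if extra else "allow"


def presentation(credential_id, disclosed):
    # A presentation carries the disclosed attributes plus whatever
    # identifier the credential format exposes to the relying party.
    return {"credential_id": credential_id, **disclosed}


def linkable_credentials(seen_by_a, seen_by_b):
    """Credential identifiers that two relying parties could match against
    each other if they pooled their logs, i.e. the users they can link."""
    ids_a = {p["credential_id"] for p in seen_by_a}
    ids_b = {p["credential_id"] for p in seen_by_b}
    return ids_a & ids_b


def static_id_scenario():
    # One long-lived credential reused everywhere: every presentation carries
    # the same identifier, so two services can tie their records together.
    cred = "cred-7f3a"  # constructed static identifier
    rp_a = [presentation(cred, {"age_over_18": True})]
    rp_b = [presentation(cred, {"age_over_18": True})]
    return linkable_credentials(rp_a, rp_b)


def batch_issued_scenario():
    # Assumed mitigation: the Wallet holds a batch of single-use credentials
    # with independent identifiers and never presents the same one twice,
    # so the two services see nothing in common.
    batch = [f"cred-{secrets.token_hex(4)}" for _ in range(2)]
    rp_a = [presentation(batch[0], {"age_over_18": True})]
    rp_b = [presentation(batch[1], {"age_over_18": True})]
    return linkable_credentials(rp_a, rp_b)


if __name__ == "__main__":
    shop = RegistrationCertificate("shop.example", frozenset({"age_over_18"}))
    print(decide({"age_over_18"}, shop))                      # allow
    print(decide({"age_over_18", "given_name"}, shop))        # refuse
    print(decide({"age_over_18", "given_name"}, None))        # ask-user
    print(static_id_scenario(), batch_issued_scenario())      # {'cred-7f3a'} set()
```

The model deliberately ignores other correlation handles a real credential can expose (for instance an issuer signature that stays identical across presentations), so “no common identifier” here is a necessary condition for unlinkability, not a proof of it.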
More details and additional points of concern can be found in our full submission, in which we also present fixes.
This situation is extremely worrying. It is made worse by the fact that national and EU lawmakers are anticipating a broader list of cases in which the Wallet should be used. Originally, the Wallet was meant to facilitate access to public services online, and safeguards were included to ensure its use remains voluntary for citizens and residents. Now, many lawmakers are calling for social media to be banned for young people, and for such a policy to be enforced through mandatory use of the eID Wallet, because they believe this tool addresses the privacy and data protection concerns facing alternative age verification methods. However, the elements we raise regarding the implementing acts demonstrate that the eID Wallet is still not the perfect solution which the Commission has been pitching. These elements also come on top of the concerns we raised elsewhere about the disproportionate impact the eID could have on the ability of young people and other impacted demographics to exercise their fundamental rights online. Altogether, this must lead lawmakers to halt their plans of making the eID Wallet mandatory – whether it is for accessing social media or other online spaces.
This is why EDRi is joining epicenter.works and eight other NGOs in urging the European Commission to change course and to implement the solutions we collectively identified. Individuals must be able to trust the eID Wallet; therefore the Wallet must be subject to the highest safeguards. If our concerns are not addressed, the eID Wallet risks becoming a tool of surveillance and control rather than a tool that empowers users to access the services they need in a secure and safe way.