Consumer protection: warning of massive tracking with digital EU wallet

Contents

The EU Commission's proposals to implement the regulation for a European electronic identity (EUid) based on digital wallets (e-wallets) contradict the interests of consumers. This is the result of a report that has now been published by the German Federation of Consumer Organizations (vzbv). For example, they make it difficult for consumers to gain an overview of how public administrations, companies and other stakeholders use their data and digital identity. The backdoor could also allow users of the wallet, in which ID documents, among other things, are supposed to be stored digitally, to be comprehensively tracked.

A sore point with the EUid, also known as the European Digital Identity (EUDI), is data protection, according to the analysis as of November. The analysis was carried out by the security company Defendo IT on behalf of the vzbv. A major problem with the current status of the specification is, therefore: Service providers that allow the planned EU wallet for identification could work with the issuers of the eID solution in secret to comprehensively track users.

In order to reduce these risks, "significant changes to the underlying protocols and algorithms" would be necessary, according to the study. There are therefore already warnings that the corresponding specification could no longer be compatible with the amendment to the eIDAS Regulation on which it is based. The feared misuse would currently only be counteracted by potential fines and liability aspects.

Politicians would have to stipulate user protection

The researchers explain: depending on the implementation of the EUDI wallet –, in particular the user authentication –, the issuers of the access data would be contacted each time these credentials are presented. This also tells them which attributes are presented. By default, the issuer does not receive any information about the third parties using the solution. The wallet software can also potentially falsify requests to conceal the actual usage patterns. Using the secure element of the user's smartphone also eliminates the need to contact the issuer.

However, if issuers collaborate with the service providers using the EUid, "they can identify where and when credentials are presented and thus create behavioral profiles", the study states. Users would then have no way of recognizing these agreements. There is also no technical mechanism to effectively prevent the widespread tracking that can be carried out in this way: "The only protective measures against this behavior are of a legal nature."

Anonymous credentials would be important

EUDI service providers could assign subsequent authentications of the same user to each other, even if the user does not intend to be identified again. For example, if a user authenticates with a qualified trust service provider to create an electronic signature, an identification check is necessary. This provides the service provider with the user's personal identification data and enables it to recognize subsequent access to its service. In principle, however, it is also conceivable to carry out the sole verification of qualified electronic signatures without the user providing personal data.

In this case, a provider would not be able to track users. There is also already a proposal to use anonymous login information without the possibility of tracking. Only a permanent personal identification number could be an exception. According to critics, the Commission wants to introduce such an identifier through the back door. The researchers are therefore urging a thorough revision of the specification, the architecture and reference framework as well as the German proposal for EUDI implementation to integrate the use of anonymous credentials.

Do not feed digital monopolies

"A digital wallet in which all important documents are stored can simplify many processes," comments Michaela Schröder from vzbv on the experts' findings. "At the same time, there is a risk of data misuse through tracking and profiling." In order for consumers to be able to use a digital wallet without hesitation, data must be collected "sparingly and the most secure setting automatically selected". This is the only way to ensure the necessary high level of protection and build trust.

In a position paper, the vzbv demands that only data that is absolutely necessary for the service should be requested from providers. Private sector service providers should be prohibited from using information from the digital wallet for their other business activities. In particular, the linking of data with official documents must be prevented.

Users are divided

The digital wallet should not lead to Google, Amazon or Apple further expanding their monopoly positions, postulates Schröder. Users should not be forced to buy or use products or services from the respective wallet issuer. There is also a risk that consumers could be tempted or de facto forced to share more data with digital companies. This would be the case, for example, if this company's wallet is "embedded in a mobile operating system that connects multiple services".

By fall 2026, all EU member states will be obliged to provide their citizens with EUid wallets. According to a representative online survey conducted by market research institute Eye Square on behalf of vzbv, 44% of participants would store their ID card or driving license in such a digital wallet. However, a good third (34 percent) would not do so. 22 percent are still undecided.

(mma)