"If we don't learn the lessons from the shortcomings of the EU's Digital COVID Certificate, the proposed European Digital Identity Wallet will fail to achieve its full potential. We must involve the private sector to help to deliver a better balanced design – with regards to privacy, security, interoperability and usability – that works for all ecosystem players." This is the stark warning from INNOPAY's Vincent Jansen and Eefje van der Harst.
The COVID Certificate solves an immediate problem, but we need to learn important lessons
On 01 July the EU will make available the Digital COVID Certificate to all Member States. The system is designed to facilitate safe free movement of citizens during the COVID-19 pandemic. It will do this by providing a centralised gateway which interoperates with national certification systems across the EU, enabling users to prove via a smartphone app or on paper if they have been vaccinated, received a negative test result or recovered from the virus.
Given the speed of its development – driven in part by the urgency of tourism-reliant Member States to open up holiday travel this summer – the COVID Certificate should be applauded. However with speed comes added risk, and Vincent believes, "Hasty decisions were made due to the understandable time pressure, and there are significant weaknesses in the COVID Certificate system with regards to privacy, security and usability. It has been a good exercise and one that solves an urgent need to enable safe travel, but it reveals many things that should be addressed in the development and rollout of the Digital Identity Wallet."
The European Digital Identity Wallet is the EU's ambitious initiative to build on the existing eIDAS Regulation by developing a framework through which citizens' national identities and credentials can be seamlessly shared across all Member States via a 'digital wallet', whilst crucially remaining under the control of the individual user. This will facilitate a wide range of activities outside a user's home country such as enrolling in a university or renting a car.
Eefje explains, "We see the COVID Certificate as a very specific use case. It is really only a credential for a specific purpose, and the user also needs to present it alongside their passport to prove that the COVID records belong to them. The Digital Identity Wallet will need to enable a multitude of different use cases and types of transactions. To enable trusted digital transactions at scale we will need a strict binding between an individual's identity and the data about them. This will allow their data to be verified during the transaction against a trusted source by the verifier. But we must certainly use the learnings from the COVID Certificate to guide the design and implementation of the much wider and broader Digital Identity Wallet."
A deeper dive into the flaws in the COVID Certificate
The challenges faced by the COVID Certificate include issues around privacy, security, usability, interoperability, transparency and expectation management.
"One of the main privacy criticisms of the COVID Certificate is the lack of selective disclosure regarding what data is exposed in different situations," explains Vincent. "So for example, why do we need to show which type of vaccine was administered to get on a plane? This has triggered a debate about which details should be shown on the Certificate, particularly on the paper version where it's not possible to tailor which data is displayed."
"There is also a lot of concern around usability and inclusivity," adds Eefje, "which has sparked the conversation about whether some groups are discriminated against by the COVID Certificate. Whilst it's true that having the paper version does provide an option for people without a smartphone, I'm not convinced that the current implementation fully takes into account the needs and challenges of groups like the elderly, those with reading difficulties and so on."
Questions have also been raised about the transparency of decision-making during the system's development, and whether a sufficiently broad range of experts have contributed to its design. The technological and regulatory choices underpinning the system have been somewhat opaque throughout much of the process, causing unease amongst privacy and security experts sitting outside the tent.
There are also lessons to be learned about communications to the public. "There has been a mixed reaction. People see it as a necessary evil to allow them to travel. But there is a lot of discomfort about how long this will last, and also around potential scope creep. Will it only be for travel or will it be extended to going to festivals and entering offices? People's concerns have not really been allayed".
Which lessons must be learned for the Digital Identity Wallet?
The EU Commission has recently invited Member States to establish a common toolbox for the technical architecture, standards and best practice guidelines for the Digital Identity Wallet by September 2022. This makes it imperative that the lessons of the COVID Certificate are quickly taken on board.
Vincent and Eefje are strong advocates of opening up the process. "Our concern is that the process will take a very public-led and centralised approach, and will not take into account the needs and also the capabilities of the private sector. It is essential to fully involve the private sector in the development of the Digital Identity Wallet, particularly in the design of the standards and protocols. There are many solution providers which already have the technology and the capabilities to bring significant innovation to the process, for instance focusing on improved usability and inclusion. The EU and Member States would benefit from involving these parties in further detailing the current plans."
Eefje continues, "The eIDAS Regulation already enables public sector services to digitally verify citizens' identities in many countries. There is now a real opportunity to extend this to the private sector. Enabling digital identity verification across borders for private sector services would provide greater convenience for citizens. It would also be very attractive to private service providers by removing much of the friction currently involved in customer identification for compliance reasons and for risk management."
Turning to the privacy issue, the EU appears keen to enable selective disclosure of data, meaning that only the data which is necessary for a specific service or transaction will be surfaced by the Digital Identity Wallet. But there is also an opportunity to introduce an accreditation process for specific types of verifiers (e.g. travel companies will be able to request access to only data related to travel). This is already established locally in some Member States, but it is not yet clear if this will be extended to the Digital Identity Wallet.
Communications also need to be carefully planned, and it would seem sensible to position the Digital Identity Wallet as a value-add which sits on top of each Member State's national ID programs, rather than a centralised 'big brother' system. The EU intends to develop a solution which is decentralised, privacy-friendly and secure, and it will be important that this message gets across to a sometimes sceptical public. And the EU will need to fully address the concerns of those sections of society which are not yet ready for a wholesale migration to a digital identity solution.
Calling on the EU to involve the private sector
Taking into account the speed of its development, the Covid Certificate is a laudable effort which will hopefully play a significant role in opening up travel across Member States this summer. However its weaknesses must be taken into account and used as 'lessons learned' during the design and implementation of the planned European Digital Identity Wallet.
The key takeaway from Vincent and Eefje is that the private sector needs to be embraced in this process. "If we fully involve the private sector solution providers – who can bring their technologies and innovative capabilities – then we can make better choices, and deliver a solution that will not only help the end user but also provide significant opportunities and benefits for private service providers."