LOAD e.V.

Open letter on the technical implementation of the European Digital ID System (eIDAS)

We advocate for digital civil rights, data protection and an open internet. In this context, we would like to express our support for the open letter "eIDAS Joint Statement Technical Implementation ARF 1.4" by epicenter.works regarding the serious data protection and privacy concerns about the implementation of the "European Digital ID System" (eIDAS) ARF 1.4.

The eIDAS Regulation was adopted by the European Parliament and is intended to enable the secure and seamless use of electronic identities (eID) within the EU. A frequently cited use case is age verification for online purchases, where the online shop receives only the information "user is old enough". eIDs thus make it possible to offer services that are more secure, more efficient, more privacy-respecting and more data-minimising than current solutions.

LOAD fundamentally welcomes the eIDAS Regulation and the efforts of the EU Commission to create a secure and user-friendly electronic identity. Particularly noteworthy is the open development of the Architecture and Reference Framework on GitHub, which promotes transparency and collaboration with the community and academia.

However, important details must not be sacrificed to time pressure or domestic political interests. We therefore call on the EU Commission to seriously examine the proposed newer cryptographic standards and to invest more resources in solving the technical challenges. In addition, the concerns regarding surveillance by law enforcement agencies must be addressed in order to guarantee citizens' data protection and privacy.

We therefore support the open letter from epicenter.works and advocate for a sustainable and privacy-friendly implementation of the eIDAS Regulation.

The letter of 7 August 2024 in full


Dear EU Member State Representatives, dear European Commission,

We write you to express our deep concern about the current draft of the Architecture Reference Framework (version 1.4) intended to implement the eIDAS Regulation (EU) 2024/1183. The goal of this legislation is to establish a trusted and secure ecosystem for the exchange of sensitive identity and personal information across the Union. The academics and civil society experts that signed this letter see severe shortcomings in the current proposal that would jeopardize the security and privacy of all citizens using this EU Digital Identity Wallet.
The proposed draft ignores key privacy safeguards and undermines user rights. The proposal contains a backdoor to re-identify every user on request of law enforcement agencies. The technical implementation would not protect users against illegal information requests and prevent them from obtaining meaningful and timely redress in cases of fraud or identity theft.
The proposed cryptographic mechanisms are not state-of-the-art, but instead have been chosen solely to be compatible with existing national digital identity systems. Such old systems were never designed to handle massive amounts of personal information from all areas of society in a modern, data-driven economy (Big Tech). Key privacy requirements the law obliges for unlinkability, unobservability or zero knowledge proofs are ignored completely.
In essence, the proposed EU Digital Identity Wallet would not be safe to use.

We understand the urgency of the European Commission under the strict timeline that is foreseen for the technical implementation and we support the European Commission's commitment to respect deadlines – an important part of building public trust. For the protection of citizens and careful implementation of necessary safeguards, however, timelines have to be set realistically – especially when it comes to the technical implementation of EU law. This is evident even from recent examples of very technical implementing acts where the risk for citizens was low and still technical complications led to the delayed adoption of implementing acts more than a year after their legally mandated deadline. The eIDAS regulation, too, includes a timeline that does not do full justice to the complexity of the issue. Thus we urge the Commission not to proceed hastily with this implementing act, chasing an unrealistic deadline. Otherwise it will not only violate the legally mandated privacy safeguards established in the eIDAS Regulation, but will furthermore put people at risk due to its reliance on outdated or inadequate technology.
If the EU decides to go through with this proposal, we would be in a situation where we have to warn the public to refrain from using the EU Digital Identity Wallet because it cannot protect them from tracking, state surveillance, over-identification or offer meaningful redress in cases of fraud or identity theft. We would also consider challenging any implementing act that violates the underlying eIDAS Regulation in front of the European Court of Justice.

We urge you to take a step back and rethink the technical requirements in order to ensure the EU Digital Identity Wallet is only offered to users once it can be ensured that the technical implementation is ready to meet the requirements of the eIDAS regulation to establish a trusted, safe and privacy-respecting ecosystem for the exchange of personal data.
