The proposal for a Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS) is currently under evaluation by the European Parliament. The research project ABC4Trust (Attribute-based Credentials for Trust) is providing its position as input to the legislative process. ABC4Trust considers electronic identification means (eIDs) as an optimal use case for the broad deployment of privacy-enhancing attribute-based credentials (Privacy-ABCs).

The privacy concept of data minimisation is an already legally fixed principle in the Member States and also central to the current draft for a General Data Protection Regulation. A way to enable and enforce data minimisation with technical means is the concept of selective disclosure of attributes. Electronic identity solutions are based on attributes about a person with the respective attribute-value, e.g. name: Johannson, first name: Sven, place of residence: Stockholm, profession: advocate, date of birth: 1975-02-07, etc. Classic identification tokens or certificates do not allow presenting only a selected attribute without invalidating the issuer’s signature. Advanced and privacy-preserving solutions supporting selective disclosure of attributes make it possible to let a service provider only notice those pieces of information that are necessary for the given purpose while the signature verifying the correctness off the information remains intact. Besides the Privacy-ABCs deployed in the ABC4Trust project also the German eID solution supports attribute selection.

ABC4Trust currently evaluates the interoperability and functionality of Privacy-ABCs in two deployment pilots: a school network in Söderhamn, Sweden, and the evaluation of Lectures at the University of Patras, Greece. The first experiences from the pilots show that Privacy-ABCs work with secure smart cards – fulfilling a necessary prerequisite for many Member States to incorporate a technology into their national eID solution.

Consequently the ABC4Trust project considers it necessary that the concept of data minimisation is pointed out more prominent in the eIDAS regulation and welcomes existing proposals from other parties supporting this view. As a minimum Member States must be allowed to notify eID solutions permitting selective disclosure of attributes and other Member States should be hindered to reject a privacy-enhancing solution solely to the fact that not a full set of identifying data is provided but only the necessary information. Member States should be further encouraged to deploy the feature of selective disclosure of attributes in the future.

Finally ABC4Trust suggests making privacy of users and citizen s a central aspect of the regulation. It should be clarified that also the national issuers of eIDs and any services and third parties that may become necessary to make eIDs interoperable also across borders are bound to the European data protection legislation, namely must adhere to the principle of data minimisation and must not, whatsoever, use the data of the citizens or relying parties for tracking or profiling purposes. 

Summarizing the above considerations amendments to the eIDAS are necessary in three major aspects:

I. Emphasize the concept of authentication instead of identification

II. Remove barriers for privacy-preserving eID solutions

III. Clarify applicability of data protection requirements also for eID services

More information on this topic from researchers of the ABC4Trust project promoting the deployment of Privacy-ABCs for eID solutions is provided here:

 

For further questions please do not hesitate and contact the ABC4Trust project team at ULD.