Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm Lead Advisor and Senior Analyst with KuppingerCole Analysts. My guest today is for the second time and in the same topic of discussion, Alejandro Leal. He is a Research Analyst for KuppingerCole Analysts working out of Stuttgart. Hi Alejandro.
Hi, Matthias. Thank you for having me back.
Great to have you back because we want to continue our discussion that we started in an earlier episode a few weeks ago. We started about talking that digital transformation for public services, for the public sector. And you've explained the services and the change of services in this public sector, while the requirement is more and more pressing that the cost there needs to be reduced while improving and increasing the level of services that are provided. You've explained to the Estonian example and how the services work in Estonia and how digital they are already. And we want to start with that part again. And I want to ask a question because in many publications we can see the topic of Self-Sovereign identities coming up, especially in connection with public services, with the public sector, because the states issued identities could be a good source for self-sovereign identities. Can you explain a bit more how that comes into play when we are talking about the digital transformation for public sector?
Of course, this is a very interesting topic and for the listeners out there who would like to know more about topics such as this one, I believe Episode 57 of this podcast focuses on verifiable digital identities. And Episode 98 talks about reusable identities, where my colleague Andy Bailey tackles these issues. For this episode, yes, I'm going to talk about Self-Sovereign identities and also about the European Commission's revision of the eIDAS regulation. But first, what are self-sovereign identities or in short, SSI? SSI is an emerging concept that can be viewed as an identity protocol and identity management system, or a human centric data management paradigm as in comparison to a centralized identity management system. SSI is decentralized identity management system, which allows users, individuals and other entities to manage their own identities and the personal data associated with those identities by storing them locally on their own devices. SSI consists of the following elements: decentralized identifiers, verifiable credentials - which are cryptographically collections of users' attributes - and digital wallets. Which is something I'm going to talk later on. And digital wallets basically consist of a software that allows individuals to store their own private keys, their own verifiable credentials and other documents.
As we talked about in the previous episode, we said that SSI systems can strengthen the privacy of citizens. But at the same time, they can also enable the identification of the weakest members of society. We also discussed how, historically speaking, many people have been excluded and persecuted with the assistance of prior identity architectures. So when it comes to a digital identity, we're really going into an uncharted territory. I think it's important that there needs to be a separation of the technical from the political, it's important. So governments and vendors out there, they need to take this into consideration because the two are related. The SSI market has several challenges and limitations. For example, the lack of regulation and standards. The immaturity of the technology. And also the fragmentation of the SSI market. I also think it's important to say that decentralized technologies such as SSI do not always guarantee decentralized outcomes. And I think that's also something important that vendors and governments need to pay attention to. Essentially, SSI ecosystems also provide a new aspect to the discussion related to data as a capital and as a means for surveillance. We also discussed last time how trust in government in many countries is at an all time low. Therefore, the implementation and acceptance of SSI systems and similar technologies is going to depend on the history and the culture and the context of the countries. So I think that researchers in the academia or analysts must conduct studies to see how different actors perceive technology such as SSI. They can also study the different facets and value that these systems enable, and they can also study the role of SSI systems in fighting social injustice, caused by the asymmetrical accumulation of personal data. I think that in the context of the EU, there needs to be cooperation between governments, private companies and academics, and that's going to be essential when it comes to emerging technologies such as SSI.
If I think of the GDPR and its context and its concept of fairness, I think that is something that comes into play here as well, because fairness in GDPR context as far as I understand it - and I'm not a lawyer - but it really means that the user, the consumer, the citizen should be on the same level of power when it comes to dealing with the data provided. So that there should not be an upper/lower, superior/inferior relationship between the data owner, the consumer, the citizen and the organization that is dealing with the data. And I think what you just mentioned, making sure that these concepts are also taken into account and implemented in such an SSI architecture is really of importance. Just because a user owns his or her own data and can hand it over and specifically for purposes, that does not mean that this data might not be misused afterwards. So there need to be mechanisms in place that that make sure that it's only used for a purpose or it's some kind of a zero knowledge proof. So something like, yes, I can prove that I'm at legal age to buy alcohol without displaying the actual age or name or address or anything else. Can you can you dig a bit deeper into that as well?
Yes, of course. As you mentioned, the GDPR is a very important element. But I think when it comes to the general public, many people are not very familiar with how these technologies work and there needs to be more education and awareness so citizens can understand how these technologies are going to impact their day to day activities. I think, for example, the recent revision of the eIDAS regulation is an important case that can also bring about more awareness into these topics because this is a regulation that involves the EU member states and I believe this has a more direct impact into the citizens lives, especially those who are not very familiar with how these technologies work or people who are not familiar with the GDPR regulations and laws. So the eIDAS, it came into force in the year 2014. It stands for electronic Identification Authentication and Trust Services. And for the past two years, the European Commission has launched a series of studies, expert committees, public surveys and other preparations to make a revision on this regulation and make some improvements. For example, the eIDAS revision proposes digital wallets for citizens in the EU, but it does not specify the use of decentralized wallets, which I think it's very interesting. The European Commission proposal for a European Digital Identity Framework would provide a trusted and secure way to authenticate citizens across borders and share qualified data attributes online through a digital wallet. If this is put into effect, it would aim to achieve the target set by the EU, the so-called path to a digital decade, which is aiming to make 80% of EU citizens to use a digital ID by the end of the decade.
So after the revision, the major findings were some of the following. There were many privacy concerns, as we already talked about previously, and you briefly mentioned. Citizens, they cannot limit what eIDAS attributes they want to present for authentication. Also, for example, the eIDAS schemes are approved on a national domestic level, but there are challenges because the certification requirements differ from country to country. So far, only 19 countries have notified the eIDAS schemes, which is basically around 59 - 60% of the EU population. So after the revision, there have been some major improvements. For example, the most significant improvement, I believe, is that the EU is trying to launch a digital identity wallet which will make it available for all EU citizens. For example, this digital wallet can be used for several use cases. For example, it could replace a driver's license or it will also be used for as an electronic passport, as an electronic ID card to sign documents, for example, or identification to online services. Also, another major development is that it will be mandatory now for EU member states to provide an EU digital identity free of charge as opposed to being voluntarily. That was the case before the revision. However, of course, private citizens have the option to adopt an EU digital identity. It's not mandatory for citizens and they could also select those who accept a digital identity. They will be able to select what attributes they want to show to the evaluator. Another development is that also private actors will now be involved in the issue of EU digital wallets, which is also a major development because before it was only the government of the EU member states who were going to be able to do that. And another development is the aim to create a common toolbox which will be basically standardizing the EU data wallet. This toolbox is expected to be launched or worked by the end of this year. There are also another important development is the inclusion of the European Blockchain Service infrastructure. They are known to be perhaps the main institution to work on this revision. They were founded in 2018 and basically their mission is to facilitate cross-border services across European member states and also not only focusing on the public sector but also for businesses and citizens. And the deadline for EU members to implement the new eIDAS regulation will be in 2024.
Okay, so we are talking about creating an infrastructure that will be aligned with the individual national laws as well. So creating an infrastructure means it needs to be done right, it needs to be done properly. So the citizens but also analysts and as you said, academia need to be vigilant to look at what is really implemented, how it is used, which data is used for which purpose, and to also prevent misuse of data that has been presented in good faith to another actor. And we're talking about just one persona of one identity. So that would be my state issued identity. That does not mean that it's my only identity then. So it would be used for, as you said, public services use cases, for replacing a driver's license, my ID card in public use cases. But that does not mean that it needs to be used for each and every use case replacing my Twitter or Facebook or whatever login in other use cases. So it would be one persona which needs to be clearly stated here as well. But I think it's really needs to be done properly. And having it being provided by the EU and the nation states gives some kind of security. But that does not mean that we don't need to watch it properly. Would you agree?
Absolutely. Yes. And something that we talked about in the previous episode was how the acceptance of such technologies depends a lot on history. And I believe that if European member states cooperate on technology such as this one, it's in a way creating European history. And that can also benefit not only the EU but also citizens. And as we discussed last time with the Estonian case, there are many lessons to be learned there. But the EU can also be an example for other countries in the world to demonstrate how cooperation between academia, governments and private actors can lead to a better use of technologies.
Perfect. You've mentioned the earlier podcast episode already. What else is there at kuppingercole.com for those who are interested in learning more? And what are sources that you could recommend to dig deeper into this topic?
Well, KuppingerCole has lots of content from Leadership Compasses focusing on verifiable digital identities to podcast episodes to Market Compasses and blog posts. So make sure to check the website to get more information and reach out to any of the analysts that can help your organization to get more information about SSI and similar technologies.
Right. And this is a topic that is really in discussion right now, and this is a hot topic. And there's also lots of criticism going on. And I think we will dig deeper into this topic anyway in upcoming episodes and in our research, of course. But if the audience if you have any questions regarding or comments or contradictions, if you're watching this on YouTube, just leave a comment below this episode. And we will we will try to get back to you and answer that questions, or pick them up in upcoming episodes. Really let us know what you are interested in, what your opinions are, how to make this a worthwhile move to a more digital way of doing interactions with your governments. And if you're watching or listening to that with your podcatcher, please have a look at the show notes, there are the mail addresses for Alejandro and me. Please reach out to us, get into discussion with us. We are not sitting in an ivory tower. We really want to get in touch with you and get to your questions, your feedback, your statements, and continue the discussion from there. Maybe with Annie maybe with Alejandro or both of them. And to continue that discussion that I'm really looking forward to, this is a hot topic and that will be something that will be on our plate for the next years, and we will see how that plays out in reality. Thank you, Alejandro, for being my guest today again and I think we will just continue this discussion for the time being. Thank you very much for being my guest today.
Thank you, Matthias.
Thank you and bye bye bye.
