Wednesday, October 12th, 2022

Buggy Law 1: eIDAS, An Experience

Can legislation have bugs? That is, can it contain “errors or imperfections that reduce reliability, performance, or user experience” – just like bugs do in computer software? If so, surely only obscure law in obscure corners of the world? Not eIDAS, a major piece of legislation controlling public sector online services in all of the EU? Please no, tell me no.

If a law contains bugs, or mistakes, it will subject people to these mistakes over and over. It may even breed infrastructure where these mistakes are cemented and projected onto a population on a massive scale.

An Online Bank Transaction

Let’s begin with a practical exercise using online signatures in Sweden, an EU state. Carry out an ordinary online bank transaction. Enter the numbers, click to commit the transaction. A short summary of the transaction appears on your screen, and you are asked to sign. When you sign, your digital DNA is attached to the transaction summary you saw. We say “digital DNA” because, like ordinary DNA, it binds you very strongly to the signature. It is practically undeniable. It holds in court.

No problem so far. This is how online signatures are supposed to work. However, banks are not public sector, and eIDAS does not necessarily apply.

An Online Income Statement

Now, let’s fill out an online income statement for the Swedish Tax Agency. This is clearly the public sector, where eIDAS has applied since 2016. Again, enter the numbers and click to proceed. This time you don’t get anything resembling a document to sign. A message appears, saying literally, “You sign the information you entered in the previous dialogue”. Nothing else. Note especially that there is no reference number or anything else that might identify this transaction.

Then you are asked to identify again. (The first time was when you logged in to the service.) So you go through another online identification. Then – surprise! – you are all set. Your income statement is accepted. It seems to have been signed somehow even though you didn’t sign. But how? No clues are offered at this point.

Two observations about the income statement,

  • What you were about to sign was vague. “The previous dialogue” is just a shrug equivalent to “you know what we were talking about”, and you were expected to sign without being given a definite visual impression.
  • Apparently your statement was mysteriously signed even though you didn’t sign anything. There was just an extra identification. Whatever happened goes unexplained.

We have just found two omissions in eIDAS,

  • There is no law against having people sign something they don’t see.
  • There is no law against hiding what an online signature procedure is doing. Transparency is not required.

Non-Transparency

The non-transparency in this case is accentuated by the fact that there actually is a document that was signed: an XML file which is accessible only to special staff at the Tax Agency. (XML is a language suited to computers, not people.) The document is completely hidden from the person who signs. Besides, even if you try, you won’t get access to what you allegedly signed. You may get derived data, but not the original containing the signature. This is a third omission:

  • There is no law against withholding a signed document from a person who signed it.

One may argue that these quirks belong to the realm of common decency. They should not require legislation. As we have just seen, reality tells us otherwise.

No Digital DNA

The most important point remains, however.

  • You never signed. This means that if a signature was created somehow, we can be sure it doesn’t contain your digital DNA.

Digital DNA is not transmitted by identification, only by signing. Thus your digital DNA cannot be found on the signed document, wherever and whatever it is. If it does not contain your digital DNA, in what way does it point back to you?
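To make the difference between the bank flow and the tax-agency flow concrete, here is an added illustration that is not part of the original post: a toy textbook-RSA scheme with constructed keys, a constructed transaction summary, a constructed hidden XML file and a constructed login challenge stand in for the real eID schemes. It shows that a signature over what the user saw verifies only against the user’s key and only over that text, while an identification step plus a server-side signature leaves nothing on the XML that verifies against the user’s key.

```python
import hashlib

E = 65537  # public exponent of a toy textbook-RSA scheme, constructed for illustration only

def make_key(p: int, q: int) -> tuple:
    """Return ((n, e), d) from two primes; the keys below are constructed, not real eID keys."""
    n = p * q
    return (n, E), pow(E, -1, (p - 1) * (q - 1))

def digest(document: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(document: bytes, n: int, d: int) -> int:
    """Signing binds the signer's private key (the post's 'digital DNA') to exactly this document."""
    return pow(digest(document, n), d, n)

def verify(document: bytes, signature: int, pub: tuple) -> bool:
    n, e = pub
    return pow(signature, e, n) == digest(document, n)

# Constructed key pairs for the citizen and for the agency's own server.
USER_PUB, USER_PRIV = make_key(1000003, 1000033)
AGENCY_PUB, AGENCY_PRIV = make_key(1000037, 1000039)
SUMMARY = b"Transfer 1200 SEK to 1234-5678 on 2022-10-12"                 # what the user saw
HIDDEN_XML = b"<income year='2022'><amount>512000</amount></income>"       # never shown

def bank_case() -> bool:
    """Bank flow: the user signs the summary shown on screen. The signature verifies
    with the user's key over that exact text and fails over anything else."""
    sig = sign(SUMMARY, USER_PUB[0], USER_PRIV)
    return verify(SUMMARY, sig, USER_PUB) and not verify(SUMMARY + b" ", sig, USER_PUB)

def tax_agency_case() -> dict:
    """Agency flow as the post describes it: the user only identifies (signs a login
    challenge), and the agency's own key then signs the hidden XML."""
    challenge = b"login-challenge-4711"                    # constructed nonce
    auth_proof = sign(challenge, USER_PUB[0], USER_PRIV)   # identification, not a document signature
    agency_sig = sign(HIDDEN_XML, AGENCY_PUB[0], AGENCY_PRIV)
    return {
        "user_identified": verify(challenge, auth_proof, USER_PUB),          # True
        "proof_binds_user_to_xml": verify(HIDDEN_XML, auth_proof, USER_PUB),  # False
        "xml_carries_user_dna": verify(HIDDEN_XML, agency_sig, USER_PUB),     # False
        "xml_signed_by_agency": verify(HIDDEN_XML, agency_sig, AGENCY_PUB),   # True
    }
```

Whoever holds the XML can show it was signed by the agency’s key, but nothing in it verifies against the user’s key, which is the post’s point about missing digital DNA.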

This practical exercise uncovered significant weaknesses in eIDAS. It takes another post to explain how a signature according to eIDAS can be created without using the digital DNA of the person who signs.

Link to all posts in this series

Comments are closed due to the spam factor. You may respond by email to blog AT soderstrom DOT se
