Wednesday, October 26th, 2022

Buggy Law 5: eIDAS and Personal Identity

Can legislation have bugs? That is, can it contain “errors or imperfections that reduce reliability, performance, or user experience” – just like bugs do in computer software? This is a series of posts where we take a bottom-up view of eIDAS, the EU law that controls online identification and online signatures for the public sector in all EU states.

Previous posts in this series have pointed out apparent glitches in eIDAS – flaws by commission and omission playing out as you read this. This post is concerned with a misconceived idea in eIDAS that may become more apparent in the future, an idea about personal identity.

What is a personal identity? For the purposes of this post, a personal identity is a symbol used to refer to a person. Instead of physically getting hold of the person you use a symbol, it is obviously much easier. In a family someone may say to one of the children, “Give this to Dad”. “Dad” is a symbol which uniquely refers to a person. It doesn’t have to be qualified.

The same child may be asked at school by a teacher, “Who is your dad?” The child responds, “Edward Nordstrom”. This is interesting, because it shows that every identity has a scope. “Dad” works well within the scope of a family. Outside its scope it is an unresolved reference, next to meaningless. The child understands this intuitively and translates Dad’s identity to a different, wider scope.

The same Edward Nordstrom may be referred to as “Ed” by colleagues in his own department, “Nordstrom” by colleagues in other departments. For official business even “Edward Nordstrom” does not suffice. Every country has its own way of uniquely identifying its citizens. As for scope in the current age of mobile phones, a mobile phone number is one of the few identities that has global scope. Several international online services use this fact to identify their users.

It is obvious that a person has many identities and that every identity has a scope where it is relevant. Unfortunately, this obvious fact did not make it into eIDAS. It assumes that a person has a single identity. It does not consider or mention scope.

Is this something to get upset about? Yes. If the flawed theory that a person has a single identity gains ground then politicians will be swept away by the gravitational pull of a pan-European personal identity. Politicians, in contrast to technicians, are magnetised by lofty ideas: the grander the more enticing. Proposals are currently underway.

As a technician I see that this idea necessarily leads up to centralised databases tracking European personal identities. They will be hacked, and when they are, it will be impossible to find anyone to blame. Such is life in the public sector.

The idea of a European personal identity is hubris, a modern Icarus, or a modern tower of Babel. It is important to avoid this mistake. Every technician knows this: the foundation of security is to compartmentalise, to federate. Less is more.

Next time we will take a look at terminology in eIDAS. Does it reflect a thorough understanding of its subject matter?

Link to all posts in this series

Comments are closed due to the spam factor. You may respond by email to blog AT soderstrom DOT se

Comments are closed.