The eIDAS 2 European regulation that specifies trust services provisions is currently at the final stage, the trilogue. The European Commission, the council (representatives of the member states’ governments) and the European Parliament have all approved a version and now there’s a discussion to reach to a commonly agreed text.
One of the issues that are being debated is whether the digital wallet that will hold the Digital Identity certificate and the Digital Signature certificate should or should not be Open Source.
Some member states are pushing security by obscurity. (keep the source code secret), This approach is not only arguably less secure as it would be preferable to rely on the open security approach, but is also deeply concerning for democratic oversight. If the source code is secret, how can a citizen trust the state’s digital wallet application? Who can control the controller? How can a citizen be sure that, let’s say, in X years time, under some authoritarian leaning minister’s control, the wallet will not be used as a Trojan horse to invisibly snoop on some citizen’s life?
This is even more worrying if we consider that it will likely end up to be provided by non EU companies: Apple and Google.
A provision that has been introduced by the Parliament is that the wallet, identity and signature certificates shall be free of charge for citizens. This removes incentives to third parties to provide them (and to provide customer care, support, troubleshooting, etc), something that favors the monopolists.
The regulation allows for
- a digital wallet from a member state to be used by citizens of another member state (this is reasonable; how could a tiny state be autonomous?) and
- a member state digital wallet to be provided by an entity authorized by a member state.
It seems obvious to me that some member state will be lured into authorizing Google and Apple’s wallets, which will then be legally valid and usable by citizens of all other member states.
The following obvious step is that the wallets will be preinstalled on all devices by Apple and Google thus quickly becoming the default wallets for EU citizens (their functions are standardized, all of them will do the same things).
IMHO we should at least require them to publish the source code, as a minimum safeguard for EU citizens.