Last month, the Czech presidency of the EU Council presented a new draft of the European Digital Identity proposal, which is intended to allow all EU citizens, residents, and businesses to securely access public and private services online with electronic identification (eID). This draft, Euractiv reported, is intended to break a deadlock in the Council that has persisted for months because of security and privacy concerns. The amendments suggested by the Czech presidency allow the use of record matching instead of unique identifiers to authenticate eID users. Record matching has major disadvantages when compared to unique identifiers, so even if this compromise breaks the deadlock, it is likely to cause problems in the long term.
Even though the eIDs will be subject to the EU’s data protection regulations, some policymakers seem to be concerned that eIDs will make citizens’ data vulnerable to data breaches and hacks. In some European countries like France and Germany, citizens are also unwilling to share their private data with both companies and public organizations because of long-standing cultural attitudes. But most EU countries already have mandatory unique identifiers, such as national identification numbers or ID cards—eIDs based on a unique identifier would simply standardize this system across the trade union. And using record matching in eIDs instead of unique identifiers is unlikely to address Europeans’ privacy concerns.
Record matching is a method that compares data points in two or more data sets to find data that belong to the same person. For record matching to be successful, both data sets need to contain enough identical data points about a person to find a likely match. Record matching avoids linking records across datasets with persistent, unique identifiers, such as a national tax identification number, and instead finds matches using multiple data points, such as name, date of birth, and address. At first glance, this method may sound better to those who fear unique identifiers will allow the public and private sectors to track individuals closely. Still, in practice, record matching is more inconvenient, more error-prone, and more likely to attract cyberattacks than unique identifiers.
Record matching becomes less reliable whenever it involves multiple data sets held by different entities, falls under different regulations, or is encoded following different practices. In addition, the risk of mismatching data is high, for example, with women who change their names after marriage and people who have common names and share a birthday. Researchers also find that record matching systems attract hackers because they rely on using sensitive information like addresses. If each citizen has a unique identifier, they do not need to disclose additional sensitive information to public agencies across the EU every time they identify themselves electronically.
Lastly, record matching requires citizens to submit the same information about themselves over and over to create enough identical data points in different data sets to make record matching possible. This repetition is inefficient and a waste of taxpayers’ time and money. People are unlikely to use an inconvenient tool, so relying on record matching will make this new European eID unpopular and inefficient from the start. And a faulty and complicated eID system will likely create the impression with EU citizens that eIDs are risky and impractical, making it more challenging to implement improved eID systems in the future.
Real-world examples prove that an eID system that uses unique identifiers can be protected against cyberattacks, addressing data privacy and security concerns. EU member state Estonia is a good example. Estonian culture is open to technological innovation and values the convenience and efficiency novel solutions provide. As a result, the Estonian government implemented eIDs and electronic government services for citizens as early as 2002. In cooperation with private companies, the Estonian government built a nationwide e-governance system that all citizens and residents can access via their physical ID cards and an individual National Identification Code. The Estonian government relies on blockchain technology and on X-Road, an open source, decentralized system for saving and exchanging encrypted data. The government of Estonia also lets citizens track who accesses their data, when, and why, ensuring transparency and public accountability.
The Estonian authorities estimate that they save over 1,400 years of working time every year by allowing their citizens to identify themselves and take care of most administrative issues online. Other countries in the EU could benefit from similar effects by offering a system for electronic identification based on unique identifiers that is safe, convenient to use, and compatible across the EU.
The Czech proposal of relying on record matching for the EU’s eID instead of assigning a unique identifier to every citizen is motivated by political reasons. The Czech representatives at the Council are prioritizing accommodating cultural attitudes on data privacy over championing a technical solution that is practical, secure, in the citizens’ interests, and supported by all other member states. It is understandable and commendable that the Czech presidency is seeking a way out of the deadlock in the Council. But it would be much better in the long term if the EU member states agreed on using unique identifiers for EU eIDs, which is convenient, saves taxpayers’ money, decreases administrative burden across the EU, and addresses security concerns.
Image source: Unsplash