Self-sovereign identity is not enough

New EU regulation over online identification is a Trojan horse that threatens the privacy of everyday citizens. Web3 can fix that

OPINION

A Trojan horse lurks outside the gates of European cyberspace. The recently signed updates to eIDAS — the EU regulation that governs online identification in the EU — threaten the online privacy of everyday citizens and make it possible to conduct state surveillance. 

Web3 identity infrastructures, blockchain and zero-knowledge technology are necessary to fight off this Trojan horse and safeguard people’s privacy.

The horse: Self-sovereign identities 

For privacy advocates wary of the expanding dominance of technology megaliths, eIDAS initially seemed an attractive solution. The legislation promotes Self-Sovereign Identities (SSI), a decentralized technology that gives individuals greater control over their digital identities. Under the SSI model, entities like banks, governments or social media platforms issue digital credentials, such as academic degrees, driving licenses or account log-ins.

Users maintain full control and ownership over these credentials by storing them in private, off-chain wallets. This grants them the agency to elect if and when they share these credentials with various apps and services. Not only are privacy and user control enhanced, but so too are the security and ease of online verification.

SSI represents a striking alternative to the current online identity paradigm, where users do not own their online credentials, log-ins and digital identities. Instead, users must rely on a small pool of centralized providers, such as Meta or Google, to act as intermediaries and enable access to internet services in exchange for their private activity data. 

The absence of user-owned data structures has led to information abuse scandals like that of Cambridge Analytica, and facilitated a culture of corporate surveillance. Targeted ads, which monitor and record our desires and interests, have, for instance, become a defining aspect of the online experience.

eIDAS and the roll-out of SSI will redirect the ownership of certain datasets away from corporations. However, that doesn’t instantly place data back in the hands of users. On the contrary, Article 45 in the eIDAS legislation makes it possible for the EU to monitor the online activities of SSI wallet owners within its jurisdiction.

If enacted, this provision would mean that both the state and Silicon Valley could monitor and analyze the online activities of users.

The hidden Greek army: Article 45

Article 45 and its consequences are difficult to intuit without cyber security expertise.

It mandates that all web browsers distributed in Europe trust the certificate authorities and cryptographic keys selected by EU governments. This is dangerous because whoever controls these certificates is able to monitor internet traffic, making it possible for the EU to track the activity of every SSI wallet on every EU-authorized site.

It is highly unlikely that the ownership of these wallets will remain anonymous, because the EU itself will be distributing credentials such as digital national ID cards. These will likely have traceable numerical codes (DIDs) that can be mapped to wallets and their owners.

As Mozilla, the maker of the Firefox web browser, elegantly puts it:

“[eIDAS] enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to.”

Over 500 leading cyber security experts, researchers and NGOs have signed an open letter calling on the EU to amend the article. However, time has run perilously short. As it stands, there is now only one vote standing in the way of eIDAS. Widely considered a formality, this vote will take place in early 2024 during the bill’s formal ratification at the European Parliament.

How to protect Troy: Web3 identity infrastructure  

So with the horse and its attendant army waiting at the gates, what can we do to protect users from digital state surveillance?

First, we need to scale Web3 identity infrastructures. This encompasses a range of decentralized technologies. Blockchain is needed to bring transparency and security to public-facing identity credentials. Off-chain SSI is needed for the storage of confidential credentials that users may not want to publish on the blockchain.

And, in both on-chain and off-chain environments, zero-knowledge cryptography is critical for privacy. It allows users to prove certain statements are true without revealing any additional information. For instance, you could confirm that you are older than 18 without disclosing your exact date of birth. 
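
The over-18 check can be illustrated with a hash-chain commitment, a much simpler construction than the general-purpose zero-knowledge proofs the article has in mind. This is an added example, not code from the article or from any eIDAS or wallet implementation. The function names are hypothetical, and an HMAC stands in for the issuer's public-key signature.

```python
import hashlib
import hmac
import os

def _hash_n(value: bytes, times: int) -> bytes:
    """Apply SHA-256 `times` times."""
    for _ in range(times):
        value = hashlib.sha256(value).digest()
    return value

def _tag(issuer_key: bytes, commitment: bytes) -> bytes:
    # Assumption: HMAC stands in for the issuer's public-key signature.
    return hmac.new(issuer_key, commitment, hashlib.sha256).digest()

def issue(age: int, issuer_key: bytes):
    """Issuer: commit to the holder's age as the tip of a hash chain."""
    seed = os.urandom(32)                  # kept secret by the holder
    commitment = _hash_n(seed, age)        # H^age(seed)
    return seed, commitment, _tag(issuer_key, commitment)

def prove_at_least(seed: bytes, age: int, threshold: int) -> bytes:
    """Holder: reveal the chain link `threshold` steps below the tip."""
    if not 0 <= threshold <= age:
        raise ValueError("cannot prove a threshold above the committed age")
    return _hash_n(seed, age - threshold)

def verify_at_least(proof, threshold, commitment, tag, issuer_key) -> bool:
    """Verifier: check the issuer's tag, then walk `threshold` steps to the tip."""
    if not hmac.compare_digest(tag, _tag(issuer_key, commitment)):
        return False
    return hmac.compare_digest(_hash_n(proof, threshold), commitment)

if __name__ == "__main__":
    key = os.urandom(32)                    # constructed issuer key
    seed, commitment, tag = issue(34, key)  # constructed holder, aged 34
    proof = prove_at_least(seed, 34, 18)
    print(verify_at_least(proof, 18, commitment, tag, key))
```

The verifier learns only that the committed age is at least 18, because recovering the exact age would require inverting the hash. The commitment is the same in every presentation, so colluding verifiers can link them, which full zero-knowledge schemes avoid.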

Together, these technologies usher in a new era of privacy and user ownership. They grant users the right to access, manage and delete information about their online activities and preferences as needed. This user-based ownership also marks a fundamental shift in the power dynamic between users and online platforms. If users no longer need to depend on platforms to use or access their identities, it is much harder for those platforms to censor users, or misuse their data. 

The impending rollout of eIDAS and Article 45 proves that decentralization cannot be delivered in a piecemeal fashion. Doing so would leave critical gaps in privacy and security, exposing users to potential surveillance and data misuse. Instead, we need a holistic implementation that encompasses not only the technological framework, but also transparent regulation and an unerring emphasis on user empowerment.

SSI alone is not enough to safeguard users. It is effective only when it exists within a robust and fully decentralized ecosystem. Thankfully, decentralized and Web3 identity services are advancing in leaps and bounds. While there’s much to be hopeful for, legislative actions such as eIDAS remind us that vigilance and proactive measures remain essential.

There is no room for complacency in our efforts to safeguard privacy and freedom in the digital world.


