Self-sovereign identity is not enough

New EU regulation over online identification is a Trojan horse that threatens the privacy of everyday citizens. Web3 can fix that


Midjourney modified by Blockworks


A Trojan horse lurks outside the gates of European cyberspace. The recently signed updates to eIDAS — the EU regulation that governs online identification in the EU — threaten the online privacy of everyday citizens and make it possible to conduct state surveillance. 

Web3 identity infrastructures, blockchain and zero-knowledge technology are necessary to fight off this Trojan horse and safeguard peoples’ privacy.

The horse: Self-sovereign identities 

For privacy advocates wary of the expanding dominance of technology megaliths, eIDAS initially seemed an attractive solution. The legislation promotes Self-Sovereign Identities (SSI), a decentralized technology that gives individuals greater control over their digital identities. Under the SSI model, entities like banks, governments or social media platforms issue digital credentials, such as academic degrees, driving licenses or account log-ins.

Users maintain full control and ownership over these credentials by storing them in private, off-chain wallets. This grants them the agency to elect if and when they share these credentials with various apps and services. Not only is privacy and user control enhanced, but so too is the security and ease of online verification.

SSI represents a striking alternative to the current online identity paradigm, where users do not own their online credentials, log-ins and digital identities. Instead, users must rely on a small pool of centralized providers, such as Meta or Google, to act as intermediaries and enable access to internet services in exchange for their private activity data. 

The absence of user-owned data structures has led to information abuse scandals like that of Cambridge Analytica, and facilitated a culture of corporate surveillance. Targeted ads, which monitor and record our desires and interests, have, for instance, become a defining aspect of the online experience.

EIDAS and the roll-out of SSI will redirect the ownership of certain data-sets away from corporations. However, that doesn’t instantly place data back in the hands of users. To the contrary, Article 45 in the eIDAS legislation makes it possible for the EU to monitor the online activities of SSI wallet owners within its jurisdiction. 

If enacted, this provision would mean that both the state and Silicon Valley could monitor and analyze the online activities of users.

The hidden Greek army: Article 45

Article 45 and its consequences are difficult to intuit without cyber security expertise.

It mandates that all web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments. This is dangerous because whoever controls these certificates is able to monitor internet traffic, making it possible for the EU to track the activity of every SSI wallet on every EU-authorized site. 

It is highly unlikely that the ownership of these wallets will remain anonymous, because the EU itself will be distributing credentials such as digital national ID cards. These will likely have traceable numerical codes (DiDs) that can be mapped to wallets and their owners. 

As Mozilla, the maker of the Firefox web browser, elegantly puts it:

“[eIDAS] enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to.”

Over 500 leading cyber security experts, researchers and NGOs have signed an open letter calling on the EU to amend the article. However, time has run perilously short. As it stands, there is now only one vote standing in the way of eIDAS. Widely considered a formality, this vote will take place in early 2024 during the bill’s formal ratification at the European Parliament.

How to protect Troy: Web3 identity infrastructure  

So with the horse, and its attendant army waiting at the gates, what can we do to protect users from digital state surveillance? 

First, we need to scale Web3 identity infrastructures. This encompasses a range of decentralized technologies. Blockchain is needed to bring transparency and security to public-facing identity credentials. Off-chain SSI is needed for the storage of confidential credentials that users may not want to publicly publish on the blockchain. 

Read more from our opinion section: Phones and the internet aren’t blamed for terror finance. Crypto shouldn’t either.

And, in both on-chain and off-chain environments, zero-knowledge cryptography is critical for privacy. It allows users to prove certain statements are true without revealing any additional information. For instance, you could confirm that you are older than 18 without disclosing your exact date of birth. 

Together, these technologies usher in a new era of privacy and user ownership. They grant users the right to access, manage and delete information about their online activities and preferences as needed. This user-based ownership also marks a fundamental shift in the power dynamic between users and online platforms. If users no longer need to depend on platforms to use or access their identities, it is much harder for those platforms to censor users, or misuse their data. 

The impending rollout of eIDAS and Article 45 proves that decentralization cannot be delivered in a piecemeal fashion. Doing so would leave critical gaps in privacy and security, exposing users to potential surveillance and data misuse. Instead, we need a holistic implementation that encompasses not only the technological framework, but transparent regulation and an unerring emphasis on user empowerment.

SSI alone is not enough to safeguard users. It is effective only when it exists within a robust and fully decentralized ecosystem. Thankfully, advances in decentralized and Web3 identity services are developing in leaps and bounds. While there’s much to be hopeful for, legislative actions such as eIDAS remind us that vigilance and proactive measures remain essential. 

There is no room for complacency in our efforts to safeguard privacy and freedom in the digital world.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the On the Margin newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.


Upcoming Events

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2024

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research



Aerodrome is a "MetaDEX" that combines elements of various DEX primitives such as Uniswap V2 and V3, Curve, Convex, and Votium. Since its launch on Base, it has become the largest protocol by TVL with more than $495M in value locked, doubling Uniswap's Base deployment.


Plus, a layer-1 for intellectual property is launching and Farcaster users peaked


Crypto still hasn’t shaken one of its most garish primordial tails — funny stories about fraud


Plus, publicly traded crypto companies had a pretty eventful news week


Committee members directed more questions to Christy Goldsmith Romero, who could soon be leading one of the more troubled federal agencies


Flame’s new track — which he called “war music” for Web3 — debuted on the NFT collectible platform Drip this week


Buried inside Binance’s proof of reserves is proof of diamond hands among its users