Digital identity wallets: exploring benefits and luxury traps
This article explores the benefits and possible obligations we take onboard when rolling out digital identity wallets.
What are luxury traps?
In his book Sapiens [1] Yuval Noah Harari concludes that humans struggle to predict the side effects of new technology. In a chapter called “The Luxury Trap” he uses the invention of agriculture as the earliest example. It provides the obvious benefit of a predictable food supply, but later turns out to have downsides as well: to take care of their crops, nomadic people start to live in settlements, where they are exposed to more diseases, while increased birth rates wipe out food surpluses.
A modern example is the smartphone. It brought us great benefits, but also transformed our behavior in unforeseen ways: it scatters our focus and can addict us to information consumption.
Sapiens inspired me to explore the benefits and "luxury traps" of a new upcoming invention: the digital identity wallet.
Digital identity wallets
Digital identity wallets are apps to manage your identity on your phone. They allow you to:
- Store and share person identification data (e.g. name, date of birth)
- Prove your (remote) presence (by confirming this via the app)
- Store and share other types of credentials, so-called “attestations” (like a driving license, access to bank account, or school diploma)
- Approve transactions or sign documents.
The European Commission has recently taken the initiative to stimulate (and regulate) the development of these apps.
Are identity wallets really new?
One might argue that identity wallets already exist: many European countries have apps which allow you to identify & authenticate online, often called electronic identities (eIDs).
However, the challenge with current eIDs is that their use is often restricted to:
- A specific sector (e.g. Dutch DigiD can only be used in the Dutch public sector)
- A limited dataset (e.g. Swedish BankID does not provide a residential address)
- A domestic market (e.g. FranceConnect can only be used by organizations registered in France).
These restrictions result in a scattered set of per-market solutions, with clear needs for simplification. At Signicat we solve this problem by providing access to a wide range of identity sources via one technical platform, which is the most comprehensive on a Pan-European basis.
Our success, however, underlines the need for further simplification.
What is the EU plan about?
The EU incentivizes national governments to step up their game and take responsibility for doing online what they have been doing offline: issuing and protecting their citizens' identities and allowing them to share their credentials when needed to progress in life.
It's more than just a plan. The specifications of the wallet apps are currently being tested in 4 pilot projects, of which Signicat is involved in 2: EWC and NOBID, playing a leading role in the former. Note that the ecosystem allows multiple apps to co-exist.
Competition can be expected: Apple and Google are working hard to establish themselves as wallet providers as well, and the recent success of Apple & Google Pay shows that consumers are willing to trust big-tech with their credentials.
The benefits: convenience and safety
The goal of the EU identity wallet initiative is to contribute to a convenient and safe society, both online and offline. Let me illustrate the benefits with a few examples:
- Convenience: you’ll get 1 app to identify yourself, no matter if it's for a public service (filing your tax return), work (signing a contract on behalf of an organization), financial service (confirming a payment) or leisure (checking in at a hotel). The app allows you to store and use credentials across many process steps. For example, you can use the app at an airline to (1) confirm the payment (2) store the ticket (3) and identify yourself when boarding the plane.
- Safety: bots, fake accounts or impersonation attacks are getting more advanced due to the rise of AI. Take for example “CEO fraud”, where criminals ask you to transfer money using the voice of your boss. An identity app could help you to verify a sender's identity by adding a “digital signature” to any message, call, or video, ensuring the sender is who they claim to be. The app can also verify the receiver of information: it can for example protect children against harmful content by being able to provide a proof of “being an adult”. In France, such verification will be required in due time.
Another possible benefit of the EU wallet could be privacy. The draft EU regulation requires that the wallet gives the user control over the data they share. This is done by requiring user approval before sharing data, and by supporting so-called “selective disclosure”, which allows users to only share what is needed (sharing “I'm an adult” instead of my date of birth). The EU regulation also restricts the wallet issuer’s control, which could make it stand out against big-tech alternatives where the issuer decides the rules.
New obligations
With such clear advantages, it can be tempting to ignore a wallet’s (unintended) side effects. “One of history’s few iron laws is that luxuries tend to become necessities and to spawn new obligations”, Harari writes. So what could be the new obligations of identity wallets?
I don’t pretend to have a full overview, but tried to identify trends by looking at initiatives which have similar characteristics (access to centralized personal data, digitization of transactions):
(1) The need for further regulation to avoid undesired data disclosure for commercial purposes
The wallet app makes personal data more easily available than ever before. This can trigger businesses to require such data in situations where they previously were unlikely to do so.
One of the EU wallet’s key principles is that it should give “full control to users to choose which aspects of their identity, data and certificates they share”. Situations are conceivable, however, where users practically have no choice but to agree (or pay a high price for not agreeing).
It makes me think of a situation in Norway. Here, the 3 largest supermarkets give you a 10% to 15% discount on fruit & vegetables when you share personal data during your purchase. It's easy to use: your payment card can be used as identification token. At least half of all Norwegian adults signed up for the discounts [3].
However, the challenge with these discounts becomes evident when (too) many people join: supermarkets will need to increase their base prices to maintain their margins. The model then becomes “inverted”: to buy fruit & vegetables for a “normal” price, you must share personal data. Anecdotal evidence, the supermarkets' total market share of 75% [2] and the popularity of the discounts [3] are reasons to believe that this “inverted” model might already be reality for many healthy Norwegians.
The 3 largest supermarkets give a permanent discount on fruit & vegetables when you disclose personal data during your payment.
In short, opt-in doesn’t guarantee real voluntary consent. This leads me to think that we will need (even more) regulation to ensure fair and privacy-friendly commerce. We see a first glimpse of such regulations being introduced for big techs with the new EU DSA and DMA acts. The example of the Norwegian supermarkets shows that such legislation might be needed for domestic monopolists or oligopolists as well.
(2) Balanced choices between risks and respect for human rights
We want a safe society, and need to protect ourselves against risks. The identity wallet could allow us (and governments) to manage risks automatically, and at a much higher level of detail than before.
An example of such detailed risk management might be anti-money laundering regulation (AML). This regulation requires financial service providers (like banks) to check a customer's identity and behavior, and report suspicious activities to the authorities. While the regulation's intentions are good, it has undesired side effects as well. Some people are denied as a banking customer because of their "challenging" characteristics (so-called de-risking), while others struggle to transfer their funds due to their background.
The challenge with the above example is that people’s identities are reduced to a set of data points which need to fit the decision logic of a system to be “approved”. With more data points becoming available via the identity wallet, will it be more likely that we mitigate risks in more areas than we do today, like in health, travel or education?
Clear policies aligned with human rights, scrutiny by supervisors (as starting to happen with anti-money laundering) and a good technical design of the wallet app (for example of the unique identifier in the wallet’s personal identification data) can contribute to balanced trade-offs and avoid potential profiling.
(3) Alternative solutions as safeguards
Not everybody is comfortable with using apps, or digital services at all. Without alternatives, these people are not able to participate in society. Alternative solutions also ensure we have something to fall back to in case unforeseen situations arise.
The payment domain provides an example: while digital payments are on the rise, regulation is made to ensure cash remains a viable alternative for those who prefer to pay with cash. “Viable” means that you are not being hindered if you don’t adopt. It contributes to trust in the wider financial system and avoids a lock-in situation.
For identity wallets, alternatives could remain in the form of alternative identification methods and certificates.
Open discussion
Open discussions about these (and other) future obligations will help us to avoid “luxury traps” and will contribute to a solution which provides convenience and safety while respecting human rights.
When we do it right, we will be rewarded with the user’s trust, which will be essential for the wallet’s success.
Sources
[1] Harari, Yuval Noah. Sapiens. Harper, 2015.
[2] The 3 supermarkets Kiwi, Rema 1000 and Coop together have 75% market share in Norway according to NielsenIQ.
[3] The adult citizen population in Norway in 2022 was 4.3 million. The Rema 1000 "Æ" scheme had over 2 million members in 2022, the Kiwi "Trumf" scheme had 2.3 million active members in 2022, the Coop scheme had over 2 million members in 2023.