Thales Blog

eIDAS – Breaking The Grip From Ink And Paper

January 18, 2017

Anders Henrikson

Much has already been written on eIDAS, the new EU regulation on electronic identification and trust services; that it holds the promise of a safer and more integrated digital Europe, for example, or that it will make our everyday lives easier – whether opening a bank account or enrolling in a foreign university.

However, a task such as opening a bank account in the EU country of which you are a national – let alone one in a neighbouring country – can be surrounded by so much complexity and time, and so many processes (both paper-based and analog), that it becomes more of an esoteric ritual.

There really is nothing digital about it.

Spain recently passed a law which many consider to be trailblazing. It enables banks to digitally onboard new customers wanting to open a bank account with video conferencing – allowing new customers to be interviewed remotely by a real, physical clerk while holding their ID cards in front of their phone’s camera for the clerk to verify.

But, wait a minute... did I just say digital? Surely, this is really only moving the old process on to a mobile device, and doesn’t remove any of the human bottlenecks.

I recently read a handbook for drug administration in a Swedish county council. It documents the process of manually checking drugs into storage, and mandates (among other things) the use of archival inks in order to protect documents against fading and moisture, and for the document to be verifiable.

Processes like this exist all around us, and digitalizing them can be not only a problem with technology but also a problem with processes. Typically it’s the people who are able to re-engineer these processes and develop new and smarter services who are the winners in this digital age.

While applying for university in another country may seem like the ultimate use case for eIDAS, I think eIDAS will really be about money (it always is) and personal data. Let me explain.

eIDAS is about trust.

Wikipedia has two definitions of the word trust, one of which is reliance, and the other misplaced loyalty. Even if our world view is not quite that cynical, most people will have limits to the amount of money or personal data they are prepared to transact online.

A few years ago, for example, I bought a used car on eBay from a US car dealer in Texas and my wife thought I’d lost the plot. Even though the US dollar was at a record low against the Euro and cars were generally cheaper there than in Europe, it was still a lot of money. ‘Digital’ enabled me to find a car in Texas, to look inside it, to transact with the dealer, and to pay for it securely, but ultimately I had to place some faith, my trust, in the car dealer.

Any large value transaction is typically surrounded by process and paperwork, all designed to create trust (and hopefully not misplaced loyalty). It’s understandable, therefore, that when we’re about to spend a lot of money on a car, or even a house, we want to be able to rely on the counterparty to that transaction, and this is where I think eIDAS will eventually make the biggest impact.

In Sweden, where I live, the processes that have never made it to the digital space are those that relate to big investments such as buying a house or a car. Credit card limits, money transfer limits, old processes; they all create a barrier to transacting large values digitally. It’s as if you get to a point where digital is not good enough, so it must be better to revert to a physical encounter and some good old-fashioned paperwork.

All this will change in due course, and we’ll know when that time has come. That will be the day I decide to browse for a nice summer home on Capri (let’s forget the part about being able to afford it), transact swiftly and securely from my bank account, and trust the digital process implicitly. And that implicit trust is about knowing the digital paperwork is in order. It’s about knowing the dealer will not be able to turn around and say the house I bought wasn’t actually a house and wasn’t actually on Capri, or that he or she never signed the contract, or that the time and date I signed the contract was different to when I actually signed it.

The technology isn’t the bottleneck here and, as the new regulation has opened the doors, we now have the building blocks for digital trust at our disposal.

One example I’ve been working with is the QSCD, a nerdy acronym for Qualified Signature Creation Device. What it actually means is that the real estate dealer on Capri won’t be able to forge my digital signature, or change the dates or the terms of our contract.

Ultimately it’s all about our digital identity, which is something I’ve been working with for the past twenty years. The old adage ‘on the Internet, nobody knows you are a dog’ (based on a cartoon caption in the New Yorker) will no longer work in the new digital era. We need someone to vouch for the actual identity of the person or machine we are digitally transacting with. We call that the root of trust and, once that’s established, we can build all kinds of trust services on top of it. The inclusion of the QSCD will be invisible to me but it will allow me to buy, with reliance and NOT misplaced trust, my retirement home on Capri.

Guest blog from Anders Henrikson, Verisec (@Verisec)