
Identity checks on crypto exchanges at risk as AI deepfakes evolve

Once HeyGen’s AI-generated digital avatar is available to the public, users will be able to create a video with a real life-like digital avatar in just two minutes.

The rise of artificial intelligence (AI) has prompted growing concerns over identity verification tools on cryptocurrency exchanges.

With rapidly evolving AI technology, the process of creating deepfake proofs of identity is becoming easier than ever. The concerns about AI-enabled risks in crypto have prompted some prominent industry executives to speak out on the matter.

Changpeng Zhao, CEO and founder of major global crypto exchange Binance, took to X (formerly Twitter) on Aug. 9 to raise the alarm on the use of AI in crypto by bad actors.

“This is pretty scary from a video verification perspective. Don’t send people coins even if they send you a video,” Zhao wrote.

Like many other crypto exchanges, Binance’s internal Know Your Customer (KYC) processes require crypto investors to submit video evidence for processing certain transactions. 

Binance requires video evidence of the user for certain withdrawal of funds. Source: Binance

The Binance CEO was referring to an AI-generated video featuring HeyGen co-founder and CEO Joshua Xu. The video specifically included Xu’s AI-generated avatar, which looks just like the real HeyGen CEO and reproduces his facial expressions as well as voice and speech patterns.

“Both of these video clips were 100% AI-generated, featuring my own avatar and voice clone,” Xu noted. He added that HeyGen has been progressing with some massive enhancements to its life-style avatar’s video quality and voice technology to mimic his unique accent and speech patterns.

“This will be soon deployed to production and everyone can try it out,” Xu added.

Once available to the public, the AI tool will allow anyone to create a real life-like digital avatar in just “two minutes,” the HeyGen CEO said.

Public availability of AI generation tools like HeyGen could potentially cause serious identity verification issues for cryptocurrency exchanges like Binance. Like many other exchanges, Binance practices KYC measures involving a requirement to send a video featuring the user and certain documents to get access to services or even to withdraw funds from the platform.


Binance’s statement video specifically requires users to submit the video along with the picture of their identity document, such as an ID card, driver’s license or passport. The policy requires users to mention the date and certain requests on the video record.

“Please do not put watermarks on your videos and do not edit your videos,” the policy reads.

Binance chief security officer Jimmy Su previously warned about AI deepfake-associated risks as well. In late May, Su argued that AI tech is getting so advanced that AI deepfakes may soon become undetectable by a human verifier.

Binance and HeyGen did not immediately respond to Cointelegraph’s request for comment. This article will be updated pending new information.


Worldcoin expects more companies to integrate in the coming months, says product head

The head of product at Tools for Humanity told Cointelegraph that Worldcoin is expecting more companies to integrate in the second half of the year.

Worldcoin has been in the spotlight since its launch on July 24, with users lining up to scan their irises for a digital ID and others questioning its methods for collecting data. 

The project is built on the premise of supplying users with a digital ID via an iris scan that can be used for instant verification online and, in the future, for issuance of a universal basic income (UBI).

While it’s still in the early stages, the company has already integrated with Auth0, which facilitates thousands of its clients with the ability to sign in via World ID. In an interview with Cointelegraph, Tiago Sada, head of product at Tools for Humanity — the company behind Worldcoin — said the company anticipates these types of integrations to accelerate in the coming months.

Sada said that since its launch, it has opened up its software development kit (SDK) for any developer to be able to use it and has also integrated with the platform Discord. 

“Over the coming weeks and months — during the second half of the year — we expect to spend a lot more time helping companies set up these integrations.”

Last week, Reuters reported that Worldcoin plans to expand its services to allow governments and organizations to utilize its software. Sada explained to Cointelegraph that, given that it is an open identity protocol built on top of zero-knowledge proofs, anyone can choose to use it and is subject to the same rules of the protocol.

This includes governments, which he pointed out have had issues with ID verifications due to the availability of duplications and fakes on the black market.

“We’re not trying to replace a passport or driver’s license,” he clarified. “This is something that you can use in addition to that.”

“We’ve been approached by governments over the past few months inquiring about how the protocol works, but no specific integration to announce right now.”

On the other hand, some governments have been openly looking into Worldcoin due to concerns for privacy and data collection. The data watchdog for the German government launched a probe into Worldcoin back in November 2022 prior to the official launch. 


Sada also highlighted that historically, there has always been a struggle with the notion of building applications that are “bot-resistant.” Now, with the age of artificial intelligence (AI), it will become a much more difficult yet important problem to solve.

“It is clear that the world needs and will need something like Worldcoin in the coming years. We just hope that happens in a privacy-preserving decentralized, open-source, permissionless way.”

The explosion of interest in and accessibility of AI tools and applications has already caused concerns over the possibility of rampant fake news and deep fakes. 

On July 3, AI-generated fake news circulated that resulted in rumors of the resignation of United States Securities and Exchange Commission Chair Gary Gensler.

Already, Worldcoin has deployed at least 1,500 metal orbs for in-person scans and sign-ups in physical locations around the world, including major cities, such as London, Paris and Dubai.


Worldcoin rebuts reports of lackluster takeup as Altman cites Japan queues

A video shared by Worldcoin co-founder Sam Altman shows a long queue of people in Japan reportedly waiting to collect $50 worth of Worldcoin (WLD) tokens or 25 WLD.

Amid discussions around the falling interest in Worldcoin — the blockchain project dedicated to building a user identity network — its co-founder Sam Altman shared a video that shows people in Japan lined up to give away their iris scans in exchange for “free” Worldcoin (WLD) tokens.

A video shared by Altman shows a long queue of people in Japan reportedly waiting to collect $50 worth of Worldcoin (WLD) tokens or 25 WLD. In exchange, the users are required to provide their identification through an iris scan.

“One person getting verified every 8 seconds now,” wrote Altman as he shared the video of people lining up for the Orb. However, Worldcoin has not yet responded to Cointelegraph’s request for comment to confirm the accuracy of the information shared on Twitter (rebranded to X).

As explained in the Worldcoin introductory letter, the Orb is a biometric verification device that provides a World ID to users upon successful biometric data collection. The company plans to set up Orb venues worldwide to expedite the onboarding process on a global scale.

While Japanese investors seemingly showed a greater interest in Worldcoin, not many Hong Kongers shared the same enthusiasm. As Cointelegraph reported, the three Orbs in Hong Kong cumulatively reported just 200 sign-ups on the first day and 600 in total.

Although on the surface Worldcoin sign-ups seem like a step forward toward crypto adoption, entrepreneurs including Twitter co-founder Jack Dorsey and Ethereum co-founder Vitalik Buterin believe the proposed system would be catastrophic if it were to work against the ethos — privacy, accessibility, decentralization — that the crypto ecosystem was founded on.


Worldcoin may face resistance from the data regulators in the United Kingdom, as the Information Commissioner’s Office (ICO) reportedly raised concerns over privacy and critical biometric data safety.

However, an ICO spokesperson said they “have not announced anything publicly to confirm or deny if we are looking into Worldcoin. Until then, I would not be able to pass comments.”


Worldcoin token launch sparks response from Vitalik Buterin

The Ethereum co-founder released a long-form response to the launch of Worldcoin’s decentralized human identity verification system.

Vitalik Buterin, the co-founder of the Ethereum network, released a long-form essay with his thoughts on the recently launched Worldcoin human identity verification system. 

On July 24th, Buterin tweeted his response to Worldcoin, which launched on the same day.

In his article, along with an explanation of Worldcoin and how it intends to work, Buterin addressed the larger concept under discussion with the release of the Worldcoin token, which is proof-of-humanity.

Worldcoin, along with other similar identity solutions such as Proof of Humanity, BrightID, Idena and Circles, believes that as artificial intelligence (AI) advances, it will become increasingly difficult to distinguish between humans and machines.

Most of these systems that supply a type of token, such as Worldcoin, also see human utility being endangered by bots and therefore needing a type of universal basic income (UBI).

Buterin writes that these factors combined beckon the need for digital verification of humans. He argues that this system of proof of personhood is valuable to solving “anti-spam and anti-concentration-of-power problems.”


The Ethereum co-founder also highlights that systems like Worldcoin, if they continue to decentralize as promised, will avoid “dependence on centralized authorities and reveal the minimal information possible.”

“If proof of personhood is not solved, decentralized governance… becomes much easier to capture by very wealthy actors, including hostile governments.”

Buterin also addressed the major concerns looming over such solutions, which he summarized into four main points of privacy, accessibility, centralization within the Worldcoin Foundation and security. 

On June 27th, Worldcoin had a small scare that it immediately clarified after thousands of Safe deployments to Optimism caused speculation of an attack.

Steve Dakh, a developer working on the Ethereum Attestation Service (EAS), which is the network’s own service that creates, verifies and revokes on/off-chain attestations, commented on Buterin’s post, saying systems like Worldcoin could be complementary with EAS.

In conclusion, Buterin said there is currently “no ideal form of proof of personhood” and currently envisions three different approaches to the problem that could potentially become a hybrid of each other. 

He called for community accountability in the process with audits and checks and balances. Although saying he does not envy those whose task it is to design and implement such systems, his point is simple:

“A world with no proof-of-personhood seems more likely to be a world dominated by centralized identity solutions, money, small closed communities, or some combination of all three.”

As of July 14, a week prior to the system’s launch, sign-ups for World ID surpassed 2 million, in less than half the time that it took to reach the first million.


How easy is a SIM swap hack and how does one guard against it?

As SIM swap attacks are often seen as non-demanding in terms of technical skills, users must exercise due diligence over their identity security.

Despite the rise of cybersecurity infrastructure, online identity still faces many risks, including those related to the hacking of one’s phone number.

In early July, LayerZero CEO Bryan Pellegrino became one of the latest victims of a SIM swap attack, which allowed hackers to briefly take over his Twitter.

“My guess is that somebody grabbed my badge out of the trash and somehow was able to trick a rep into using it as a form of ID for the SIM swap while I was leaving Collision,” Pellegrino wrote soon after having his Twitter account back.

“It was ‘Bryan Pellegrino — speaker’ just your normal paper conference badge,” Pellegrino told Cointelegraph.

Pellegrino’s mishap may lead users to assume that performing a SIM swap hack is as easy as just grabbing someone’s badge. Cointelegraph has reached out to some cryptocurrency security firms to find out whether that’s the case.

What is a SIM swap hack? How big is it?

A SIM swap hack is a form of identity theft where attackers take over a victim’s phone number, allowing them to gain access to bank accounts, credit cards or crypto accounts.

In 2021, the Federal Bureau of Investigation received more than 1,600 SIM swapping complaints involving losses of more than $68 million. This represented a 400% increase in the number of complaints received in the three prior years, indicating that SIM swapping is “definitely on the rise,” CertiK’s director of security operations Hugh Brooks told Cointelegraph.

“If there is no move away from SMS-based 2FA and telecommunications providers do not lift their security standards, we are likely to see attacks continue to grow,” Brooks stated.

According to SlowMist chief information security officer (CISO) 23pds, SIM swapping is currently not too widespread, but it has a significant potential to rise further in the near future. He stated:

“As the popularity of Web3 grows and attracts more people into the industry, the likelihood of SIM swapping attacks also increases due to its relatively lower technical requirements.”

23pds mentioned a few cases involving SIM swap hacks in crypto over the past few years. In October 2021, Coinbase officially disclosed that hackers stole crypto from at least 6,000 customers due to a 2FA breach. Previously, British hacker Joseph O’Connor was indicted in 2019 for stealing roughly $800,000 in crypto via multiple SIM swap hacks.

How hard is it to perform a SIM swap hack?

According to CertiK’s exec, SIM swap hacking can often be done with information that is publicly available or can be obtained through social engineering.

“Overall, SIM swapping might be seen as a lower barrier to entry for attackers when compared to the more technically demanding attacks like smart contract exploits or exchange hacks,” Brooks said.

SlowMist’s 23pds agreed that SIM swapping doesn’t require high-level technical skills. He also noted that such SIM swaps are “prevalent even in the Web2 world,” so it's “not surprising” to see it emerge in the Web3 environment as well.

“It is often easier to execute, with social engineering being used to deceive relevant operators or customer service personnel,” 23pds said.

How to prevent SIM swapping hacks?

As SIM swap attacks are often seen as non-demanding in terms of hackers’ technical skills, users must exercise due diligence over their identity security to prevent such hacks.

The core protection measure against a SIM swap hack is to restrict the usage of SIM card-based methods for 2FA verification. Instead of relying on methods like SMS, one should use apps like Google Authenticator or Authy, Hacken’s Budorin noted.

SlowMist CISO 23pds also mentioned more strategies like multi-factor authentication and enhanced account verification like additional passwords. He also strongly recommended that users establish strong PINs or passwords for SIM cards or mobile phone accounts.

Another measure to avoid SIM swapping is to properly protect personal data like name, address, phone number and date of birth. The SlowMist CISO also recommended scrutinizing online accounts for any anomalous activity.

Platforms should also be responsible for promoting safe 2FA practices, CertiK’s Brooks stressed. For example, firms can require additional verification before allowing changes to account information and educate users about the risks of SIM swapping.

Additional reporting by Cointelegraph editor Felix Ng.

Bitcoin can bring ‘cause and consequence into cyberspace’, boost security — Michael Saylor

During an interview, Michael Saylor discussed how crypto networks like Bitcoin can promote security and combat digital trust issues.

Bitcoin may be the answer to combat cybersecurity threats driven by artificial intelligence, such as deepfake, said Michael Saylor, executive chairman of MicroStrategy, during a recent interview with Kitco News.

Saylor illustrated his views using social media accounts created by robots as an example. According to him, billions of fake accounts are behind a digital "civil war" in today's society, stirring up hatred among real users of digital platforms.

"The risk in cyberspace is I can spin up a billion fake people, and I can create a civil war by having the fake Republicans hate on the fake Democrats, or the real Democrats. Having the fake Democrats hate on the real Republicans," said the tech executive when discussing how artificial intelligence and other next-generation technologies will make deepfake cheaper and harder to detect.

Michael Saylor during an interview at Bitcoin 2023. Source: Kitco News

According to Saylor, who has over 3 million Twitter followers, he receives nearly 2,000 fake followers every day. "I literally saw in a matter of one hour, 1500 bot accounts got scrubbed off my account, and they were bots. So, we can no longer live with that status quo," he continued. The executive believes the solution for deepfake and other digital trust issues lies in decentralized identities (DIDs).

A decentralized identity is a self-owned, independent identity that enables trusted data exchange. In other words, it is a way to verify and control an online identity and personal information.

"If someone wants to launch a billion Twitter bots, that's going to cost them a billion transactions [...]. By combining the power of cryptography with the power of a decentralized crypto network like Bitcoin, we can bring cost and consequence into cyberspace," he explained.

Saylor's MicroStrategy is one of the companies working on encrypted signatures for social users and corporate solutions. The CEO of OpenAI, Sam Altman, is also developing technology for proof of personhood with his crypto project, Worldcoin. To build decentralized identification tools, the company closed a $115 million funding round last week.

Similarly, layer-2 protocol Polygon launched a decentralized identity solution in March. Powered by zero-knowledge proofs (ZK proofs), it uses cryptographic techniques to allow users to verify their identity online without having their sensitive information passed or potentially stored with a third party. The product came out nearly a year after announcing its development.


Federal Reserve’s FedNow will integrate with Metal Blockchain

The integration will allow users to instantly convert cash to stablecoin for use in DeFi protocols.

The Federal Reserve’s forthcoming instant payment service FedNow will be integrated with Metal Blockchain, according to a May 11 announcement from the Metal Blockchain team. The announcement said that the integration will allow Metal users to instantly convert funds to stablecoin and back again using FedNow’s “send/receive” function.

Metal Blockchain’s listing in the FedNow Service Provider Showcase. Source: FedNow

FedNow is an instant payment system developed by the United States Federal Reserve. It allows for round-the-clock, near-instant payments between banks. Currently, U.S. residents can only make instant payments domestically through third-party apps such as PayPal and Venmo or crypto wallets. The Federal Reserve has stated that the new service will launch in July.

Metal Blockchain is a crypto network developed by Metallicus, based on a fork of Avalanche's code. It was created to offer compliance-friendly options for decentralized finance (DeFi) developers. In the May 11 announcement, Metal developers claimed that the network is “built on the foundation of BSA [Bank Secrecy Act] Compliance,” implying that it has identity verification and anti-money laundering features built in.

According to its documents, the network features a subnet called “X-Chain” that allows developers to enact rules for transferring assets. For example, a token can be issued with the rule that it “can only be sent to US citizens” or “can’t be traded until tomorrow.”

Cointelegraph couldn't verify what criteria FedNow uses for integration with the payment system. However, most blockchain networks use pseudonymous addresses as user identities, which means that they could be seen as not complying with the Bank Secrecy Act. This may explain why Metal is one of the first blockchain networks to be listed as a FedNow service provider.

In a conversation with Cointelegraph, Metallicus co-founder and CEO Marshall Hayner said Metal's integration with FedNow could enable the formation of interconnected “bank chains,” creating a larger blockchain ecosystem that is secure and does not rely on oracles. This will allow banks to communicate with each other to process payments and handle settlements while staying connected to the FedNow system. 

He stated that the integration will also allow banks to prepare for an eventual central bank digital currency (CBDC), as well as for “bank issued stablecoins that can interact within a basket of stablecoin currencies.”


FedNow has been criticized by some U.S. politicians, including Florida Governor Ron DeSantis and U.S. Presidential candidate Robert Kennedy, Jr., who have alleged that it is a first step towards a blockchain-based CBDC that they say will infringe privacy. The Federal Reserve has denied that FedNow is related to a CBDC.

When asked his opinion of the controversy, Hayner dismissed these criticisms of CBDCs.

“I believe this controversy is unfounded [...] As the same rigor that is applied to the banking system will be applied to CBDC,” he said.


CFTC proposes reducing anonymity to manage risks

Commodity Futures Trading Commission Commissioner Christy Goldsmith Romero has urged crypto companies to verify the digital identity of users, saying that Congress is considering new laws addressing anonymity and digital identity.

A commissioner of the United States Commodity Futures Trading Commission (CFTC), Christy Goldsmith Romero, has proposed reducing the anonymity of cryptocurrencies as a means of managing the risks associated with digital assets. The statement was made during the keynote speech on Illicit Finance and Other Key Risks of Digital Finance at City Week 2023 in London on April 25.

Romero stresses the need for governments and the industry to tackle the primary feature that makes cryptocurrencies appealing to illicit finance — anonymity. In her speech, Romero said that the risks associated with digital assets must be managed, as market integrity, national security and financial stability are crucial and cannot be compromised. 

Reducing illicit finance risks in the cryptocurrency market requires addressing the challenge of identity verification, Romero said. Although the public blockchain offers some transparency and traceability, the use of mixers and anonymity-enhancing technology increases the potential for substantial risk, she added. In her words:

“It is possible for all crypto companies to distance themselves from mixers and anonymity-enhanced technology, while still appropriately providing financial privacy for customers.”

A crypto mixer is a service that blends the cryptocurrencies of many users together to confuse the origins and owners of the funds. Because Bitcoin, Ethereum, and most other public blockchains are transparent, this level of privacy is otherwise hard to achieve.

While talking about the need for identity verification, Romero highlighted that two mixers — Blender and Tornado Cash — were recently sanctioned by the United States Treasury Department. According to her, Tornado Cash was allegedly involved in laundering $7 billion, including millions of dollars stolen by Lazarus Group, a North Korean state-sponsored hacking group that has been involved in cyberattacks to aid illicit nuclear and ballistic missile programs.

Romero expressed that crypto companies can maintain financial privacy for their customers without relying on mixers and anonymity-enhancing technology. She continued by stating there is a distinction between financial privacy and anonymity. Traditional finance (TradFi) ensures financial privacy by verifying the customer’s identity through Know Your Customer (KYC), Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) measures, without relying on anonymity-enhancing technology.


Romero encouraged the verification of digital identity, urging exchanges as well as decentralized finance (DeFi) platforms to verify the digital identity of users. She pointed out that, more often than not, DeFi services are not fully decentralized but instead maintained by central parties who could verify identities and may be held accountable for doing so.

According to the commissioner, there are existing technologies to provide digital identity and more are being developed. Congress is also considering new laws addressing anonymity and digital identity. The U.S. government will continue to prioritize preventing crypto’s use for illicit finance.


Vitalik Buterin and Indian yogi Sadhguru discuss tech, identity and more

In a virtual conversation hosted by the reState Foundation, the two thought leaders came together to talk about the direction of the future of technology and human consciousness.

Emerging technologies such as blockchain are ushering in a new era of interactions between humans and the digital world. This is an evolving topic of conversation for thought leaders both inside and outside of the industry trying to predict how such technologies will prompt change in the human experience.

On April 25th, the reState Foundation hosted a virtual talk between co-founder and inventor of Ethereum Vitalik Buterin and founder of the Isha Foundation, the Indian mystic Sadhguru, to discuss the intersection of technology and human consciousness.

reState Foundation, Sadhguru and Vitalik Buterin in conversation. Source: YouTube, reState Foundation

Buterin opened the conversation by highlighting that the core of blockchain technology is about “human coordination and interaction” with one another. He said:

“[Blockchain] is about helping different groups of people come together to be able to trust each other more, to collaborate across larger distances on many different kinds of projects.”

The talk promptly continued by pointing out a growing gap between the rate of technological evolution and the progression of human ethical and consciousness development, with the latter being left behind.

According to Sadhguru, much of this blockage on the part of humans comes from the need to identify with a group. The yogi said this need for self-identification therefore surrenders intelligence over to “protecting and defending the identity” of that group.

Growing gap of technology development and human consciousness development. Source: YouTube, reState

However, Buterin highlighted that new emerging tech actually makes it easier for people to recognize complicated identities and connect with one another on common ground. “Ultimately every technology is a social technology in some way,” he said.

“These are tools to help groups of people organize. There are tools to help people identify things that they value in common.”

He continued to say that while emerging technologies will not solve all problems of users, agreements and disagreements in the space have the potential to result in “realized cooperation” and learning opportunities, respectively. “I think those are the kinds of ideas that I know a lot of people in Ethereum and in those related communities really care about,” he said.


As these new technologies continue to take precedence in the lives of users and in systems around the world, Sadhguru encouraged listeners to be mindful that humans are the “highest level of technology” and by doing so we can improve the way we interact with technologies.

“Technology is not just something humans merely create; it is an extension of our consciousness. As we elevate our consciousness, our technology will automatically follow.”

Both speakers pointed to proper usage of technologies like blockchain as the key to its implementation as a tool for greater understanding and raising human consciousness. 


Europe’s digital ID wallet — Easy for users or a data privacy nightmare?

European Union lawmakers are planning an EU-wide digital identity wallet for access to essential services.

On March 15, the European Parliament voted 418 to 103 (with 24 abstentions) in favor of negotiating a mandate for talks with the European Union member states about revising the new European Digital Identity (eID) framework and creating the “European Digital Identity Wallet,” also known as EUDI Wallet or EU wallet. 

Citizen’s IDs, health cards, certificates and many other documents could soon be digitally stored in a smartphone application for EU citizens.

According to an official statement from the European Parliament, the system would allow citizens to identify and authenticate themselves online without relying on big commercial providers like Apple, Google, Amazon or Facebook.

The new eID framework will purportedly give EU citizens digital access to key public services across the EU. Citizens will remain in “full control of their data” and be able to “decide for themselves what information to share and with whom.”

European lawmakers have set an ambitious goal for this new wallet, aiming to bring it to 80% of the population by 2030. This could be achieved by mandating that the wallet be supported by e-government services and companies that have a legal requirement to identify their customers through Know Your Customer checks. It could require major online platforms like Google or Facebook to offer the EU wallet to log in to their services, with soft law and delegated acts that could require small and medium-sized enterprises to support the wallet.

Negotiations with the European Council on implementation would be the next step, but digital transformation and data protection experts have doubts and differing opinions about implementing the wallet.

Usability is the key to adoption

The EU wallet — like the current electronic ID cards in Germany and other European countries — will hardly be adopted by citizens in their daily lives if it doesn’t offer a good use case.

The challenge is to make it easier and more efficient for citizens to interact with public services and administrations, enabling authentication and verification processes, especially in the private sector.

According to Clemens Schleupner, policy officer of digital identity and trust services at Germany’s digital association Bitkom, the possibility of storing electronic IDs on a smartphone to use online as well as digitizing drivers’ licenses, health cards, passports, tickets, school reports, credit cards, membership certificates, etc., and combining them into one wallet could have mass market potential.

Applying for a bank loan with eID. Source: European Commission

The EUDI Wallet could make that happen; however, this will only succeed “if adoption among citizens in Europe is ensured through security and usability, relevance through a high number of possible uses and interoperability of different applications throughout Europe,” Schleupner told Cointelegraph.

Lack of usability and public awareness are also significant concerns for Christof Stein, spokesperson for Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI).

Stein told Cointelegraph that using proven technologies and trusted infrastructures with enforced IT security and data protection standards is crucial for citizens using the EU wallet.

Privacy is king

As the final rules are not yet known, it is too early to evaluate the EU wallet. For citizens, it is important that the legal framework provides a data-saving solution that only lets organizations ask for user data when they need it.

According to Stein, it is critical that users are protected from tracking by wallet providers, and wallet providers must ensure that wallet data processing is in line with legal requirements.

“What is necessary is a central anchor of trust enabling the enforcement of rules for the protection of individuals. For example, the infrastructure must be designed so that all organizations participating in the system must register to ‘identify’ themselves to users.”

The previous proposal from the European Commission lacked essential privacy safeguards, which would have enabled third parties to obtain data about user transactions, possibly allowing bad actors to exploit the system for identity theft or fraud.

According to Thomas Lohninger, executive director of Austrian data protection NGO epicenter.works, the European Parliament has drastically improved the law and adopted a good position in the first reading. He told Cointelegraph:

“It is unlikely that the Parliament will win 100% of the trialogue negotiations. But we hope that the Council and the Commission will realize that the success of the whole system depends on the privacy and trust that is built in. Only if it is the trusted and chosen tool of citizens for their most sensitive health, identity and financial data can the European Digital Identity Wallet be a success.”

The problem of “over-identification”

Lohninger also warned of “over-identification,” i.e., if everyone in the EU is obliged to always use the wallet, this could lead to a loss of anonymity and pseudonymity in everyday interactions.

BfDI’s Stein shared this view, arguing that there should be no general obligation to use the EUDI Wallet and that there should be alternatives.

The European Parliament appears to have heard these concerns, as one of the most important safeguards in the recently passed identity framework is a non-discrimination clause that “protects anyone who chooses not to use the EU wallet, whether it’s in access to government services, freedom of business or the labour market.”

In the European Parliament, all four committees adopted this safeguard with a cross-party consensus. Now this safeguard must survive the trialogue — negotiations with representatives from the European Parliament, the Council of the European Union and the European Commission.

What about zero-knowledge proofs?

As Cointelegraph reported, the EU’s Industry, Research and Energy Committee included a standard for zero-knowledge proofs (ZK-proofs) in its eID amendments.

This technology, which allows the selective disclosure of certain information — like revealing only one’s age, for example — could become a core function of the EU wallet, said Stein.

Epicenter.works’ Lohninger noted that ZK-proofs could provide “unlinkability.” For example, someone could prove they are of age to someone else on different occasions without the latter party knowing the former is the same person.

Although ZK-proofs allow personal data to be anonymized, Schleupner sees two challenges. First, ZK-proofs in their current application are “a new technology and vulnerabilities may arise if they are not implemented properly,” and second, “many use cases [of ZK-proofs] have not yet been conclusively evaluated.”

Before trusting the technology, EU regulators must ensure that ZK-proofs comply with privacy regulations and meet all specific requirements of the General Data Protection Regulation.

The trialogue at the EU has much to consider before passing eID into a usable, safe and reliable tool for Europeans. How regulators balance these considerations could have profound implications for other forms of digital or blockchain-based ID.
