The European Commission (EC) has been investing a lot of resources in the European Blockchain Services Infrastructure (EBSI). During an online Demo Day, six 'use cases' were demonstrated, although they all were still at the pilot level.
Outside experts have mixed feelings about the initiative.
Early Adopters Demo Day in late May was the provisional culmination of a major technology project initiated by the EC in 2018. EBSI was to become a European Union (EU)-wide service to verify credentials like driving licenses and diplomas. EU citizens have the right to live, work and study in every EU member state, with hardly any restrictions. A European digital identity and digitally verifiable credentials should make it much easier for citizens to move to another member-state, and to decrease the administrative burden for them and for governments.
The six use-cases presented all had a similar structure: a Trusted Accreditation Organization (TAO) can certify various Issuers (for instance, a university) to issue a verifiable credential (like a diploma) to a Holder (a student). The Holder stores this in his or her digital wallet (on a cellphone, for instance). When asked by a Verifier (another university or an employer) to supply proof of having a diploma, the Holder sends this verifiable credential from her digital wallet to the Verifier.
This chain of trust is protected against fraud by digital signatures. It starts with a TAO–typically a government authority, which issues accreditations secured by a digital signature. Other parties down the chain also sign credentials with digital signatures, all encrypted with the secret key of the issuer. Every receiver down the chain of trust can decrypt this signature with the public key of that issuer. The fact that decryption produces a readable message, not gibberish, proves to the receiver that the signature is authentic. This chain of trust is similar to the system of QR (Quick Response) codes widely adopted in the EU to prove the holder had been vaccinated against Covid-19.
Such a chain of trust does not need to use a blockchain; as the QR code demonstrates, it also can be set up by a central authority. Decentralizing the chain of trust to a blockchain–also known as a distributed ledger–causes additional privacy and security issues.
The EBSI use-cases mostly involved students wanting to transfer to a university in another EU member-state, making laborious paperwork and physical checks of credentials superfluous. The one exception was the European Qualification Passport for Refugees (EQPR), a digital document proving refugee and higher education status.
All these projects are still in the pilot stage; only some universities are willing to process these credentials. The EQPR has existed since 2017, but of the hundreds of thousands of refugees that came to the EU since then, just 664 have been issued an EQPR.
The concept of 'use-case' for the blockchain is rather revealing in itself; governments never needed to subsidize use-cases for cellphones or the Internet. Once these technologies were available, countless applications were developed by the private sector and adopted by the public at lightning speed. Covid-19 QR codes also were rolled out in mere months across Europe and much of the rest of the world.
Part of the problem is that participation in EBSI is restricted to companies who obtain accreditation from their national governments. During Demo Day, several panelists urged the European Commission to open up EBSI to independent developers. Sebastiano Toffaletti, secretary-general of the European Digital SME Alliance, referred to Facebook as an example of such a platform: "If Facebook could do it, why can't EBSI do this? Let independent innovators work on top of the EBSI-structure."
This remark visibly embarrassed Maxine Lem, the discussion moderator from the EC, After all, the market dominance of Facebook and other big tech companies is the EC's main motivation to try to build EBSI and a European digital identity.
In 2017, the Dutch government tried to set up a national blockchain infrastructure similar to EBSI called the Dutch Blockchain Coalition; so far, it has not produced any widely adopted use-cases.
Bart Jacobs, a professor of Security, Privacy, and Identity at the Netherlands' Radboud University Nijmegen, minces no words about that initiative: "It has basically collapsed, because blockchain doesn't add any value. It's hot air." Jacobs has no doubts that if any personal data were put on a blockchain, it would violate the EU's own General Data Protection Regulation (GDPR). Said Jacobs, "It took the Blockchain Coalition years to understand this."
Considering the privacy problems of blockchain, a system which by construction cannot undo additions to the chain so personal data can never be deleted or 'forgotten', the role of blockchain in the EBSI infrastructure remained fuzzy.
Marc Stevens, cryptologist at the Centrum Wiskunde & Informatica (CWI) research center in Amsterdam, can sees some merit in the blockchain. "The advantage of blockchain is that it lowers the threshold for cooperation considerably." That could be a positive factor in a European Union with 27 member-states, each with its own brand of red tape.
Nevertheless, Stevens thinks more effort should be put into analysis of the security and privacy risks.
Because data saved on the blockchain stays there forever, the possibility of quantum computing should be considered even now. Current blockchains use encryption systems that could be broken easily by a quantum computer, and if that becomes a reality in the near future, the data security of all these blockchains can be considered broken retroactively.
Said Stevens, "I have not studied the EBSI blockchain in particular, and I'm sure they try very hard to make it safe, but we have seen many accidents with blockchains already. Large-scale theft of bitcoins is a well-known example, but also 'smart contracts' have been drained by hackers."
Because so many people have access to a blockchain and there is no central oversight, Stevens characterizes its pervasive vulnerability as "Small mistakes, huge problems."
Europeans Wary of New Digital Identity
Arnout Jaspers is a freelance science writer based in Leiden, the Netherlands.
No entries found