Why German eIDAS Implementation Means Big Tech Control
Germany's eIDAS implementation, designed to meet EU-mandated "strong integrity" requirements, relies on an attestation mechanism that proves a key was generated within a secure enclave on a device and that the device itself has not been tampered with. This forms a trusted device chain required by law to prevent identity spoofing via modified clients.
On Android, for example, this means meeting the MEETS_STRONG_INTEGRITY requirement, which often translates to using Google Play Integrity APIs. While Apple has its own equivalent attestation services, the underlying design of this German eIDAS implementation, by relying on platform-level attestation, inherently creates a dependency on either Google's or Apple's ecosystem. The initial German rollout, specifically, is limited to Google/Android platforms, but the broader implication is a requirement for an account from one of these tech giants.
In practice, this design choice means an initial implementation limited to Google/Android platforms. While GrapheneOS is on the list for future support, the immediate reality is a dependency on Google/Apple accounts and their respective app stores for accessing eIDAS and other EU digital services. This dependency stems from the underlying platform attestation services that verify device and application integrity. For the initial Android implementation, if a device cannot pass Google's Play Integrity checks, the German eIDAS wallet will not function. Under this approach, users who permanently lose access to their Google/Apple accounts risk being excluded from essential services.
The reliance on a hardware root of trust, like a Trusted Platform Module (TPM), and the requirement for a security patch within the last 12 months (for Android) are technically sound security measures that aim to prevent identity theft through compromised devices. The chosen implementation method, however, funnels control through a very narrow set of gatekeepers, raising concerns beyond mere security goals.
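As an added illustration (not code from the German wallet or from Google), this is roughly how a relying-party backend gates on a decoded Play Integrity verdict whose signature has already been verified. The package name, freshness window and sample payloads are assumptions constructed for the example.

```python
import time

EXPECTED_PACKAGE = "de.example.wallet"  # hypothetical package name
MAX_AGE_MS = 5 * 60 * 1000              # assumed freshness window

def evaluate_verdict(payload, expected_nonce, now_ms=None):
    """Gate on a decoded verdict whose signature was already verified."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    req = payload.get("requestDetails", {})
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        reasons.append("package mismatch")
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch")
    age = now_ms - int(req.get("timestampMillis", 0))
    if not 0 <= age <= MAX_AGE_MS:
        reasons.append("stale verdict")
    app = payload.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognized by Play")
    labels = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if "MEETS_STRONG_INTEGRITY" not in labels:
        reasons.append("device lacks MEETS_STRONG_INTEGRITY")
    return (not reasons, reasons)

NOW_MS = 1_700_000_000_000  # constructed timestamp

def sample_verdict(labels, nonce="n-123", app="PLAY_RECOGNIZED"):
    """Constructed payload in the shape of a decoded Play Integrity verdict."""
    return {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                           "nonce": nonce, "timestampMillis": str(NOW_MS)},
        "appIntegrity": {"appRecognitionVerdict": app},
        "deviceIntegrity": {"deviceRecognitionVerdict": labels},
    }

if __name__ == "__main__":
    certified = sample_verdict(["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY",
                                "MEETS_STRONG_INTEGRITY"])
    uncertified = sample_verdict([])  # constructed: device Play does not certify
    for name, v in (("certified", certified), ("uncertified", uncertified)):
        print(name, evaluate_verdict(v, "n-123", NOW_MS + 1000))
```

The second sample is refused solely because the platform vendor's verdict lacks the strong-integrity label, which is the gatekeeping dependency discussed here.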
The Real-World Consequences: Exclusion and Centralized Control
The immediate consequence is a dependency on Google and Apple's app stores and their respective ecosystems for accessing eIDAS and other EU digital services, such as the digital Euro or Wero. This reliance introduces several critical vulnerabilities.
First, this reliance creates a significant risk of exclusion. Consider users who do not have a Google or Apple account, or those who use non-certified Android devices; they are effectively locked out of essential services. This isn't a hypothetical concern. Users running alternative Android distributions or those who simply choose not to engage with these ecosystems could find themselves unable to access government services.
A more severe concern involves account bans and due process. If Google or Apple decide to ban an account, or if an automated process flags a user, that individual could permanently lose access to their eIDAS. Such a scenario means individuals could be denied access to critical national services based on the opaque policies and automated decisions of private, foreign corporations. The lack of clear due process here is not just a concern; it represents a profound challenge to citizens' rights and autonomy.
Finally, this approach directly undermines digital sovereignty. Despite the EU's ambitious goals in this area, this implementation choice creates a direct contradiction: Germany relies on the continued goodwill and operational stability of two US-based companies for a fundamental aspect of digital identity—a core piece of national infrastructure. Its impact extends beyond privacy, directly affecting control over citizens' digital lives.
It is important to note that the existing German eID (the authentication chip on physical ID cards) is expected to remain functional. While this new system is an alternative, it introduces a significant new dependency.
Paths Forward
The current approach, while technically sound for device integrity, creates a single point of failure and a massive centralization of power, making viable alternatives worthy of serious consideration.
One path involves open standards and APIs. Publishing these specifications would allow the community to build clients for various platforms, fostering competition and reducing reliance on specific vendors. This doesn't require reinventing core technology, but rather opening existing specifications for broader implementation. For the German eIDAS implementation to truly serve all citizens, such open approaches are vital.
Another robust, platform-agnostic solution lies in dedicated EU hardware tokens. These could support multiple government and bank keys within a secure enclave. We have precedents: Austria's eIDAS implementation supports FIDO2 tokens (a modern standard for strong, phishing-resistant authentication) for PC-based authentication, and Norwegian banks have long used physical SIM cards for secure access. The ISO 7816 smartcard standard, a foundational standard for chip cards nearly four decades old, remains widely used in banking for secure identity. Such options return control to the user and the issuing authority, rather than the device manufacturer.
Finally, the EU itself developed an eIDAS-compatible European Self-Sovereign Identity Framework (ESSIF). This framework, developed in 2019, aims to give individuals greater control over their digital identities, reducing reliance on centralized providers and directly aligning with the stated goals of digital sovereignty. Integrating ESSIF principles could offer a more independent path for the German eIDAS implementation.
The prevailing EU policy trend emphasizes service provider responsibility for user safety, which often leads to restrictions on supported platforms. However, this cannot come at the cost of fundamental user control and national independence. The choice to lean so heavily on Google and Apple for device attestation, rather than investing in truly open or European-controlled alternatives, appears to be a strategic misstep. This approach risks prioritizing a narrow definition of security over broader principles of sovereignty and accessibility.
The German implementation of eIDAS, by relying on these closed ecosystems for "strong integrity," effectively risks trading digital sovereignty for convenience and a perceived ease of security implementation. Such a trade-off should not be made for critical national infrastructure. Instead, we should advocate for open standards and hardware-agnostic solutions that empower citizens, rather than further entrenching the power of a few tech giants.
Conclusion: Reclaiming Digital Sovereignty
The path chosen for the German eIDAS implementation, while aiming for robust security, inadvertently creates a significant dependence on foreign tech giants. This dependency not only threatens digital sovereignty but also risks excluding segments of the population and centralizing control over essential services. Moving forward, it is imperative for Germany and the broader EU to prioritize truly open, platform-agnostic, and European-controlled solutions. By embracing open standards, investing in secure hardware tokens, and fully leveraging frameworks like ESSIF, the vision of a secure, accessible, and sovereign digital identity for all European citizens can be realized, free from the undue influence of corporate gatekeepers. The future of digital identity in Europe, including the German eIDAS implementation, must be built on principles of autonomy and inclusivity.