Marcel Wendt, founder of Digidentity, wants to know how far the possibilities go of the digital identity wallet, co-developed by his company. That is why he is participating in a European pilot project. “This technology is coming, and companies will have to participate.”
Anyone checking into a hotel as a guest usually has to show a passport or some other ID. The receptionist often makes a copy as well. Even though the hotel doesn’t even need most of the information on the passport. There is a safer and more privacy-conscious alternative, according to Marcel Wendt, founder of Digidentity. The solution he and his company are working on is a digital wallet, one that exists only on a user’s phone and allows them to share only the info that is needed at a given moment.
“The technology behind a wallet like that makes necessary data available through a kind of need-to-know principle,” Wendt explains. “That wallet of ours is designed to provide data very selectively. How much? The minimum needed to meet legal or other obligations—no more or less.”
“We’re not talking about a kind of European digital identity, as some fear. Meaning one that sends all our data to Brussels. Instead, it’s about your data only being in the wallet on your phone and not in a central database.”
Growing awareness
Protecting personal information is increasingly on the minds of regular people. In the Netherlands, the national statistics bureau CBS calculated that 89 percent of the population had taken measures to protect personal data on the internet by 2023, compared to 82 percent in 2021. That is the highest amount in Europe. This particular research mainly concerned profile data and messages on social media.
Recent research by Digidentity paints a different picture. It shows that only 27 percent of the Dutch take serious steps to keep their data safe, such as multifactor authentication via biometric or fingerprint scans. The yardstick by which Digidentity measures the average Internet user is, however, a lot more strict than the one used by the Dutch statistics bureau.
His company is right to be strict, Wendt believes. After all, malicious actors can commit fraud with very small snippets of information regarding one’s identity. “Take security questions like ‘What is your mother’s maiden name?’ You wouldn’t believe it, but some companies still rely on such questions that barely offer any protection. If you’re a cybercriminal doing a little Facebook research or poking around on a victim’s LinkedIn profile, you’ll dig up such info in no time.”
“We onboard about 8,000 people daily on our platforms,” he continues. “Regularly, we see attempts there to sign up under a different identity, by using fake passports for example. We manage to stop all these attempts, but criminals do try.”
European pilot project
Digidentity is part of the EU Digital Identity Wallet Consortium, with 41 partners and 28 associated partners from across the EU and some other European countries (companies, governments, and non-profits). This is one of four pilot projects launched by the European Commission to test the application of a digital wallet according to specifications set by the commission. The pilot has 1,000 EU citizens testing the wallet and will run until next year. By then, the legislation for which the underlying framework was developed should also come into force.
The hotel example’s identification requirement stems from legislation. Often, hotels and other lodgings are required to register their guests’ names, residences, and types of IDs. However, a citizen service number is not required but can be found on a passport or identity card anyway. “All that unused personal data lying around in archives and on data carriers encourages fraud, at worst,” Marcel Wendt warns.
He chooses the hotel example for good reason. The pilot in which his company is participating focuses particularly on travelers’ use cases, such as booking flights and hotel stays and making cross-border payments. Partners include Visa and Amadeus, a provider of technology services for the travel and tourism industry. Sweden’s Bolagsverket (somewhat similar to a Chamber of Commerce) is the lead agency for the pilot in which Digidentity is participating.
Other pilot projects testing the digital wallet focus on online purchases, government services, banking and authentication of sensitive documents such as diplomas.
Providing data selectively
Apart from the specific use cases that ‘his’ pilot is investigating, Wendt sees many other advantages: “When someone rents a car or buys alcohol, the rental agency or liquor store needs to know that they are old enough. But all kinds of other information they don’t need at all. Not even the exact date of birth. They don’t want to send a birthday card, they want to know that the person is the right age. So the only necessary info that should be provided is ‘this person is old enough’.”
“Regarding that liquor store, why should the vendor need to know your name? Because that is what shows on everyone’s physical ID. Our wallet limited third-party access to that kind of personal information, much more than is possible with physical IDs.”
“What’s more, this also eliminates the need for the cashier to calculate on the basis of your date of birth as to what your exact age is,” he jokes. “That makes it all a bit safer and less error-prone anyway.”
Decentralized technology
The wallet shares limited data with official agencies, stores, hotels or other parties via a security token. In the case of an online store, a user would scan a QR code with their wallet. That allows the store to read the required payment information on the phone (and no more than just that). No information is stored elsewhere; the source of the data is only on the phone. That prevents bank account numbers or credit card information from ending up in an external database.
“The technology is decentralized, rather than federated, as is the case with DigID, for example (DigId is the identity validation technology currently used for online interaction between Dutch government services and citizens). That means your personal data is only on your phone, not in a database somewhere. The less data is in such databases, the less can be stolen.”
Digidentity is one of the few parties in the Netherlands allowed to provide level 4 e-recognition solutions. This is the highest level for processing highly sensitive information or fraud-sensitive transactions. “Moreover, we are the only party in the Netherlands whose technology allows for completely remote onboarding of users.” By this, Wendt means that validated user authentication can be done fully online. “With our competitors’ technology, it is necessary that users initially still make a face-to-face appointment with the relevant authority.”
Wallet soon to be mandatory for companies
Digidentity hopes to bring precisely this expertise and reliability to the consortium. “Of course, we hope to reuse that part in this pilot, as well as qualified cloud signing, a way of digital signing that is legally valid throughout the EU.” Adobe Acrobat Sign and DocuSign, among others, use this technology co-developed by Digidentity.
Companies, including banks and tech giants such as Apple, Microsoft, Meta and Google, will soon have to enable signing in to their platforms via the wallet. In theory, that would result in the latter missing out on a lot of user data. It will not be the only way to register for something or make a purchase, and according to Wendt, EU citizens will not be obliged to use the wallet, but governments must offer the possibility.
He also predicts that there will be incentives to steer as many citizens as possible toward the wallet. “For example, it will cost you some money if you want to work outside that wallet, and otherwise, it will be free.” The intention, by the way, is not to ‘bully’ citizens toward a wallet, but primarily to somewhat curb companies’ data-gathering appetite while enabling them to comply with Know Your Customer (KYC) legislation more easily.
Not doing it for the money
According to Wendt, his company is not initially participating in the pilot for the money involved. “We have to keep huge records to account for every hour. And then you only get paid fifty percent of your effort anyway. Sometimes, I think we would be better off doing this for free.” But for Digidentity, their participation is mostly about a kind of exploration of both the limits of the technology, and to survey the expertise of participating European competitors.
“It’s also a practical exploration. How does interoperability work when use extends across multiple countries? I consider this pilot successful when we know it can be done and the participating end users are convinced it will benefit them.”
About Digidentity
Digidentity provides solutions for e-recognition, digital signatures, identity verification and validation, as well as authentication technology. The company is Adobe’s partner in e-signing and counts insurance companies ASR and Achmea among its customers. It provided expertise and technical infrastructure during the development and implementation of DigiD, the Dutch government’s digital identification system. Digidentity Wallet, its proprietary platform, has authenticated some 25 million users worldwide.
The company is a Qualified Trust Service Provider (QTSP) and is one of nine Dutch organizations on the European Commission’s European Trusted List (EUTL). The company’s services are compliant with eIDAS (Electronic Identification And Trust Services). Meaning it is authorized to provide solutions for electronic signatures and seals according to a set of agreements established by EU member states.
Also read: EU revamps eIDAS with law allowing member states to track internet sessions