eu-digital-identity-wallet / eudi-doc-architecture-and-reference-framework

The European Digital Identity Wallet
https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/

Terminology obfuscation #179

Open OBIvision opened 1 month ago

OBIvision commented 1 month ago

A primary problem with the ARF approach is the way terminology is obfuscated to mean almost the opposite when it suits the agenda. https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/latest/arf/#413-privacy-by-design

E.g.

4.1.3 Privacy by Design

The EUDI wallet architecture embodies the principle of privacy by design. This means that the protection of user data is a fundamental pillar of the wallet's design. The principle of data minimisation guides the collection of personal information, ensuring only what is necessary is gathered. The wallet empowers users with granular control over what data is shared and with whom. Transparency is built into the system, with clear explanations of how data is used and protected. By making privacy a cornerstone from the beginning, the EUDI wallet aims to foster trust and protect the fundamental rights of its users.

Notice "The wallet empowers users with granular control over what data is shared and with whom."

This is not Privacy by design, it is Surveillance by Default - you got Privacy by Design if you do not create personal data, not merely because you get to share 99 or 100 in a surveillance setup.

E.g.

4.1.4 Security by Design

The EUDI wallet architecture embraces the principle of security by design. This means security considerations are woven into the very fabric of the wallet's design. Throughout the design process, potential vulnerabilities are identified and mitigated. Secure coding practices are mandated, and the architecture itself minimises attack surfaces by compartmentalizing sensitive data and access controls. By prioritizing security from the outset, the EUDI wallet aims to be inherently resistant to cyberattacks and data breaches, fostering trust and user confidence in this digital identity system.

Notice "the architecture itself minimises attack surfaces by compartmentalizing sensitive data and access controls"

This is not Security by Design, but merely some perimeter access control to scenarios where control is always transferred from the citizen to someone else - depending on the aspect BigTech control intra-phone, BigGov control through the inherent surveillance model or the counterparty as there is no support for unlinkable identity as a set of credentials.

The essential issue is that the ARF as-is is inherently overriding the eIDAS regulation and eliminates all aspects of citizen security, self-determination and rights. It is non-compliant.

The question is if this is deliberate or something that will be remedied?