Why do shared principles on interoperability of eID credentials for online platforms matter?

Andrea SERVIDA, 7 April 2017

Principles reflect the culture and the shared values in an ecosystem; they define and guide our future behaviour and actions.

So why do we need principles for eID interoperability for online platforms?

The cross-border eID model the EU has designed for Europeans with eIDAS has the potential to play an integral part in the online ecosystem of the future. And the role of online platforms in this ecosystem is immense. The biggest value creation and exchange in the digital world nowadays is generated through the platform model – through the optimisation and management of interactions between providers of goods and services and consumers.

We are all users of various types of online platforms for personal or professional reasons – to buy or sell goods and services, to express ourselves, to learn, to interact socially, etc. To make the best use of what technology can offer us, we need to build an online ecosystem which we can trust, where we feel safe and make choices, just as we do in the physical world.

And, in order to boost trust between users who often don't know each other, users accessing an online platform may be confronted with the need to make a claim about who they are or to provide personal data to ensure the security of their access. There are a number of questions that are relevant at this point and on which users take decisions, consciously or less so:

  • Is it really necessary to reveal my true name, or can I remain anonymous while still accountable?
  • What is the purpose/finality and scope of the authentication and identity data disclosure?
  • Once the purpose is clearly established, should I be obliged to provide certain personal data about myself or shall I be empowered to choose other mechanisms to meet the purpose?
  • As users can access and benefit from an increasing number of online platforms on a daily basis, is the recurrent sharing of personal data the best security option?
  • Do I use the same username/password for all purposes (lowering security), or do I create and keep track of multiple combinations (sacrificing convenience)?
  • How and when do I need to prove that I am indeed who I claim to be?

And the list goes on and on. This is why it is important to discuss how users could be better served by allowing them to freely decide whether they want to use the electronic authentication credentials they already have at their disposal. And, in this regard, we need to ask which aspects we want to safeguard (as online platform providers, businesses and individual users), around which we can design the eID interoperability principles that all stakeholders may subscribe to and follow in the future.

To stimulate the discussion, let me share with you what matters to me personally as a user when I authenticate to an online platform. Accessing services online is, to me, about convenience, trust and security.

Convenience is a driving factor in online interactions. I want to be able to choose the authentication means which are most convenient for me. If I am already in possession of a trusted and reliable eID recognised at national level by my government – be it an eID card, a bank card or a mobile ID – and, even better, across all EU Member States (via eIDAS), would it not be great to be able to use it to prove my identity and/or authenticate myself (i.e. via trusted disclosure of the attributes needed for the transaction) when logging in to an online platform as well? This would remove the need to repeatedly type in the same data about myself for each account I create.

Besides, I want to be in control of how much information I share and avoid having to provide unnecessarily detailed personal information – the disclosure should be minimal, proportionate and relevant to the particular transaction. For example, if there is a minimum age requirement for joining a platform, I should not need to reveal my date of birth (thus revealing more than my age) if I can prove my eligibility in another way. In practice, when I authenticate with my eID credential, an online platform can receive just the confirmation (i.e. a trusted attestation from my identity provider) that I am indeed above the required age.

In order to be able to decide objectively which data I am willing to share, there needs to be full transparency about how this data is going to be handled – why it is collected, how it is used and with whom it is shared.

As a user, I need to have trust and confidence in the environment in which I interact, so that my experience is not ruined by the fraudulent activities of counterparts acting in bad faith under fake identities. I should be able to prove my identity where it matters, in the same way in which credible providers of products, services and information should be able to distinguish themselves from impostors. We are all witnessing the 'fake news' phenomenon, and there are numerous cases of identity theft for the purpose of spreading misleading information. An identity verified with an official eID can help establish a level of trust without full disclosure of the identity, while always ensuring accountability and liability for particular actions.

At the same time, in certain cases, it may not be relevant or necessary to share my real name – e.g. for private social interactions and exchanges where freedom of speech might be jeopardised. I should be able to preserve a level of privacy and anonymity, for example by using a pseudonym or other "protected anonymity" mechanisms associated in a trustworthy manner with my electronic identity.

Another crucial aspect is the security of my data, which has to be properly ensured. Users often do not think about how their data is protected until their authentication credentials (very often simple passwords) are compromised. They often use an e-mail address as a username together with a password that is reused across a multitude of accounts. Or, just because it is so convenient, they rely on their social network profile to log in to other platforms and websites. We all need efficient and secure access to online platforms, providing a high level of online safety and strong protection against identity theft and fraudulent use compared to simple username/password combinations. And to further minimise the risk of compromised information, personal identification data need not be collected or stored by the platform provider, but simply verified.
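To make the minimal-disclosure, pseudonymity and "verify, don't store" points above concrete, here is an added example (not part of the original post and not the code of any eIDAS node) modelling an identity provider that answers only an age question with a signed attestation carrying a platform-specific pseudonym, so the platform checks eligibility without ever receiving a name or date of birth. The user records, dates, key values and the use of an HMAC in place of the identity provider's digital signature are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from datetime import date

# Constructed sample records held only by the identity provider (IdP).
IDP_RECORDS = {
    "alice": {"name": "Alice Example", "dob": "2000-05-14"},
    "bob":   {"name": "Bob Example",   "dob": "2010-09-03"},
}
# Assumption: an HMAC key shared with the platform stands in for the IdP's
# signing key; a real eIDAS node would sign the assertion asymmetrically.
IDP_KEY = b"constructed-demo-attestation-key"
PSEUDONYM_SECRET = b"constructed-secret-known-only-to-idp"

def _age_on(dob_iso, today_iso):
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def issue_attestation(user, platform_id, min_age, today_iso):
    """IdP side: answer only 'is the user at least min_age?' for one platform.
    The date of birth is evaluated here and never placed in the attestation."""
    rec = IDP_RECORDS[user]
    # Pairwise pseudonym: stable for this platform, unlinkable across platforms.
    pseudonym = hmac.new(PSEUDONYM_SECRET, f"{user}|{platform_id}".encode(),
                         hashlib.sha256).hexdigest()[:16]
    claims = {"aud": platform_id, "sub": pseudonym, "age_over": min_age,
              "result": _age_on(rec["dob"], today_iso) >= min_age}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": base64.b64encode(payload).decode(), "tag": tag}

def decode_claims(attestation):
    """Platform side: the only data the platform ever sees (no name, no DOB)."""
    return json.loads(base64.b64decode(attestation["payload"]))

def platform_verify(attestation, platform_id, min_age):
    """Platform side: check integrity, audience and the question asked, then
    return the pseudonym to register the account under, or None if not eligible."""
    payload = base64.b64decode(attestation["payload"])
    expected = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["tag"]):
        return None  # tampered, or not issued by the trusted IdP
    claims = decode_claims(attestation)
    if claims["aud"] != platform_id or claims["age_over"] != min_age:
        return None  # issued for another platform or for a different question
    return claims["sub"] if claims["result"] else None
```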

These are a few points I personally consider to be very important. In this regard, I strongly believe that eIDAS-compliant eIDs can provide a viable solution for addressing them and bring many benefits to platforms and their users. Having the possibility to use a secure and reliable eID (which I have at my disposal anyway) can be instrumental in building trust among strangers, while providing the necessary convenience and security. And since the use of eIDs in the global digital environment is a choice, not an obligation imposed by regulation, it is important to define collectively some principles and rules that we can jointly subscribe to and which reflect our common understanding of how we can interact in the future. This is the purpose of the Commission initiative to develop principles and guidance on eID interoperability for online platforms.

But I want to hear from you too! Are there issues that we all share as a common concern? And how about reflecting together on a set of principles to define and enable the possible use of eID in online platforms?

I look forward to hearing from everyone interested in the topic – online platforms, their private and business users, identity providers, member states, etc. I also invite you to join the discussions at the upcoming Workshop we are organising on 24 April 2017 in Brussels.