We interviewed one of the most influential figures in applied cryptography in Europe: Bart Preneel.

Bart Preneel is a professor at KU Leuven (the Catholic University of Leuven in Belgium), where he heads the COSIC group (Computer Security and Industrial Cryptography), one of the world’s most respected research teams in cryptography and security.

During the Covid-19 pandemic, Bart Preneel was among those who designed the DP-3T protocol - Decentralized Privacy-Preserving Proximity Tracing. This solution would go on to form the core of numerous contact-tracing applications across Europe in 2020 and 2021. While the protocol chosen by countries such as Belgium and Germany was privacy-respecting, in practice it relied on the Apple and Google APIs. These decentralized applications were designed to prevent governments from gaining access to the data.

In effect, privacy protection from state surveillance was guaranteed by… two American companies. At the time, this was seen as an acceptable compromise justified by the urgency of the situation, and one mitigated by the temporary and limited nature of the system.

The cryptographer therefore knows exactly what he is talking about when he highlights the risks of deploying, on a structural and permanent basis, far more sensitive data through the European Digital Identity and the age verification application — both of which rely on Google and Apple APIs.

“Google, which already exerts extensive control over the Android ecosystem, could use this to further strengthen its influence, particularly in future developments,” warns Bart Preneel. “Here, Google and Apple control everything; they see everything that happens on the internet. This is a considerable advantage handed to them by the European Commission.”

Bart Preneel has received numerous prestigious awards, including the RSA Award for Excellence in Mathematics in 2014 and the ESORICS Outstanding Research Award in 2017. He is a highly regarded member of the IACR (International Association for Cryptologic Research), of which he has served as president. In 2024, Bart Preneel was elected a member of the Royal Academy of Sciences and Arts of Belgium.

L’Eclaireur – Is there a direct link between Immuni, the Italian StopCovid app, and the European digital identity application? Immuni, which had major vulnerabilities, did it serve as a “model” for the European app? In both cases, we see that the promised anonymity is illusory, that these tools are highly vulnerable, and that proven solutions exist to address these issues - blind signatures for Immuni, BBS anonymous credentials for the European app - yet they were not used…

Bart Preneel - Immuni, the Italian contact-tracing app developed during the Covid-19 crisis, was not the best solution either technically or in terms of privacy protection. Other countries, such as Switzerland, Germany or Belgium - where Bart Preneel was technically responsible for the development, editor’s note - put forward solutions that showed far greater respect for user data.

That said, what we managed to achieve was to deploy an application to more than 100 million Europeans in just three or four months. This success actually inspired the European Commission to launch a similar project, this time for a digital identity application. That is precisely what is generating a great deal of interest today.

Immuni did indeed have significant shortcomings in terms of privacy protection, but it was developed under extremely difficult conditions. There was also a clear tension between the objectives of the medical community, which wanted to collect as much data as possible, and those of the technology and privacy experts, who were far more cautious about the information to be gathered.

It was around that time, in 2021, that the European Commission announced it would create a European identity application within two or three years - what later became the European Digital Identity Wallet (EUDI Wallet).

As was the case with the contact-tracing applications during the Covid pandemic, this is not a single app managed at the European level, but rather a set of common rules and standards. Each Member State then develops its own version.

In this digital age, I believe it is a good idea for governments to offer an integrated identity application. Personally, I do not see any major problem with it. In my view, it is preferable to entrust this to governments rather than to the private sector. After all, a State already legitimately requires data on its citizens to manage healthcare, taxes, social benefits, and many other public services.

The big issue with this application, in my view, is that it will not be used solely for public services. It will also be used by the private sector - for booking plane tickets, train tickets, rental cars, hotels, and so on. In reality, it will become an app for almost everything. If we entrust this to governments, we protect privacy in the most effective way possible. Because we certainly do not want the State to develop tools that would allow private companies to track citizens everywhere and obtain authenticated information such as their address or date of birth.

The European Commission has understood this well. The legislation includes numerous safeguards designed to protect privacy to the greatest extent possible. In this area, the eIDAS 2 regulation is not a bad piece of legislation. Moreover, the wallet will be optional — this is clearly stated in the 2.0 digital identity regulation. The application will not be mandatory and must not exclude any citizen.

The real challenge now lies in its practical implementation.

The Commission has chosen technical methods that allow a person to be identified or to prove that they are over 16 years old, without transmitting any additional information. Neither the full date of birth nor the address nor any other unnecessary data is shared. Technically, this is entirely feasible. This was more or less the vision we wanted to implement.

With this application, the government will therefore have access to all the necessary information about the citizen. In contrast, the private sector will only receive the data that is strictly necessary - what it needs and nothing more. This is the underlying philosophy of the entire project.

On paper, it is a very good idea.

The problem is that it is extremely complex to implement. We are not ready yet - but the European Commission is pushing very hard anyway, in order to move forward quickly. First of all, we need protocols that can resist attacks from quantum computers (post-quantum cryptography). In addition, the Commission has mandated that the application must be tied to a single mobile phone. This creates significant technical constraints and raises questions about which technical solutions are actually viable.

With more than a billion different phones in use, this also gives far greater control to Google and Apple.

Many European researchers believe that the current solutions are not the best way to tackle this complex problem. They are calling on the Commission to give them time to propose solutions, conduct an in-depth study, and then select the best option. This would likely take one or two years.

However, Paolo de Rosa, the CTO of the EUDI Wallet project, naturally does not want to see his project slowed down or halted. In March, he presented Google’s Longfellow solution 1 at the RSAC conference in the United States. This choice has strongly displeased several Member States. France, in particular, is far from satisfied with a solution that is too dependent on Google, and it is not the only one.

At its core, there is nothing inherently wrong with this approach. But the fact that the solution is not yet fully mature, that it has certain shortcomings, and that it is tightly controlled by Google is far from ideal.

It is true that the wallet data would not be centralised on Google’s servers and that the code for their proposal is open source. The problem, however, is that Google - which already exerts extensive control over the Android ecosystem - could use this to further strengthen its influence, particularly in future developments.

It should also be understood that the solutions chosen by the Commission emphasise official standards and norms. Therefore, even if an academic researcher were to come up with a far better solution today, or if we started from an open-source technology, it would still take twelve to eighteen months for it to become a recognised standard.

Google, on the other hand, has far greater resources and much larger budgets. It is clear that, in this debate, a major corporation like Google enjoys an enormous advantage over academics or small companies. That is the core of the problem.

If we choose to tie the application to a single phone, we are de facto placing ourselves under the dependence of Google and Apple. Because to bind an application to a smartphone, you have to go through iOS or Android. The problem with open-source mobile operating systems (such as GrapheneOS or certain solutions offered on Fairphone) is that they give the user full control, which could allow them to clone their identity across multiple devices. This is why the anti-cloning requirement restricts the choice of operating system to iOS and native Android.

In this situation, Google and Apple control everything; they see everything that happens on the internet. This is a considerable advantage handed to them by the European Commission.

L’Eclaireur - Have the independent experts who have been raising the alarm and publishing open letters since 2022 been involved in these discussions?

Bart Preneel – We do have discussions and there are regular meetings on the subject. Belgium is represented by an expert. As for myself, I do not participate in them physically. I can answer questions, I can speak with the Belgian expert, but I am not admitted to these meetings. By contrast, Google seems to enjoy much broader access. It is quite strange. That is how things work.

But I must be honest: there is currently no academic solution that matches the same level of maturity and reliability as Google’s Longfellow proposal.

L’Eclaireur - In short, what we need is a European Google...

Bart Preneel – Or else they should genuinely give power to the researchers and organise an open competition. In two years’ time, we would clearly see which is the best solution. But the Commission no longer has that patience. The Commission wants to move forward at all costs. It wants this application to be available by the end of the year.

L’Eclaireur - Why?

Bart Preneel – For the Commission, this is a matter of honour: they want to roll out this application now. There are also very strong personal commitments at stake. In 2021, they promised a launch in 2024. That was then pushed back to 2026… and now it will probably be 2027 for several countries.

If we decided to launch an open call for tenders to find better protocols, it would cause a delay of several years. The project could have been managed better since 2021, particularly in terms of collaboration with the academic community.

L’Eclaireur - Whether it is the DSA for online hate, ChatControl, or the age verification on line for the protection of the most vulnerable, these initiatives address legitimate issues but ultimately fail to deliver the right technical solutions…

Bart Preneel – There is still work to be done, yes. At the same time, we must also consider that another application is currently under development: the age verification application. And this has become a political priority. The major difference is that this application will be mandatory for everyone. Without it, it will no longer be possible to use social networks. Indirectly, this risks making the digital identity wallet almost compulsory.

That is not the optimal solution either. The Commission asked Deutsche Telekom and Scytáles to develop a reference application for the Member States in order to speed up the process. The result: the application was hacked and broken within the first hour of its release.

L’Eclaireur - Is going through an application and all these technological solutions the only way forward?

Bart Preneel – From our experience, we believe this is a very bad solution. In Australia, where access to social networks has been banned for under-16s since December, a majority of them continue to access them. There are many ways to bypass the restriction, particularly through VPNs. Not to mention the problem of people who do not have a smartphone.

What about elderly people, for example, who do not own a mobile phone and go to the library to check Facebook and keep up with news from their children and grandchildren?

And the European Commission has already announced that it intends to ban VPNs. We risk ending up with the same kind of social control as China’s Great Firewall. Social networks must be held accountable: they are toxic. They need to be improved, rather than shifting the entire problem onto users.

I have just come back from the Belgian Federal Parliament. Politicians want an immediate solution to address the legitimate concerns of citizens. Even when we explain all the problems to them and make it clear that there is no technical solution that does not come with very significant negative side effects, they still insist. It is a political response: they have the feeling that they have done their job and taken every possible measure.

L’Eclaireur - Behind this online deanonymisation enabled by these technological flaws, do you see a risk of mass surveillance?

Bart Preneel – I believe mass surveillance already exists today, but it primarily takes place through social networks. Even if you use a pseudonym, it is not truly anonymous: a government can always request companies such as Google or Meta to reveal the real identity of the person behind the account. So the situation is not straightforward, and this new application will mainly introduce far more surveillance.

It may perhaps make it slightly easier for governments to know who is doing what on social networks… But for me, mass surveillance is not the real issue. The real problem is the exclusion it will create, the high cost, and the inconvenience for many people.

Looking at what is happening in the UK and Australia, we know that half of the children will continue to access social networks despite the bans. Is this really the solution? We already know in advance that we will end up with the same result.

If we really want to make this mechanism effective, we will end up with a Chinese-style system. In China, the government has total control over what happens on social networks. It can block pornographic images or any information it dislikes. It can do whatever it wants. Certainly, it “protects” citizens, but unfortunately we lose diversity and freedom. It may be a political solution, but at what cost?

For us technical experts, there simply are no good solutions to this problem. The real solution, in our view, is to tackle the social networks directly - which are toxic - and to change their economic model based on capturing users in order to maximise advertising revenue.