The digital State of the European Union
Formal Metadata
Title | The digital State of the European Union
Title of Series | EuroPython 2023
Part | 32 / 141
Number of Parts | 141
License | CC Attribution - NonCommercial - ShareAlike 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.
Identifiers | 10.5446/68741 (DOI)
Transcript: English (auto-generated)
00:05
Hi, everybody, thank you. I'm still emotional after more than 10 years of Python. I am Roberto Polli, and I work at Par-Tec on secure, resilient cloud platforms. And I spent the last five years
00:20
in the digital transformation team, working on API interoperability and standards. And today, in this opinionated talk (opinions are my own), I will present the current state of digital services in the European Union, with a focus on normative and technical changes
00:41
and the real impacts on digital platforms. This requires introducing the European institutions and the strategy that the Union has on cross-border services. I will then present the digital identity as a case study to show some cross-border interoperability
01:02
challenges. And finally, I will show the European Interoperability Framework, which helps improve the user experience, cybersecurity, and maintainability of digital public platforms. But this applies to every service that
01:21
has to work cross-border. So if you have a service that needs to work between different countries, roughly the same principles apply. If we have time, we will speak about the impacts of the Cyber Resilience Act on open source. But there have been panels on this, so let's check.
01:44
So what's the European Union? Well, it's a lot of people, languages, wonderful places, like Prague, a big wave to Prague. And well, for me, it's having 27 member states that stopped fighting each other, and that's really great.
02:04
But Conway's law applies, and the Union's structure affects digital services. So let's meet the Union. Broadly speaking, European laws require the agreement of three institutions: the legislative ones,
02:23
that is the Parliament, elected by citizens, and the Council, composed of member state ministers gathered by sector, and the executive, that is the European Commission, which is agreed by member states and the Parliament. Well, shortly, you have a two-lane governance.
02:44
On one side, there is the Parliament, which is elected directly by citizens, and on the other, there are the member states. And as you can see, every institution works per sector,
03:00
and this really affects our lives. We don't know it, but it actually does. The Parliament works in committees, the Council per ministry, and the European Commission, which is divided into a sort of ministries, per directorate general.
03:21
So we have a vertical structure and a sectoral structure. Don't be afraid. And since the Union is founded on international treaties, the Commission can only propose laws in the specific policy areas mentioned by the treaties.
03:43
What does it mean for digital? That for digital, the policy areas that motivate what we experience every day, for example, from the digital green certificate to the European digital system, or the Cyber Resilience Act,
04:03
or all the laws about mobile phones, mobile chargers that the European Union has made uniform, are based on these policy areas. For example, the functioning of the internal market, see the phone chargers, and the European telecommunication networks.
04:24
And all this stuff materializes in two principal law types. The regulation, see the GDPR: a regulation is the same law for all countries. GDPR is one law in all countries. Another law that is a regulation is the eIDAS regulation
04:43
that establishes the identity framework for Europe. And the other one is the directive. A directive sets a goal. All the countries want to do something, for example, and this is the case for digital payments. In Europe, we want to enable digital payments.
05:01
Okay, a directive decided that goal, and every country implemented this directive in its own way. There are other types of laws, but we are not interested in them. Shortly, it's very easy. Three institutions, the Parliament,
05:22
the Council, and the Commission, discuss for at least two years, and then everybody agrees on a regulation binding the same law in all of Europe, or on directives implemented by member states. Governance is shared between member states and the European Parliament,
05:43
and one of the real issues, but it applies to many things, okay, is that digital is affected by different policy areas. So it's a very complex matter. Digital is pervasive, it's a very complex matter. So while digital is affected by different policy areas,
06:03
there is one strategy, the Digital Decade. It sets four goals and associated indicators: skilled population and professionals, secure infrastructures, digital transformation of business, and digital public services;
06:21
they are the main focus of this presentation. Okay, this seems very general, but actually, legislative actions like the Cyber Resilience Act, the Digital Services Act, the Artificial Intelligence Act, which make regulations, which regulate
06:42
all these parts of our lives, map to those goals. And well, there are various monitoring instruments, such as the indicators provided by the Digital Compass. There is the DESI index and the NIFO interoperability observatory.
07:00
Well, the nice thing about those monitoring systems is that they're published. So you can go on the website, you can download the slides, you can click on those links and check your country. There are all these reports, some nice infographics, and so you can monitor whether your country is doing okay or not,
07:21
and you can even try to support your country, because our countries, our member states, need us. So let's zoom in on digital services. Always more difficult. Maybe nobody knows, remembers The Twelve Tasks of Asterix,
07:41
but I grew up with that, with Asterix and Obelix running on and off between these bureaucratic offices, looking for permit A38. So Europe wants to get rid of that. And today we will present the European Digital Identity
08:03
that is established by the eIDAS regulation. It allows cross-border electronic identification, authentication and trust services. What's that? For example, a citizen, me, with an Italian digital identity,
08:21
I have one, well, actually I have two, can authenticate to a Dutch digital service, for example, to file a complaint. I did it, well, I didn't file the complaint because I was not a user of that digital service,
08:41
but I was able to log in and start filling in the forms. Or for example, I can digitally sign a document with my Italian digital identity and send it to a French company, and it is a valid digital signature. And another example, do you remember the COVID digital green certificates?
09:03
No, nobody? You were lucky. Okay, well, they were exactly digitally signed documents acknowledged by all European countries. And it was a stepping stone for the second revision of the eIDAS regulation.
09:21
Another important thing is the once-only principle that is established by the Single Digital Gateway regulation. So you can see infrastructures and regulation, because you need the regulation, you need a law to create infrastructure. It's not something where you can say,
09:41
let's create something, why do you want to do it? You need regulation. Even for spending money, your countries need to write regulation before spending money or investing in something. So the once-only principle states, well, that's mind-blowing,
10:00
that administrations must reduce the administrative burden, reorganizing their internal processes and exchanging data provided by citizens and businesses, eventually creating cross-border services. That's stunning. And then there is the software they use.
10:22
It is incentivized via the open source software strategy, but is then threatened by the current proposal, because it has not been approved yet and is still under discussion. So let's start with the European Digital Identities
10:42
instituted by the eIDAS regulation. eIDAS is more than digital identity, but we just have time for this now, sorry. A member state, that is Italy, France, Czech Republic, can qualify its digital identity system as eIDAS compliant. What does it mean, qualify?
11:02
It means that your country is not forced to do it. It can do it. And in this case, those identities can be used to log in to qualified digital services provided by other member states. And this system is working right now,
11:23
so check whether your country provides you a European digital identity, and you can try it on the next screen, prepare your phone, there will be a QR code for logging into the European Union website. But since every member state has its own
11:43
list of identity providers, and different user attributes, they require a national gateway, national components. So you see there are two users from different countries that are trying to use the service of a Belgian university.
12:02
The Italian, the user with the Italian identity, is redirected to the Italian identity infrastructure, which does all the checks and replies, and then brings the user back to the Belgian university. And this is the same for the Dutch user.
12:23
The fact is that you have 27 of those blocks. So there is a lot of stuff, a lot of checks. You will be requested to continuously give consent for your data going from your national identity provider
12:43
to a foreign country. And the general architecture is quite complex, but it works. And the major challenge is the re-identification of a user from another member state over time. Member states might not rely on identifiers
13:01
that persist over time, nor on unique identifiers. This means that the same German citizen can access an Italian service using a given identifier in 2020 and a different identifier in 2024.
13:23
Well, how can I recognize him? His identity has been changed. But well, this is not a problem inside a single state, since internally every state can implement further checks and use different sources in case of homonyms.
13:41
In cross-border interactions, the relying member states cannot access all the information of the country of origin. So in case of homonyms, a service may not be granted. Well, I don't want to focus on this problem
14:00
but on the general case. The case of persistent identifiers is debated between member states. Some say it is a threat to privacy. Some say that whatever we do, Facebook already has all your information, so why not use it to provide services? But my personal opinion, what I've noted,
14:23
is that this kind of issue only hinders services for citizens. This is because in case of issuing sanctions, the regulatory framework of all the countries already allows gathering all the information they need.
14:40
So if you need to be sanctioned for something you have done, there is all the legal background to identify you. But if you need to consume a service, since the framework doesn't allow all those exchanges, there are data protection concerns.
15:06
But the point is, this is a topic where not all member states agree. This was the screen. If you want to try your eID login experience, you can try it on the European Union website.
15:24
You will be prompted with all the countries that currently have eIDAS-supported identities, and the other countries will eventually join in time. But the first thing that you will be asked is,
15:42
which is your country? Because you will be redirected to your country's gateway. Currently, you should just focus on the eIDAS login. There are other ways of logging in, but they are facility logins.
16:01
For example, Google. But they are not capable of identifying you. While if you log in with your European identity, they will know that it's you. So it's another way, the quality of the identification is different.
16:22
So eIDAS identification is a great case study for interoperability changes, challenges; it has technical components, organizational challenges, and so on. The European Interoperability Framework supports the creation of user-centered interoperable digital services. And the governance layers are one of the pillars
16:42
and classify possible challenges. Number one, legal constraints. Is my service legal in all other states? Do I need to implement further functionalities? For example, I take out functionalities. This means that creating a cross-border service
17:01
requires addressing legal issues first. Do you remember GDPR and all that stuff? Legal issues first. Then come organizational issues. They are related to the inner functioning of organizations, such as institutions or companies. Well, it's Conway's law again.
17:23
Then we have semantic issues that cover both the meaning and the syntax of exchanged data. Do my APIs use the same format? If our APIs use different formats, our systems cannot cooperate. If I use SAML and your identity system uses OpenID Connect, we cannot interoperate.
17:43
Do we use the same currency or temperature scale? Otherwise, we are communicating information, but it does not have the same meaning. I gave a talk on this topic, and if you're interested in that, just come back. And then there is the technical interoperability. It defines all the required standards.
18:03
Protocols, infrastructures, such as the OpenID specifications, TLS encryption algorithms, URLs and so on. So you can see this as a design pipeline. If you don't address a legal issue in the legal layer,
18:22
it will shift to the organizational layer and so on until reaching the technical layer. And the more issues you shift right, the more your service will be unusable.
18:41
We can see all the issues, while this is a split-up of the eID on the various layers, I'm not going to go through all of that, but I want to go back to the first example. All the issues that I haven't addressed at the legal
19:01
layer, that is where member states couldn't agree in a suitable time, eventually shift right. So since there is no agreement on cross-border identification, in case of homonymy, service providers have to establish organizational identification procedures.
19:22
So they have to identify procedures, maybe they will call each other. Is Bruno Ganz the same Bruno Ganz that came back with this identity? Well, they won't go by phone, probably, hopefully, but it means that the issue has shifted right.
19:45
And so this is for fear of providing data to the wrong person. At this point, organizations and service providers can decide to ensure identification. This is always an example on the eID.
20:02
Pick another topic, for example, digital payments, and you will have similar issues. So at this point, organizations and service providers can decide to ensure identification with further data exchanges, creating one-to-one agreements.
20:21
So instead of having one single European framework, all the shifted-right topics are solved by member states. For example, since Italy and Germany have, for example, five million people,
20:41
I just throw out a number, maybe it's more, that work or interact cross-border, five million citizens, they decide that what they cannot agree on at the European level, they create specific infrastructure for communicating or checking identities between the Italian revenue system
21:01
and the German revenue system, for example. This means procedures and eventually technical components, more hardware, more software, more tests that have to pass. So shortly, shift-left interoperability.
21:22
Legal and organizational interoperability enable direct communication between services because the legal and organizational framework is clear. Shifting right issues to the technical layer might increase the overall complexity to the square, because we have to implement, outside the organizational and
21:44
legal framework, all the possible interactions and conversions and unit tests and integration tests, and to create all the platforms whenever regulation in a single country is updated. So such point-to-point connectors
22:01
address specific issues, need to be maintained, operated, and eventually aligned with each member state's regulation. This increases architectural and transactional complexity and affects the security posture of the components
22:20
and clearly of the whole ecosystem. So shifting left on the interoperability pipeline is key to ensuring and creating secure, manageable cross-border services. One example, for example,
22:41
not on national digital identities, was OpenID Connect. You don't need to sign any agreement or to create specific components to translate OpenID tokens from Google and Facebook. You just use OpenID tokens from Google, from Facebook.
23:05
They have the same fields. I mean, clearly they do not provide the same guarantees that certain identification does. But again, it's just an example.
23:20
Every block that shifts right to the technical layer requires specific technical specifications, specific specifications, no pun intended, that are subject to the following risks. Those are the risks that you have when you define technical specifications.
23:44
Over-complexity. Bureaucratic, non-digital processes are mapped to convoluted API designs without a proper redesign. Time-constrained engineering. We have five people.
24:02
We have six months to release a new specification for this topic. And whatever we do, it will be released in six months, and nobody cares. We are a restricted group. There is very little feedback.
24:25
This is very problematic. Another one, closed development. The IT community is rarely involved in all these kinds of specifications. Development happens in a closed environment, or for security reasons.
24:41
Sometimes even the specifications are closed. And redundancy: when built on variations of existing standards without keeping in touch with the original communities, you will eventually end up with messy, complicated, and redundant specifications.
25:01
Well, we have five minutes. I can just, I just want to say one thing about open source and the Cyber Resilience Act. My understanding is that the problem is related to this topic being faced
25:21
by different parties, different institutions, and not every institution has the same knowledge about the topic of open source. For example, the Internal Market Committee made
25:41
some good amendments and improvements to the Cyber Resilience Act proposal, while the Industry Committee made some further amendments that don't help improve it. This is because the industry mindset is different from the mindset of people that work
26:06
on the internal market and in general on products or software products. So the main topic is this one. It is important for us to discuss and support the discussion in our companies
26:24
on this topic, and even with our friends that work in legal departments, for example. The legal people are really, they are good at legal, but they don't understand software. Software is not easy. Digital is pervasive.
26:41
So it is a very, very, very complex topic. So I am finished. Sorry for the rush. And thank you, I don't know if we have one minute for Q&A, but if we have, what, that's it?
27:30
Okay, well, if there are no questions, you have one? No, please. Okay. So one example of the critical parts of the CRA
27:43
that equates professional software developers and manufacturers like Google and Samsung is this one. When you say why open source should require all the qualifications that you have asked,
28:00
even for single developers, the industry mindset tells us: a mobile phone manufacturer, for example, Google, may refuse to provide security upgrades, saying that they just provided open source software, and it is provided as is, so they are not forced.
28:25
They should be exempted from providing security upgrades on your mobile phone because it's open source. So this is for saying that when we see all those regulations, the first thing we think
28:41
is that they are crazy. The fact is that they are not. They have a different mindset. We need to learn the different mindset, the different culture, and try to exploit them and explain better and discuss better why those regulations are problematic.
29:02
So now it's really the end.