Germany's EUDI Wallet Implementation Will Require Apple or Google Account — Privacy Concerns Raised
Digital Identity Tied to Big Tech Platforms
Germany's implementation of the EU's eIDAS regulation for digital identity wallets will effectively require users to hold an Apple or Google account for the wallet to function, according to official architecture documentation.
The Architecture
The German National EUDI Wallet relies on security features provided by mobile operating systems:
- Hardware Key Store (HKS) — The secure element in iPhones (Secure Enclave) and Android devices that stores cryptographic keys
- Device Vulnerability Management — The wallet's security depends on the mobile OS vendor's ability to patch vulnerabilities
- Two-factor authentication — A possession factor (HKS) and a knowledge factor entered via the mobile device
The Problem
The architecture document explicitly states that wallet security depends on:
- Whether exploitable vulnerabilities exist in the device's HKS
- The security of the mobile operating system
- The vendor's vulnerability management practices
This means the EU's digital identity infrastructure is fundamentally dependent on Apple and Google's security practices and platform policies.
Assurance Levels
The eIDAS regulation defines several assurance levels. For "high" assurance level identification, the requirements are strict:
- Protection against duplication attacks by attackers with "high attack potential"
- Protection against misuse of authentication mechanisms
- ISO/IEC 18045 security evaluation of the key storage mechanism
Privacy Implications
Critics argue this creates several concerns:
- Vendor lock-in — Users must maintain accounts with Apple or Google to use government digital ID
- Single point of failure — If Apple or Google changes its policies, the entire digital ID system could be affected
- Surveillance potential — Tech companies gain visibility into government ID usage patterns
- Anti-competitive — No path for alternative mobile OS vendors to participate
Broader Context
The EU has positioned itself as a leader in digital privacy regulation (GDPR, Digital Markets Act). The eIDAS wallet implementation appears to conflict with these principles by centralizing digital identity infrastructure around two American tech companies.
Source: German BMI EUDI Wallet Architecture Documentation, Hacker News