[MUSIC] [MUSIC] [FOREIGN] [APPLAUSE] >> Okay, actually, because this is a European issue, I would like to give this talk in English and there's a German translation. I hope that's fine. I mean, [FOREIGN] like we could do both, but I thought I will do it in English. Is there anyone here who does not speak German? There are a few. Okay, good. Let's stick to English if that's okay. >> Is there someone who doesn't speak English? >> Is there someone who doesn't speak English? The thing is, the translation is in German. So you can really get those headsets and then that should work. Otherwise, if I use words you don't understand, just raise your hands. I'm going to use the German equivalent. There is a little bit of monetary lingo in there, so bear with me and I can translate it on the spot if you want.

So before we get started, a little bit about me. My name is Thomas Lohninger. I'm executive director of epicenter.works. We are a Vienna-based digital rights NGO and I'm also vice president of EDRi. And all that we will talk about here is EU legislation, is binding law that will come our way in the next months and years. And it's actually three laws that we'll cover here. First is the digital identity issue. There is a law where we are already two years into the process. Then there is the digital euro and then there is also a third law, which is a right to access of cash, like bank notes and coins. Something that is in many national debates, I think in Germany and Austria at the forefront. And there will also be legislation about that.

But we start with eIDAS, with the digital identity reform of the EU. This is a regulation, so it's directly applicable in all EU countries. That means it will top any national law that we have, any national ID card in Germany, ID Austria. All of these things will be surpassed with this European system. And what actually is the plan of the EU? It's a full harmonization.
So it should be one digital identity system that works across all 27 EU countries. And what it does, most importantly, is it establishes a European digital identity wallet. So this piece of software, most likely an app on our smartphones, we are the holders of that app. And it will hold many attributes about us. Our national ID, our driver license, our age, our COVID vaccinations. It's actually an open system when it comes to the attributes that can be contained within. So it would be very easy for, for example, a hotel booking, your room key could be in there, your public transport card, your credentials to log into your bank account, all of that. And the system is also open to the other side, the so-called relying parties. So it will be used with governments when you log in to do your taxes or any other type of filing. You could order a taxi with it. You might use it in order to prove that you have a hotel booking reservation or a restaurant table. Commerce is a very central part of that. So it's not just for the public sector, it intentionally opens up digital identity from the state government issued to the private sector.

And so this sentence sums it all up. The function scope of this European digital identity wallet is a universal infrastructure to identify, authenticate, and verify attributes for legal and natural persons, so both companies as well as humans, vis-a-vis the government and the private sector. And you can also sign legally binding any type of contract with that thing, and it will work online and offline. So in physical proximity or online with an Internet connection remotely.

And you already see, I think, the basic problem. This is one piece of technology that will be applied horizontally across all sectors. So it's easy to see why the government needs to know who you are when you do some filings with them. But it will also be used by mobile phone providers in order to verify who their customers are. They are legally obliged to do that.
Similarly to the bank or notaries. Any type of age verification, if you want to buy tobacco or alcohol, or there are several proposals, as we'll see, that oblige online platforms to do age verification. eIDAS might be the tool that you promote strongly for fulfilling these age verification use cases. And importantly, we'll also see this in the media sector, so newspapers. Wherever you have these Abramon subscriptions, you can pay 20 euros a month or just give us your consent. It will be used in these scenarios most likely as well. And credit scoring like Schufa, public transport, all of these use cases besides Big Tech are also in the cards.

The EU is aiming by the end of this decade that 80% of all people are using this system. So 80% penetration. And you can say roughly around 50-60%. It gets really interesting for the private sector to interface with that system. Because I mean, it's basically a free, cheap way to identify your people, your users, your customers, your visitors. And that means any customer relationship management will jump on this thing. But the EU also does specific stuff to promote the system. Any big online platforms like the ones you see here will be obliged to offer the wallet to log into their service. So you will use the European Digital Identity Wallet, or you will be able to, to log into Facebook, Amazon, and so forth.

As I mentioned, this is not something that happened yesterday. The law was proposed in June 2021. And here you see the timetable of everything that has happened in the European Parliament, in the Council. We are actually at the very final stage, the so-called "trilogue", where the three institutions, Parliament, Commission and Council, negotiate the final law. We just had a kind of a huge victory end of June, where we could kill a few things. I'm going to talk about that later. And right now we have Spanish presidency. You might remember there was a snap election in Spain in July. New government is still formed.
But we are expecting that the Spanish will conclude the law. And by 2025 or 26, most likely the governments will be obliged to offer this wallet to their users, to their citizens. But some member states could choose to do it earlier.

What's driving this reform? Actually, a lot of supposed efficiency gains. Estonia is really popular with saying we have billions of public money that we are saving because we have digital identity. And those arguments are picked up by many other countries as well. So these efficiency gains are a really strong reason for libertarians and conservatives to push for this reform. A second important reason that you see throughout the EU is this blind digitization belief. Everything is better if it's done digital. Of course, the potential for control, for insight, for surveillance of all areas of life is huge with this system. If you can observe transactions, user behavior, I know when you log into Facebook, when you interact with the government, which travel routes you take, and even physical interactions if you would do anything with a hotel or restaurant could be in that system. So it really is a kind of a panoptical thing. And a real reason that we hear from the politicians is if we don't do it, Google, Apple and Facebook will do it. They have wallets. They have identities. They have many users. They could also do an identity solution. So that's the argument that the Commission is officially also putting forward why they are doing this. And lastly, you know all that we are living in the age of large language models. Proving to be a human will become increasingly difficult. And that would be a way to also do that, to replace CAPTCHAs and prove that there is a human or someone with such an app on their phone in front of the computer.

And as I was hinting, this eIDAS reform, this wallet, is just one piece of the jigsaw puzzle.
We have the European Health Data Space, which digitizes all of your interactions with your doctors, with your insurance, with your pharmacies, with your hospital, and your medical records, prescriptions that you will take to the pharmacy will all just be attributes in the wallet. So this will be the central key for the whole health sector. Driver licenses will be also one other attribute. And the infamous chat control, the CSA regulation, of course heavily has an age control element, an age verification element. And as I said, eIDAS will most likely be the way to fulfill that obligation.

As I said, we are two years into the reform. What is actually now on the tables? For us, the biggest problem would really be to have this observable. To allow any central entity, an issuer of this wallet, to observe our behavior, to look into all areas of life. So unobservability really is key. There are technical standards to do this. If you remember the QR codes that we all use in the pandemic to prove that we were vaccinated or recovered or tested, we actually managed to get strong unobservability into that law back then. And we are now also trying to uphold that same standard because vaccination certificates are just one of many attributes that will be part of that system.

Okay. One good news, one big problem that we saw is a unique persistent identifier, basically a serial number for humans that would allow tracking and profiling on a completely unforeseen scale. It would be one social security number, but not just used in the health sector, but also used whenever you interact with the government, whenever you are logging into Facebook or doing a hotel booking and so forth. So that would really be a super cookie that follows you everywhere where you have no way of opting out. That was a big point where we fought against the commission. And I'm happy to say that by the agreement from end of June, we could actually kill the unique persistent identifier.
So that's no longer in the cards.

Next thing that we can strike off the list is so-called QWACs. What are QWACs? If you have been in the internet in 2005, 8, 9, you still remember those blue check marks in the address bar of your browser? They were called extended validation back then. They failed. All browsers decided, no, that's a horrible idea. We leave this aside. Now the EU is mandating to reintroduce those check marks for URLs for proving ownership of a website. And they do it by obliging all browsers to include the certificates from every trust service provider in their key store for public certificates. And what this would allow is traffic interception on a large scale. Basically, you can do man in the middle. You can fake ownership of Google.com, of Deutsche Bahn, Deutsche Bank, from every website if you are in the root CA store of a browser. And that's why we pointed out this potential for huge surveillance and for interception of traffic, for undermining security. And I'm happy to say that we got an agreeable text in the June trilogue meeting. At least security is a reason to refuse certificates. Privacy sadly didn't make it into this thing. I also have to say that this is the only element, the only article of this whole reform where we had support from other actors, other NGOs like ISOC and EFF were solely working on that. So were Mozilla and Google and Microsoft, everyone who has a browser or who has good contacts with the big NGOs, they were working on that. And this is now concluded. But again, like for us, this is just a minor thing. We were never focused on this particular issue.

To understand the framing that we've used and what has worked for us as an argument, we always talked about the risk of over identification. Right now, there are many things that we can do with interacting with other humans, by doing commerce, exchanging money and so forth, that we can do anonymously.
Or even if you are asked to write down your name on a piece of paper, you can give a fake name. You have a right to pseudonymity. You could spell your name differently and that would all allow you in certain ways, keeping your privacy while interacting with others. With this system, cryptography prevents you from doing that. You don't have a reason to lie. And over identification means that we lose, practically speaking, a lot of the anonymity that we enjoy today. And this risk of over identification really is vast. And we were actually supported with that from the European Data Protection Supervisor, the Datenschutzbeauftragter der EU, with his statement in February this year, where he said, like, you cannot just give this wallet into the world and then rely on consent, people saying yes or no, or if they want to share something about themselves or someone, you need to restrict what people are allowed to ask someone. Like, if I'm not a health provider, why would I need to know if you're vaccinated? If I'm just giving you a hotel room, why should I need your family status? So we really need to restrict the use cases. That's something that we fought for heavily and the one thing where the parliament is really not as much on our side as I would like, because of course business interest is heavily against us. But at least we have the EDPS on our side and that is still an open fight.

And what the data protection community also has to bring to the table here is we cannot rely on consent. You cannot have this OK or pay buttons that we see on news websites all over the world. There are so many situations where you're simply not able to say no. If it's late at night and you need to gain access to an establishment, then you will not refuse. You will always, you can also have a border situation where it's very hard to say no if you want to enter into a country. So simply relying on consent would be very dangerous and would put the most marginalised people at risk.
Secondly, real name policies. This debate has two sides. There are first and foremost real name policy laws that we have seen over the years nationally. In Germany in the mid 2000s, in Austria in 2019. It's the basic idea that oh you want to post on the internet? First give us your legal ID. Otherwise you're not allowed to comment, not even in a forum. And these laws usually failed because it's very expensive to identify someone. We are talking single or double digit euro amounts for every identification of a user. That makes many forums economically no longer viable. So that's why real name laws would be technically and economically feasible if this goes through. And this is a real risk that we cannot really address with this law individually. But where I have, yeah, definitely there is a tectonic shift if suddenly everybody has means to identify themselves freely and cheaply vis-a-vis any private entity. And so what we got into the Parliament's mandate, like the text that the parliamentarians adopted, is at least that there needs to be a law. Facebook would love to have this just in the terms of services to say oh we don't allow pseudonyms. You need to give us your legal name. Our advertisers would love to know that. And that would prevent at least companies from asking for identification. If there is no legal, know your customer requirements. So banks could do it, mobile providers could do it, but not just any company. Not the Schufa for example, credit scoring institutions.

Another most important thing, I mean we are talking about access to government services. That includes every single individual. Also the old people that are just not able or not willing to use smartphones, the privacy minded people like us here, young people that simply don't have a smartphone, or undocumented migrants who don't have a legal residency status. This system could also marginalize many, many people.
And the problem is that once we kill the analog processes, once there is no longer a government building where there is a person that you can talk to and you can fill out a piece of paper, if everything moves digital, it's very hard if not impossible to reintroduce an analog process. So if we don't save analog processes now, we might lose them forever. And so that's why one of the things that we introduced as a fail safe for real name policies and for everything here is really a non-discrimination provision. And I'm happy to say that the parliament adopted this in all four committees and in plenary. And what this would do is basically save us in every situation where we don't want to use this wallet. You could have it in your smartphone, but simply choose, "I don't trust that guy. No, I don't have the wallet." And you should not be restricted or hindered in any way. That's what this provision says. And it would be a right that you could also then litigate about. So if somebody infringes that, you could put them to court. And it would be at least a fail safe for any type of discrimination from people that choose not to use this wallet. On the good side, I mean, there are zero-knowledge proofs in the law. What this means is that I can prove that I'm above 18 without giving my birth date, without giving anything about me. Simply I can check that I'm living in this postal code and I'm above this age. You could do any type of check in the form of a zero-knowledge proof. The parliament mandates this. Let's see whether it survives in the final law. And because we're here at an IT security conference and a hacker conference, I also briefly want to address the huge potential for security vulnerabilities. I mean, this thing would be critical infrastructure. Imagine that a downtime of a day with this. You could not use public transport. You could not interact with your government. You might not be able to access your hotel room if you are a tourist. 
You will not be able to log into your bank account. So many things would not be available to people if we have this single point of failure. And of course, it would be a prime target for any statewide actor or criminal syndicate if you have the health, financial and identity data from half a billion of the richest people of the world in one system. The whole surface is huge. And just here, this is a real slide. The development that the commission foresaw was like one quarter. Yeah. They, of course, didn't manage to keep the timetable. In September, we are supposed to see the first open source implementation of the wallet. There is a lot about the technical stuff that I'm happy to answer in Q&A. It's a disaster to put it mildly. But I mean, at least there will be an open source implementation from the commission of this wallet. And if we succeed in Parliament, then we might also see the source code of the national wallets because every member state has to do their own wallet based on the template from the commission. And the Parliament rightfully said, no, no, no, this needs to be open source.

Before I leave this eIDAS part and go to the other two laws that we need to talk about, I briefly want to address why there is no huge complaint from us on this issue and why we haven't simply called for rejection of this bill. When this law came out in June of 2021, we actually waited for half a year after our first reaction to select. Is there anyone willing to work on this? Nobody raised their hand. And in the second half, this first half of 2022, we actually started to work on this, published papers, but we're always engaging with EDRi, the whole network of over 40 NGOs, the consumer protection organizations in Europe and also vzbv in Germany. Also hacker communities like the Lidlitman. Sadly, nobody of them actually wanted to work on this. vzbv now has it in their work program for next year when the law is done.
But that's why we couldn't do a campaign as one NGO. This is a group effort. I've done this in the past. You really need all hands on deck for that. And only then can a campaign viably make a difference because you need people on the ground in the language group in order to make a difference. And why we haven't called for rejection or not only for rejection. We always said it would be a better world if we don't have that. But we also said like, OK, these are the safeguards that at least have to be in there if you want people to trust the system. And the real problem was also that they have this argument that if we don't do this, Facebook and Apple will do it. And that is in Europe, a very strong driver because big tech is the devil. And whenever Europe can save the people, it is very difficult to get a majority against that argument. And the Commission has used it heavily. And a rejection at this point would also be better for Europe, I think, in the short run. But this will pop up again and again. And at least now at this point, we still have the possibility to prevent national systems from overtaking this use case. And in many member states, the European system is a huge improvement over what people have now. And I know that in Germany this might not be the case, but I do policy for all of Europe. I cannot just orient myself on what would be best for one country. We'll go back to Q&A about the eIDAS.

But first I want to talk about printed money and cash. There is a law that gives us access to cash and an obligation for people to accept cash, vendors to accept cash. This is a totally overlooked law, but I love it because it would put this stupid idea and debate to rest that we have to put the right to cash in the Constitution. You have these debates from right extremist parties all over the EU. And actually this law would more or less solve this problem. Of course, this is connected to the digital euro.
You cannot have an obligation to accept the digital euro if you don't have an obligation to accept cash. So those two are linked. What the law says, basically in a nutshell, I'm going to boil this down, is that the ability to cash in the forms of ATMs and cash counters at a bank that give you out paper money, that needs to be available throughout the territory of a member state, also in rural areas, and member states are obliged to provide access to cash to the citizens and residents. And then there's also an obligation on any type of payee, a Verkäufer, a vendor, to not unilaterally exclude cash. So you need to accept if someone comes with a 10 euro note, in theory you should not say, "Oh no, no, I only accept a visa." Of course there are exceptions to that obligation to accept cash. If it is justified and temporary, for example, if somebody comes with a 200 euro Schein to pay like 3 euros, then you are able to say no, because you simply don't have enough cash at hand to give change. But importantly, it needs to be justified and temporary. So you could not have a blatant "no cash accepted here" sign. That's in the law, but we already see high commission officials backtrack from that. So this is something where we need to be mindful to protect the right to cash. And there's also some ugly thing that the commission or member states could add further exceptions to this obligation. So practically speaking, if you see any of these signs, cards only, no cash, they should be restricted if this law is adopted. And that's exactly what we are fighting for with this minor legislation that was just announced in June of this year.

And yeah, summing it up, I mean there's the weak obligation, but I think we can fix that. Enforcement is wacky and we have not enough transparency and most importantly they force all the right to complain. Like if you are living in a rural area and there are no ATMs anywhere around, you would have to drive 30 kilometers to get cash.
You can complain, but there is no guarantee at all that you would actually get a remedy, that they would help you. And we would like to change that. That's it for this law.

Let's talk about the digital euro. Maybe that's why you're here. So, that water was a mistake. So first let me say that the European Central Bank is not early with this. We have central bank money in many countries around the world in various stages. Sometimes they're just research projects, sometimes it's full-fledged digital cash available. And there are many of these maps, just Google CBDC, money, map. There are several of these maps. And so, of course, this whole issue is kind of related to the cryptocurrency movement, Bitcoin and so forth. But then really it's not. The real reason why we are having this debate is because a few years ago, before the pandemic, Facebook announced that they're going to do Libra, their digital currency. And that was really a huge scare for central bankers all around the world. And that prompted many of them to move in that direction. Another justification that we often hear from central banks why they need to do digital money and no longer just paper money is because so much of our commerce is digital. And believe it or not, but your bank account or your credit card, although it is in a currency, that's actually not Notenbankgeld. It's not really currency from the central bank. It's just an obligation with Visa, an obligation with Deutsche Bank. And so that's another reason why they say we actually need to be in control of these monetary systems. And from a European perspective, a lot of it is also that we don't want the Visa and MasterCards and other American companies to fully control the payment system online. So there's a little bit of a digital sovereignty argument that the commission is making here as well.

Let's boil this down, what it would mean in practice.
So this digital euro, every business would have to accept it, except if they have below 10 staff and below 2 million of revenue per year. Then if they are bigger than that, they would have to accept it. Nonprofits are also exempt. But if any type of company or nonprofit offers digital payment, they have to offer digital euro as well. And the commission can add further exceptions. That's a thing that we see more and more that they always give themselves the power to add something to the law later. Let's go back to this card here, to this picture of a cards only no cash sign. When we go to the digital euro, it would mean they accept cards. That means they have to accept the digital euro. So you could have only cash sign, but any type of digital payment always has to include the digital euro. For us as consumers, there would be no surcharge, but the merchant might have to then incur the cost. There will be merchant fees. How high they will be is still in dispute. Importantly, the digital euro comes in two forms, online and offline. And it's important to say that this is not blockchain money. This is not a decentralized ledger with any type of proof of work or proof of stake. It is a database at the ECB for the settlement of money, every digital money they give out. But it's a centralized database and it will basically include all of the holdings of any type of digital euro anywhere. That's at least true when it comes to online payments. There's also an offline version, which is really horrible. The commission was actually doing a survey, a big consultation with business and NGOs, inquiring what would be important if we do a digital euro. Unilaterally, everybody said privacy is the most important thing, even the business sector. And that's the one thing where they fucked up completely. 
So you are fully identified when you as a person or as a company interact with your bank or the PayPal with any type of payment service provider, because all of these payment service providers are obliged to offer the digital euro, potentially also crypto exchanges, by the way. And they would have a unique identifier, persistent identifier that identifies you, an identifier for your device if you use the offline euro and your transaction history. And the bank would know that. And then everything on the right side, the European Central Bank, the national central banks, their settlement infrastructure, the Anti-Money Laundering Institute, financial intelligence units, like all of the people that do anti-terror financing, and then some form of providers of support services that are completely left blank, what they would do. All of them would have access to your transaction history and your pseudonymized data. So they wouldn't know your real name. But in effect, they could really easily identify yourself. Because if I know what your employer is, if I know where you live and with whom you are paying your rent, it would be very easy to actually re-identify people. And in case of money laundering or fraud, they could easily re-identify. If your bank goes bankrupt and you have to switch your accounts, they could re-identify. So one central banker put it like this, "Yeah, yeah, yeah, we could see everything, but we promise not to look." So it's really a disastrous architecture when it comes to privacy.

And that's just only the online part. For the offline part, we have a little bit higher privacy incentives, because you would still have the ECB with the settlement infrastructure knowing that you on your device with this identifier have, let's say, 50 digital euros for offline payments stored. And then when you exchange that money to someone else, the transaction individually would not be noted centrally. So there wouldn't be a record how you spend your money.
But then, of course, if the other person in their wallet wants to convert that offline euro money back into anything else, they would have then again the funding and defunding of these transactions. So that, of course, is a very weak form of privacy to begin with. And it very much depends on the proliferation of that whole system.

And if you have any interest or listened or read up on how digital money works, you might be aware of the problem of double spending. Computers copy stuff all the time, perfect copies of everything. How do you prevent digital money from being copied twice so that you can use the same five euros and spend it twice or three times or a few million times? Blockchains and Bitcoin solve this by decentralized ledger. Here we only have a centralized ledger. Offline payment means there is no network. And the only thing they rely upon are the secure enclaves on our phones. And then if you read up in Article 30, they actually say, "Final settlement of online offline digital euro payment transactions shall occur at the moment when the records of the digital euro holdings concerned in the local storage devices of the payer and payee are updated." So, legally speaking, you can copy money if there ever is a vulnerability in the secure enclaves. And if you've read the recent book of Cory Doctorow, Red Team Blues, it's a whole novel about what can go wrong with that. I mean, secure enclaves are secure for the most part, but you basically trust them completely to the vendors of these devices and these security chips. And I, as someone who has some interest in the euro not falling apart tomorrow, I'm really worried about this provision. Because, I mean, this would be an attack surface that would be very, very lucrative for criminals. And we're not even talking about Russia or any other state-level actor that might want to fuck with the European Central Bank and destabilize the biggest market in the world with the euro.
So, summing it up, I mean, the digital euro bill honestly has no benefits for the user. We couldn't find anything that would make a good case for us as citizens or consumers why we should use that. It's horrible in privacy. It's blind trust in secure elements and banks and the central banks. And the potential for control and surveillance is just insurmountable and completely disproportionate. And so I think, actually, that there is a good chance that this could be killed. It's still early stages, as I said, the law came out in June. We will publish an analysis in the next months, but it's still in drafting stage and review stage. And I want to have other NGOs on board with this as well. But that's where we stand with the digital euro.

And lastly, I want to just briefly zoom a little bit out. We have similarities between these reforms. I mean, the digital identity and the digital euro both have privacy safeguards only in theory, not in the law. So we need to really increase the law if this should be good at all in any way. Both laws leave the technical implementation and feasibility unclear. Like both of the wallet and with the digital euro, it's kind of unclear if this would ever work. Oh, and I haven't even told you the best bit. The European Central Bank decided, so I mean, we are printing the money. We just let eight and twelve different companies develop the digital euro in parallel. And then we just pick the best implementation that we like the most. And one of the companies, rumor has it, that is tendered out by the European Central Bank to develop the central euro is Amazon. As I said, like both proposals allow a bird's eye view, a panoptical, about all areas of our lives. And it's a cheap excuse for the EU to say big tech would be worse. Big tech would do this. So we have to do it first. But that's the underlying argument with both of these reforms. And this basically concludes the talk. We still have ten minutes for Q&A.
Before we go to that, just say that we'll have another session here in this tent tomorrow at 11 p.m. because we give beta access to everyone here at camp to a tool that we are developing to contact members of the European Parliament. So it's something that we'll use for chat control first, but it will be free software and a GPL license. It's a way to contact parliamentarians quite easily. And everybody is invited to join the demo and to come tomorrow to talk with us. Yeah, that's that. I'm looking forward to your questions. >> Thank you very much for the wonderful talk. We have some questions. I would start with the Internet. So, signal angel. >> The Internet is asking, does the use of the secure enclave for offline transaction with the digital euro mean everyone who uses an open source operating system on their phone will be excluded from the digital euro? >> That could very well be the case, yes. And that might also be an exclusionary factor for the European digital identity wallet as well. And it gets even worse because according to some versions of the law, biometrics could be another precondition. So you need to have a big tech phone and you need to enable biometrics. And that, of course, would be absolutely horrible. But those are conditions that the EU is seriously putting in the law. >> So then thanks for the talk. I have a very simple question. What happens to a person who has two citizenships or more for the digital identity? >> That's a good question. So there should be interoperability between the European digital identity wallets. So you could have Swedish and Belgian digital identity wallet or you could have your Swedish identity and the Belgian wallet. There should be full interoperability within these systems. Mind you, that data portability is restricted to technical feasibility. So an open source wallet again might be something that we still have to fight about. But the government issued wallets should be interoperable. >> I think the mic is over there. 
>> I would have a rather technical question about the implementation of the EUD digital wallet. If I'm not mistaken, the reference framework includes adherence as a must to the W3C VC standard, which is basically the W3C standard for blockchain implementations. Do you see any way of getting that argued out given that they already are putting up a reference open source implementation that has a mandatory blockchain standard inside, which is kind of a Trojan horse? >> Yeah, absolutely right. And I actually haven't included that there is a project called DC3, a huge multimillion large scale pilot for eIDAS, which basically has all of the Social Security insurances from EU member states proving on a blockchain if a person is health insured or not. And that's just one of the examples where a lot of money and development cost has gone in there. You're right, in the ARF, the architecture reference framework, we similarly have these Trojan horses. There is a whole consortium for European blockchain that heavily influences all of these projects. And two weeks ago we had the kickoff workshop from the German ministries on the eIDAS implementation. And they were very proudly saying, we decided in Germany that we'll not use blockchain. And I pointed out to them that's actually not really helpful if the EU mandates blockchain. So that cognitive dissonance has not really sunk in, I believe. And yeah, the problem is that this will be decided on the European level. And as I just said, these wallets and the attributes will be interoperable. So we cannot just save this for Germany, neither would I think that we should. >> OK, more questions? Maybe just over there and then audience again. >> Just one piece of information that may be useful. I believe this lady, Elaine Barker, who's the one who ran the NSA's program to backdoor, to have the Dual_EC_DRBG backdoor distributed, she is, I think, now the head of cryptography at Amazon. >> Interesting. Thank you. >> Thank you very much for your work. 
I was... offline wallet, is each euro, each cent, is it like unique or is it just like an amount which is being transferred? Is it or is it not decided yet? >> So actually digital euro is fungible. So it clearly says like with cash that any 10 euro note, any digital 10 euro should be absolutely the same and interchangeable. Whether that's true in the technical implementation is very much in dispute. Like whether there is no unique identifier attached to digital euro. The law doesn't say anything about that. And that would be one of many things where the law needs to specify that the technical implementation has to prevent any type of profiling, tracking of individual euro, digital euro coins. But so far the law is silent on that question. >> You mentioned that it's like the same as a euro banknote, but a banknote is, I mean, it has a serial. >> You're right. And I mean, they might argue it in the same way that you... but legally speaking, you cannot say, a Mate is 2 euro 50, but I only accept banknotes with serial numbers ending in an odd digit. You know, that is what they mean with fungibility. But you're absolutely right. The anti money laundering people could then say, no, but we need to be able to track everything, and that will be a huge fight because money laundering legislation already is horrible when it comes to privacy. That's the reason why having any type of payment service provider that's privacy friendly is super hard. And we cannot rewrite anti money laundering law with digital euro. Sadly. >> So I think with anti money laundering laws, there's often the discussion to restrict payments and over a certain sum, it should be a digital payment. Right. Could you see that also as a possible implementation of the digital euro that, for example, the offline wallet only could contain, say, ten thousand euros. So to prevent the or as an attempt to prevent money laundering. >> Yes, that's already in the draft bill in several ways. 
So you can have a spending limit or a holding limit on digital euros. You will also have a cap on the amount of online digital euros that you can have. And the real reason for them, of course, is anti money laundering. But then it's also because the banks are super pissed at the EU because if you have ten thousand euros in your bank account with Deutsche Bank, it's actually money that they hold and that they can give out as credits to someone else where they get interest. If you have the same ten thousand euros in your digital euro account, it's actually not money that the bank can use in any way. Yeah. And so it's much more like the money you have on your pillow. And that's why the banking industry actually is super pissed at the EU about doing this with the digital euro, which might be a potential ally for us to work with. >> So you already mentioned that factor of the trusted execution environment. What other considerations does the policy have for the security of this money? Because there's not really any guarantee that the device the app is running on is actually a trusted device. User is an attacker. >> The answer to that question, like with all of these bills, also in the digital euro, is certification. There will be a certification that it is secure. Because when it has that stamp, we blindly believe it. Sadly, that's the only thing in the digital euro bill when it comes to that. You would expect that there is provisions about, what's that in English? Haftung, like who bears the risk and who would be liable. Yeah. And so there is no merchant liability in case of a double spend, for example. The law is lacking provisions like that totally. >> There was a talk on GNU Taler here on this stage, I think yesterday or the day before. It must have been yesterday. Are there any ideas from GNU Taler or any other similar projects that the digital euro might borrow? Or do these projects already or ideas from the projects already the political debate? 
>> Yeah, I mean, Marie put me up to this talk basically. So Marie from Blackwater 2 is working for Taler and she said it would be good to complement the tech side with the legal side. This one here. I hope that these discussions are happening and I think that Taler has at least with their Swiss established organization. With the Swiss they are talking a lot. I don't know how much they are in exchange with the European Central Bank, particularly on the offline thing. I heard that those arguments were made to the ECB and the Commission, but it was a political decision to still move ahead and to have two, online and offline, systems. Although the offline one clearly includes certain risks. >> What I can say is, speaking for the Taler team, we had several rounds of discussion with the European Central Bank. They are very well aware of Taler, but I think the short answer is they prefer the absolute control over the population over adding privacy and listening to technical advice. With the exception of the Austrian Central Bank that wrote a paper that Taler would be the best solution for the digital euro. But it's just one of the member states central banks. But they are at least aware and we have talked to several member states central banks and the European Central Bank. So they have no excuse of saying we didn't know. >> Are there further questions? Please raise your hand. >> What are some practical and useful things that everyone here could do to stop the legislation? >> I mean, with the digital euro, we are thankfully very early on and the earlier you engage in your debates, the better, the more efficient it is. So really combining in every we have a single group. If you come later, then I'm happy to put on your contacts and have the NGOs that at least have shown initial interest in this file to it would always be helpful. 
If the people working on legal also have support from the tech community and particularly people that work on practical implementations, you know, because we need to make those arguments. And first and foremost, what is your euro? It's still time to organize. As I said, like there will be a legal assessment so that we at least to our side that there is a whole picture of like what is what is wrong and what would work, what wouldn't. Review from a technical side for that paper would also be welcome. And then subsequently, it's the long and winding road with speaking with MEPs, with local governments, maybe also speaking with central banks and forming alliances. I think particularly on this issue, there are interesting coalitions that would maybe really allow us to kill the digital euro. But we need to always do this with unlikely allies. And I mean, encryption in the nineties, we also killed with the banks together, so it wouldn't be unprecedented. So the short answer is: organize. And that's also why we're here. On the eIDAS file, we are so late in the debate that only like what we are doing is basically holding the hands of the negotiators and trying to influence the draft as much as possible. Trilogue is a nightmare. You got 60 pages at 10 p.m. and you have until 8 a.m. to give a response. But that is something where we are trying to stay on top with that file. And there are individual member states where it would make sense to push. Anyone being in Spain, working on Spain, who could help get the government little bit more on our side. The presidency holds the keys here. They are the one country that can propose new language. And yeah, but these things, once they're in trilogue, it's inherently secretive. In the parliament, everything is public, and look at every amendment, you know every deadline, you know when they meet, you can watch the live stream. In trilogue, everything is limited, secret. It's like even if you get the text, you're not even allowed to share. 
That's why eIDAS is at this stage, at best we can hope to get what we have already in the parliament's mandate. And honestly, that would be a huge improvement. Will I rest easy with eIDAS, that it is not a law that we will horribly regret? Probably no. But I've just, again, we are one NGO. We tried our best to unfuck it as much as possible. >> Okay. Those are my questions open. No. Okay. I think then we know there's. Oh, there's. >> Um, epicenter.works. We are based in Vienna. We are 12 people. Digital rights NGO founded 14 years ago as working group on data retention. We were the ones that killed the data retention surveillance bill in 2014. We worked a lot on net neutrality and digital identity has been a major issue since 2017 for us. And a lot of COVID legislation in the pandemic. And yeah, we basically are one of these small fast ships that goes where it hurts, where we can make a difference. And we are part of EDRi, the European umbrella network of over 40 digital rights NGOs. And we live off donations. >> Okay. If there are no questions left, I would say you can deepen your talks, your topics with Thomas. Maybe we have dinner time right now. So maybe you can catch him up. Thank you a lot. Thank you, Thomas, for this wonderful talk. I think we give him a big applause again. Thank you.