Re: Utah State-Endorsed Digital Identity (SEDI) legislation

Everyone here seems to be arguing for points about how trust isn’t improved and this slows down EU adoption. I agree both of those are true but I see slow adoption as a feature not a bug.

This site certification process is a feature because it reduces the adoption of credentials and counters Jevons Paradox. Today we’re already seeing more and more sites pulling up their walls with paywalls and logins required to access most of their site. This is true on news sites, social media platforms, and even large content hosts like YouTube now. This has been referred to as the “deep web”.

The “deep web” is about to be turned into the “attributed deep web” though, with the addition of digital credentials instead of just self-attested emails. No longer will I be able to make up fake emails with SimpleLogin to unlink myself and bypass these “deep web” gates. I’ll now be required to show my digital credentials everywhere because the sites don’t trust me self-attesting information so they can track me on their site. I don’t trust the sites to be a good judge of making that decision either, given how much I’m required to hand over an email these days so they can spam me with marketing emails later.

On top of that, the last thing I want to do is provide my digital credential to prove I’m human so I can read a news article because some IDV promoted digital credentials as an antifraud tool. I’ll just stop visiting their sites in the same way I don’t check Instagram, TikTok, or Facebook anymore because I deleted my login and they don’t want me to view their content unless I’m signed in. YouTube is now doing the same thing to my IP address because I run an adblocker on my TV and they want me to be logged in so they can still track me.

There are many other such cases of the “deep web” occurring, which will get worse once digital credentials are prevalent. So yes, I want my browser restricting which sites can use these. That’s advantageous to me to slow adoption of this and reduce Jevons Paradox of attested information taking hold on the web and further reducing the Open Web principle. To me slow adoption is a feature not a bug.

Some might ask, “but your wallet can do that,” and you’d be correct, but I’d counter that you’re not thinking about UX. If I have to agree to share the request on the browser UI first before it hits the wallet, then it both leaks information to the wallet (which site I visited) and requires me to click through at least once in the browser to realize this mistake, which is a bad UX. Instead I argue Jevons Paradox should be solved at the browser layer, not the wallet layer, because of this.

-Kyle

-------- Original Message --------
On Monday, 02/16/26 at 07:09 Adrian Gropper <agropper@healthurl.com> wrote:

> I appreciate Manu’s web browser perspective. They are a superb example of an important complex product with very low switching costs. Most also offer to manage my credentials across devices.
>
> So how do we explain that only wallets have access to biometrics?
>
> Adrian
>
> On Sun, Feb 15, 2026 at 10:13 AM Manu Sporny <msporny@digitalbazaar.com> wrote:
>
>> On Sun, Feb 15, 2026 at 8:41 AM Steffen Schwalm
>> <Steffen.Schwalm@msg.group> wrote:
>>> I guess the key is the combination of legislation and math. Math without legal backing is interesting science but not useable in regulated environments, law without technical basement = math is meaningless because its goals are not achievable.
>>
>> Counterpoint: Web browsers, the World Wide Web, and the Internet. :)
>>
>> Web browsers have no mandatory regulatory regime, yet they're used in
>> highly regulated activities (payments, banking, interaction with
>> government). They don't have to "prove their code is secure" before
>> engaging with a website during a regulated activity.
>>
>> Transport Layer Security (TLS) depends on math, not legislation, to
>> secure connections over the Web and Internet.
>>
>> Web sites have no mandatory regulatory regime that is checked for by
>> the Web browser before requesting arbitrary information from the
>> individual and the Web browser has no mandatory regulatory regime that
>> it checks before sending arbitrary information from the individual to
>> the website.
>>
>> There are 5.5 billion people on the planet that use this system to
>> engage in regulated environments... and it needs far less European
>> regulation to operate than what EUDI is attempting.
>>
>> Now, that's not to say that there isn't regulation involved. The
>> Domain Name System (DNS) does have governance policies and there is
>> regulation in place to determine who gets to manage top-level domains
>> as well as certificate authorities. So, this isn't a "there should be
>> zero regulation" stance -- it's just that EUDI is overdoing it, by a
>> very wide margin.
>>
>>> Basically we have no BigTech in the QTSP.
>>
>> Why would BigTech want to become a QTSP? There is no money or control
>> in it... the money and control is in holding the most critical
>> identity documents of an individual in a digital wallet and then
>> charging the market for access to those identity documents.
>>
>> For example, Apple and Google can charge a larger percentage of a
>> credit card transaction if they also have a PID in the same digital
>> wallet -- that's many tens of billions of dollars a year in revenue
>> without having to become a QTSP. Google can do more targeted
>> advertising with a PID in a wallet... and if the PID is in a wallet,
>> the fact that more credentials tied to that PID are likely to appear
>> gives them even more data for targeted advertising, which is many
>> hundreds of billions of dollars a year more. Banks will pay them to
>> put their cards in the wallet, give them basis point kickbacks (to the
>> tune of billions of dollars), because that's what people are using
>> (and they get visibility into consumer spending habits)... that
>> doesn't happen in the state-issued government wallet, which will never
>> hold the variety of credentials that BigTech wallets will hold.
>>
>> All BigTech needs to do is make sure that the competitive landscape is
>> hobbled and the EU is doing a fine job of that by making the
>> regulations so complex and hard to meet that there will be very little
>> real competition when it comes to digital wallets in the EU.
>>
>>> Reason is complexity in becoming and running a QTSP.
>>
>> Yes, that's why small organizations can't become a QTSP in the EU. But
>> for Big Tech... no, that's not the reason. BigTech has no problem
>> throwing money at regulatory complexity if there is a profit motive
>> there. They could become a QTSP if they wanted to... it's just that
>> there's no need for them to do so in order to hit their profit motive
>> (yet)... and frankly, I don't think Google even asked the EU to
>> constrain competition in the way that has ended up happening... the EU
>> shot itself in the foot wrt. wallet competition all by itself. I
>> expect Apple is overjoyed with the current direction.
>>
>>> So QTSP regime seems more a key to keep BigTech out of regulated environments - so far the experiences from eIDAS 1. Only DocuSign was a bit successful but by underlying EU rules.
>>
>> EU is not an attractive market to digital credential businesses
>> outside of the EU because the regulations are such that home-grown
>> systems built for the EU market are so complex and EU-centric that
>> they don't have a chance of surviving in other markets. It's one of
>> the reasons the EU does not have many tech companies that can compete
>> at a global scale. You're hobbling your own tech companies through
>> regulatory overreach, all in the name of "protecting the citizen",
>> which is largely security theatre.
>>
>> Just take a look at what it takes to become a QTSP (checklist on pages 16-30):
>>
>> https://www.enisa.europa.eu/sites/default/files/publications/ENISA%20Report%20-%20Conformity%20Assessment%20of%20Qualified%20Trust%20Service%20Providers.pdf
>>
>> and the laundry list of European-centric standards that you have to
>> implement, that the rest of the world does not use, to become a QTSP
>> (on page 11):
>>
>> https://www.enisa.europa.eu/sites/default/files/publications/ENISA%20Report%20-%20Recommendations%20for%20QTSPs%20based%20on%20Standards.pdf
>>
>> Speaking as an entrepreneur, I do not envy European tech companies
>> that need to build to overcome those regulatory hurdles. I think it's
>> telling that your governments are the ones largely building and
>> funding digital wallets. I expect only the larger companies, that do
>> so at a loss, will be able to survive over the long term... and even
>> they will be overcome when a less Minitel-like system[1] is overtaken
>> by a more Web-like system.
>>
>> ... and to be thoroughly clear, I think that certain US state
>> governments allowing Big Tech to be the sole holder of state-issued
>> identity documents, with proprietary protocols run between the state
>> and the Big Tech digital wallet, to be an even worse outcome... but at
>> least the US hasn't made the regulatory mistakes the EU has (yet).
>>
>> Utah is the only state I've seen so far get the regulatory stuff
>> mostly right. Time will tell if they fumble the execution, or if they
>> do a good job there as well.
>>
>> -- manu
>>
>> [1] https://www.bbc.com/news/magazine-18610692
>>
>> --
>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>> Founder/CEO - Digital Bazaar, Inc.
>> https://www.digitalbazaar.com/

Received on Sunday, 15 February 2026 19:04:00 UTC