The European Union is notorious for its commitment to regulate the internet, either for better or worse. The GDPR has been echoed by nations worldwide as the blueprint for protecting citizens' digital privacy. From August 25, the Digital Market Act and Digital Service Act have introduced new obligations for digital services. At the same time, the Chat Control proposal is gathering a lot of criticism for its attack on encryption in the name of online safety.
Among these highly-debated legislations, one proposal may have flown under the radar: the revision of the EU's digital identity law (eIDAS). A process started in October 2020 and currently under trialogue negotiations as lawmakers seek to "fix" web security among country members. However, experts warn of unintended consequences like greater surveillance, censorship, and false security instead.
"The European Commission is leading security technology down the wrong path... a move that risks instilling an insecure future for the web," wrote secure browser provider Mozilla in a recent report: A law of unintended consequences. So, what's the proposed revision trying to change, and what's at stake for users in the EU?
Article 45.2 and website padlocks
You've likely seen the little padlock sitting on the left-hand side of a website URL in a browser's search bar. This indicates accessing that specific site is secured by a HTTPS connection, meaning the connection between the browser and the server providing the service is encrypted. Nowadays, 90% of connections are HTTPS.
The security padlock is something introduced only in 2019, though. Before that, the URL bar displayed what's known as extended validation (EV) certificates. The problem here was that de facto, everyone could issue these certificates and trick users into thinking a website is safe when it's not. A problem that continues to punish the unaware who assume the padlock means a safe site, instead of the reality: a safe connection.
Browsers stopped displaying them altogether and began running root store programs instead to decide for themselves whether or not to label the connection as secure. Everyone was happy, besides the certificate authorities—the people who used to sell these certificates.
Now, EU lawmakers are pushing for a revision to Article 45 to bring EV certificates back. The new law will then introduce an obligation of displaying identity information in the browser, while requiring the EU to maintain its own list of certificate authorities (here called trust service provider).
Udbhav Tiwari, Mozilla's Head of Global Product Policy, told TechRadar: "What they want to do is essentially create a parallel infrastructure where, rather than just browsers making determinations, EU governments decide who can and cannot issue certificates and what kind of certificates should be displayed."
The move comes as a means to make the internet more secure. Yet, global experts and civil societies warn this could cause exactly the opposite outcome by "establishing a ceiling on website certificates rather than a floor or foundation," said Tiwary, and giving out new sweeping powers to governments. "That's the biggest thing we're pushing back against," he added.
As Mozilla detailed in its report, such a provision would enable EU governments to conduct mass surveillance and censorship campaigns with ease, among other things. It would also weaken web security by undermining encryption and creating a false sense of safety among users.
🛡️ What's happening in Russia with Sberbank serves as a warning for the EU's eIDAS regulation. By bypassing browser security checks, eIDAS could enable state-owned CAs to conduct surveillance. #securityriskahead #eidasApril 28, 2023
Most worryingly, it will set a "dangerous global precedent," Tasos Stampelos, Head of EU Public Policy at Mozilla, told TechRadar. He said: "Other countries will be seeing Europe and then might use this in order to deploy any type of malicious purposes."
Article 45.2 does not seem to take into account the dynamic nature of security threats, either. As Senior Vice President for Strong Internet at the Internet Society Joseph Lorenzo Hall explained, web browser providers will be "handcuffed" and prevented from doing "things that we would normally do very quickly to protect the people of the internet."
That's why the #SecurityRiskAhead campaign is calling on EU lawmakers to agree on a cybersecurity exemption for browsers' root stores to leave providers the freedom to react to issues. "Cyberattacks happen in a matter of hours and can last for less than a day," said Tiwari. "We need to have the ability to act very quickly."
ID Wallet
Issues with the revisions of the eIDAS don't end here, though. Another contentious matter is around the EU ID Wallet regulations listed in Article 6. "It is creating a lot of friction amongst policymakers," confirmed Stampelos.
The proposal promises to enable European citizens and businesses to share identity data in a way that's more convenient and secure. However, this plan opens up to some privacy concerns.
It might be more convenient to have just one identity number, instead of separate identification references, but this also "enables governments to surveil citizens more effectively," explained Tiwari.
I’m extremely worried about the direction of the #eIDAS trilogue negotiations. We see a massive attack on core privacy principles in the text proposed by the @EU_Commission and @eu2023es Presidency. The EU ID Wallet risks becoming a privacy nightmare that is not safe to use!!!September 3, 2023
Then there are the issues of consensus among EU country members as local authorities' approaches to unique identifier numbers change dramatically among nations.
For example, in Germany, it's currently unconstitutional to have a single number that identifies an individual across all the government bodies. While other countries notorious for stronger control over the population, like Hungary, are welcoming the proposal as it could make citizens' tracking even easier.
Tiwari said: "It's a conversation that's very much ongoing.
What's next?
As mentioned, the eIDAS revisions are currently under trialogue negotiations between representatives of the European Parliament, the Council of the European Union, and the European Commission. The aim of this process is reaching a provisional agreement, something that in part has been reached on June 29 but it doesn't fully meet the experts' demands just yet.
"One of the big concerns is that the principles agreed back in June are not necessarily reflected in the technical text," Stampelos told us. "We think if the wording is not correct, whatever we achieved on the cybersecurity exemption is overthrown."
Experts are now pushing for some small but important tweaks to the latest text (specifically to the Recital 32 and Article 45, paragraph 2) to remove any ambiguities and ensure browsers can exert their cybersecurity exemption fully.
What's certain right now is that there's a strong political pressure to wrap this up, a project that has lasted for three years already. So far, the EU Commission seems to be listening, in part at least, to experts' concerns. Yet, the secretive nature of the ongoing negotiations might produce a dangerous law nonetheless.
On this point, Stampelos said: "Here you have both sides. We are saying 'It's weak, make it stronger for us' and they're saying 'It's weak, make it stronger for us.' Nobody knows which side will ultimately end up winning."
