EU revamps eIDAS with law allowing member states to track internet sessions

EU lawmakers voted the past week on a second version of the European Digital Identity Regulation. It includes an idea experts say will again make the internet less secure. Lawmakers seem reluctant to act on these warnings.

The piece of legislation is perhaps better known as eIDAS 2.0. It covers the rules for online identification, authentication and trust services. According to the EU, a second version of the text is needed to keep these rules up to date.

Web browsers less secure

Experts say the change may set internet security back to where it was about a decade ago. They point to security problems in the section dealing with certificates for website authentication.

Specifically, the law restricts browsers in two areas: how they check these certificates and how they act against malicious websites. With this, politicians are trying to take that power away from web browsers and take control themselves. Certificate Authorities (CAs) that have received approval from a European government continue to be trusted. In addition, browsers are required to implement all security rules of the European Telecommunications Standards Institute (ETSI), and adding security mechanisms of their own is not allowed.

With politicians taking control, experts are concerned about citizens’ privacy. Mozilla, the company behind the Firefox web browser, has for example already warned that the proposal would allow EU member states to issue website certificates that let them intercept internet sessions. “There is no independent control or balance between the decisions member states make regarding the keys they authorize and the use they make of them.”

The Electronic Frontier Foundation (EFF) reiterated much the same views this week: “Article 45 prohibits browsers from imposing modern security requirements on certain CAs without the approval of an EU member state government. Which CAs? Specifically, government-appointed CAs, some of which will be owned or operated by that same government. That means cryptographic keys under the control of one government could be used to intercept HTTPS communications across the EU and beyond.”
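To make concrete what “imposing modern security requirements” on a CA means in practice, here is an added example in Go using only the standard library. It is not code from the article, from Mozilla, the EFF or the eIDAS text. It constructs two root CAs and a server certificate for a hypothetical host from each, then compares the bare trust-store check, which accepts any chain that ends at a root in the store, with an issuer pin, which additionally requires that root to be one the site operator has declared it actually uses. The CA names, the host name and the pin set are constructed for the example; the mechanism itself is what browsers and site operators do today with key pinning and certificate-transparency monitoring.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// check aborts the demo on key-generation or signing failures.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a certificate template: CA templates get the signing key
// usages, leaf templates a DNS SAN and the serverAuth extended key usage.
func template(name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// signed generates a fresh P-256 key for tmpl and has parent sign it (self-signed when parent is nil).
func signed(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// spkiHash is the SHA-256 of the SubjectPublicKeyInfo, the value that key pins
// and certificate-transparency monitors compare against.
func spkiHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Check validates leaf for host against roots. storeOK is the bare check: the chain
// ends at some root in the store. pinOK additionally requires that root's SPKI hash
// to be one the site operator has published, so a chain from any other root is flagged.
func Check(leaf *x509.Certificate, roots []*x509.Certificate, host string, pins map[string]bool) (storeOK, pinOK bool) {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	if err != nil {
		return false, false
	}
	for _, c := range chains {
		if pins[spkiHash(c[len(c)-1])] {
			return true, true
		}
	}
	return true, false
}

// Demo builds a "Public CA" the site really uses and a "Mandated CA" that sits in the
// trust store by policy, issues a certificate for a hypothetical host from each, and runs Check.
func Demo() (storePublic, pinPublic, storeMandated, pinMandated bool) {
	const host = "example.invalid" // constructed host name
	public, publicKey := signed(template("Public CA (constructed)", true), nil, nil)
	mandated, mandatedKey := signed(template("Mandated CA (constructed)", true), nil, nil)
	fromPublic, _ := signed(template(host, false), public, publicKey)
	fromMandated, _ := signed(template(host, false), mandated, mandatedKey)
	store := []*x509.Certificate{public, mandated}
	pins := map[string]bool{spkiHash(public): true} // the site declares only its own root
	storePublic, pinPublic = Check(fromPublic, store, host, pins)
	storeMandated, pinMandated = Check(fromMandated, store, host, pins)
	return
}

func main() {
	fmt.Println(Demo()) // true true true false
}
```

Both certificates pass the trust-store check, because both roots are in the store; only the pin check separates the certificate from the site’s own CA from the one issued under the other root. That second check is precisely the kind of requirement a browser or site operator adds on top of trust-store membership, and it is that layer of additional mechanisms the article’s experts say Article 45 would restrict.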

Lawmakers don’t always see the consequences

Another proposed EU law came under fire not long ago over potential security risks: the proposed law mandating client-side scanning on communication platforms. Experts see it primarily as a privacy issue, but one that could also pose security problems depending on how the final law is interpreted.

Both laws show that legislators do not always see the consequences a proposed law may bring. They usually learn of them in the period between the law’s presentation, the vote and the final drafting. In the case of IT legislation, a lack of technical knowledge may also partly be to blame.

It is sometimes a matter of unwillingness

In the case of the European Digital Identity Regulation, it appears to be mainly a matter of unwillingness. Lawmakers were warned of the dangers in an open letter from more than 500 experts, but the letter was simply pushed aside. “These changes radically increase the ability of EU governments to keep tabs on their citizens by ensuring that government-controlled cryptographic keys can be used to intercept encrypted web traffic across the EU,” the experts wrote.

Despite the warnings, the European Commission, Council and Parliament reached an agreement last week; the vote will follow in early 2024. The agreement was followed by another press conference in which the European Commission dismissed all the dangers experts had warned about. The Commission says the criticism was discussed with its own experts, who supposedly showed that Mozilla, the EFF and all the signatories of the open letter are wrong: the critics are said to overlook that EU governments only control the public key in a certificate and never a user’s identity.

New trick?

Lately, the EU has been citing these “experts” more often, and it is not clear who they are in practice. In the case of the law on client-side scanning, the EU has rejected requests to reveal the list. It is notable, however, that these experts always defend the EU’s position and not that of all the other experts who can be heard online.

Both laws are still under heavy discussion, but the debate remains a game of hidden experts against public ones. How long the EU can keep up this new trick, time will tell.