Privacy advocates are worried about the new authority.
In order to facilitate electronic transactions within the European Union's single market, the eIDAS regulation governing electronic identification and trust services is currently undergoing revisions. It's a major piece of legislation in the age of digitization, and its implementation makes sense given the industry's explosive growth. The updating procedure, however, raised some concerns. In March 2022, a group of experts addressed Members of the European Parliament with an open letter warning of the risks of the new version of eIDAS for the global Internet security system.
Even in its preliminary form, which EU negotiators have approved, Mozilla is concerned about the potential consequences of eIDAS 2.0. Mozilla's new "Last Chance to Fix eIDAS" document goes into great detail about how upcoming legislation will mandate that all EU web browsers only trust certification authorities and cryptographic keys that have been authorised by individual national governments.
Mozilla claims that these developments could give EU governments the means to intercept encrypted internet traffic across the EU, greatly increasing their ability to monitor their citizens. As a result, any EU member state can issue authentication keys for websites, and browsers can't refuse to use them without government approval.
A certificate for interception and tracking issued by one EU Member State can be used against a citizen of any other EU country. The authorities did not implement any checks or balances to ensure that these keys were used properly before being distributed. Because of discrepancies in the rule of law among EU Member States and well-documented instances of abuse of power by the stage services for political ends, such actions give rise to grave concerns.
According to Mozilla's research, the European Signature Dialog's mission to "gather the leading European trust service providers to share best practises, shape a common industry position on regulatory issues, and enhance the capabilities of European solutions to ensure guaranteed data security" is misguided. As stated in the LinkedIn message:
Mozilla recently launched a campaign accusing the current eIDAS legislation of misinformation in order to block amendments to Article 45 concerning qualified EU web authentication certificates ("QWAC").
According to the European Signature Dialogue document, Mozilla's claims are false. Eric Rescorla, author of the Educated Guesswork blog, provides an excellent introduction to eIDAS and QWAC for those curious about the technology behind it. A less specialised problem, however, exists.
Such EU actions can lend support to the tactic of authoritarian regimes of forcing browsers to automatically trust government certification centres. Cyber security and basic human rights would be at risk if the law were adopted by other states.
The Questions Answered by the European Signature Dialogue
Since the European Union does not manage the "root" authentication centres used by QWAC issuers, it cannot "spy" on its own citizens by means of certificates. Mozilla has no right to make such an accusation.
The European Union may not have control over the "root" authentication centres, but Mozilla claims that individual EU Member States would indeed be able to obtain such control that, in turn, could allow, for example, their intelligence services to track encrypted web traffic.
The last question in the European Signature Dialogue is, "Why does Mozilla spread this disinformation?" responds that "Mozilla is often perceived as a Google satellite, opening the way for Google to promote its commercial interests." Insinuating that Mozilla is nothing more than a "satellite" of Google and therefore suspecting its motives is an attack on the other arguments put forth by the European Signature Dialogue.
In addition, Mozilla and 335 scientists and researchers from 32 countries, as well as various NGOs, have signed a joint statement criticising the proposed eIDAS reform, disproving the claim that this is simply an attempt by Google to sidestep European legislation. This is what they forewarn:
A government-run organization will intercept all web traffic from EU citizens, including financial information, legally protected data, medical records, and family photos. Because all browsers will accept certificates issued by this institution, websites accessed from outside the EU will still be vulnerable to interception. Citizens may choose not to use new services and functions under eIDAS 2.0; however, this choice is not available under article 45. All citizens will need to trust these certificates, which compromises online security for everyone.
In closing
This regulation does not eliminate any of the existing risks. In fact, it poses new dangers to European citizens and institutions while providing no benefits whatsoever by undermining tried-and-true methods of secure web authentication. In addition, if the law is implemented, it is likely that other countries will demand the same access from browsers as EU Member States (something some have already tried to do unsuccessfully in the past), posing a global threat to web security.
Comments 0