
EU Tries To Slip In New Powers To Intercept Encrypted Web Traffic Without Anyone Noticing

The EU is currently updating eIDAS (electronic IDentification, Authentication and trust Services), an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. That’s clearly a crucial piece of legislation in the digital age, and updating it is sensible given the fast pace of development in the sector. But it seems that something bad has happened in the process. Back in March 2022, a group of experts sent an open letter to MEPs [pdf] with the dramatic title “Global website security ecosystem at risk from EU Digital Identity framework’s new website authentication provisions”. It warned:

The Digital Identity framework includes provisions that are intended to increase the take-up of Qualified Website Authentication Certificates (QWACs), a specific EU form of website certificate that was created in the 2014 eIDAS regulation but which – owing to flaws with its technical implementation model – has not gained popularity in the web ecosystem. The Digital Identity framework mandates browsers accept QWACs issued by Trust Service Providers, regardless of the security characteristics of the certificates or the policies that govern their issuance. This legislative approach introduces significant weaknesses into the global multi-stakeholder ecosystem for securing web browsing, and will significantly increase the cybersecurity risks for users of the web.

The near-final text for eIDAS 2.0 has now been agreed by the EU’s negotiators, and it seems that it is even worse than the earlier draft. A new site from Mozilla called “Last Chance to fix eIDAS” explains how new legislative articles will require all Web browsers in Europe to trust the certificate authorities and cryptographic keys selected by the governments of EU Member States. Mozilla explains:

These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU. Any EU member state has the ability to designate cryptographic keys for distribution in web browsers and browsers are forbidden from revoking trust in these keys without government permission.

This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to. This is particularly troubling given that adherence to the rule of law has not been uniform across all member states, with documented instances of coercion by secret police for political purposes.

To make matters worse, browser producers will be forbidden from carrying out routine and necessary checks:

The text goes on to ban browsers from applying security checks to these EU keys and certificates except those pre-approved by the EU’s IT standards body – ETSI. This rigid structure would be problematic with any entity, but government-controlled standard bodies are especially susceptible to misaligned incentives in cryptography. ETSI in particular has both a concerning track record of producing compromised cryptographic standards and a working group dedicated entirely to developing interception technology.

European Signature Dialog, which aims “to connect major European Trust Service Providers to share best practices, develop a common industry viewpoint on regulatory issues and empower European solutions for guaranteed data-security,” disagrees with Mozilla’s analysis. In a post on LinkedIn it writes:

Mozilla has recently launched a campaign that pushes serious misinformation about the current eIDAS legislation in order to block changes to Article 45 covering the EU’s Qualified Web Authentication Certificates (“QWACs”).

A document [pdf] from European Signature Dialog offers what it claims are refutations of Mozilla’s analysis. I will leave it to technical experts to decide who is right on the detailed points it discusses – for those interested in understanding the underlying technology, there’s an excellent introduction to eIDAS and QWACs from Eric Rescorla on the Educated Guesswork blog. But there’s a less technical issue too. Mozilla writes that:

forcing browsers to automatically trust government-backed certificate authorities is a key tactic used by authoritarian regimes, and these actors would be emboldened by the legitimising effect of the EU’s actions. In short, if this law were copied by another state, it could lead to serious threats to cybersecurity and fundamental rights.

To which European Signature Dialog responds:

The European Union is not controlling the “roots” used by the issuers of QWACs, and so the EU can’t use the certificates to “spy” on EU citizens. Mozilla should be ashamed of itself for suggesting this.

While it may be true that the European Union itself is not controlling the roots, what Mozilla says is that the individual governments of EU Member States will indeed be able to do precisely that, which means their intelligence services, for example, will be able to carry out surveillance of encrypted Web traffic.

European Signature Dialog concludes its reply to Mozilla’s analysis by asking “Why is Mozilla spreading this misinformation”, and answering its own question with: “Mozilla is generally perceived as a Google satellite, paving the way for Google to push through its own commercial interests”. Attacking the motives of Mozilla in this way, suggesting that it is just some “satellite” of Google, suggests a lack of confidence in the other arguments the European Signature Dialog has offered.

Moreover, the insinuation that this is just an attempt by Google to head off some pesky EU legislation is undercut by the fact that separately from Mozilla, 335 scientists and researchers from 32 countries and various NGOs have signed a joint statement criticizing the proposed eIDAS reform. If the latest text is adopted, they warn:

the government-controlled authority would then be able to intercept the web traffic of not only their own citizens, but all EU citizens, including banking information, legally privileged information, medical records and family photos. This would be true even when visiting non-EU websites, as such an authority could issue certificates for any website that all browsers would have to accept. Additionally, although much of eIDAS2.0 regulation carefully gives citizens the capability to opt out from usage of new services and functionality, this is not the case for Article 45. Every citizen would have to trust those certificates, and thus every citizen would see their online safety threatened.

It concludes:

This regulation does not eliminate any existing risk. Instead, by undermining the existing secure web authentication processes, introduces new risks with no gain by European citizens, businesses, and institutions. Moreover, if this regulation becomes a reality, it is only to be expected that other countries will put pressure on browsers to obtain similar privileges as EU Member States — as some have unsuccessfully attempted in the past — globally endangering web security.

Confirming the bad faith of the EU negotiators, these new and dangerous elements of eIDAS were added in closed-door meetings without any public consultation of experts. It’s a blatant power-grab by the EU, already attempting to circumvent encryption elsewhere with its Chat Control proposals. It must be stopped before it undermines core elements of the Internet’s security infrastructure not just in the EU, but globally too as a result of its knock-on effects.

Follow me @glynmoody on Mastodon.
