After years of negotiations between the major European regulators, the European Union is enacting a new set of digital identity rules: eIDAS 2.0.
The aim is to provide a shared framework to ensure security and control over digital ID data at the continental level instead of relying only on national solutions.
However, a controversy arose between the key EU legislative bodies and several civil society groups, including the free software community Mozilla.
According to Mozilla, there is a serious concern about how much control would be handed to ‘government-approved’ Certificate Authorities (CAs).
Browsers would be left with very little room to apply any countermeasure in a situation where such CAs start surveilling people.
What are the foundations of eIDAS and the reasons for revising it? Why are these revisions so controversial? How is the future of digital IDs in Europe going to evolve? Let’s try to find an answer to all these questions to obtain a clearer picture of what’s going on.
What is eIDAS, and What Does 2.0 Entail?
eIDAS is a regulation that established a shared framework between all 27 European Union (EU) countries for safe and efficient business electronic interactions.
Its acronym stands for “electronic Identification, Authentication, and trust Services,” and it was passed in 2014. eIDAS regulates all forms of electronic identification (eID), such as electronic signatures, digital certificates, and electronic seals, as well as trust services for electronic transactions within the EU market.
The purpose is to provide a safe way for individuals and businesses to transfer electronic funds or perform transactions without needing paper-based documents.
The European Commission established eIDAS as part of the broader Digital Agenda for Europe. Its implementation aimed to drive innovation and information security by focusing on interoperability and transparency in cross-border business. eIDAS constituted the regulatory framework under which several components of the Digital Agenda eventually fell. Among these, some of the most important ones were:
- Digital Identity
- Electronic signature (eSignature)
- Advanced electronic signature (AdES)
- Trust Services
- Qualified website authentication certificates (QWACs)
Fast-forward to a decade later.
On February 9, 2023, the Industry, Research and Energy Committee (ITRE) adopted a revision of eIDAS that would change several aspects of it to keep pace with the technological changes of the intervening years.
The changes recommended in ‘eIDAS 2.0’ cover several aspects of the original regulation — these range from privacy and security to cross-border identification, digital identity wallets, and QWACs.
While most of these revisions were accepted with little objection, the changes to QWACs and the establishment of government-endorsed Certificate Authorities (CAs) were widely condemned by groups of cybersecurity experts, NGOs, and researchers. The main subject of the dispute is, in particular, Article 45.
Which Part of eIDAS is so Controversial?
Hundreds of globally respected cybersecurity experts, NGOs, and several industry organizations such as Cloudflare, the Linux Foundation, and Mozilla vocally asked the EU lawmakers to take a step back on eIDAS 2.0.
According to them, the updated proposal seriously threatens privacy and human rights since it can potentially undermine online security and allow governments to conduct unwanted surveillance operations on encrypted internet communication.
Let’s try to untangle the knot and understand all this.
First, we need to understand what a qualified certificate is. Whenever we visit a website served over HTTPS (Hypertext Transfer Protocol Secure), we can see a small padlock to the left of the URL.
That padlock indicates that all communication between the web browser and the server is protected, because the identity of the server has been authenticated.
This is particularly important to prevent man-in-the-middle attacks, in which a malicious entity intercepts network traffic and impersonates the user’s actual destination.
But who decides when these connections are secure and can, therefore, be trusted? That’s where CAs come in: intermediaries that issue the certificates, and that are themselves vetted by browsers and hosts so that a certificate they issue can be trusted.
These CAs are where the European Commission wants to intervene. According to the proponents of the EU regulation changes, browsers are both controllers and controlled, centralizing too much authority in their hands. They are the ones who vet the certificates and issue them to cloud hosting services, holding far more power than intended.
On top of that, the European Signature Dialog argues that the rules established by browsers to determine when a certificate is valid are subjective and potentially exist simply to promote their commercial interests.
The answer that would move this excessive power from their hands to the hands of governmental authorities is, indeed, QWACs.
These certificates will replace those issued by CAs and will add another layer of transparency to show who the operator and legal owner of the website are.
According to opponents of Article 45 of eIDAS 2.0, however, this change is not just bad, it’s terrible.
Why Could Article 45 be Dangerous to Internet Freedom?
QWACs will be issued by CAs that will be endorsed by governments rather than private corporations. This would be a very good thing when it comes to issuing certificates to government-issued identities, such as governmental websites and services. However, when it comes to the vastness of the internet, things can become a little bit sketchier.
The root certificates controlled by CAs (whether they are government-endorsed or fully private entities) provide the authentication mechanism that ties the cryptographic keys used by a website to that website alone.
This means that whoever controls a trusted root certificate can intercept that website’s traffic by substituting its cryptographic keys with others that they own, since any certificate chaining to that root will be accepted by the browser.
This is extremely dangerous, as there are several cases in which government-backed national CAs allegedly used this tactic to spy on citizens both inside Europe — such as in France — and outside of it, such as in Kazakhstan or Turkey.
Even when it’s not the government spying on citizens, governmental CAs could be the target of attacks from malicious entities, as when a Dutch CA was hacked to intercept the internet activities of Iranian users.
Another worry is that each government of every EU member state could add their CAs to a centralized, unchangeable list. This means that the malice (or, to use Hanlon’s Razor, ineptitude) of a single state or CA could potentially impact the lives of all citizens living in Europe.
The final aspect that opponents of Article 45 argue against is that browsers have no power to take any countermeasures.
Even if they detect suspicious activity from a CA, such as an interception of encrypted traffic, they have no legal recourse to stop it or distrust the certificates issued by that CA.
In their words, their hands are tied: “Every citizen would have to trust those certificates.”
There are two sides to the argument: On the one hand, the centralization of power in the hands of a few Big Tech companies is rarely a good thing for anyone except the companies themselves.
On the other, the solution proposed by the EU authorities mostly looks like a way to shift that power balance from one player to the other, with no middle ground in sight.
As usual, the fate of the many rests in the hands of the few – in this case, a few giant corporations against a handful of European commissioners.
What matters in the end is that whatever solution they find, we can only hope it will be for the betterment of everyone in terms of the security and transparency of the internet.
According to more than 50 organizations and more than 550 scientists and researchers from 42 countries, the solution on the table is not the right way to go about it.