EU introduces new rules for intercepting web traffic

Lord777

Professional
Messages
2,581
Reputation
15
Reaction score
1,322
Points
113
The European Union is working on updating the eIDAS regulation, which regulates electronic identification and trust services for electronic transactions in the European single market. This is an important piece of legislation in the era of digitalization, and its updating is logical given the rapid development of the sector. However, the upgrade process has raised concerns. In March 2022, a group of experts sent an open letter to members of the European Parliament warning about the risks of the new version of eIDAS for the global Internet security system.

The preliminary version of eIDAS 2.0, which has been approved by EU negotiators, is causing alarm because of its consequences, which, according to Mozilla, may be even more serious than previously thought. In its new information resource, "Last Chance to Adjust eIDAS," Mozilla explains in detail how new legislation will require all web browsers in the EU to trust certificate authorities and cryptographic keys approved by national governments.

According to Mozilla, these changes could significantly strengthen the ability of EU governments to monitor their citizens by giving them the means to intercept encrypted Internet traffic throughout the European Union. Any EU member state would be able to designate the keys used to authenticate websites, and web browsers would be prohibited from refusing to trust those keys without explicit permission from the government.

Such a system allows any EU member state to issue interception and surveillance certificates that can be used against any EU citizen, regardless of their place of residence, with no independent oversight or checks and balances on the issuance and use of these keys. These measures raise serious concerns in light of the differences in respect for the rule of law among EU member states and the documented cases of security services abusing their powers for political purposes.

The European Signature Dialog, which aims to "bring together leading European trust service providers to share best practices, build a common industry position on regulatory issues, and expand the capabilities of European solutions to ensure guaranteed data security," disagrees with the analysis provided by Mozilla. The LinkedIn post says:

Mozilla recently launched a campaign accusing the current eIDAS legislation of misinformation in order to block changes to Article 45 concerning EU Qualified Web Authentication Certificates ("QWAC").

A document from the European Signature Dialog purportedly refutes Mozilla's claims. For those interested in understanding the underlying technology, Eric Rescorla suggests checking out the excellent introduction to eIDAS and QWAC posted on the Educated Guesswork blog. But there is also a less technical question. Mozilla states:

Forcing browsers to automatically trust state certificate authorities is a key tactic used by authoritarian regimes, and such actions by the EU may support this trend. In short, if this law were adopted by other States, it could threaten cybersecurity and fundamental human rights.

The European Signature Dialog responds:

The European Union does not control the "root" certificate authorities used by QWAC issuers, and therefore the EU cannot use certificates to "spy" on EU citizens. Mozilla should be ashamed of this statement.

The European Union itself may not control the "root" certificate authorities, but Mozilla's point is that individual EU member states will be able to gain such control, which in turn could allow, for example, their intelligence services to monitor encrypted web traffic.

The European Signature Dialog ends its answer with a question, "Why is Mozilla spreading this misinformation?", and answers it: "Mozilla is often perceived as a Google satellite, opening the way for Google to promote its commercial interests." Such an attack on Mozilla's motives, suggesting it is merely a "satellite" of Google, casts doubt on the other arguments the European Signature Dialog puts forward.

In addition, the accusation that this is merely an attempt by Google to circumvent European legislation is undercut by the fact that, besides Mozilla, 335 scientists and researchers from 32 countries, as well as various NGOs, signed a joint statement criticizing the proposed eIDAS reform. They warn:

A government-controlled institution will be able to intercept web traffic not only from its own citizens, but also from all EU citizens, including banking information, legally protected data, medical records and family photos. Interception is possible even when visiting websites outside the EU, since the specified institution will be able to issue certificates for any website, which all browsers will be required to accept. Although eIDAS 2.0 provides citizens with the opportunity to opt out of using new services and features, this does not apply to article 45. Every citizen will have to trust these certificates, and thus every citizen will face a threat to their online security.

The statement concludes:

This regulation does not eliminate any of the existing risks. On the contrary, by undermining the proven processes of secure web authentication, it introduces new risks without any benefits for citizens, businesses and institutions in Europe. Moreover, if the law comes into force, it can be assumed that other countries will insist on obtaining the same privileges from browsers as EU member states (which some have tried unsuccessfully in the past), thereby creating a global threat to web security.
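The mechanism the article describes, a root that browsers are required to trust being able to issue an accepted certificate for any website, comes down to what a TLS client's trust store contains. The Go program below is an added example (not part of the original post or of eIDAS itself): it constructs two self-signed roots and a server certificate for example.com issued by the second one, then shows that the certificate is rejected until that root is added to the store, and that a client which pins the root it expects for the site can still tell the two chains apart. The names "Legit Root" and "Mandated Root" are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds constructed test data: a self-signed root when parent is nil, otherwise a
// server certificate for name signed by parent. Errors are ignored for brevity.
func makeCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainTo validates leaf for host against the given roots and returns the root the chain ends at,
// or nil on failure. A browser accepts any root in its store; a pinning client also compares this root.
func chainTo(leaf *x509.Certificate, host string, roots ...*x509.Certificate) *x509.Certificate {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	if err != nil {
		return nil
	}
	return chains[0][len(chains[0])-1]
}

func main() {
	legit, _ := makeCert("Legit Root", nil, nil)
	mandated, mandatedKey := makeCert("Mandated Root", nil, nil)
	leaf, _ := makeCert("example.com", mandated, mandatedKey) // a site the mandated root never served
	fmt.Println(chainTo(leaf, "example.com", legit) != nil, chainTo(leaf, "example.com", legit, mandated) != nil) // false true
}
```

The second result is the whole issue: once the extra root is in the store, nothing in standard chain validation distinguishes its certificate for example.com from the genuine one, which is why the critics focus on who may add roots and whether browsers may remove them.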