No Broken Browsers

Brass padlock broken into many pieces over a background of the EU flag

After years of legislative process, the near-final text of the eIDAS regulation has been agreed upon by trilogue negotiators representing the EU’s key bodies and will be presented to the public and parliament for a rubber stamp before the end of the year. New legislative articles, introduced in recent closed-door meetings and not yet public, envision that all web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments.

Mozilla, Internet Society, European Digital Rights (EDRi), the EFF, and hundreds of security researchers and experts signed an open letter calling for reform and urged others to join them. Below is the feedback I submitted.

I encourage EU citizens to email Romana Jerković, the member of the European Parliament responsible for the eIDAS file, and their members of EU Parliament as soon as possible. Feel free to copy and paste my letter.

🇸🇪 Residents of Sverige, here is your email list:

romana.jerkovic@europarl.europa.eu, abir.alsahlani@europarl.europa.eu, erik.bergkvist@europarl.europa.eu, malin.bjork@europarl.europa.eu, jakop.dalunde@europarl.europa.eu, evin.incir@europarl.europa.eu, par.holmgren@europarl.europa.eu, helene.fritzon@europarl.europa.eu, ilan.debasso@europarl.europa.eu, karin.karlsbro@europarl.europa.eu, arba.kokalari@europarl.europa.eu, alice.kuhnke@europarl.europa.eu, david.lega@europarl.europa.eu, jessica.polfjard@europarl.europa.eu, carina.ohlsson@europarl.europa.eu, johan.nissinen@europarl.europa.eu, peter.lundgren@europarl.europa.eu, sara.skyttedal@europarl.europa.eu, tomas.tobe@europarl.europa.eu, jorgen.warborn@europarl.europa.eu, charlie.weimers@europarl.europa.eu, emma.wiesner@europarl.europa.eu
Subject: eIDAS must not undermine web security and individual privacy

Dear Members of the European Parliament,
Dear Member States of the Council of the European Union,

I appreciate your efforts to improve the digital security of European citizens. However, I am concerned that the near-final text of the eIDAS digital identity reform will not result in adequate technological safeguards for citizens and businesses, as intended. In fact, it will result in less security for all.

Article 45 radically expands the ability of governments to surveil citizens by providing them with the technical means to intercept encrypted Web traffic and undermines existing oversight mechanisms. I ask that you urgently reconsider this text and make clear that Article 45 will not interfere with trust decisions around the cryptographic keys and certificates used to secure Web traffic.

Article 45 bans security checks on EU Web certificates when establishing encrypted Web traffic connections unless those checks are expressly permitted by regulation (Article 45(2a)). Instead of specifying a set of minimum security measures which must be enforced as a baseline, it effectively specifies an upper bound on the security measures, which cannot be improved upon without the permission of ETSI. This runs counter to well-established global norms, under which new security technologies are developed and deployed in response to fast-moving developments in technology, and it limits the security measures that can be taken to protect the European Web. I ask that you reverse this clause, not limiting but encouraging the development of new security measures in response to fast-evolving threats.

The current text also mentions the need for the European Digital Identity Wallet to protect privacy. However, the legislation allows relying parties like governments and service providers to unnecessarily link together and gain full knowledge about the uses of credentials in the new European Digital Identity System. Given the broad intended uses of this system—which span all areas of life from health, finance, commerce, online activity up to public transport—I believe that failing to require both unlinkability and unobservability will severely compromise the privacy of EU citizens. Article 6a(7)(a) should be aligned with the negotiation mandate from the European Parliament’s lead Industry Committee and thereby technically prevent such information from being obtained by governments and other parties without the explicit consent of users. Article 6a(7a)(b) should “mandate” instead of “enable” that interactions cannot be linked by relying parties or other actors where identification of the user is not mandatory.

Finally, I am frustrated that decisions crucial for the security and privacy of citizens, businesses, and governments are being taken behind closed doors in trilogue negotiations, without public consultation of experts about the potential consequences of the proposed regulations. I urge the European Parliament, Commission, and Council to reconsider their legislative processes and commit to greater transparency so that experts and the public can effectively contribute to the development of new regulations.

In summary, I warn against the currently proposed trilogue agreement, as it fails to properly respect the right to privacy of citizens and secure online communications. It instead substantially increases the potential for harm.

In order to avoid creating a new privacy problem with no security gain, I recommend implementing the advice submitted in the joint statement of scientists and NGOs on the EU’s proposed eIDAS reform.

Respectfully,
Jeremiah Lee
Digital Rights Activist, Sverige
Photorealistic brass padlock broken into many pieces over a background of the EU flag generated with Bing Image Creator.