Hold up: 300 say eIDAS rules could make surveillance easier for EU nations
Language in the proposed revision of the eIDAS regulation in the European Union is being loudly rebuffed by 335 individuals and civil society organizations in 32 nations.
In an open letter to the European Parliament and the Council of the EU, signatories argue that articles within the revised eIDAS would open the system to surveillance by rogue governments, and block checks on the security of EU web certificates. They also believe the rules for the European Digital Identity Wallet would enable surveillance by governments and service providers.
A similar statement issued by ten internet infrastructure and security companies says articles 45 and 45a “are likely to weaken the security of the Internet as a whole.” The articles require all web browsers to recognize new site-authentication certificates.
But the passages in question are “imprecise,” they say.
That imprecision could be interpreted as saying that all browsers must recognize the certificate authorities that are appointed by each state to authenticate domain names.
An open letter signatory, a University College London professor of security engineering, tells Computer Weekly that the offending clause is outside the regulation's intended scope of governing digital identity and signatures.
A separate statement issued by Mozilla says that forcing the world to recognize authorities hand-picked by EU nations gives the governments of those nations more power to “surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU.”
Browsers would be prohibited from revoking trust in the keys unless the relevant government allows them to. And there would be no independent body to check what a government does, according to Mozilla.