eIDAS: EU’s internet reforms will undermine a decade of advances in online security

The European Union’s attempt to reform its electronic identification and trust services – a package of laws better known as eIDAS 2.0 – contains legislation that poses a grave threat to online privacy and security. An article buried deep in the draft text of the bill would force web browsers to place total trust in certificate authorities (CAs) that have been approved by EU governments.

Currently, browsers can independently test the authenticity and trustworthiness of CAs and choose not to rely on those that fail to pass muster, but this bill would revoke their ability to do so – and this will open the door to a form of online surveillance that threatens the rights of every citizen in Europe.

Negotiators agreed on the near-final wording of the proposed changes to the bill earlier this month. This bundle of laws will now be formally voted on (and almost certainly rubber stamped) by the EU Council and Parliament in the coming weeks.

Yet the bill has provoked an outcry from internet safety specialists, privacy advocates, and online freedom campaigners. Basically, everyone who believes in a free and safe internet is speaking out against eIDAS.

The unintended consequences of the bill are so great, in fact, that Mozilla recently shared an open letter co-signed by a raft of internet companies concerned that eIDAS will make the internet less secure. And earlier this month, hundreds of cyber security experts called for a rethink of the new laws, arguing that eIDAS will leave the internet without essential technological safeguards. eIDAS, they say, will result in “less security for all”.

Introducing eIDAS 2.0

On the surface, eIDAS 2.0 is an attempt to modernize an existing set of EU regulations which came into force in 2018.

The stated aim is to improve trust, security, and convenience for EU citizens in all their online dealings; this will be achieved, according to the bill’s supporters, through new laws governing online ID and trust services.

eIDAS regulation will also establish a fully harmonized framework for digitally identifying individuals. The EU intends to do this with a sweeping suite of bills covers everything from e-signatures to time stamps to website authentication. And here’s where the biggest problems lie.

What the QWAC?

The most contentious parts of eIDAS are articles 45 and 45a, to which Mozilla and Co. object to in their open letter. These articles mandate that web browsers recognize two new procedures through which websites can apply for authentication certificates – referred to in the bill as qualified website authentication certificates (QWACs).

Authentication certificates are used to prove the identity of websites and other objects in cyberspace. Under the current system of certification, browsers operate their own “root store programs” to monitor the security and trustworthiness of certificate issuers (i.e., certificate authorities). The onus is on the browser to recognize certificates and keys from trusted authorities, and to refuse to recognize certificates from issuers they can’t trust.

Opponents of eIDAS point out, rightly, that this is a system which works, and has worked for years. Articles 45 and 45a, however, would force existing certificate authorities to go through a yearly evaluation by a conformity assessment body before they are added to the EU trust list and, therefore, allowed to issue QWACs.

Under these articles, browsers and client vendors (i.e., root store operators) will also have a legal requirement to add EU-government-approved root certificate authorities to their root stores (and therefore to trust them). Web browsers won’t be able to apply their usual safety and approval mechanisms to test whether that trust is warranted.

Making the internet less secure

While they may sound inoffensive in theory, the technical requirements of Article 45 will create a raft of problems in practice.

Under the new laws, browsers would also be unable to implement their own security controls on state-sanctioned certificate authorities beyond a suite of existing, pre-approved controls set out by the EU’s IT standards body: the European Telecommunications Standards Institute (ETSI). This undermines the ability of web browsers to enforce authentication policies that have been effective in the past and essentially sets an upper limit on how diligently web browsers can secure the internet.

If web browsers became concerned that certificates from an EU-approved authority are being misused (for example, in cases of interception by a state actor in the form of a “man in the middle attack”), they would be impotent to take countermeasures and distrust the QWACs in question. Under eIDAS, browsers will be less able to hold certificate authorities accountable, removing a vital check that many citizens rely on to keep the internet secure.

Rolling back the clock

The implications of Article 45 are terrifying. Mozilla warned in a separate statement that any EU government could “issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state.”

The firm adds that “there is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to.”

Since certificate authorities approved by one member state will be recognized across the entire EU, a mistake (or deliberate duplicitous action) by one EU member state would affect internet users across the bloc. One misstep in one country could jeopardize the safety and privacy of every internet user on the continent, regardless of the territory from which they happen to be using the internet.

In many ways, the furore over Article 45 harks back to a time when certificate authorities could collaborate with governments to spy on encrypted web traffic. Since 2011, tightened privacy and security laws have prevented this from happening – and campaigners had hoped that this practice was long dead.

Yet eIDAS legislation threatens to roll back internet security by over a decade, erasing all the gains privacy advocates and citizens have fought for since 2011.

A nightmare for privacy

Opponents fear eIDAS will open the door for government surveillance, arguing that Article 45 essentially provides EU member states with the technical means to intercept encrypted web traffic. It also “undermines existing oversight mechanisms relied on by European citizens,” in the words of the 500 experts who spoke out against the bill.

Root certificates assure web browsers that the cryptographic keys used to authenticate a website’s content belong to who they say they belong to. Certificate owners can intercept the web traffic of internet users by replacing cryptographic keys with their own.

Under the proposed Article 45, through the assistance of a friendly state-backed certificate authority, EU member states would theoretically be able to insert new root certificates at will. The EU state in question would then be able to intercept web traffic from other EU citizens, potentially harvesting confidential and private information in the process.

Even in the case of such abuse, Article 45 contains no provision to rescind rogue certificate authorities without the agreement of the issuing country. Nor is there an opt-out for EU citizens concerned about the effects of this procedure. To make matters worse, Mozilla says that the Article 45 provisions were added to eIDAS in “closed-door meetings” at the last minute.

Here we have a wide-ranging bill which will change the internet as we know it, and the EU drafted the text with next to no scrutiny – and against all the recommendations of the most knowledgeable stakeholders in the online industry.

eIDAS threatens to undermine website independence and security and make the internet a less safe, less private place.