Privacy controversy on eIDAS2
Lawmaking is a difficult task! In many cases, technical experts work within parliaments and other lawmakers' structures in order to build up the right sort of rules that are to become a law. Of course, technical experts are never totally independent, as they essentially represent corporate interests. Lobbies play an essential role in the process. Most of the time, the law definition process is relatively smooth and somewhat efficient, and in the end the law is adopted by parliaments and other legislative bodies and accepted by all.
What is going on with the European Digital ID framework, known as eIDAS2, is seemingly not as smooth as one might have anticipated.
eIDAS (electronic IDentification, Authentication and trust Services) passed as a European regulation in 2014 and came into effect in July 2015. It regulates electronic signatures, electronic transactions, authentication, certificate computation and verification, signatory authorities, … The EU is now coming up with the European Digital Identity wallet (Eudiw) project, which aims at giving all EU citizens the possibility to have a digital identity that is recognized anywhere in the EU, giving them a simple and safe way to control how much information they want to share with services that require sharing of information.
The new eIDAS2 framework, which is necessary for the European Digital Identity wallet (Eudiw), was designed based on the intervention of numerous security experts from all over Europe; it was the subject of an agreement between the European Parliament and the European Council in June 2023.
However, researchers from universities and public labs now claim that "new legislative articles, introduced in recent closed-door meetings and not yet public, envision that all web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments," according to Mozilla on the last-chance-for-eidas.org website. "These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU. Any EU member state has the ability to designate cryptographic keys for distribution in web browsers and browsers are forbidden from revoking trust in these keys without government permission," they add.
Many governmental authorities consider that weakening encryption or imposing backdoors in systems will give them access to the information exchanged between citizens. However, cybersecurity experts are always unanimous: weakening security systems is never a good option. It will always ease access to data for cybercriminals rather than enforce national security.
This objection is at the core of the open letter calling on the EU to abandon these plans and safeguard the web. About articles 45 and 45A, they write "The current proposal radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens." The open letter on the position of scientists and NGOs on the EU’s proposed digital identity reform says "We are extremely concerned that, as proposed in its current form, this legislation will not result in adequate technological safeguards for citizens and businesses, as intended. In fact, it will very likely result in less security for all." It is signed by 504 scientists and researchers from 39 countries, as well as numerous NGOs. Signatories include well-known scientists from leading universities and public labs, in and out of Europe: UC Louvain, Inria, Ecole Polytechnique, Fraunhofer Institut, Waseda University, IMDEA Software Institute, EPFL, King's College London, New York University, Stanford University, among many others. Industrialists are weighing in with another open letter signed by organizations such as Akamai, Cisco, Cloudflare, Linux Foundation, Mozilla, among others.
We will monitor what happens with this proposed legislation and on what terms it will be voted. The update of eIDAS and the development of the European Digital Identity wallet (Eudiw) will happen anyway, and our secure transactions industry will be here to provide solutions to fit the requirements of governments, public and private entities as well as citizens.