Proposed European Electronic ID Law Raises Concerns
The harmonisation of standards for electronic identification across the EU should normally be soporific enough to send even the most Club-Mate-hyped hacker straight to sleep, but as Computer Weekly reports, discussion of this reform in the EU corridors of power has caused significant unrest among cyber security experts. Just how can providing Europeans with a harmonised digital ID be so controversial? As you might imagine, the devil lies in the detail.
At issue is the eIDAS Regulation, a system which, in the words of its website: “ensures that people and businesses can use their own national electronic identification schemes (eIDs) to access public services available online in other EU countries,” and “creates a European internal market for trust services by ensuring that they will work across borders and have the same legal status as their traditional paper-based equivalents,” and the point of concern lies with its application to websites. The EU want to ensure that Europeans can digitally verify businesses as well as individuals they deal with, and since that includes websites, they want to insert a provision allowing countries to mandate their own trusted root certificates. At a stroke, this opens the potential for state actors to snoop on all encrypted online traffic, something which would compromise the security of all.
Update (by Roy)
More in:
-
Last Chance to fix eIDAS: Secret EU law threatens Internet security
These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU. Any EU member state has the ability to designate cryptographic keys for distribution in web browsers and browsers are forbidden from revoking trust in these keys without government permission.
This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to. This is particularly troubling given that adherence to the rule of law has not been uniform across all member states, with documented instances of coercion by secret police for political purposes.
The text goes on to ban browsers from applying security checks to these EU keys and certificates except those pre-approved by the EU’s IT standards body - ETSI. This rigid structure would be problematic with any entity, but government-controlled standard bodies are especially susceptible to misaligned incentives in cryptography. ETSI in particular has both a concerning track record of producing compromised cryptographic standards and a working group dedicated entirely to developing interception technology.
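The mechanism the passage above describes, as an added example that is not part of the original page, the letter it quotes, or the eIDAS text: once a member-state root sits in a browser's store, that root can mint a certificate for any domain and the browser's chain validation accepts it; take the root out of the store and the same certificate fails. The third scenario goes one step beyond the text and shows the kind of "security check" it says browsers would be barred from applying without ETSI approval: an X.509 Name Constraints extension that limits what names a root may vouch for. The root names, the example.com leaf and the ".gov.example" constraint are assumptions made for this demonstration; it uses only the Go standard library's crypto/x509 package, whose verifier stands in here for a browser's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type ca struct {
	cert *x509.Certificate // the CA certificate as placed in a root store
	key  *ecdsa.PrivateKey // the key that signs on its behalf
}

// check panics on setup failures (key generation, DER encoding), which are
// programming errors in this demonstration rather than runtime conditions.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mint generates a P-256 key for tmpl and has parent issue it with priv.
// A nil priv means tmpl is its own parent, i.e. a self-signed root.
func mint(tmpl, parent *x509.Certificate, priv *ecdsa.PrivateKey) ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if priv == nil {
		priv = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, priv)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return ca{cert, key}
}

// newRoot makes a self-signed CA. A non-empty permitted list adds an X.509 Name
// Constraints extension limiting the DNS names this CA may vouch for.
func newRoot(name string, permitted []string) ca {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		PermittedDNSDomains:   permitted,
	}
	return mint(tmpl, tmpl, nil)
}

// issueLeaf has signer mint a TLS server certificate for host. Nothing checks
// that the CA's operator controls host: a trusted CA can sign for any name.
func issueLeaf(host string, signer ca) *x509.Certificate {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, signer.cert, signer.key).cert
}

// verifyWith validates leaf for host against a root store holding exactly
// roots, the check a browser performs on the server certificate in a handshake.
func verifyWith(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}

// Run issues one interception certificate for example.com from a hypothetical
// "Member-State Mandated Root" (the names and ".gov.example" are made up for
// this demo) and reports how three root stores treat it: accepted with the root
// present, UnknownAuthorityError without it, CANotAuthorizedForThisName when
// the root is name-constrained and ordinary chain validation refuses the name.
func Run() (accepted, rejectedWithout, rejectedConstrained bool) {
	legit := newRoot("Legitimate Root CA", nil)
	mandated := newRoot("Member-State Mandated Root", nil)
	constrained := newRoot("Member-State Mandated Root (constrained)", []string{".gov.example"})
	leaf := issueLeaf("example.com", mandated)
	accepted = verifyWith(leaf, "example.com", legit.cert, mandated.cert) == nil
	var unknown x509.UnknownAuthorityError
	rejectedWithout = errors.As(verifyWith(leaf, "example.com", legit.cert), &unknown)
	var invalid x509.CertificateInvalidError
	err := verifyWith(issueLeaf("example.com", constrained), "example.com", legit.cert, constrained.cert)
	rejectedConstrained = errors.As(err, &invalid) && invalid.Reason == x509.CANotAuthorizedForThisName
	return
}

func main() {
	fmt.Println(Run())
}
```

`go run` prints `true true true`. The first two results are the whole dispute in miniature: nothing in the certificate for example.com ties it to the issuing state, so the only thing standing between a mandated root and silent interception of any EU or non-EU site is the browser's freedom to remove the root from the store. The third result shows a check that exists in X.509 today and that a browser could apply to a government root on its own initiative; the quoted letter's point is that the proposal would make such checks contingent on ETSI pre-approval rather than on the browser's judgement.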
-
Commission services sign administrative arrangements with French and Irish media regulators to support enforcement of Digital Services Act [blocked by gratuitous javascript]
The Commission services have signed administrative arrangements with the media regulators of France (Autorité de regulation de la communication audiovisuelle et numérique, Arcom) and Ireland (Coimisiún na Meán), to support its supervisory and enforcement powers under the Digital Services Act (DSA). These arrangements aim at developing expertise and capabilities and follow the Commission Recommendation to Member States for coordinating their response to the spread and amplification of illegal content on Very Large Online Platforms and Very Large Online Search Engines, ahead of the deadline for Member States to play their role in the enforcement of the DSA.
-
EU Digital Identity framework (eIDAS) another kind of chat control?
2. Articles 45 and 45a stipulate that web browsers must recognise a new form of certificate issued by any EU state, potentially compromising the encryption and most of all trust and overall security of the web.
3. This situation bears similarity to the controversy surrounding "chat control", as it implies that authorities could intermediate all traffic, decrypting communications sent over services using these certificates.
-
Industry Joint Statement on Article 45 in the EU’s eIDAS Regulation
Articles 45 and 45a of the proposed eIDAS provisions are likely to weaken the security of the Internet as a whole. These articles mandate that all Web browsers recognize a new form of certificate for the purposes of authenticating websites. The current language is imprecise, and this risks being interpreted as requiring that browsers recognize the certificate authorities that each EU member state appoints for the purposes of authenticating the domain name of websites.
The root store programs operated by Web browsers and operating systems are the core of Internet security. The certificate authorities recognized by these programs are responsible for attesting to the authenticity of domain names for websites. However, this is not the only system that depends on these certificates. Certificates provided by certificate authorities also secure global commerce in many ways, including email, voice and video, messaging, software delivery, and many other proprietary forms of communication used by businesses.
-
Hold up: 300 say eIDAS rules could make surveillance easier for EU nations
A similar statement issued by ten internet infrastructure and security companies says articles 45 and 45a “are likely to weaken the security of the Internet as a whole.” The articles require all web browsers to recognize new site-authentication certificates.
But the passages in question are “imprecise,” they say.
That imprecision could be interpreted as saying that all browsers must recognize the certificate authorities that are appointed by each state to authenticate domain names.
-
EU digital ID reforms should be ‘actively resisted’, say experts
The group’s concerns over the amendments largely centre on Article 45 of the reformed eIDAS, where it says the text “radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens”.
“This clause came as a surprise because it wasn’t about governing identities and legally binding contracts, it was about web browsers, and that was what triggered our concern,” explained Murdoch. “You can perhaps see why it might belong here, but once you go into the details, you can see why it doesn’t. It’s out of place; it should be actively resisted.”
-
[Old] What is the eIDAS Regulation?
The eIDAS Regulation is Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market. Following the UK withdrawal from the EU the eIDAS Regulation was adopted into UK law and amended by The Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019. In addition, the existing UK trust services legislation, The Electronic Identification and Trust Services for Electronic Transactions Regulation 2016 (2016 No. 696), was also amended. Taken together, these regulations are referred to in this guidance as the UK eIDAS Regulations.
-
9 facts about the EU Digital Identity Wallet
The EU Digital Identity Wallet is an ambitious digital identity project launched by the European Commission with the aim of boosting the single market and creating EU champions by streamlining cross-border identity verification. Pilots have been launched both to test the infrastructure and work on the EUDI Wallet’s technical features alongside its legal aspects—a rather unusual process, but one that should speed things up. The regulation should be approved by the end of 2023, along with the implementation timeline—the EU Digital Identity Wallet should be available within the next 2 to 3 years.
-
The first working demo of a web based EU digital identity wallet leveraging FIDO open authentication standards
As opposed to the widespread use of federated identities, where cloud-based digital identity providers are the central points for users to access any number of online services, the EU Digital Identity (EUDI) wallet aims to offer a new approach where the user is in control of when and where their personal data is shared and with whom. User credentials and data will include things like driver’s licenses, insurance cards, work and student visas, travel documents, credit card data, educational credentials, digital medical prescriptions, etc.
Yubico has been invited to join as associate partner in EWC, one of the four EUDI wallet large scale pilots, and will formalize the membership later this year. The EWC project was co-founded by Swedish government agencies including DIGG (Agency for Digital Government), Bolagsverket (Companies Registration Office), Vetenskapsrådet (Research Council) and Sunet (University Computer Network). Bolagsverket is, together with the Finnish Ministry of Finance, the coordinator of EWC.
-
Yubico joins EWC’s large-scale pilot for EU digital ID wallets ahead of eIDAS 2.0
Yubico will support EWC’s specific use case of a wallet for which multiple entities require shared control. “This is sometimes referred to as an ‘organizational wallet’ or a ‘legal person wallet’,” Ehrensvard writes. “The goal is to then develop more use cases across government and commercial services where users cannot or do not want to rely on a mobile platform.” It will draw on research conducted in collaboration with Greek Universities Network, around adding FIDO-based authentication and encryption to the latter’s open source web-based ID wallet.
-
The first working demo of a web based EU digital identity wallet leveraging Fido open authentication standards
By Yubico
COMPANY NEWS: As part of the revision of the EU common identity framework regulation, also known as eIDAS 2.0, the EU Member States will all implement a new common structure for electronic credentials based on digital identity wallets. [...]
One more (LF):
-
OpenSSF Co-Signs Industry Joint Statement on Article 45 in the EU’s eIDAS Regulation
The organizations that build and secure the Internet are concerned about proposed EU regulations that aim to mandate that all Web browsers recognize a new form of certificate for the purposes of authenticating websites. To support Mozilla’s position on eIDAS regulation and the organization’s multi-year effort to avert a potential policy disaster for cryptography in Articles 45 and 45a of the proposed eIDAS provisions, OpenSSF has co-signed the Industry Joint Statement on Article 45 in the EU’s eIDAS Regulation. Those provisions are likely to weaken the security of the Internet as a whole.
TechDirt:
-
EU Tries To Slip In New Powers To Intercept Encrypted Web Traffic Without Anyone Noticing
The EU is currently updating eIDAS (electronic IDentification, Authentication and trust Services), an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. That’s clearly a crucial piece of legislation in the digital age, and updating it is sensible given the fast pace of development in the sector. But it seems that something bad has happened in the process. Back in March 2022, a group of experts sent an open letter to MEPs [pdf] with the dramatic title “Global website security ecosystem at risk from EU Digital Identity framework’s new website authentication provisions”. It warned: [...]
Critical piece:
-
EU urged to drop new law that could allow member states to intercept and decrypt global web traffic
More than 300 of the world’s most respected cybersecurity experts have written to European Union lawmakers to warn that a proposed legal reform that may soon become law could fundamentally undermine security online.
A similar joint letter has been sent by industry organizations — including the Linux Foundation, Cloudflare, and Mozilla — telling the EU lawmakers that the proposed regulations are a “dangerous intervention” that risk breaking the fragile system of trust that underpins the use of cryptographic certificates on the web.
The letters were prompted by a proposed update to the bloc’s eIDAS (Electronic Identification, Authentication and Trust Services) regulations which would give EU member states the ability to issue so-called Qualified Website Authentication Certificates (QWACs).
Late coverage (Internet Society):
-
Civil Society Experts Voice Concern as New EU Digital Identity Regulation Finalized
In 2022, the Internet Society, Center for Democracy & Technology, Electronic Frontier Foundation, and Epicenter.works participated in a workshop and panel discussion on Article 45 of the European Digital Identity Regulation. Attendees explored the technical aspects of the proposal and discussed its potential negative impacts on Internet security and trust (watch video highlights of that workshop). We have tracked the development of the file through the trilogue process and, with this intervention, are sharing a set of recommendations that we believe would remove ambiguity from the text and increase public trust.
We are concerned that despite previous discussions at which the goals and concerns of relevant stakeholders, including the Commission, were debated, the text relating to Qualified Web Authentication Certificates (QWACs) in the eIDAS proposals remains ambiguous, and risks undermining trust in browsers as a globally deployed element of the Internet ecosystem.
Late also:
-
Controversy brews over new EU-based digital certificate laws that could compromise digital trust relationships
The Electronic Identification, Authentication and Trust Services Act passed the European Union Parliament back in 2014 and has been slowly enacted since July 2016. But a more recent change this past summer with a proposed Article 45 of eIDAS has gotten more attention as of late, and not in a good way.
This has now passed:
-
EU Digital Identity Regulation (eIDAS): Pirates don’t support blank cheque for surveillance of citizens online!
The EU Parliament and EU Council yesterday struck a political deal on the reform of the EU Digital Identity Regulation (eIDAS 2). A new digital identity wallet app is to allow EU citizens to access public and private digital services such as Facebook or Google, and pay online. The deal was made even though more than 500 scientists and numerous NGOs in an open letter „strongly warn against the currently proposed trilogue agreement, as it fails to properly respect the right to privacy of citizens and secure online communications“ – criticism which the Pirate Party Members of the European Parliament underline.
“This regulation is a blank cheque for surveillance of citizens online, endangering our privacy and security online”, comments Pirate Party lawmaker Patrick Breyer. “Browser security is being undermined, and overidentification will gradually erode our right to use digital services anonymously. Mark Zuckerberg should have no right to see our ID! Entrusting our digital lives to the government instead of Facebook and Google is jumping out of the frying pan and into the fire. This deal sacrifices essential requirements the European Parliament had put forward to make the eID app privacy-friendly and secure. The EU misses the opportunity to establish a trustworthy framework for modernization and digitization. We will watch the implementation very closely.”
-
EU Digital Identity Reform: The Good, Bad & Ugly in the eIDAS Regulation
The idea of having the owner of a domain name being visible in the web browser was shelved by every browser in the world in 2009. In 2021 the Commission deemed it a good idea to force the whole world to reintroduce this mid-2000s idea of “extended validation” under the new name “Qualified Website Authentication Certificates (QWACs)”. While nobody will use this, the real damage done by this system is that every web browser in the world will be forced to trust the root certificates from all European Trust Service Providers, regardless of them being actually trustworthy or not.
In response to the revelations of government mass surveillance by Edward Snowden, the share of encrypted web traffic jumped from less than half to 95%. The security of this encryption depends on lists of trusted certificates by browsers and governments around the world have repeatedly tried to attack this system. With the original proposal, the EU would have broken the complete trust architecture of the world wide web and even if a certificate would have been found to be used for surveillance, there would have been nothing in the law to allow the browser to kick it out.
The final twist of this story is that only days before the final deal the negotiators agreed to a change in the text that ensures browsers’ freedom to protect domain authentication and the encryption of web traffic in a manner and with the technology they consider most appropriate. In practice, this means browsers will have a way to resist QWACs undermining encryption, by separating them from TLS. Thus, at least we can expect browsers like Mozilla to fight against the undermining of the trust architecture of the web. For others like Microsoft we have less hope.
-
EU-wide digital wallet: MEPs reach deal with Council
The legislation will now have to be endorsed by both Parliament and Council before it becomes law. The Industry, Research and Energy Committee will hold a vote on the file on 28 November.