Proposed EU legislation poses security threat to internet users
In the wrong hands, the changes could enable state-sponsored internet surveillance says Mozilla’s Chief Security Officer
Brussels sees growing criticism of article 45.2 of the eIDAS regulation
BRUSSELS, July 13, 2022 – There is a serious threat to existing internet security measures stemming from the European Commission’s proposed revision to the eIDAS regulation. If implemented, experts say, it could expose individuals browsing online to additional security risks and set a precedent for state-sponsored internet surveillance. As currently drafted, article 45.2 could undermine the EU’s own ambition to be the frontrunner in a more secure, responsible and competitive internet that protects people from illegal activity.
Under the revised article 45.2 of the eIDAS regulation, browsers would be mandated to accept the EU-designed Qualified Web Authentication Certificates (QWACs), even though they have weaker security properties than the certificates most browsers currently accept. Moreover, browsers would be prevented from applying any of their existing due-diligence checks (the root-program policies and audits that today decide which certificate authorities a browser trusts) to the entities that issue these certificates, thereby bypassing the critical first line of defense against cybercrime.
Article 45.2 is attracting growing attention from parliamentarians and cybersecurity experts alike. In her draft report, MEP Romana Jerković, the file’s rapporteur, deleted it in order to have more time to figure out an approach that doesn’t compromise security. Meanwhile, in a letter sent to MEPs and EU countries, academics said that mandating the use of QWACs could introduce “significant weaknesses into the global multi-stakeholder ecosystem for securing web browsing.” They added that the move could make it “more difficult to protect individuals from cybercriminals.”
Attempts have been made in the past to forcibly bypass browser security checks for rights-interfering ends, most notably in Kazakhstan in 2020 and Mauritius in 2021. In both cases, the governments sought to have a government-controlled root certificate trusted by citizens’ browsers so that so-called “man-in-the-middle” attacks could be used for state-sponsored surveillance of internet traffic.
Marshall Erwin, Chief Security Officer at Mozilla, said: “While this is not the intent of the EU, the inclusion of article 45.2 in eIDAS will make it more difficult to push back on these surveillance attempts in future. The EU sets many global standards and we’re concerned that if this is copied elsewhere, the regulation will give the tools to governments to carry out state-sponsored surveillance of internet traffic. Such actions present a very real and dangerous unintended consequence of the EU’s digital identity plans.”