Last Chance to Fix eIDAS: Secret EU Law Threatens Internet Security
canopic jug writes:
The Mozilla Corporation, known for applications like the Thunderbird e-mail client and the Firefox web browser, has issued a warning statement about some EU legislation sneaking its way through the back rooms. The text of the legislation is slated for approval in a non-public meeting in Brussels on November 8th.
After years of legislative process, the near-final text of the eIDAS regulation has been agreed by trialogue negotiators representing the EU's key bodies and will be presented to the public and parliament for a rubber stamp before the end of the year. New legislative articles, introduced in recent closed-door meetings and not yet public, envision that all web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments.
These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU. Any EU member state has the ability to designate cryptographic keys for distribution in web browsers and browsers are forbidden from revoking trust in these keys without government permission.
This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to. This is particularly troubling given that adherence to the rule of law has not been uniform across all member states, with documented instances of coercion by secret police for political purposes.
The text goes on to ban browsers from applying security checks to these EU keys and certificates except those pre-approved by the EU's IT standards body - ETSI. This rigid structure would be problematic with any entity, but government-controlled standard bodies are especially susceptible to misaligned incentives in cryptography. ETSI in particular has both a concerning track record of producing compromised cryptographic standards and a working group dedicated entirely to developing interception technology.
The introduction of this text so late in the legislative process and behind closed doors is also deeply concerning for democratic norms in Europe. Although the deal itself was publicly announced in late June, the announcement doesn't even mention website certificates, let alone these new provisions. This has made it extremely difficult for civil society, academics and the general public to scrutinize or even be aware of the laws their representatives have signed off on in private meetings.
Romana JERKOVIĆ is responsible for the eIDAS file. It goes without saying that the race to the bottom affects both sides of the pond because each time damage is done, the other side quickly adapts the same policies for the sake of "harmonization". Everyone has a stake in this.
Read more of this story at SoylentNews.