2023-11-08

ID, passwords and all payments in the same application. That is what is known as the ‘European Digital Identity Wallet’: a unified system that the European Union wants to create as an alternative to the large technology companies. To implement it, work is under way on the new eIDAS (‘electronic IDentification, Authentication and trust Services’) regulation, a reform that has put dozens of organizations on alert because of its profound risks to the privacy and security of users.

Certified companies that pass all controls. The reform of the eIDAS regulation proposes the creation of “Certified Authorities”: a series of selected European companies that would provide certified authentication (QWACs).

The controversy stems from article 45, which states that all browsers will be obliged to accept these certificates as valid, regardless of whether or not they meet security standards. Instead of applying the browser’s own criteria in each case, browsers would be forced to accept the security criteria of the European Union.

Dozens of organizations and hundreds of experts against it. In an open letter, more than 460 researchers from 36 countries and dozens of non-governmental organizations have warned of the risks of this eIDAS reform.

The signatories range from the Electronic Frontier Foundation (EFF) to the Document Foundation (LibreOffice), and include Mozilla, the Linux Foundation and pioneers such as Vint Cerf.

Article 45 is a “dangerous intervention in internet security.” In the open letter sent to members of the Parliament and the European Council, they explain that today’s HTTPS certificates follow common rules and that any failure can compromise communications.

Among the aspects of article 45 that they criticize is that “requiring certain entities to be certified does not comply with the recommendations of the ‘CA/Browser Forum’.”

“The current proposal radically expands the ability of governments to surveil residents across the EU, providing the technical means to intercept encrypted data on the internet, as well as undermining existing oversight mechanisms,” they explain.

The mere mistake of one country could spread to all. Article 45 may entail “undesirable extraterritorial effects,” they explain in the open letter, because the certified authorities of one country must be recognized throughout the European Union. Suppose a certain country decides to grant this certificate corruptly: that decision would affect the security of all other users.

And it would bring fragmentation. Beyond the privacy risk, establishing specific certified authorities could result in them not being accepted outside the European Union, with a separate list of certified companies being used there. The adverse effect would be a fragmented web, with websites accessible only depending on the region, point out the organizations that have signed the letter against it.

Let’s hope it ends the same way as ‘Chat Control’. Negotiators are scheduled to meet today for a final dialogue, behind closed doors. The Council should reach an agreement in December, and in February 2024 the European Parliament will have to vote on what will eventually become law.

“The vast majority of changes that introduce new risks have been made in closed-door meetings, without giving experts and the public the opportunity to give their opinion. When changes can have a significant effect on our freedoms, there should be more transparency,” explains Carmela Troncoso, associate professor at EPFL and privacy specialist.

The risk is similar to that of ‘Chat Control’ and its intention to de facto eliminate end-to-end encryption. Fortunately, at the end of October Parliament voted against the section that involved reviewing all conversations.

Image | Evgeniy Alyoshin

