European lawmakers are on the cusp of approving new digital identity rules known as eIDAS 2.0. While the legislation aims to modernize digital identity and trust services, civil society groups argue that it could lead to a less secure and more surveilled web. The concern centres on a requirement that browser makers trust government-approved Certificate Authorities (CAs) while being barred from applying security requirements of their own on top of the regulation's.

Under eIDAS 2.0, Qualified Trust Service Providers (QTSPs), CAs approved by an EU member state's supervisory body, would issue Qualified Website Authentication Certificates (QWACs) to websites, and browsers would be required to recognise them. As critics read the text, if a browser maker suspected misuse or detected traffic interception, it would not be allowed to take the usual countermeasures, such as distrusting the affected certificates or removing the issuing CA's root certificate from its trust store.

This raises significant security and privacy issues. A CA whose root a browser trusts can issue a certificate for any domain name, not only for customers that have proven control of it. An authority (or anyone holding the CA's signing key) could therefore present a browser-trusted certificate for a site it does not operate, sit in the middle of the HTTPS connection, and read the traffic while the browser shows the padlock as usual. The lack of independent oversight of how such roots are used raises concerns about misuse and abuse of power. Browsers have already had to deal with trusted CAs being turned against users: fraudulent certificates issued from the compromised Dutch CA DigiNotar were used in 2011 to intercept Google traffic in Iran, and the vendors' response was to remove DigiNotar's root.

Browser makers have historically acted against untrustworthy CAs by removing their root certificates from their trusted lists, and they condition inclusion on requirements that go beyond the law, Certificate Transparency logging among them. eIDAS 2.0 would prevent them from doing either when the CA has government approval. This limitation, set out in Article 45 of the legislation, hampers the ability to enforce modern security requirements.
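The mechanism the previous two paragraphs describe, as an added example that is not part of the original article: a second root that a client is obliged to trust can mint a certificate for a site it has no relationship with, the client accepts it, and the only effective countermeasure is to drop that root from the trust store. Everything here is constructed for illustration: the two CA names are hypothetical, the target hostname is example.com, and the certificates live only in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for the example. "Legit Root CA" stands in for the CA that
// really issued the site's certificate; "Mandated Root CA" for any additional
// root a browser would be obliged to trust. Neither is a real CA.
const (
	legitCAName    = "Legit Root CA (constructed)"
	mandatedCAName = "Mandated Root CA (constructed)"
	targetHost     = "example.com"
)

func newSerial() *big.Int {
	n, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	return n
}

// issue signs tmpl with parent/parentKey; with parent == nil the certificate is
// self-signed with its own freshly generated key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func newRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          newSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, nil, nil)
}

// newLeaf has root issue a server certificate for host. Nothing in X.509 itself
// stops any trusted root from doing this for a domain it has no control over.
func newLeaf(host string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := issue(tmpl, root, rootKey)
	return cert, err
}

// accepted mimics a browser's chain validation of leaf for host against trustStore.
func accepted(leaf *x509.Certificate, trustStore *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trustStore, DNSName: host})
	return err == nil
}

// Scenario reports whether the interception certificate is accepted (a) while the
// mandated root sits in the trust store and (b) after the vendor distrusts that root.
func Scenario() (withMandatedRoot bool, afterDistrust bool, err error) {
	legitRoot, _, err := newRootCA(legitCAName)
	if err != nil {
		return false, false, err
	}
	mandatedRoot, mandatedKey, err := newRootCA(mandatedCAName)
	if err != nil {
		return false, false, err
	}
	// The interceptor holds the mandated CA's key and mints a cert for a site it does not own.
	mitmCert, err := newLeaf(targetHost, mandatedRoot, mandatedKey)
	if err != nil {
		return false, false, err
	}
	// Trust store as critics of Article 45 fear it: the legitimate root plus the mandated one.
	store := x509.NewCertPool()
	store.AddCert(legitRoot)
	store.AddCert(mandatedRoot)
	withMandatedRoot = accepted(mitmCert, store, targetHost)

	// The countermeasure browsers have used so far: remove the root from the store.
	distrusted := x509.NewCertPool()
	distrusted.AddCert(legitRoot)
	afterDistrust = accepted(mitmCert, distrusted, targetHost)
	return withMandatedRoot, afterDistrust, nil
}

func main() {
	a, b, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("MITM cert accepted while mandated root is trusted: %v\n", a)
	fmt.Printf("MITM cert accepted after the root is distrusted:   %v\n", b)
}
```

The point of the two pools is that the interception certificate is perfectly well-formed and chains correctly; chain validation alone cannot tell it from a legitimate one. What changes the outcome is the contents of the trust store, which is exactly the lever Article 45 would take out of the browser vendors' hands.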

Unsurprisingly, organizations such as the Electronic Frontier Foundation and Mozilla, along with over 400 cybersecurity experts and NGOs, have voiced their concerns. They argue that Article 45 would allow any EU government, or any third party a government recognises, to intercept web traffic without accountability or oversight.

It is essential for EU lawmakers to address these concerns and revise the legislation with suitable safeguards. Security and privacy on the internet must remain paramount, and the potential risks associated with eIDAS 2.0 cannot be ignored.

What are eIDAS 2.0 digital identity rules?

eIDAS 2.0 refers to the proposed legislation amending the 2014 eIDAS Regulation to modernize digital identity and trust services in Europe. It includes rules on electronic signatures, time stamps, registered delivery services, and certificates for website authentication.

Why are civil society groups concerned about eIDAS 2.0?

Civil society groups argue that eIDAS 2.0 could make the internet less secure and expose citizens to online surveillance. The requirement for browser makers to trust government-approved Certificate Authorities (CAs) and the limitations on implementing additional security controls raise significant privacy and security concerns.

What is the potential risk associated with eIDAS 2.0?

One of the major risks is that a government-approved CA, or anyone controlling its signing key, could issue a browser-trusted certificate for any website and use it to intercept and decrypt HTTPS traffic, allowing users' activities on those websites to be monitored. The lack of independent oversight of how these certificates are used, combined with browsers being unable to withdraw trust, raises concerns about misuse and abuse of power.