
Wednesday, November 15, 2023

JOINT STATEMENT OF SCIENTISTS AND NGOs ON THE PROPOSED DIGITAL IDENTITY IN EUROPE

Joint statement of scientists and NGOs on the EU’s proposed eIDAS reform
2nd November 2023


Dear Members of the European Parliament,
Dear Member States of the Council of the European Union,


We the undersigned are cybersecurity experts, researchers, and civil society organisations from across the globe.


We are extremely concerned that, as proposed in its current form, this legislation will not result in adequate technological safeguards for citizens and businesses, as intended. In fact, it will very likely result in less security for all.


Last year, many of us wrote to you to highlight some of the dangers in the European Commission’s proposed eIDAS regulation. After reading the near-final text, we are deeply concerned by the proposed text for Article 45. The current proposal radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens. Concretely, the regulation enables each EU member state (and recognised third party countries) to designate cryptographic keys for which trust is mandatory; this trust can only be withdrawn with the government’s permission (Article 45a(4)). This means any EU member state or third party country, acting alone, is capable of intercepting the web traffic of any EU citizen and there is no effective recourse. We ask that you urgently reconsider this text and make clear that Article 45 will not interfere with trust decisions around the cryptographic keys and certificates used to secure web traffic.

Article 45 also bans security checks on EU web certificates unless expressly permitted by regulation when establishing encrypted web traffic connections (Article 45(2a)). Instead of specifying a set of minimum security measures which must be enforced as a baseline, it effectively specifies an upper bound on the security measures which cannot be improved upon without the permission of ETSI. This runs counter to well established global norms where new cybersecurity technologies are developed and deployed in response to fast moving developments in technology. This effectively limits the security measures that can be taken to protect the European web. We ask that you reverse this clause, not limiting but encouraging the development of new security measures in response to fast-evolving threats.

The current text also mentions in multiple places the need for the European Digital Identity Wallet to protect privacy, including data minimization, and prevention of profiling. Yet, the legislation still allows relying parties like governments and service providers to unnecessarily link together and gain full knowledge about the uses of credentials in the new European Digital Identity System. Given the broad intended uses of this system, which span all areas of life from health, finance, commerce, online activity up to public transport, we believe that failing to require both unlinkability and unobservability will severely compromise the privacy of EU citizens.

Article 6a(7)(a) should be aligned with the negotiation mandate from the European Parliament lead Industry Committee and thereby prevent technologically that such information can be obtained by governments and other parties without the explicit consent of users. Article 6a(7a)(b) should “mandate” instead of “enable” that interactions cannot be linked by relying parties or other actors, where identification of the user is not mandatory. Lastly, forum-shopping from ‘Big Tech’ and other bad actors can only be prevented by a harmonised implementation of the Regulation that allows national eIDAS agencies to be overruled should they fail to act.

In summary, we strongly warn against the currently proposed trilogue agreement, as it fails to properly respect the right to privacy of citizens and secure online communications; without establishing proper safeguards as outlined above, it instead substantially increases the potential for harm.
