LOAD e.V.

Joint statement of scientists and NGOs on the EU's proposed eIDAS reform

As co-signatories of the open letter at https://eidas-open-letter.org, we support its civil-society warning against the eIDAS regulation currently being negotiated in the EU trilogue, because it does not adequately respect citizens' right to privacy and the security of online communication.

Or, as our member HonkHase puts it:

State-mandated root CAs in every browser are creepy!

Background

After years of legislative proceedings, the trilogue negotiators have agreed on the near-final text of the eIDAS regulation, which is to be presented to the public and put to a vote in Parliament before the end of the year.

The new articles provide that all web browsers distributed in Europe must trust the certification authorities and cryptographic keys selected by EU governments.

These changes radically expand the ability of EU governments to surveil their citizens by ensuring that cryptographic keys under state control can be used to intercept encrypted internet traffic within the EU. Every EU member state is able to designate cryptographic keys for distribution in web browsers.

Browsers are prohibited from withdrawing trust in these keys without government approval.

This enables the government of every EU member state to issue website certificates for interception and surveillance purposes that can be used against any EU citizen, including citizens who are neither resident in nor connected to the issuing member state. There are no independent checks and balances on the decisions member states take regarding the keys they approve and the use of those keys. This is particularly worrying given that adherence to the rule of law is not uniform across all member states and that there are documented cases of coercion by secret police for political ends.

The text prohibits browsers from subjecting these EU keys and certificates to security checks unless those checks have first been approved by the EU's IT standardisation body, ETSI. Such a rigid structure would be problematic with any institution, but the government-controlled standards body ETSI additionally has a worrying track record of producing compromised cryptographic standards and runs a working group devoted exclusively to developing interception technology.

Further information

The English text of the letter can be found at https://nce.mpi-sp.org/index.php/s/cG88cptFdaDNyRr.

Mozilla has also set up an overview page at https://last-chance-for-eidas.org/ with many links to press articles covering the topic.

Joint statement of scientists and NGOs on the EU’s proposed eIDAS reform

2nd November 2023

Dear Members of the European Parliament,
Dear Member States of the Council of the European Union,

We the undersigned are cybersecurity experts, researchers, and civil society organisations from
across the globe.
We have read the near-final text of the eIDAS digital identity reform which has been agreed on a
technical level in the trilogue between representatives from the European Parliament, Council
and Commission. We appreciate your efforts to improve the digital security of European citizens;
it is of utmost importance that the digital interactions of citizens with government institutions and
industry can be secure while protecting citizens’ privacy. Indeed, having common technical
standards and enabling secure cross-border electronic identity solutions is a solid step in this
direction. However, we are extremely concerned that, as proposed in its current form, this
legislation will not result in adequate technological safeguards for citizens and businesses, as
intended. In fact, it will very likely result in less security for all.
Last year, many of us wrote to you to highlight some of the dangers in the European
Commission’s proposed eIDAS regulation. After reading the near-final text, we are deeply
concerned by the proposed text for Article 45. The current proposal radically expands the ability
of governments to surveil both their own citizens and residents across the EU by providing them
with the technical means to intercept encrypted web traffic, as well as undermining the existing
oversight mechanisms relied on by European citizens. Concretely, the regulation enables each
EU member state (and recognised third party countries) to designate cryptographic keys for
which trust is mandatory; this trust can only be withdrawn with the government’s permission
(Article 45a(4)). This means any EU member state or third party country, acting alone, is
capable of intercepting the web traffic of any EU citizen and there is no effective recourse. We
ask that you urgently reconsider this text and make clear that Article 45 will not interfere with
trust decisions around the cryptographic keys and certificates used to secure web traffic.
Article 45 also bans security checks on EU web certificates unless expressly permitted by
regulation when establishing encrypted web traffic connections (Article 45(2a)). Instead of
specifying a set of minimum security measures which must be enforced as a baseline, it
effectively specifies an upper bound on the security measures which cannot be improved upon
without the permission of ETSI. This runs counter to well established global norms where new
cybersecurity technologies are developed and deployed in response to fast moving
developments in technology. This effectively limits the security measures that can be taken to
protect the European web. We ask that you reverse this clause, not limiting but encouraging the
development of new security measures in response to fast-evolving threats.

The current text also mentions in multiple places the need for the European Digital Identity
Wallet to protect privacy, including data minimization, and prevention of profiling. Yet, the
legislation still allows relying parties like governments and service providers to unnecessarily
link together and gain full knowledge about the uses of credentials in the new European Digital
Identity System. Given the broad intended uses of this system, which span all areas of life from
health, finance, commerce, online activity up to public transport, we believe that failing to require
both unlinkability and unobservability will severely compromise the privacy of EU citizens. Article
6a(7)(a) should be aligned with the negotiation mandate from the European Parliament’s lead
Industry Committee and thereby prevent technologically that such information can be obtained
by governments and other parties without the explicit consent of users. Article 6a(7a)(b) should
“mandate” instead of “enable” that interactions cannot be linked by relying parties or other
actors, where identification of the user is not mandatory. Lastly, forum-shopping from ‘Big Tech’
and other bad actors can only be prevented by a harmonised implementation of the Regulation
that allows national eIDAS agencies to be overruled should they fail to act.
Finally, we would like to highlight our frustration that decisions crucial for the security and
privacy of citizens, businesses, and governments, are being taken behind closed doors in
trilogue negotiations without public consultation of experts about the potential consequences of
the proposed regulations. We urge the European Parliament, Commission, and Council to
reconsider their legislative processes and commit to greater transparency so that experts and
the public can effectively contribute to the development of new regulations.1
In summary, we strongly warn against the currently proposed trilogue agreement, as it
fails to properly respect the right to privacy of citizens and secure online
communications; without establishing proper safeguards as outlined above, it instead
substantially increases the potential for harm.

1. Undermining website authentication undermines communications security
The current text of Article 45 mandates that browsers must accept any root certificates provided
by any Member State (and any third party country approved by the EU) and will have severe
consequences for the privacy of European citizens, the security of European commerce, and
the Internet as a whole.
Root certificates, controlled by so-called certificate authorities, provide the authentication
mechanisms for websites by assuring the user that the cryptographic keys used to authenticate
the website content belong to that website. The owner of a root certificate can intercept users’
web traffic by replacing the website’s cryptographic keys with substitutes it controls. Such a
substitution can occur even if the website has chosen to use a different certificate authority with
a different root certificate. Any root certificate trusted by the browser can be used to
compromise any website. There are multiple documented cases of abuse, because the
security of some certificate authorities has been compromised. To avoid this, there exists
legislation that regulates certificate authorities, complemented by public processes and
continuous vigilance by the security community to reveal suspicious activities.
The proposed eIDAS revision gives Member States the possibility of inserting root certificates at
will, with the aim to improve the digital security of European citizens by giving them new ways to
obtain authentic information of who operates a website. In practice, this does exactly the
opposite. Consider the situation in which one of the Member States (or any of the third party
states recognized now or in the future) were to add a new authority to the EU Trusted List. The
certificate would have to be immediately added to all browsers and distributed to all of their
users across the EU as a trusted certificate. By using the substitution techniques explained
above, the government-controlled authority would then be able to intercept the web traffic of
not only their own citizens, but all EU citizens, including banking information, legally
privileged information, medical records and family photos. This would be true even when visiting
non-EU websites, as such an authority could issue certificates for any website that all browsers
would have to accept. Additionally, although much of the eIDAS 2.0 regulation carefully gives
citizens the capability to opt out from usage of new services and functionality, this is not the
case for Article 45. Every citizen would have to trust those certificates, and thus every
citizen would see their online safety threatened.
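To make the substitution mechanism described above concrete, here is an added shell example; it is not part of the open letter or of LOAD e.V.'s text. It uses the openssl command-line tool to build a trust store holding two roots, issues a certificate for the constructed hostname example.test from each of them, and shows that plain chain validation accepts both chains, while a pin on the genuine CA's public key (one of the additional checks the letter wants browsers to be allowed to keep) rejects the substitute. The CA names, file names and hostname are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the open letter or LOAD e.V. A trust store holds two
# roots: CA-A (the root the site chose) and CA-B (a second root the store must
# trust). Both issue a certificate for the constructed hostname example.test.
# Plain chain validation accepts either chain; a pin on the SPKI hash of the
# site's genuine CA (an extra check of the kind the letter defends) rejects the
# substitute. Assumes the openssl command-line tool (1.1.1 or newer).
set -e
WORK=$(mktemp -d) && cd "$WORK"
trap 'rm -rf "$WORK"' EXIT
HOST=example.test
CURVE=ec_paramgen_curve:prime256v1

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_ca() {   # $1 = CA name; self-signed root with a P-256 key
  openssl req -x509 -config ca.cnf -newkey ec -pkeyopt "$CURVE" -nodes \
    -keyout "$1.key" -out "$1.crt" -days 2 -subj "/CN=$1" 2>/dev/null
}

issue_leaf() {   # $1 = issuing CA name, $2 = output prefix; cert for $HOST
  openssl req -new -config ca.cnf -newkey ec -pkeyopt "$CURVE" -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$HOST" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -extfile "$2.ext" -out "$2.crt" -days 1 2>/dev/null
}

spki_hash() {   # $1 = cert file; hex SHA-256 of its DER SubjectPublicKeyInfo
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# What plain chain validation does: accept any chain ending in a stored root.
chain_accepted() {   # $1 = leaf cert; 0 if store.pem validates it for $HOST
  openssl verify -CAfile store.pem -verify_hostname "$HOST" "$1" >/dev/null 2>&1
}

# The extra check: a valid chain whose issuer key matches the recorded pin.
pin_check() {   # $1 = leaf cert, $2 = issuer cert presented alongside it
  chain_accepted "$1" && [ "$(spki_hash "$2")" = "$PIN" ]
}

make_ca CA-A && make_ca CA-B
cat CA-A.crt CA-B.crt > store.pem   # mandated trust store: both roots trusted
issue_leaf CA-A site                # the certificate the site really deploys
issue_leaf CA-B substitute          # same hostname, vouched for by CA-B instead
PIN=$(spki_hash CA-A.crt)           # pin recorded for the site's genuine CA

for pair in site:CA-A substitute:CA-B; do
  leaf=${pair%%:*}; issuer=${pair##*:}
  chain_accepted "$leaf.crt" && echo "$leaf.crt: accepted by the trust store"
  if pin_check "$leaf.crt" "$issuer.crt"; then echo "$leaf.crt: pin matches"
  else echo "$leaf.crt: rejected, issuer $issuer is not the pinned CA"; fi
done
```

Real browsers implement pins and other extra checks differently (for example through certificate transparency), but the structure is the same: chain validation alone decides only whether some trusted root vouched for the name, not whether it was the right one.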
Even if this misbehaviour was discovered, under the current proposal it would not be possible to
remove this certificate without the ultimate approval of the country having introduced the
certificate authority. Neither eIDAS’s Article 45 nor any provisions in adjacent EU legislation
such as the NIS2 Directive provide any independent checks and balances on these decisions.
Further, European citizens do not have an effective way to appeal these decisions. This
situation would be unacceptably damaging to online trust and safety in Europe and across the
world. We believe this legislative text must be urgently reworked to avoid these serious
consequences by clarifying that eIDAS does not impose obligations to trust cryptographic keys
used for encrypted web traffic.

The proposed legislation also prevents the introduction of security checks when verifying the
certificates used for encrypted web traffic in Article 45(2a). As written, this language requires that
the EU’s website certificates not be subjected to any mandatory requirements beyond those
specified in ETSI standards. Mandatory requirements on certificates are essential when
browsers validate certificates presented for use in encrypted web connections. Preventing these
additional security checks has no useful purpose and only hampers the improvement of
cybersecurity for European citizens. The detailed rules on certificate validation and display are
constantly being adapted based on new research results and consensus in the security
community. Existing security mechanisms, well-studied and accepted by the security community
at large, such as TLS 1.3 and certificate transparency logs currently enable browsers to quickly
adapt to changing threats and improve global web security. It is essential that this regulation
establishes a mandatory minimum set of security standards, but does not impose a limited set of
requirements which would hamper the adoption of new security technology within the EU.
While Article 45 could be understood as reducing the power of the large companies behind the
major web browsers, from a technical perspective, this is not the case. There already exists a
large number of certificate authorities capable of issuing certificates trusted in every web
browser, many of which are European and also recognised under the EU’s existing eIDAS
legislation. Websites have a free choice about which certificate authority they use and all of the
approved certificate authorities are treated equally in the browser. Should issues arise, the EU is
already well-equipped to tackle them through the recently passed Digital Markets Act, which
specifically identifies popular browsers and cloud services and bans self-preferencing behaviour
by gatekeepers. Article 45 itself does nothing to assist this process or to enable European
scrutiny of trust decisions by ‘Big Tech’, instead it only enables the interception of EU citizens’
web traffic by European governments. It further prevents concerned users, who may have
serious and substantiated concerns about being subject to state surveillance, from choosing, or
even creating, a browser that has stricter security checks.
In summary, this regulation allows misbehaviour by any individual Member State (or approved
third party countries) to compromise the safety and security of other Member States’ citizens. If
it is implemented, it would result in citizens having to, without a choice, trust all certificate
authorities defined by Member States (and recognized third countries) in addition to the parties
they trust today. This regulation does not eliminate any existing risk. Instead, by undermining the
existing secure web authentication processes, it introduces new risks with no gain for European
citizens, businesses, and institutions. Moreover, if this regulation becomes a reality, it is only to
be expected that other countries will put pressure on browsers to obtain similar privileges
as EU Member States — as some have unsuccessfully attempted in the past — globally
endangering web security.
In order to address these concerns and avoid the security issues introduced by the current
legislation proposal which could result in incalculable damage, we recommend:

● The text be clarified to ensure that this legislation will not interfere with trust decisions
around the cryptographic keys or certificates used to secure web traffic and the
consequent impact on privacy and security of European citizens.

● Additional checks independent from those envisioned in the legislation are not only
permitted but encouraged to enable browsers to rapidly incorporate advances made by
the security community to improve the security of communications.

In particular:
● The re-introduction of text to Article 45 (2) limiting its scope: “Such recognition, support
and interoperability means solely that web-browsers shall ensure that the identity data
attested in the certificate provided using any of the methods is displayed in a
user-friendly manner.”
● The deletion of Article 45 (2a) so that new security checks can be implemented
effectively
● In Recital 32: Adding clarification that the obligations of recognition, interoperability and
support in Article 45 do not extend to the use of encryption and authentication
technologies for securing web traffic.
We also explicitly note that established processes clearly allow new certificate authorities to be
added to browser root trust stores; nation states wishing to establish a new CA for legitimate and
lawful purposes need to go through the same security certification procedures that existing
authorities do, without requiring new regulation. Fostering the development of an EU-native
browser, or strengthening the supervision of certificate authorities across the EU, would have a
much more positive impact on the overall security of European citizens than attempting to
change the status quo of web security from within the eIDAS regulation.

2. A complex system only provides the security and privacy guarantees of its weakest
component
The European Digital Identity Wallet (EDIW) is designed to identify and authenticate users with
a high level of assurance. The Wallet includes identity information from national IDs (age, sex,
etc), and can be extended with additional attributes. These attributes could include very
sensitive information such as medical certificates, or important information for the future of
European citizens such as their professional qualifications. The eIDAS regulation foresees the
creation of an ecosystem of public and private entities that will benefit from the Wallet to have
access to certified personal information about citizens.
We welcome the provisions crafted in the legislation, which advocate for strong protections to
preclude tracking and profiling, that enable the option of revealing attributes in a selective
manner or via zero-knowledge attestation, that attribute providers should not learn with
whom users share their attributes, or that mention that the wallet should allow for unlinkability
when identification is not needed. These are essential to promote the use of technologies that
can provide these properties by design, and we commend the legislators for including them.
Yet, the legislation only enables the existence of privacy-preserving technologies, but does not
mandate them (Article 6a(7a)(b)). We are concerned that this legal ambiguity could lead to a
deterioration of privacy safeguards that ultimately leaves too much room for technical
implementation on member state level. Importantly, operators of the EDIW can still obtain
knowledge about concrete user behaviour even when the user has not consented to this. With a
privacy-respecting architecture such information is not necessary for the provision of the EDIW.
With the current legal text, the architecture of the system risks undermining citizens’ trust in
the system as a whole (Article 6a(7)). A fully harmonised European system for the benefit
of the private sector also needs a fully harmonised level of safeguards European citizens can
rely upon. Moreover, relying parties (service providers with access to the wallet) can also
register in any of the Member States, thus the effective regulatory regime that bad actors and
‘Big Tech’ can exploit is the weakest of all Member States as we have seen with the GDPR and
DSA. This is particularly challenging because of the necessity of cross-border interoperability.
Hence, we recommend in Article 46e to empower the European Digital Identity Cooperation
Group to overrule the decisions of national eIDAS regulators in order to prevent the
circumvention of these important protections.

In order to address these concerns and avoid that the eIDAS regulation results in a new privacy
problem with no security gain in terms of authentication, we recommend:
● Make unlinkability a mandatory rather than optional requirement by replacing “enable”
with “mandate” in Article 6a(7a)(b).
● Align the technical architecture with the strong protections established in the lead
Industry committee of the European Parliament in Article 6a(7).
● Give a majority in the European Digital Identity Cooperation Group, according to
Article 46e, the power to overrule the decisions of national eIDAS regulators in order to
ensure a harmonised enforcement of this regulation.
Without these necessary amendments the eIDAS regulation risks becoming a gift to Google and
other Big Tech actors. A European solution to the central question of handling sensitive identity
information needs to protect citizens against surveillance capitalism through strong technical
mechanisms and be resilient against attempts to exploit the regulatory system through
jurisdiction-shopping.