UPDATED 13:11 EDT / NOVEMBER 06 2023

Controversy brews over new EU-based digital certificate laws that could compromise digital trust relationships

The Electronic Identification, Authentication and Trust Services Act passed the European Union Parliament back in 2014 and has been slowly enacted since July 2016. But a more recent change this past summer, a proposed Article 45 of eIDAS, has gotten more attention as of late, and not in a good way.

A group of more than 400 cybersecurity professionals, internet special interest groups and security providers has written to the EU to complain about this new addition. Google’s Chrome Security team posted its own disapproval last week. The change would allow any EU government agency to perform so-called man-in-the-middle compromises and legally intercept all internet traffic, including encrypted traffic.

These compromises, often related to various digital certificate failures, have become part of internet security folklore over the years. One of the more infamous events happened in 2011, when an attacker compromised the internet registrar DigiNotar and issued rogue certificates for many domains.

At the heart of this matter is the trust relationship among digital certificates. Giving various government entities the ability to insert their own root certificate into that chain of trust undermines it and threatens overall secure communications.

The eIDAS regulations are far-reaching: They focus on electronic transactions, including digital signatures, digital funds transfers, electronic ID cards, filing taxes online and other communications that would ordinarily use physical documents sent in the postal mail or delivered in person. Their goal was to help digital transformation and innovation by providing a solid digital trust foundation. A number of digital certificate and other trust services providers have supported the effort.

Less security for all?

That trust may be up for grabs at the moment.

“In its current form, this legislation will not result in adequate technological safeguards for citizens and businesses, as intended,” the letter says. “In fact, it will very likely result in less security for all.”

That’s because the proposed law would enable any EU country to intercept any communications of any citizen of the EU. Another provision would hobble security measures that might be deployed in the future by banning any security checks without prior EU government permission.

Taken together, that could make it easy to produce phishing copycat pages that would be harder to distinguish from legitimate ones. This is because whoever controls a trusted root certificate could issue substitute certificates for those pages, and those certificates could themselves be deliberately compromised.

Furthermore, once a government agency introduces its own certificate, it’s the only entity that can remove it, so there are no independent checks and balances on these decisions, or a way for any EU citizen to file an appeal if some error has happened.

The letter suggests various changes to Article 45 and also urges the EU to act with more transparency about its future digital lawmaking. Apparently, this latest amendment was done outside of any public consultation. Representatives from the Mozilla Foundation, the keeper of one web browser code base, have posted that the EU “has made it extremely difficult for civil society, academics and the general public to scrutinize or even be aware of the laws their representatives have signed off on in private meetings.”

They point out that web browsing is a global ecosystem, not one bounded by the EU. This new amendment to eIDAS, they say, could create all sorts of abuse “by governments that do not aspire to the same governance principles as the EU. For instance, the same mechanism can be used to insert a government root certificate, and thereby gain access to all browser sessions secured with those certificates.”

The letter ends with this warning: “A European solution to the central question of handling sensitive identity information needs to protect citizens against surveillance capitalism and be resilient against attempts to exploit the regulatory system.” The group behind the letter is hoping the various EU commissions that were involved in these latest changes will reconsider their options.

Image: Tumisu/Pixabay
