EU digital ID reforms should be ‘actively resisted’, say experts

Over 300 cyber security experts have called for the EU to rethink its proposals for eIDAS digital identity reforms, saying some of the provisions risk damaging user privacy and security

A group of 309 cyber security experts, researchers and scientists hailing from 31 countries around the world has called on the European Union (EU) to rethink proposals to reform the electronic identification, authentication and trust services (eIDAS) Regulations, saying that “as proposed in its current form, this legislation will not result in adequate technological safeguards for citizens and businesses, as intended. In fact, it will very likely result in less security for all”.

The eIDAS regulations first came into force in September 2018, a little over five years ago, to promote and improve trust, security and convenience for EU citizens through a single, union-wide set of rules governing electronic identification and trust services, such as electronic signatures, seals, time stamps, delivery services and website authentication.

Among its provisions is the possibility for any company or private individual to use their own national e-identities (eIDs) when they work or live in another EU state, meaning that all organisations delivering public digital services in an EU member state must recognise and support the eIDs of all the others.

Steven Murdoch, professor of security engineering at University College London (UCL) – who is among the signatories – said the scope of eIDAS, and its predecessors, had largely related to digital identity and the legal aspects of digital signatures, but that these areas had evolved massively in the past few years, triggering impetus for reform.

“The Covid pandemic triggered a lot of interest because it allowed many things that previously had to happen with pen and paper to move online [and] that was a good thing,” he told Computer Weekly. “What eIDAS is trying to do is make this smoother, more secure, and have greater uniformity between member states and third countries.”

The group’s concerns over the amendments largely centre on Article 45 of the reformed eIDAS, where it says the text “radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens”.

“This clause came as a surprise because it wasn’t about governing identities and legally binding contracts, it was about web browsers, and that was what triggered our concern,” explained Murdoch. “You can perhaps see why it might belong here, but once you go into the details, you can see why it doesn’t. It’s out of place; it should be actively resisted.”

Websites today are authenticated through root certificates controlled by certificate authorities, which assure the user that the cryptographic keys used to authenticate the website's content really belong to that website. The holder of a trusted root certificate can intercept a user's web traffic by issuing a certificate that substitutes keys it controls for the website's own, even if the website has chosen a different certificate authority and a different certificate. This mechanism has been abused in several real cases; legislation governing certificate authorities does exist and, by and large, has worked well.

The proposed Article 45 now gives EU member states the ability to insert new root certificates at will, which supposedly improves security for website users by giving them a new way to obtain authentic information about who operates a website. However, the group believes that in practice this will have the opposite effect.

For example, if one member state – or a recognised third-party state – adds a new authority to the EU Trusted List, its certificate will legally have to be added to all browsers and distributed across the entire EU as a trusted certificate. At this point, if the government were to use the outlined substitution technique, it would gain the ability to intercept the web traffic of not only its own citizens, but everybody in the EU, and harvest confidential data such as financial information, medical records and so on.

To make matters worse, if one member state were to abuse the system in this way, Article 45 contains no provision that enables the rogue certificate to be rescinded without that country’s authority – and there is no opt-out mechanism for citizens when it comes to Article 45, observed the group.

In essence, said the group, the EU is undermining website authentication and thus undermining communications security. “We ask that you urgently reconsider this text and make clear that Article 45 will not interfere with trust decisions around the cryptographic keys and certificates used to secure web traffic,” the group said.

The issues with Article 45 do not stop there: it also bans security checks on EU web certificates when establishing encrypted connections unless those checks are permitted by regulation. Rather than specifying a floor of minimum security measures, it sets a ceiling that cannot be raised without explicit permission from ETSI. According to the group, this goes against every established norm for rolling out new security technologies, and effectively caps the measures that can be taken to secure the web in the EU.
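As an added illustration of the two points above (the substitution mechanism described earlier and the kind of extra client-side check Article 45 would restrict), not code from the article or from any party it quotes: the Go program below uses only the standard library to build two demo root certificates in memory, issue a genuine certificate for a hostname from the first, and then issue a second certificate for the same hostname from a newly listed root. Plain trust-store validation accepts both, while a pin recorded for the original root rejects the substituted one. The hostname, the CA names and the pinning check itself are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds an in-memory demo certificate: a self-signed root when parent is nil, else a server cert from parent.
func mkCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	signer := parentKey
	if parent == nil { // root: signs itself and is allowed to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage, parent, signer = true, x509.KeyUsageCertSign, tmpl, key
	} else {
		tmpl.DNSNames = []string{name}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) } // SPKI hash: the value pinned
// accept: baseline trust-store check, plus (when pin != nil) the extra check that the anchoring root matches the recorded pin.
func accept(leaf *x509.Certificate, roots *x509.CertPool, host string, pin *[32]byte) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil && (pin == nil || spkiPin(chains[0][len(chains[0])-1]) == *pin)
}
// substitution models the text's scenario: genuine cert from rootA; rootB is listed later and issues its own cert for host.
func substitution(host string) (genuineOK, substBaseline, substPinned bool) {
	rootA, keyA := mkCert("Root A", nil, nil)
	rootB, keyB := mkCert("Root B", nil, nil)
	genuine, _ := mkCert(host, rootA, keyA)
	roots := x509.NewCertPool()
	roots.AddCert(rootA)
	pin := spkiPin(rootA) // recorded while rootA was the only root the client had seen for host
	roots.AddCert(rootB)  // the newly listed root is now trusted by every client
	substituted, _ := mkCert(host, rootB, keyB)
	return accept(genuine, roots, host, &pin), accept(substituted, roots, host, nil), accept(substituted, roots, host, &pin)
}
func main() {
	fmt.Println(substitution("example.com")) // prints: true true false
}
```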

“We ask that you reverse this clause, not limiting, but encouraging the development of new security measures in response to fast-evolving threats,” the group said.

Murdoch said the EU’s proposals may have emerged from a desire to curb the power that the large browser operators, chiefly Google and Microsoft, have over root certificates.

“This clause could be interpreted as a way of taking power away from big tech and handing it to governments,” he said. “[However], this is the wrong mechanism for that.”

He explained that the tech giants have, in general, recognised that users are rightly concerned about them holding the ultimate power over root certificates and their issuers, so they have agreed to transparent governance processes, which have been used against negligent certificate authorities in the past. It is debatable, said Murdoch, how effective those processes are, but they do not seem to be being abused.

“Even if they were [abusing the processes], eIDAS would not be the right tool. It’s a competition problem, it should be addressed through competition law,” he said.

Digital Identity Wallets not up to scratch

A third major objection raised by the collective covers the European Digital Identity Wallet. The current eIDAS text sets out the need for this functionality to protect privacy, minimise the data collected and prevent profiling, yet Article 6a(7)(a) of the proposed updates allows governments and technology service providers to link interactions together and gain full knowledge of how credentials are being used through eIDAS.

The group argued this was unnecessary and, given the broad intended uses of eIDAS, would compromise citizen privacy. Group members are calling on the EU to prevent this information from being obtained without a user’s explicit consent by having the article “mandate” rather than “enable” that interactions can’t be linked if it is not mandatory to identify the user, and to harmonise this across the EU to prevent tech organisations from shopping around for more lenient jurisdictions.

“Without these necessary amendments, the eIDAS regulation risks becoming a gift to Google and other big tech actors,” said the group. “A European solution to the central question of handling sensitive identity information needs to protect citizens against surveillance capitalism through strong technical mechanisms and be resilient against attempts to exploit the regulatory system through jurisdiction shopping.”

Brexit questions

An amended form of the EU eIDAS was transposed into UK law following Brexit, although while the UK’s regulations allow the legal effect of EU eIDAS qualified services to be recognised and used in the UK, no reciprocal agreement exists and the UK’s regulations are not automatically recognised and accepted on the European mainland.

But with the UK having a similarly service-driven economy that is increasingly digitising, observed Murdoch, “it would be a surprise if the UK was not to adopt it”.

Additionally, the UK is not a large enough market alone for private sector organisations to consider policy carve-outs or special product versions compared to the EU. Therefore, if something is compliant with EU law and not actively forbidden in the UK, it will likely be adopted here – a similar situation having been seen with Apple’s EU-mandated switch to USB-C charging ports for iPhones.
