The proposed reform of the eIDAS (Electronic Identification, Authentication and Trust Services) regulation has sparked a real outcry.
Several hundred experts in cryptography and computer science have voiced their concerns in an open letter to the Council of Europe. Their concerns center on a revision of Article 45 of eIDAS, which must be finalized on November 8 before receiving the final stamp of approval from the European Parliament. The project, as you will have understood, runs directly counter to the EU's stated position when it gives assurances that it will not monitor its citizens through the digital euro. On the other hand, the decision would fit perfectly into the current context, in which the EU wants more transparency in how providers of digital services operate, particularly GAFAM. So what is this Article 45 that Europe is so determined to rework?
Digital trust called into question
This eIDAS article concerns how browsers manage security certificates. For the moment, browser publishers are free to choose the issuers of these certificates according to their own criteria. It is this particular point that the revision of Article 45 targets: publishers would be obliged to choose only from among issuers validated by EU Member States.
The open letter addressed to the Council explains that “this means that Member States could decide alone to impose [a measure making it possible] to monitor the Internet traffic of any European citizen, without possible protection”. Such a change would completely undermine the way current browsers work, in addition to being frankly questionable from a confidentiality point of view.
Worrying precedents
What also worries the authors of the open letter is that such a system could put colossal quantities of data in the hands of States. A fairly recent example illustrates the kind of abuse this could lead to: that of Qaznet, an official Kazakh certification authority. It was caught spying on Internet users and was therefore blocked by Mozilla and Chrome.
Organizations like Cloudflare, the Linux Foundation and the Mozilla Foundation (which had already spoken out against the proposed revision of Article 45 in 2021) are obviously very concerned by this change. They co-wrote another text stating that “the current system works (…) but it is also delicate”. These institutions fear a domino effect if the new revision is adopted: a disaster scenario in which a bad choice made by a single Member State could affect all EU citizens.
An opaque procedure and ignored recommendations
Gaëtan Leurent, a cryptography researcher at Inria (National Institute for Research in Computer Science), nevertheless acknowledges that the European Parliament had made sure to integrate the experts' recommendations when it began this amendment process. Those recommendations, however, no longer seem to be current. He thus deplores that “these softenings unfortunately disappeared from the text during the discussion” between the Parliament, the Commission and the Council of the EU.
Sylvain Ledru, head of engineering at Mozilla, is also rather surprised by this turn of events. He had nonetheless spoken of “a real dialogue” in 2021 during a major meeting between browser publishers and MEPs in Brussels. However, the conclusions of the European trilogue are not publicly accessible, and the reasons for the choices made will therefore remain opaque.
The researchers, scientists and NGOs that signed the letter are calling for the new European text to be revised. According to them, this change to Article 45 could have the opposite of the intended effect: endangering Internet users rather than protecting them. Digital sovereignty and fundamental freedoms: an equation that is always extremely delicate.
Source: The world, eIDAS