2nd November 2023
After years of legislative process, the near-final text of the eIDAS regulation has been agreed by trialogue negotiators1 representing EU’s key bodies and will be presented to the public and parliament for a rubber stamp before the end of the year. New legislative articles, introduced in recent closed-door meetings and not yet public, envision that all web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments.
These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU. Any EU member state has the ability to designate cryptographic keys for distribution in web browsers and browsers are forbidden from revoking trust in these keys without government permission.
This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to. This is particularly troubling given that adherence to the rule of law has not been uniform across all member states, with documented instances of coercion by secret police for political purposes.
The text goes on to ban browsers from applying security checks to these EU keys and certificates except those pre-approved by the EU’s IT standards body - ETSI. This rigid structure would be problematic with any entity, but government-controlled standard bodies are especially susceptible to misaligned incentives in cryptography. ETSI in particular has both a concerning track record (1,2,3) of producing compromised cryptographic standards and a working group dedicated entirely to developing interception technology.
The introduction of this text so late in the legislative process and behind closed doors is also deeply concerning for democratic norms in Europe. Although the deal itself was publicly announced in late June, the announcement doesn’t even mention website certificates, let alone these new provisions. This has made it extremely difficult for civil society, academics and the general public to scrutinize or even be aware of the laws their representatives have signed off on in private meetings.
Over 500 cyber security experts and researchers from around the world have signed an open letter calling on the EU to abandon these plans and safeguard the web:
After reading the near-final text, we are deeply concerned by the proposed text for Article 45. The current proposal radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens.
We ask that you urgently reconsider this text and make clear that Article 45 will not interfere with trust decisions around the cryptographic keys and certificates used to secure web traffic.
This text is subject to approval in the final closed-door trialogue meeting in Brussels on November 8th, after which it will be published and presented for formal ratification in the European Parliament. This is expected to be in the first few months of 2024, but this vote is seen as a formality with the text of trialogue negotiations typically being adopted into law without alteration.
If you’re a cybersecurity expert, researcher or represent an NGO, consider signing the open letter at https://eidas-open-letter.org.
Statements by Companies, Organisations and Individuals