New proposed eIDAS amendment gives the EU a legal mandate to surveil HTTPS sites
In 2018, the European Union introduced electronic identification, authentication and trust services (eIDAS), a set of regulations that establish a baseline for trust and security online via electronic signatures, seals, time stamps, delivery services and website authentication. Some of the regulations had to be revised with the emergence of the pandemic, and the reformed eIDAS could soon include an Article 45 that essentially allows EU governments to surveil EU citizens and residents by intercepting encrypted internet traffic carried over HTTPS. This particular article was amended without public consent, and over 300 academics and tech experts are now calling out such grave infringements on human rights in an open letter that urges the adoption of established web standards.
As reported by ComputerWeekly, Steven Murdoch, professor of security engineering at University College London (UCL), is among the open letter signatories who were surprised to find mentions of web browser surveillance in the reformed eIDAS. If Article 45 passes as is, EU governments will be able to insert new root HTTPS certificates into browsers at will under the pretext that they improve security for website users. However, because any certificate chaining to a trusted root is accepted by the browser, these newly inserted certificates may also be used to intercept web traffic across the entire EU, harvesting confidential data. The signatories urge the European Commission to “urgently reconsider this text and make clear that Article 45 will not interfere with trust decisions around the cryptographic keys and certificates used to secure web traffic.”
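The following Go program is an added illustration of the trust-store mechanism the letter objects to; it is not code from the article, from ComputerWeekly or from the signatories. It builds two constructed certificate authorities (a "public" CA and an "injected" root), issues a certificate for the same hypothetical host name from each, and shows that the second chain is rejected until the injected root is added to the trust store, after which both chains validate identically. It then shows the defender-side check that still distinguishes them: pinning the SHA-256 hash of the expected CA's SubjectPublicKeyInfo and rejecting any chain that does not pass through a pinned key. All names, keys and the host `example.com` are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCA creates a self-signed root CA. Constructed test data, not a real CA.
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// makeLeaf issues a TLS server certificate for host, signed by the given CA.
func makeLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// verifies reports whether leaf chains to some root in the pool for host,
// which is all a browser checks by default.
func verifies(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// spkiHash is the SHA-256 of the certificate's SubjectPublicKeyInfo, the
// value conventionally used for public-key pinning.
func spkiHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// chainPinned accepts leaf only if a verified chain passes through a CA whose
// SPKI hash is pinned. A root the trust store accepts but the operator never
// expected therefore fails, even though plain verification succeeds.
func chainPinned(leaf *x509.Certificate, host string, roots *x509.CertPool, pins map[string]bool) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return false
	}
	for _, chain := range chains {
		for _, c := range chain[1:] { // chain[0] is the leaf itself
			if pins[spkiHash(c)] {
				return true
			}
		}
	}
	return false
}

// Scenario records each verification outcome so the run can be checked.
type Scenario struct {
	TrustedBefore, InjectedBefore, TrustedAfter, InjectedAfter bool
	PinnedTrusted, PinnedInjected                              bool
}

func RunScenario(host string) Scenario {
	publicCA, publicKey := makeCA("Example Public CA (constructed)")
	injectedCA, injectedKey := makeCA("Injected Root (constructed)")
	legit := makeLeaf(host, publicCA, publicKey)
	forged := makeLeaf(host, injectedCA, injectedKey)

	// Trust store before: only the public CA is trusted.
	store := x509.NewCertPool()
	store.AddCert(publicCA)
	s := Scenario{
		TrustedBefore:  verifies(legit, host, store),
		InjectedBefore: verifies(forged, host, store),
	}
	// After a mandated root is added, both chains validate identically.
	store.AddCert(injectedCA)
	s.TrustedAfter = verifies(legit, host, store)
	s.InjectedAfter = verifies(forged, host, store)
	// Pinning the expected CA key still tells them apart.
	pins := map[string]bool{spkiHash(publicCA): true}
	s.PinnedTrusted = chainPinned(legit, host, store, pins)
	s.PinnedInjected = chainPinned(forged, host, store, pins)
	return s
}

func main() {
	fmt.Printf("%+v\n", RunScenario("example.com"))
}
```

Running the program prints a struct in which `InjectedBefore` is false, `InjectedAfter` is true and `PinnedInjected` is false. The point is that a browser's default check is exactly `verifies`: whoever controls the root store controls which chains are accepted, and only an out-of-band expectation such as a pinned key, Certificate Transparency logs, or a CA/Browser Forum style root program can detect a root that has been added without the site operator's knowledge.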
Murdoch points out that Article 45 "could be interpreted as a way of taking power away from big tech and handing it to governments,” but “this is the wrong mechanism for that,” as it is still detrimental to all EU citizens. Additionally, the clauses referring to the European Digital Identity Wallet in the proposed Articles 6a and 7a essentially empower governments and tech service providers to monitor how digital credentials are being used at an individual level.