CYBERSECURITY AND INDIVIDUALS
Imagine your important personal data – passwords, credit card details, names, addresses, message content and more – all in the hands of someone with bad intent. The potential harm, online and offline, is enormous.
Right now, you trust that your browser protects you from this happening. But new EU legislation could remove that protection entirely.
Online threats in the EU are on the rise
Whilst we all want to enjoy our time online and access essential services, it must be done in a secure environment.
Even more of our lives moved online during the pandemic, and this led to more cybercrime as criminals exploited the shift. Figures from late 2021 showed that serious cyberattacks in Europe had doubled over the course of a year. And the EU is considered a “prime target.”
The EU is working to support the digitisation of health and justice systems and is promoting e-commerce. However, these services cannot be rolled out without a secure internet infrastructure. We have already witnessed cyberattacks on governments, including in the United States, and on Ireland’s healthcare system. This goes to show that bad actors are always looking for ways in.
The risks are serious. Along with the impact on individuals accessing online data and completing transactions, this threat landscape also affects our broader society. Politically motivated actors can use online crime to unleash societal disruption, especially when they launch targeted attacks against journalists, activists, and politicians.
How QWACs create risk
The EU has an ambition to be a frontrunner on cybersecurity, but proposed legislation in the eIDAS regulation could weaken existing defences, undermining the hard work so far to build resilience against malicious online attackers. Article 45.2 forces browsers to accept qualified website authentication certificates, or QWACs, effectively removing a layer of protection. The article aims to give consumers the right to have trusted information on certain types of websites but will unintentionally lower the bar for protection and put internet users at risk.
Attackers use this technique (known as a “man-in-the-middle attack”) to read personal information on these fake sites without the knowledge of end-users. The browsers were able to promptly alert each other about the incident and block the mis-issued certificates within just 24 hours.
In this case, browsers were able to take timely action to keep individuals safe online. However, this is precisely the check that could be removed in future.
Help browsers protect you from harm
To ensure a well-functioning online environment, web browsing should take place in a fully trustworthy security infrastructure. We must create a safer digital space where the fundamental rights of all users of digital services are protected. And this means the highest security standards should be enshrined in regulation, making sure that the internet remains a force for good that creates a space for technology innovation and growth.
We’re asking legislators to amend Article 45.2 to allow for enhanced security standards. This small change will mean that browsers can continue to block digital certificates that don’t meet security standards. It’s a workable solution that will raise safety barriers and keep all users as safe as possible online.
Join the conversation and ask regulators to amend eIDAS Article 45.2 so that browsers can uphold existing online security standards.