How eIDAS legislation could put fundamental rights at risk

In recent years, cyber operations have become an increasingly large part of conflicts. State-backed bad actors have carried out attacks on citizens, government bodies, agencies, and national systems around the world, including within the European Union.

The risks that come with this, including to citizens’ fundamental rights, are only becoming greater as more of our lives take place online. And with the ambition to digitize critical systems, including healthcare and justice, online protection becomes even more essential.

Lawmakers and regulators recognize there is an alarming trend in state-backed cyberattacks that threaten free and secure internet use. In early 2022, for example, the European Parliament’s special committee on foreign interference adopted a new report asking for a more coordinated European strategy to counter dangerous cyberattacks.

Unfortunately, the EU’s eIDAS article 45.2 would be a major step backwards.

eIDAS will open users up to attacks

Authoritarian regimes have long sought ways to spy on users, collect data, predict their behaviour, and alter outcomes. One of their tactics is to alter the website authentication process so that they can conduct so-called “man in the middle” attacks and intercept web traffic.

One notorious case happened in 2011, when users from 298,140 unique internet protocol addresses trying to access Google websites were redirected to falsified sites. The fake sites were certified as belonging to Google, according to false website certificates issued by Dutch company DigiNotar. The vast majority (95 per cent) of those IP addresses targeted originated in Iran.

As Hans Hoogstraaten who led the Dutch government’s investigation into the DigiNotar attack put it: “What really shocked me was when I realized the impact it had for the people of Iran. In those days … people got killed for having a different opinion. The hackers (presumably the state) had access to over 300,000 Gmail accounts. The realization that the … security of a small company in Holland [may have] played a part in the killing or torture of people really shocked me.”

DigiNotar is an important reminder of why there are now a series of checks and balances for webpages, but others have still attempted similar attacks. In more recent years, the Kazakhstan government and the Mauritius government have both tried to force browsers to accept government-backed certificate authorities. In practice this would bypass existing checks and enable surveillance of their citizens’ web traffic just like in the DigiNotar example.

Moreover, in 2019 a certificate authority associated with the United Arab Emirates was blocked by Mozilla because the company has a history of working with the Emirati ruling family in surveillance operations targeting activists, political leaders and suspected terrorists.

Help browsers protect internet users

Browsers provide protection against these kinds of attacks through their Root Program, a trusted website authentication ecosystem that acts as a barrier to online surveillance. Major browsers, including Mozilla, also invest in continuous improvement to solutions to keep the internet safe and secure.

As currently proposed, the EU eIDAS regulation framework would bypass the existing checks that are in place by forcing browsers to accept qualified website certificates, or QWACs, a type of website security certificate with weaker security properties. A major concern is that this will set a global precedent and hinder the ability of browsers to push back against similar attacks to monitor web traffic.

As the examples above show, forcing browsers to automatically trust government-backed certificate authorities is a key tactic used by authoritarian regimes, and these actors would be emboldened by the legitimising effect of the EU’s actions. In short, if this law were copied by another state, it could lead to serious threats to cybersecurity and fundamental rights.

It is essential that the EU doesn’t create loopholes that could inadvertently assist bad actors. Journalists, human rights activists, politicians, and others who may be targeted for attack by private or state actors must be kept safe online.

Thorough and certified vetting mechanisms for websites would deter any potential attacks on users. That’s why we must amend article 45.2 in the proposed eIDAS regulation to allow for enhanced internet safety. This will mean that browsers can continue to block certificates that don’t meet security standards.

High security standards and smart regulation will ensure that the internet remains a force for good. Join the conversation and ask regulators to amend eIDAS article 45.2 so that browsers can uphold existing online security standards.