18.11.2023 – Joint statement of scientists and NGOs on the EU’s proposed eIDAS reform
Dear Members of the European Parliament, Dear Member States of the Council of the European Union,
We the undersigned are cybersecurity experts, researchers, and civil society organisations from across the globe.
We have read the near-final text of the eIDAS digital identity reform which has been agreed on a technical level in the trilogue between representatives from the European Parliament, Council and Commission. We appreciate your efforts to improve the digital security of European citizens; it is of utmost importance that the digital interactions of citizens with government institutions and industry can be secure while protecting citizens’ privacy. Indeed, having common technical standards and enabling secure cross-border electronic identity solutions is a solid step in this direction. However, we are extremely concerned that, as proposed in its current form, this legislation will not result in adequate technological safeguards for citizens and businesses, as intended. In fact, it will very likely result in less security for all.
Last year, many of us wrote to you to highlight some of the dangers in the European Commission’s proposed eIDAS regulation. After reading the near-final text, we are deeply concerned by the proposed text for Article 45. The current proposal radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens. Concretely, the regulation enables each EU member state (and recognised third party countries) to designate cryptographic keys for which trust is mandatory; this trust can only be withdrawn with the government’s permission (Article 45a(4)). This means any EU member state or third party country, acting alone, is capable of intercepting the web traffic of any EU citizen and there is no effective recourse. We ask that you urgently reconsider this text and make clear that Article 45 will not interfere with trust decisions around the cryptographic keys and certificates used to secure web traffic.
Article 45 also bans security checks on EU web certificates unless expressly permitted by regulation when establishing encrypted web traffic connections (Article 45(2a)). Instead of specifying a set of minimum security measures which must be enforced as a baseline, it effectively specifies an upper bound on the security measures which cannot be improved upon without the permission of ETSI. This runs counter to well-established global norms where new cybersecurity technologies are developed and deployed in response to fast-moving developments in technology. This effectively limits the security measures that can be taken to protect the European web. We ask that you reverse this clause, not limiting but encouraging the development of new security measures in response to fast-evolving threats.
The current text also mentions in multiple places the need for the European Digital Identity Wallet to protect privacy, including data minimization, and prevention of profiling. Yet, the legislation still allows relying parties like governments and service providers to unnecessarily link together and gain full knowledge about the uses of credentials in the new European Digital Identity System. Given the broad intended uses of this system, which span all areas of life from health, finance, commerce, online activity up to public transport, we believe that failing to require both unlinkability and unobservability will severely compromise the privacy of EU citizens. Article 6a(7)(a) should be aligned with the negotiation mandate from the European Parliament lead Industry Committee and thereby prevent technologically that such information can be obtained by governments and other parties without the explicit consent of users. Article 6a(7a)(b) should “mandate” instead of “enable” that interactions cannot be linked by relying parties or other actors, where identification of the user is not mandatory. Lastly, forum-shopping from ‘Big Tech’ and other bad actors can only be prevented by a harmonised implementation of the Regulation that allows national eIDAS agencies to be overruled should they fail to act.
Finally, we would like to highlight our frustration that decisions crucial for the security and privacy of citizens, businesses, and governments are being taken behind closed doors in trilogue negotiations without public consultation of experts about the potential consequences of the proposed regulations. We urge the European Parliament, Commission, and Council to reconsider their legislative processes and commit to greater transparency so that experts and the public can effectively contribute to the development of new regulations (T-540/15 - De Capitani v Parliament).
In summary, we strongly warn against the currently proposed trilogue agreement, as it fails to properly respect the right to privacy of citizens and secure online communication; without establishing proper safeguards as outlined above, it instead substantially increases the potential for harm.
Continue reading the full letter and see all signatories at:
About the FIfF
The Forum of Computer Scientists for Peace and Societal Responsibility (FIfF) e. V. is a Germany-wide association of experts who take a critical look at the effects of the use of computer science and information technology on society. Our members mainly work in computer science-related professions, from IT systems electronics technicians to professors of theoretical computer science. The FIfF works in many technical and non-technical areas of society to promote the socially responsible use of information technology systems for the benefit of society. Our tasks include public relations work as well as counselling and the development of technical studies. In addition, the FIfF publishes the quarterly "FIfF-Kommunikation - Zeitschrift für Informatik und Gesellschaft" and works with other peace and civil rights organisations. Here you can find our 10 values.
Rainer Rehak: rainer (dot) rehak (ät) fiff (dot) de