The privacy pitfalls of EU's eIDAS framework


The EU Commission has formally agreed on the use of a digital identity wallet, but the tech industry believes it may break internet security.

The EU, which gave us the Euro currency, the infamous GDPR, and the EU Charter of Fundamental Rights, believes in the power of individual digital rights and interoperability. For almost ten years, the EU has been pushing the concept of a cross-border digital identity framed under the eIDAS framework (electronic Identification, Authentication, and Trust Services).

As Ursula von der Leyen, President of the European Commission, states: “Every time an App or website asks us to create a new digital identity or to easily log on via a big platform, we have no idea what happens to our data in reality. That is why the Commission will propose a secure European e-identity. One that we trust and that any citizen can use anywhere in Europe to do anything from paying your taxes to renting a bicycle. A technology where we can control ourselves what data is used and how.”


This ‘technology’ in eIDAS V2 will be a digital wallet. However, word is that the EU approach is far from a privacy utopia and includes some digital certificate shenanigans that have caused industry-wide concerns. The security and control of this eIDAS wallet are under scrutiny, and the result seems not to be in the spirit of the EU.

eIDAS Article 45 is coming to surveil you

European Digital Identity Wallets are a strategic move for the EU. Harmonization has always been a core principle driving the bloc, reflected in regulations like the GDPR.

eIDAS V2 has, at its core, a digital identity that can work across borders and is accepted by major commercial organizations, including banks. Sounds great – after all, we all want an easier way to organize our paperwork and finances, and surely this will be convenience encapsulated in wallet form.

Well, security and privacy professionals are mounting an offensive, asking some hard questions about the EU. The problems derive from Article 45 of eIDAS V2. These concerns have been captured in two key letters:

  • The tech industry: on November 2nd, 2023, an “Industry Joint Statement on Article 45 in the EU’s eIDAS Regulation” published concerns over eIDAS Article 45 and security. Several industry stalwarts, including Mozilla, Cloudflare, the Internet Security Research Group, and Linux, signed this letter. In a bold statement, the letter warns: “Articles 45 and 45a of the proposed eIDAS provisions are likely to weaken the security of the internet as a whole.”
  • Scientists and researchers: an open letter calling for a rethink of eIDAS has been signed by 504 scientists and researchers as of November 8th, 2023. The letter offers a stark warning of the dangers of Article 45 in eIDAS 2 – the letter again warns, “The current proposal radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens.”

This is indeed the stuff of dystopian novels. Many talk of the state of big tech and its lack of respect for individual privacy, but this is a multi-state body that was previously dedicated to upholding the privacy rights of the individual and is now circumventing those rights for the sake of digital transformation.

What’s the deal with eIDAS Article 45?


Getting to the heart of the issue, what exactly is the big deal with Article 45? The focus of concern by both letters is on using a new form of state-controlled root certificate that all web browsers must recognize and that will be used to authenticate websites.

The issue stems from the scope of eIDAS, which was initially focused on digital identity and digital signatures but is now expanding to include communication with many services, including the "Very Large Online Platforms" like Amazon, Booking.com, and Facebook. The problem statement goes like this (bear with me):

One of the foundation stones of internet security is HTTPS, the secure extension of the hypertext transfer protocol (HTTP). HTTPS encrypts the traffic between the browser and the web server and authenticates the server by means of a digital certificate. Clicking on the padlock icon that you see in the address bar of a website shows the certificate details, i.e., the organization to which the certificate was issued. The certificate is issued and signed by a certification authority (CA), whose own certificate in turn chains up to a "root certificate" held in the browser's trust store – the trust element of HTTPS and the top of a 'chain of trust' establishing secure and authenticated communications across the internet. This is a fundamental mechanism for building secure internet communications, designed and developed by industry experts.

The problem with the EU's eIDAS framework, which underpins the EU Digital Identity Wallet, is that it places state-designated root certificates in browsers by regulation rather than through the browsers' established vetting of which roots they trust; hence the industry's and experts' warnings that it will break internet security.

If an EU state (or a designated third-party country) is allowed to insert its own root certificate, that certificate will be added to all browsers across the EU as a trusted root. A certificate issued under such a root would be accepted for any website, so the state could position itself between a citizen's browser and online services and decrypt all traffic passing between them. In other words, the state would be able to see everything you do online: it could intercept and collect personal data, including health records, political views, purchase history, and so on – a sort of state-enabled man-in-the-middle attack.
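To make the chain-of-trust mechanism and the Article 45 concern concrete, here is an added example in Go (not code from the article or from any eIDAS implementation). It builds a throwaway trust store with one established public CA, issues a genuine certificate for a hypothetical host, and then shows that a certificate for the same host issued under a second, separately created root is rejected until that root is added to the store, after which it validates just as the genuine one does. The host name, CA names and the "pin" table are all constructed for the example; the final pin check is an assumed defender's control, not something the article describes: it records which root actually anchored the chain and raises an alarm when that root is not the one the operator expects for the host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serial hands out distinct serial numbers for the constructed certificates.
var serial int64

// newCert issues a certificate for subject. A nil parent means self-signed (a root);
// otherwise the certificate is signed by parent with parentKey.
func newCert(subject string, isCA bool, dns []string,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// anchorOf does what a browser does: it builds a chain from leaf up to a root in the
// trust store for host. It returns the CommonName of the root that anchored the
// chain, or the verification error if no trusted chain exists.
func anchorOf(leaf *x509.Certificate, host string, store *x509.CertPool) (string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     store,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return "", err
	}
	chain := chains[0]
	return chain[len(chain)-1].Subject.CommonName, nil
}

// pinOK is the assumed defender's check: the chain for host must end at the root
// the operator pinned for it; any other anchor is suspicious even if it "validates".
func pinOK(host, anchor string, pins map[string]string) bool {
	return pins[host] == anchor
}

// Outcome records each step of the scenario so the result can be inspected.
type Outcome struct {
	LegitAnchor      string // root that anchors the site's genuine certificate
	ImposterRejected bool   // the substitute fails while the trust store is unchanged
	ImposterAnchor   string // root that anchors the substitute once the extra root is installed
	PinAlarm         bool   // the pin check flagged the unexpected anchor
}

// RunScenario plays out the article's argument with constructed certificates.
func RunScenario() Outcome {
	const host = "shop.example" // hypothetical site name, constructed for this example
	pins := map[string]string{host: "Established Public CA"}

	// The browser's trust store as shipped: one established public CA.
	pubRoot, pubKey := newCert("Established Public CA", true, nil, nil, nil)
	store := x509.NewCertPool()
	store.AddCert(pubRoot)

	// The site's genuine certificate, issued by that CA.
	siteCert, _ := newCert(host, false, []string{host}, pubRoot, pubKey)
	legitAnchor, err := anchorOf(siteCert, host, store)
	if err != nil {
		panic(err)
	}

	// A second root, outside the existing chain of trust, issues a certificate for the same host.
	natRoot, natKey := newCert("Mandated National Root", true, nil, nil, nil)
	subCert, _ := newCert(host, false, []string{host}, natRoot, natKey)
	_, errBefore := anchorOf(subCert, host, store)

	// Once that root is added to the trust store, the substitute validates as well.
	store.AddCert(natRoot)
	imposterAnchor, err := anchorOf(subCert, host, store)
	if err != nil {
		panic(err)
	}

	return Outcome{
		LegitAnchor:      legitAnchor,
		ImposterRejected: errBefore != nil,
		ImposterAnchor:   imposterAnchor,
		PinAlarm:         !pinOK(host, imposterAnchor, pins),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The point of the example is that path validation only answers "does this chain end at some root in the store?"; it says nothing about whether that root should be vouching for this particular site. That is why the industry letter objects to mandated roots: once a root is in the store, every certificate it issues is as good as any other. The `pinOK` check is one way an operator can notice the difference, by recording the anchoring root and comparing it with the one expected for the host.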

A virtual panopticon

One of the better things about the tech sector is that security and privacy professionals are usually on the case of anything untoward. The two Article 45 letters have made waves across the sector, so the EU will hopefully take heed. Digital wallets can be used wisely and provide greater control for individuals who use them, but they must be used with caution.

A legitimate concern is that the digital identity wallet that defines eIDAS V2 is more of a life locker. The Commission has stated that an EU Digital Identity Wallet will be used to access public and private online services, including "Very Large Online Platforms." As our digital lives merge into our real lives, this EU Digital Identity Wallet could become a virtual panopticon, an all-seeing state that watches your every online move.

If the security considerations have been poorly thought through, as suggested in the two letters, our lives will be an open book for governments to delve into. As we enter an era where wallets rule, we must be assured that these wallets are ours to control and not part of a surveillance network that can be dipped into at will.

Next steps


On November 8th, the Commission published its formal agreement on the EU Digital Identity Wallet. The next stage is subject to formal approval by the European Parliament and the Council.

If adopted, the European Digital Identity framework will enter into force on the 20th day following its publication in the Official Journal. After this date, EU Member States must provide EU Digital Identity Wallets to their citizens within 24 months of adoption.