A change the EU has agreed on will give Member States a universal key for opening all locks on browsers' address bars, which will jeopardize the privacy of web users, several cybersecurity experts find. The Ministry of Economic Affairs and Communications said that while Estonia has doubted the measure's practical effect, the threat to privacy has been blown out of proportion.
Ardi Jürgens, member of the board of Zone Media OÜ, writes in the company's blog that the EU Regulation on electronic identification and trust services (eIDAS), agreed between the Commission, Council and Parliament a few weeks ago, will allow every EU Member State to include national cryptographic keys in internet browsers, whereas service providers will not be allowed to withdraw trust for the keys without governments' consent.
According to Jürgens, browsers will not be able to run additional security checks for these keys, with the EU basically providing countries with a universal key, which will covertly invalidate all digital locks on address bars.
Last week, a corresponding open letter was published, which by November 8 had been signed by 504 scientists from 39 countries plus a number of nonprofit organizations.
"New legislative articles, introduced in recent closed-door meetings and not yet public, envision that all web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments," the Mozilla Foundation notes.
The undersigned conclude that these changes radically expand EU governments' ability to monitor citizens by allowing cryptographic keys under governments' control to be used to monitor encrypted web traffic in the entire EU.
The document also notes that no independent checks and balances have been prescribed for Member States' decisions on how and when to use these keys.
"This is particularly troubling given that adherence to the rule of law has not been uniform across all member states, with documented instances of coercion by secret police for political purposes."
The Estonian Internet Foundation (EIS) criticized the fact that specialists were not included, at least in recent deliberations, which suggests backroom agreements.
"EIS understands the dangers the open letter references and the threat to privacy should the eIDAS regulation allow every Member State to install cryptographic keys in browsers, trust for which cannot be withdrawn without the government's consent."
But the organization also admits that access to encrypted information may prove necessary to ensure security, which is why it expects the eIDAS regulation to also specify how to ensure users' privacy.
Mait Heidelberg, adviser at the digital development department of the Ministry of Economic Affairs and Communications, told ERR that Estonia has been skeptical of the practical necessity of such changes, but that the claimed threat to internet security and privacy is misleading and greatly exaggerated.
Heidelberg pointed out that the eIDAS2 proposal was unveiled in 2021 and from the outset required web browsers to recognize, alongside other web certificates, qualified certificates issued under EU rules.
"We are not talking about state certificates but rather those by trust-based services providers, such as SK ID Solutions in Estonia. These service providers must meet heightened EU security requirements, are subject to independent audits and bear responsibility for their actions," the ministry official said.
Heidelberg also said that using such certificates is not an obligation but an additional option alongside certificates issued on other grounds. He added that the option was included in the first version of the regulation, passed nine years ago, but that the mainly U.S.-based browser developers did not rush to add such certificates to those they trusted.
"The updated regulation aims to make it mandatory for them. Because the tech companies do not like the idea, different lobby groups often resort to claims that are misleading at best."
Editor: Karin Koppel, Marcus Turovski