We already reported a few months ago about how the EU's quest to fix the Internet is expected to become a nightmare for citizens' privacy and security. Now, experts told TechRadar that not even VPN services could rescue our online anonymity if the law is passed in its current form.
Known as eIDAS 2.0, the infamous proposed regulation is a revision of the previous EU digital identity law, a process that began in 2020 and is nearing completion. The law aims to do two things: change the way web browsers approach website security and authentication and at the same time launch an identification application (EU ID Wallet) for all Europeans.
Secure browser vendors, such as Mozilla, and cryptographers, computer scientists, and privacy advocates have warned about how these proposed provisions jeopardize the security and privacy of citizens across the block. For the purposes of this article, I will focus solely on issues related to browser authentication.
Article 45 to boost online surveillance
“Everyone in the broader security community is shocked. I don't think the European parliament knew what they were doing,” Harry Halpin, CEO and co-founder of Nym Technologies, told me. “This is all super dangerous stuff, it's surprising that such an idiotic rule was passed.”
Halpin is a computer scientist with a long history of fighting for better privacy after experiencing firsthand the impact of invasive government surveillance. For the past 15 years, he has been on a watch list because of his past involvement with grassroots climate activist groups. Last November, he launched NymVPN to offer better online anonymity than existing solutions. Now his efforts may become obsolete, at least across the EU.
But let's take a step back to understand what the problem really is. As mentioned above, the European Commission is trying to change the way web browsers manage website authentications in a way that Halpin described as “a crazy approach.” But what is this change like?
You've probably seen the little padlock located on the left side of a website's URL in a browser's search bar (see image above). That indicates that the website you are about to access is protected by an HTTPS connection, which means that the connection between the browser and the server providing the service is encrypted.
By clicking on the padlock, you can read the details of who issued the so-called root certificate approving the security of the connection. That is the entity that ensures that the website is exactly what it says it is.
What eIDAS wants to change, which raises many concerns within the industry, is how to address these certificates. As computer engineer and EPFL professor Carmela Troncoso explained, the law will give EU states the right to issue these trust tests that web browsers must accept as truthful. Browser vendors will also be prevented from removing these certificates (as is currently the case) even in cases where they detect malicious activity, unless the member state does not allow this.
“[The law] changes the balance of power by shifting these security controls to member states. We consider this to be extremely dangerous,” Troncoso told me. “The security of the entire Internet is at stake because it is not about the security of two pages, but the security of everything.”
Short for virtual private network, a VPN is security software that spoofs your IP address and encrypts Internet connections. Simply put, it encrypts all data in transit while rerouting your connection through one of its international servers. It is widely used to bypass geo-restrictions online and increase privacy when browsing the web.
This means that governments will be able to intercept all of our Internet traffic. “A surveillance regime worse than what China and Russia have,” Halpin said. “I don't think anyone in their right mind would accept this.”
Worse yet, perhaps, it also argues that even the most secure VPN app won't be able to prevent it.
This is because the government will act as an intermediary between our machine and the website, “in the middle of our connection,” as Halpin said.
“The VPN is at a lower level: it defends the network connection, but there is also the website or application that runs on top of the network,” he said. “Then it won't really matter if I'm using a VPN because the certain government can intercept traffic at the web browser level. They can legally intercept all traffic through your web browser even if it's encrypted and they don't. “I want you to or even Google know about it.
At the same time, however, Halpin believes that a VPN can still offer some advantages, in theory. For example, you could spoof the location of your IP address to pretend you are not in Europe and download a more private and secure browser. “It's relatively crazy, but it could happen,” he said.
Whats Next?
While the European Commission dismissed such security concerns, at the time of writing it only accepted a provisional text.
That's why the team at the Norwegian browser Opera feels more optimistic. Despite agreeing with the broader industry that the law in its current form will not improve web security, Christian Zubel, vice president of IT and security, told me: “I really believe that tomorrow we can wake up and see a version different”. [of the text]”.
However, experts expect the final agreement to be revealed at the end of March, as Parliament is pushing to close all open legislative processes before the next European elections scheduled for June.
What is certain is that Article 45 of the eIDAS review does not only pave the way for greater surveillance. The risk of increased online censorship is also high, as are potential cyber attacks. “From a cybersecurity point of view, Europe is a dangerous place to do anything over the Internet,” Halpin told me.
However, it's worth noting that lawmakers appear to have been hearing the clamor from within the industry, at least partially. In fact, they did not change the provision itself, but rather added an initial recital that should clarify ambiguities and leave browser vendors more freedom to ensure web security. Despite being a good start, it remains to be seen how much value it will eventually have from a legal point of view.
