Proposed European Electronic ID Law Raises Concerns

The harmonisation of standards for electronic identification across the EU should normally be soporific enough to send even the most Club-Mate-hyped hacker straight to sleep, but as Computer Weekly reports, discussion of this reform in the EU corridors of power has caused significant unrest among cyber security experts. Just how can providing Europeans with a harmonised digital ID be so controversial? As you might imagine, the devil lies in the detail.

At issue is the eIDAS Regulation, a system which, in the words of its website, “ensures that people and businesses can use their own national electronic identification schemes (eIDs) to access public services available online in other EU countries,” and “creates a European internal market for trust services by ensuring that they will work across borders and have the same legal status as their traditional paper-based equivalents.” The point of concern lies with its application to websites. The EU want to ensure that Europeans can digitally verify businesses as well as individuals they deal with, and since that includes websites, they want to insert a provision allowing countries to mandate their own trusted root certificates. At a stroke, this opens the potential for state actors to snoop on all encrypted online traffic, something which would compromise the security of all.

Sadly for Europeans, this isn’t the only questionable online regulation effort from that region.

Thanks [Joyce Ng] for the tip.

39 thoughts on “Proposed European Electronic ID Law Raises Concerns”

  1. How, technically, does controlling the trusted certs open “the potential for state actors to snoop on all encrypted online traffic”? And if it really does, a bunch of private companies already have this power.

    1. If you own the root certificate, you can issue a fake cert for any domain and hop in with a MITM attack. But I think this worry is a bit exaggerated, I’m pretty sure most state actors can already coerce any of the certificate authorities to make any certs they want…

      1. For example, if France wants to know the traffic going on between India and China, it better not use the Italian certificate for the impersonation, they would not be undercover.

      2. Owning a root certificate is not enough, the browser has to trust that root certificate and the user is in control of which root CAs are in there. Furthermore, for my domains I can set CAA records to specify which CAs can generate certificates for my domain and through CT logs I can verify that the generated certificates comply with this policy. Of course a rogue CA could ignore the CAA record and choose not to publish the CT logs, but the client could still verify if the certificate is in line with the CAA policy.

        1. In the end we can’t trust anybody (especially these days), but neither can ‘they’ and so the more orgs and entities and systems are involved the harder it is to slip one by you could argue. So the more they try to ‘streamline’ things the more we should object.

        2. This is less and less true.
          There is indeed supposed to be a user controlled trust store, however more and more software is using their own trust store and ignoring the user controlled one.
          Similarly, more and more applications are using their own hardcoded DNS servers, instead of the ones provided by the network.
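The check described in the comment above about CAA records and CT logs, as an added example that is not part of any comment or of the article: a domain owner compares certificates seen in CT logs against the CAA policy published for the domain, using the RFC 8659 rules (climbing to the closest parent record set, `issuewild` replacing `issue` for wildcard names, a bare `;` authorizing no CA). All domain names, CA identifiers and log entries are constructed sample data, and mapping a certificate's issuer to its CAA identifier is assumed to be done by the auditor beforehand.

```python
# Added example: audit CT-log sightings against CAA policy (RFC 8659 rules).
# All names and records below are constructed sample data.

# CAA record sets keyed by DNS name, as (tag, value) pairs.
CAA_ZONE = {
    "example.org": [("issue", "ca-one.example"), ("issuewild", ";")],
    "shop.example.org": [("issue", "ca-two.example; account=1234")],
}

# CT-log sightings: (name in certificate, CAA identifier of the issuing CA).
CT_ENTRIES = [
    ("www.example.org", "ca-one.example"),
    ("*.example.org", "ca-one.example"),
    ("shop.example.org", "ca-one.example"),
    ("pay.shop.example.org", "ca-two.example"),
    ("www.example.org", "state-root.example"),
]


def relevant_rrset(name, zone):
    """Climb from name toward the root; the closest non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def authorized(cert_name, issuer_id, zone):
    """True if issuer_id may issue for cert_name under the published policy."""
    wildcard = cert_name.startswith("*.")
    rrset = relevant_rrset(cert_name[2:] if wildcard else cert_name, zone)
    issue = [v for t, v in rrset if t.lower() == "issue"]
    issuewild = [v for t, v in rrset if t.lower() == "issuewild"]
    # For wildcard names, issuewild (when present) replaces issue entirely.
    values = issuewild if wildcard and issuewild else issue
    if not values:
        return True  # nothing restricts issuance for this name
    # Value is "<issuer domain>[; parameters]"; a bare ";" authorizes no CA.
    allowed = {v.split(";")[0].strip().lower() for v in values}
    return issuer_id.lower() in allowed


def audit(entries, zone):
    """Return the CT sightings that the CAA policy does not authorize."""
    return [(n, ca) for n, ca in entries if not authorized(n, ca, zone)]


if __name__ == "__main__":
    for name, ca in audit(CT_ENTRIES, CAA_ZONE):
        print(f"unauthorized issuer {ca} for {name}")
```

CAA is evaluated by the CA at issuance time, so a flagged entry is a lead to investigate against the policy that was published when the certificate was issued.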

  2. As a reaction to “this opens the potential for state actors to snoop on all encrypted online traffic”:
    Yes, it does, but governments do not hide that they monitor internet traffic:

    > Means of information gathering are both overt and covert and may include espionage, communication interception, cryptanalysis, cooperation with other institutions, and evaluation of public sources.

    Though, good to be reminded that laws can be voted in for one reason, but used for an entirely different purpose.

  3. This is really nothing new – several countries already have this through some state organization responsible for issuing certificates for official digital signatures. For example, here in the Czech Republic PostSignum (which is a Czech Post Office subsidiary) has its root CA in Windows (not in Mac, Linux or on mobile though). Other countries will have something similar already.

  4. 1) You can choose not to use EID. It is not mandatory to provide auth with EID.
    2) Current root certificates are issued by companies which have to adhere to law, so already governments can do what you’re complaining about.
    3) Banks have used THEIR OWN EIDs for the last 15+ years, already.

    1. So,
      1. The old fake it’s not mandatory.. until it is once it’s implemented.
      2. They are corrupt already and we are all doomed already, just submit.
      3. Some irrelevant remark about something completely different.

      Although on the last one, the banks wanted to get in on the action as being the ones that are the trustbearers, they actually believe we believe banks are trustworthy, so funny (in a painful way).

      1. 1. They need to do it this way, so you do not have to install an app, but you can only use BROWSERs AND/OR OS certificate store. For YOUR ease of use. So by you complaining you’re making it worse for everybody.
        2. Sarcasm requires mental supremacy. Please download some.
        3. If you think about how they did it, then you at least will maybe understand what was meant by that remark.

        You need to use state certificates to access state services like filing taxes, etc… It is not meant for Google to use for auth ( BUT THEY CAN ). AND if we are talking about Google, Facebook, Apple, you’re using OAUTH, so you complaining about using third party auth is “misguided”.

        And wanting from companies to use something else than digital services in the 21st century is D******D.

    2. In dystopian North Korea… by which I mean Denmark.. all access to your bank account, several private companies and all public services is required to go through the state ID.
      If the future government doesn’t like you.. they just turn off access to your bank account.
      They’re also trying hard to push it for age verification – so you can control everything on the internet.

  5. “A news is not a hack” is an interesting observation.
    I guess that you don’t like the weather report at the end of each news bulletin either. Because well… weather isn’t news (at its best it is a prediction of what may happen). I’m pretty sure that you don’t like the selling of TVs at the grocery or DIY store either, because TVs aren’t groceries or DIY related stuff. If you are willing to look close enough you’ll notice that there’s something wrong with everything. Personally I’m looking forward to similar news items like this because otherwise I might not even know about this. And 90% of the items on Hackaday are still about hacks.
    So Hackaday thanks for mentioning it here, it is appreciated.

    1. On the other hand, what did the UK ever contribute to Europe/EU?

      The UK/GB used to be an empire and it didn’t really stop to act accordingly.
      Not sure thus, if it’s any better when it comes to be authoritarian. 🤷‍♂️

      1. Oh for sure not better per se, but I guess since it’s in their own way it’s..uhm.. in a weird way better? At least they get to ask people for a license to see porn… and a license to join a social media platform and a license to.. well just a lot of licensing, that’s their thing.

      2. If UK lawmakers care about this issue (doubtful) then as part of the EU they could have worked to oppose it.

        But.. as part of planet Earth they will still be sharing the Internet with the EU and dealing with multinational companies that are forced to comply with EU regulations.

  6. One thing is certain: government always wants more power and more tax over time, until it becomes unbearable. Then something breaks, reset happens, and then the cycle starts again.

  7. If the EU tries to force “trusted” certificates onto devices, my expectation is most Linux operating systems will safely ignore them. Knowing that the server you are connecting to genuinely is the real site, not the one Brussels wants you to see instead and enter your password into, should stay reliable on Linux. Digital IDs are already a pretty bad move though, takes steps towards a checkpoint society and expecting people to provide ID to do all sorts of things they could do privately beforehand. Digital ID turns human rights into privileges which can be revoked in real-time whenever the state decides it doesn’t like you, or simply because government computer services have crashed on that day.

  8. “At a stroke, this opens the potential for state actors to snoop on all encrypted online traffic, something which would compromise the security of all.”

    Not even remotely, this is not how eIDs work. Electronic IDs have nothing to do with encrypting internet traffic, you sign documents with them. eIDs can also be used as a secure method to authenticate to various services by sending an authentication request to the signing platform, where the user signs the request and the platform returns the signed request to the requesting service. The requestor never sees any user interaction from the signing process.
    btw: for most Europeans, eIDAS will be the 3rd or 4th generation of eIDs. Here in Austria this started about 20 years ago with the “Bürgerkarte” (a cert stored on the social security card) and platform independent software, later the cert was stored on a smartphone (“Handysignatur”) and the signing procedure was moved to an accredited provider (A-cert), recently this has been refined to “ID Austria” (cert on smartphone or crypto dongle), which will be integrated in eIDAS in the near future. The certificates are issued the same way as an ID card or passport, you have to request them in person at certain government agencies.

    1. THE WHOLE POINT of this article is that they’ve tagged a root certificate provision onto the eID law. Yes, I know how eIDs work, and this isn’t about eIDs.

      Please read the article.
