The harmonisation of standards for electronic identification across the EU should normally be soporific enough to send even the most Club-Mate-hyped hacker straight to sleep, but as Computer Weekly reports, discussion of this reform in the EU corridors of power has caused significant unrest among cyber security experts. Just how can providing Europeans with a harmonised digital ID be so controversial? As you might imagine, the devil lies in the detail.
At issue is the eIDAS Regulation, a system which, in the words of its website: “ensures that people and businesses can use their own national electronic identification schemes (eIDs) to access public services available online in other EU countries,” and “creates a European internal market for trust services by ensuring that they will work across borders and have the same legal status as their traditional paper-based equivalents,” and the point of concern lies with its application to websites. The EU want to ensure that Europeans can digitally verify businesses as well as individuals they deal with, and since that includes websites, they want to insert a provision allowing countries to mandate their own trusted root certificates. At a stroke, this opens the potential for state actors to snoop on all encrypted online traffic, something which would compromise the security of all.
Sadly for Europeans, this isn’t the only questionable online regulation effort from that region.
Thanks [Joyce Ng] for the tip.
The world’s tech companies must harbour a hearty dislike for the European Union because when the many cogs of its bureaucracies turn, they find themselves with little choice but to follow or risk losing access to a huge and affluent market. There are a few areas of technology that don’t have some concessions to EU rules in their manufacturing process, and if a common charging connector or right to repair weren’t enough, they’re back for another clash with the mobile phone industry. If you hanker for the days of replaceable mobile phone batteries, you’re in luck because an EU Parliament vote has approved a set of rules covering batteries among which will be a requirement for replaceable cells in portable appliances.
We expect that the phone manufacturers will drag their feet just as some of them have over charger ports, but the greater ease of maintenance, as well as extra longevity for phones, can only be a good thing. There are a few other measures in the package, and one of them caught our eye, the introduction of a battery passport for larger industrial and EV batteries. There’s little more information in the press release, but we hope that it doesn’t inhibit their exploitation by people in our community when introduced.
We look forward to seeing more replaceable battery models appear in due course, meanwhile, you can read some of our coverage of the EU’s right-to-repair measures.
Header: Andy Melton, USA, CC BY-SA 2.0.
Society and governments are struggling to adapt to a world full of cybersecurity threats. Case in point: the EU CRA — Cyber Resilience Act — is a proposal by the European Commission to enact legislation with a noble goal: protect consumers from cybercrime by having security baked in during design. Even if you don’t live in the EU, today’s global market ensures that if the European Parliament adopts this legislation, it will affect the products you buy and, possibly, the products you create. In a recent podcast, our own [Jonathan Bennett] and [Doc Searles] interview [Mike Milinkovich] from the Eclipse Foundation about the proposal and what they fear would be almost a death blow to open source software development. You can watch the podcast below.
If you want some background, you can read the EU’s now closed request for comments and the blog post outlining the problems from opensource.org. At the heart of the issue is the need for organizations to self-certify their compliance with the act. Since open source is often maintained by a small loose-knit group of contributors, it is difficult to see how this will work.
Continue reading “The Cyber Resilience Act Threatens Open Source”
Back in the day, just about everything that used a battery had a hatch or a hutch that you could open to pull it out and replace it if need be. Whether it was a radio, a cordless phone, or a cellphone, it was a cinch to swap out a battery.
These days, many devices hide their batteries, deep beneath tamper-proof stickers and warnings that state there are “no user serviceable components inside.” The EU wants to change all that, though, and has voted to mandate that everything from cellphones to e-bikes must have easily replaceable batteries, with the legislation coming into effect as soon as 2024.
Continue reading “Replaceable Batteries Are Coming Back To Phones If The EU Gets Its Way”
It seems that few features of a consumer electronic product will generate as much rancour as a mobile phone charger socket. For those of us with Android phones, the world has slowly been moving over the last few years from micro-USB to USB-C, while iPhone users regard their Lightning connector as the ultimate in connectivity. Get a set of different phone owners together and this can become a full-on feud, as micro-USB owners complain that nobody has a handy charging cable any more, USB-C owners become smug bores, and Apple owners do what they’ve always done and pretend that Steve Jobs invented USB. Throwing a flaming torch into this incendiary mix is the European Union, which is proposing to mandate the use of USB-C on all phones sold in its 27 member nations with the aim of reducing considerably the quantity of e-waste generated.
Minor annoyances over having to carry an extra micro-USB cable for an oddball device aside, we can’t find any reason not to applaud this move, because USB-C is a connector born of several decades of USB evolution and brings with it not only the reversible plug but also the enhanced power delivery standards that enable fast charging no matter whose USB-PD charger you are using. Mandating USB-C will put an end to needlessly overpriced proprietary cables, and bring eventual unity to a fractured world. Continue reading “Showdown Time For Non-Standard Chargers In Europe”
It’s not often that events in our sphere of technology hackers have ramifications for an entire country or even a continent, but there’s a piece of news from the Netherlands (Dutch language, machine translation) that has the potential to do just that.
Enschede is an unremarkable but pleasant city in the east of the country, probably best known to international Hackaday readers as the home of the UTwente webSDR and for British readers as being the first major motorway junction we pass in the Netherlands when returning home from events in Germany. Not the type of place you’d expect to rock a continent, but the news concerns the city’s municipality. They’ve been caught tracking their citizens using WiFi, and since this contravenes Dutch privacy law they’ve been fined €600,000 (about $723,000) by the Netherlands data protection authorities.
The full story of how this came to pass comes from Dave Borghuis (Dutch language, machine translation) of the TkkrLab hackerspace, who first brought the issue to the attention of the municipality in 2017. On his website he has a complete timeline (Dutch, machine translation), and in the article he delves into some of the mechanics of WiFi tracking. He’s at pains to make the point that the objective was always only to cause the WiFi tracking to end, and that the fine comes only as a result of the municipality’s continued intransigence even after being alerted multiple times to their being on the wrong side of privacy law. The city’s response (Dutch, machine translation) is a masterpiece of the PR writer’s art which boils down to their stating that they were only using it to count the density of people across the city.
The events in Enschede are already having a knock-on effect in the rest of the Netherlands as other municipalities race to ensure compliance and turn off any offending trackers, but perhaps more importantly they have the potential to reverberate throughout the entire European Union as well.
We pity the civil servants involved in the negotiations between the European Union and the United Kingdom, because after tense meetings until almost the Eleventh Hour, they’ve had to cobble together the text of a post-Brexit trade agreement in next-to-no time. In the usual manner of such international agreements both sides are claiming some kind of victory over fish, but the really interesting parts of the document lie in the small print. In particular it was left to eagle-eyed security researchers to spot that Netscape Communicator 4, SHA-1, and RSA encryption with a 1024-bit key length are recommended to secure the transfer of DNA data between states. The paragraphs in question can be found on page 932 of the 1256-page agreement.
It’s likely that some readers under 30 years old will never have used a Netscape product even though they will be familiar with Firefox, the descendant Mozilla software. Netscape were a pioneer of early web browsers, and Communicator 4 was the company’s all-in-one browser and email offering from the late 1990s. It and its successors steadily lost ground against Microsoft’s Internet Explorer, and ultimately faded away along with the company under AOL ownership in the late 2000s. Meanwhile the SHA-1 hashing algorithm has been demonstrated to be vulnerable to collision attacks, and computing power has advanced such that 1024-bit RSA encryption can be broken in a sensible time frame by anyone with sufficient GPU power to give it a try. It’s clear that something is amiss in the drafting of this treaty, and we’d go so far as to venture the opinion that a tired civil servant simply cut-and-pasted from a late-1990s security document.
So will the lawmakers of Europe now have to dig for ancient software as mandated by treaty? We hope not, as from our reading they are given as examples rather than as directives. We worry however that their agencies might turn out to be as clueless on digital security as evidently the civil servants are, so maybe Verizon Communications, current owners of the Netscape brand, could be in for a few support calls.