Article 45: So Who Could Spy on You? Well, Your Government

The eIDAS signature method is a great thing and provides some legal certainty for a digital signature. It is thus moving the EU towards a digital signing infrastructure. Overall, the EU must be congratulated for its advancement, as most countries of the world have struggled to implement a digital identity system which supports digital signing by citizens, especially in cross-border applications. This is part of the advancement towards the European Digital Identity Wallet.

But there’s a problem, which is identified in this joint statement [here]:

Overall, it relates to Article 45, where it is suspected that there are not enough technical controls to protect citizens from being spied upon:

The current proposal radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens.

In the Act, an EU member state has the right to designate the trust of cryptographic keys itself, and can then revoke them. This means that EU member states will have complete control of the trust infrastructure and be able to police it. It will also allow a member state to intercept Web traffic for any EU citizen. The joint statement asks the EU Commission not to interfere with trust decisions on cryptographic keys.

In the Article, there is an express note that EU web certificates will not be checked for their security, which goes against the best practice established by ETSI. The worry here is that the EU would be open to abuse from false certificates, and that these certificates could not be checked.

The Article, too, allows the linkage of a citizen to their user credentials and the new European Digital Identity System. If you are interested in our work on a privacy-aware digital wallet for the EU, there is more information here:

Conclusions

So, well done to the EU in advancing digital identity and digital wallets, but it should be careful in how these are implemented, or we could reset the Internet back to its early days.