When Lawyers and Politicians Ignore Cybersecurity Experts … Bad Things Could Happen, eg Mass Surveillance

When it comes down to it, lawyers and politicians often don’t quite understand technology. For example, for them to properly understand how the digital trust of the Internet works, it would possibly involve an extensive training course on public key encryption, the implementation of the PKI (Public Key Infrastructure) and the usage of digital certificates.

Unfortunately, many cybersecurity professionals struggle to explain the basic operation of PKI, so there is little chance of law-makers having any real understanding of how the trust of the Internet is actually implemented. With this lack of knowledge, decision-makers can end up making the wrong choices in the laws they lay down, and thus undo five decades of advancement.

eIDAS 2.0

While many countries of the world have struggled to scale digital identity into a tokenized world, the EU has blazed a trail in supporting e-ID and the usage of eIDAS 2.0 for digital signatures. This will hopefully break down the barriers to a frictionless digital trading infrastructure and put digital identity and digital signing at the core of a world which supports the freedom of movement of trade and people across the EU.

With eIDAS 2.0, we have a standard which defines the format of electronic transactions in the EU, including the creation of their digital signatures and their timestamps. But, while all is good for transactions, the EU now wants to apply it to the issuance of digital certificates for Web sites [here]:

Current issues include [1]:

  • Enables each EU member state to designate cryptographic keys (root certificates) for which browser trust is mandatory, and which can only be withdrawn with the permission of that government (Article 45a(4)). This allows Web traffic to be intercepted for any EU citizen, with no effective recourse.
  • A ban on security checks on EU web certificates unless expressly permitted by the regulation when establishing encrypted web traffic connections (Article 45(2a)).

The core weakness in the new draft bill is that new certificate authorities (CAs) designated within the EU will be added to browser trust stores by law rather than by audit. Normally, a CA must operate and pass audits for many years before its root certificate is accepted as a trusted root signer. This happened with Let’s Encrypt: its own root was not initially trusted, so it relied on a cross-signature from an existing trusted root and effectively acted as an intermediate signer under that root until its own root was accepted. At present, there are around 80 root CAs, which have shown themselves to be highly secure and trustworthy.

We will thus see around 40 new certificate providers across the EU which have not gone through the level of scrutiny that our existing root CAs have, but which can issue certificates for any website in the world. The great worry is that one of these 40 new providers could be working with law enforcement agencies in its own country and issue a certificate for a site to an interceptor. Note that the site’s own private key never leaves the site: the interceptor generates a key pair of its own, and the forged certificate makes the browser accept the interceptor’s public key as if it belonged to the site.

Mozilla, the maker of Firefox, is quoted as:

This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to.

Article 45

The eIDAS signature method is a great thing and provides some legal certainty for a digital signature, moving the EU towards a digital signing infrastructure. Overall, the EU must be congratulated for this advancement, as most countries of the world have struggled to implement a digital identity system which supports digital signing by citizens, especially in cross-border applications. This is part of the advancement towards the European Digital Identity Wallet.

But there is a problem, which is identified in this joint statement [here]:

The letter has been signed by 551 scientists and researchers from 42 countries, and includes my signature:

Overall, it relates to Article 45, where it is argued that there are not enough technical controls to protect citizens from being spied upon:

The current proposal radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens.

Under the Act, an EU member state can designate cryptographic keys (root certificates) that browsers must trust, and only that state can revoke that trust. This means that EU member states, rather than browser vendors, will have complete control of the trust infrastructure and be able to police it. It would also allow a member state to intercept Web traffic for any EU citizen. The joint statement asks the EU Commission not to interfere with browser vendors’ trust decisions on cryptographic keys.
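The trust-store behaviour described in this paragraph and in the earlier discussion of the new EU CAs (a root added to the store by law rather than by audit, trust that the user or browser is not allowed to withdraw, and a forged certificate whose private key is held by the interceptor rather than the site) can be modelled in a few lines. The following is an added example written for this article, not code from the article, the EU, or any browser vendor. It uses the Python cryptography package to mint certificates in memory; the CA names, the hostname shop.example, and the simplified chain_is_trusted validator are all assumptions for illustration.

```python
# Added example (not from the original article): a minimal model of a
# browser trust store, showing what a government-mandated root CA changes.
# Uses the 'cryptography' package. All names below are made up.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

NOT_BEFORE = datetime.datetime(2024, 1, 1)


def make_root(name):
    """Self-signed root CA: the object a browser root store actually trusts."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_BEFORE + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, hostname, leaf_key):
    """The CA issues a server certificate binding hostname to leaf_key's public half."""
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_BEFORE + datetime.timedelta(days=90))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def chain_is_trusted(leaf, hostname, trust_store):
    """Deliberately simplified path validation: the leaf must name hostname
    and be signed by a root present in trust_store. Real browsers also check
    validity dates, key usage, revocation and Certificate Transparency; none
    of that helps when the signing root is itself in the store."""
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if hostname not in san.get_values_for_type(x509.DNSName):
        return False
    for root in trust_store:
        if root.subject != leaf.issuer:
            continue
        try:
            root.public_key().verify(
                leaf.signature, leaf.tbs_certificate_bytes,
                ec.ECDSA(leaf.signature_hash_algorithm),
            )
            return True
        except InvalidSignature:
            continue
    return False


def scenario():
    """Returns what the browser accepts before and after a root is mandated."""
    legit_key, legit_root = make_root("Legit Root CA")         # audited, in store today
    state_key, mandated_root = make_root("Mandated Root CA")   # added by law, not by audit
    site_key = ec.generate_private_key(ec.SECP256R1())         # stays on the site's server
    interceptor_key = ec.generate_private_key(ec.SECP256R1())  # generated by the interceptor

    real_cert = issue_leaf(legit_key, legit_root, "shop.example", site_key)
    forged_cert = issue_leaf(state_key, mandated_root, "shop.example", interceptor_key)

    store_today = [legit_root]
    store_mandated = [legit_root, mandated_root]
    # A user or vendor pulling the mandated root back out is exactly what
    # Article 45a(4) would forbid without the government's permission.
    store_after_removal = [c for c in store_mandated if c is not mandated_root]

    return {
        "real_trusted_today": chain_is_trusted(real_cert, "shop.example", store_today),
        "forged_trusted_today": chain_is_trusted(forged_cert, "shop.example", store_today),
        "forged_trusted_mandated": chain_is_trusted(forged_cert, "shop.example", store_mandated),
        "forged_trusted_after_removal": chain_is_trusted(forged_cert, "shop.example", store_after_removal),
        # The forged cert carries the interceptor's key, not the site's: the
        # site's private key was never needed and never leaves the site.
        "forged_uses_site_key": forged_cert.public_key().public_numbers()
        == real_cert.public_key().public_numbers(),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The forged certificate is rejected while the store holds only the audited root, accepted as soon as the mandated root is present, and rejected again the moment the mandated root is removed; the only thing standing between a citizen and interception is therefore the ability to decide what is in that store, which is the decision Article 45 takes away from browsers and users.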

The Article also states that EU web certificates cannot be subjected to security checks beyond those the regulation expressly permits, overriding the best-practice checks that browser root programs currently apply. The worry here is that the EU would be open to abuse from false certificates which browsers would not be allowed to check.

The Article also allows a citizen to be linked to their user credentials and the new European Digital Identity System. If you are interested in our work on a privacy-aware digital wallet for the EU, there is more information here:

Conclusions

So, well done to the EU in advancing digital identity and digital wallets, but they should be careful in how it is implemented, or we could reset the Internet back to its early days.

References

[1] https://www.eff.org/deeplinks/2023/11/article-45-will-roll-back-web-security-12-years