The European Union legislative bodies are on the brink of enacting a new set of digital identity rules, known as eIDAS 2.0, amid concern from civil society groups.
The legislation's stated aim is to modernize existing digital identity and trust service rules, encompassing electronic signatures, time stamps, and website authentication certificates.
A contentious requirement of eIDAS 2.0 is that web browser makers trust government-approved Certificate Authorities (CAs) and refrain from enforcing additional security controls not specified by the European Telecommunications Standards Institute (ETSI). Critics argue this could lead to a less secure internet and increased potential for state surveillance.
Under the new regulations, should browser makers detect any misuse, such as traffic interception, by these government-endorsed CAs, they would be prohibited from taking countermeasures such as distrusting the certificates or removing the CA from their list of trusted entities.
This stands in stark contrast to current practice, where browsers play a crucial role in maintaining web security by vetting CAs and intervening when certificates are misused.
Mozilla adamantly opposes these changes, stating, "This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen."
They, along with over 400 cybersecurity experts and non-governmental organizations, have signed an open letter pressing EU lawmakers for a clarification that would prevent Article 45 from disallowing browser trust decisions.
The final decision on eIDAS 2.0 is expected to be made behind closed doors in Brussels, with the potential for far-reaching implications on privacy and security online.
In light of these developments, here are recommendations to help ensure your data remains private and secure while you're connected to the internet: