An unexpected threat to privacy and freedom on the Internet

eIDAS (electronic IDentification, Authentication and trust Services) is a European Union regulation on electronic identification and trust services. Unfortunately, politicians and bureaucrats have apparently privately agreed that the regulation in question allows each member state of the European Union to place “national” cryptographic keys in browsers and browser manufacturers are prohibited from revoking trust in these keys without the government’s permission.

In Estonia, the eIDAS name and logo can be found in the pitch-decks of several start-up companies and in the presentations of opinion leaders, which discuss the success stories of e-Estonia, as it supports the development of our modern digital authentication services.

eIDAS has unexpectedly become a curse word and a threat to internet users, which seems to be walking the paths made by totalitarian dictatorships. (Parallels between eIDAS and actions from the Russian government?)

What happened?

A few weeks ago, the officials of the European Commission, the Council of the European Union and the European Parliament patted each other on the back because they had just agreed on the wording of the eIDAS version 2.0.

Only a few days passed when its text was leaked, forcing privacy and cyber security researchers and professionals to first grab onto their heads and then their pens to draft a joint open letter: Last Chance to fix eIDAS: Secret EU law threatens Internet security.

Namely, politicians and bureaucrats have apparently agreed behind closed doors that every country in the European Union will have the right to put “national certification centre” cryptographic keys in web browsers in the future and browser manufacturers are prohibited from revoking trust in these keys without the government’s permission.

In addition, web browsers are deprived of the right to apply additional security checks to these keys, unless they are pre-approved by ETSI, the European Telecommunication Standards Institute.

Essentially, the European Union is giving each country a universal key that secretly renders all digital locks in the address bar of web browsers useless.

These keys enable institutions under the control of European countries to technically eavesdrop on otherwise encrypted Internet traffic, including e-mail, which is also read by a large number of people today via a browser.

The temptation to use this opportunity will probably be very high, especially in countries sliding towards authoritarianism, the likes of which are found more and more in the Union recently.

However, let’s imagine for a moment that privacy is not a fundamental right to be protected and no autocrats are in power or will come to power in any country of the European Union, who would like to rule their country with an iron fist and secretly keep an eye on their opponents.

There is still a huge security risk in the air, which will materialise at the moment when such a universal key is controlled and used by a country that can compromise access to secrets protecting the security of the European Union or NATO.

Seems like the comic book quote “You either die a hero or live long enough to see yourself become a villain…” applies to law as well.