On Thursday, the EU Council and Parliament reached a provisional agreement on a new framework for a European digital identity (eID) known as eIDAS2.0. A key part of the new legislation is to provide digital wallets linked to national digital identities. However, more than 500 cybersecurity and privacy specialists signed a letter objecting to the draft law shortly before signature. With privacy one of the key concerns around a digital euro, passing controversial legislation that critics claim enables Big Brother surveillance won’t help.
The letter asserts the legislation would enable a single government to snoop on all EU citizens’ web browsing. It also says the wallet lacks an important privacy safeguard: preventing the linking of separate pieces of data about an individual needs to be compulsory, and the draft does not make it so.
Amongst the signatories to the letter are the Electronic Frontier Foundation (EFF) and hundreds of academics from around the world. More than a dozen industry members wrote a separate, less emotive letter objecting to the change that potentially enables web browsing surveillance. The industry letter avoids mentioning snooping but raises concerns about the impact on the security of the internet and the likelihood of fragmenting the internet – some websites may not be available to EU citizens. Signatories include Akamai, Cisco, Cloudflare, the Linux Foundation and Mozilla.
Note: we would usually review draft legislation ourselves before publishing an article. However, the latest draft is unavailable. We hope to add it soon. Hence, we are relying on third-party statements made in the letter. Both points covered here are late additions because they are not in the March eIDAS draft.
Opening the door to Big Brother surveillance
It’s not uncommon for parents to check which websites their teens visit. According to Pew Research, 61% of parents do so. Now imagine an unauthorized third party doing that. And not just seeing which websites the teens visited but exactly what they looked at and how they interacted.
Many employees are unaware that corporate computers can often do just that – monitor all browser activity. Whether they do or not is another matter.
The EFF and letter authors believe the legislation potentially gives that same ability to any EU government. And not just to snoop on their own citizens but on any person using a browser. Hence, if the EU passes the legislation as currently drafted, that will result in EU citizens having to download special web browsers. Apple, Google and Mozilla aren’t going to allow the EU to potentially snoop on global traffic.
How Big Brother web snooping works
When you visit a website, the padlock in the browser’s address bar indicates that the connection is encrypted and that the site’s identity has been verified using a security certificate. What if someone were capable of switching the certificates of all the websites you view? Then they could see everything you see, including all your bank details, the data on the health website you visited, your chats, or anything else.
A website’s security certificate is issued by a certificate authority – usually a company. Google Chrome trusts sixty or so certificate authorities. A certificate is one link in a chain of several parts, and at the top of that chain sits the root certificate of the certificate authority. Because browsers trust that root, its holder can issue a certificate for any website, not only the websites for which it legitimately issued certificates, and that is what would let it switch certificates and snoop on anyone’s web traffic. Hence browser developers want to be able to remove root certificates and their issuers if they misbehave.
The EU wants EU governments to have the right to specify root certificate providers. Additionally, it doesn’t want browser developers to be able to remove those providers if they misbehave. Instead there’s a formal process: to remove a provider, a web browser has to have the approval of the government that listed the provider in the first place.
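To make the root-certificate point concrete, the following is an added example written for this article, not code from the EFF letter, the industry letter or any browser vendor. It builds two throwaway root CAs in memory (a site operator's own CA and a second, "mandated" root), has the second root issue a certificate for a host it has nothing to do with, and runs standard chain validation with both roots trusted. Plain validation accepts the swapped certificate, because X.509 trust is per root, not per website. The defensive counterpart is to also compare the root the chain ends in against the root the site is known to use (the SPKI hash that public-key pinning and Certificate Transparency monitors work from), and to confirm the certificate fails once the extra root is removed from the trust store, which is exactly the remedy browser developers want to keep. The host name bank.example and both CA names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caPair is a root CA constructed for this example: its certificate and signing key.
type caPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRootCA generates a self-signed root. Both roots used below are throwaway
// test material, not real authorities.
func newRootCA(name string) (*caPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &caPair{cert: cert, key: key}, nil
}

// issueLeaf has a root sign a server certificate for host. X.509 itself never asks
// whether the root has any relationship with that host: any trusted root can do this.
func issueLeaf(ca *caPair, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiHash is the SHA-256 of a certificate's SubjectPublicKeyInfo, the value
// that public-key pins and Certificate Transparency monitors compare against.
func spkiHash(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// validate performs browser-style chain validation of leaf for host against the
// trusted roots and, on success, also returns the SPKI hash of the root the chain
// ended in. Plain validation stops at ok; a pinning check also compares rootHash.
func validate(leaf *x509.Certificate, roots []*x509.Certificate, host string) (rootHash [32]byte, ok bool) {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	if err != nil {
		return rootHash, false
	}
	chain := chains[0]
	return spkiHash(chain[len(chain)-1]), true
}

func main() {
	legit, _ := newRootCA("Site Operator CA (constructed)")
	mandated, _ := newRootCA("Mandated Root (constructed)")
	swapped, _ := issueLeaf(mandated, "bank.example")
	roots := []*x509.Certificate{legit.cert, mandated.cert}
	rootHash, ok := validate(swapped, roots, "bank.example")
	fmt.Printf("swapped cert accepted by plain validation: %v\n", ok)
	fmt.Printf("swapped cert chains to the pinned root: %v\n", ok && rootHash == spkiHash(legit.cert))
}
```

The second check is the one a browser cannot perform on its own for arbitrary sites; in practice it is done by site operators and Certificate Transparency monitors watching for certificates their own CA never issued, which is why the ability to drop a misbehaving root from the trust store matters.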
Undoubtedly the EU has a valid reason for wanting to add its own certificate authorities. The question is whether it understood the ramifications. Either way, that’s concerning.
Wallets and linking data
Meanwhile, EU digital wallets will initially store digital identity. When the digital euro is inevitably issued it will be stored in wallets. An eIDAS wallet could also store your health, financial and other data. Most of it is likely to be very personal.
One of the key issues with digital identity is preventing the cross-linking of information. If every piece of data you share carries the same identifier – not necessarily your name – then the different parties you share data with can pool it and aggregate a profile of you.
Earlier this year, the EU’s data protection watchdog raised concerns about cross-linking data. “This identifier inherently creates risks for individuals, such as full and possibly unnecessary ability to link personal data across sectors and actors, wide consequences in case of identity theft, surveillance, and of course abuse by marketing practices,” said Wojciech Wiewiórowski, European Data Protection Supervisor, in a February speech.
An earlier draft of Clause 6 stated that “European Digital Identity Wallets shall ensure security-by-design.” However, the EFF letter highlights that a recent draft proposes a block on linking, but fails to mandate it.
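The linking problem is easier to see with data in hand. The following is an added example, not part of the article or of the eIDAS text, and it does not describe the mechanism the EU draft proposes or omits. It contrasts two ways a wallet could identify its holder to relying parties: a single global identifier (the design the EDPS quote above warns about) and pairwise pseudonyms, one standard unlinkability technique in which the wallet derives a different identifier for each relying party with an HMAC over that party's name. A clinic and a bank then each receive records; the example counts how many of those records the two could join if they compared notes. The relying-party names, wallet secrets and field values are all constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// record is one piece of data a wallet holder discloses to a relying party,
// tagged with whatever identifier that party receives.
type record struct {
	id    string
	field string
	value string
}

// globalID returns the same identifier for every relying party: the design the
// EDPS warns about, since every recipient sees the same join key.
func globalID(walletSecret []byte) string {
	sum := sha256.Sum256(walletSecret)
	return hex.EncodeToString(sum[:8])
}

// pairwiseID derives a pseudonym bound to one relying party with an HMAC over the
// party's identifier. The same party sees a stable value on every visit, different
// parties see unrelated values, and without walletSecret neither can compute the
// other's. (Constructed illustration of sector-specific pseudonyms, not the eIDAS design.)
func pairwiseID(walletSecret []byte, relyingParty string) string {
	mac := hmac.New(sha256.New, walletSecret)
	mac.Write([]byte(relyingParty))
	return hex.EncodeToString(mac.Sum(nil)[:8])
}

// joinable counts records in b whose identifier also appears in a, i.e. how many
// individuals two relying parties could aggregate by comparing their databases.
func joinable(a, b []record) int {
	seen := make(map[string]bool, len(a))
	for _, r := range a {
		seen[r.id] = true
	}
	n := 0
	for _, r := range b {
		if seen[r.id] {
			n++
		}
	}
	return n
}

// linkCounts simulates every holder disclosing one field to a clinic and one to a
// bank under each scheme, and returns how many records are joinable in each case.
func linkCounts(secrets [][]byte) (global, pairwise int) {
	var gClinic, gBank, pClinic, pBank []record
	for _, s := range secrets {
		gClinic = append(gClinic, record{globalID(s), "diagnosis", "redacted"})
		gBank = append(gBank, record{globalID(s), "balance", "redacted"})
		pClinic = append(pClinic, record{pairwiseID(s, "clinic.example"), "diagnosis", "redacted"})
		pBank = append(pBank, record{pairwiseID(s, "bank.example"), "balance", "redacted"})
	}
	return joinable(gClinic, gBank), joinable(pClinic, pBank)
}

func main() {
	// Constructed wallet secrets standing in for three different holders.
	secrets := [][]byte{[]byte("holder-1-secret"), []byte("holder-2-secret"), []byte("holder-3-secret")}
	g, p := linkCounts(secrets)
	fmt.Printf("records joinable across clinic and bank: global identifier=%d, pairwise pseudonyms=%d\n", g, p)
}
```

Pairwise pseudonyms do not stop a relying party recognising a returning holder; they stop two parties from recognising the same holder as each other's customer. That is the property the EFF letter says the draft proposes but does not mandate.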
Despite the EU Council and Parliament agreement, the legislation is not yet final so there’s still an opportunity to address the issues.
Ledger Insights aims to provide impartial coverage where possible. However, when it comes to privacy we believe this is a fundamental right.
There are plenty of conspiracy theories circulating about digital currencies and the like. In most (not all) cases, we believe that central banks have no intention to snoop on citizens. However, if the infrastructure is not appropriately designed it can provide the foundations for future malevolent leaders to surveil and restrict citizens at will.
Why does this legislation undermine the digital euro’s planned privacy? Because the EU certificate requirement would make it possible to snoop on every transaction via the web.
Intentional or not, if this legislation is passed as drafted per the EFF letter, it could provide the EU with Chinese-level surveillance abilities.