I have been involved in such processes (Trilogue), so here's my take:
* We are talking about trilogues, meaning the commission has made a proposal, parliament and council have adopted their positions, and then parliament and council negotiated with the commission as broker to reach a final text. This takes place over many hours of meetings in different formats and is a very complex process as each institution needs to make sure the document fits the legal and policy limitations set by the institution's position
* They only recently reached an agreement, which is done on the basis of very messy documents, often thousands of pages in table format
* These documents are transformed into a legal text, which is done by parliament's lawyers
* Then all three institutions have to review the file with policy and legal experts to ensure it fits the agreed text
* Lawyer linguists check the text to assure references are correct and translations (23 language versions are all equally valid!) are fully aligned
* A few other steps, like formatting checks, etc
* Only then can the text be published as draft documents for the vote
All that, just to make clear that it's unfortunate it is not public yet, but it is not someone being malicious or intransparent, it's just a complex process. There is likely pressure to have the votes soon as it needs to be in force by early 2024. But before the vote takes place the files must and will be published, else the vote is moved.
Hmm, but I think I've seen campaigns that were mainly fighting legislation that was proposed by the Commission, even before it went to the trilogues, trying to get Parliament to strike something - e.g. [1]. What's the difference here?
> In 2023, a change was proposed to eIDAS that would allow any EU government to surveil all internet communication, even when encrypted.[..]
> The proposal would force internet companies to place a backdoor in web browsers to let them perform a man-in-the-middle attack, deceiving users into thinking that they were communicating with a server they requested, when, in fact, they would be communicating directly with the EU government. The EU government would then read and change their messages before passing the possibly modified message on to the intended recipient.
This is quite an absurd summary, both legally and technically simply nonsense.
And eIDAS is about digital identity management, this critiqued part is just a tiny part of it, not a main feature, so this is not "what eIDAS is about".
Valid criticism. I removed the snippet "what eIDAS is about" from my comment.
I think the criticism raised is not (solely) against digital identity, but about possible security risks associated with it.
Thank you. I think the criticism is really just about the certificate requirement. I just don't see what other part of eIDAS could be considered to MitM anyone. But of course only the author would know for sure what they meant.
That is indeed why they keep referring to Article 45 - the specific article of concern. If that was removed, presumably this new version of eIDAS would be fine. (And an existing version has already been in effect for a while, if I understand correctly.)
On the coattails of the CSAR draft for which the expert group was mostly led by Google, I went to seek whether a similar "expert group" exists for this program.
Indeed, there's supposed to be something called the "toolbox group" which acts as an expert panel for eIDAS. However, I cannot find a single available resource online that lists who is actually on that expert group. Even the EU official site is just empty.
There are now less than 13 days until the vote and the cyber security community, civil society and the public are still unable to read the proposed regulation, let alone scrutinize its impacts.
In a media Q&A given by the European Commission on Thursday (9th November), the Commission characterized the risks raised in the open letter from cyber security experts and civil society as a ‘misunderstanding’. The Commission went on to state that the open letter had been discussed with their experts, who concluded ‘there is no risk of government spying, nor breaching the confidentiality of internet connections’.
Of course there is no text so it’s difficult to know exactly what is happening. But, a digital ID (we have DigiD in the Netherlands) is quite handy for anything government concerned.
Of course if ever a service like Facebook would start to use it, I will stay very far away from it.
But it’s nice that my taxes, pension, healthcare etc is all available under 1 “account” (one identity).
It does perhaps open the door to nefarious things but I don’t really see it? At least not from this text. We do really need more transparency I agree there.
What you say is true. However, the dangers are at least as large as the benefits. There are two kinds of danger that we need to keep in mind.
First, and most obvious, is hacking. Government services are hacked at least as often as private services. If all of your information is centrally accessible under a single ID, that is a single point of serious danger.
Second, we tend to think of government as a monolithic organization. It is not - government is made up of people. Some good, some evil, most just trying to get through the day. There have been plenty of cases of individuals, with government access, avenging themselves on their ex-spouses, on their rivals, or on people they just don't like. Centralized access to all your government services makes you much more vulnerable to such attacks.
That's not to say a centralized ID is a bad idea. However, we need to be aware of the associated problems, and ensure that there is security, and that mitigations are already planned in advance for when (not if) a security breach occurs.
A big problem with government having large power is that there are absolutely no repercussions for abuse and absolutely no functional way to address any abuse of power if discovered.
The Dutch government used a neighbor of mine in a drastically illegal way, facilitating criminality by proxy (through the neighbor) and protecting said neighbor for more than 10 years. They call it an "intervention" and it's intended to be actions to interfere with organised crime. However, I was simply literally living between the civilian that this proxy intervention was being carried out against and the person that once, way back in 1995, was arrested and convicted for growing hemp. I became a target of this "intervention" simply because I objected to the collateral harassment.
Not a single safeguard succeeded. Every government department simply ignored my formal complaints. The police turned off all response to my calls simply because the public prosecutor told them to. I had to force my stalking case to court by means of the national ombudsman and it took 5 years to get it to court. Then the prosecutors involved got involved in this court case and made it fail. The main prosecutor was in fact pretending to prosecute someone for stalking that was his own illegally run informant. The other prosecutor moved to a position on the board of directors of the court of Maastricht so that they could interfere with the prosecution both directly by the prosecutor and behind the scenes. The one interfering behind the scenes is now the president of the court of Maastricht.
I filed police charges against one of the prosecutors. They simply refused to accept the evidence. I appealed and the attorney general simply ignored and refused to comment on the evidence.
If there are absolutely no functional safeguards against abuse, laws with this sort of power simply should not be passed!!
Yeah having government services done online but NOT having a reasonable e-ID seems like a recipe for disaster. I mean how do you validate your identity if you log in to e.g. do your taxes? I guess each authority could send out some validation code (e.g. tax authority could send out a code on a paper slip with the tax info). But that still feels a bit insecure if that's the only thing validated.
The concerns are about a specific article (Article 45) that prevents browsers from removing government certificates even if they are found to be malicious - not the concept of a digital ID in general. Digital IDs can still be implemented without that requirement - the certificates just have to make sure they hold themselves to the standards that browsers require of them.
Facebook etc are simply not allowed to use it. At least in Belgium, by law, you cannot require people to use their ID, or even ask to show it, without legal authority. Some stores will ask to scan your ID for loyalty points, but they're not allowed to treat you differently if you refuse, so normally you can also just tell them your info if you want to participate.
Our eIDs have PIN-secured digital certificates that can be used to sign documents with legal authority or confirm identity. They use some open smartcard standard and there is open source Linux software available. The downside is that a card reader is required, so they commissioned the "itsme" system that largely replaces that system with a smartphone app.
The itsme authorization system can be used by most places online that require a secure identity based login like banks, HR, taxes, healthcare (state & private), pension, ... while the eID remains for use in-person. You cannot simply sign up to itsme as a developer without a valid reason.
I like this system a lot. It's relatively simple and easy to use. Even my grandparents, who used to have to ask "the young people", can now manage most of their own affairs on a tablet.
If this eAIDS is implemented, can we remove those mitm certificates from the browser and continue as usual, or will it involve some deeper change in the browser engine?