Dupe:<p><i>Joint statement of scientists and NGOs on the EU’s proposed eIDAS reform</i> - <a href="https://news.ycombinator.com/item?id=38126997">https://news.ycombinator.com/item?id=38126997</a> - Nov 2023 (65 comments)<p><i>Last Chance to fix eIDAS: Secret EU law threatens Internet security</i> - <a href="https://news.ycombinator.com/item?id=38109494">https://news.ycombinator.com/item?id=38109494</a> - Nov 2023 (302 comments)
The linked PDF is an open letter undersigned by many scientists.<p><i>> Last year, many of us wrote to you to highlight some of the dangers in the European Commission’s proposed eIDAS regulation. After reading the near-final text, we are deeply concerned by the proposed text for Article 45. The current proposal radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens. Concretely, the regulation enables each EU member state (and recognised third party countries) to designate cryptographic keys for which trust is mandatory; this trust can only be withdrawn with the government’s permission (Article 45a(4)). This means any EU member state or third party country, acting alone, is capable of intercepting the web traffic of any EU citizen and there is no effective recourse. We ask that you urgently reconsider this text and make clear that Article 45 will not interfere with trust decisions around the cryptographic keys and certificates used to secure web traffic.<p>Article 45 also bans security checks on EU web certificates unless expressly permitted by regulation when establishing encrypted web traffic connections (Article 45(2a)). Instead of specifying a set of minimum security measures which must be enforced as a baseline, it effectively specifies an upper bound on the security measures which cannot be improved upon without the permission of ETSI. This runs counter to well established global norms where new cybersecurity technologies are developed and deployed in response to fast moving developments in technology. This effectively limits the security measures that can be taken to protect the European web. We ask that you reverse this clause, not limiting but encouraging the development of new security measures in response to fast-evolving threats.</i>
Share private thoughts between you and your friends in the future and get rounded up in no time!<p>I know we're already close with NSA, Five Eyes and whatnot but could the plutocracy be a little less blatant?<p>I wonder if at some point surveillance and tech bureaucracy will become so cemented there's zero chance of revolt or accountability for the upper echelons.<p>Whoever's on top at that point will stay on top until there's a sunstorm.
>Instead of specifying a set of minimum security measures which must be enforced as a baseline, it effectively specifies an upper bound on the security measures<p>What the F
Why?
I still don't get the MITM argument. To me, it feels like there is a lot of heavy lifting beneath the could in "a EU government could MITM any other EU country citizen". Can somebody walk me through an example of how the Romanian government could MITM a Portuguese citizen in Portugal accessing a website hosted in Sweden? Maybe there's something I'm missing? To me it feels like it would require a lot of third party cooperation (i.e. ISPs).<p>As to the tracking potential of eIDs, I agree it could be lessened by improving the legislation as the letter proposes, but to me it feels like it adds a small risk of abuse for a lot of benefits (digital access to the administration, and better security through relying on modern practices instead of handwritten signatures). Again, what is the threat model for being tracked with this ID? Will a random t-shirt shop ask me for my ID? Will this give them better insight into my online habits than asking for my CC number?<p>I see a lot of security professionals warning against this law, and I tend to defer to people who know more than me, but time and again, and as with other EU legislation, the arguments seem to feel unconvincing and mired with "potentials for abuse" and slippery slopes.
Anything except self-governance is an abuse. It abuses those who have been taught to go along with this external governance by those running the governance system. It's all it ever was, all it can ever be. There is no social contract, it's all abuse. Legalised theft to put in roads, or remove them, as at present.<p>If some people want to work together, to opt-in voluntarily to do this or that, as long as it doesn't harm another - then great. To have this immoral monolith writing laws that no one can justify is ridiculous. All pretence of legitimacy is gone, it is simply about control.<p>The above is not a political argument. It is a moral one. What circumstances allow one to forcibly extract from another and steal 40% of their work, or worse <i>and</i> then have the gall to call itself "good"? How big does a gang have to be to gain rights that an individual does not have? No one would think it "right" that I demand 40% of their income! Government is just an extractive mafia system that attempts to pose as the "best we've got", whilst using force to knock down any alternative possibilities of management.