With 335 votes to 190 and 31 abstentions, the EU Parliament on Thursday passed the long-controversial regulation for a European electronic identity (EUid) based on digital wallets (e-wallets). Controversial until the end was the EU Commission's approach under which browsers such as Chrome, Edge, Firefox, Opera and Safari will in future have to recognize qualified certificates for website authentication, as laid down in the amendment to the eIDAS regulation. In the agreement they reached in November, the EU legislative bodies adhered in principle to the introduction of such Qualified Website Authentication Certificates (QWACs). After massive criticism from scientists and civil rights activists, however, they added passages on how the “established security rules and standards of the industry can be adhered to”.
With QWACs, users can check who is behind a website. Providers like D-Trust see this as an important contribution to the fight against phishing. However, experts have repeatedly warned that such state-mandated root certificates make it easier for authorities to intercept encrypted communications through so-called man-in-the-middle attacks. The government of Kazakhstan, for example, forced such a certificate on its citizens in 2020 so that it could read their data traffic. Back then, browser manufacturers were still able to react quickly. That this remains possible is governed by a new Article 45a added to the regulation: in cases of “well-founded concerns about security violations or a loss of integrity of a specific certificate,” web browser providers may, according to the article, take “precautionary measures” in consultation with the authorities and the issuer.
Foundation stone for e-government or surveillance?
Recital 65 also states: “The obligation to recognize, interoperate and support qualified certificates for website authentication does not affect the freedom of web browser providers to ensure web security, domain authentication and encryption of web traffic in the manner and with the technology that they consider most suitable.” The Commission welcomes this clarification in a separate statement. According to the Commission, browsers can continue to “establish encrypted connections with websites” or authenticate the cryptographic keys used for this purpose in the development stage. Firefox maker Mozilla celebrates the additions as a “victory for web security.” During the implementation phase, attention will now be paid to “ensuring that eIDAS does not enable monitoring or interception of web traffic”.
With the reform, EU states will in future have to make an e-wallet available to all citizens and companies. In the digital wallet, users should be able to voluntarily store their national eID, especially on mobile devices, and link it with evidence of other personal attributes such as a driver's license, diplomas, birth or marriage certificates, payment details and medical prescriptions. The obligation initially requested by the Commission to design the eID as a lifelong personal identification number is not included. The app client must be open source. The industry association Bitkom sees this as laying the foundation for genuine digital communication between citizens, administration and business. EU MP Patrick Breyer (Pirate Party) remains skeptical: “We're getting data collection, user monitoring and an attack on encryption.” The civil rights activists at Epicenter.works also warn: “The wide availability of eID systems also creates new potential for misuse and surveillance.”
(dmk)