EU eIDAS: VPNs will not protect Europeans’ privacy if law is passed, experts warn

A few months ago we reported how the EU’s quest to improve the internet is expected to turn into a privacy and security nightmare for citizens. Experts now told Ny Breaking that even VPN services cannot save our online anonymity if the law is passed in its current form.

Known as eIDAS 2.0, the infamous proposed regulation is an overhaul of the previous EU digital identity law – a process that started in 2020 and is about to be concluded. The law aims to do two things: change the way web browsers handle security and website authentication, and at the same time launch an identification app (EU ID Wallet) for all Europeans.

Secure browser providers such as Mozilla, as well as cryptographers, computer scientists and privacy advocates, have warned about how these proposed provisions will jeopardize the security and privacy of citizens around the world. For the purposes of this article, I will focus solely on the issues related to browser authentication.

Article 45 to encourage online surveillance

“All of us in the larger security community are shocked. I don’t think the European Parliament knew what they were doing,” Harry Halpin, CEO and co-founder of Nym Technologies, told me. “These are all super dangerous things, it’s amazing that such an idiotic rule has been passed.”

Halpin is a computer scientist with a long history of fighting for better privacy after experiencing firsthand the impact of invasive government surveillance. He has been on a watch list for the past fifteen years due to his past involvement with climate activist groups. Last November, he launched NymVPN to provide better online anonymity than existing solutions. Now his efforts may be outdated – at least across the EU.

However, let’s take a step back to understand what the problem really is. As previously mentioned, the European Commission is trying to change the way web browsers manage website authentications in a way that Halpin described as “a crazy approach.” But what does this change look like?

(Image credit: Getty Images)

You’ve probably seen the little padlock to the left of a website’s URL in a browser’s address bar (see image above). It indicates that the website you are about to visit is served over an HTTPS connection, which means that the traffic between the browser and the server providing the service is encrypted.

By clicking on the padlock you can read the details of the site’s certificate and of the certificate authority whose so-called root certificate vouches for the connection. That authority is the entity attesting that the website is exactly what it claims to be.

What eIDAS wants to change, and what raises many concerns within the sector, is the way in which these certificates must be handled. As Carmela Troncoso, computer engineer and professor at EPFL, explained, the law will give EU states the right to issue these proofs of trust, which web browsers will have to accept as genuine. Browser providers will also be prevented from removing these certificates (as they currently can), even in cases where they notice malicious activity, unless the Member State allows this.

“(The law) changes the balance of power by shifting these security controls to the member states. We consider this extremely dangerous,” Troncoso told me. “The security of the entire Internet is at stake, because it’s not about the security of two pages, it’s about the whole thing.”
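To make the trust model concrete, here is an added shell demonstration (not from the article or from anyone quoted in it) of what a browser’s acceptance of a certificate reduces to: a constructed root CA, a certificate it issues for a host name it does not operate, and the verification outcome with and without that root in the trust store. “Example Mandated Root CA” and bank.example are placeholders, not a real authority or site; the final issuer comparison is the kind of check a defender can run to notice a certificate that chains to an unexpected root.

```shell
#!/bin/sh
# Added demo, not from the article. A verifier accepts a site certificate if
# it chains to ANY root in its trust store, so whoever controls a trusted root
# can vouch for any host name. Names below are constructed placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: self-signed certificate plus private key (the trust anchor).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Example Mandated Root CA" -days 365 2>/dev/null

# Leaf certificate for a host the CA does not operate, signed by that root.
openssl req -newkey rsa:2048 -nodes -keyout site.key -out site.csr \
  -subj "/CN=bank.example" 2>/dev/null
openssl x509 -req -in site.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out site.crt -days 365 2>/dev/null

# The decision a browser makes: does the chain end at a trusted root?
# $1 = PEM file holding the trusted roots; returns 0 if site.crt is accepted.
verify_with() {
  openssl verify -CAfile "$1" site.crt >/dev/null 2>&1
}

# Defender's check: compare the issuer actually presented with the issuer the
# site is known to use (a simple form of issuer pinning / CT log monitoring).
# $1 = expected issuer CN; returns 0 when the presented issuer matches it.
issuer_matches() {
  openssl x509 -in site.crt -noout -issuer | grep -q "CN *= *$1"
}

: > empty.pem   # a trust store that does not contain the mandated root
if verify_with empty.pem; then
  echo "accepted (unexpected)"
else
  echo "rejected: issuing root is not trusted"
fi
if verify_with root.crt; then
  echo "accepted: once the root is trusted, bank.example validates"
fi
if ! issuer_matches "Example Genuine CA"; then
  echo "alert: certificate for bank.example chains to an unexpected issuer"
fi
```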

Did you know?

Short for Virtual Private Network, a VPN is security software that both spoofs your IP address and encrypts internet connections. Simply put, it encrypts all data in transit while rerouting your connection through one of its international servers. It is widely used to bypass online geo-restrictions and increase privacy while browsing the Internet.

This means that governments can intercept all our internet traffic. “A surveillance regime worse than what China and Russia have,” Halpin said. “I don’t think anyone in their right mind would accept this.”

In fact, he also states that even the most secure VPN app cannot prevent this.

That’s because the government will act as the man in the middle between our machine and the website, “in the middle of our connection,” as Halpin put it.

“The VPN is at a lower level: it defends the network connection, but then there is also the website or the application that runs on top of the network,” he said. “It doesn’t really matter if I use a VPN, because the given government can intercept the traffic at the web browser level. They can legally intercept all traffic through your web browser, even if it is encrypted, and they don’t want you or even Google to know about this.”

At the same time, however, Halpin believes that a VPN can still provide some benefits in theory. For example, you can spoof your IP address location to pretend you are not in Europe and download a more private and secure browser. “It’s relatively crazy, but it can happen,” he said.

What’s next?

Although the European Commission has rejected such security concerns, at the time of writing it has only agreed to a provisional text.

That’s why the team at the Norwegian browser Opera is more optimistic. Despite agreeing with the wider industry that the law in its current form will not improve internet security, VP of IT and Security Christian Zubel told me: “I truly believe that tomorrow we will wake up and see a different version (of the text).”

Nevertheless, experts expect the final agreement to be announced by the end of March, as Parliament insists on closing all open legislative processes before the upcoming European elections, scheduled for June.

What is certain is that Article 45 of the eIDAS revision does not only pave the way for more surveillance. The risk that online censorship could increase is also high, as is the risk of cyber attacks. “From a cybersecurity perspective, this makes Europe a dangerous place to do anything over the internet,” Halpin told me.

However, it is worth noting that lawmakers appear to have listened to the industry’s calls – at least in part. They have not changed the provision itself, but rather added a recital that should clarify ambiguities and give browser providers more freedom to ensure web security. While this is a good start, it remains to be seen how much value it will ultimately have legally.
