November 9, 2023
Europe has taken a new step towards the introduction of a European digital identity. Privacy activists warn that the new rules make spying by governments possible.
The European Member States and the European Parliament agreed on Wednesday evening on a provisional legal text regulating the introduction of a European electronic identity. After a technical and legal revision, the new regulation, eIDAS in European jargon, will be submitted to the European Council and the European Parliament for approval.
The purpose of eIDAS is to enable uniform digital authentication for all European citizens, so that they can, for example, shop safely, exchange data or request official documents. Europe wants to make an ‘identity wallet’ possible for every citizen, for storing and using official documents online in a digital version.
However, civil rights and privacy activists fear that an article in the law opens the door for the government to spy on its citizens on a large scale. This concerns Article 45, which requires web browser operators to cooperate with certificate authorities (CAs) designated by the Member States.
Certificate authorities are a kind of digital intermediary that uses a system of cryptographic keys to guarantee that a website is safe and reliable. Anyone surfing the web can recognize such a certified website by the prefix ‘https’ and the lock icon in the browser's address bar. A handful of large companies, including GlobalSign and Verisign, offer these certification services. They are in turn audited by browser providers such as Google or Mozilla. “That system is not perfect, but it functions quite well,” says renowned cryptographer Bart Preneel (KU Leuven).
The fear now is that European governments will appoint CAs that are under their own control. In this way, a government can obtain all the digital keys it needs to intercept secure communications. Article 45 also prohibits browsers from imposing stricter security requirements on CAs than the standards centrally determined by ETSI, an institute that imposes telecom standards in Europe.
Preneel thinks that many politicians underestimate the scope of the new legislation. ‘It is a very technical matter, which may also explain why little was published about it in the media. But this certainly opens the door for surveillance on a large scale.’