{"id":2424,"date":"2024-11-07T02:43:18","date_gmt":"2024-11-07T10:43:18","guid":{"rendered":"https:\/\/blog.mozilla.org\/netpolicy\/?p=2424"},"modified":"2024-11-07T02:48:02","modified_gmt":"2024-11-07T10:48:02","slug":"behind-the-scenes-of-eidas-a-look-at-article-45-and-its-implications","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/netpolicy\/2024\/11\/07\/behind-the-scenes-of-eidas-a-look-at-article-45-and-its-implications\/","title":{"rendered":"Behind the Scenes of eIDAS: A Look at Article 45 and Its Implications"},"content":{"rendered":"<p>On October 21, 2024, Mozilla hosted a <a href=\"https:\/\/www.youtube.com\/watch?v=60hewrAd4g4\">panel discussion<\/a> during the <a href=\"https:\/\/events.zoom.us\/ev\/AoJeeIwDpZ1Kw6MtWuA6WUoxljX8rFSwSQa6yIAmsrz4z0YyR_HX~AgvFs7_VrDTYubhtf6cueTP7ILUnfVmUt4de2orTkYcRAyBxf-zN57qfrg\">Global Encryption Summit<\/a> to explore the ongoing debate around Article 45 of the eIDAS regulation. Moderated by <a href=\"https:\/\/www.internetsociety.org\/author\/wilton\/\">Robin Wilton<\/a> from the Internet Society, the panel featured experts <a href=\"https:\/\/dennis-jackson.uk\/\">Dennis Jackson<\/a> from Mozilla, <a href=\"https:\/\/www.eff.org\/about\/staff\/alexis-hancock\">Alexis Hancock<\/a> from Certbot at EFF, and <a href=\"https:\/\/epicenter.works\/en\/team\">Thomas Lohninger<\/a> from epicenter.works. Our panelists provided their insights on the technical, legal, and privacy concerns surrounding Article 45 and the potential impact on internet security and privacy. 
The panel, facilitated by Mozilla in connection with its membership on the <a href=\"https:\/\/www.globalencryption.org\/\">Global Encryption Coalition<\/a> <a href=\"https:\/\/www.globalencryption.org\/about\/members\/\">Steering Committee<\/a>, was part of the annual celebration of Global Encryption Day on October 21.<\/p>\n<h3><b>What is eIDAS and Why is Article 45 Important?<\/b><\/h3>\n<p>The original eIDAS regulation, introduced in 2014, aimed to create a unified framework for secure electronic identification (eID) and trust services across the European Union. Such trust services, provided by designated Trust Service Providers (TSPs), included electronic signatures, timestamps, and website authentication certificates. Subsequently, Qualified Web Authentication Certificates (QWACs) were also recognized as a method to verify that the entity behind a website also controls the domain in an effort to increase trust amongst users that they are accessing a legitimate website.<\/p>\n<p>Over the years, the cybersecurity community has expressed its concerns for users&#8217; privacy and security regarding the use of QWACs, as they can lead to a false sense of security. Despite this criticism, in 2021, an updated EU proposal to the original law, in essence, aimed to mandate the recognition of QWACs as long as they were issued by qualified TSPs. 
This, in practice, would undermine decades of web security measures and put users\u2019 privacy and security at stake.<\/p>\n<p><a href=\"https:\/\/securityriskahead.eu\/\">The Security Risk Ahead<\/a> campaign raised awareness and addressed these issues by engaging widely with policymakers, including through <a href=\"https:\/\/last-chance-for-eidas.org\/\">a public letter<\/a> signed by more than 500 experts that was also endorsed by organizations including Internet Society, European Digital Rights (EDRi), EFF, and Epicenter.works, among others.<\/p>\n<p>The European Parliament introduced last-minute changes to mitigate risks of surveillance and fraud, but these safeguards now need to be technically implemented to protect EU citizens from potential exposure.<\/p>\n<h3><b>Technical Concerns and Security Risks<\/b><\/h3>\n<p><b>Thomas Lohninger<\/b> provided context on how Article 45 fits into the larger eIDAS framework. He explained that while eIDAS aims to secure the wider digital ecosystem, QWACs under Article 45 could erode trust in website security, affecting both European and global users.<\/p>\n<p><b>Dennis Jackson<\/b>, a member of Mozilla\u2019s cryptography team, cautioned that without robust safeguards, Qualified Website Authentication Certificates (QWACs) could be misused, leading to increased risk of fraud. He noted that limited involvement of technical experts in drafting Article 45 resulted in significant gaps within the law. 
The version of Article 45, as originally proposed in 2021, radically expanded the capabilities of EU governments to surveil their citizens by ensuring that cryptographic keys under government control can be used to intercept encrypted web traffic across the EU.<\/p>\n<h3><b>Why Extended Validation Certificates (EVs) Didn\u2019t Work\u2014and Why Article 45 Might Not Either<\/b><\/h3>\n<p><b>Alexis Hancock<\/b> compared Article 45 to extended validation (EV) certificates, which were introduced years ago with similar intentions but ultimately failed to achieve their goals. EV certificates were designed to offer more information about the identity of websites but ended up being expensive and ineffective as most users didn\u2019t even notice them.<\/p>\n<p>Hancock cautioned that QWACs could suffer from the same problems. Instead of focusing on complex authentication mechanisms, she argued, the priority should be on improving encryption and keeping the internet secure for everyone, regardless of whether a website has paid for a specific type of certificate.<\/p>\n<h3><b>Balancing Security and Privacy: A Tough Trade-Off<\/b><\/h3>\n<p>A key theme was balancing online transparency and protecting user privacy. All the panelists agreed that while identifying websites more clearly may have its advantages, it should not come at the expense of privacy and security. The risk is that requiring more authentication online could lead to reduced anonymity and greater potential for surveillance, undermining the principles of free expression and privacy on the internet.<\/p>\n<p>The panelists also pointed out that Article 45 could lead to a fragmented internet, with different regions adopting conflicting rules for registering and asserting ownership of a website. 
This fragmentation would make it harder to maintain a secure and unified web, complicating global web security.<\/p>\n<h3><b>The Role of Web Browsers in Protecting Users<\/b><\/h3>\n<p>Web browsers, like Firefox, play a crucial role in protecting users. The panelists stressed that browsers have a responsibility to push back against policies that could compromise user privacy or weaken internet security.<\/p>\n<h3><b>Looking Ahead: What\u2019s Next for eIDAS and Web Security?<\/b><\/h3>\n<p><b>Thomas Lohninger<\/b> raised the possibility of legal challenges to Article 45. If the regulation is implemented in a way that violates privacy rights or data protection laws, it could be contested under the EU\u2019s legal frameworks, including the General Data Protection Regulation (GDPR) and the ePrivacy Directive. Such battles could be lengthy and complex, however, underscoring the need for continued advocacy.<\/p>\n<p>As the panel drew to a close, the speakers emphasized that while the recent changes to Article 45 represent progress, the fight is far from over. 
The implementation of eIDAS continues to evolve, and it\u2019s crucial that stakeholders, including browsers, cybersecurity experts, and civil society groups, remain vigilant in advocating for a secure and open internet.<\/p>\n<p>The consensus from the panel was clear: <b>as long as threats to encryption and web security exist, the community must stay engaged in these debates.<\/b> Scrutinizing policies like eIDAS is essential to ensure they truly serve the interests of internet users, not just large institutions or governments.<\/p>\n<p>The panelists concluded by calling for ongoing collaboration between policymakers, technical experts, and the public to protect the open web and ensure that any changes to digital identity laws enhance, rather than undermine, security and privacy for all.<\/p>\n<p>\u2014<br \/>\nYou can watch the panel discussion <a href=\"https:\/\/www.youtube.com\/watch?v=60hewrAd4g4\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On October 21, 2024, Mozilla hosted a panel discussion during the Global Encryption Summit to explore the ongoing debate around Article 45 of the eIDAS regulation. 
Moderated by Robin Wilton &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2024\/11\/07\/behind-the-scenes-of-eidas-a-look-at-article-45-and-its-implications\/\">Read more<\/a><\/p>\n","protected":false},"author":1964,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"coauthors":[453008,453012],"yoast_head_json":{"title":"Behind the Scenes of eIDAS: A Look at Article 45 and Its Implications - Open Policy &amp; Advocacy","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/netpolicy\/2024\/11\/07\/behind-the-scenes-of-eidas-a-look-at-article-45-and-its-implications\/","twitter_misc":{"Written by":"Sema Karaman, Joel Burke","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/netpolicy\/2024\/11\/07\/behind-the-scenes-of-eidas-a-look-at-article-45-and-its-implications\/","url":"https:\/\/blog.mozilla.org\/netpolicy\/2024\/11\/07\/behind-the-scenes-of-eidas-a-look-at-article-45-and-its-implications\/","name":"Behind the Scenes of eIDAS: A Look at Article 45 and Its Implications - Open Policy &amp; Advocacy","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/#website"},"datePublished":"2024-11-07T10:43:18+00:00","dateModified":"2024-11-07T10:48:02+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/ddaf6f68422a2f5bbd52ff9bbd122c5e"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/2024\/11\/07\/behind-the-scenes-of-eidas-a-look-at-article-45-and-its-implications\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/netpolicy\/2024\/11\/07\/behind-the-scenes-of-eidas-a-look-at-article-45-and-its-implications\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/netpolicy\/2024\/11\/07\/behind-the-scenes-of-eidas-a-look-at-article-45-and-its-implications\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/netpolicy\/"},{"@type":"ListItem","position":2,"name":"Behind the Scenes of eIDAS: A Look at Article 45 and Its Implications"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#website","url":"https:\/\/blog.mozilla.org\/netpolicy\/","name":"Open Policy &amp; Advocacy","description":"Mozilla&#039;s official blog on open Internet policy initiatives and developments","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/netpolicy\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/ddaf6f68422a2f5bbd52ff9bbd122c5e","name":"Sema Karaman","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/image\/2e85bc44f6c414c0fc22eccefcd7fbfc","url":"https:\/\/secure.gravatar.com\/avatar\/e2cd6f285ddfad7198bf070028ab1ac3?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e2cd6f285ddfad7198bf070028ab1ac3?s=96&d=mm&r=g","caption":"Sema Karaman"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts\/2424"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/users\/1964"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/comments?post=2424"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts\/2424\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/media?parent=2424"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/categories?post=2424"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/tags?post=2424"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/coauthors?post=2424"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}