(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on alecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]
Hot on the heels of #ChatControl and in the name of “identity” and “consumer choice” the EU seeks the ability to undetectably spy on HTTPS communication; 300+ experts say “no” to #Article45 of #eIDAS
2023-11
There’s an old British political joke that goes:
“Why is there only one ‘Monopolies Commission’?”
The joke can be updated or localised to suit reader tastes:
“…only one Competition & Markets Authority?”
“…one Federal Trade Commission?”
“…Autorité de la Concurrence?”
…etc, but the point of the joke is to poke fun at (generally) there being only one authority to oversee monopoly and competition in any given nation — and also to highlight that sometimes it’s wise to have only one of a given thing.
Thus we are with various internet capabilities, and the European Union — at least, in public — have bent themselves towards breaking up “monopolistic” (i.e., huge and non-European) services on the Internet, in the name of ~~benefitting European startups~~ user choice.
I’ve written previously about how this approach reduces choice by (e.g.) treating all messenger solutions as fungible and broadly identical, where the EU is demanding that larger ones must “interoperate” in order to break consumer lock-in “network” effects which the EU supposedly fear. My personal suspicion is that this effort is at least equally motivated by a desire to delay adoption of end-to-end secure messaging solutions that lack data leakage and other means to passively “backdoor” them.
And this brings us to the eIDAS (“Electronic IDentification And trust Services”) program which has been kicking around for ages — but what you need to know for today’s announcement is:
The EU wants a European HTTPS/TLS/SSL Certificate Hierarchy
…and it also wants a European DNS Service
…and European Digital ID Cards
…and an entire ecosystem of Digital Identity technologies
…because extant technologies in this space tend to reinforce American ~~tax revenue~~ hegemony
…and few European companies are significantly ~~taxable~~ dominant in those technology areas
…and because being able to attribute and optionally track citizen internet usage via their European Digital Identity Wallets would be ~~excellent competition for Facebook & the NSA~~ beneficial to the online provision of pan-EU state services to citizens
…and because mandatory deployment of European TLS/SSL Certificates by major browsers means that the EU security services would be able to silently spy on literally any EU-terminated HTTPS connection
…and did I mention that they also want, in the name of “standards”, to ban any of: avoidance, circumvention, or detection of such interception?
Users and Platforms will be obliged to trust EU-sourced HTTPS Certificates without checking them for authenticity, because why would you not trust the state to act in your interest?
I’ve argued previously that all third-party digital identity is bunk — it’s a layer of intermediation that should exist for the convenience and at the behest of one/both the parties to a communication, not to serve a patrician and parochial infrastructure provider such as a local or nation state government. The claim is that QWAC is necessary so that users can attribute websites to actual people or other entities — but we already tried that with EV certificates and it turns out that nobody cares about that level of attribution.
But: far beyond this “identity ecosystem” verbiage, the latest draft of Section 45 of the EU’s eIDAS proposal contains phenomenally dangerous propositions that will clearly undermine the security and privacy of millions, even billions (because Europeans also speak with non-Europeans) of people. They are a replay of the widely derided ChatControl proposal but at the other end of the application stack — and they too deserve to be roundly and loudly rejected by the privacy-loving European public.
Online “Trust” is not a “Monopoly” that needs breaking up, and “Browsers” are not somehow conspiring to exclude European innovation. It’s simply safer and clearer and more transparent to have just one agreed, well-oiled, open, global, standard website trust mechanism, especially where it’s proposed to be regionally usurped by something that is so clearly undermining trust and enabling surveillance.
The last country to attempt such an illiberal, misconceived, even foolish proposal like this was Kazakhstan… and that did not end well.
CALL TO ACTION
Please go read this letter:
https://eidas-open-letter.org/
…and read/get informed about the proposal, and go tell other people — ideally MEPs — why you are concerned. Online trust is not a problem which requires a European regulatory solution to improve it — instead it requires global consensus and standards for robust and secure communication, of which this particular eIDAS proposal is the precise opposite.
The proposal (Article 45) needs to be amended and reduced in reach to harmonise with — rather than attempt to redefine, override, or displace — extant internet standards.
UPDATE: WHAT TO DO ABOUT THIS
Some instruction has been posted at https://last-chance-for-eidas.org; there is not very much time to act. The rapporteur responsible for collating feedback is @jerkovicromana – I recommend being constructive and polite, if firm, when sharing your opinions. Have a cup of tea, first.
MORE INFORMATION
If you are interested in contemporary Twitter discussion surrounding this matter, this Ready Made Twitter Search may be of some assistance.
[END]
[1] URL: https://alecmuffett.com/article/108139#comment-259782
[2] URL: https://creativecommons.org/licenses/by-sa/3.0/
DropSafe Blog via Magical.Fish Gopher News Feeds:
gopher://magical.fish/1/feeds/news/alecmuffett/