Certain technical changes are quietly being made that would make it easier for governments to spy on the Internet. From Robert Blumen at brownstone.org:

The European Commission is an EU legislative body with regulatory authority over digital technology. The EC’s eIDAS Article 45, a proposed regulation, would deliberately weaken areas of internet security that the industry has carefully evolved and hardened for over 25 years. The Article would effectively grant the 27 EU governments vastly expanded surveillance powers over internet use.
The rule would require all internet browsers to trust an additional root certificate from an agency (or a regulated entity) of the national government of each EU member state. For non-technical readers, I will explain what a root certificate is, how internet trust has evolved, and what Article 45 does to this. And then I will highlight some of the commentary from the tech community on this matter.
The next section of this article will explain how the trust infrastructure of the internet works. This background is necessary in order to understand how radical the proposed Article is. The explanation is intended to be accessible to a non-technical reader.
The regulation in question addresses internet security. Here, “internet” means, largely, browsers visiting websites. Internet security consists of many distinct aspects. Article 45 intends to modify public key infrastructure (PKI), a part of internet security since the mid-90s. PKI was first adopted, and then improved over a 25-year period, to give users and publishers the following assurances:
- Privacy of the conversation between the browser and the website: Browsers and websites converse over the internet, a network of networks operated by Internet Service Providers and Tier 1 carriers, or cellular carriers if the device is mobile. The network itself is neither inherently safe nor trustworthy. Your nosy home ISP, a traveler in the airport lounge where you are waiting for your flight, or a data vendor looking to sell leads to advertisers might want to spy on you. Without any protection, a bad actor could view confidential data such as a password, credit card balance, or health information.
- Guarantee that you view the page exactly the way the website sent it to you: When you view a web page, could it have been tampered with between the publisher and your browser? A censor might want to remove content that they don’t want you to see. Content labeled as “misinformation” was widely suppressed during covid hysteria. A hacker who had stolen your credit card might want to remove evidence of their fraudulent charges.
- Guarantee that the website you see is really the one in the browser’s location bar: When you connect to a bank, how do you know that you are seeing the website of that bank, not a fake version that looks identical? You check the location bar in your browser. Could your browser be tricked into showing you a fake website that appears identical to the real one? How does your browser know – for sure – that it is connected to the correct site?