New EU cyber regulation ‘will likely result in less security’


A new EU regulation which could make it easier for governments to monitor internet traffic has been sharply criticised by hundreds of academics as it “substantially increases the potential for harm”.

The eIDAS regulation (Electronic Identification and Trust Services), which has been agreed on a technical level by representatives from the European Parliament, Council, and Commission, serves to alter how web browsers verify the identity and safety status of individual websites.

At present, such verification is achieved via certificates administered by roughly 1,000 private organisations from within the web community itself. Internet users see this verification at work when a website’s certificate fails a browser’s verification requirements, leading to a warning page indicating that the website in question is not safe to visit.

Under eIDAS, which is due to become European law imminently but which would then need to be transposed into each individual member state’s national law, individual governments will be able to dictate what certificates browsers must accept and whether or not they can perform transparency checks regarding those verifications in order to detect any bad faith actions.

However, a letter to all members of the European Parliament signed by more than 400 academics and cybersecurity experts from across the EU, including Ireland, claims that the new regulation will not amount to a common technical standard across the union, but rather “will very likely result in less security for all”.

The letter states:

“We would like to highlight our frustration that decisions crucial for the security and privacy of citizens, businesses, and governments, are being taken behind closed doors... without public consultation of experts about the potential consequences of the proposed regulations.”

“We strongly warn against the currently proposed... agreement, as it fails to properly respect the right to privacy of citizens and secure online communications; without establishing proper safeguards... it instead substantially increases the potential for harm,” it said.

One of the signatories of the document, who preferred to remain anonymous, said that the new regulation could theoretically see a bad faith actor, potentially with government approval, take advantage of the new State-sponsored system of web certificates to “pretend to be any website they wish, Gmail, Facebook, you name it” in order to covertly monitor users’ activity on that site.


Dr Stephen Farrell, research fellow at Trinity College Dublin’s school of computer science and also one of the letter’s signatories, said the regulation “is a bad capability to put in place without there being any way for users to detect and reject misbehaviour”.

TJ McIntyre, privacy expert and associate professor at the UCD school of law, meanwhile said that “the real concern is that you are essentially building a Government back door into the tool that is currently used to keep our internet use safe, and you’re doing it in a way that from a political perspective is very underhand”.


© Examiner Echo Group Limited