Just saw this update. I’ll quote from the previous article for a complete picture.
After years of legislative process, the near-final text of the eIDAS regulation has been agreed by trialogue negotiators1 representing EU’s key bodies and will be presented to the public and parliament for a rubber stamp before the end of the year. New legislative articles, introduced in recent closed-door meetings and not yet public, envision that all web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments.
This means governments could impersonate websites, effectively breaking https. Over 500 researchers and experts had signed a letter against the problematic article 45. In the update they got a response:
In a media Q&A given by the European Commission on Thursday (9th November), the Commission characterized the risks raised in the open letter from cyber security experts and civil society as a ‘misunderstanding’. The Commission went on to state that the open letter had been discussed with their experts, who concluded ‘there is no risk of government spying, nor breaching the confidentiality of internet connections’.
So they asked ‘experts’ who said breaking https doesn’t lead to government spying.
We call on the European Commission, Council and Parliament to:
Publish the final legal text of the eIDAS regulation as soon as possible.
Ensure that civil society and cyber security experts have adequate time to scrutinize this regulation ahead of any legislative action.
Be transparent about the advice the Commission has received regarding this regulation and who was consulted.
I’m so done with this. The fact that they can just:
-
Introduce an article that breaks https into a regulation a short time before it’s voted on
-
Don’t disclose the text of the articles for independent experts to look at
-
Blatantly deny what it does after it gets discovered
Without any repercussions is depressing. They’ll just keep trying this until it sneaks past.
This text is subject to approval in the final closed-door trialogue meeting in Brussels on November 8th, after which it will be published and presented for formal ratification in the European Parliament. This is expected to be in the first few months of 2024, but this vote is seen as a formality with the text of trialogue negotiations typically being adopted into law without alteration.
Last week, representatives of the European Parliament, Council and Commission announced they had signed off on the eIDAS Regulation and that a vote in Parliament’s ITRE committee will be held on November 28th. We understand that although no changes have been made to Article 45, there were last-minute changes to the accompanying Recital 32. However, the EU has still not published the agreed legal text. There are now less than 13 days until the vote and the cyber security community, civil society and the public are still unable to read the proposed regulation, let alone scrutinize its impacts.
Finally:
If you’re a European citizen, you can write to the member of the European Parliament responsible for the eIDAS file - Romana JERKOVIĆ - and register your concern.
Edit: formatting
You’ll get two WHOLE days to go through it how much time do you need. It’s all very very safe okay. All my advisors tell me it’s safe. Really. What’s the problem that the government can impersonate any https site online. We would never do such a thing. There’s no record in history of the government getting hacked or people accessing data they shouldn’t.
( /s for those thinking I’m being serious )
I am weirdly looking forward to the surprised pikachu face when the privkey leaks in the first week and suddenly suspiciously specific info about virtually everything whats going on privately in the EU pops up all over the world, including politicians and their friends.