Privacy and Cybersec for businesses
Observatory edited by Dr. V. Spataro: privacy, forms, check-ups for WordPress

   Dictionary 2023-11-06

Last Chance to fix eIDAS (and keep it from becoming worse than chatcontrol)


The eIDAS update is being used to upend the chain of cryptographic (SSL) certificate authorities for websites.

The idea is that certificates could be controlled (and weakened) by governments. As unacceptable as chatcontrol.






  • 2nd November 2023
  • European Press



Last Chance to fix eIDAS: Secret EU law threatens Internet security

Over 400 cyber security experts, researchers and NGOs sign an open letter sounding the alarm


After years of legislative process, the near-final text of the eIDAS regulation has been agreed by trialogue negotiators representing the EU’s key bodies and will be presented to the public and parliament for a rubber stamp before the end of the year. New legislative articles, introduced in recent closed-door meetings and not yet public, envision that all web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments.

These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU. Any EU member state has the ability to designate cryptographic keys for distribution in web browsers and browsers are forbidden from revoking trust in these keys without government permission. 

This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to. This is particularly troubling given that adherence to the rule of law has not been uniform across all member states, with documented instances of coercion by secret police for political purposes. 

The text goes on to ban browsers from applying security checks to these EU keys and certificates except those pre-approved by the EU’s IT standards body - ETSI.  This rigid structure would be problematic with any entity, but government-controlled standard bodies are especially susceptible to misaligned incentives in cryptography. ETSI in particular has both a concerning track record (1,2,3) of producing compromised cryptographic standards and a working group dedicated entirely to developing interception technology.

The introduction of this text so late in the legislative process and behind closed doors is also deeply concerning for democratic norms in Europe. Although the deal itself was publicly announced in late June, the announcement doesn’t even mention website certificates, let alone these new provisions. This has made it extremely difficult for civil society, academics and the general public to scrutinize or even be aware of the laws their representatives have signed off on in private meetings. 

Outcry across academia, civil society and industry

Over 400 cyber security experts and researchers from around the world have signed an open letter calling on the EU to abandon these plans and safeguard the web: 

After reading the near-final text, we are deeply concerned by the proposed text for Article 45. The current proposal radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens.
We ask that you urgently reconsider this text and make clear that Article 45 will not interfere with trust decisions around the cryptographic keys and certificates used to secure web traffic.

Civil society groups have also backed the letter, including the Internet Society, European Digital Rights (EDRi), the EFF, and many more.

Their calls have also been echoed by companies that help build and secure the Internet including the Linux Foundation, Mullvad, DNS0.EU and Mozilla who have put out their own statement.

What next?

This text is subject to approval in the final closed-door trialogue meeting in Brussels on November 8th, after which it will be published and presented for formal ratification in the European Parliament. This is expected to be in the first few months of 2024, but this vote is seen as a formality with the text of trialogue negotiations typically being adopted into law without alteration.

If you’re a European citizen, you can write to the member of the European Parliament responsible for the eIDAS file - Romana JERKOVIĆ - and register your concern.

If you’re a cybersecurity expert, researcher or represent an NGO, consider signing the open letter at



Text of 2023-11-06. Source:

