The European Commission is an EU legislative body with regulatory authority over digital technology. Article 45 of the EC's proposed eIDAS Regulation would deliberately weaken certain aspects of internet security that the industry has carefully developed and strengthened for over 25 years. This article would in effect grant the 27 EU governments very broad surveillance powers over Internet use.

The rule would require all Internet browsers to trust an additional root certificate from an agency (or regulated entity) of each of the national governments of each of the EU member states. For non-specialist readers, I will explain what a root certificate is, how trust in the internet has evolved and what Article 45 brings in this regard. Next, I'll highlight some comments from the tech community on this issue.

The next section of this article explains how the Internet's trust infrastructure works. This context is necessary to understand how radical the proposed article is. The explanation is intended to be accessible to a non-technical reader.

The regulation in question concerns internet security. By “internet” here we mean, to a large extent, browsers that visit websites. Internet security has many distinct aspects. Article 45 aims to change public key infrastructure (PKI), which has been part of internet security since the mid-90s. PKI was first adopted and then improved over a period of 25 years, in order to give users and publishers the following guarantees:

Browser-website conversation privacy: Browsers and websites converse over the Internet, a network of networks operated by Internet service providers and Tier 1 carriers, or cellular carriers. if the device is mobile. The network itself is not inherently secure or trustworthy. Your home Internet service provider, a traveler in the airport waiting room where you're waiting for your flight, or a data provider looking to sell leads to advertisers may want to spy on you. Without any protection, a malicious actor could view confidential data such as a password, credit card balance, or health information.
Ensure that you view the page exactly as the website sent it to you: When you view a web page, could it have changed between the editor and your browser? A censor may want to remove content they don't want you to see. Content labeled as “disinformation” was largely removed during the covid hysteria. A hacker who stole your credit card might want to remove evidence of their fraudulent spending.
Ensure that the website you see is the one in the browser's address bar: When you log into a bank, how do you know you are seeing that bank's website, and not a fake version that looks the same? You check your browser's address bar. Could your browser be tricked and show you a fake website that looks identical to the real one? How does your browser know – for sure – that it is connected to the right site?

In the early days of the internet, none of these guarantees existed. In 2010, a browser plugin available in the add-ons store allowed the user to join another person's Facebook group chat at a hotspot cafe. Today, with ICP, you can be pretty sure of these things.

These security features are protected by a system based on digital certificates. Digital certificates are a form of identification – the internet version of a driving license. When a browser connects to a site, the site presents it with a certificate. The certificate contains a cryptographic key. The browser and website work together using a series of cryptographic calculations to establish secure communication.

Together, the browser and the website provide the three security guarantees:

- confidentiality: by encrypting the conversation.
- cryptographic digital signatures: to ensure that content is not modified in flight.
- publisher verification: through the chain of trust provided by the ICP, which I will explain in more detail below.

A good identity should be difficult to counterfeit. In ancient times, the wax casting of a seal served this purpose. Human identities rely on biometrics. Your face is one of the oldest shapes. In the non-digital world, when you need to enter an age-restricted venue, for example to order an alcoholic drink, you will be asked for photo ID.

read the article