• EU eIDAS: VPNs won't protect Europeans privacy if law passes, exp

    From TechnologyDaily@1337:1/100 to All on Fri Feb 16 07:45:04 2024
    EU eIDAS: VPNs won't protect Europeans' privacy if law passes, experts warn

    Date:
    Fri, 16 Feb 2024 07:31:37 +0000

    Description:
    While lawmakers seek to fix web security in the EU, experts warn that greater surveillance and censorship may arrive in Europe soon. Here's what this means for your privacy.

    FULL STORY ======================================================================

    We already reported a few months ago how the EU's quest to fix the internet is expected to turn into a privacy and security nightmare for citizens. Now, experts told TechRadar that not even VPN services could rescue our online anonymity if the law passes in its current form.

    Known as eIDAS 2.0, the infamous proposed regulation is a revision of the EU's previous digital identity law - a process that began in 2020 and is about to be finalized. The law aims to do two things: change how web browsers deal with security and website authentication, and launch an identification app (EU ID Wallet) for all Europeans.

    Secure browser providers like Mozilla, along with cryptographers, computer scientists, and privacy advocates, have warned of how these proposed provisions endanger the security and privacy of citizens across the bloc. For the purpose of this article, I will focus solely on the issues regarding browser authentication.

    Article 45 to boost online surveillance

    "We are all in the larger security community shocked. I don't think the European parliament knew what they were doing," Harry Halpin, CEO and co-founder of Nym Technologies, told me. "This is all super dangerous stuff, it's amazing that such an idiotic rule has passed."

    Halpin is a computer scientist with a long history of fighting for better privacy after experiencing the impact of invasive government surveillance firsthand. For the last 15 years, he's been on a watch list for his past involvement with grassroots climate activist groups. Last November, he launched NymVPN to deliver better online anonymity than existing solutions. Now, his efforts may be rendered obsolete - across the EU, at least.

    Let's take a step back, though, to understand what the issue really is. As mentioned before, the European Commission is trying to change how web browsers manage website authentication in a way that Halpin described as "a crazy approach." But what does this change look like?

    You've probably seen the little padlock sitting on the left-hand side of a website URL in a browser's address bar. That indicates the website you're about to access is secured by an HTTPS connection, meaning the connection between the browser and the server providing the service is encrypted.

    Clicking on the padlock, you can read the details of who issued the so-called root certificate that vouches for the security of the connection. That's the entity that ensures that the website is exactly what it claims to be.

    What eIDAS wants to change, raising many concerns within the industry, is how these certificates are handled. As Carmela Troncoso, computer engineer and professor at EPFL, explained, the law will give EU states the right to issue these proofs of trust, which web browsers will have to accept as truthful. Browser providers will also be prevented from removing these certificates (as currently happens) even in cases where they notice malicious activities, unless the member state allows it.

    "[The law] changes the balance of power by moving these security checks on member states. We find this to be extremely dangerous," Troncoso told me. "The security of the whole internet is on the line because this is not about the security of two pages, it is the whole thing."

    Did you know? Short for virtual private network, a VPN is security software that both spoofs your IP address and encrypts internet connections. Put simply, it encrypts all the data in transit while rerouting your connection via one of its international servers. It's widely used for bypassing geo-restrictions online and boosting privacy when browsing the web.

    This means that governments will be able to intercept all our internet traffic. "A surveillance regime worse than what China and Russia have," said Halpin. "I don't think anyone in their right mind would accept this."

    Even worse, perhaps, he also argues that not even the most secure VPN app will be able to prevent it.

    That's because the government will act as the man in the middle between our machine and the website, "in the middle of our connection" as Halpin put it.

    "The VPN is on a lower level - it defends the network connection, but then there's also the website or the application that runs on top of the network," he said. "It won't then really matter if I'm using a VPN because the given government can intercept the traffic on the level of the web browser. They can legally intercept all traffic through your web browser even if it's encrypted and they don't want you or even Google to know about it."

    At the same time, though, Halpin believes a VPN may be able to still bring some advantages - in theory. For example, you could spoof your IP address location to pretend not to be in Europe and download a more private and secure browser. "It's relatively crazy, but could happen," he said.

    What's next?

    While the European Commission dismissed such security concerns, at the time of writing, it agreed only to a provisional text.

    That's why the team at the Norwegian browser, Opera, feels more optimistic. Despite agreeing with the wider industry that in its current form the law will not improve the security of the web, VP of IT and Security Christian Zubel told me: "I truly believe that we may wake up tomorrow and see a different version [of the text]."

    Nonetheless, experts expect the final agreement to be revealed by the end of March as the Parliament is pushing to close all the open legislative processes before the upcoming European elections scheduled in June.

    What's certain is that Article 45 of the eIDAS revision doesn't pave the way for greater surveillance only. The risk that online censorship could increase is high, too, and so are potential cyberattacks. "From a cybersecurity standpoint, it makes Europe a dangerous place to do anything over the internet," Halpin told me.

    It's worth noting, though, that lawmakers seem to have been listening to the cry from within the industry - partially, at least. They did not change the provision itself, in fact, but rather added a recital upfront that should clarify ambiguities and leave browser providers more freedom to ensure web security. Despite this being a good start, it remains to be seen how much value it would eventually have from a legal point of view.



    ======================================================================
    Link to news story: https://www.techradar.com/computing/cyber-security/eu-eidas-vpns-wont-protect-europeans-privacy-if-law-passes-experts-warn


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)