We already reported a few months ago how the EU's quest to fix the internet is expected to turn into a privacy and security nightmare for citizens. Now, experts told TechRadar that not even VPN services could rescue our online anonymity if the law passes in its current form.

Known as the eIDAS 2.0, the infamous proposed regulation is a revision of the previous EU's digital identity law—a process that began in 2020 and is about to be finalized. The law aims to do two things: changing how web browsers deal with security and website authentication while launching an identification app (EU ID Wallet) for all Europeans.  

Secure browser providers, like Mozilla, and cryptographers, computer scientists, and privacy advocates have warned of how these proposed provisions endanger the security and privacy of citizens across the block. For the purpose of this article, I will focus solely on the issues regarding browser authentication.

Article 45 to boost online surveillance

“We are all in the larger security community shocked. I don't think the European parliament knew what they were doing,” Harry Halpin, CEO and co-founder of Nym Technologies, told me. “This is all super dangerous stuff, it's amazing that such an idiotic rule has passed.”

Halpin is a computer scientist with a long history of fighting for better privacy after experiencing the impact of invasive government surveillance firsthand. For the last 15 years, he's been on a watch list for its past involvement with climate grassroot-activist groups. Last November, he launched NymVPN to deliver better online anonymity than existing solutions. Now, his efforts may be rendered obsolete—across the EU, at least.

Let's take a step back, though, to understand what the issue really is. As mentioned before, the European Commission is trying to change how web browsers manage website authentications in a way that Halpin described as “a crazy approach.” But, what does this change look like?

You've probably seen the little padlock sitting on the left-hand side of a website URL in a browser's search bar (see image above). That indicates the website you're about to access is secured by a HTTPS connection, meaning the connection between the browser and the server providing the service is encrypted. 

Clicking on the padlock, you can read the details of who issued the so-called root certificate by approving the security of the connection. That's the entity that ensures that the website is exactly what it claims to be.

What the eIDAS wants to change, raising many concerns within the industry, is how to deal with these certificates. As computer engineer and professor at EPFL Carmela Troncoso explained, the law will give EU states the right to issue these proofs of trust which web browsers will have to accept as truthful. Browser providers will also be prevented from removing these certificates (as it currently happens) even in cases where they notice malicious activities, unless the member state doesn't allow it.

“[The law] changes the balance of power by moving these security checks on member states. We find this to be extremely dangerous,” Troncoso told me. “The security of the whole internet is on the line because this is not about the security of two pages, it is the whole thing.” 

This means that governments will be able to intercept all our internet traffic. “A surveillance regime worse than what China and Russia have,” said Halpin. “I don't think anyone in their right mind would accept this.” 

Even worse, perhaps, he also argues that not even the most secure VPN app will be able to prevent it.

That's because the government will act as the man in the middle between our machine and the website, “in the middle of our connection” as Halpin put it. 

“The VPN is on a lower level—it defends the network connection, but then there's also the website or the application that runs on top of the network,” he said. “It won't then really matter if I'm using a VPN because the given government can intercept the traffic on the level of the web browser. They can legally intercept all traffic through your web browser even if it's encrypted and they don't want you or even Google to know about it.”

At the same time, though, Halpin believes a VPN may be able to still bring some advantages—in theory. For example, you could spoof your IP address location to pretend not to be in Europe and download a more private and secure browser. “It's relatively crazy, but could happen,” he said.

What's next?

While the European Commission dismissed such security concerns, at the time of writing, it agreed only to a provisional text.

That's why the team at the Norwegian browser, Opera, feels more optimistic. Despite agreeing with the wider industry that in its current form the law will not improve the security of the web, VP of IT and Security Christian Zubel told me: “I truly believe that we may wake up tomorrow and see a different version [of the text].”

Nonetheless, experts expect the final agreement to be revealed by the end of March as the Parliament is pushing to close all the open legislative processes before the upcoming European elections scheduled in June.

What's certain is that Article 45 of the eIDAS revision doesn't pave the way for greater surveillance only. The risk that online censorship could increase is high, too, and so are potential cyberattacks. “From a cybersecurity standpoint, it makes Europe a dangerous place to do anything over the internet,” Halpin told me.

It's worth noting, though, that lawmakers seem to have been listening to the cry from within the industry—partially, at least. They did not change the provision itself, in fact, but rather added a recital upfront that should clarify ambiguities and leave browser providers more freedom to ensure web security. Despite this being a good start, it remains to be seen how much value it would eventually have from a legal point of view.