Privacy

31981 readers

387 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

New technical framework for the European Digital Identity Wallet (eIDAS) reveals severe shortcomings, threatening user privacy and contradicting the regulation's intent, rights group says (epicenter.works)

submitted 4 months ago by makeasnek@lemmy.ml to c/privacy@lemmy.ml

6 comments fedilink hide all child comments

cross-posted from: https://feddit.org/post/317047

in February 2024, the EU Parliament adopted the eIDAS regulation, creating the framework for a "European Digital Identity Wallet". This digital Wallet will enable citizens to identify themselves in a legally binding manner, both online and offline, sign documents, login into websites and share personal data about them with others. Recently, the European Commission published the Architectural Reference Framework (ARF) 1.4 for the technical implementation of the Wallet.

The success of the EU Digital Identity Wallet depends on its ability to gain citizens' trust and establish a resilient infrastructure in our current data-driven economy.

"However, after our analysis, we believe that this goal has been missed," says the digital rights group Epicenter Works.

"We see severe shortcomings in the ARF that either contradict the regulation or ignore important elements of it. These issues, if left unaddressed, could significantly undermine user rights and privacy."

you are viewing a single comment's thread
view the rest of the comments

[–] originalfrozenbanana@lemm.ee 6 points 4 months ago (1 children)

No you’re right. The ARF just ignored that constraint and intentionally built in a back door here. From the linked article:

However, the current ARF stipulates that law enforcement authorities can retroactively trace pseudonyms back to their legal identity. The provisions therefore „strongly contradicts the legal requirements,“ epicenter.works writes.

[–] huginn@feddit.it 4 points 4 months ago (1 children)

Agreed that law enforcement should not be involved but the quote I posted was also from the article and it seems impossible.

[–] originalfrozenbanana@lemm.ee 2 points 4 months ago (1 children)

It’s impossible to do without signing the with the valid cert. I think destroying the anonymity is the point

[–] huginn@feddit.it 2 points 4 months ago

It's impossible to do without exposing a private signing cert to everyone, yes. That's the issue.

You can't do asymmetric key signing anonymously and with a central issuer.

So either you have to just trust the assertions (0 security) or you have to have a trusted issuer (not anonymous)

A pseudonym issuer is a trusted issuer. There's no way to do it otherwise. You have to trust someone to make this kind of system work.