The revision of the eIDAS Regulation initiated a discussion about who sets standards for safe web browsing via Qualified Website Authentication Certificates. Dr. Kim Nguyen, Managing Director of D-Trust (a company of the Bundesdruckerei Group), explains why European digital sovereignty is the better option.
Dr. Kim Nguyen is the Managing Director of D-Trust GmbH, a company of the Bundesdruckerei Group.
With Making Europe Fit for the Digital Age, the von der Leyen Commission has set us on the road to a new, digital era for the European Union. Digital technology has a profound impact on our lives, and if the EU aims to take its values and principles seriously Europe needs this change to work for citizens and businesses alike.
Real EU-sovereignty requires a sincere well-meant protection of its citizens. In this effort, two aspects are given a key role: The ability to verify digital content, URLs, and identities as well as the ability to set sovereign European standards.
Why are standards and their certification so important? Standards are representing quality, ensuring security, and building up trust. When you currently visit a website, your browser will display a lock icon. This indicates that you have established an encrypted connection to the digital destination you have accessed. This connection is secured via digital certificates.
However, only so-called Qualified Website Authentication Certificates (QWAC) provide transparency and confirm and provide the website providers secured identity for the user. They are in a way your defence against fraudulent sites and ill-intentioned actors. They establish the level of trust in a website, which is necessary for you to browse safely and securely because they guarantee that your personal information including sensitive data like credit card information is not only protected while being transmitted but does not fall into the wrong hands.
According to a 2018 study, the websites of the twenty largest online sellers in Germany alone have been illegally replicated more than 7.000 times. This example impressively demonstrates the threats for internet users as well as the necessity for website authentication mechanisms.
The question of who is responsible for setting standards for websites and who is supervising them has become a topic of heated debates. Given the experience in other sectors, like transport, pharmaceutical or finance, it should be quite obvious that standards are set and checked by neutral external supervisory bodies.
However, today, the browsers themselves set and check the security standards and are able to arbitrarily decide whether to display QWACs or not.
The EU Commission now intends to shift this decision-making power from the hands of international Big Tech companies to the democratically elected European regulators as well as to a governance system which consists of certification and audit bodies as well as national supervisory bodies including means and processes to deal with possible critical issues. Certain web service providers argue that they are defending consumer protection and offer safer solutions under their own responsibility.
While it is true that certain digital companies excel in their sectors and that it is easier for them to create certification schemes for their own browsers, this line of argument serves to conceal an important aspect: Such an approach would leave the question of standards and accountability entirely in their hands. These companies aim to essentially usurp the role of trust service providers and take on crucial internet security responsibilities on behalf of the European Union.
In a world of big tech companies and increasingly powerful authoritarian regimes outside of Europe, the question of who to trust in setting and controlling standards for the digital world becomes ever-more important. Why would we trust the largely intransparent internal processes of global companies without any external check more than our own democratic institutions? As European citizens, we should choose to be the ones to decide on who sets up and supervises these standards.
By setting standards on a European level, we can even avoid becoming dependent on a single government. European solutions might not be perfect, but EU-governance has been very well established over the years and can be further developed. The Commissions proposal for a revision of the eIDAS Regulation is in line with the European Unions ambition to strengthen its commitment to its values such as sovereignty, accountability, and transparency.
Contrary to what recent anti-QWACs campaigning has suggested, the standard setting of liberal democratic institutions is well established, has served Europe well for decades, and cannot at all be compared to the government overreach of non-democratic states like Kazakhstan. In line with democratic principles, the European standards should be developed in cooperation with technical experts from businesses, civil society, and government.
For a website verification to be trustworthy in Europe, European standards are needed. EU standards strengthen EU-sovereignty, and from EU-sovereignty follows that the spirit of EU-laws is upheld. EU-standards entail that we as European citizens, governments, and companies develop the basic rules for the digital world together. Joint events, that bring policy makers, business and civil society together such as the European Digital Identity Roundtable, can make important contributions in this process.
Besides, it means that other companies and institutions will need to follow standards developed by and for Europeans, thus giving us a competitive advantage. It also entails that online verification will rely on European actors. Relinquishing control over website certification will not aid the EU to become more sovereign or more democratic. Therefore, the EU should make use of its right for democratically legitimized representatives and civil servants to set standards that are in the interest of European citizens.
See the rest here:
Democratic EU Standards and the Global View on Safe Web Browsing - EURACTIV