Update: I changed the title of this post from “major blow” to “existential threat” because a 2 orders of magnitude impact is more an existential threat than a blow.
Have you ever shared your medical records via Whatsapp ?
Have you ever sent your documents to a counterparty via email ?
Don’t cheat! of course you did!
Yet we know whatsapp is under scrutiny for privacy related issues.
Yet we know that email is stored in plain text and flows thorugh various private parties.
Fact is that usability prevails in people’s habits.
In the EU there are now three levels of security (assurance): low, substantial and high. There’s an upcoming vote at the Digital Parliament that plans to kill “substantial” and leave only “high” level of assurance.
Suppose we have the technology to do DNA testing at home. Would we require DNA testing to ascertain people identity when signing a letter to our pension fund ? Of course we would not…
There’s a balance to strike between the level of assurance and usability
Build something that is conceptually “extremely secure” but not usable and people will resort to unsecure means. WE ALL DO!
Lawmakers, aim to the conceptually best, and you wil practically get the worst !!!
Aim to “high” by killing “substantial” and you will get the “low”.
(and, as a side effect, making a a bonsai industry of what is a flourishing sector today)
It seems strange to me that, whilst the Commission is (correctly) adopting in all their regulation a risk-based approach, in this case the Council is pursuing a theoretically driven, conceptual approach, that leads to unusable solutions.
Level “high” envolves the usage of smartcards, something that we know from observed data, that is 100 times less used wrt smartphone-based authentication and that leads to a 60% lower usage of digital services.
Whilst, on the opposite side, we know from observed data that smartphone based authentication drives increase in digitization of public administrations.
Killing “substantial” assurance in favor of a conceptual “high”-only is a provision that exceeds requirements from the banking sector!
I fully support the position of Cloud Signature Consortium (CSC), together with other organisations representing the qualified trust services sector (European Signature Dialog | Associated European Trust Centers (ESD), AssoCertificatori from Italy, ASEPEC from Spain and Club PSCO from France…

who have written this Open letter.
Italy is a peculiar case in this space.
It has demonstrated how digital public administration can be a huge success. We have increased employment, investments, efficiency, cost reduction, skills, quality of life, env. impact, etc. at an unparalleled level in the EU (and worldwide) with a shoestring budget, in a short timeframe, thanks to appropriate policies and design choices. All with negligible negatives.
It seems that some lawmakers, instead of looking at the data and pursuing best practices, in love with a techno-legal philosophical idea, tend towards practices that, that have demonstrated in other countries, in the same timeframe, to be 100x less effective.
Please, MEPs. Look at the facts. Stick to data.
What Bitkom says is unfortunately true: once this regulation comes into effect, … would mean an immediate end to the qualified trust services as we know it
