Questions regarding future of Brave with eIDAS2 (EU/GB only)

Description of the issue:
I do not know if I am allowed to post this but I read more and more about it and I’m very concerned.
As of a few days ago the eIDAS2.0 law was accepted in GB and the entire EU.

It will take a while but after several months, products created or distributed in GB and the EU will be forced to add a root certificate (or several) to comply with EU regulations. Browsers (and every application with a browsing ability) will be forced to swap certificates without user knowledge (for example, it shows Verified as Let’s Encrypt with thumbprint ZZZZZ, a request is made at random and it says Verified as Let’s Encrypt with thumbprint XXXXX). This is all for user security.
As the law currently states “browsers are not allowed to mention suspicion of tampering or inform the user in any way”.
This is very concerning since it is a government sanctioned MITM.

How will this affect GB/EU citizens from Brave’s POV?

Brave is a company that is located in San Francisco, California, United States, but to distribute the browser through public channels (be it a website, or a store on a mobile device) they will have to adhere to local laws (similar to GDPR).

As a citizen of GB I’m much more concerned with the fact that any country in the EU can MITM ANY HTTPS connection with a faux (often not secure) certificate, instead of worrying about Brave receiving “very minimal, if any, data”.

Could any of the devs please give a statement about this since it is a big deal.

Please do not say it is only “opt-in”. It is opt-in until the technology shows to be effective, this is always the case.

Steps to Reproduce (add as many as necessary): 1. 2. 3.

Have a look at

https://www.idcentral.io/blog/understanding-the-eus-eidas-2-0-implications-for-identity-verification/ (minimal info, showing how lawmakers think)

https://www.techradar.com/computing/cyber-security/eu-eidas-vpns-wont-protect-europeans-privacy-if-law-passes-experts-warn (a more honest and critical warning about the law in general)

Expected result:

This looks nice at first sight but is a security issue of huge proportions.
That Brave allow a (US) or (EU) version to be available for download.
For platforms that do not have a way to make this directly possible through the OS/store, have a (US) and (EU) download available through, for example, an APK on both the Brave site and GitHub.

Operating System and Brave Version(See the About Brave page in the main menu):

Every OS.

Additional Information:

See description.
Please advise and give some information. The law is in effect. I receive requests from various concerned users in both GB and the EU.

@BravS great question, thank you for asking

While I’m not the best person to respond to this, our Data Protection Officer was aware of this and had responded prior. According to him:

eIDAS 2 is not yet law in the EU. The European Parliament only approved revised text on the 29 Feb. It will be approx 18 months before it becomes law in the EU and applies to the EU iD wallet/app. The key issue is Article 45 and that browsers must recognise, be interoperable with and support QWACs.

Latest update is that "Signing up for the eID app will be voluntary, and it will remain possible to access public and private services by other existing identification and authentication means. The app client will be open source." The UK is not in the EU and it’s unclear if it will update its laws.

I will be deferring any follow-up replies to other team members who are more qualified to reply to these issues.


Thank you so much for taking this huge privacy issue seriously.

The message you have quoted was from “when we still had hope”. Unfortunately, all hope is lost.
The question about whether or not GB would comply, we have the answer for this and unfortunately the answer is not favorable.

As stated in the quote, it will start as an “opt-in” solution to make life easier, to protect citizens and to make everything better.
Past experience of data lawmakers has shown that this “opt-in” solution will quickly change to a default requirement when the efficacy (and, boy, will this law be efficient!) is determined.

Over the years I have become decent at learning and understanding the law as someone that works in, and is a proud user of, the digital world.
From my understanding of this law (read to the letter) there will be two options.
Either stop all business in GB and the EU or bend the knee.
I know Brave is not a company that bends the knee easily, this is why I made this post. Brave is about privacy first and has always shown this to be true.

After reading everything we need to comply with I do not see any other option than having two separate branches. One for GB/EU and one for the rest of the world (with both versions compliant with every previous privacy law in each country, or rather, US and GDPR law).

The requirement for each build is none for the US and installed root certificates for the GB/EU versions.
From my understanding all stores will quickly need to adapt to this.

Manual installations based on personal choice, with integrated auto-updaters based on the choice they made, do not. A GB/EU user should be guided to the GB/EU website and store of their mobile device, however, if they choose to install a version and comply with the terms of another country, those laws will apply. With a manual auto updating feature that circumvents the official download page (example, github) this will no longer be an issue.
The law also does not say anything about educating the user about this law being in effect on the application delivered on any platform, only when the law is applied will a company not be allowed to share any information.

Hopefully Brave will find a way to please both sides and still allow us our freedom after the “opt-in” grace period expires.

It will either require a simple option to pick between laws or the creation of a completely new HTTP encryption model that does not use root certificates in any way, shape or form, to keep users safe.

Thank you for continuing the struggle for the right to have privacy.
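Added example, not Brave's code and not from any poster in this thread: a small Python script that baselines the CA roots visible to Python's ssl module and reports roots that later appear or disappear. This is the kind of local check the "added root certificate" concern in the first post and the "installed root certificates" point above would call for. It assumes a baseline file named `trust_store_baseline.json` (hypothetical) and inspects the OpenSSL/platform store that Python loads, which is not necessarily the browser's own root store.

```python
import json
import ssl
from pathlib import Path

# Hypothetical file name for the saved baseline of trusted roots.
BASELINE = Path("trust_store_baseline.json")


def root_id(cert):
    """Build a stable identifier for one root from its subject and serial.

    `cert` is a dict in the shape returned by SSLContext.get_ca_certs():
    'subject' is a tuple of RDNs, each RDN a tuple of (name, value) pairs.
    """
    subject = " / ".join(
        "=".join(kv) for rdn in cert.get("subject", ()) for kv in rdn
    )
    return f"{subject} #{cert.get('serialNumber', '?')}"


def snapshot_trust_store():
    """Return sorted identifiers of the roots the default context trusts."""
    ctx = ssl.create_default_context()  # loads the platform's default CA store
    return sorted(root_id(c) for c in ctx.get_ca_certs())


def diff_trust_store(baseline, current):
    """Return (added, removed) root identifiers relative to the baseline."""
    before, now = set(baseline), set(current)
    return sorted(now - before), sorted(before - now)


def check(path=BASELINE):
    """Create the baseline on first run; afterwards report any drift."""
    current = snapshot_trust_store()
    if not path.exists():
        path.write_text(json.dumps(current, indent=1))
        return {"status": "baseline-created", "roots": len(current)}
    added, removed = diff_trust_store(json.loads(path.read_text()), current)
    return {
        "status": "changed" if added or removed else "unchanged",
        "added": added,
        "removed": removed,
    }


if __name__ == "__main__":
    print(json.dumps(check(), indent=1))
```

Run it once to record the baseline, then periodically (or after browser/OS updates); any entry under "added" is a root that was not trusted before and deserves a look.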
