What happens when Mozilla, the organization behind Firefox, shares a letter signed by 500 cybersecurity experts, researchers and NGOs about a piece of European legislation that has basically been already agreed upon by the European Union and threatens one of the core values of the open internet? Mozilla even claims that this legislation is a secret legislation because it has been discussed and written during closed-door meetings and it is not yet publicly available. I would say it's a weird way to phrase it, but sure, a secret legislation. And it's not just Mozilla: the Electronic Frontier Foundation, EFF, says that the legislation will roll back web security by 12 years. Even Google has urged lawmakers to revise part of this legislation. Mullvad calls this a new kind of chat control. Most of you, like me, probably never heard of eIDAS, I'm gonna pronounce it eIDAS and just see how it goes. Most of you, like me, probably never heard of eIDAS before this, and thus the question is, what the hell is going on? So let's start with context. eIDAS is an acronym and it stands for Electronic Identification, Authentication and Trust Services. I am gonna learn how to pronounce English one day. It's a regulation that was agreed upon back in July 2014 and it became effective a couple of years later. One of its core ideas is the Electronic Identification, thus eID, which is a framework for member states to recognize electronic identification, an example of which is the Italian SPID system, which I do have, the German Vertrauensdienstegesetz, or the Austrian Signaturgesetz. Basically, eIDAS guarantees that any electronic identification meets certain standards that will be recognized not only in the country that issued them, but also everywhere in Europe, or at least the European Union.
Obviously, Mozilla isn't angry towards a piece of legislation of 10 years ago, but rather there's ongoing work to agree on a new and expanded version of eIDAS, which will include a wider range of digital identity and trust services. The near-final text was just agreed upon last month and is expected to be voted in the ITRE Committee later this month and in the plenary in early 2024. This is all rather technical and uninteresting, which is why I'm giving less context than usual. The whole issue is contained in one article, which is the Article 45, and it's mostly about root certificates. So here's the thing. I want to talk to a website, and I want the communication between us to be encrypted. To do so, I need the public cryptographic keys of that website. Those are the backbone of my private communication. And if those keys are compromised in any way, my secure communication won't be secure anymore. Because of that, we have a tool called root certificates that assure the user that yes, you are using the correct cryptographic keys. These root certificates are issued by so-called certificate authorities. Browsers such as Firefox and Chrome go to their certificate authorities and trust them with the job of providing those root certificates. So here's the thing. Certificate authorities actually have a tremendous power over your secure communication. They could say, hey, actually, you are using the incorrect cryptographic keys. Here's the correct ones. And just by doing that, they now have access to all communication between you and your website. The cool thing is, even if a website wanted to use a different certificate authority, it doesn't matter. Any certificate authority can do this key replacement on any website and immediately start reading all of your internet traffic. And this has happened multiple times, in fact.
In 2013, TürkTrust, a Turkish internet authority agency, which is part of the Turkish government, started maliciously to intercept and inspect encrypted web traffic. However, Google immediately noticed and blocked them in Chrome, and they also told Mozilla to do the same. So thanks, Google, for saving us. Roughly the same has happened to the national agency of the French government. In 2015, basically a subordinate certificate authority issued a certificate that they installed on a network monitoring device, not the French government itself, but a subordinate of the government. This has happened again and again: in 2015, for the Chinese certificate authority, part of the Cyberspace Administration of China, and in 2019, directly by the Kazakhstan government itself. So according to Mozilla, there are credible reports that the government was using their root certificates to intercept the internet traffic of everyone in the country as they previously attempted to do already. To make the internet work, we need those certificate authorities. It is then a fight to make sure that those entities remain uncompromised. Because of that, we have a legislation called the NIS2 Directive that regulates these certificate authorities in Europe, although I was unable to exactly understand in which way those authorities are regulated, actually. We finally get to the core of the issue. This eIDAS 2 legislation in Article 45 requires all browsers to always trust a list of certificate authorities that each government decides. This way, it won't be Google or Mozilla to look for compromised governmental certificates, but only the governments themselves; they will have to hold themselves accountable. And those certificates will have to be trusted by law, by every citizen. And the lack of transparency of the whole process is alarming.
There are no independent checks or balances on the government decision to keep or remove certificate authorities, and European citizens have no way to appeal those decisions. Even worse, Google and Mozilla and Apple would not be able to make any kind of security check when verifying those government-mandated certificate authorities. If those certificate authorities meet the basic European security standards, they have to be included in every browser, and they cannot be subject to any additional mandatory requirement. Because your action should not be, oh no, how can I help? There are some ways. Firstly, there is a lot of work to do on the information part of things. This eIDAS reform wasn't really noticed in the past few months, especially given other privacy-threatening legislation that are being discussed, so people kind of missed the whole thing. If you have any kind of audience, even if it's your friends or, I don't know, then I would suggest spreading the word about what's happening. That's what I'm currently doing. If you happen to be a cybersecurity expert or a researcher or a European representative or an NGO, you can also sign the open letter that this video is referencing. Finally, you can call the European Parliament representative who is responsible for handling the eIDAS file, which in this case is Romana Jerković, which I have no clue how to pronounce correctly. I'm personally not sure how effective that is, but it surely won't hurt. The very last thing I want to talk about is how this video is not sponsored by anybody, nobody pays for it. And yet it took quite some time to research, write, record with some quite expensive equipment, even though I got the lights wrong clearly, and then edit and publish. We're talking about hours and hours of work of multiple people, and I'm only able to keep the channel running through donations. My goal is to reach 1,000 euros every month, and we're currently a bit beyond the midpoint around 650.
I would love if you could chip in something if you haven't already, but to make sure I can keep this whole thing running, which I hope you would be happy about. I saw that this blue light wasn't this strong when I started recording, but let's just pretend everything's fine.