Similar to how bank transactions have been instant in Europe for more than two decades, but are still a novelty in the US. Or pre-filled tax forms.
This regulation should be seen in the context of the pre-existing systems which it builds on, towards a common European standard. An obvious criticism is that this centralizes power, but that is fundamentally rooted in the assumption that the EU is similar to the US: It's not.
In the EU the component States are very influential, they have formal or 'soft' vetoes on practically all matters. There are no EU presidential elections. The EU 'government' is run by appointees nominated by the States. It's much more like the US Confederacy. (pre-federation, long before civil war, not that confederacy)
As the other commenter says, "Europe" is not a uniform entity. You may be thinking of some component of "Europe" where this may have been true for two decades. Wonder where that is.
In my experience, in the French component, this has absolutely not been the case. Only recently have "immediate" transfers become free at my bank, and they've only been available at all for a few years. Certainly less than 10 years.
And they're also not actually instant. I'm a freelancer, and my professional account is at the same bank, same branch, as my personal account. The "instant" transfer is only credited the next day, even though it shows up quickly in pending transactions.
And this isn't some dingy "mom & pop" operation, it's the biggest bank in Europe (which may or may not help with these issues).
> This regulation should be seen in the context of the pre-existing systems which it builds on, towards a common European standard. An obvious criticism is that this centralizes power, but that is fundamentally rooted in the assumption that the EU is similar to the US: It's not.
> In the EU the component States are very influential, they have formal or 'soft' vetoes on practically all matters. There are no EU presidential elections. The EU 'government' is run by appointees nominated by the States. It's much more like the US Confederacy.
I'm not familiar with US' workings or its history so can't comment on how close the EU is to it. But, at least in France, people do take issue with the centralization of power. "It's not the US" is actually an argument against centralization (again, not sure how correct this is).
Please elaborate. Are you talking about some country-specific schemes? Cause I’m not aware of any EU-wide instant payment scheme that has existed for 20 years. AFAIK Instant SEPA Credit Transfers are still a relative novelty. My bank charges extra for them and there’s a cap of several thousand euros on the transfer amount.
[1] https://www.betaalvereniging.nl/en/focus/giro-based-and-onli...
Given the amount of already digital tech in our gov (we also have "legal mail" via PEC[2] and a bunch of other minor standards) I think it would be insane if EU just went "nice work you have there, now scrap it all and use ours instead", so I see why component states still have so much authority (even if it means some will not have a good time).
[1] https://www.spid.gov.it/en/
[2] https://www.rfc-editor.org/rfc/rfc6109.html
For many years, we had Belgium Root CA in browsers but they have been replaced by Digicert certificates, effectively giving the US power over the encryption for all Belgian government services and more.
Even if you were paranoid enough to think a US company like DigiCert would 'do anything' - their issuance is subject to public scrutiny (something the EU proposal doesn't like) and malfeasance has very real consequences to the whole of Digicert's business.
> In response to the revelations of government mass surveillance by Edward Snowden, the share of encrypted web traffic jumped from less than half to 95%.
Seriously? In the last 10 years the situation with government mass surveillance has become much worse. Now the majority of the web runs on public cloud and is "encrypted" by the CloudFlare MiTM engine. These are literally centralised mass surveillance platforms.
If you can prove any of the big public clouds are breaking TLS for surveillance purposes, they'll be dead within months. Now is your chance, short them and expose them (or you can even combine with professionals, like Hindenburg Research).
1. CloudFlare and clouds are obliged to follow US law.
2. Gag orders exist.
It doesn't matter if they are actively used for mass surveillance or not. This "encryption" doesn't protect anything from the US government or its allies.
You mean how all the telco corporations that, as Snowden revealed, helped NSA conduct mass surveillance are now bankrupt? Oh, wait!
The share of encrypted web traffic rose after Firesheep, HTTPS Everywhere, the Snowden revelations, LetsEncrypt, HSTS and opportunistic encryption. There's been a concerted effort over the past 13 years to make it easier to deploy and use HTTPS for clients and servers.
That being said, the law is pretty good and will be a net benefit even in its current state. The Wallet being opt in, without any discrimination possible based on it, the obvious downsides in the lack of strict controls on how user history is handled by member states (unobservability was never on the cards), and also a European appeals process if the local authority is slacking off (cough Ireland cough).
I'm looking forward to having secure reliable EU wide electronic ID. I'm sick of having to upload or send by email/old mail random scans to prove identity, or to have to pay to a cartel of private electronic signature providers. A 21st century solution is well appreciated.
I use the digital ID systems of 3 different countries quite frequently and only 1 out of 3 is currently working properly.
The Australian one is bad, the French one is not that great. The one in Sweden actually works flawlessly most of the time.
Most importantly, who will build this wallet? I am sure it will be a big bloated corporation that will be chosen not because they are the best or because their work is of good quality.
We can expect the project going over budget many times and continuous delays and a cool 90's retro feel.
I am afraid that it will be so bad that this thing will be dead in the water. Not to mention that it will probably take 5 years before we see a prototype...
I don't share your pessimism about the development time-frame for this, we already have 2 good more-or-less compatible wallets on the market in Sweden, Bank ID and Freja, if the companies behind those want to they could probably compete for becoming the standard implementation in many markets, meaning very little time before it's operational.
> The final twist of this story is that only days before the final deal the negotiators agreed to a change in the text that ensures browsers’ freedom to protect domain authentication and the encryption of web traffic in a manner and with the technology they consider most appropriate. In practice, this means browsers will have a way to resist QWACs undermining encryption, by separating them from TLS.
While the fact that it’s done under my verified real name and address could be a privacy issue in some cases, it’s also a big security improvement for all the cases where the third party needs that info anyway.
Security there (in the cases I am guessing) is determined not by Alice being able to prove that she is Alice, but by Trudy not having secondary ways allowing her to claim that she is Alice.
So, it would be «a big security improvement» only when login were restricted to needing a certificate.
See, a noteworthy piece of news in the Epicenter.Works' take was that Big Tech is also required to implement the thing. They do not "need" to know anything, but I am sure they're quite thrilled about this requirement.
What I could never understand is why limiting the scope of root certificates is not a standard feature? Why cannot I set a whitelist of domains for the specific root certificate and expect the connection to fail when this root is used for anything else?
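The per-root domain allowlist asked about in the comment above, sketched as an added example (not part of the thread and not any browser's code). The root labels, host names and the `ROOT_SCOPE` table are constructed placeholders; the subtree rule is the one RFC 5280 defines for dNSName name constraints, applied here on the client side instead of inside the CA certificate.

```python
# Added example: scope each trust anchor to a set of DNS subtrees and
# reject any chain whose leaf names fall outside the scope of its root.
# Root labels and host names are constructed, not real CAs or sites.

ROOT_SCOPE = {
    # root identifier (placeholder) -> permitted DNS subtrees
    "constructed-root-national-ca": ["gov.example", "example-id.test"],
    # None means the root is left unconstrained
    "constructed-root-general-ca": None,
}


def in_subtree(name: str, base: str) -> bool:
    """RFC 5280 dNSName rule: a name satisfies the constraint if it equals
    the base or is the base with zero or more labels added on the left."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    if name.startswith("*."):
        # A wildcard SAN is in scope only if its parent domain is in scope;
        # "*.example" could match hosts outside "gov.example".
        name = name[2:]
    return name == base or name.endswith("." + base)


def chain_allowed(root_id: str, san_dns_names: list, scope=ROOT_SCOPE) -> bool:
    """Decide whether a validated chain anchored at root_id may be accepted.

    san_dns_names are the DNS names from the leaf's subjectAltName.
    Every name must be inside a permitted subtree, otherwise a scoped
    root could vouch for an out-of-scope host by adding it as a second SAN.
    """
    if root_id not in scope:
        return False                  # unknown anchor: fail closed
    permitted = scope[root_id]
    if permitted is None:
        return True                   # unconstrained root
    if not san_dns_names:
        return False                  # nothing to check against: fail closed
    return all(
        any(in_subtree(n, base) for base in permitted)
        for n in san_dns_names
    )


if __name__ == "__main__":
    print(chain_allowed("constructed-root-national-ca", ["portal.gov.example"]))
    print(chain_allowed("constructed-root-national-ca", ["bank.example"]))
```

The check runs after normal chain validation and only narrows what is accepted; it never turns an invalid chain into a trusted one.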
> the “Architecture Reference Framework” (ARF) … couldn’t be further away from the democratically agreed legal text: Almost all the safeguards in the legislation that we explained here are missing in the ARF. Without a lot of work, either the timeline will not hold or the Wallet will be met with mistrust because it’s in breach of the law.
The status quo of typing your personal information into random websites only to find them on haveibeenpwned a few months later rather than having a proper API between your identity and private services is just awful.
At least the unique identifier thing didn't happen, for now ..
This sounds good because it allows you to audit who received your personal information, but it also provides a nice breadcrumb that allows attackers to figure out your behavioral patterns. I wish it became more common for information to self-destruct, we don't need logs of everything forever.
In which scenarios could it happen that for pseudonymity, for the purpose of anonymity, one should resort to a pseudo-identity generated by the certificate for the actual identity?