Lawmakers in Europe are expected to adopt digital identity rules that civil society groups say will make the internet less secure and open up citizens to online surveillance.

The legislation, referred to as eIDAS (electronic IDentification, Authentication and trust Services) 2.0, has been described as an attempt to modernize an initial version of the digital identity and trust service rules. The rules cover things like electronic signatures, time stamps, registered delivery services, and certificates for website authentication.

But one of the requirements of eIDAS 2.0 is that browser makers trust government-approved Certificate Authorities (CA) and do not implement security controls beyond those specified by the European Telecommunications Standards Institute (ETSI).

Under eIDAS 2.0, government-endorsed CAs – Qualified Trust Service Providers, or QTSPs – would issue TLS certificates – Qualified Website Authentication Certificates, or QWACs – to websites.

But browser makers, if they suspect or detect misuse – for example, traffic interception – would not be allowed to take countermeasures by distrusting those certificates/QWACs or removing the root certificate of the associated CA/QTSP from their list of trusted root certificates.

Put simply: In order to communicate securely using TLS encryption – the technology that underpins your secure HTTPS connections – a website needs to obtain a digital certificate, issued and digitally signed by a CA, that shows the website address matches the certified address. When a browser visits that site, the website presents a public portion of its CA-issued certificate to the browser, and the browser checks the cert was indeed issued by one of the CAs it trusts, using the root certificate, and is correct for that site.

If the certificate was issued by a known good CA, and all the details are correct, then the site is trusted, and the browser will try to establish a secure, encrypted connection with the website so that your activity with the site isn’t visible to an eavesdropper on the network. If the cert was issued by a non-trusted CA, or the certificate doesn’t match the website’s address, or some details are wrong, the browser will reject the website out of a concern that it’s not connected to the actual website the user wants, and may be talking to an impersonator.

Here’s one problem: if a website is issued a certificate from one of those aforementioned Euro-mandated government-backed CAs, that government can ask its friendly CA for a copy of that certificate so that the government can impersonate the website. Thus, using a proxy in a man-in-the-middle attack, that government can intercept and decrypt the encrypted HTTPS traffic between the website and its users, allowing the regime to monitor exactly what people are doing with that site at any time. The browser won’t even be able to block the certificate.