https://matrix.org/blog/2020/10/19/combating-abuse-in-matrix... is our attempt at Matrix to spell out what a catastrophic idea it is to backdoor end-to-end encryption (and to provide an alternative proposal in the form of using decentralised reputation to mitigate abuse. We're kicking decentralised reputation work off in earnest tomorrow, so watch this space to see how it goes).
I guess we'll be weighing in on the EU proposal as well as the 7-eyes one.
I don't know whether this has been tried before, but it is definitely the right move. The governments should be busy fighting and trying to shut down our proposals and not the other way around.
Without public pressure it is not going to happen. German politicians have been positive towards this move recently (althought without mentioning it is already in progress). Sadly politics think it is the easiest solution to counter torrorism.
While at the same time these governments fail to properly use the information they have and are able to gather through traditional intelligence work properly to avoid the type of attacks they claim putting up backdoors will prevent.
Most recently last weeks attack in Austria could have been avoided if the information the authorities received from a neighboring country of an attempt to purchase weapons by the attacker would have lead to actions. (I’ll try to find a link, apparently they had months to process and act)
So I think this makes the situation more unsafe in two ways - back doors will lead to all sorts of issues from leaking private communication to impersonation and authorities still don’t take responsibility and fix their processes so they can do their jobs.
Too late to edit my previous post, but here is the article:
"Fejzulai is also believed to have travelled to neighbouring Slovakia in July accompanied by another man, where he attempted to buy ammunition suited to the weapons he used in the attack, but the sale reportedly fell through after he failed to produce a firearms licence.
Slovakian authorities are said to have informed their Austrian counterparts at the time. The men travelled in a car registered in the name of the mother of an Islamist known to police."
They are either stupid or they don't care about terrorism. It's very easy to develop simple encryption scheme. It could be implemented by any half-competent developer. And I'm sure that global terrorists have enough money and people to make it happen. So terrorists won't care about this law. They'll switch from Telegram to Terrorgram and that's about it. But global spying over citizens will be achieved. I'm sure that politicians are just envy over China and want to replicate their measures. Many countries already replicate Great Firewall to some extent. Now they want to implement a global surveillance to strengthen their powers and prevent any kind of riots. That's terrorists they care about.
> I'm sure that politicians are just envy over China and want to replicate their measures.
China has the same goal as the Western powers have: to be able to keep spying on anyone they deem enemy of the state.
The difference is who they define as enemy of the state. In China, that includes pretty much anyone that criticises the Government, as well as what they see as hostile nations (probably the USA, maybe UK, which openly call China their enemies mostly without real provocation, and perhaps Japan due to its closeness to the US and its past of barbarities committed during the occupation of nearly half of the Chinese territory).
In most western democracies, the enemy would be terrorists (they claim) and, as we now know, pretty much any other Government, ally or not... and that's what we currently know, there is probably a much wider reach still that we may never know for sure... the Snowden leaks show that they will collect mass surveillance not only on foreign heads of state, but on their own populations without any restrictions, just in case they need it later. Given that, I am not even sure China actually has more surveillance in place than the USA and the UK, for example. It's a huge disappointment for anyone thinking the western world holds the moral ground, we who live here need to get our Governments understand we will not accept this!
Europe and some developing countries did not really react when it was revealed the US was mass-spying on its Government officials because they obviously are doing the same, they just didn't get caught in the same way yet. The people behind all this spying believe they are doing good as they're keeping world peace. I think they do the opposite: because other governments' counter-intelligence probably know more or less who is doing what against them, they're kept in a constant state of readiness for conflict. True world peace can only come when there's mutual trust between countries... While everyone spies on everyone else, we'll continue to live in a world on the brink of WW3. You think WW3 is impossible? Well, read about WW1 and how basically no one expected it at all. Circumstances today are even more heated than at the time WW1 broke out. Funnily enough, the only thing that's holding WW3 back is the nukes behind the big armies which make full-on conflict a very uncomfortable prospect indeed.
Public pressure rarely materialises spontaneously, out of a vacuum. For it to materialize, someone has to rally for it. A manifesto needs to be written, the goals written down and elaborated. It has to be pushed into the media.
It's not easy, but it's the only thing that will work.
>> Law enforcement and judicial authorities must be able to access data in a lawful and targeted manner
As is the case everywhere, they claim to want lawful access. In reality that's a minor point, what they really want is access to information without the knowledge of its owner. They're OK with needing approval or getting a warrant to read your email just as long as it's some 3rd party granting access so you won't know. Otherwise just get a warrant for Alice and Bob's email and compel them to decrypt it. No new laws or systems are actually required for that.
>They're OK with needing approval or getting a warrant to read your email just as long as it's some 3rd party granting access so you won't know.
Of course nobody will ever examine the warrants or the approval process to ensure that "lawful access" is only granted when even the minimal evidentiary standards they require are met. And if they do someday examine those warrants, and find out that they are riddled with falsehoods and inaccuracies that resulted in unlawful spying, it will all be swept under the rug and nobody responsible will be held to legal account - as we have seen in the US.
>> Of course nobody will ever examine the warrants or the approval process to ensure that "lawful access" is only granted when even the minimal evidentiary standards they require are met.
Yet another reason they dont want to serve warrants directly on individuals. If people know it's happening they'll question it and make public anything corrupt in the process.
As it should, but who will verify it's only used in that way? Who watches the watchmen? Snowden revealed that the watchmen (NSA) are scooping up all data they can find, and that they have easy access to big internet companies' data (and they're not allowed to mention your data was accessed, even if no charges were made).
Well that is the crux of the issue, how much do you trust your government and what are your options in supporting change. This may require a level of involvement in politics that is more time consuming than most want to expend or can.
This means if not actively supporting a candidate or current representative who shares your views that you instead convince them your view is worthwhile. If not actively finding one who does. Then even once that is accomplished you likely will need to be involved in writing to other representatives as well and coordinating with similarly minded groups across your country.
Politics is all about the networking to get enough voices to be heard and for something as arcane as encryption; and yes it is arcane for most; will not have as many groups focused on it. So your work is cut out for yourself in finding such groups or forming one.
in the US we have EFF and others; I am found of cato but many here do not understand libertarians. the truly sad part is most people really would be happy living in a police state as long as you don't call it one. they don't recognize how they could be in one because their view of what a police state is very heavily influenced by the media and even hollywood. most of what hollywood presents is truly exaggerated dystopian types that are borderline absurd but in truth it is the slow chipping away if not giving away of rights that does the same
This. It gets framed as "encryption = child abuse" and anyone who supports private encryption is obviously a pedo.
There doesn't appear to be an emotional argument the other way - I guess "so you're happy with random police officers[0] browsing your nudes, then?".
It needs to be framed as an emotional argument, because that's what cuts through to the audience these days. Only HN is interested in logical discussions ;)
[0] Actually, not even police officers - there is always an escalation of government departments able to access data that was originally captured to prevent serious crime.
> so you're happy with random police officers[0] browsing your nudes, then?
Your kids’ photos.
Many people don’t have nudes on their phones. Most people do have photos of their kids and know their kids have sensitive photos of themselves. “Think of the children” can be flipped if you can get the public suspicious of spooks.
>I guess "so you're happy with random police officers[0] browsing your nudes, then?".
I agree with your point, but I think a lot of people aren't actually too worried about the specific case of random police officers seeing their nude selfies.
It's hard to convey the idea that a real person is behind the faceless snooping, but usually people don't want a real person looking at their private info. "Do you want the cop who pulls your daughter over for forgetting to put the new sticker on her license plate to be able to look up all her beach photos during the stop?"
Cops want to be able to see everything. I don't think it comes necessarily from want to see nude in particular. Government likes power, the more they get, the more they want. That includes cops. They can't think beyond their own mind often. Most people would probably (at the beginning) use backdoors responsibly, but when it becomes mundane they will use it all the time and without compuncture. This leads to power grabs and politicization. If it's not an option at all, it helps a lot.
This. Hence the proliferation of government access to CCTV footage that was originally collected for "serious crime" only.
It'll start out with "we only need to break your e2e encryption for serious crime cases", but in 10 years your local council will be breaking into your dm's to see if you used the right recycling bin.
I appreciate libertarian ideas about privacy, freedom to own weapons, speech, religion, etc. I just don't agree with them a whole lot on economic issues, but they have personal freedom down pat. I think the point about government isn't that I'm so worried about the government --currently--, but I know government almost never gives something back that they take away. In this case it's privacy. Hopefully the EU government (or at least the members of the EU individually) will realize this is an autocratic power grab and doesn't make anyone safer. You'd think they'd have had enough with dictators and autocratic governments knowing everything you do given what happened in WW1 and WW2
That's right to privacy, not right to encryption specifically. And governments cracking down on encryption will, of course, claim that it is a matter of national security, and is a proportionate action to fight terrorism, child pornography, and other crimes.
Just like phone taps and listening devices. That said, those should only be employed if there is reasonable suspicion; iirc they still need a judge to approve employing these tools.
The fear with this is that they will try and catch all messages and retroactively look for bad actors. And of course that the backdoors will be discovered and abused by bad actors.
They need a judge currently. However in the USA it's a rubber stamp and warrants are almost never not given. It's around 98-99% are granted in FISA courts and it's a total joke.
> iirc they still need a judge to approve employing these tools.
that's a weak point, not a strength, in various scenarious
a) Agency XYZ files a motion to have a member of their legal team promoted to judge at the respective courts. Motion accepted, judge signs off on all requests
b) judge simply doesn't care for privacy, if it hinders the boys at work, signs off on it, gets appealed later, slap on the wrist, no consequences, learn from mistakes, rinse and repeat, obey formal obligations this time
c) Police and Attorneys construct evidence to construe threats, judge Joe Shmoe believes it, signs off on it
Besides, the whole system has been found to hinder investigation. The need for a warrant in night time emergencies is already relaxed in some countries, far as I know.
d) More over, the judge is bound by law, so you can trust as much confidence in the judge as you want. Once precedent is established at federal court level, because of your we can trust the judges, it will be a slippery sloapy down-wards spiral for more invasive access for less serious matters -- if it isn't already. This is effectively the federal judge signing off on all warrants, subject to veto by a lower judge, what can be escalated back up the chain due to the power of attorney. Vice-versa, the state attorney is bound by executive orders from the ministry -- as was surely the case after Snowden ("no evidence") -- which has been repeatedly red flagged by EU reports (that are otherwise quite benign).
The defense is the defense attorney. The precedent is frequently established because a single lawyer fails to make a case. Subsequent cases are only accepted on special occasion, otherwise declined due to precedent. Subsequently there is only limited control over a lower court's decision. The guideline cited in all commentaries on German constitutional law is, when the decision looks plain wrong. It is of course a little bit more involved in detail, but the principle is not a judge but one single judge gets to decide. Which lays a whole lot of preassure on them. Of course you get a second chance pretty much unconditionally, but that's a concern for later only if something was found, in which case the chances for an appeal on principle grounds are obviously against you. Eitherway a due notice remains at the secretion of the court (§101b (6) StPO), which may mean the judge presiding over the chamber, or the court, I'm not sure.
An ironic corralary is that, of course they will at least take a look, which has to sound but cynic in this scenario.
> The fear with this is that they will try and catch all messages and retroactively look for bad actors.
Said Stephan Harbarth was in parliament and worked on a law for collective mass surveillance, which was subsequently called by the supreme court, in which he later went on to lead. Which is incomprehensible, because I was under the impression chief justices needed to climb the ladder first (ref, probably: BVerfGG).
Very similar, good ol' Mr. Biden signed responsible in 1991 on the American bill that is equivalent to the act under discussion here: https://www.congress.gov/bill/102nd-congress/senate-bill/266 (see Title II, SubSection B: Electronic communication) not saying much at all.
This is entirely dystopic. The Bad Actors I have in mind are the good guys, I don't want to see the bad guys.
We also have unlawful state interception as evidenced by leaks from Snowden and multiple others. I think states currently should not get any concessions from secure communication platforms.
Perhaps, but see Article 8 which is cited in your sibling comment. It already contains a right to privacy.
But the term privacy is not very rigid. It can be taken and interpreted in various ways. It's certainly a good thing to mention it, but encryption needs to be mentioned explicitly, spelled out even.
There cannot be any room for interpretation: citizens have a right to encrypt their communication, end-to-end with their intended party.
That still leaves too much room for interpretation (namely, quibbling over the definitions of "encrypt" or "end-to-end").
People have a right to encrypt their communication, end-to-end with their intended participants, such that no one other than their intended participants can decrypt any aspect of their communication.
I agree. Your expanded definition is better. Now let's flesh it out into a full-fledged proposal, put it up on a website and disseminate it among the people. Let's get it into the parliaments as something that the parliament members have to discuss and finally either accept or reject.
I'm all for it, but I don't think posting it on a website is going to suffice. Get the EFF behind it, get others experienced with lobbying behind it, then it might get some momentum.
What about this tech-agnostic version: citizens have a right to deprive the unrelated citizens from accessing their communications using any means. Note that this includes E2E encryption, whisper, face-to-face private conversation, rubberhose encryption, noise insertion and steganography all in one.
I like this "right to deprive" wording and toyed with it myself. Reminds me of the way DMCA anti-circumvention works. Perhaps we could call this the anti-snooping right.
Some idiot will cut off someones ears and then say to the police that, "it was to deprive him of accessing our communications by using any means. It says so in the law, Sir!"
It would still be criminal on the grounds of breaking the bodily integrity, which is an infringement of someone else's life and health, which is normally considered more protected than privacy.
> What about proposing encryption as an EU human right? Has that been attempted?
Rights conflict. Every new right influences the others. It is easy to shorthand every problem to a human rights declaration. But just like the right to bear arms, that can have unintended consequences.
The U.S. certainly has a problem with gun violence, but I fear gun access is the proximal problem while our cultural relationship with violence and revenge is the root of the problem. (See also death penalty support, recent violent protests in Oregon and Washington, etc.) Note that the areas with very high rates of legal gun ownership aren't the hotspots of gun violence [0]. Switzerland and several other Eurpean countries have very high rates of gun ownership, but low rates of gun violence. Certainly, fixing a sick culture is more difficult than reducing gun access, but I think long-term, we need to figure out how to be a more peaceful and forgiving society, or much of the gun violence will just shift to (granted, much less efficient) knife violence. I think improving America's culture of violence and revenge will also pay mental health dividends. Sometimes you really need a crutch or a bandaid, but it's important not to mistake it for an end-goal solution.
Do any of you have any insights into ways individuals can ensure they at least leave the culture less violent than they found it?
> Switzerland and several other Eurpean countries have very high rates of gun ownership, but low rates of gun violence.
They also have vastly stricter gun regulation laws, and while ownership rates are high in some, the US is an extreme outlier and no other country comes even close.
Because nobody in any European country thinks they have a "right" to own a gun, most of them could if they wanted to, but they simply don't want to deal with the hassle that owning a properly regulated firearm entails.
As it should be, owning a deadly weapon is a lot of responsibility that not everybody is up for/actually wants. The importance of that responsibility gets completely lost when firearms are treated like cool toys that everybody should have and exist in abundance.
That's why headlines like "toddler shoots mother" or "dog shoots owner" don't exist in Europe, but are a sad somewhat regular thing out of the US. These toddlers and dogs didn't do that because they watched too much violent media, they did that because the actual owners of the guns where irresponsible individuals and never should have owned one in the first place.
The fact so many people feel they need a gun for safety is the first and biggest issue IMO.
This is fueled by movies and culture - have the gun in your possession and you’ll automatically win the fight - that was easy!
I’ve read countless comments from Americans that they have a gun to shoot intruders. Statistics telling you there’s a bigger chance someone else will get hurt be damned.
These ideas are have to be fueled by big money is my guess.
Also we humans really like our toys, so I can get that aspect of it. Wanna take my toy? Forget about it.
>The fact so many people feel they need a gun for safety is the first and biggest issue IMO.
And the reason for that is simple - marketing.
Here in Switzerland I basically see no guns unless I go to the shooting club. There's none sold in the shops, there's none advertised in newspapers, tv or on the radio. And there is definitely no gun offered when opening a bank account.
Basically if you want a gun for whatever reason - usually for recreational shooting at the shooting club, then you have to go out and look for it.
In the US I have the feeling that they're marketed as a penis extension, and you're not a proper man unless you shoot things, with the view that you'd be quite happy to project a slug of lead into somebody else at high velocity to prove you're more of a man than they are.
To solve the problem in the US I think you need to ban the advertising - like cigarettes.
Caution: This weapon inflicts pain suffering and death to others. User may be incarcerated for murder if ever used. If in a situation of conflict, gun only increases likelihood of extreme violence - leave at home.
I spent over 30 years in the U.S., mostly in the upper Midwest, and the only gun advertisements I remember seeing were in sporting magazines or in sporting goods stores. I think your perceptions of U.S. gun advertising is either greatly exaggerated, or your experience is from a very different part of the country. Maybe things have changed drastically in the 8 years since I left, but I doubt it.
Maybe things have changed drastically in the 8 years since I left, but I doubt it.
I think they have. I've also seen more gun stores opening, with provocative names.
I've no problem with firearms used responsibly for hunting or recreation, but in the very few cases I've seen someone open carrying a handgun (once at a very crowded national park, and once at a residential picnic area, both just this year) it was clear they didn't have a gun to defend themselves (if that were the case you don't need to show it off), but to threaten others. And for defending yourself against wild animals, bear spray is far more effective.
Crazy. How often do you see TV ads for firearms, firearms dealers, or gun shows these days?
I figured that the US just seemed to get crazy around 2012 because I switched to primarily external news coverage of the U.S. when I moved abroad.
Actually, now that I think about it, I think I have seen TV ads for both Remington and Beneli shotguns in duck hunting and fishing shows in the U.S. But, I'm pretty sure I've never seen TV ads for pistols in the U.S., or long guns outside of hunting/fishing shows.
One of the dudes was wearing a t-shirt with wording that strongly supports my evaluation. But even if you aren't trying to threaten, the visible presence of a deadly weapon (especially a sleek semi-auto as opposed to a revolver) creates a pretty negative "vibe". Note that I'm talking about handguns stuffed into a belt or on a leg holster, not e.g. a hunting rifle or shotgun.
Agreed, people who aren't in to firearms or firearms-related sports will basically never see an ad for a gun in the U.S. I do think the penis-extension bit gets the gist of much of the marketing that does exist right, though.
It's the wild west mentality that the US never grew out of. Can't blame them either, given the apparent incompetence of the police.
It's an issue that won't be solved by banning weapons. Educating people (e.g. mandatory background checks, operation and safety training, and safe storage) and solving the underlying problems will work. I mean a lot cite defense from home invasions as the reason to own a gun. Why do people invade homes? If they had a reasonable income and comfortable life they wouldn't have a reason to.
This is only effective with a gun registry which gun owners will not accept.
> operation and safety training
Are you required to take civics to vote?
> safe storage
If you simply mean prosecution for being negligent, that's fine. If you mean it has to be in a safe unloaded, that defeats their use for self-defense in the home. It would likely be held unconstitutional.
> Statistics telling you there’s a bigger chance someone else will get hurt be damned
Nobody believes the statistics are relevant to them. Statistics are about all those dumb other people; but I'm always the smart, responsible exception.
As I mentioned elsewhere, I think those urban-legend statistics are probably wrong in aggregate. That said, people do have knowledge about their specific situation that they bring to bear in a valid way. Crazy, violent ex? Yeah, your ratio of chances of using a gun in a way that makes sense to chances of accidentally hurting someone is way better than average.
I think you're on the mark talking about them as toys for adults. I don't think most people want them because they really fear for their safety without, though the ability to defend oneself may be a bonus. My feeling is mostly it's just a fun hobby and it's also a clear signal of group membership.
I think your claim about there being a higher chance of accidental injury vs. self defense is probably wrong. The issue is a little muddy, but there are only ~800 firearms accidental deaths per year (0.00024% of pop.) and about 50,000 self-defense uses per year (https://www.bjs.gov/content/pub/pdf/fv9311.pdf)
I'm also not convinced about movies. I bet other places have very similar mixes of actual watching and the same selection given the internet.
People who would like to take guns away should start working on changing the Constitution. Looking at the current lineup in the Supreme court all I can say is good luck. I totally support a country's choice to de-arm their populace. However I also wish they would quit trying to push their beliefs on the USA as well. Nothing in this world is safe, from driving to work, to walking down a street you don't know, to repelling off a cliff, or parachuting for fun yet no one says "don't do that, let's make it illegal", yet with guns they freak out.
Saying Switzerland has "vastly" stricter gun laws /might/ be true if mushing the U.S. into a whole, but it ignores the very important variations at the state level. Some states have very strict regimes that compare to Switzerland's, and in some you can just walk into a store and buy long guns if you're of age.
I totally agree about the responsibility thing.
Concerning the "dog shoots owner" headlines, you should ignore that sort of thing. Those sorts of incidents are super rare. They hit headlines /because/ they're rare and therefore interesting.
> Some states have very strict regimes that compare to Switzerland's, and in some you can just walk into a store and buy long guns if you're of age.
Which is exactly why the regulation in the US does not work; Anybody who disagrees with their states particular laws can just cross into another state to get their fix there.
That why any proper regulation needs to happen on a federal level so individual states won't act as a loophole.
> Concerning the "dog shoots owner" headlines, you should ignore that sort of thing. Those sorts of incidents are super rare. They hit headlines /because/ they're rare and therefore interesting.
It's something that should be non-existent, I haven't seen it anywhere else in the world. But only a couple of days ago there was yet another example out of the US [0].
These are the kind of absurd situations that simply do not happen in any other place as other places lack the "firearm saturation" that enables this in the US. So something that should be improbable, still ends up being a regular thing.
> Anybody who disagrees with their states particular laws can just cross into another state to get their fix there.
If you mean purchase something you cannot buy in your state, that's not true. Interstate handgun purchases are completely banned and long guns can only be sold if the sale complies with both state laws.
I mean bypassing state-level mandatory background checks by travelling to a state where those are not required for private sales and just buy a firearm there with zero regulation and documentation.
Personally I believe it’s about individualism vs the collective.
Here in Sweden we’ve seen a horrible development regarding gun violence - easy to chalk up to “immigration” and “soft laws” but in my mind it’s a lot deeper - interesting enough this is at the same time we have a record amount of dollar millionaires in the country.
We used to work as a collective but our economic policies are turning more and more neoliberal and thus individual. This exacerbates the issue of creating a new “class” of citizens already left partly out of the loop of riches.
If we take care of each other in a better way as a collective there’s a chance to turn things around. It’s all about increasing the chance of a good outcome per individual. This is the secret to a lot of the success in northern Europe - if you’re born here chances are great that you’ll get an education and that you live a long and healthy life.
Regarding crime and violence specifically I’ve read a lot about the “group violence intervention” program and a lot of it is about cooperation and taking care of people in a humane way.
Here’s David Kennedy speaking in Sweden where this has been worked successfully:
In short - don’t be to afraid of taxes, and vote in a manner where money can be spent more wisely. Funneling tax money to havens by way of “entrepreneurs” seems less well spent... problem is that when such a system is set it will want to be conserved - looking at the US and it’s kinda dark over here as well.
All I can do is try to mold my children into caring human beings hoping to influence culture that way.
It appears this study shows that the majority of suspects for crimes are immigrants, which is an important distinction. I have no knowledge about the situation in Sweden, but in Germany there are known statistical problems like immigrants both having a higher chance of becoming suspects ("Tatverdachteffekt") and crimes where an immigrant is suspected are more likely to be reported ("Anzeigeeffekt").
Stastistics about suspects are most commonly used in studies like these because the police, due to the seperation of powers, usually has no or at least less statistics of the actual results of charges.
That low resolution rate alone introduces a margin of error that is larger than the difference between immigrant and non-immigrant suspects. It is therefore possible that the much higher immigrant suspect rate is entirely a result of biases.
I’m not suggesting however that because they are immigrants they commit more crime.
Note most violence is committed by 2nd generation immigrants - so they’ve been born here. How’s that for a failure of society...
They are simply people on the outside living surrounded by people leading lives they cannot relate to.
We’ve made it terribly difficult to attain this norm life as well making it even more unrelatable.
One thing that's great for societal stability is not too much inequality of wealth. Another thing is cultural homogeneity. We're probably seeing both at play in Sweden.
Just to make sure I understand you correctly: You think the strong trend toward more incidents of more extreme violence in Swedish society is because we have more dollar millionaires?
This is a bit of a hobby interest of mine. While it's possible that your statement is true, I think it misses the point. Gun murders in the U.S. are a very low percentage of deaths (0.39%) and preventable deaths (~1.1%, there's some disagreement about what's "preventable"). This excludes suicides. You may wish to include them if that makes sense given your interests. People love to focus on relative comparisons (e.g., Scotland vs. US), but miss the forest for the trees. Some tiny proportion being 5x some other country's tiny proportion is irrelevent.
If your goal is to prevent untimely, unwanted deaths there are oh so many other ways to apply your resources that will yield orders of magnitude more improvement per dollar / per minute.
People like to pay attention to it anyway for a few reasons. One is that we evolved to think specifically about interpersonal violence (~5-15% of prehistoric deaths, but way more than that for non-old people), which makes us good at luridly imagining interpersonal violence, and so comparatively we're bad at thinking about an early death due to diabetes and therefore bad at caring about it. Another reason is it's a hot-button red team/blue team political issue, so it's not so much about the issue per se but rather whether $OTHER_SIDE gets what it wants or not.
So really it wouldn’t be encryption so much as right to have secrets. Because whether I use EDCA or a really strongly in crackable safe, my right to privacy should be a thing?
It sounds like somewhat of a stronger version than the US’s fifth amendment which says that you have a right to privacy unless it has to do with the crime currently being investigated. And come to think of it, encryption is unconstitutional as in because the government can subpoena or obtain a warrant to your information it may not be able to enforce it because of the encryption. So either the government has no right to subpoena or encryption is illegal.
This is incorrect. The fourth amendment gives people the absolute right against "unreasonable search and seizure". This means the police may be granted access to search someone's property by a judge, if they are suspected of a crime. It does not give the government the right to find anything, only to search. Furthermore, the fifth amendment grants people the absolute right to not incriminate themselves. So if you know something (information about where the bodies are buried, passwords for decryption of encryption keys, etc.), you have the absolute right to not divulge that knowledge. So the people here have more rights than the government when a crime is being investigated.
Ah you are correct. But let’s make a physical analogy. If I can make an uncrackable safe in which I put evidence of a crime along with lots of other secrets. The police come to my door with a reasonable search warrant. I tell them I have the key to the safe but will not tell them where it is. They know they have absolutely no way to get into my safe without taking about 100 years and $2 billion. What happens next?
The law isn't entirely settled on the matter, but some rulings so far suggest that the government can compel the surrender of a physical key, but not the disclosure of a combination.
So by that definition since my private key is a lot like a combo to my safe, the government cannot compel me to disclose it? That sound like good news.
Also, I guess I am storing all my keys at STL files that get 3D printed and destroyed upon first use. Hello protection from search warrants!
It's the password required to decrypt the secret key that you would not need to disclose. They'll likely end up with the encrypted secret key, but no way to access it. That's because the password is something you know, and divulging it could mean self-incrimination.
Courts have ruled, for example, that the police can compel a suspect to put their face or finger up to a phone to unlock it through biometric means, but a suspect cannot be compelled to divulge their PIN. That's why using biometrics, while convenient, is a bad idea.
This is also a great example of how you can follow what sounds like logical principles to a completely bonkers end-state. Knowledge is protected but your bodily autonomy is not? Eesh.
> encryption is unconstitutional as in because the government can subpoena or obtain a warrant to your information it may not be able to enforce it because of the encryption
No, you can't subpoena information from someone that doesn't have it. So the government can subpoena the cyphertext, but can't ask for the plaintext if the provider never had access to it.
Wouldn't you want the word 'encryption' to be in the description, so there is no evil solicitor trying to argue about what 'secrets' meant. Or 'the right to confidentiality whenever, where-ever, and with whomever the person pleases'
But I would also not want the method of storage of secrets to become obsolete. The important thing is that I’m able to keep a secret, not how the secret is stored. For example, say quantum encryption comes to be known as “q-store” and is always said to be different from encryption. Now, what does that do to my rights if I move from traditional encryption to quantum algorithms?
While adding backdoors to encryption is a bad idea my gut sys decentralized reputation is just a bad. Most here know the Black Mirror episode "Nosedive". But it's worse than that, people on different sides of the political spectrum will work to "cancel" people of the other side by working to lower their rep via crowdsourcing. 4chan type groups will do the same for "the lulz", I can even imagine the ransomware people trying to find a way to make bots and "pay us or we destroy your rep"
Totally agreed that badly designed rep systems can rapidly descend into Black Mirror territory. In Nosedive for instance the score you get is absolute, while the thing we’re proposing here is entirely relative and subjective. The idea is to empower users to maintain their own view of the world. If a voting ring of idiots conspire to try to trash someone’s reputation... you’d filter out the voting ring from your reputation feeds; it should stand out very clearly. That goes whether it’s bots or humans behaving like bots. Alternatively, you could choose to hang out with that tribe and believe their rep data if you so desired.
We’ve been wargaming through all the various ways this could go horribly wrong (and have a few fun scenarii off the back of it - look for the GPT-3 example below), but on balance it feels a lot better than the Black Mirror episode where encryption is fatally weakened...
Overloading the word 'censorship' is going to get a bit confusing here ;)
"Censorship", meaning: "malicious server or ISP silently blocks or withholds traffic from you" is a risk in Matrix today, completely independently of the reputation stuff being discussed here. The mitigation is to get rid of servers (and even ISPs), as per https://matrix.org/blog/2020/06/02/introducing-p-2-p-matrix/
"Censorship", meaning: "your server admin subscribed to a blocklist of child abuse content published by someone like iwf.org.uk" would stand out to users by the server publishing the names of the blocklists that their server admin has deployed. I'd call this server-side filtering or something instead, given the filters are visible. If the server admin withholds info about their filters, then you're back in the traditional sense of censorship from the prior paragraph.
Are the blocklists public? I thought these schemes involved uploading files to a "trusted third party" like Microsoft, and for them to decide if the files are lawful?
Unfortunately, I don't think that'll work. For it to work, you would need every actor to play along, otherwise someone could just move to Tor to do the exact same thing. I don't think it's possible to eliminate what they want to eliminate, and they will only push for more and more.
My suspicion is that this system is a cop-out, like when Google blames their screw-ups on "the algorithm".
There probably has been a recent surge of right-wing users and, the Matrix administrators, which probably lean left-wing, have seen that surge as a problem and have created the reputation system as a way to get rid of those users or, at least, to give them the hypothetical yellow badge. And if someone says "censorship", they will blame it on the "downvotes" those users got.
This proposal seems to address general abuse, spam, propaganda, filter bubbles, and so on. While these are worthy issues to tackle, the authors of the 7-eyes statement are not really interested in them.
What they say they want is for terrorism and child pornography to be detectable or meaningfully reduced. Do you think a relative reputation system will solve that problem?
Yes, we think it will help meaningfully help detect and reduce abuse - mainly because it's shamelessly mimicking the way society works in real life. Many (most?) abusive communities are at least adjacent if not overlapping with publicly visible communities. Simply put, they need a way to advertise and recruit.
So, just as in person you might stay away from a given political party / religious institute / youth club because your social graph has warned you that it might actually be a front for whatever obnoxiousness, the same approach can work online (or, conversely, could also be used to help hunt down abuse in the first place). It's then up to the authorities to investigate what's going on - which is quite possible through infiltration etc without having to go and blanket break encryption for the whole of society.
To be clear: this is still largely sci-fi, and we don't think this is a perfect solution, especially given this is a fundamental problem of the human species which nobody has yet solved. Our proposal doesn't solve lone wolf situations, for instance. So perhaps for that you need the ability to gather evidence from endpoints post hoc.
Unrelated: one particularly dark dystopian outcome we've been wargaming is: what if someone (not us!) used decentralised rep to seed a GPT-3 style bot to locate abusive communities, and then automated the process of infiltrating & investigating them... only to then end up ascending the ranks while preserving its cover and accidentally triggered some atrocity. So, um, let's not do that.)
> Unrelated: one particularly dark dystopian outcome we've been wargaming is: what if someone (not us!) used decentralised rep to seed a GPT-3 style bot to locate abusive communities, and then automated the process of infiltrating & investigating them... only to then end up ascending the ranks while preserving its cover and accidentally triggered some atrocity. So, um, let's not do that.)
I think you greatly overestimate the abilities of GPT-3. GPT-3's writable memory is short-term only – its long-term memory is read-only – so by the end of a conversation, it has permanently forgotten what the topic was at the beginning. Given its lack of writable long-term memory, it is completely incapable of succeeding at any tasks involving long-term planning, such as the infiltration and investigation of a social group.
Of course, you said "GPT 3 style bot", not GPT-3, but the AI you have in mind has significantly greater capabilities than GPT-3 has, so isn't fairly said to be "GPT 3 style" at all.
Sure - "GPT-3 style" here meant "something along the lines of GPT-3" rather than anything specific to GPT-3 actual capabilities. The context being dystopian sci-fi thought experiments :) (That said, I suspect you could train GPT-3 to automatically get vetted into some fairly nasty places if you so desired).
Several EU governments use Matrix - so yeah, there's a paradox here. On one hand Element (the company set up by the core Matrix team) depends on government work to keep the lights on for Matrix work, but on the other hand we feel a clear responsibility to push back on backdoors, given backdoors are intrinsically flawed and dangerous. This is why we're proposing a (hopefully) better alternative instead (and this is also why we're soliciting funding to support reputation work via the Matrix.org Foundation at funding@matrix.org, just in case any YC billionaires happen to be reading this...)
It's probably something along the lines of 'guns for me but not for thee'. But they don't even have the excuse of encryption actively hurting anyone, so it's more like 'strong walls for me but not for thee'
Good analogy, especially because governments themselves are living in the same walls (i.e. using the same apps) and this effort will hurt their own security.
I was under the impression that all the mobile communications standards had provisions for lawful intercept, is it such a leap to think that the baseband processor is compromised aswell? Maybe the EU is just salty that they don't have the same kind of access the NSA has.
I don't like it because they advocate a social credit system as an alternative, but their criticism against back doors is on point.
I am in communities that don't use such tools and somehow there is no problem that would require any, but if that is the preference you have the option. I don't see further issues.
Interesting read, though it sounds more like decentralized censorship. It's a little unclear where you're talking about reputation of individuals vs. reputation of content.
Censorship implies that information has been invisibly removed by some absolute authority. Whereas here we're talking about empowering users to filter out the stuff on their terms - i.e. subjective/relative reputation. It's possible that a server admin might apply unilateral filters, but a) the user would be able to visualise those (assuming the server admin doesn't maliciously withhold that info), b) the user can switch to another server with different filtering rules. So, I definitely wouldn't characterise it censorship (although I can see why many have a kneejerk reaction of "ooh, this sounds a lot like censorship").
Yes. The idea is to build it to be agnostic to the objects whose trust is being tracked, but for Matrix at least the main building blocks are rooms, users, communities, servers, messages & attachments. However you could use it for other things too if you so wanted (eg client IPs, server IPs, netblocks, ASes, E.164 numbers, URLs etc)
While I know I'm just attracting downvotes, your points, in order:
1)
a: It's really not that hard to think of ways to solve backdoor problems with a mix of technical and social approaches. For example, having shared keys burned onto silicon, making physical access mandatory, and split between both the law enforcement and the company, so that both parties must knowingly engage.
b: Most software already practically backdoored already, and it's really not that big a deal. Microsoft can push whatever updates they want whenever they want. They already have the keys to the kingdom! Google doesn't store everything E2E encrypted. They also already have the keys to the kingdom! Things have mostly worked out regardless.
2) That a measure will be imperfect is not an argument that it will be ineffectual. In fact it's pretty obviously false; making abuse harder on mainstream platforms will make abuse less mainstream.
3) This is like arguing governments shouldn't be allowed to regulate weapons, because it would be hypocritical, given they own weapons themselves, and it might normalize other countries taking away their citizens' weapons, which might prevent them fighting back. That seems like an obviously bad argument.
4) Yes, your platform that makes oversight impossible is not compatible with regulations requiring oversight. That's not an accident, in either direction.
The idea later in the post seems not really honestly engaging with the topic, that it's not about ‘someone who believes birthday cake is undesirable’, but about networks which are systematically and in actuality doing things like trafficking children for sexual abuse, and that there is a moral imperative for governments to deal with this beyond just letting people choose not to engage.
1a - Because that worked out so well for HDMI? It'll be what, maybe 90 days before those "law enforcement keys" are public?
1b - If it's already backdoored then there is no need for such an act, the problem is already solved.
2 - It's ineffective for it's stated goal because the stated goal is not the real goal. The goal is to enable a continued abuse of power, one which is already ongoing, and one which produces no actionable results or meaningful outcomes. Five eyes & co is upset that they're losing some of their toys.
3 - Who says governments should be able to regulate weapons? Likewise these days, who is to say they meaningfully can?
4 - Sex trafficking existed prior to encryption. The government failed to stop it then. I strongly suspect that even if the government gets it's way and breaks encryption, sex trafficking will continue exactly at the same rate. Most sex traffickers are not technology ept, nor do they need to be - the track record for capturing them is atrocious. Epstein anyone?
This is a bad faith argument. "Protecting children" and "stopping terrorists" are the siren's song of every government overreach basically since the dawn of time and yet the government remains terrible at solving either problem. I don't think encryption is really the issue preventing those things from getting resolved. I do think encryption is very inconvenient for a very snoop heavy government.
Sex trafficking is a very difficult problem to address. Even if you were to shutdown an online network, someone could fly to a third world country to personally do it, and there are always going to be takers lining up.
People in third world countries are poor, and may be desperate. A purely technical solution is not going to address this. Rather, we need ways to lift people out of poverty, and improve their standard of living. No one should ever have to live like that to survive.
I don't know if it is possible to stop child pornography (anyone anywhere in the world can create it and anyone anywhere can view it), but it should be able to reduce the amount of sex abuse in the world, if the government were to pursue prevention initiatives to stop it where ever possible.
> Because that worked out so well for HDMI? It'll be what, maybe 90 days before those "law enforcement keys" are public?
This is a completely different context to having one copy (or a small number) of said low-bandwidth silicon held exclusively by an agency vested in keeping it exclusive, plus another copy held by the company themselves, such that both copies would need to be broken for security to be weakened.
> If it's already backdoored then there is no need for such an act, the problem is already solved.
Seriously? Microsoft having the ability to install a keylogger on any random person's machine is not the solution to finding networks of criminal activity.
> [government bad]
I'll debate the technicals but I'm not going to argue politics here.
I'm going to start naming a few major government security breaches:
+ TSA keys
+ OPM (all of it)
+ NSA's hacking tools
Were these incredible skilled sidechannel attacks? Movie esque infiltrations?
+ TSA accidentally published the keys
+ OPM was a master password from a contractor who was bribed for about the cost of an ipad
+ NSA hacking tools was.. an email trojan? A CD walked?
Do you really trust these people with anything?
Putting a backdoor into encryption is less secure than a random Microsoft employee backdooring me. At least I know it's Microsoft who will be doing the backdoor...
This isn't politics, this is history. This is not the first time, nor the last time we've seen these moves. We know 5 eyes have had major incidents of internal abuse because we have their own documentation on it - and we have their own documentation that they decided to do nothing about it.
It requires external oversight for any organization to truly follow compliance, otherwise the incentives to cheat the system are overbearing. If they won't take us at our word, why would we take them at theirs?
> Putting a backdoor into encryption is less secure than a random Microsoft employee backdooring me. At least I know it's Microsoft who will be doing the backdoor...
My point isn't about how much you trust Microsoft, but that Microsoft has keys, which are more easily stolen and in many regards more valuable than the scheme I gave.
> TSA keys
Not remotely comparable. These were never designed to be secure in the sense we're talking here.
> OPM (all of it)
> NSA's hacking tools
Hence the scheme I gave, which isn't vulnerable in the same way.
Basically all your arguments have been proved false in a short amount of time. Agencies could not name a single case where mass surveillance helped. And don't kid yourself, if you have a master key to encryption, it is mass surveillance you try to implement and it will be used as such.
We had security agencies that had the info but didn't act in case of Vienna. Encryption wasn't the issue here, this is an incontinent case of saving face at best, a deliberate attack against civil rights at worst.
> These were never designed to be secure in the sense we're talking here
Encryption today is a protection against access for a limited amount of time. It is an intrinsic rule about every encryption algorithm. It is fundamental property and widely known.
This kind of comment is exactly why I'm avoiding the politics side of things. I don't want to subject myself to this sort of bad faith jabbing, as much as it comes with the topic.
It was not meant as a jab, and certainly not bad faith. I'm just telling you that your comment was of exactly the same character. Either refrain from making a political comment yourself or have it be responded to.
Making a political comment but then trying to shut down discussion of it by stating that you will not participate in political discussions is a double standard, though perhaps you were unaware that you were doing it.
I never said people couldn't respond to them. I said I wasn't going to debate it. Saying “so you admit defeat” (or the many, many variations) whenever someone exits a heated part of a debate is a textbook jab, and has no place in honest conversation.
I think what prompted me to react was mostly your `[government bad]` blurb. It felt like you got to state your political position and caricaturise the political position of the responder while avoiding further discussion. That felt wrong.
> but about networks which are systematically and in actuality doing things like trafficking children for sexual abuse
The state must declare the child to be the most precious treasure of the people. As long as the government is perceived as working for the benefit of the children, the people will happily endure almost any curtailment of liberty and almost any deprivation. --Adolf Hitler
It's also a morally horrific line of argument. Like saying you shouldn't care about shooting civilians because bad people in the past have used human shields as a war tactic.
These are not imagined people being hurt, spun out of whole cloth.
It is a legitimate known translation, not a misquote from the Ralph Manheim translation of Mein Kampf (ISBN 0395078016 / year 1943), page 403. Other translations have similar wording on the page, although not in such a nice succint sentence.
Manheim was known to have gone into great effort to create an exact English equivalent of Hitler's work for Mein Kampf.
> It's also a morally horrific line of argument. Like saying you shouldn't care about shooting civilians because bad people in the past have used human shields as a war tactic.
The point of the quote is to show there are no limits curtailing liberties, not an absolute we shouldn't bother. The attempt to spin the quote into something else, probably because, you wish to "protect the children" is proving the point.
> The point of the quote is to show there are no limits curtailing liberties, not an absolute we shouldn't bother. The attempt to spin the quote into something else, probably because, you wish to "protect the children" is proving the point.
This is not even remotely how you used it. My argument is one where there are obvious checks and balances, where government power is clearly and significantly limited, and little is left exclusively to government trust.
Yet because I mentioned that there are actual people being actually raped, I get Godwin's Law'd. Not because I advocated for Chinese style state control. Not because I took away liberties that most people even care about, given most people are perfectly happy using Google services. But because I dared mention that real people are suffering.
This happens every time on HN, no matter how moderate my position. Anything even remotely compromising the Bottom Line (universal perfect cryptographic security) is Hitler.
This is madness. Oh, of course, it's much easier to put a wrench into some gears to show that you are actually working at "solving the terrorism problem" than shaving the yaks, but that machine is actually important for other things.
We live in a dangerous world. We cannot control everything. I don't mind a slight risk of terrorist attack on myself or my family (caveat lector: I am young), if that means greater freedom.
In my book this is the first step towards authoritarianism: ensure that the state survives at all costs. And being able to spy on the whole population to track outlaws and dissidents is part of this. There is an invisible barrier between what's legal and what's not. Crossing it isn't hard, look at extinction rebellion and other civil disobedience protestors. Yet, on the other side, your trusted options are very limited, and encryption is one of those. I'd argue that letting citizens communicate and organize privately is a vital component of democracy, even allowing citizens to seize control of the state if they deem it necessary. More so than U.S.A.'s "Second amendment", encryption is an arm citizens should legally be able to bear.
Now, it is obviously hypocritical to offer such a thing, as politicians certainly wouldn't want their texts to be snooped on, would they? Any bill that requests backdoors should request them from everyone.
And don't get me started on how governments recommend their own to use Matrix and Signal, the very apps they aim to backdoor, because they are secure. You can't both have your cake and eat it, too.
Their very existence made locks less secure (possibility of a key leak), and those are worthless against thieves now that master keys have leaked (you can 3D print them).
We do live in a dangerous world. Pretty much everybody loses their life somehow. It's amazing to me that so many of my peers survived childhood.
It is pretty stupid to try to jump a car on your bicycle without a landing ramp. Or play catch with lit M80s. And those weren't our dumbest ideas.
When I was a kid every 8-year-old pushed a lawn mower around once a week. And rode in the back of a pickup truck. Today I don't let my kids ride in the back of pickup trucks, and I'm nervous about the lawn mower. Or rather, I'm nervous about trusting my kid not to be careless with the mower.
But when I see the metal detector at the door of my kid's school I wince. Some dangers and some fears need to be met head on. For some people, those include riding in the back of pickup trucks. For some it is the school's metal detector. If only we could make those choices for ourselves and our children without forcing our fears onto our neighbors.
>Today I don't let my kids ride in the back of pickup trucks, and I'm nervous about the lawn mower.
That's because you already infected with fear. It's not your Children's fault that you don't trust them with a lawn mower..it's you and probably your society that is the problem.
>Some dangers and some fears need to be met head on.
Yes like wear a helmet on a Motorbike, but you need to dig much deeper, that a society needs a metal detector in schools.
And again the World IS much safer today...but remember the more you have the more you fear loosing it...it's the perfect setup to give up your freedom because you think you "win" some safety.
Perhaps you missed my point. Lawn mowers didn't get more dangerous. The level of danger hasn't gotten worse in that one respect. The level of trust might have changed. The acceptance of risk might have changed. I don't think that keeping my kid away from the lawn mower in order to protect them makes their life overall better or even safer.
Lawn mowers are dangerous. But that doesn't mean they should be banned. As you wrote, that's life. The solution isn't to think they aren't dangerous. The solution is to recognize the danger, then act appropriately. We just all have different ideas of what's appropriate.
Lawn mowers are safer today than they were 30 years ago. Still potentially dangerous. You point out to the kid: never let your feet go under there. Never reach your hand in here. Maybe throw an apple in to illustrate the effect. They get the message.
All that said, 8 might be a little young. I think I was around 10 when I started cutting the grass, but I don't really remember.
But i watched a documentary about the US, where Children's under 12 are not allow to play outside without supervision, they get picket up by the police and the parents got big problems.
Here, they run around the hole day in the forests with Swiss or Scout-knifes and lighters and some sausages in the backpack. It's just terrible to think that your children's are safe because they sit hole day in their rooms and play games.
I don't get it how we got here. We were allowed to play outside (East Europe) near the house when we were six. Gradually increasing the comfort perimeter as we grew up. Twelve? I could have roamed the entire city if I had enough time to get back for lunch.
Maybe listen to too much Media/News etc, when you hear just bad things happening, you think it's just a matter of time until that happens to me or my family.
So you close your mind (because everyone else is bad, and every Adult that speaks with my children is a pedo) then you buy a gun (even if the chance is much higher that exactly with that gun something bad happens) and your Children's needs to be under constant observation and they need to learn that one should trust no one, you life in constant fear and because of that you vote for trumps.
>if I had enough time to get back for lunch.
Exactly that was my biggest fear, to late for lunch meant grumpy Mum and Dad..and no roaming for the next two days.
Very few and I'd say, without checking, that it's probably much more common to lose a finger or a toe. That's a better analogy in this case too; it's unlikely that a mishap caused by the absence of encryption or the presence of a back-door will kill you. You might have to live with their consequences for a very long time though.
Arguing whether the World has suddenly become more dangerous is counter-productive in that aspect. In the end, we keep becoming wiser, technology evolves, and the World changes because of it. It doesn't matter if things actually got more dangerous or if we just got more afraid of them; it's the outcome of our actions that we need to focus on.
There is something to be said in comparing encryption to what usually amounts to spinning blades connected to some kind of engine; abusing any of those technologies can result in outcomes that are undesirable from society's point of view, and potentially from the users' point of view as well. Because, you know, fingers and toes.
The main problem is that just as if you outlawed the sale of lawn-mowers without specific features, there's nothing stopping people from using their existing lawn-mowers (or even building their own ones)anyway, the current encryption technologies won't go away. There's nothing stopping anyone from saving existing tools, or the source-code of existing tools, and keep using then. The only difference would be that such encryption, and the protection it brings with it, would now be restricted to the very criminals that the outlawing of the tools meant to stop in the first place.
Arguing whether the World has suddenly become more dangerous is counter-productive in that aspect. In the end, we keep becoming wiser, technology evolves, and the World changes because of it. It doesn't matter if things actually got more dangerous or if we just got more afraid of them; it's the outcome of our actions that we need to focus on.
Edit: As for the outcome, keeping encryption from everyone but criminals is outright ridiculous. It might get to some of the businesses selling specialized solutions catering to the people law enforcement is after, but in the end it will just result in the baddies simply moving away from those platforms and onto other platforms that are out of reach of EU law-enforcement. That leaves us with everyone else having a big target painted on them because this time we know there's a backdoor in their product.
I think what you are alluding to is the key, life has gotten so good that people get into extreme loss aversion. In my opinion the key to a decent life is to take calculated risks and if that goes wrong, then oh well that was unlucky.
There are a lot of risky things we do all day anyway, like driving any car or walking close to road. Those things are still incredibly safe.
By the numbers, this is the safest the world has ever been. The fact that you literally don't know anyone who has had smallpox attests to that.
Perception of risk is not actual risk. Yes, everyone dies, but that's more of a biological fact than a statement about how safe this world is. If you're really worried about you and your family, watch what you eat and hit the gym a bit, because statistically it's going to be a heart attack that gets you.
It's easy for people to lose sight of this with all the bad news we're seeing in 2020, but the present is the safest time in history when zoomed out to a scale of decades. The decline in violence since the 1900s to today is essentially global and scales from bar fights to wars.
2020 may not be safer than 2015, but 2010-2020 is safer than 2000-2010. You might be able to find a recent 10 year period that beats the exact past 10 years by a slim margin.
On any scale between a human lifespan and the whole of human history, now is a pretty safe time to be alive.
Easy to lose sight that whatever safety we have is because we are actively trying to make it safe. We are at a point of development where if it wasn't safe, it would be the polar opposite and be the most unsafe time in history, everything happens on a global scale. What levers we need to maintain safety as technology moves forward is a tough thing to work out. Mucking with encryption doesn't seem like a good way to go though.
You are wrong. We live in such a dangerous world that the biggest reason for cause of death in many developed countries is suicide, obesity, diseases, etc.
The world is so safe that instead of dying from war, famine or untreatable infectious disease, those in developed countries are dying from diseases of wealth and comfort.
Not sure why you're gone all grey there. This is the prevailing thinking in obesity research at the moment. You're more likely to be obese if you're poor than if you're rich.
You don't get as much chance to die from obesity related diseases if you've died in a war, famine, pandemic, or from coal lung or crushed to death in a factory accident.
It afflicts the poor in relatively comfortable and safe nations.
Suicide is not a disease of comfort. Obesity is not a disease of wealth, for food (and junk food) is incredibly inexpensive in the developed world today, likely no more expensive than heavy smoking, alcohol, cocaine or opiates.
These are diseases of overpopulation, loss of freedom and control over one's life and general lack of anything to live for in the future. Mouse utopia comes to mind.
It's true that obesity is an affliction related to poverty; but it is related to poverty in nations of relative wealth and comfort. Access to that cheap and terrible food relies upon a logistics system that is heavily resistent to famine and blight.
Those in poverty who are dying from obesity related diseases are not dying in work place accidents, and are not dying in war or from untreatible infections. They didn't die in a pandemic.
The opportunity to die of obesity related diseases is tied to the relative safety and comfort of the nations in which the late individuals were impoverished.
We do. Even though the world has become safer and more prosperous it is still dangerous to our health and sanity. That doesn't mean we should avoid all risk.
What you are more talking about is the Politicians overstate the chance of dangers and they do it on the most evocative of topics (ex: terrorism, CP, etc).
A high danger we're in is from the potential for our governments to entrench their own powers and encourage potential future totalitarianism for small benefits here and now.
Yeah - it is goddamn tiring can't the professional emotional manipulators that call themselves politicians play on any other emotion than fear to get elected?
The vast bulk of the fear mongering I see is coming from the mass media, in an attempt to drive clicks and sell newspapers, and get their preferred candidate elected.
For example, in the weeks leading up to the election, CNN ran a sidebar on the screen to continuously show current statistics on covid deaths, all day. The sidebar vanished on election day, and has not returned, even though covid death rates are worse than ever.
Huh? I'm seeing a 0.5 murders per 100K in Norway which is exceptionally safe no doubt but meanwhile Poland has 0.7 murders per 100K. Bulgaria is 1.3, Czech 0.6...the two most dangerous are Ukraine and Russia.
Belgium's 1.7, France is 1.2, Germany 0.95...
Real mix it seems. But no, it's not safer by an order of magnitude for all of it, mainly just Ukraine and Russia.
The tragic thing is that those Western countries likely used to be on the same or even better level a few decades ago as Scandinavia and Central Europe today, but they are no more.
By the way, I wouldn't necessarily mention South-Eastern Europe in the same sentence as Central Europe; the Balkans have quite a tradition of being a hotbed of conflict.
And let's not just reduce safety to murders. There is the petty crime too, which I hear is becoming widespread in some problematic areas of big cities in Western Europe. There are social tensions, there are protests with occasional deaths and property damage, there is the radicalization of politics which may lead to all sorts of "interesting" things down the line. There is the "reasonable" restrictions on freedom of speech to counter the former, and yeah, it seems we are now talking about restricting privacy in the name of war on terror, which guarantees further increase in tensions and may enable a slide into totalitarianism in the future.
Remember that when Stalin started, he didn't intend to kill millions of people for fun, he just wanted social justice. The terror "happened" along the way.
1. Terrorism and trafficking of children will win the moral high ground.
2. App stores will be forced locale by locale to conform to these policies.
3. Most people will not notice or care.
4. This will be used by N-Eyes and totalitarian governments to quash dissent.
5. Meanwhile the tech crowd will create alternate app distribution mechanisms allowing those who care to communicate securely.
6. Those secure methods will be used by people with the most to lose. (e.g. the drivers of point 1)
Given this predictable series of events I see the primary question as: How do we prevent (4)? How can we make people secure by default again and make adoption easy in the face of app store capture.
> 1. Terrorism and trafficking of children will win the moral high ground.
Requisite:
> The term was coined by Timothy C. May in 1988. May referred to "child pornographers, terrorists, drug dealers, etc."[2]. May used the phrase to express disdain for what he perceived as "Think of the children" argumentation by government officials and others seeking to justify limiting civilian use of cryptography tools. Connotations related to such argumentation continue to be attached to the phrase, and it is more commonly used by those who wish to deride various restrictions on Internet activity than by those who support such restrictions.
• By maintaining democracy, by which I mean the tenet of electing governments from the citizenry as well as by the citizenry, and specifically rather than any of the oligarchical forms.
• By maintaining the rule of law.
The consequences being, if all encryption is backdoored, then any encryption used by politicians is by definition eavesdroppable by their opponents and enemies. Since all politicians thrive in a web of mendacity and confidences, they have a strong incentive for strong encryption, and will eventually terminate/abandon legislation that weakens it.
Any politician that threatens otherwise is therefore a) grandstanding, and/or b) using the issue to leverage/negotiate something else.
Corollaries:
• Any government seriously implementing such a plan is operating as an oligarchy rather than a democracy, and will have plans to defend themselves from the surveillance imposed on the citizens.
• The first instinct of every would-be oligarch is to undermine the machinery of democracy and compromise the rule of law.
c.f. Utopia (Australia, 2014) Season 4 Episode 4 "Mission Creeps", and probably at least one Jim Hacker moment.
7. People in group 6 will be subject to increased abuse by authorities simply because they fall into this category regardless of whether other evidence suggests that they're a likely privacy advocate, political activist, or actual terrorist.
8. Privacy activists will leave group 6 by attrition, further reinforcing justification by authorities for 7.
In my view there is a good chance that (2) will not be EU law for the foreseeable future, although this does require some opposition work. I guess one can see it as education of the politicians (the commissioners in this case).
The EU takes a statist approach to privacy. Encryption is always a better protection to privacy than ever changing laws. EP members are either inexperienced when it comes to technology or serve a party or a lobby agenda. The only countries opposing for the sake of opposing are Hungary and Poland and their leaders would love encyption being backdoored as long as their secret services can pry at comms.
Educate the Comissioners? The president of the Comission is an ex home secretary ie. a lady with a policing mindset just like Theresa May, only allegedly corrupt. Somehow her phones were wiped clean when required as evidence in a recent investigation. The irony of this legislation is that it could expose her own doings.
As is always the case with these fights, the fundamental fact is that the war is asymmetric. We have to be right all of the time, they have to be right once. We have to break all encryption everywhere forever, they have to find one non-backdoor'd solution.
If you really hold the backdoor proponents' feet to the fire, they'll admit that yes, this is true, but at least with a backdoor you can catch some of the terrorists/child abusers/etc, some of the time (of course, you only get the dumb ones...), and we wouldn't want to let the perfect be the enemy of the good. But of course, saying you want to compromise all privacy in the developed world to catch a few dumb traffickers doesn't get votes.
Terrorists and other criminals already have more than enough tools in their possession to exchange data absolutely without fear of their messages being compromised.
It is trivial to create an app using encryption to send messages between two users. On Android you can sideload so no need for app store.
You can also solve this with a webpage, this way it can be used on all devices.
The point is that creating a secure channel few users use is pretty trivial unless you outlaw crypto libraries. These laws can only take down apps/websites in mainstream use.
True, but when I worked on this recruiting was mostly an in person thing. For example for Muslim terrorists it was in a radical mosque. You can still radicalize with writings on the internet, they just need to make the first step in person.
If you do the key exchange face-to-face, all you need is some bytes from /dev/random for the key, and the cryptographic algorithm Data XOR Key. They can't outlaw the XOR operator and they can't "backdoor" all random number sources (not even the most trivial ones), so the idea that it is even remotely possible to obtain political control of encryption is quite insane.
We need actual software like https://Matrix.org or https://qbix.com/platform to be good enough that people will install it. Like the Web Browser did killed AOL and MSN. Otherwise we will live with Facebook Google etc. and this is moot. But that is just the beginning.
Secondly, we need open source hardware. We are nowhere close to competing with Apple and Android. But as we have seen over the last 20 years - there is a war on general purpose computing and the closed systems have started to win. Just today I read that Android doesn’t let you take a screenshot of your own phone.
Third of all - the open distribution mechanisms you rely on today to not block you (eg web browsers) can be closed or ship updates with backdoors tomorrow to most users. Apple and Google together control most of the market. It isn’t hard to pressure them to do this.
Apple blocked blockchain dapps being distributed on iOS, unless they are made by an Apple developer whose app they can revoke. Amazon can yank your movies and books out of your hands.
Anything you think is secure (eg secure enclave) may not be. Trusted Computing Environments are made by two companies essentially.
In fact, I am surprised that more “stuxnet” attacks arent done in nuclear reactors across various countries. As self driving cars get hooked up to the net or delivery drones become ubiquitous we may see massive vulnerabilities that can be exploited all at once. Not just by state actors but anyone. Really scary stuff.
Sadly the same entities locking down the computing devices also start requiring uplinks to their servers and can push any updates. Regular people are at the mercy of corporations and the state.
Unless open source companies step up and build a decentralized hardware distribution infrastructure, with multiple actors (like VOIP relaced centralized telephone switchboard operators) all these arguments are moot. There is a handful of tech companies whose arms need to be twisted and that’s all.
PART II:
To be honest ... I no longer think that end-to-end encryption is the right solution to human rights problems. If citizens are reduced to sneaking around and denying their activities to survive, their governmental system is way past due for fixing. This is like the “good slave owners” delaying the abolition of slavery. You’re solving the wrong problem.
I believe that crypto is needed to secure decentralized byzantine fault tolerant systems like Ethereum etc. to be TRUSTED, not to hide information. Signatures, not encryption, if you will. If anything, it is the government who doesn’t want encryption to be broken (eg of copyrighted DVD content etc.) and there is an inherent contradiction since anyone who consumes unencrypted content can reshare it.
What we really need is to decentralize the personal data in many places, and use zero-knowledge proofs for attestation, but that is different than encrypting and hiding information.
I just don't understand why people go on downvote spree. There are many things here that people can agree on or at least understand.
Many of the common tools (both hardware & software) that common people use are at the hands of few, who can abuse the users themselves or at the request of the Government.
> To be honest ... I no longer think that end-to-end encryption is the right solution to human rights problems. If citizens are reduced to sneaking around and denying their activities to survive, their governmental system is way past due for fixing. This is like the “good slave owners” delaying the abolition of slavery. You’re solving the wrong problem.
>Just today I read that Android doesn’t let you take a screenshot of your own phone.
Not many seemed to care to click the link in that thread. If one did one would know that it was to a bug report and a fix was even posted in the same link. Screenshots work just fine.
Not many seemed to read through the bug report either.
The bug report was for not being able to screenshot in situations when it wasn't actually disabled.
The fundamental problem that the GP is referring to and that demonstrates the loss of control over one's own devices is that it _is_ possible for apps to disable making of screenshots to begin with.
Fine. But I can name a ton of things that were in fact closed down due to “think of the starving artists” copyright laws in US or 自我约束;自律 “self-censorship” in China for political speech [1]
I have written a far more extensive post just now on HN that fleshes out the overall argument against focusing on encryption - please read it here and we can discuss:
It pretty much is, section 12 of the Universal Declaration of Human Rights states:
> No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
I mean wearing my programmer goggles it doesn't state privacy AND correspondence but OR, but still. Not having your personal conversations get intercepted is not too much to ask for, is it?
I mean I get it, if they have a reasonable suspicion they CAN intercept your communications (listening devices, intercepting the phone conversations), but this is not a right they can claim on anyone, and they shouldn't be able to force companies to allow them to listen in. Not arbitrarily anyway (see: Snowden revelations, where it was proven that the NSA just hoovers up anything and retroactively checks if there's anything wrong in there)
The problem is that you can’t leave any room for interpretation, because governments generally interpret things as liberally as they can in their favor, to the brink of absurdity.
In other words, “encryption” needs to be listed there as a right, to remove any room for interpretation. Or explicitly listed as an example of a more general right, like the right to private speech (or whatever you want to call it).
Considering governments have about the same capacity to store data securely as a twelve-year-old, those decryption keys basically open up the door for everyone who is willing to put the effort into retrieving them.
And considering the retrieval would certainly be breaking at least a few laws, the people who are going to pull it off are going to be
- nation states
- APTs
- large criminal organizations
- large corporations (corporate espionage)
So you arguably defeat the entire purpose of having encrypted data streams. Sure, the barrier of going and "stealing the keys" is still there, but given the track record large governments have at not leaking data, it is safe to say there would be little barrier aside from legal ramifications if caught.
Like TSA luggage keys.... there's no way those would leak online, and no way anybody would be able to download them from https://www.thingiverse.com/thing:1687424 and 3d-print them... no way something like that'd happen!
Luckily, you can't 3D print an encryption key that would be useful in any way. Although, now I wish the guy from Lavabits had handed in his SSL cert as 3D printed letters and numbers like a puzzle.
3D printing is one of the more useful ways to securely backup up encryption key’s. Just ensure the only place they exist is inside an object and not only are they durable, but tamper resistant as someone can’t just photocopy the key.
3D printers can make solid objects with internal structures.
It’s the same basic idea as an envelope, as in you need to open it to see what’s inside. However, opening it up inherently breaks the object so if you have it unbroken then it’s obvious that nobody has done so. XRay’s being an obvious risk.
We are not talking about human habitats that are supposed to be transitable by design. We are talking about lockers within this habitat, that remain secure even if the house is burning, because you don't want thieves who arrive before the firedepartment to have access to your guns. It's a civil obligation.
"really locked" is using a wholy misused modifier. Neither are we talking about royal priviliges, nor the distinction to virtualized fantasy. The necessary capability of encryptian is effectivity. The effectivity of regular locks is indeed a matter of concern in the security industry to begin with, as lock picking sessions at Defcon make clear. But, if the fireman's axe shreds the frontdoor, at least there will be no denying that you have been literally hacked.
Well, if everything is working as planned - it is encrypted in a way, that the economy and the people are protected against criminals, but everything is still in control of the government. That is the plan. And it makes sense, from their point of view. But their point of view usually comes from law schools and not technical universities.
The courts may not view the police, with a warrant, wanting to see your texts because they believe you're doing something illegal as a form of 'arbitrary' interference.
This new proposal sounds nutty to me, but I think that our various constitutions provide for the possibility of government access to private stuff given legitimacy, proportionality etc.
It continues " There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law" [to ensure everyone's safety].
E2e encryption that is "safe from courts" isn't protected.
Not sure I follow. The struggle politicians are in isn't to eavesdrop on everyone. The fact that this is possible is an unwelcome side effect. The struggle is to not lose the same ability (targeted eavesdropping after court orders) when people switch to e2e from phone calls.
If cell phones had e2e encryptoions so the normal court-order landline eavesdropping disappeared from law enforcements' toolboxes - there is zero chance they would ever have been allowed in the hands of the public.
> The struggle is to not lose the same ability (targeted eavesdropping after court orders) when people switch to e2e from phone calls.
But they haven't. They can physically install a listening device at the location in the warrant and thereby record any conversations you make from there. That gives them the same capability they historically had with landlines.
Which they can do, too. Just break into an Android phone (easy enough to do remotely). Bug home, bug the car, bug shoes, now you have phone calls from an iPhone. (You can pick up electrical interference from phone calls on an iPhone, due to the hearing aid induction loop.)
For every phone, you can just slip an antenna under the case (or in the phone's body) and pick up the LCD switching interference – faint though it may be – and figure out what's on the screen from there. Or, you know, CCTV.
Encryption-for-the-masses merely protects from mass surveillance; anyone protecting themselves from targeted surveillance isn't going to suffer from an encryption ban.
I don't see any good middle ground between "authorities can never eavesdrop on inviduals' comms even with a warrant" and "authorities can do mass surveillance". It's a very difficult dilemma. I (as you do) prefer the former if I have to choose.
I understand why it's not a very wasy pill to swallow though. Hopefully techniques for targeted eavesdropping (like those you mention) will improve as e2e gets more widespread. The easy of eavesdropping on mobile comms has probably been too comfortable for too long.
The status quo today is that various encrypted messaging apps exist without any apparent backdoors. This has been the case for several years already. The status quo from not long before that was that mobile phones and text messages didn't exist at all.
Yes. Perhaps the endgame here is that when "old school" voice/text shrinks, so does that avenue for eavesdropping, and once it's almost zero, then allowing any e2e doesn't mean a loss of ability anyway.
Also, so long as metadata is available from cell towers, you can still use the most useful piece of data: that someone's phone was at a crime scene, even if the communication itself was encrypted. That will always be the case (unfortunately also in authoritarian regimes).
The long story is that encrypted files alone are no use to anyone, so the courts have no more right to it than anyone else. The decrypted text is a different matter. It's supposed to be protected. So you are saying, eventually, if I may interpret it that way, that speech which is protected from the authorities including the courts is not in fact protected from the courts.
Oh, ok, that's not even illogic, just paradox.
Problematicly, if you consider the abstract danger of a key cypher pair a threat, the same goes for the legislatator court partnership. The courts aren't a threat as long as there's no legislation that opens them up to it. So, clearly, the legislation is key to the infringement. This means that legislation has to act in accordance with legislation, which is as difficult to understand for regular joe as function pointer semantics in C++. So it appears to say, simply, that legislation has to act...
That's you and me. Actually though, the law is accordingly a huge tower of abstraction. The moment you try to dereference "the law" it blows up into your face, a group of skilled experts has to drop into debugging mode and, eventually, has to decide if they want to have their access limited even in debugging mode. Well, the system was designed for the hypervisor kernel to access all areas, this seems to be a problem of the virtual OS handling the capabilities for userspace incorrectly.
Well, the ECHR is (for all EU members), and has a similar clause:
> Everyone has the right to respect for his private and family life, his home and his correspondence.
unfortunately it also has exemptions for anything a government could reasonably use as justification to restrict this right:
> There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Imagine that some unnamed corrupt government treats your telegram messages as correspondence, but not encryption keys. It then orders Telegram to release said keys (pinky promising not to do anything nefarious with them) because they aren't considered correspondence.
When they have a court warrant, it's not arbitrary. I think some rights were given to the people to combat government tyranny (right to bear arms for example), but combating government tyranny is just not feasible anymore, due to a set of factors, like our inability to organize behind a common cause. Anyway, the choice here is reserving our ability to overthrow an unjust system, or giving the government the rights to catch those who might want to unjustly overthrow it.
The court warrant sounds like it's a good idea, and don't most other things work that way too? Actually End-to-end encryption isn't that different.
It so happens that there's no point in taking out a warrant against the man-in-the-middle, because he has no access to begin with.
You'll have to get a warrant against one of the ends.
What these proposals would end up doing is to force people to weaken protocols and start spying as a man-in-the-middle, just so that they can be targeted by a warrant.
This is just a little bit silly, I feel; and doesn't really help anyone. I don't think that authorities realize that that is what they're asking for. Usually when it gets explained to them, sooner or later they relent. And then a few years later someone replaces them, and it happens all over again.
I don't see any proposal to "weaken protocols." Why would the government try to mandate the use of provably unsound end-to-end encryption, weakening security for everyone, when it could just order Apple and Google to spy on the user's end, which they control?
Sorry, but this is nonsense. Possessing cryptography does not imply the boogeyman will, as a consequence, gain the ability to overthrow the system. On the other hand, there's very concrete evidence governments are the boogeymen.
It is might makes right essentially - if treason doth prospor none dare call it treason. If there is absolutely no hope of any effort to revert it succeeding it is just.
- Everyone has the right to respect for his private and family life, his home and his correspondence.
- There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
(I'm not feeling bright enough to comment but this seems extremely relevant)
You're going to be very disappointed by the other human rights then. They're all about proportionality. Even the right to life can give way "when a public authority (such as the police) uses necessary force to … stop a riot or uprising." https://www.equalityhumanrights.com/en/human-rights-act/arti...
First step is finding a way to educate the mainstream (including politicians) on the dangers of master keys and backdoors.
It is too easy for many politicians and security agencies to think that their master keys and backdoors won't ever fall into the wrong hands, that they're careful, etc. And if you point out the problem, they'll tell you they'll be even more careful.
Think about it from a non-techie perspective. I don't think most people even understand the concept that a message that goes from sender to recipient in WhatsApp can't be decrypted by Facebook, let alone by anyone else. I don't even know if there is a common analogue-world comparison you can draw, this is an utterly new concept for people who don't understand encryption.
E2E encryption is scary. I'm also in the "you can't ban math, why try" camp. But I can't see authorities/politicians give up the idea of getting access to decrypted communications after court orders, in a 100 years, even if everyone completely understood the topic. It's just not happening.
I mean, if you put it that way, assumption of innocence is also a scary concept; being the police and having to let someone you know is a murderer or terrorist go because you can't prove what they did is routinely touted as a genuinely terrifying prospect in plenty of TV shows.
Privacy is a human right in Europe. I don't think it's a pipe dream to give encryption some good PR, especially when it powers the internet, keeps your payments safe, protects you from bad guys, etc.
Pushing hard on the concept that Encryption == Privacy is very important. We should not call intentionally-backdoored crypto "Encryption", but something obviously bad such as "Open-Door Fake Encryption", or whatever actually speaks to people.
We expect privacy in "unencrypted" phone calls, but seem happy that law enforcement can eavesdrop on 4G when they have to. Not sure how much more privacy people expect. If you explain to people how much privacy they give up just clicking a random facebook questionnaire - they nod and then still do. Privacy and integrity is important but it will never match e.g. "terrorism" or "safety" on the list of important issues I think.
> We expect privacy in "unencrypted" phone calls, but seem happy that law enforcement can eavesdrop on 4G when they have to.
Don't assume that "we" are happy about that. You might be; others are not.
Unbreakable encryption should be available to everyone, and straightforward for everyone to use, and used by default rather than only for "sensitive" information. Unbreakable encryption should be so widely used that the thought never even occurs to anyone to associate it with wrongdoing. Communication using unbreakable encryption should simply be "communication".
> Don't assume that "we" are happy about that. You might be; others are not.
I don't want to suggest everyone is happy with the status quo, but it's at least not one of the top items on everyone's agenda for change.
> Unbreakable encryption should be available to everyone, and straightforward for everyone to use, and used by default rather than only for "sensitive" information. Unbreakable encryption should be so widely used that the thought never even occurs to anyone to associate it with wrongdoing. Communication using unbreakable encryption should simply be "communication".
I agree with you - but I also doubt it will happen. Not because of some government conspiracy but because I don't for a second believe that people would choose "government can't tap a criminal's phone call or text messages even with a court order" as an acceptable drawback for the benefit "my own conversations are always secure". I really don't. I'd be happy to be proven wrong though. So I simply don't think there is any democratic pressure for it.
One of many angles is "perhaps you trust your government (or perhaps not), but do you trust every government with a backdoor? Do you trust everyone who has gotten hold of it? Do you trust that it can't be broken or stolen or abused?"
We need to very clearly and universally make the message clear: there's unbreakable encryption, and there's broken encryption, nothing in between. Anything that purports to be in between is either broken or soon will be.
I trust my current government, I don't trust most foreign ones and I don't even trust my own next government. I think we now have the two key pillars of the dilemma: we can never have back doors (broken encryption which is as bad as no encryption), and neither the public (I'm guessing) nor authorities will allow a situation where even a court order doesn't allow eavesdropping. And between these two there is no middle ground.
Where do the existing "readily available, off-the-shelf encryption solutions" mentioned in the link fall in this dichotomy? Are they unbreakable because no network administrator can read my WhatsApp messages? Or are they broken, because Apple can push out an OS update and steal messages without the user knowing?
If anyone calls me on a regular phone call, I'm always aware of this.. It's that nasty feeling of being spied on that's really the main reason I hate this so much. The government shouldn't have any reason to spy on me but spying on everyone is simply becoming the norm because they can.
I mean scary to authorities used to be able to do targeted surrveillance of messages in transit such as law enforcement. Not to people.
It's obviously even more scary (an existential threat) to authorities that are used to be able to do mass surveillance of messages in transit (Such as the NSA).
Even a closed-source app is never really closed. In the end it's all machine code which is basically source code as well. There's many tools to analyse binaries, like IDA Pro. It's just difficult and often steps are taken to obfuscate what it's doing.
Having the higher-level source code just makes it a lot easier.
But if WhatsApp did this, it would probably be noticed pretty quickly by experts. But like I said above, Whatsapp's achilles heel isn't really the E2E encryption. It's the cloud backups.
Also wven if it does not exhilarated user data now, it's one update from doing that tomorrow. Quite possible even via a targeted update on some specific people "not in favor".
If it was open source there is some chance a backdoor would be spotted (eq. by Linux distropackage msintainers), but not when a company is pushing obfuscated binary blobs preatty much directly to users.
Well, not directly, for most people that would be via Apple/Google stores.
And of course these stores could have secret functionality for shipping targeted updates.
But if it exists, this means that 1) none of the developers working on the store backend decided to leak info about it and 2) none of the targets have had an expert look at their device to find an unusual update that wasn't seen by anyone else.
Over time, the probability of either of those things happening would be going up…
Non-techies most certainly understand what encryption is and if you describe what 'end' in the WhatsApp notice about end to end encryption means, it's very clear to them.
No, non-techies do not "understand what encryption is". They'll understand if you explain it to them, but if you ask someone off the street what encryption is, the closest to a correct description they may give you is "it's garbled text you can decrypt".
It's hard enough to explain the easy, obvious stuff like tax brackets. You think people have a native understanding of encryption?
> You think people have a native understanding of encryption?
It’s easy. Tell people they’re speaking English to one other person who also speaks English at a dinner table. No one else in the world speaks English. You can look and sound like you’re talking about how excellent the food is, but really you’re saying how terrible it is... and no one on earth will ever know, other than the one person who understands you.
This is not a good way to explain encryption to people. Explaining the concept of a "key" is essential to explain why this doesn't work.
- In your example, the contents can be deduced from the "encrypted" data, without the key. Indeed, there is no key, but rather a complex dictionary transformation.
- A "backdoor" is merely teaching GCHQ to speak English. Sounds perfectly reasonable in your example.
I'd argue the exact problem is that politicians have the particular understanding of encryption that you just gave.
You need to communicate two things:
1) Why backdooring safe encryption irreversibly breaks it for everybody
Guys, both of you are behaving like non-tech people are idiots. They are as smart as you. They often have college degrees. Even children understand perfectly well what encryption is. Boy/girl scouts go out of their way to teach it, etc.
I wonder if we can make an encryption protocol that cryptographically securely encrypts an arbitrary English sentence into an English passage that sounds like it makes sense but is unrelated to the ciphertext.
2. Given a language model which can generate a choice of multiple possible next-symbols given what has already been written, use bytes from the cypher text to choose between the available options.
For example, using the predictive text options on my iPhone, and treating 0=left 1=right, the cypher text 011100 and the starting symbol “Hi”, I get:
“Hi I have heard from the other”
(Note: I’m fairly sure the iPhone predictive text system is personalised and therefore time-variable, but the general idea still applies if you are in full control of the system).
3. If the other party knows the model and the initial word, they can use an equivalent process to recover the cypher text and put that into the normal decryption routine.
This is the correct answer, although it's worth thinking about what the threat model is.
If the government is just going to force specific companies to add backdoors, then the process above isn't really necessary, you just need a way to install a client that isn't backdoored. If, however, the government is banning the sending of encrypted messages, then you have to hope that a jury doesn't see your long pointless messages as strong evidence of using encryption.
To improve slightly upon the language model example given above, though, I suggest something like this:
> then you have to hope that a jury doesn't see your long pointless messages as strong evidence of using encryption
Don't legal people routinely just take few word sentences and rewrite them into long paragraphs of aforementioned hereinafter notwithstanding including but not limited to senseless nonsense?
So long as it looks normal for you, I suspect you’d be fine.
If I started writing long paragraphs of aforementioned hereinafter notwithstanding including but not limited to senseless nonsense, I’d be really obvious — at least to a human, not sure if current AI would notice me yet.
Hmm, I think a better strategy might be embedding the ciphertext in the fur of cat pictures. Sending lots of cat pictures seems pretty normal for anyone. Might be possible to create a GAN that outputs a synthesized cat picture with a constraint of some ciphertext that can be decoded later. Or simple modulation might just work, if I can convince JPEG to not wreck it.
That is higher bandwidth, but for normal chat apps I would expect randomly applied compression in transit breaking things. Email could work though? And if you’re generating the JPEG or PNG yourself, you can put the cypher text in at whatever level you like, including highest entropy bits of the compressed data.
You’d have to be very careful to seem “normal”, as carelessly doing that can change the entropy in a detectable way even for the least significant bits — the least significant bits saved in something like JPEG is not the sensor noise, it’s the smallest stuff that humans pay attention to.
Maybe something that's aided by an AI that generates English texts(a little similar to your iPhone auto-suggest, but more advanced) so that the sentences are valid and coherent. The recipient would need to know some sort of key/"seed" for the AI, that you'd give them in another channel. I bet something like that would be possible, but the ciphertext would be much larger than the plaintext. Still a fun idea.
I have seen a few hacky implementations of this, many years back. Essentially you use a dumb secrecy technique (every second letter of every third word). Then put your (secyrely) encrypted message as the payload.
The question of interest is "how to generate sentences that allow the most dense insertion of data?".
The best two I saw were:
* Used a copy paste (with link) of tweets / jokes / song lyrics with trite comments around them.
* Used an html formatted email with images embedded. The images were fiddled to hold the bulk of the payload and the surrounding sentences were just to describe the image to give it authenticity.
The funniest was a dirty poem generator based on an oracled (to inject the payload) monte carlo sim. It ised historic dirty letters and all sorts of poem formats.
I fully subscribe to this point. It comes up, then it either gets voted out or doesn't even come that far.
What baffles me though is that such blatant power-grabs are being introduced, and that anyone thinks that anything would be better off afterwards. Surveillance is going to get more difficult, not easier unless you want to spy on middle-aged people talking about fishing or sour dough recipes.
IMO the right to encryption naturally follows form the fundamental right to speech but yes the right to practice math and science including should be additionally protected.
I was born and raised in a country occupied by communist invaders, so I know very well how unbelievably horrific it was to live under continuous surveillance.
Despite the many Western fiction works, either movies or novels, which attempted to describe how life was in the Eastern Europe and Soviet Union, I have not seen any that succeeded to really convey how awful that was, because it is very difficult to imagine it when you have not experienced it.
After 1990 there was a short time when things seemed to be improving in the world, about the human rights, but that did not last for long.
After 2000, the Western countries began to resemble more and more every year with the communist countries they were formerly criticizing.
This sad evolution concerns not only the continuous attempts to restrict the basic human rights but also the continuous reduction in competition in the economy, by more and more mergers and acquisitions.
Despite what some say, the socialist economies were not really different from the capitalist economies, but they were identical to the extreme form of a capitalist economy, where, in the absence of regulation, everything is produced by monopolies. Now, with the exception of few domains where there is still vigorous competition, even the American economy is so much dominated by quasi-monopolies, that it resembles more to the old Russian economy than to the American economy of 30 years ago.
Twenty years ago, when I designed some electronics hardware, I could search the Internet for the datasheets and manuals of possible components and I had many possible choices for each of them.
Now, for many key components, I have only one possible source. Moreover, for many important components that I might use, I cannot really determine whether they could be used, because their technical documentation is provided only after signing an NDA and only if you intend to buy really large quantities.
Such changes were very gradual, so for those who did not live enough to span several decades of experience, the way things are done now may seem normal, but they are not and they are definitely worse than before. Now it is far more difficult to innovate.
Regarding surveillance and encryption, most Western people, who have not yet experienced the extreme abuses towards which the current legislation slowly evolves, are very naive and they do not understand how dangerous this really is.
The irony is that now the Western countries are trying to make lawful things that not even the communists had the courage to introduce in their laws.
Even in the communist constitution that was valid when I was a child there were constitutional rights for the secrecy both of the phone conversations and of the mail messages.
Obviously, like the NSA, the secret police did not care about what is lawful and what is not, so they intercepted any mail message or phone conversation they desired, but at least there was no doubt that their activities are illegal.
Fortunately, they did not have the technical abilities to intercept all the phone & mail communications, like today. Otherwise I would be still living in a communist country.
Because of my experience, no matter what abusive laws might be introduced in the future by corrupt politicians and no matter which would be the consequences, I would never recognize that any other human being has the right to command me to not encrypt any information that belongs to me. Equivalently with being against the interdiction of encryption, I would also never accept that any human being has the right to demand that I must answer to any question, if I do not want to answer.
Of course, if that question had been in the context of a legal investigation, refusing to answer some question may be considered as evidence supporting the supposition that the questioned person might have done something wrong. Therefore that person might be punished for what he/she is supposed to have been done, if being guilty is considered certain enough.
However, punishing the person just for refusing to answer a question, without any evidence strong enough that the person has committed any other crime, as it is frequent now in the USA, this is something that I consider to be an unacceptable abuse and a breach of the most basic human right.
The EU doesn't see free speech as a basic human right. They are of the opinion that some ideas are dangerous in and of themselves, even without a call to violence.
It is doubtful that it will see something like encryption that allows speech and communication at a distance without government knowledge or control as a basic human right. After all, if some speech is so dangerous that it cannot be posted online, then we should make sure it is not spreading to who knows what kinds of people without government knowledge.
There is no logical connection between your first sentence and encryption. (By the way, it's incorrect, we call it the right to freedom of expression over here; sometimes also referred to as the freedom of opinion)
I'm Italian, it's a crime here too, I don't have to go to Berlin to see how it goes, when my father's home was raided by Nazis and he had to run and hide in the woods where he lived for two years, till the end of the war
He was 4 years old.
If you read again what I wrote it's already there: free of opinion doesn't mean that all opinions are permitted, because some of them are crimes.
Anyway, if you know Berlin you should also know that there have been a spree of neo-nazi violence lately and the police is not doing much to stop it (I lived in Berlin for a few years)
I want to also give some perspective why this is bad even IF we can make sure that only governments will have the keys. We have just uncovered an organized crime at the top levels in Slovakia where even the President of police is part of it and they influenced many court cases and were accessing secret information and databases on citizens, basically a mafia. And we are part of EU. I don't trust our goverment to use they keys only for good purpose. And I speak from the recent experience.
Another way of determining whether these proposals past the "smell test" is to ask how politicians treat legitimate requests for access to their communications (carried out as part of their jobs, which we pay them for) in response to Freedom Of Information requests.
An example[0] from 2012 in a (then) EU member state is very informative in that regard, as indeed is the name of the special adviser behind the controversial policy.
I also don't trust my goverment to use the keys only for good purpose, recently in Spain a commissar was paying girls to have sexual contact with influential people to get information about politiceans.
In our case those guys had direct access to police systems, they could look up anything (and they did!). Now imagine if they could also read all your messages. The EU proposal will actually weaken the security of its own citizens. The IT community must fight back.
Yep, also scandals like the one in neighboring Austria where senior government officials were caught on candid camera making deals with fake oligarchs.
It's a developing story, I will try to find some got article later. The funny thing is that it all started after one criminal (Marian Kocner) was arrested and his iPhone had the app Threema installed - an E2E encrypted chat. Fortunately for the investigators he had backups enabled and they could access the chat history in plain text. He was in direct contact with government officials including politicians, judges, and so on. And this helped to uncover an even bigger organized group. The whole communication leaked and everyone can read it. You can find passages where he asks to pull specific information from police database. I think maybe 30+ high ranked people are now waiting behind bars for the trial.
Wow, this is a truly fascinating story that I hadn't previously heard about in the US. Here is a good article I found that led me down the rabbit hole:
Government is just another group of people. We currently have few statesmen in politics, only people afraid to loose control and this is a symptom that has haunted us for over 30 years. Any cooperation with the EU on these issue should be denied. Many people are way ahead of constitutions and democratic legitimacy.
I was told that this only happens in authoritarian regimes like China. Turns out that while everybody was talking about China exact same things were happening here in the West. It's as if the whole focus on China was specifically designed to distract people from what's happening in their own countries.
What concerns me is that with the increase in arguably totalitarian laws and the constant attempts on once sacrosanct principles like the above we're moving in a direction where we'll run out of room to point at that side and say "yes they've got X but I'd still rather us because they have Y" when more and more we have Y as well.
I think we may already be in that situation given how China and the West handled the pandemic respectively. Our governments are quietly implementing all the worst aspects of Chinese authoritarianism and pervasive surveillance without any of the benefits of having a competent government that's able to deal with large scale problems.
China dealt with the pandemic swiftly and decisively and life is getting back to normal there now. Meanwhile, the West had months of warning and vast majority of the governments chose to do nothing. Instead of stocking up on supplies and preparing the public the officials and the media called Chinese lockdowns authoritarian and played down the severity of the problem until thousands of people started dying. Our governments chose to protect business interests and to sacrifice the public for the sake of the profits.
The pandemic is just a small preview of what we can expect to happen with climate change in the coming decade.
> […] the constant attempts on once sacrosanct principles like the above we're moving in a direction […]
This is sometimes done on purpose:
> The Overton Window is an approach to identifying the ideas that define the spectrum of acceptability of governmental policies. Politicians can only act within the acceptable range. Shifting the Overton Window involves proponents of policies outside the window persuading the public to expand the window. Proponents of current policies, or similar ones within the window, seek to convince people that policies outside it should be deemed unacceptable.
It's also big in the Netherlands.. In the 90s they had the biggest number of phone taps in the world, and this is not per capita, but the absolute number! With a population a mere fraction of the US's.
However the Netherlands is a fairly honest country when it comes to statistics, so I wouldn't be surprised that the US still came out on top, but they just didn't report most of their taps for 'national security' reasons.
But something has really changed in the past 20-30 years. Before this there was no way to literally monitor everyone. It was too labour/storage intensive. You really had to be a 'person of interest' for some kind of (usually legitimate) reason.
Whereas now in this digital age (and with everyone carrying a portable listening device in their pocket) this is totally feasible and thanks to Snowden we know it's actually being done too.
> Before this there was no way to literally monitor everyone
The DDR did it
Another important factor is that until 20-30 years ago people communicated a lot less
They mostly talked face to face
The challenge today is not easier: to literally monitor everyone is not possible, the signal to noise ratio is too high
They could listen to everyone, it's doubtful it is possible to extract any meaningful information on random communications between random people that are not being monitored because they are already of interest
As someone else said metadata is more important because it allows to create connections between actors from thin air. When you have narrowed the scope, listening becomes a lot more effective.
"China exact same things were happening here in the West"
No, there's really no comparison.
A justice system, with reasonable information to infer a crime, seeking a warrant, using rules and regulations that have integrity, oversight, sanctioned by a Judge, following specific rules of access with certain, proportional criteria - is nothing like 'China'.
In fact, we are already subject to that, everywhere in Europe, just not your messaging apps.
It is not totalitarian whatsoever - there is just the risk of totalitarianism creeping in. A risk, which quite frankly is overstated. There is almost zero material harm that comes to innocent individuals as a result of these policies in states with lawful civic infrastructure. There can be, but it's rare and again, the 'problem' is more expansive and that an authoritarian takes power and uses the system for unlawful purposes.
China does not have an independent legal system, or much concern for human rights. The CCP uses these things to censor every day speech on a variety of topics - even for the most innocuous things like comparing Xi to 'Winnie the Pooh' let alone for discussing things like Tibet, Hong Kong, or Taiwan privately.
The CPP uses these controls as an 'total and complete information and thought control system' that interjects into every aspect of life. If you talk bad about Xi on your 'chat'- that will literally go on your file. It could affect your credit, promotional opportunities, how the justice system treats you etc..
They have successfully suppressed and controlled dialogue on a variety of issues - this system is frankly the CCP's most powerful means of control, far more so than anything physical like the 'police' or the 'army'.
Western governments want to use it to go after people making bombs, sex traffickers, and tax evaders. There is no chance that the German government is going to send police to your house because you said 'Angela Merkel is a clown and needs to go!' to your buddy on WeChat. There is a chance some future government could to it, for the wrong reasons, and that's cause for come concern, but it's not pragmaticaly the issue.
>A justice system, with reasonable information to infer a crime, seeking a warrant, using rules and regulations that have integrity, oversight, sanctioned by a Judge, following specific rules of access with certain, proportional criteria - is nothing like 'China'.
LMFAO imagine saying that with a straight face in 2020 when US nabs people off the street in unmarked vans, and the judicial branch is staffed by political partisans actively working withe the republican party to steal the election.
I would bet a guess that privacy in NK is actually better when you're purely looking at a digital point of view.
After all, many people there won't have access to such technology. They'll be off the grid unlike most of us.
Of course that doesn't actually give them privacy, I'm sure that there's plenty of 'friendly' neighbours spying on each other for a few bucks, basically stasi style.
And also this watermarking isn't all that different from our browser fingerprinting and mega data collection. It's just a cultural difference. The NK government wants their citizens to know they're being spied on. Whereas ours is trying to hide it. Thus more focus on the endpoint device rather than the cloud side.
On the other hand, how many styles of haircut are you legally allowed in the USA? Can you leave if you want to? Can you criticise the government without you and your family being shot?
Never mind Apples and Oranges, you’re comparing a rabid kitten (NK: you don’t want to be a cell inside it, but the animal is containable) with a healthy chimpanzee in the jungle you’re walking though (USA: violent and acts like it owns the place, so being one of its cells is safer than being a cell in many of the things around it).
So USA is more dangerous than NK in general and the chances of getting shot and killed (quoting "Can you criticise the government without you and your family being shot?" https://news.ycombinator.com/item?id=25032711) are 42 times worse in USA than in NK.
It means that for every person shot and killed in NK there are 42 in USA.
I was wrong anyway, it's not 6 chances in 1 million but ~1 chance in a million to get shot and killed in NK.
Compare it now to some other western country, for example Italy, my country:
homicide rate: 0.7 / 100k
homicide rate by firearms: 0.3 / 100k
Italy is quite average for the west, all the other western countries have similar stats, more or less.
Ah, you’re referring to murder specifically by guns yet regardless of motivation.
Yeah, no. The figure here would be for those executed by the state for political crimes, though that will be hard to measure in both cases and I’d prefer to include in that count things like “unlawfully killed by cops who didn’t like you because you uncovered evidence of systematic racism” because I feel de-facto truths are more important than de-jure claims.
Then you get messy things like prison labour, and systematic policies of punishing entire communities for crimes (or protests) of a few from that community, and I don’t even know if you’re able to demonstrate any of these without being piled on by people defending any given example as unrelated/justified/propaganda/all of the above.
In fairness to you, this is a lot messier than my original comment. :)
Regardless of the motivation USA is more dangerous than Somalia (4.31/100k) - of course there are other reasons to be scared there,being killed is only one among many - but still it is kinda bad IMO.
If we count, for example, people killed by the police, there have been 1,004 killings in USA in 2019, 3 every million, 34 every 10 million residents. compared to Germany, whose police is said to be quite violent, it's 30 times more (Germany is around 1 per 10 million residents) and 170 times worse than Japan (0.2 per 10 millions)
All in all, as much as I know numbers don't tell the whole truth, something needs to change over there .
A friend of mine here in Berlin is from Hong Kong. Thanks to the Pro-Democracy protests in Hong Kong, the general nature of which my friend confirmed, I know about how to use traffic cones to defend against tear gas.
I’ve personally witnessed “we don’t like how Corona is being handled” marches here in Berlin.
Not to forget that top epidemiologists demand to stop the devastating measures immediately because our data shows that they cause much more harm than good.
My german isn't that good, but from what I understand and from the translation below, the source seems a bit conspiratorial.
I completely agree with the concerns raised elsewhere in this thread, but I'm not sure I see the clear link to recent events in Vienna etc claimed here.
Here[0] is an earlier document from 21 october which the article seems to take some screenshots from, so it seems that this has been coming either way.
I wonder how this effects countries like Switzerland and the UK?
Thanks—we've changed the URL from https://fm4.orf.at/stories/3008930/. Submissions to HN need to be in English—we have great respect for other languages, including German, but HN is an English language site. Happily in this case, following the site guideline that calls for original sources solves this problem as well.
(I've taken the title from the new URL, btw, which uses the rather strong preposition "against"—I suppose this is a matter of interpretation since the document itself seems to fall over itself insisting on the opposite.)
The German article is more on point and it goes into more details about the background and also the probable solution with "Exceptional Access" architecture.
The official EU draft documents always use a very careful language to not create too much suspicion. Only one or two sentences actually tell the truth: "Possible solutions may need the support of service providers in a transparent and lawful manner, as well as improving the technical and tactical skills which the law enforcement and judicial authorities need to face the challenges of digitisation at a global scale."
I hope some English articles will appear soon.
I'm certainly open to changing the URL from what is probably an obscurantist press release to a more accurate and neutral source. But it would need to be in English. Sorry—I realize that's frustrating to anyone who reads both languages, but most HN readers can't.
Update: I got an indirect confirmation that the REV1 version of the document should be authentic and they also noted that radiofm4 (ORF) has a good record of previous disclosures.
There may be some confusion. The original link wasn't in English. The current one is a press release or similar. What would be best is an article that is both in English and not a press release.
You're conflating the language issue with the alleged "obscurantist" issue. In your opinion, since you brought it up, what facts are the original link lying about or hiding?
HN needs to come together to reward 'dang's hard work keeping HN to HN quality.
I have this theory that with almost any great music groups there's usually one, sometimes two, great mind(s) working in the background, usually introverted, that really define the talent of the wider group (Brian Wilson, Quincy Jones, Phil Spector, etc are the rare few who got that recognition).
NYT did a great exploration of how this currently works in pop music:
This analogy is already starting to stretch a bit thin but my main point is there are always some smart people working hard in the background who don't always get enough recognition for what they do. The Aussie girl is in the NYT clip who basically made the song still lives in relative obscurity (you can find her on twitter, probably well paid, but still living without much fanfare), despite this song among others blowing up in the charts.
I am going to attempt to think of something on a personal level but it'd be great if we could organize something larger like a community backed gift/reward. At some level simply upvote internet points aren't enough thanks for the work people put into user forums like these to keep them healthy. I obviously don't have the full solution here just a seed of an idea.
Maybe something nice to do in these depressing pandemic times!
Edit: if anyone has any ideas about organizing such a thing please let me know, maybe a discord channel?
> The Aussie girl is in the NYT clip who basically made the song still lives in relative obscurity (you can find her on twitter, probably well paid, but still living without much fanfare), despite this song among others blowing up in the charts.
The sad part is they don't even name her in the summary. She's "a 23-year old songwriter". The famous producers and vocalists get named, but she doesn't.
Kanye might tweets some crazy stuff but his recent crusade against shitty record contracts (tweeting out his entire Warner contract deal for example and calling out real owners to stop robbing kids) and the general nonrecognition of the artists themselves is something I can get behind.
I almost went into the music industry before programming which is why this stuff piques my interests and I'm happy I didn't in many ways due the lawyering. There are big problems in the music industry with plenty of analogies to SciHub/Aaron Schwartz and the academic paper world (10x). There needs to be a rethinking of how musicians and promoters get paid and how ownership of what musical artists are creating is controlled.
Not to totally sidetrack the main point of my original comment :p
I was worried mentioning his name would take this thread off-topic and become all about Kayne. I'm neither an expert on GOOD Records's past nor seek to defend him in general. These arguments applies generally to the industry as a whole and are hardly limited to just to Kanye himself.
The way I came across his statements on the matter was that it was a sort of recent revelation he had. And that it's a thing thats out in the wide open, people have been talking about it for a long time, but it's still just the way it is. The labels have a ton of power, regardless of the changes in the industry.
It's reminds me of entrenched businesses exploiting out-of-date regulatory systems. Like trying to apply the old taxi car numbers cap / medallion model to Ubers system just doesn't make sense at all.
The internet changed the music industry even more than taxis. Especially with artists becoming social media 'influencers' in the process (and almost as a pre-requirement) and more of the power is going back into their hands.
So I support anything that gives the artists more control of their masters/content, more say in the room about distribution since it's not all backroom radio shows and record store deals like it used to be.
When you have soundcloud rappers getting famous with zero major label help its just basic logic that the old-school contracts, major parts of which are still apparently being used frequently by the big labels, will need updating.
Certain power dynamics have clearly changed.
I'm not a lawyer and don't have all the answers but it is an opportunity for more decentralized control and wealth going back to the creators and promoters more directly.
Very much the next Sia who lived in public obscurity for many years but was well known and highly regarding in the business and independent music scene.
Sarah won multiple APRA awards for her work (the ones the Australian music industry cares about) so she'll likely stay in high demand.
If you're looking for a domain I recommend https://domainr.com for search (they get affiliate revenue but I don't) and https://namecheap.com for registration. Namecheap has done a great job of defending privacy and offering a solid product. Also no affiliation, but the CEO did respond to me on twitter!
Switzerland is not part of the european union but has to follow some rules to have access to their market. If Whatsapp breaks E2E it will possibly affect multiple countries.
Sure, there's always-on E2E encryption that is really well designed. However, WhatsApp constantly prompts every user to back up to the cloud, which is much less well secured.
Thus, it's pretty trivial for the authorities to get to it there, I'm sure they can get into iCloud and Google Drive if they want to. It only takes one person in the conversation to have this option switched on. I think this is why WhatsApp doesn't get so much flak from the authorities for having good E2E encryption.
Which is to say WhatsApp is perfectly secure as long as the hostile actor cannot access the WhatsApp backups. Only nation state actors might be able to do that.
Isn't it more like "literally any LEO or pseudo-LEO in a 'friendly' country" at this point based on what we know at this point?
I think the threat model here is less about a hostile actor subverting the backups than the extreme ease of access to all data on those systems that is given to law enforcement?
or until LEO or State Security compels / sidepushes a trojan app update via play store update. It's as trivial as that. Or just tap the baseband chip via the provider.
I don't have a nice name for people in EU parliament that write these things, they don't really understand what encryption is. It's not a technology. You can't ban encryption. Terrorists can just use unencrypted chat and either use their own encryption or they can use predefined words and sentences that actually have a totally different meaning.
This is not from the Parliament. This is from the Council of Ministers. All shitty ideas in the EU come from there or from the Commission. These bodies are not elected and have very little, and very indirect, democratic legitimation.
> They aren’t directly elected, but the minister is from the government of each country, which is elected (at least as most understand the term)
Many ministers are initially elected to posts in their national parliament and then promoted into a government job. But this is not a real requirement, and many aren't. And even those that we elected, we elected for national jobs, not for the EU, and I do think that that makes a difference. This is what I mean by indirect legitimation.
> Parliament is directly elected
Yes.
And that leaves the Commission, which is mostly former-ministers-who-need-a-job and are appointed based on negotiations between the governments.
Unless your country has joined the EU since your last election then you know you know you are electing a government head. Technically you tend to vote for a local representative who then elect the head of governemt but that’s not how people see it, just like they think they vote for Trump or Biden, but they actually vote for electors who could vote for anyone.
Generally we don’t have a directly elected ministers in Europe, just like the US don’t elect the Secretary of State, they are selected by the head of government. Unlike the US they tend to be elected people.
> Unless your country has joined the EU since your last election then you know you know you are electing a government head. [...] Generally we don’t have a directly elected ministers in Europe, [...] they are selected by the head of government.
This is all mostly true. But also very indirect, yes? I remember the discussions about the EU constitution project and the treaty of Lisbon, and this system with national government representatives was sold to us as a necessary democratic counterweight to the "dominance" of the most populous states (especially Germany) in Parliament. I acknowledge the need for some kind of balancing between pure population majority one the one hand and the needs of smaller states on the other hand. A proper elected "upper house" similar to the US Senate, with a fixed number (more than two!) of members from each member state, would be vastly superior to the current system.
(Also, when the corrupt Austrian government collapsed last year, it was replaced for half a year with an "expert cabinet", with a chancellor and ministers who were all very capable and all, but not politicians, and never elected for any position. https://en.wikipedia.org/wiki/Bierlein_government They did refrain from big EU-level moves, but nothing would have stopped them.)
It is also eye opening to watch how MEP vote. This is a farce and has nothing to do with democracy. They just want to enslave and control all Europeans.
They push a button on a screen, which is publicly recorded as a vote for, against, abstain or not present.
Nowhere near superior systems like the U.K. where members leave te room, spend a couple of hours queuing to go into one of two rooms, and then see the result later in the day.
I assume you are being sarcastic and actually think that the UK's "analogue" system of voting is worse because it is slower. Let me assure you that making Westminster votes quicker is not the metric we should be optimising for.
> But actually, a group of Swedish MEPs have revealed that they pressed the wrong button, and have asked to have the record corrected. They have issued a statement saying they'd intended to open a debate on amendments to the Directive so they could help vote down Articles 11 and 13.
> We lost on a technicality, and there is no recourse.
Counter-example in the UK: where the method of voting is walking into a room with your chums, MPs sometimes have to say that they "accidentally" walked into the wrong room:
It's clear your example that they (Swedish MEPs) were all agreed to vote in this direction, since they each press their own button. It's most likely that they didn't understand the significance of the vote and thought better of it afterwards.
I'm not sure if that UK counter-example is as strong as you suggest:
> A spokesman for Mr Stunell, MP for Hazel Grove, said he had voted against the Labour amendment "as he was supposed to" and had gone to get a drink of water for a fellow minister when he found that lobby doors had been "locked".
> "He was temporarily on the wrong side but sanity prevailed and they let him out," he said.
A funny story, but not a legally significant outcome.
Here, it's suggested that MPs sometimes vote both ways to cancel their own mistake out, although they normally claim that they are taking some nuanced view: https://www.publicwhip.org.uk/boths.php
Not to mention that UK MPs can't vote if they have to be absent for any reason - for example if they have child-care duties.
Your original point was that the UK Commons' system of slow voting is foolproof: it isn't.
It's not about listening to terrorists (there were many terrorist attacks, where the police was informed about the terrrists in advance, and still didn't do anything). It's about listening to the masses of their own people.
Yes, isn't it strange how governments keep asking us to sacrifice essential liberties for temporary safety, but never turn around after an attack and say "I guess we were wrong, we shouldn't have sacrificed those liberties". Instead the refrain is always "Well, we obviously didn't take enough liberties".
A middle ground in the encryption/privacy debate seems to be "the authorities can spy on what I do, but have to notify me first".
That could be implemented by having full e2e encryption as today, but requiring clients to hand over the keys when requested by a local governing authority. The client/app would then immediately show to the user "Local Authorities have viewed a copy of this message".
Why isn't this middle ground being discussed?
I understand authorities don't want to alert their targets about an investigation, but let's be honest - if they read the messages and find you've done some crime, authorities will eventually track you down.
I don't know why they are not proposing this instead (well, I do, because they'd prefer more power), but I do not find this proposal acceptable either.
The fact that you might be able to see that a government read a message of yours offers little assurance that the government will not start abusing this power. After all, what possible recourse do we have after we start seeing these notifications on our messages? Certainly the government won't start telling us the exact reason they are snooping. The very fact that your conversations had been snooped on by the government might imply there is something shady about you. Where there is smoke, there's also fire, right? And this still has us relying that governments won't start pressuring clients to have special code which bypasses the notification when it is convenient for them.
No. The government must not be allowed to deny the citizen his right to have private conversations.
> little assurance that the government will not start abusing this power.
My hope is that if millions of people started seeing these messages next to their conversations with their lovers, the people would vote for a different government.
There's a big difference between knowing big brother is scanning for criminals, to seeing big brother has right now looked at my private message.
That's a bleak future to hope for. We can do better. How about if we do not allow big brother to scan for criminals in the first place? Big brother has no business scanning for anything.
Also, remember that criminals are defined by the law and the law is defined by the government.
But they already do that with warrants. As long as they have a warrant and aren't breaking encryption by putting in backdoors, they should have the ability to listen in on conversations.
Yes, without encryption, they have that possibility, after they prove probable cause. Without getting into a debate whether that is appropriate, it is important to keep in mind that it is the citizen's right to privacy of conversations is the more fundamental here. The government does not have a right to snoop on everyone's conversations, they simply have this possibility in certain situations.
The obvious downside is that anyone who cares about privacy will write their own client, governments will regulate against unofficial clients, platforms will comply with the regulation and lock everything down, and the end result will be users unable to exercise any control over what's installed on their devices.
I can picture this. It's the year 2050. You hear about how a dangerous man was arrested the other day and is being charged with owning an unlawful communication device.
I would especially like to see a cryptographic mechanism enforcing such middle ground. That is, a mechanism that would allow law enforcement accessing the private key or plain text, but only with some inescapable side effect which would hinder abusing that power. That may be producing a cryptographic "proof of compromise" for the person being spied on, or the spying being publicized, possibly with some delay, or something else. I am searching for an analogue of having police show up for a home search, which would notify both you and your neighbors, and cannot be done sneakily and by-the-book at the same time.
Are there some interesting candidates for such a mechanism? At first is sounds like a long shot, but there are cryptographic mechanisms achieving unintuitive results, so it may very well be possible.
But then again there is a mechanism already, just not cryptographic, and that is police having to physically seize your device. I guess we don't need to work on this. There's nothing special about an E2E communication device compared to other things you may have in your home.
It is much more difficult to get data off an E2E communication device these days because mobile OSes use cryptography to mitigate the consequences of loss and theft. That is why law enforcement agencies want "the support of service providers," who can do things like deploy a backdoored WhatsApp binary, or bruteforce passcodes without triggering data loss. https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_d...
that's what they need to do even today after they have found enough evidence that the court sent you what's called "notice of inquiry" and preliminary investigations start (it doesn't mean yo are guilty, it means there's gonna be an official investigation on you and after the investigation has ended they're gonna either drop the charges or go to trial).
but crime prevention usually works best when investigations are kept secret.
Imagine if in Italy we called every mob boss the police was investigating on to tell them they were tapping their phones or checking their bank accounts.
They knew it anyway, but that's where the middle ground is.
Another possibility would be, as I've written somewhere else, that a pair of keys is always created and made available to the local authorities, but they have to be authorized from a judge to use them.
The encrypted data is instead kept on the provider side, so that even if someone steals the keys, they can't access the data because it is in a separate facility, protected in the same way it is today, because it's in the best interest of the provider, that is already collecting that data, to keep it safe.
And if someone steals the data, can't decrypt it.
Metadata are also very important to investigators, I imagine that their need to decrypt the conversations comes from the fact that with the metadata they can narrow down the number of suspects to a few, but without the actual content they can't tell exactly what's going on.
> if they read the messages and find you've done some crime, authorities will eventually track you down
that's not so obvious.
I could show you a lot of cases when this has not happened, for various reasons, most of them formal (tapping lasted a few hours more than authorized, tapping was badly misreported in some other meaningless section of the conversation but it's enough to nullify it in its entirety, tapping included someone else that was not under investigation that should have been removed from the records bu it's still there, etc. etc.)
They keep saying "encryption is important" and "law enforcement needs to be able to access relevant data" without ever elaborating why encryption is important, why law enforcement needs access to the data, or even what data law enforcement needs access to. It's just a collection of assertions without any of the insight necessary to have a useful conversation on the subject.
They also completely fail to address the elephant in the room: bad actors already have access to strong encryption and they don't need the blessings of Apple, Microsoft, Google, Facebook, or any organization to use it. Encryption is an idea, not a product. They cannot prevent terrorists from using strong encryption any more than they can prevent terrorists from using algebra.
Less relevant to European regulation, but the FBI's attempt to use phone taps/hotel room bugs to blackmail Dr. Martin Luther King, Jr. int committing suicide[0], is a good example of why we should be suspicious of even lawful intercept. Terrorism is bad, but I think we can all agree a world where the US civil rights movement was stillborn would be much worse than what we have. (They went after more civil rights leaders than just Dr. King.) More recently, FISA courts have a terrible record of filtering out unreasonable lawful intercept requests.
Are there any comparable post-WWII Eurpopean abuses that should make citizens think twice about blanket law enforcement back-doors?
As usual the malevolent statists in Brussels care nothing about the rights of the INDIVIDUAL ... just "government, industry, and society", whatever "society" means:
"Encryption is a necessary means of protecting fundamental rights and the digital security of
governments, industry and society."
But they did reveal themselves by putting the list in order of importance, with "government" first of course.
The statists around the world are increasingly brazen - out in the open - with their objectives. It's remarkable to watch as they hide their aims less as authoritarianism rises around the world, they feel more comfortable not hiding their ambitions for power and control in the programs they implement.
Which makes sense - the US is gradually going Socialist and the world's other superpower is a Communist dictatorship. The world is about to be pinned between two authoritarian nightmares that presume total power over the individual.
This makes me sad and somewhat angry. How does mass spying help in cases like the Vienna attack? If the authorities had done their work as I would expect as citizen and tax payer (the government already admitted massive failures, basically they clearly failed to act on existing intelligence) this would not have happened.
I also think this could spawn lots of Signal-like, self hostable chat-server solutions that will be much harder to spy on. So this could be a shoot in the foot.
The EU Parliament, which votes on proposals but does not write them, defended the right of encryption prior to the most recent election, and it was news that it hoped to enshrine end-to-end encryption as a Fundamental Right of the European Union.
This might change, but there is hope that they will continue with this position.
Since you're likely to have multiple MEP representatives from different parliamentary groups (and different national parties), it's worth getting in touch with each of your representatives by party to make your point clear. Some groups and parties will be more sympathetic than others but all will benefit from hearing this - and phone is more compelling than e-mail.
(I'm still trying to find a previous similar vote that might be enlightening on what you can expect.)
The real fight is against general purpose computing. If I control my CPU, then I can easily implement the Diffie-Hellman algorithm and communicate secretly with my friends around the world. Any ban against encryption is ineffective unless it attacks general purpose computing. We live in scary times!
For someone currently living in Germany, I'd say that protection against government surveillance is one of the main arguments for encrypted conversations between citizens.
> Governments have all sorts of things like machine guns, tanks, and battleships that (rightfully) aren't allowed for the general public.
You have listed three things which are all really the same thing. There is no objection to private ownership of motor vehicles or ships. You object to the weaponry.
But we can put aside the whole right to bear arms debate in this case because there is an obvious way to distinguish it. Encryption is a purely defensive technology.
It is totally illegitimate for a government to prohibit things like armor and electromagnetic shielding, even if some of them do, because these things only defend, they do not attack.
And indeed it would be. Conversely, if you only used a gun to defend your self it would be a defensive technology. Seems like classifying technology as either offensive or defensive is a fool's errand. Perhaps you should try a different argument.
One could maybe play silly rhetorical games like "It wasn't the gun that killed him, it was the bullet", but to say "It wasn't the gun that killed him, it was the house that the killer lived in while she thought about committing the crime" is beyond ridiculous.
I feel quite comfortable classifying encrypted messaging apps in the same category as houses and chain mail, even if the US government has historically disagreed.
There is an difference between doing something directly and indirectly. Anything can do anything given enough indirection. There is no plausible way in which your ordinary use of encryption or body armor could directly harm anybody else. There are some immediately obvious ways that your ordinary use of a howitzer could directly harm somebody else.
And the right to defend yourself using indirect offensive measures has no inherent symmetry with the right of government (or lack thereof) to prevent you from defending yourself using direct defensive measures.
Not really. Ransomware works by creating an encrypted copy of your data and then deleting the original data. The direct harm comes from deleting the original. Where would the harm be if all they did was create an encrypted copy without deleting the original?
And the same attack works if instead of encrypting your data they upload a copy of it to their servers before deleting it. Albeit less efficiently, so we're back to indirect harms.
(The Zumwalt-class destroyer displaces ~15,000 tons, which is too large to be considered a cruiser under the terms of the inter-war naval treaties, and is roughly the displacement of a 1910s-era South Carolina-class battleship).
Thats still less than a half of the displacement of Warspite, third of the Iowas, let alone monsters like the Yamato class. And unlike Zumwalt, all of those had working guns. ;-)
On a more serious note a modern destroyer could sink any of those with long range missiles long before the batlleship could ever get into a range for a proper gun duel.
Not counting modern aircraft with yet more standoof missiles or even the anti/ship ICBMs that are being talked about.
Oh well, battleships were an elegant weapon for a more civilized age...
And there were times countries had lines of battle of these missile targets spanning the horizon - imagine that! :)
Somehow these just look so much more elegant than just spamming more bombers and nukes. Maybe because they usually only caused death of the sailors crewing them and other warships in battle rather than city populations like bombers and nukes often do ? (Well, unless you live in Yarmouth or on the River Plate.)
Disclaimer: I've made - very minor - contributions to the 2017 proposal to enforce mandatory E2E encryption (as a technical consultant, I have no political role of any kind)
How does that follow?
I am as free as anybody else in the EU to use any chat software I want.
This is just a proposal and ha no value in itself until it is approved and ratified by the single parliaments in the EU countries.
EU is not some tirannic state, or some hegemonic super power where when the president loses the elections they refuse to leave.
It's a very complex political institution, that works through official channels.
the proposal is public, there will be a discussion, years of debates, they did not hide it under the carpet, it's in the open so that anyone is aware of what it entails and can react by supporting it or opposing to it.
Nothing to be scared about.
And if the citizen of Europe through their elected members of the EU parliament will approve it, so be it.
Overreacting is equally dangerous, I could argue that if they were really killing the freedom to communicate we should fight them as we would fight an enemy, possibly going to war, armed.
That's not what's happening here.
It might be useful to remember that our communications have never been encrypted before a few years ago and they haven't been less free.
Also: encrypted communication but clear text metadata kinda defeat the purpose of encrypted communication.
If I know where, when and who was involved in a call, I can easily tell that two people chatting and ending up in the same place every time both their partners phones are away from home, could be cheating
If I call an ambulance at the same time and place where an accident happened but the ambulance doesn't report a second vehicle, guess who probably didn't report an accident?
Privacy and secrecy are a broader subject, it's good we discuss about it, it's not good to blindly trust WhatsApp or Facebook with our data.
Bad as it might be, I have more control and trust more my state than a private company on the other side of the World.
First of all, I don't about you, but I am European and have been actively involved in the process of bringing encryption to all of EU citizens, as an obligation to the companies that supply communication software.
I trust the people of EU, on the other hand you seem not to trust other's people capabilities, not even your own parents
> "Apple does know better than the vast majority of its users. It's why I buy, and properly configure, iPhones for my senior citizen parents."
Anyway, back to the point: there is always a tension to find a middle ground between two different opposing interest: one is privacy and secrecy the other is safety.
You probably know technology better than me, you probably know there are technical solutions to the problem that, obviously, involve having some fate that the public servants will exercise the necessary due diligence.
One possible solution that popped out of my mind is to use the same functionalities chat applications use for groups (not because I agree, but because it is possible without compromising too much what we already lacked anyway - secrecy and privacy).
When you have an E2E encrypted group chat every person in the chat receives the encryption keys and messages are encrypted by each sender, signed, sent to the server that than forward it to any participant in the group.
Or you could do it the PGP way, each recipient has its own keys and the message is encrypted for each one of them.
What we need is to add to it separation of church and state.
The state is always participating in these chats, meaning that it always receives a pair of keys, but it has no access to the actual encrypted data, that is stored by the provider and inaccessible by anyone else unless authorized by the justice system.
Nobody, except the key owner, jas the keys to drecrypt them anyway.
It is exactly how it worked before with phone calls, companies kept records of calls and SMS, but they could only be accessed from authorized actors.
Records and keys would expire after a period of time (it was 10 years for phone calls)
objection 1: it means WhatsApp and the other will keep records of my communications -> they are already doing it anyway
objection 2: it would take a lot of space -> they are already doing it anyway
objection 3: that would give the state power over my communications -> it already has it
objection 4: that means anybody could decrypt my messages -> not really, and it would be a crime, you can't prevent crimes by not doing things, in any case it would be easier to steal your phone.
If the government can break encryption, so can hackers. If hackers can break your encryption, and my records are being held in it, then your competition will eat your lunch as I move my records to their services.
Either my data is safe from rogue agents and rogue governments or it is not. If encryption is outlawed, only outlaws will use it.
The EU can make as many logical conclusions it wants to, but reality will come back and bite their law enforcement offices that their criminals won't stop using unbreakable encryption.
The difference between theory and practice is greater in practice than it is in theory.
It's not really true that everyone committing a crime will use cryptography. Most people (including criminals) do not care or think about cryptography that much, but the providers of the services and devices they use to commit crimes do think about it. In that way, lawful service providers help haphazard criminals cover their tracks. I believe the idea is to change that, so that lawful service providers will not provide that level of security anymore.
All that being said, obviously countries outside of the EU will continue to allow cryptography. So, unless they create a "great firewall" sensible people (including sensible criminals) will just move elswhere, possibly weakening the EU's presence in the Internet as a whole (which seems like a bad move to me).
Its a bit naive to believe decision makers are tech-illiterate. Why not consider that they are both literate and understand what they are asking for? Is it because we don't like what that means?
I'd definitely say they are "tech-illiterate". The mere suggestion that we should seek to limit terrorist access to encryption is evident of a fundamental misunderstanding of the technology.
Encryption is not a product. It is not an application made by Apple, Microsoft, Google, or whoever which you use to secure data. Encryption is an idea. Humans have been encrypting information since long before computers. We cannot stop it.
It's like arguing that we should limit terrorist access to algebra. I'd say anyone arguing for that is illiterate when it comes to algebra. Likewise, I'd say anyone arguing for limitations on encryption is illiterate when it comes to encryption.
Because recordings of politicians interacting with experts and NGOs in a recent Norwegian hearing (about bulk metadata collection) makes it seem they have no practical understanding of the subject matter.
Yeah: run for office, win, and then effect policy change. But almost no one's willing to actually do that. They just want easy outs like "contacting your MP" or "donating to an org that says they'll try to fix it".
I mean, I organize petitions, write op-eds (incl. in major national papers), contribute to OSS, have back-and-forths with major decision makers in public, etc. ...
But I don't seem to reach through. I'd be willing to do volunteer work or start an organization, but can't really run for office as I have another career.
Besides: I don't know what party would have me, because it seems to me that the politicians don't understand the arguments nor the premise – they're no tech-experts, after all (which is part of the problem, I suspect).
It can be done - an ex-coleague of mine got elected to the European Parliament last time - ot took two tries but wprled out & he is doing a good job there as far as I can tell. It's hardky an insurmountable barrier.
What can someone like me do to help? Someone who know little about politics or policy, who k ow little about encryption, but who is concerned about the development?
I live in the EU but I am not even sure who my representatives are to whom I could raise my concern. Where in the EU is this being worked on?
They are actually quite responsive when ypu write them! While it was not enough in the end to stop it I had a 50% response rate when I wrote to the Czech representatives in the european parliament due to the article 13 last year.
So they have to make an key for the EU. Then the US will do the same, also make an key for the US too. And China and India would like to have the key too. Then every other country will ask for the same.
At this point you can drop encryption anyway, because 1000 eyes will read every message. Just WTF, and everybody said 2020 can't become more worse.
Is it just me or is the title a bit sensationalized?
For starters, the document is a declaration "ON" encryption, not "AGAINST" it.
Also the document clarifies the intent to work with the industry to come up with solutions that strike a "balance" and not to blanket ban E2EE protocols.
What the EU decides to do if/when they conclude that there are no viable solutions will be interesting.
IMO the heated comments on this thread that have assumed bad intent is (for now) unwarranted.
Read it, it's in English and it's pretty straightforward
> technical solutions for gaining access to encrypted data must match the principles of legality, necessity and proportionality.
> Since there is no single way of achieving the set goals (read, banning or limiting encryption), governments and industry need to work together to create this balance
Can we spin this in a massive public campaign that govt wants encryption backdoors so they can see your privates and be the pedophiles?
Snowden did expose that yes indeed, NSA did share around private pictures of people within themselves and joked around.
The way Uber+Lyft made a giant stink by making everyone acknowledge how Prop22 will affect them before they could hail a ride, tech companies coukd create awareness of anti-encryption in a similar manner right ?
The EU has done a fantastic job painting themselves as defenders of human rights. Don’t fall for it. Democratic governments are representatives of the people and proposals like this only further entrench the political ruling class.
Apart from online personal information (which is still available to governments , so not private) they don't hold high free speech standards as the US does. I dont think there's a perception that EU is the pinnacle of human rights protections.
The EU defends human rights with the exception of allowing the US to spy on EU citizens and businesses and allowing member states to sell weapons to authoritarian regimes that are sometimes used to commit war crimes.
It's a corrupt cabal just like the United States. European citizens like to blind themselves to the atrocities by patting themselves on the back when the EU builds some renewable energy, as if it makes up for the wet work committed by EU members in the Middle East and otherwise. It's almost cult-like.
Ultimately the problem with any idea like this is that encryption is as basic as mathematics and trying to ban it will only harm everyday people and the dumb criminal.
The criminals that want to stay hidden will continue to do so because you will always find open source projects that provides encryption.
It wouldn't be an encryption ban, but a ban on operating a platform that enables E2EE messaging.
Similarly in most places you already cannot be an ISP or VPN provider without following some reporting requirements. And there's no simple way for criminals to get mainstream quality networking services that don't follow regulations.
I don't agree with the ban, but I do think it would certainly hurt many classes criminals. I'd say it's generally a pretty bad strategy to oppose such policies by denying the supposed effect on criminals. All kinds of freedoms benefit some criminals.
You cannot ban it unless you start deep inspection of people conversations. You can easily sneak public keys disguised as regular conversation and then encrypt messages offline and disguise as well.
And I'm sure the government doesn't expect a perfect ban. By going after platforms you'll take the ability to engage in secure E2EE messaging away from a large part of the population.
E2EE messaging that required coordination was already possible for decades and the governments didn't mind that as much.
Users that send too many encrypted blobs can simply be banned by platforms as suspicious (and I wouldn't be surprised if that's happening already). Exchanging files is easiest to detect by centralized platforms and hardest to do efficiently with good delivery assurances in reasonably anonymous decentralized systems.
Not to mention those same bad actors will gladly risk going after those keys. Given the track record of government organizations' secure storage of data, I think it's likely they would succeed.
How is this going to be enforced? The easy thing to do is to ban chat apps offering encryption. But the consequences are much greater. For example, do they need to ban Tor or I2P as well, even SSH? Unencrypted applications will gain encryption and sometimes even anonymization if encapsulated within these. What about abusing legal services using encryption for chat like purposes? All they need to do is to offer collaboration features on shared data?
A writer from Earth visits a space station in another solar system called "Paradise". The space station is ruled by a tatalitary regime on the grounds of safety of the inhabitants as the plannet they originally went to settle truned out to be uninhabitable.
As a results the space station inhabitants live in cramped conditions in rooms with glass walls with no privacy and a computer system analyses their every word for signs of dissent. If some digression is detected, the system automatically lowers social score of the ofeending person.
Lower score means less priviledges and a shitty job and the lowest score means forced labor in dangerous mines on the planet surface "for the good of all". Sometimes people survive that and come back though.
So what have ortinary citizens devised to combat this opressive nightmare ? Steganographic peoetry! It even has its own page on the Wikipedia:
https://en.m.wikipedia.org/wiki/Koalang
Due to the shear amount of material the spzing is done bz computers, so people speak a combonation of metaphors and poetry in a way that can convey meaning to the other party but not to the machine listening in. Its not that easy though, as the spy system is self learning, so one has to continually adjust and not repeate the same methapors ot the computer might get the meaning.
Still the question is - why are they doing this ? Its almost as if the opressive regime ruling the station was not telling the truth and was working hard to cover something very fundametal up about the Paradise station...
We had this book on our highschool reading list and it left quite an impression.
The EU is slowly starting to show their true face. We probably have left at the last minute. I personally think this is an attempted assault on human rights and such ideas should be nipped in a bud and people proposing that banned from any office. My blood boils.
The institutions that write these proposals in the EU have no power to put them into law, though.
Also - I am still shocked how much surveillance there is in the UK compared to mainland Europe. In the UK it's a criminal offence to refuse to hand over passwords for your devices (and encryption keys).
That is not the case in the EU, so I find it quite funny that you cite a proposal that would have to go through the parliament first and could still be overruled by national laws, as a good reason for not being in the EU :D
While every EU member state has the right to veto important laws, there is no way to abolish a law unless all member states agree. So even if 90% of all Germans agree that a EU law should be abolished, they can't overrule tiny countries like Malta or Cyprus. This is a fundamental, undemocratic flaw that most politicians and supreme courts in Europe have yet to realize.
I think a lot of this depends on where your political position is, what is elected in your country and how the the EU is currently pointing. For instance for me as an Austrian citizen my country is significantly more leaning towards surveillance that I'm more worried about what we would be doing if we were not protected by the EU lawmaking process getting a lot more scrutiny and visibility.
I'm Austrian as well and I don't think lawmaking would go in the direction of surveillance without the EU. Austria's main ruling party has too many show politicians - I think they can do what they do now because they don't have to say in public what they do. In short: I don't think Sebastian Kurz would say in public that he wants all encryption (or chat app encryption) to be illegal.
These things come from EC. Your vote does not influence incoming legislation. Only way to achieve something is lobbying and you'd have to find huge sums to have EC members even consider talking to you. They can make a lot of money from controlling the communication of citizens and you cannot vote them out, so what's the alternative?
Legislation in most countries does not come from elected officials, it typically is drafted up by lawyers. That's not a good argument. With the commission a lot of what ends up on the proposals is lobbied by citizens and it's the MEP that vote on it before becoming law who are elected.
I vote liberal parties in my country and that has done jack shit to prevent shitty laws to be passed because the majority seems to be electing the types of people who absolutely adore surveillance.
The difference is that you can vote for people who choose lawyers and they can influence what lawyers write. You dont have this much control in the EU.
The governments of each country in the EU, elected democratically, are the people who choose the specific law-writers (council of ministers) who you are critical of for proposing this law in this story.
To the extent that conspiracies of “deep state” or “lobbyist” are involved, the only reason the EU is different to the member states themselves is that it’s a single big target instead of a lot of small ones.
And in this case lawyers role is to implement what EC proposed and MEPs voted in. Elected governments are like management of McDonalds franchise. People can choose chair layout or where napkins are located.
??? This is the Council of the European Union, which is the relevant cabinet members from the national governments. You vote out your representative in, say, the Environment Council, in exactly the same way you vote out the national Minister of Environment (or equivalent) in your EU country, because it's literally the same person.
Confusingly, there's also the European Council. You vote out your representative in there by voting out your your head of government (president, premier, taoiseach etc.), because again, it's literally the same person.
And if you're talking about the commission, which seems to have little to do with this, you vote them out by voting in different heads of government (again) to nominate different commissioners/a different president, and/or different members of the European parliament to not confirm them.
In the UK? Voting is a paper tiger for stuff like this. The bill was supported by both Tories and Labour, and I was living in a Tory safe seat. I mean, I could’ve moved to Scotland and supported the SNP bid for independence or Wales and Plaid Cymru (but not NI and Sinn Féin given their policy of not taking their seats), but realistically there was nothing I could do about it other than what I did do about it.
If you didn't have any luck with the House of Commons, you perhaps should have tried voting for a different member of the House of Lords, or different judges, or a different monarch. Now that the UK has left the EU, you don't have to worry about those institutions being overridden by unelected MEPs.
By the time the next UK general election is scheduled, I rather hope to have replaced my UK citizenship with a German one. (It’s not certain I could do it that fast, but I’m going to try).
I agree save for the attack on the EU at the start. I'm assuming you're English (or an Irish Unionist), and will point out that the UK has been entirely onboard with the EU's most egregious abuses of power. Hell, some of them were the UK's idea. (EUCD Article 17 comes to mind.) In this particular case the UK already has local laws which establish a legal duty to decrypt data on command of the government. As far as I'm concerned the UK's hands are just as dirty as any other EU member state, and the problems with the EU are not the institution itself but the member states that make it up using it as a policy laundering device.
Fun fact, almost all of that surveillance is operated by private players - pubs, shops, small stores, etc. The UK never had a Big Brother set up unlike some mainland cities. People keep bringing up this bullshit statistic without going deeper.
And it's not like the police can barge in and demand video.
I mean sure there is the GCHQ and all of its shenanigans, but none closely resembling a system where the police track your movements every single second via video feed.
Well then there is nothing to worry about haha, you sure seem like a splendid lad and the coppers won't ever knock on your door for wrong-think will they, because that has never happened right, that simply isn't a thing in the UK, couldn't be me I surely have only officially approved opinions haha I love this new law
Funnily when I was in London, coppers knocked on my door at least twice a year on average. It was a running gag towards the end.
Considering that I come from a third world nation where the cops often pull members of my community aside for searches and special checks, the British police force for all their faults are a breath of fresh air. I've been exactly in that spot, with police using surveillance data and national ID data to arrest protestors and put them under false charges. I've personally almost been arrested for no reason except for 1.) walking in the night alone and 2.) walking at night in suspicious clothing (i.e. T-shirt and shorts).
Brexit was founded on the misunderstanding that it was "faceless unelected bureaucrats" that run the EU. I'd argue Britons wielded more power than most others in the EU, and that the EU parliament is quite a lot more democratic than the British one. The british are now stuck with the UK parliament without adult supervision.
Because they still had exactly the same power in their own government, and a sizable chunk of power in the European one. Now they'll follow a huge part of European regulations to be able to trade, but have no seat at the table.
I note that here I am in the UK, and the current home secretary appears to be Priti Patel. Who is far more hardline on this than the EU, and not in the good direction.
If we left at the last minute, it's so that we can go faster. One of the things we are deliberately jettisoning is the protections afforded us by being in the EU.
Could you please name a party who's against this? The Pirate Party UK recently disbanded. There is no one to vote for and practically starting a party won't achieve much. Seriously, give me a party to vote for to reduce the state of surveillance in the UK.
It does not exist because there is no public awareness. One of the parties could start looking into it and make noise. But if it won't catch up with the public it won't happen, however without EU at least we have a chance.
Which is why we can now watch our protections and human rights and other such vanish into the distance. Without the need to convince dozens of other countries to join in, the UK can fuck itself over. The greatest threat to the liberties of the British people remains its own government and ruling classes.
People who cared about this in the UK; our best bet was to stay in the EU which is not nearly so extreme about it as the UK is. The current UK government is looking forwards to jettisoning the protections and human rights that were afforded us by being in the EU.
That said, the current UK government is fantastically inept. Everything they touch turns to shit, and any time BoJo says he absolutely won't do something - he'll crumble in a fortnight (see e.g. every EU negotiation, Lockdown 2.0, the feeding children fiasco, etc etc).
There are current UK ministers whose names have become bywords for incompetency and government fuckup. If the UK decided to ban encryption tomorrow, and the government put their best people on it, we'd be looking at a decade or so before they got anywhere. The EU are heading to a more moderate place, but they will get there faster by virtue of not being British; by not having to do it via the dream team of Johnson, Cummings, and whoever is in charge of screwing up everything they touch this week (Chris Grayling, the man who paid millions to a ferry company that had never owned, chartered, leased or in any other way been involved with a ferry or single ferry route, historically takes this role).
> the current home secretary appears to be Priti Patel.
Ah, Priti Patel, the minister that was forced to resign by the May government for having had several secret meetings with Israeli officials during her tenure. Enjoy the UK!
I don't understand what this solves. If bad guys want to do bad things via chat, they can easily create their on chat app that encrypts messages in a few lines of code.
This is only step 1. Step 2 is to ban people from installing unapproved apps on their phone. But, as you say, these apps are just a few lines of code, so step 3 is stopping people visiting non-whitelisted websites.
When the only real solution is to outlaw encryption, it is disingenuous for government (or the EU president to ask member governments) to “call on industry to work together.”
By working together the President means “we hate encryption but it’s politically distasteful to ban it, so we’re going to make you ban it instead or else we’ll backdate your Irish taxes to be Belgian ones instead.”
Good lord. As a Scot, when the UK voted to leave the EU, I lamented the fact that the EU has always seemed more liberal, more sensible on privacy and human rights than the UK's home secretaries invariably are. It felt like the EU helped keep our politicians in check, keep them from doing anything too insane.
If the liberal EU is taking a stance like this, what hope is there?!
Recently every crime seems to make legislators think it's time to tighten the grip and introduce more laws to fix societal problems, which remain the same, while I and everyone else is forced to abide by more and more absurd laws.
Most recently when criminals went all-out in Austria with guns the police later admitted they knew the attacker was shopping for ammo. What would change if the police knew they were chit-chatting by tapping into their coms as a man-in-the-middle. Likely they would be saying after the attack they were hating the state over whatever-chat while the attacks would happen nontheless. By banning encryption nothing would change but the potential for abuse is incredible.
What we need is less legislation, that actually has some measurable positive effect. It would also help if EU was way more aggressive against countries that sponsored various terrorist groups, overthrew governments and pushed some middleeastern countries back into the dark ages.
Perhaps some groups want to ban encryption to get more information, for example to force politiceans to resign. That is to know small bad things about people to make them resign. For example Madrid President (*),
or Dominique Strauss, or Monica Levinski case. Many people rip off their clothes in outrage when their minds are conveniently manipulated. Getting information for pouring shit into your political adversary, who is going to ban that before banning encryption?
I have ranted against this many times, and I will say it one more time: the goal of war on encryption is not fight with terrorism. It is thought-policing.
Terrorists have easy ways to talk to each other securely, using GPG and email, or even SSH for that matter. They don't need fancy apps, filters, masks, stickers and other UX candy.
General population, on the other hand, wants these things, and uses a small number of apps that government wants to control. Turns out, not just in authoritarian countries, but in a supposedly democratic EU too. It is common people who are most affected by lack of privacy, and the goal is the same that STASI / KGB had: to filter out dissidents who might pose risk to those who are currenlty at the top.
Such powers can be abused easily, and it special services will be granted such powers, they WILL be abused. So a duty of every free person is to fight such proposals and kill them outright.
As someone in tech I’m well aware of the downsides, and inclined to agree with the consensus here that this is a really bad idea.
However, I’m interested in at least understanding the other side. Are there any studies or estimates of the effect this might have? How many crimes would have actually been prevented by this, in the past few years? How many lives saved or child trafficking victims spared?
Of course, criminal behavior might easily change once a law like this is passed, but this would at least help give an upper bound on the benefit and my guess is it would still be very low. The world mostly continues to get safer and safer, there are still some outlier horrific crimes that happen but these might not be affected by banning encryption (such as mass shootings, which are usually a single person not coordinating with anybody).
I would just like to understand what concrete problem this solves from the lawmakers perspective.
1. creating a backdoor defeats the purpose of having encryption in the first place. it makes the creation of encryption irrelevant and pointless. a chicken and egg scenario. so it's an all or nothing kind of argument.
2. don't quantum computers make all encryption obsolete anyways? and with quantum encryption, whether or not your data gets compromised, it tells you that someone tried to, or got access to, your encrypted data.
it seems like the government already has a backdoor for all encryptions since they already have a quantum computer. so i think that this whole argument is more about setting the precedent of control over a population. gaining consensus and solidifying power. something you do when you're trying to increase your influence [which someone says the gov is always trying to do]. applying the use of force to encryption.
i think the thing for humanity to realize is that absolutes exist only in oblivion
To suggest there is a 'fair right' to data behind encryption for goverment use, to my mind, somewhat misses the point of encryption and privacy in general. This is the point I believe we should be arguing.
Your representaiton of the article as a 'declaration against encryption' somewhat undermines this argument, and polarises it into an 'us vs them' debate.
For accuracy, this document is titled:
"Draft Council Declaration on Encryption
- Security through encryption and security despite encryption"
Its pretty handwavy, overly general, and seems to call for some sort of 'back door' from the tech companies. Missing the point really, anybody wishing to use strong encryption for criminal purpoes can do so so with very few resources, and quite independently.
So, basically they want a backdoor but want strong encryption as well. In this case you can't have your cake and eat it.
And really how are they going to make this happen? I'm sure Whatsapp, Telegram etc will cave in. But there will always remain open-source solutions. Encryption is not a secret.
Google translate (more info in English -- the note itself -- is linked in the article as [PDF], link at the bottom):
The terrorist attack is followed by an EU ban on encryption
In the EU Council of Ministers, a resolution was made ready within five days, obliging platform operators such as WhatsApp, Signal and Co to create master keys for monitoring E2E-encrypted chats and messages.
Share on Facebook Share on Twitter
From Erich Moechel
The terrorist attack in Vienna is used in the EU Council of Ministers to enforce a ban on secure encryption for services such as WhatsApp, Signal and many others in the rapid-boiling process. This emerges from an internal document dated November 6th from the German Council Presidency to the delegations of the member states in the Council, which ORF.at has received.
This should now be understood under the "further steps against terrorism" that French President Emmanuel Macron wants to discuss with Federal Chancellor Sebastian Kurz (ÖVP) in a video conference at the beginning of the week. The resolution has already been agreed to such an extent that it can be passed in the video conference of the interior and justice ministers at the beginning of December without further discussion.
text
<<picture: screenshot of a note from "presidency" to "delegations". Higlighted portion is "Draft Council Resolution on encryption - Security trough encryption and security despite encryption">>
On the right are the council working groups to which this text was sent, the first revised version of which was apparently ready on Friday. As is customary in the Council of Ministers, the document was classified as a "limit". As for this reason it is nowhere available to the public apart from the Council, it is made available here. [PDF]
The final trialogue negotiations on the regulation against terrorism are currently underway in Brussels. The sticking point here are the planned upload filters for relevant videos .
Analogies to data retention
Macron's visit, originally planned for the beginning of next week, turned into a video conference “to fight Islamist terrorism” due to the pandemic. In addition, the EU Council President Charles Michel is due to visit Vienna on Monday, who will also hold talks with Chancellor Kurz. In addition, European Minister Karoline Edtstadler (ÖVP) welcomes the French Secretary of State for Europe, Clement Beaune, to the Federal Chancellery. Of course, it is not just about expressing condolences.
In the meantime it is becoming increasingly clear that apparently hair-raising investigative errors in the BVT made the attack possible in the first place and not a lack of digital surveillance powers. However, whether there is any such connection to the act is irrelevant. In Brussels, such an occasion has been abused for 25 years with disdainful regularity to implement surveillance projects that have long been planned. In this way, the data retention, which had been controversial in the EU for five years after the train attacks in Madrid (2004) and London by Islamists (2005), was channeled through the Council of Ministers and Parliament.
text
<<picture: screenshot from the note pdf: Protecting the privacy and security of communications through encryption and at the same time upholding the possibility for competent authorities in the area of security and criminal justice to lawfully access relevant data for legitimate, clearly defined purposes infighting serious and/or organized crimes and terrorism, including in the digital world, are extremely important. Any actions taken have to balance these interests carefully.>>
The latest changes (bold and underlined) show which formulations were complained about in the text by individual member states. “Terrorism” and an inconspicuous change in the wording were added last. Instead of the usual “law enforcement” in all documents since 1995, the term “competent authorities” is now consistently used. Who is meant by this is below.
Farewell without further discussion
According to the document - any final objections are requested - this resolution of the Council of Ministers is not only almost completely formulated. It has apparently already been voted on in the Council. On November 19, it is to be adopted by the Council Working Group on Cooperation in the National Security Sector (COSI), and on 25th it is planned to be presented to the Council of Permanent Representatives of the EU Member States (COREPER). There, the council resolution already has the status of an I-item, so it can pass without further discussion.
The decision will then be celebrated in a virtual meeting of the Council of Interior and Justice Ministers planned for the beginning of December. What will follow is clear, namely an order from the Council of Ministers to the EU Commission to draw up a draft regulation, which will then go through the usual procedure by Parliament and the Council. In view of the apparent unanimity, however, it would be possible in the Council of Ministers to implement the planned regulation in its core even without the involvement of Parliament. That has already been done in connection with surveillance. For example, the famous decision in the Council's Fisheries Committee of 1995 to monitor the then new GSM networks was carried through as an A-Item (decided matter), of which the EU Parliament only became aware after it came into force in 1996.
text
<<picture, highlighted text it "Enable law enforcement access to content in a readable and usable format where an authorization is lawfully issues>>
This passage looks confusingly similar to the EU Council of Ministers decision, but does not come from Europe. Rather, it can be found in a resolution by the interior and justice ministers from the “Five Eyes” states, dated October 11th. In addition to Europol and various European services, the espionage alliance is one of the driving forces behind the current resolution of the Council of Ministers.
Driving forces in the background
The presentation of the “moderate suggestions” by the GCHQ for duplicate keys at the end of 2018 was still met with heavy criticism
France has been promoting the action against secure encryption on platforms such as WhatsApp, originally initiated by Great Britain, throughout the year at EU level. The ground for this has been prepared since 2015 in a whole series of campaigns that were run alternately by Europol and FBI or the services of the “Five Eyes” espionage alliance and the responsible ministers. It was only at the beginning of October that the interior ministers of these five countries - Great Britain, USA, Australia, New Zealand and Canada - asked the Internet companies again to equip their IT networks with back doors for law enforcement officers.
They were seconded by their counterparts in Japan and India. Why the secret service alliance has so conspicuously worried about the unfortunate prosecutors for years is actually self-explanatory. They are the remaining “Competent Authorities” that will also be granted access.
"Competent Authorities" send their regards
According to further information available from ORF.at, the monitoring method “Exceptional Access” should be selected, which is already indirectly evident from this non-technical resolution text. The one from the British “National Cyber Security Center” (NCSC) was selected from eight possible model proposals, all of which stem from technical scenarios from various secret services. The NCSC is a division of the British military intelligence service GCHQ. Platform operators such as WhatsApp, Signal and Co, who all use E2E encryption, are to be obliged to create and store additional master keys.
Sketches from documents
<<picture: graph showing messages transiting on an "ESP server" before reaching the target device>>
Here a duplicate key for third parties is smuggled into the encryption process of two chat participants, it is the "Exceptional Access" method of the GCHQ. Like all other variants contained in this document, this has nothing to do with secure encryption, it is simply different types of "man-in-the-middle" attacks on secure communication. The study was carried out on behalf of the German Council Presidency and published in August by the specialist magazine Politico .
These are the “competent authorities”: GCHQ, DGSE, BND, etc. whose vacuum cleaner methods on the glass fibers bring in less and less processable data due to increasing transport encryption. In order to avert this threatening data poverty, general keys have now been requested and it looks like this will also be approved in the council. Then the BVT, which does not even manage to eliminate a terrorist who is served twice on a silver platter by two other services, will not be able to investigate in future even in chat histories for weeks.
If you are accused of something you have a right to remain silent. Wouldn't this proposal violate this? If you spy on someone's communication you essentially change the audience to whom the accused may not wish to speak to.
I understand that the authorities want to catch the bad people, but where does it end? Should we accept having a civil servant and their handler in our homes? Should we have weekly polygraph testing? What if someone speaks in a code, that is the spoken sentences will have a different meaning than what language would suggest? What if someone speaks their mother tongue, is that going to be classed as circumvention of surveillance?
Why this is even an official proposal?
I remember what it was like when we didn't rely on mobile phones. a lot of the communications with loved ones and friends that is now taking place over E2EE channels used to be in person. But back then we also didn't spend all our days in the office. My dad used to be back at 18:00 and home-offices were unheard of for most jobs.
The argument is now to break open what has been until now a private comms channel in order to catch a few crooks, pedos and nutters. Guess we should all be prepared for a stronger presence of people wearing uniforms in our lives.
The current HN link points to a page written in what looks like the German language to me. I do not understand German. The German language could be and has historically been used to spread hatred resulting in the deaths of millions of people. It is clearly risky to allow people to run around using languages I don't understand. Especially scary languages like German. And that includes Dutch.
Please ban all speech that is not understandable by me. If you are that concerned about privacy, you can use Pig Latin.
One thing these kinds of documents never seem to incorporate, is something along the lines of "how do we stop 'legally allowed' groups from one jurisdiction, from accessing politicians communications in another?".
For example, if backdoor(s) are added to all EU E2E encryption through this... then the NSA and other non-EU groups will be listening in on EU leadership's (eg Angela Merkel) private communications 24/7.
That's not a scenario the EU leadership seems like it would be ok with.
And of course, government officials will be exempt from that backdoor. I would like to see CIA agreeing that FBI has "lawful" backdoor access to all their secrets.
Sorry if this is an aside, but I mean... practically speaking, wouldn't a ban on encryption basically be useful and impossible to enforce? The US export controls on encryption in the 1990s were largely ineffective, no?
Forcing Apple/Microsoft to build in backdoors in their implementations of encryption packages might be one thing, but software developers surely have local copies of openssl, libsodium, etc, so what will this actually be able to achieve?
An enormous problem with laws of this nature is that they create a large new category of contraband. It is worse than drug laws in that this is invisible, weightless contraband that can be instantly delivered anywhere. Defending yourself against accusations that you posses this kind of contraband will be devilishly difficult. Inevitably that will be used to make false accusations, often against vulnerable minorities.
prohibiting encryption practically means prohibiting speech whenever government can't understand it or even just when government can suspect that there is another interpretation possible (would be one more reason for the straight very simple language in 1984). That naturally leads to government having right to demand a detailed explanation to any speech and actions to the full understanding/satisfaction by the government. I mean that belly dance moves may be an encrypted sequence carrying an secret message. Now, try to prove (to the full satisfaction of that polite government bureaucrat) that is isn't.
Conspiracy theory - wise : how about an idea that the authorities let the terrorist act to happen (as they had been warned in advance about the guy) in order to have pretext to make further push for tightening of the screws ( Belarus has just again shown the power of social media communication channels and that couldn't have been missed by the powers-to-be). I mean it is kind of curious how immediately after the terrorist act where AK-47 was used there is an attack on encryption instead of say on AK-47 sales.
This is really 3 problems for the EU or whatever government wants to bring this in.
The way I see it is the government/EU, whatever, needs to first force this encryption backdoor into use, then force everyone to only use chat apps with the backdoor, and finally force everybody not to go looking for this backdoor.
They are listed in order of difficulty. And they are totalitarian in their level of force.
I'm not a Brexiteer (never was either), but frankly I'm disgusted at the EU for this. People elsewhere on this thread keep bringing up Priti Patel and how she's much worse than an encryption ban, but she's a useless wench who won't be able to do shit, and at least we can kick her out of Cabinet, unlike the faceless super-bureaucracy of the EU.
It's not like Britain is any better than the EU in how it treats encryption. I remember them demanding private keys from Whatsapp. Though I agree it's much easier to lobby for change in a single country than to lobby change in a democratically deficient structure like the EU, where you first have to change local governments in EU countries, which in turn have to change eurocomissars, who will propose new legislation to the European parliament, where you too have to have the majority on your side.
Perhaps. Feeling is different to being, however. If the latest abuses of secondary legislation in the name of coronavirus and our government’s general disregard for the law doesn’t scare the sovereign types, I’m not sure what will
Personally, I think this proposal does not mean much unless it actually passes parliament, which I find very unlikely (if it actually bans encryption like the title suggests, that is).
Ah, so that's where the Covid recovery funds are going. I was wondering why small business can't access any of it, or why it's not invested in tech (well, I guess you can call this "tech) and energy. Paid for by your taxes.
Why don't we just ban crime, surely that's more effective.
"Law
enforcement and judicial authorities must be able to access data in a lawful and targeted manner, in
full respect of fundamental rights and data protection regime, while upholding cybersecurity."
For me it sounds like banning legal weapons in the expectation that all criminals are going to follow the rules.
I expected nothing less from the EU. They say that strong encryption is important to our society. It is important for privacy. And then they go on explaining how they're going to undermine that encryption. I absolutely hate this double speak. They do it all the time in the EU.
It's really ridiculous. Law enforcement and intelligence constantly fail to pay attention to forewarnings or invest in investigations, but right-wing populists still continue to nab on citizens' and human rights.
Austia, for instance, was informed by Turkey and Slovakia about that man's IS affiliation.
HN reads from EU, take half an hour to contact your EU parlament elect and provide them with information and arguments on why this law shouldn't be passed. The comments with links on this thread should help you compile a reasonable email.
Stuff like this is exactly why I'm planning to move out of the EU soon. After article 13 and nonsense like this it's clear that the EU does not serve the interests of its member states' citizens.
There are several powers in conflict over "control of the EU". Parliament is often a lot more reasonable than the Commission or the Council of Ministers. They may well reject this. But it's also possible that it will have to go through the Court of Justice, which has to restore our human rights more often that it should need to.
If this came to pass and a person wanted to shut down their online accounts before they immediately get hacked, how would you live a modern life as a software engineer?
People often point to child predators when they argue for things like this. We have examples like Facebook where there's no privacy and child predators abound.
Liberalism has failed. It was a great truce between political factions and (not all that different) value systems. But the value systems are drifting further apart. Conservatives and liberals no longer tolerate each other and technology has made it easier to coordinate and carry out mass illegality.
The future is more authoritarian states that don’t espouse neutrality but firmly embrace a value system and enforce it. We are seeing this already. In the US, the political battle is now between left authoritarians and right authoritarians (grudgingly dragging right-liberals/libertarians with them).
This is awful for people with liberal (left or right) sensibilities because it raises the stakes of politics. But there’s nothing we can do about it. Only authority can hold our societies together at this point.
Democracy will probably survive, but liberalism will not, except in its vestigial form. In America (unlike Europe), the government will not come for you for expressing your opinions, but it will indoctrinate your children against you and it will increasingly limit the exercise of freedom of conscience. It will not arrest you for publishing an article, but it will also not stop monopolist private platforms from censoring you, and will in fact encourage that censorship as responsible.
Wouldn't it be feasible to say, have a video streaming site hide messages it its streams and also in its control data? More sophisticated methods are of course possible. Basically "outlawing encryption means only outlaws have encryption."
The only use from any such laws is surveillance of the public at large.
My serious question is this: how do we stop terrorism and criminals when they have access to military grade encryption technology?
It seems like there is a lot of ideological push for freedom, but as criminal activity moves to the virtual world, have we not created a problem for ourselves?
If you let fear be your guide you would never even leave the house.
Don't do bad things and there won't be terrorists.
Attack other countries, incite wars and you'll have them.
It's simple. Don't be a douche and no one will slap your face.
That seems like such a gross oversimplification I don’t even know where to start. There will always be those in society who want to do harm for one reason or another, utopia does not exist. These people are what we call criminals.
Most criminals are criminals because of the circumstances.
Circumstances can be improved but they'd rather spend 5.5 billion (the one after the million) € on Eurofighters than make away with poverty.
We could go back and forth and it would change nothing at all because no one from the EC will see it and as an EU citizen I can't change the resolution, because the EP can't do anything about it.
And just because there are "criminals" doesn't mean that I have to live behind steel bars in my house and let every letter be seen by some policeman before I read it.
We're also not talking about criminals, we're talking about some guy who's country was attacked, maybe his family killed. Who knows what his motives were? I don't.
US, EU, Russia, Turkey all waged a proxy war in Syria.
If not for that war maybe he would not had done what he did.
If not for 9/11 there would be no ISIS.
Why does the US have to plunder other countries? Instigate wars in other countries? If anything we should send to refugees to the US because they're to blame for it all.
> Why does the US have to plunder other countries? Instigate wars in other countries? If anything we should send to refugees to the US because they're to blame for it all.
It's not just the US, you said it yourself - France, Russia, Turkey, Saudi Arabia, the EU (agricultural subsidies make it impossible for local African farmers to compete with cheap, subsidised surpluses from the EU), Germany (weapon deals), China, and many others depending on region.
It's easy to point the finger to just the US, but in reality it's been European colonialism that started most of the mess in the first place. Just compare the borders in Africa and the Middle East to the borders in Europe and you might get an idea why peace and prosperity might be a long ways away.
> Most criminals are criminals because of the circumstances. Circumstances can be improved but they'd rather spend 5.5 billion (the one after the million) € on Eurofighters than make away with poverty.
The EU alone has a population of 440M. 5.5Bn is just 12.5€/person. Say 1 in 1000 people within the EU can be considered poor, that's still just 12500€ per poor person. That might be great for a year in many places, but then you'd have the same problem again next year. And the year after that, and the year after that...
Circumstances can be improved, but it doesn't start with money. The first step needs to be the disbandment of ghettos - way too many migrant families are segregated into their own streets, city blocks and quarters. Their children are stigmatised from birth and discrimination starts at an early age.
These people don't need money - they need a perspective, a fair chance, and acceptance. As long as football fans throw racial slurs even at their own players and as long as your country of birth, ethnic- and social background determines your future more than your skills, personality and hard work, being a terrorist or criminal has more appeal than being a productive part of society.
Your view of reality is that of a severely coddled person. In reality, you cannot have rich without poor, unless you suggest literal communism. Even in Scandinavian utopias, people rape, steal and murder.
Please wake up from the fairy tale that all bad things have a just cause that can be fixed. No. Some people would rather steal your stuff than go to the trouble of getting their own legitimately.
> My serious question is this: how do we stop terrorism and criminals when they have access to military grade encryption technology?
You don't and technology has nothing to with it either.
Terrorism is as old as government itself and doesn't need the internet in order to function.
Radicalisation takes place in many places and law enforcement as well as national intelligence agencies have put their focus away from good old-fashioned police work, infiltration and observation towards telecommunication.
Terrorism is neither a new phenomenon nor boosted by the internet - it's our perception that has been boosted. Today, every single incident is instantly known and international news.
People just seem to have forgotten that terrorism was pretty much part of daily life in past decades, too (the German version seems to be more complete, listing terror attacks without fatalities as well: https://de.wikipedia.org/wiki/Liste_von_Terroranschlägen_im_... )
Exchange of information and coordination doesn't require encrypted internet technology at all.
In Spain, ETA declared a new ceasefire in 2010 presumably because political parties with ties to them were banned and a leading member died (of undisclosed cause).
In Germany, the left-wing terror group RAF disbanded in 1998 after key members had been arrested and the 1991 collapse of the Soviet Union, Germany reunification and the subsequent disintegration of the communist bloc basically robbed them of their ideological base, support structures and legitimisation.
The whole IRA business seemed somewhat sorted with the Good Friday Agreement in 1998, but in the aftermath of Brexit tensions seem to start to raise again.
Basically, politics, old school police work and having a close eye on organisations are much more effective than mass surveillance and technology.
You won't be able to catch every "lone wolf" - be that the right-wing extremist who starts a mass shooting or the Islamic extremist who randomly stabs people.
But you can avoid a lot of it by enforcing a zero-tolerance policy (most of the recent extremist terrorists had a criminal record), deporting criminals, shutting down organisations that support terrorism (including mosques if applicable) and drying out sources of finance.
Mass surveillance, bans, and thought crime (i.e. "hate speech", which is basically a blanket term for "I am offended" these days) are not viable solutions.
I think you missed the part where law enforcement has problems putting criminals behind bars because there is too little evidence. This happens all the time.
Three of the terrorists involved in recent attacks in Germany and Austria had been behind bars already.
This is not as big a problem as it's made out to be. These guys aren't mobsters or professional fraudsters - they're violent criminals and (domestic) terrorists with no regards for covering their tracks.
Little known fact: the Trump NSC, in its capacity as delegates to bilateral and multilateral fora, was the sole remaining force for strong encryption rights for individuals.
In that regard, is any large organisation different?
I tried to convince the UK government this was a terrible idea when the Investigatory Powers Act was going through. I failed to make any difference at all to any part of it, but I did learn about Select Committees while trying to find out which MP I had to try to convince given my local MP was a powerless newbie.
With the UK, I've found (as a foreigner with voting rights previously) that it's best to build your relationship with a seniorish MP, and if that doesn't work, cough up to donate around 8-10k to the parties every year (for much more senior access). You'll pop a few eyeballs in Labour with such a donation, while the Conservatives have their own special interest groups for donors (although these usually end up as mass grilling sessions for the MPs).
I don’t know if I should be happy to know I personally can afford to buy access to UK politicians, or embarrassed that they are so cheap, but either way that is a very interesting anecdote.
I'd appreciate that at least the system is overt. All of the above information usually is public info. You know exactly which politician got funded by which Russian tycoon, etc.
Instead of the Office and President, have a commission of 50 presidents. Each state chooses one commissioner. But not by election, instead let the state legislature choose the commissioner for the state. The House needs to approve the members of the commission.
Instead of Senate, have regular meetings of all state governors (or someone from their offices). Also, state governors are not chosen in elections, but by the state legislatures.
Keep House as it is, but House cannot initiate new legislation. They can only approve/deny proposals from commission and the governors-senate.
Are you suggesting they are doing it in violation of some law? This law isn't even a law yet, it's a proposal. Obviously eavesdropping and storing data with a court order is a valid use case under the GDPR. The GDPR might help ensure authorities properly delete old data though. I'm hoping that's already sorted since I hope authorities like law enforcement comply with the GDPR.
There is nothing inherent about eavesdropping that would violate the GDPR.
some non-obvious negative effects of banning end-to-end encryption:
1. an individual loses his power against large corporations, most importantly, GOVERNMENTS. Large structures become corrupt over time and occasionally need to be demolished partially or fully because they stop serving their purpose but start serving their self-interest. Only an individual, not groups, as ultimate indivisible units is the last resort for all values that any civilisation is built on: starting from justice, democracy etc. Thus, e-2-e encryption empowers individuals (putting aside criminals that cane be considered as a necessary evil) that doesn't make groups in power happy. So, by shifting the power from individuals to groups, the first loose an ability to use their intrinsic, built by billions of years of evolution, judgements what is good and what is now, to keep the system in check and press a red button when needed to destroy a government (like Nazi) that went out of control or a corporation.
2. Introducing these kind of anti-individualistic laws creates a bad example for already corrupted and authoritarian countries lie Russia, China and others, that would use this as an justifications to toughen already draconian laws to control their citizens. Once they do loose a good example of freedom that is meant to exist in western countries, they would become corrupted even more, causing not only troubles, but potentially military confrontations that would cost way more than those relatively small issues caused by criminals.
Even just this simple example shows that stepping aside from principles for the sake of expedience may create unforeseen consequences that left governments (because all governments in europe are large and trying to become even larger) don't want to realise because of one simple reason: they have already transformed from serving their initial idea and purpose to being self-serving.
Anyone else getting mixed messages here? Seems like the TL;DR is something like "Encryption is great and helps people be safe and also for our own safety we need the ability to break encryption"
I also don't see how they can propose with a straight face that encryption is important in securing human rights while advocating for governmental ability to break encryption.
One aspect people don’t realize that this will be abused by those in power for inside information.
Imagine having access to the cell phone data of scientists developing the Covid vaccine and getting inside info on their timeline to announcing a working vaccine. They then make calls or pump money into the company and make money.
This is ripe for financial abuse from governments and representatives.
There is no "reasonable middle ground" in this issue. Either the encryption works, and it protects the conversation, or it doesn't and it can be broken by both state and private actors, foreign or domestic. It is not like other policies in the phisical world, where a compromise on guns, drugs etc. can be reached that maximize the social welfare. The mathematics of encryption do not allow partial privacy, you either have it, or you don't and when you do, no government can break it.
It follows that any "reasonable balance" in practice alwas means a de facto ban of encryption technology, and replacing it with a state monopoly on encryption. Thus, citizens could pe provided with simulated encryption tools, where messages are securely sent to infrastructure controlled by the government, stored, then resent securely to the intended recipient, with the state or their intermediaries controlling the privacy of the conversations. This conceptual copying need not be done for every encrypted exchange, the key issue being the existence of a backdoor that could be activated at the decision of the state.
This is undesirable for many reasons:
1. It is insecure and dangerous; once a backdoor exists, its activation must be unknowable by the citizens, otherwise it makes no sense as it would tip off the criminals. If activation of the backdoor is unknowable, then there can exist no guarantees it's only used for legitimate purposes. The backdoor would be of a mathematical and technical nature while the institutions called to regulate it would be no better than other institutions humans create: they could be corruptible, incompetent, tyrannical etc. The mathematics of encryption backdoors would serve such institutions well regardless of their dedication to the goal of providing only lawful access, and would serve any 3rd party that could abuse it. Furthermore, lawful intereption points constitute a central point of attack for a powerful adversary, even to the point of weakening national security.
2. It is essentially useless. Smart criminals use off-the-shelf technology because they know it's fit for purpose. If government snooping is implemented in all such products, then they would switch to other forms of communications that can provide them with the secrecy they require to operate. Additionally, encryption is just math, and the fundamental capability of computers that surround us is to perform math and load user-defined programs. Encryption can never be banned, just commercial products that use it. Criminals don't care about such bans and would revert to older implementations or write their own ilegal encryption tools.
3. It disempowers citizens. The ability to have private communication unperturbed by the power of the state is a fundamental freedom in a democratic country. It is a modern manifestation of a timeless pact between the governed and the rulers: government exists to protect the liberty of ruled, not protect itself. People are to be trusted because their freedom is an end in itself, and the technology of encryption is vastly liberty enhancing without being, by itself, a direct threat to anyone.
What do you mean, "citation please"? Things are permitted unless forbidden by law, so it's up to you to quote a EU-binding law that forbids Tor. I can't prove a negative.
I have given this stuff a lot of thought. I have spent $1M and years to build a company that builds decentralized social networks (https://qbix.com/platform) and now a company that uses crypto to secure payments and elections (https://community.intercoin.org)
So I have spent a long time thinking about, and spoken to a lot of prominent people about, encryption and
I have come to a seemingly contrarian type conclusion that perhaps flies in the face of what HN typically says, but I hope that, instead of knee-jerk downvoting it, you think about it and let’s have a discussion based on substance.
There is a difference between using crypto primitives for signatures and zk proofs to secure everyone’s TRUST in a resilient, decentralized system, and using encryption to hide content from others.
To be honest ... I no longer think that end-to-end encryption is the right solution to human rights problems. If citizens are reduced to sneaking around and denying their activities to survive, their governmental system is way past due for fixing. This is like the “good slave owners” delaying the abolition of slavery. You’re solving the wrong problem.
I believe that crypto is needed to secure decentralized byzantine fault tolerant systems like Ethereum etc. to be TRUSTED, not to hide information. Signatures, not encryption, if you will. If anything, it is the government who doesn’t want encryption to be broken (eg of copyrighted DVD content etc.) and there is an inherent contradiction since anyone who consumes unencrypted content can reshare it.
What we really need is to decentralize the personal data in many places, and use zero-knowledge proofs for attestation, but that is different than encrypting and hiding information.
Should we make bulk collection of data infeasible in huge amounts? Sure. But let’s see if there are any uses of encryption — as opposed to signing and securing data - that are truly indispensable to society and are the right and best solution to solve the problem.
Within organizations, auditing and accountability are very much desired. Banning users and so on. Even though I am a libertarian, there is no simple solution to “just always have a flat system” - hierarchies always form due to efficiencies of scale (eg to gang up on people and defend against that, etc.)
What we should instead focus on, imho, is programming incentives from the beginning to promote checks and balances among the most powerful entities in the system. Look at the US Constitution and how the system has endured. Look at Bitcoin miners, Ethereum miners and so on. That is what we need - to have benign rules for everyone and make sure it’s super hard to maintain a collusion for long to overturn these rules.
Otherwise you can geek out on encryption all you want while the AI-enhanced government will track all of your physical movements and speech with cameras, gait recognition, speech recognition on vibrating potato chip bags through windows, will figure out what you’re all planning through network analysis and precrime, and nail you with parallel construction and social credit score penalties, and if anyone tries to help you they’ll get nailed too. Think it’s far fetched? China and Palantir are already doing it. Social credit systems are actually more benign, jailing and physical coersion and brainwashing are worse. Encryption won’t save the Uyghurs from re-education camps, nor profiling of Black youth in USA, nor will it help foil the next terrorist attack or mass shooting, so it doesn’t help either side of the equation that exacerbates the other in endless escalation and reprisals. And if you really don’t want those things to happen, you need to focus on architecting the governmen’t technology to be more benign in its rules, rather than facilitating sneaking around and delaying the need for the real solutions!!
Don’t listen to me only. Listen to the venerable Randall Munroe: https://xkcd.com/538/
I am very interested in having you expand some of these points, because they're not clear to me yet.
> I no longer think that end-to-end encryption is the right solution to human rights problems
I agree with this sentiment. But I don't understand why you consider it significant. Of course, secrecy is (and always has been) a way to lessen the impact of human rights problems. But where was it suggested that it would solve human rights problems?
> But let’s see if there are any uses of encryption — as opposed to signing and securing data - that are truly indispensable to society and are the right and best solution to solve the problem.
I may be missing the point, but if I want to send a private electronic communication to someone (be it an email containing corporate secrets, a chat message discussing a sensitive topic, or a copy of my bank statements)... What do you propose instead of encrypting the communication channel?
> checks and balances among the most powerful entities in the system [...] make sure it’s super hard to maintain a collusion for long
Isn't a collusion exactly the way to break these rules founded on checks and balances?
> you need to focus on architecting the governmen’t technology to be more benign in its rules
This sounds great in principle. But - while I haven't exactly looked - I'm unaware of any government that's looking to be re-architected, or a concrete proposal for how that would look like. Can you point me to an example of at least the latter?
The EU is worse than any terrorist organization. GDPR, Upload Filter, Encryption Ban, etc... United States shouldn't rescue them from soviet union in WW2 and let it fail and be completely destroyed by the soviets.
I dunno... I feel like I should just give up on encryption and privacy and say what the hell, so long as you're able to thwart the terror attacks that are coming thats probably a better outcome than any notion of privacy at this point.
If you can have wiretapping you don't have E2E encryption. So I think this would be a ban on E2E encryption, not on encryption in general of course but I think that should be self evident.
If you make it cost $30,000 worth of computer time to decrypt, the vast majority of people would have privacy, yet the government could afford to tap important targets (and it would also block government fishing expeditions - they would be too expensive).
The government could, and any medium-sized corporation could as well. Ahoy, industrial espionage!
Don't forget the Moore's law as well (even though it's taken a hit lately). Come next year, it will cost 15000, in another few years it's 7500, and some time after it will cost <1000. In the meantime, the encryption standard's complexity will be the same (because the legislation rarely moves that quickly).
And also, please remember that the journalists and human rights activists use encryption to keep their correspondence concealed chiefly from the government. And there are other governments on this planet, not just US.
> The government could, and any medium-sized corporation could as well. Ahoy, industrial espionage!
It's not actually that easy to tap into internet communications. Even without encryption it would be a huge challenge to spy on someone.
A government could obviously do it. A medium-sized corporation? Not likely.
> because the legislation rarely moves that quickly
Just legislate "encryption that takes no more than $80,000 to break, indexed for inflation", and it will auto adjust as computers get faster. (i.e. legislate the cost, not the key-strength.)
> the journalists and human rights activists use encryption to keep their correspondence concealed chiefly from the government. And there are other governments on this planet, not just US.
Those other governments can just outlaw encryption then entirely. My idea is specifically for governments that are gentle enough to allow normal people privacy. Authoritarian governments are not going to be limited by a law.
> A government could obviously do it. A medium-sized corporation? Not likely.
A medium-sized corporation can be an Internet provider. Or have a deal with one.
> Those other governments can just outlaw encryption then entirely.
If the EU criminalizes encryption, people living in those other countries wouldn't be able to use private communications (to hide from their oppressive governments) in the popular chat apps which usually target US and EU markets. Whether their governments outlaw encryption or not.
If your connection can be tapped it is not end-to-end encrypted, obviously. If it is possible for anyone to tap into your communication it is not encrypted (properly).
What you are saying makes no sense. Either the channel is encrypted and safe from being listened in on or it is not. You cannot have both.
This shows that the attack was planned by the powers that be, if not planned at least not actively blocked.
It was 1 guy with a weapon that the Austrian secret service was warned about.
The media made it 6 people doing a huge thing, in the end it was just 1 guy with an AK47 apparently.
Austrian intelligence was warned by the Slovaks about him and they let him do regardless.
Just like the 9/11 stuff, they knew what was coming and they allowed it because it suited their political agenda.
1 guy shooting around doesn't justify chat apps being monitored. This is a political setup.
The kinds of people who call for eliminating international institutions rather than reforming them are generally less interested in the actual problem they cause and more interested in NIMBYing other human beings.
I don't think it's possible.
I remind you about how much we protested against the upload filters about hosts being responsible for content their users upload, about the censorship laws in general in 2018.
The protesters were called "bots".
When the young people went out and protested they were defamed.
In the end everything passed by a shady vote.
That is why we need to leave the EU.
How do you fix a dictatorship?
You can't fix it, you can kill or peacefully leave.
The system is flawed, read the Lisboa treaty.
I am from Slovakia and yes - this idiot actually went to our capital city (near border) to a gun shop and tried to buy ammunition for his AK-47. Of course you can't buy anything if you are not a citizen and you don't have a gun permit. So he didn't buy anything, the seller contacted the police and they did a background check and found out that he was sentenced for radicalism, he tried to go to Syria to fight a war and so on. They sent an official warning in June to Austria. Austria didn't act. You will find lots of news on this. There is actually a scan of the official letter Slovakia sent with all the details floating on the internet, but it's in Slovak: https://i.imgur.com/vxCU6tN.png
They want to ban encryption, but they can't arrest and stop the attack based on DIRECT evidence? Please...
Thanks, I couldn't have written it better.
@lprd It was all over the news in the German language sphere, which I happen to receive via satellite. (German and Austrian news). I don't have links at the ready but you're able to find them with a little google-fu (or similar search engine).
I remind the readers about the upload filters "guidelines" and other internet censorship "guidelines". The EU is not a democracy, it's a corrupt rule of a few political elites.
And they want to spy on us.
First they went the NSA route, and when that blew up because of Edward Snowden, now they want their own NSA.
In which democracy does a parliament elected by the people have 0 rights over a council? And the council has veto power about anything the parliament decides?
Is that a democracy? No it's not.
> but they can't arrest and stop the attack based on DIRECT evidence?
Ah but that would require someone to actually do something, that would be too hard. And I guess for some of the "human rights" crowd, some people have all the benefit of the doubt unless they're caught in the act
I'm in my early 40s. Up until I was ~35 I was very strongly against this, sort of like most you.
Now I feel the EU in general (some member states a lot worse than others) has backed itself into a corner because of the utterly failed integration efforts, union-wide. I live in a EU nation that has seen a very high rise in violent (and sometimes frankly horrible) crime over the past decade. As a dad of a 1-year old daughter I unfortunately find my self welcoming this proposal. The criminals are doing laps around the police because of these apps. :/
What makes you think this would help? In the specific recent case of the Vienna shooter, he had been in prison for trying to join ISIS, he had gone to Slovakia to try to buy ammunition for a Kalashnikov AK-47 and the Austrian authorities were warned.
They had all the necessary information to know that guy presented a risk and they didn't act on it. What makes you think that having more information in the form of unencrypted chats would have helped the authorities?
The question on banning encryption always comes back, but so far I haven't seen any cogent argument for why it would really help the police stop crime. And, what would stop criminals from using an illegal chat app that uses encryption? Or from using their own code words? This kind of law will only reduce the rights of the innocent majority while doing very little to stop criminals.
You are of course aware that "having a law that says one more part of the already illegal activity is illegal" is going to do nothing to stop that illegal activity, right? All this does is criminalize the use of e2ee for everyone, which solves the whole "crime" problems for exactly no one. Your kids aren't any safer, but everyone who needs e2ee (journalists, activists, vulnerable/opressed groups) now needs to engage in criminal behaviour. That's the opposite of solving the problem.
Just curious: do you also apply this argument to the the gun control debate in the United States?
In any case, it's quite possible that making something dangerous illegal does indeed stop some would-be bad guys. The truly committed criminals break the law and gain access to the contraband, while the casual/less intelligent criminal is stopped.
You have to make a call: is the reduction, but not complete elimination, of bad things worth the loss of value derived from allowing law-abiding people access to encryption/guns? That's a difficult question because its answer depends not just on how much bad will actually be prevented but the subjective value you personally place on the good these things provide.
Removing guns from easy access means removing the very means that a lot of crimes are perpetrated with. Including crimes of passion (non-premeditated ones).
Not so with encryption.
And since the terrorist cases are really aberrations in our times (there are very few incidents, realistically speaking, compared to other kinds of crime and other causes of death), the perpetrators must be significantly motivated individuals (or groups) that are unlikely to be deterred by E2E encryption being unavailable in the popular chat apps.
It's an interesting point you make, but there's a fundamental difference between E2EE communication and guns. Mass shootings require guns. They do not require E2EE communication.
Yes, regulating both could reduce the "bad things", but clearly to very different degree. They would both cause "reduction, but not complete elimination", but equating them does not make sense in my eyes.
What makes you think that this will reduce violent crime in any meaningful way? The guy who mugs you isn't going to go on Messenger and send out a quick "brb gonna mug someone" message. And they definitely won't if they know the government is listening.
And regardless, we trade freedoms for risk of death all the time. We would have far less crime if no one was allowed to leave their house without an ankle monitor and a body cam, but that would be a violation of people freedoms.
I don't think he's talking about the guy who mugs him.
More like about the guy who mows down a crowd with an automatic weapon, the guy who drives a truck through the center of a Christmas market or the guy who blows up a metro station.
Well, no, you're wrong. The terrorists are horrible, of course, but they don't really cause that much of a risk to the everyday person.
In my country there's a rapidly growing organized crime scene built around the distribution of narcotics. They are organizing themselves via these apps using burner phones. They are exploding bombs in multi-home buildings to scare/take out the competition on a weekly basis. And its all accellerating at a very scary rate.
School-age kids are using what sales people love to refer to as "military grade encryption" to communicate about hits/murders.
Really, what country would that be? I call BS. And when ever I read "military grade encryption" I'm thinking buzzwords. Don't make yourself sound more important than you actually are.
The guy who does that stuff is going to keep using encryption. Or maybe he won’t bother and he’ll keep using SMS or some other channel that intelligence agencies are too busy to monitor. Mass communications surveillance against operations like this is a fool’s errand.
It's common that people become much more concerned about possible threats to physical safety after having children. That strikes me as reasonable, even if it leads someone to take a different side than I would in a freedom/safety question.
With that out of the way, how do you propose stopping criminals from using encrypted chat? You can make it illegal, of course, but making it impossible for someone who doesn't care about laws to install software that's available on the internet and use it to send and receive data over the internet is... difficult.
With everything that has been happening in US, Hong Kong, China, Belarus, Russia, Egypt, Nigeria, and others. Where does this trust comes from? Media?
I think you are more likely to be brutalized by police in US than terrorist right now. Maybe you feel that your country is better and somehow won't end up like others but what exactly is stopping that?
I really want to know how this mindset works. Maybe people have been living in peace for too long that they don't recognize all the horrible crimes committed by the state.
I suspect you're underestimating the ability of criminals to obtain communication tools with sufficient plausible deniability to prevent detection by the local police after the first few prosecutions for that.
All they really need to hide from the local cops is an app that appears to be something else. A quick google search for "disguised encrypted chat app" found one called CoverMe that can disguise itself as a photo album. There are probably more sophisticated options available now, and there will be an explosion of them if the EU bans encrypted chat apps.
With a marginally more sophisticated user, they can get far more hidden. The Android anti-theft app Cerberus, before the company behind it imploded spectacularly, could be installed as a system app on any rooted device, then hide itself until a user-specified code was entered on the phone dialer. If there isn't already an encrypted chat app with that feature, there surely will be after an EU ban. The barrier to entry is not high.
I'll grant it would likely result in a small number of gang members spending a greater percentage of their lives in jail, but that's not a lot of benefit for an extremely high cost.
You do know that "think of the kids" is a terrible argument?
And, more importantly, why do you think that your daughter won't want the same freedoms that you had? Or should she be protected from those freedoms?
Don't get me wrong, douchebags exist. Nonetheless, however well intentioned any of this starts off, it opens the road to mass surveillance at a level that was never practical before. And that is just as a big a danger, if not bigger, than any you might see today, and I don't discount extreme religious nuts.
The general idea of “governments should have powers not available to the general population” isn’t one I oppose.
However: the way to get the security you want for your family is not to mess with encryption. Mess with that and everything breaks.
It would genuinely be less bad to require every display to, on command, transmit to the authorities what it is currently showing, to the than to mess with encryption.
I guess we'll be weighing in on the EU proposal as well as the 7-eyes one.