It just doesn't make sense to me why anyone tries these things. The reality of the situation would be very obvious. Just because everyone in the EU is in the EU, doesn't make them one big happy family. Do the French want the Germans to be able to spy on their citizens? Seems unlikely. And at a larger scale, the US isn't going to go with that. So the browsers will simply be updated to distrust all of these CAs who no longer can be trusted and... those EU CAs are out of business. Poof. Hell, if it were reversed you'd see the EU up in arms. "Why should we trust the USA?" - And rightly you shouldn't. That's why Galileo exists.
But on the Internet, it doesn't work that way. You can't just do your own thing, lest you kneecap your citizens. How will the European citizens react if their own "free and democratic" governments take away their access to Wikipedia? Or Facebook? Or Tiktok?
Using known suspect TLS Certs would also violate basically every B2B contract. When businesses sign contracts for SaaS applications, it involves some verbiage about encryption and best practices and data security in transit and at rest. What business will WANT to sign a deal that says "Yes, it's ok to use a TLS cert that we know our government can intercept" when they have the option to use a cert from someone else that's secure? Cool, shoot your own businesses in the foot too, while you're at it.
Freaking politicians. Can't be bothered to do anything about the issues we citizens ACTUALLY want, but instead are too busy meddling in shit that no one wants.
I understand that it helps to have a name for something like this, but
there is no "EU". "It" cannot think.
Heed the Meehan quote; "Men are at war because each man is at war with
himself". It's not just that human minds are one psychotic insight
away from seeing our dissociative identity disorder just beneath the
surface... every institution and collective is the same. What is wrong
in the "EU" (principally the Commission) is that it's large and
disparate enough for some extraordinary bad actors to hide within it
and exercise undue toxic influence. It is by lack of transparency that
they cannot easily be rooted out, named, shamed and dislodged.
Meanwhile much of the "EU" functions very well, and cares for its
citizens.
I need to clarify. I was using "the EU thinks" as shorthand for "the strong consensus view of the people running the EU". I thought (obviously wrongly) that this was obvious because an organisation cannot think.
I think it is safe to assume that the majority of people running the EU share the aim of "ever closer union" enshrined in EU treaties, which implies aiming to put the interests of the EU above national interests, which I took to be what the comment I was replying to meant by being "one big happy family"
> I was using "the EU thinks" as shorthand for "the strong consensus
> view of the people running the EU".
Understood. And I was questioning the concept of "consensus" in that
frame.
> I thought (obviously wrongly) that this was obvious
Not at all. I don't think that is obvious. Interestingly some are
raising GPT as a metaphor for emergent organisational "thinking". Is
it a good analogy? I don't know, but we do see similar phenomena in
networks whether they be human brains, machines or other organisms.
And one feature is that we are not sure how to locate "consensus".
There's a lot more than weighted sums at play. And despite official
structures and protocols, that's not really how things work, I think
we all know.
Thus the emergent identity gets a lot attributed to it, which it may
not be "aware of" in large parts of itself. For minds we have the
concept of the unconscious. Perhaps in neural networks we will come to
recognise something similar. But the concept seems sadly lacking in
organisational dynamics where it might help us to stop talking about
ideas such as "What Google says" or "What the market demands".
> because an organisation cannot think.
And yet we so often talk as if they can. We see Searle's "Chinese
Room" everywhere and wish to encapsulate and name too readily.
The "EU" is "mentally unhealthy" in that sense, in that it's simply
too big and disparate to be coherent and consistent. The article about
snooping on web TLS certificates could not more clearly contradict
other strongly held "beliefs" within the organism about "privacy".
That might have been more helpful if it was clear that there is actually anything like thinking going on in GPT-4, but to the extent there is I don't believe it's a good analogy for EU-the-organization.
It's multiple regular humans doing regular human thinking (in various quantities) and otherwise acting, and interacting, subject to social pressures.
Calling that an organization thinking might be a convenient shorthand, but as far as I'm concerned the utility stops right there, and forgetting that it is merely a shorthand is potentially badly misleading (which, I take it, was one major point of https://news.ycombinator.com/item?id=38182349 )
>Do the French want the Germans to be able to spy on their citizens?
They might. It's how the US intelligence agencies route around laws that prohibit spying on US citizens. They spy on a 5-eyes nation's citizens (often the UK) who is spying on US citizens. Then they trade connections.
This is an often parroted conspiracy theory rooted in novices looking at leaked documents and not really understanding the context. Just because GCHQ shares data with NSA it does not mean the program lacks controls that protect American citizens. Partner data is still filtered for US nexus and tagged appropriately as to require multiple layers of approvals and oversight to query or view.
> how sharing takes place in spite of those controls
Sharing takes place because countries have mutual data sharing agreements. It is up to the receiving country to comply with domestic laws.
For example if GCHQ has a dish pointed at a foreign communications satellite and receives all downlink communications, they might share that stream of raw data with partner countries. If NSA receives that stream the first thing that happens is it gets decoded into call data and parsed for any hint of US nexus communications at which point it gets tagged USPER and is not accessible to analysts.
But there's presumably little to stop the NSA asking GCHQ "can you give us a list of US citizens that match profile X", so does the fact that they strip it out of their local copy make a big difference?
These are the same government agencies that the Snowden leaks informed about. How many people in the government were fined or went to jail because those were revealed to the public?
But unlike Kazakhstan, the EU can actually ORDER browser makers to keep approving their backdoored certificates. And then mandate that anyone serving their own citizens use them.
Look at what the UK has already done with its “think of the children” bills. The UK is weaker than the EU.
> the EU can actually ORDER browser makers to keep approving their backdoored certificates
But they can’t. Maybe they can order some companies to do so, those companies which would fight tooth and nail in court, who cumulatively have more money than the EU (probably)... and certainly more lawyers.
But at the end of the day, they couldn’t force every browser. No company would accept a website that doesn’t work with 30% of the internet. It would, once again, kneecap that company.
And while I’m not sure of every browser, I’m fairly sure you can delete CAs in most browsers today. You certainly can on an OS level. So as soon as one CA gets p0wned by the government, the techies would just run around and “help” all their friends and family delete the CA from being trusted.
How? Mozilla can just get out of the EU. Google can spin off its browser to a nominally independent project (Chromium) and offer plugins for Google functionality. I don't see how they will win this.