"According to a legal opinion by Prof. Dr. Ninon Colneric automated scanning could indeed be illegal. Surveillance without a specific reason or reasonable suspicion is prohibited in the EU due to the fact of its violation of fundamental rights. The European Court of Justice has repeatedly confirmed this view and, for example, reproved the retention of data on a number of occasions.
Nevertheless, attempts to revive the data retention zombie with legal tricks have not died down. The demand can be found regularly in council papers of various EU countries. Thus, this type of mass surveillance is still part of the German Telecommunications Act („Telekommunikationsgesetz“), although being currently suspended."
The open letter, linked in the article, is also a good read:
"Individuals,
businesses and government rely on end-to-end encryption to safeguard their personal, commercial and
state secrets. The safety of individuals (e.g. witnesses, officials) depends on secure encryption protecting
their confidential communications. Backdoors can and will be abused by criminals, foreign intelligence
services and forces that seek to destabilise our society. The Commission keeps reiterating its
commitment to not generally weaken encryption, but “client-side scanning” would do exactly this."
A question I have about this topic: Banks and other organizations, including governments themselves, mandate that specific kinds of information be kept secret. An example of this is the information I need to log in to my bank account.
How am I supposed to comply with these requirements if every device I use is compromised?
Quoting for example from https://curia.europa.eu/jcms/upload/docs/application/pdf/202..., "The Court of Justice confirms that EU law precludes national legislation requiring a
provider of electronic communications services to carry out the general and
indiscriminate transmission or retention of traffic data and location data for the
purpose of combating crime in general or of safeguarding national security":
"Thus, in the judgment of 8 April 2014, Digital Rights Ireland and Others (C-293/12 and C-594/12) (see Press
Release No 54/14), the Court declared Directive 2006/24/EC of the European Parliament and of the Council of
15 March 2006 on the retention of data generated or processed in connection with the provision of publicly
available electronic communications services or of public communications networks and amending Directive
2002/58/EC (OJ 2006 L 105, p. 54), invalid on the ground that the interference with the rights to respect for private
life and to the protection of personal data, recognised by the Charter of Fundamental Rights of the European Union
(‘the Charter'), which resulted from the general obligation to retain traffic data and location data laid down by that
directive was not limited to what was strictly necessary. In the judgment of 21 December 2016, Tele2 Sverige and
Watson and Others (C-203/15 and C-698/15) (see Press Release No 145/16), the Court then interpreted
Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic communications sector (Directive on
privacy and electronic communications) (OJ 2002 L 201, p. 37), as amended by Directive 2009/136/EC of the
European Parliament and of the Council of 25 November 2009 (OJ 2009 L 337, p. 11) ('the directive on privacy and
electronic communications')."
now that apple has shown the world that Pandora's box is open it is a foregone conclusion that on device scanning will be implemented on android as well. and not just for images of course, but all device contents.
apple:
- “Let us be clear, this technology is limited to detecting CSAM [child sexual abuse material] stored in iCloud and we will not accede to any government’s request to expand it,”
also appel:
- “These decisions are not always easy, and we may not agree with the laws that shape them,” the company said. “But our priority remains creating the best user experience without violating the rules we are obligated to follow.”
the on-device method will 100% absolutely be abused in due time. apple will simply claim it is a new system, not the previously used CSAM method, and then hide behind their "lawful obligation".
> apple will simply [...] hide behind their "lawful obligation".
Not sure why you expect Apple to fight your legal battles, since they are simply selling tools (iPhones) that have to comply with the local laws. Would you want random OEMs to skip the local laws they do not like?
If you do not agree with the laws in your country, you need to work to change them.
It's a little more than "expecting apple to fight your legal battles", when apple's demonstration of their capabilities is the motivation for the legal changes to begin with.
Would you support a feature that made your car report you to the authorities every time you drove over the speed limit? Or, would you support listening devices installed in your car, with specific filters in place, which only report you to the authorities if you, say, threaten to kill the president? If the above sounds creepy or invasive (which they do to me), then Apple's actions should seem creepy or invasive to you as well.
Also, many laws are routinely broken by convention. If you drive in the US for example you will see that the speed limit, by convention, is most often the minimum acceptable speed, with a 10-15 mph buffer; ie, a speed limit of 65 means the majority of cars will drive at 65-75 mph. Also, laws are routinely added but rarely removed.
So then we create systems which send 10 nonsense emails with occasional flagged words along with every one real message, inundating them with so much data they cannot begin the handle it.
They already cannot handle the reams of financial reporting data they began requiring a few years ago - burdens which have made good companies shut down because the increased overhead was so great that doing business was no longer feasible.
These politicians are so ignorant of technology and real life itself that it’s a wonder we keep electing them.
They can absolutely handle the data, because all they have to do is collect it not analyse it.
The data's use isn't just in real time on ingestion. It allows them to examine anyone they want under a microscope forever after.
Once the collection has been running for a while: If I'm in power today and I don't like something you said today, I can look over your entire life history, and that of your parents and all other associates, and find all kinds of things to make you disappear, even if you never actually did anything wrong.
But you don't have access to that same power to discredit me or to defend yourself.
> So then we create systems which send 10 nonsense emails with occasional flagged words along with every one real message, inundating them with so much data they cannot begin the handle it.
Which will then get you charged with wasting police time, covering criminals or worse. Also, it will be pretty obvious that all those reports originate from you, unless you have a massive amount of burner phones - which are, by the way, also on their legislative way out.
I wonder if government will ever shift focus to the OS layer? Seems like surveillance of keyboard apps and app metadata would be more difficult to casually get around.
Personally I still consider it unlikely that the actual proposal, whenever it comes, would include mandatory screening of encrypted communications of the kind depicted in the article. It would not pass parliament.
It will more likely aim to legalize the current practice of voluntary screening (which is temporarily allowed for 3 years, granted in July 2021) or something similar.
I am not sure it goes through any parliament.It doesnt have to pass parliament to become EU law. I guess it would be EU regulation, which can be created by either EU council or EU commission and has to be implemented eu wide.
Once again, technology causes disruption to those in power. Thus, those in power dictate that technology must be tightly controlled with the rulers having access to superior technology than the ruled.
The article says “The EU Commission wants all smartphones to search messages and photos for allegedly suspicious content before they are sent via encrypted messaging services.”
So then you just sideload the messaging app instead of using the official build that complies with the legal system. Just like many crime groups do already - look at the EncroChat phones that gangs were using.
This just isn't enforceable. Yet more laws made by people that don't understand the technology.
It just seems like we're moving trust further and further down the stack. Sure, you can do verification of your OS, but then the question becomes can you trust your firmware, hardware, etc.
Readit News
EU Chatcontrol 2.0 [video] - https://news.ycombinator.com/item?id=29066894 - Nov 2021 (197 comments)
Previously:
Messaging and chat control - https://news.ycombinator.com/item?id=28115343 - Aug 2021 (317 comments)
EU Parliament approves mass surveillance of private communications - https://news.ycombinator.com/item?id=27759814 - July 2021 (11 comments)
European Parliament approves mass surveillance of private communication - https://news.ycombinator.com/item?id=27753727 - July 2021 (415 comments)
Indiscriminate messaging and chatcontrol: Last chance to protest - https://news.ycombinator.com/item?id=27736435 - July 2021 (104 comments)
IT companies warn in open letter: EU wants to ban encryption - https://news.ycombinator.com/item?id=26825653 - April 2021 (217 comments)
Others?
https://netzpolitik.org/2021/eu-commission-why-chat-control-...
Including for example:
"According to a legal opinion by Prof. Dr. Ninon Colneric automated scanning could indeed be illegal. Surveillance without a specific reason or reasonable suspicion is prohibited in the EU due to the fact of its violation of fundamental rights. The European Court of Justice has repeatedly confirmed this view and, for example, reproved the retention of data on a number of occasions.
Nevertheless, attempts to revive the data retention zombie with legal tricks have not died down. The demand can be found regularly in council papers of various EU countries. Thus, this type of mass surveillance is still part of the German Telecommunications Act („Telekommunikationsgesetz“), although being currently suspended."
The open letter, linked in the article, is also a good read:
https://www.patrick-breyer.de/wp-content/uploads/2021/11/202...
Notably:
"Individuals, businesses and government rely on end-to-end encryption to safeguard their personal, commercial and state secrets. The safety of individuals (e.g. witnesses, officials) depends on secure encryption protecting their confidential communications. Backdoors can and will be abused by criminals, foreign intelligence services and forces that seek to destabilise our society. The Commission keeps reiterating its commitment to not generally weaken encryption, but “client-side scanning” would do exactly this."
A question I have about this topic: Banks and other organizations, including governments themselves, mandate that specific kinds of information be kept secret. An example of this is the information I need to log in to my bank account.
How am I supposed to comply with these requirements if every device I use is compromised?
Source?
"Thus, in the judgment of 8 April 2014, Digital Rights Ireland and Others (C-293/12 and C-594/12) (see Press Release No 54/14), the Court declared Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54), invalid on the ground that the interference with the rights to respect for private life and to the protection of personal data, recognised by the Charter of Fundamental Rights of the European Union (‘the Charter'), which resulted from the general obligation to retain traffic data and location data laid down by that directive was not limited to what was strictly necessary. In the judgment of 21 December 2016, Tele2 Sverige and Watson and Others (C-203/15 and C-698/15) (see Press Release No 145/16), the Court then interpreted Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 (OJ 2009 L 337, p. 11) ('the directive on privacy and electronic communications')."
https://www.bunniestudios.com/blog/?p=6097
apple:
also appel: the on-device method will 100% absolutely be abused in due time. apple will simply claim it is a new system, not the previously used CSAM method, and then hide behind their "lawful obligation".Not sure why you expect Apple to fight your legal battles, since they are simply selling tools (iPhones) that have to comply with the local laws. Would you want random OEMs to skip the local laws they do not like?
If you do not agree with the laws in your country, you need to work to change them.
Also, many laws are routinely broken by convention. If you drive in the US for example you will see that the speed limit, by convention, is most often the minimum acceptable speed, with a 10-15 mph buffer; ie, a speed limit of 65 means the majority of cars will drive at 65-75 mph. Also, laws are routinely added but rarely removed.
They already cannot handle the reams of financial reporting data they began requiring a few years ago - burdens which have made good companies shut down because the increased overhead was so great that doing business was no longer feasible.
These politicians are so ignorant of technology and real life itself that it’s a wonder we keep electing them.
The data's use isn't just in real time on ingestion. It allows them to examine anyone they want under a microscope forever after.
Once the collection has been running for a while: If I'm in power today and I don't like something you said today, I can look over your entire life history, and that of your parents and all other associates, and find all kinds of things to make you disappear, even if you never actually did anything wrong.
But you don't have access to that same power to discredit me or to defend yourself.
Which will then get you charged with wasting police time, covering criminals or worse. Also, it will be pretty obvious that all those reports originate from you, unless you have a massive amount of burner phones - which are, by the way, also on their legislative way out.
Personally I still consider it unlikely that the actual proposal, whenever it comes, would include mandatory screening of encrypted communications of the kind depicted in the article. It would not pass parliament.
It will more likely aim to legalize the current practice of voluntary screening (which is temporarily allowed for 3 years, granted in July 2021) or something similar.
EU parliament can voice, but not block.
Actually the last I heard, the latest proposals had the chat monitoring removed, but I can't find the link now
This just isn't enforceable. Yet more laws made by people that don't understand the technology.