Readit News
dahwolf · 3 years ago
Software is flexible which seems to result in our human rights being equally flexible.

Imagine the police regularly raiding your apartment without announcement. The post office opening all your mail. Storage box companies searching your unit.

You wouldn't be OK with that. You're innocent until proven guilty and a search requires a reasonable suspicion of wrongdoing and an approved warrant. Private communication is private and absolutely nobody else's business. It's a crime to open somebody's mail.

In the digital domain, we're fine with all of these illegal searches, either we don't even know they happen or we do know yet let it pass, as it feels "invisible" and not intrusive. Plus, you're a standup citizen so all is good.

And that's how one day you end up as a bankrupted outcast for having insulted the king.

seydor · 3 years ago
I'm actually shocked that people are OK with that. People in countries that have had dictatorships recently probably remember that. Snitches everywhere, the police raiding houses again and again for no reason, with no recourse and people were just accepting it.
mananaysiempre · 3 years ago
As a Russian student studying in Paris, it was a terrifying realization that the mayor can, apparently, prohibit any and all mass protests by simply issuing a decree, no higher authority needed. (This was in 2018 IIRC.) This is apparently part of the anti-terrorist law or something? I dunno, and nobody seemed to care except for the participants of the protests that were happening at the time.

Compared to the constant, unceasing reminders by Russian activists that the de facto prohibition on protests in Russia is a legal sham and the actual thing would require the president declaring a state of emergency (that only happened in 2022 and then not fully), the silence in an established democratic society was deafening.

The tired “freeze peach” responses on HN evoke similar feelings, as do the “private businesses can deny anything to anyone”. (Never seen a less-than-loyal artist’s concert cancelled the day before because the venue received a suggestion—not a command, mind you, a suggestion—from a city official’s phone? Have I got news for you.)

waboremo · 3 years ago
Many struggle understanding consequences unless it's happening directly to them at that very moment. Until then, the problem ceases to exist for them.
qikInNdOutReply · 3 years ago
And the gaming of horrific incentives to snitch.

Chinese traffic laws come to mind, where reporting somebody overtaking on the right got you a small monetary reward. So folks were creeping on the left side, forcing others to overtake on the right, photos were made, the incident reported, rewards were reaped.

Similar things can happen fast on the internet. Bait somebody into breaking the law and report it for a reward. Can even automate it. Piracy and porn come to mind.

watwut · 3 years ago
> People in countries that have had dictatorships recently probably remember that.

Yeah, but also, people in countries that have had dictatorships recently are waaay more likely to support dictatorships.

raverbashing · 3 years ago
Yes, the people who lived under the Stasi remember it vividly
908B64B197 · 3 years ago
Lots of places don't have strong constitutional protections, for anything.

Not that long ago, the government in Canada started freezing citizens' bank accounts on suspicions they donated small amounts to a certain peaceful organization organizing protests the government didn't like. They just decided to suspend the constitution (because that's a thing over there?).

But what's interesting to see is people from Europe and Commonwealth nations voting with their feet and deciding that they too want more constitutional protections (which they are entitled to!). Here in the Bay it seems there's a constant interest from EU nationals to move to America (judging by the volume of applications we get). But I've never heard anyone interested to do the reverse.

Top destination for EU nationals in Academia was... right here in the US [0].

Interesting to speculate what impact the policies imposed by these non-elected EU bureaucrats will have on this demographic. More brain drain? Is it the intended goal?

[0] http://spectrum.ieee.org/at-work/tech-careers/the-global-bra...

robopsychology · 3 years ago
The UK doesn't even have a constitution

Also, as a European living in the Bay, part of it is for the higher salaries. If I can take my Bay rate and bring it back to Europe I'm going to do that.

transcriptase · 3 years ago
Careful, if any HN folk reside in Ottawa they’ll be all over you implying that honking horns is psychological torture and that everything is the fault of the RCMP and Provincial government for not shutting down protests first.
leoedin · 3 years ago
I hate to break it to you, but there's plenty of Americans living all over Europe. Here in London there's loads.
desas · 3 years ago
Maybe people are voting with their feet for constitutional protections. Maybe it's because the USA is significantly richer and pays more, there's likely to be a whole range of reasons.

I work with several US nationals who have relocated to the EU.

mdekkers · 3 years ago
> Here in the Bay it seems there's a constant interest from EU nationals to move to America (judging by the volume of applications we get). But I've never heard anyone interested to do the reverse.

Plenty of Americans do just that, a friend of mine got his USA certificate of un-citizenship last week

int_19h · 3 years ago
Canada has a clause in its Charter of Rights and Freedoms that literally allows the legislature of any province to pass laws in direct contradiction to most of the Charter - specifically, the sections on fundamental rights. They just have to explicitly point out which parts of the Charter they found inconvenient when invoking this clause. Quebec is notorious for abusing this power (mostly for its language laws), but other provinces have also found it useful on occasion.

https://en.wikipedia.org/wiki/Section_33_of_the_Canadian_Cha...

hgsgm · 3 years ago
> certain peaceful organization organizing protests the government didn't like.

When you go beyond defending behavior, to go out of your way to avoid saying what you are talking about, you discredit yourself.

CamelCaseName · 3 years ago
"peaceful" is absolutely not the word I'd use for 18-wheeler trucks blaring their horns around the clock in a city center.
tick_tock_tick · 3 years ago
> Private communication is private and absolutely nobody else's business. It's a crime to open somebody's mail.

I thought we were talking in the context of the EU? It's not a crime for them if the government is doing it (or asking for it). They don't have rights like that.

Skeime · 3 years ago
I think it’s a bit more complicated than that. The EU law will need to be implemented by national laws and at least in Germany, there is Art 10 GG (the 10th paragraph of the constitution) which protects one’s rights to private communication (specifically also against the government; this is the whole point of constitutions!).

Granted, the paragraph also contains a provision for lawful exceptions, but in general, our highest court has ruled that such exceptions need to be reasonable in scope. I have some hope (but less than I’d like) that this will happen here, as well.

hugginn · 3 years ago
It's definitely illegal to open letters not addressed to you in Sweden. I'm not sure what makes you think we don't have rights like that. I think an issue here might be that a lot of jurisdictions have privacy laws specific to post, and the law system hasn't been able to keep up with the technological development.
jll29 · 3 years ago
Don't believe vendors' lies about "end-to-end" encryption.

If caught red handed, they will always say it depends on how you define where both "ends" begin.

Do not trust a cloud service that you have not developed and deployed yourself.

You may trust untrusted hardware with your encrypted content, but only if you have given it your content pre-encrypted by yourself, not trusted a third party to encrypt it on your behalf. Obviously, this excludes mobile devices.

Do not trust a tree of certificates if you cannot trust the root certificate because it belongs to an organization that is in a jurisdiction where people may be interested in what you have written and said in your encrypted message.

Don't trust old-school typewriters and the postal system either. Letters are routinely opened and typewriters can be matched. For example, the Stasi (secret police of the former GDR - German "Democratic" Republic) had an archive of type samples of all sold models of typewriters for re-identification of political pamphlets.

You can trust a few things: You can trust your Linux box with your self-compiled kernel (no 3rd party drivers), at least as long as it is not on a network. To build a safe environment, you could start there, taking a defensive approach. Remember, last time the paranoid turned out to be naive when Snowden revealed the real status quo in 2013 (ten years ago, when I couldn't buy a 1 TB USB stick).

tablespoon · 3 years ago
> Don't trust old-school typewriters and the postal system either. Letters are routinely opened and typewriters can be matched. For example, the Stasi (secret police of the former GDR - German "Democratic" Republic) had an archive of type samples of all sold models of typewriters for re-identification of political pamphlets.

That's theoretical. I highly doubt anyone extends that much effort to target typewriters anymore. The best they could probably do is match a series of messages to the same typewriter. Though they might not even be able to do that, because the law-enforcement skills to match typewriter documents to each other have also probably nearly completely atrophied.

You're probably more likely to be caught by being the weirdo still buying typewriter ribbons.

bobthepanda · 3 years ago
I mean, photocopiers have the exact same technology so the US Secret Service can see who’s trying to photocopy dollar bills. (Which is what they were originally created for, not as bodyguards)

https://www.eff.org/press/archives/2005/10/16

jll29 · 3 years ago
While you are right, note that the typewriters and certificates were just off-the-cuff examples to show that you cannot trust a lot of things any more, certainly not the "end-to-end encryption" promises but also many other things.

I am not advocating for typewriters as such, but there was the story about India ordering thousands after Snowden's revelations, and I just wanted to say why that is silly. If I want to find out something really badly, I will, so there is no reason to believe that people who have more resources cannot do the same.

jwalton · 3 years ago
> That's theoretical.

I would agree, but then I also would have agreed with this sentiment about much of what Snowden revealed. If you want to be paranoid, may as well go all in.

jjeaff · 3 years ago
Ya, kind of like the genius idea of getting a custom license plate with alternating L's and ones: l1l111l1

Might be hard to read or remember but it sure does stand out.

gizmo · 3 years ago
Do you trust your bios? Your usb stack? Your network card firmware?

I get the desire to control the entire chain, but nowadays you’re surrounded by cameras and microphones 24/7, every smart device is a surveillance sleeper agent waiting for the magic word. Certificate chains are the least of your worries.

fsflover · 3 years ago
> Do you trust your bios?

Yes, it's Coreboot with disabled and neutralized Intel ME.

> Your usb stack?

No, it's isolated in a dedicated, hardware-virtualized VM on Qubes OS.

> Your network card firmware?

Same as above. And it's FLOSS.

> surrounded by cameras and microphones

For those, I have hardware kill switches. On the phone, too.

unyttigfjelltol · 3 years ago
Anything your monitor displays or sound system outputs is subject to ubiquitous surveillance. And, when there's a gap in the surveillance, that also is subject to interpretation.

Privacy already is (mostly) lost and the battle now simply is to reliably establish authenticity that can't be impersonated or doubted. That's where encryption remains helpful.

KirillPanov · 3 years ago
> Do you trust your bios? Your usb stack? Your network card firmware?

Sure, because I have the complete source code for all three of those things:

https://www.raptorcs.com/TALOSII/

TremendousJudge · 3 years ago
> You can trust your Linux box with your self-compiled kernel

Can you? If we're going this far, you can't trust the compiler either.

seba_dos1 · 3 years ago
At some arbitrary point you just decide that the risk is small enough for you to be comfortable with it.
jupp0r · 3 years ago
You need to think more about your model of trust. You will quickly discover that all security is built on trusting someone, even in the examples you mention above. You can compile your own kernel, but you trust kernel developers to not have put exploits in the source code. You can't audit the source code itself. You also trust your compiler to accurately compile the source code. You also trust compiler developers to not have put exploits into the compiler itself. You also trust the compiler they used to bootstrap their toolchain to compile the compiler.

Fundamentally, all security is based on trusting somebody, understanding their incentives and intentions and weighing risk and reward. An excellent book on the subject is Bruce Schneier's "Liars and Outliers" https://www.schneier.com/books/liars-and-outliers/.

seanw444 · 3 years ago
I agree with your point of taking security measures into your own hands, but given how pompompurin was only caught through using a personal email address with his name on it, despite using Windows (!), I think you're a lot safer than you think. Most of the time at least. Problem is that it's impossible to know if now is "most of the time".
voxic11 · 3 years ago
> You may trust untrusted hardware with your encrypted content

Couldn't someone still capture them from the untrusted hardware, wait until quantum computer technology is available, then decrypt them?

greiskul · 3 years ago
Quantum computing is theoretically able to attack many of the public key encryption algorithms we use. Hardware encryption of HDs doesn't use those algorithms, it uses symmetric-key algorithms, that are not vulnerable to quantum attacks.
beisner · 3 years ago
There are quantum-resistant encryption schemes.

See: https://en.wikipedia.org/wiki/Post-quantum_cryptography

nicoburns · 3 years ago
You’ll probably be dead by then anyway.
anonym29 · 3 years ago
This is a very efficient post - the TL;DR is accurately summed up with the first three words!
max51 · 3 years ago
This is so common (not just in the EU) that it makes me feel like it was done by design in a lot of cases. By creating these massive overcomplicated bills, they make sure only a handful of individuals are capable of reading them and the rest of us (including other politicians) will never read them and instead have to rely on faith. It feels to me like they want to give you the illusion that it's all open/public but at the same time they don't want other people to read it. The fact that even the politicians signing on it can't understand it should raise a lot of red flags.

We should treat them the same way that an anti-virus treats "safe" code with payloads that are obfuscated using techniques also used by viruses (a big reason why you get false positives on cracks and keygens btw). We should assume that they are trying to hide something they don't want us to see when they make their bills extremely hard to read even for lawyers.

Kretinsky · 3 years ago
I worked for my government, in the EU, and participated in the creation of such laws.

The vague wording and the complexity is here to give the legislator a lot of freedom in the interpretation of the text.

Bear in mind that those “technical” laws aren't written by MPs – they are written by lobbyists and private consultants like McKinsey, in cooperation with high-tier civil servants. Therefore, they usually follow an agenda that may be hidden or dishonest relative to their initial aim.

I'll take an example: you write a law relaxing the legal definition of what “chocolate” is. It happens that the MP in charge of this law has a Cadbury plant in its constituency – by pure chance, of course! The law and the debate will follow talking points about letting chocolate makers innovate and try new recipes. In reality, Cadbury et al. want to cut costs by introducing cheaper ingredients and reducing quality.

Once automatic screening is in place, it's effortless for the government to start repressing political dissent, to spy on the citizen's economic activity, and so on. In many EU countries, such as France, for instance, an authoritarian government would need to vote very few laws to completely shut down dissent: all the legislative weapons have already been voted by well-meaning and deluded MPs.

The European commission is as hypocritical as it can be. Von der Leyen refuses to show the private texts she exchanged with Pfizer's boss, but wants every EU citizen to surrender their private communications. What is next?

peoplefromibiza · 3 years ago
> very few laws to completely shut down dissent

except it would mean silencing millions of people, which is frankly more similar to the intro of a sci-fi novel than modern France. See what's happening in Israel, not even the omnipotent Netanyahu could go against the huge popular protests.

> Von der Leyen refuses to show the private texts she exchanged with Pfizer's boss,

That's the same right everyone has in Europe.

Nobody can be forced to publicly show their private conversations.

Only the authorities can ask for them in the case of a trial, if a judge gives the authorization.

> but wants every EU citizen to surrender their private communications.

That's a non sequitur. The law is not about "surrender your private communications", first of all because E2E is about secrecy, not privacy, privacy still exists without secrecy, and even if it was, Von der Leyen (that I dislike, to use a euphemism) would be subject to it too.

The real World does not work like Gotham City.

Dalewyn · 3 years ago
Legalese is like that thanks to a long history of people looking for and abusing any and all loopholes.

That led to the natural conclusion of legal words holding standardized definitions that might differ from common understanding, and extreme specification of all details in an effort to preemptively close off any and all loopholes.

Anyone who tries to make legalese simpler finds themselves immediately torn asunder by the aforementioned people looking for and abusing any and all loopholes as lawyers and those who learned the hard way look on shaking their heads.

max51 · 3 years ago
I have no problem with the vocabulary itself and most of the Legalese. I try to use more of it in my documentation because, as you mentioned, it has less room for interpretation and loopholes compared to more commonly used phrasing.

My problem is when they take what should have been a simple table with a few columns and turn it into a 9-line long sentence with triple negations, exceptions to the exceptions to the exceptions and abusing references to other sections to create these puzzles that are very hard to solve. If they need it for some reason, they should also provide the easy-to-read version alongside it. I would prefer that the easy version came from the same people who wrote the original bill instead of a college textbook or a journalist relying on second hand information because he also can't read it properly.

Mixing multiple unrelated subjects into a single bill is also completely unnecessary from the POV of preventing loopholes.

When it gets to the point that even the people voting on it can't understand/read it, something needs to change. How do you know they didn't slip in an intentional loophole? Even with well-intentioned politicians, the intern typing it could sneak something in.

the8472 · 3 years ago
> That led to the natural conclusion of legal words holding standardized definitions that might differ from common understanding, and extreme specification of all details in an effort to preemptively close off any and all loopholes.

And yet they end up with unintended consequences all the time (some of which were predicted by outside observers), outdated laws are kept on the books, tax advisors keep finding loopholes, laws are regularly taken down by constitutional courts over concerns that opponents pointed out in advance etc. etc. If that obtuse legalese is helping at all it's barely so.

I don't know what would help. Maybe laws should start with outcome specifications and a bunch of policies that are applicable conditional on achieving the stated outcomes? More adversarial testing in advance, involving some game theory?

feanaro · 3 years ago
Yet at the same time you always hear people repeat that law isn't code, and it isn't dumb, and the spirit of the law is more important than any loophole. That if you try exploiting a loophole, you will just get caught and shot down. So which is it?

And if the wording of the law is meant to prevent loopholes, then this could be accomplished in better ways than writing extremely convoluted sentences over and over again. There are patterns to the loopholes and to the disclaimers meant to prevent them, which means we could reasonably define better abstractions to avoid the need to verbosely repeat each pattern each time by replacing them with shorter, well-defined qualifiers.

sjy · 3 years ago
Rather than assuming bad faith, I think it makes more sense to treat these documents like the codebase for a large open source software project. Perhaps there are reasons, not apparent to someone who hasn’t spent months working on the code and the systems it integrates with, for what appears to be unnecessary complexity. And perhaps it’s reasonable for people to advocate for or against using the project without having read and understood every line of code themselves.
max51 · 3 years ago
The way I see it, there is also good reason why keygens are encrypting their payload. But that doesn't change the fact that getting viruses from them was extremely common until we got a reputable repack site (e.g. fit-girl) that tests them for us.

You also have to keep in mind that it's not just the average people who can't understand them, even the people writing and voting on them can't understand the content. The journalists reporting on them also don't understand the content.

It's like downloading an installer from a hacker on 4chan who can't remember exactly what it does, why it's so big and why it has a big encrypted payload. Would you install it on your production environment? His package will probably solve whatever problem you wanted to fix... but who knows what else is in there or if a friend that collaborated with him put a virus in there. The reason why viruses spread so much with cracked content is that the cracks were actually working.

Barrin92 · 3 years ago
Legal documents aren't complicated because some cabal of evil lawyers has decided to make the text hard to understand for you, they're complicated because legal concepts require precision and specificity that ordinary language isn't able to express.

It's like calling code "programmerlese" and claiming that programmers invented it so ordinary people don't understand software. The average adult reads with the comprehension of an 8th grader, if deception was the goal they'd hardly need to try that hard.

EU documents are complicated because more than two-dozen national governments and thousands of people work on these texts because they can't ever agree on anything without throwing in 500 exceptions for each country, it's that simple, there's no tinfoil conspiracy.

geysersam · 3 years ago
It's interesting to think about how perhaps some ideas from software and programming language theory could be applied in legal settings.

The requirements are quite similar. Unambiguous interpretation of precisely defined concepts.

Particularly, it might allow much more efficient searching in legal texts. Imagine automatically searching for inconsistencies/loopholes or other "bugs" in the legal system.

I'm reminded of the "oops I wrote a compiler" meme reading your comment about legalese requiring "precision and specificity ordinary language is not able to express".

peoplefromibiza · 3 years ago
> By creating these massive overcomplicated bills, they make sure only a handful of individuals are capable of reading them and the rest of us

Of course it is by design, not necessarily for evil purposes though.

First of all, the fact that laws are written in a "natural language" doesn't imply they can be fully understood by everyone, they are more like a math formula, it's only less obvious that laws need to be crafted in a way that requires an extensive knowledge of the subject. They're readable, but not always intelligible.

Natural languages are ambiguous, laws try to avoid it as much as they can, changing a word can often change the law's intentions completely.

Secondly, exactly like scientific papers, if they have some kind of impact in the community, experts are gonna look at them, you can bet on it (also don't forget the army of lawyers companies like Google, Amazon, Microsoft, Apple, Meta, etc. have on their payroll).

And they will cover the entire spectrum from the most complacent to the biggest opponents and everything in between, so it's not actually like they will pass unnoticed. There's too much to gain in exposing your political opponents (and sometimes allies) to not take advantage from it. No professional politician would miss the opportunity.

It's no secret that many politicians have a training in law and the reason is obvious.

For example in the US of the 535 members who make up Congress, 40% had attended law school. For senators, nearly 54% have obtained a law degree. The House contains 37% law degree holders.

> We should assume that they are trying to hide something

To assume this we should also assume that they - whoever they are, it's not clear to me - are all on board with the "evil plan" which is arguably very far from the facts we can prove.

In the game of assuming bad faith, we could equally assume that the opposition to this particular proposal is paid by the big tech corporations to avoid investing a lot of money to update their systems and losing the vendor lock in (WhatsApp messages are readable only by WhatsApp, Instagram messages only by Instagram, and so on...)

Aeolun · 3 years ago
I think you are assuming too much competence. If lawmakers are anything like other employees, then 80% of them are there just for the paycheck. They’re not going to expend any extra effort to fully understand a complicated law that they’re not particularly invested in.

Chances are very few of them actually consider where this could lead, not because they’re malicious, but because they just cannot be bothered. They’re probably working on their own fancy laws that will be much more popular with their voters.

dustingetz · 3 years ago
legal complexity is emergent from raw freedom - everything becomes a negotiation
Waterluvian · 3 years ago
This is more common than the opposite.

I’m reminded of that recent embarrassing display of US government where the TikTok CEO was peppered with the kinds of questions that betray the fact that the congresscritter doesn’t comprehend the topic.

If they wanted real answers they’d say, “I yield my time to this SME I brought in.” But they’re just there to look tough on whatever.

ouid · 3 years ago
You don't need to be a subject matter expert to understand how encryption works. E2E can be explained to an 8 year old. The problem is that the skills selected for in politicians are the same as the skills selected for in non-venomous snakes, i.e., their resemblance to venomous snakes, without the metabolic overhead of actually producing venom.
ben_w · 3 years ago
I don't understand your metaphor.

> E2E can be explained to an 8 year old.

Can.

Also, the main problem here isn't explaining the tech itself (although the quotations in the link indicate this is also a problem), but rather explaining why it's (a) actually good, and (b) impossible to prevent even if it wasn't good.

But even if it was the tech itself, most people don't have maths skills and fundamentally don't (care to?) think logically.

When I was a kid, I couldn't understand why the adults kept joking about why it was so hard to stop the VCR from flashing 12:00 when I found it trivial.

(I think we're getting to the point where you could run an image detection process on the display itself, totally circumventing any encryption. This will have a lot of consequences that are totally obvious and yet it may be done regardless).

raverbashing · 3 years ago
Pretty much that. Your average politician on this side of the pond is not much better than the ones on the other side

And to be even more honest, technical people have a very hard time getting their point across to non-technical people and engaging in politics

ben_w · 3 years ago
Perfect use case for ChatGPT.

Sure, I'd be as surprised as anyone else if it could straight up write good laws, but it can almost certainly talk in political jargon better than any of us software developers can manage.

WhereIsTheTruth · 3 years ago
That's indeed quite worrying, this plus the American Cloud Act means online privacy is at risk.

I wonder why Mullvad doesn't complain about the American Cloud Act, or did they already? Mullvad employees could be extradited to the US if they do not comply (opening up your servers for example), since it's a bilateral agreement with the EU

It's a pretty dark era ahead of us: https://www.justice.gov/criminal-oia/cloud-act-resources

legitster · 3 years ago
For all the faults that lobbying brings with it, there is something to be said for actually bringing in outside experts into the legislative process. You can seek intellectual purity all you want, but at the end of the day you are going to have to have some trust that farmers know where seeds go and tech companies know how encryption works.

Similar bills have died several times in the US, if only because there were actual experts available (aka, lobbyists) who could tell them why this idea was dumb and impossible.

It's hard not to see this following in the line of "right to be forgotten" or "tracking consent" where legitimate concerns about the language of the rules were completely dismissed as industry noise.

masfuerte · 3 years ago
Lawmakers obviously need the assistance of outside expertise. The problem with lobbying is that most of the assistance comes from the people with most of the money. Lawmakers could (and in some jurisdictions do) seek out assistance rather than relying on moneyed interests to offer it.
mongol · 3 years ago
The podcast episode in Svenska Dagbladet (which is otherwise a very good podcast) was infuriating because the opponent and the host did not catch on to her ridiculous statements about encryption. She really needs to meet a journalist that can cross-examine her statements about this. She got away too easy there.
meling · 3 years ago
I only read the blog summarizing the interviews, but I’m horrified that she can talk this much bs with such apparent confidence. I don’t know who she is and how she got to have this role, which she does not appear qualified to hold.
mongol · 3 years ago
She is a Swedish politician from the Social Democratic party. One of the senior ones that served as minister in the cabinet for a number of years. Unfortunately, that does not mean she is competent
tephra · 3 years ago
Knowing the opponent he indeed caught on but with 30 minutes (and most of that spent with Ylva) there's only so much you can do.

randyrand · 3 years ago
> Above all, she continues to claim that it’s possible to scan end-to-end encrypted communication without breaking the encryption.

This is trivially possible.

1. send an end to end encrypted message to the recipient

2. also send an end to end encrypted copy of the message to the government.

I’m not agreeing with it. But you can clearly send end to end encrypted messages to multiple parties without fundamentally breaking the encryption…

demindiro · 3 years ago
If message 1 is properly encrypted then I can put whatever I want in message 2 without the government knowing the contents of message 1.

Also, assuming message 1 and 2 contents are identical, if anyone steals the government's private key the encryption of message 1 is moot.

Aeolun · 3 years ago
I think by the point you encrypt the plaintext twice the idea of end-to-end is broken.
ranguna · 3 years ago
Disclaimer: I do not agree with this EU proposal.

Why do you say that e2ee is broken if the plain text is encrypted more than once?

Isn't that what happens in group chats?

And if not, they could just make all chats group chats. You, your recipient and the government.

hunter2_ · 3 years ago
Are you saying that sending and scanning are the same? I think we need to define "scan" (or "sniff" or whatever other metaphors are used here) as more than just receiving a copy that's still encrypted. What definition is there, which is distinct from "decrypt"?

You can often determine the source, the destination, the amount of data over time, etc. but those are hardly sufficient to suspect wrongdoing unless there's also other overwhelming evidence already.
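
The multi-recipient idea debated in the replies above (one message, several recipients, as in a group chat), as an added example that is not part of any comment in the thread. It uses a toy cipher built from Python's standard library, and the recipient names and pairwise keys are constructed assumptions; a real messenger would use a vetted AEAD and a key-agreement protocol.

```python
import hashlib
import hmac
import secrets

# Toy authenticated encryption from the standard library only (HMAC-SHA256
# keystream, encrypt-then-MAC). Illustrative, not a vetted cipher.


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)


def send_shared_body(message: bytes, pairwise_keys: dict) -> dict:
    """Group-chat shape: one encrypted body, content key wrapped per recipient."""
    content_key = secrets.token_bytes(32)
    wrapped = {name: seal(k, content_key) for name, k in pairwise_keys.items()}
    return {"body": seal(content_key, message), "wrapped": wrapped}


def receive(envelope: dict, name: str, pairwise_key: bytes) -> bytes:
    content_key = open_sealed(pairwise_key, envelope["wrapped"][name])
    return open_sealed(content_key, envelope["body"])


def send_separate_copies(message: bytes, pairwise_keys: dict) -> dict:
    """Steps 1 and 2 from the thread: an independent ciphertext per recipient."""
    return {name: seal(k, message) for name, k in pairwise_keys.items()}


def _fails(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo() -> dict:
    # Constructed pairwise keys; assumed to come from a prior key agreement.
    keys = {n: secrets.token_bytes(32) for n in ("recipient", "third_party")}
    msg = b"constructed sample message"
    env = send_shared_body(msg, keys)

    # A wrapped entry that does not carry the body's content key is detected
    # by the holder of that entry: the body fails authentication.
    bad = {"body": env["body"], "wrapped": dict(env["wrapped"])}
    bad["wrapped"]["third_party"] = seal(keys["third_party"], secrets.token_bytes(32))

    copies = send_separate_copies(msg, keys)
    return {
        # Every key on the recipient list opens the same plaintext, so each
        # added key is one more secret whose loss exposes the message.
        "all_listed_keys_read_it": all(
            receive(env, n, k) == msg for n, k in keys.items()
        ),
        "outsider_rejected": _fails(receive, env, "recipient", secrets.token_bytes(32)),
        "mismatched_wrap_detected": _fails(receive, bad, "third_party", keys["third_party"]),
        # Independent copies of the same text share no bytes that could be
        # compared, so their equality cannot be checked from ciphertext alone.
        "separate_copies_differ": copies["recipient"] != copies["third_party"],
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
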