The bill could not be passed on Spain’s presidency. The presidency is now on Belgium and Stasi-fans are trying to get this bill passed again, hoping not to cause too much noise this time.
The text of the bill was modified a bit, and this time they added an exception, though
- Politicians and police are not subject to monitoring, only ordinal citizens messages’ should be wiretapped
This is what struck me as well. This is in the vein of, "Who watches the watchmen?" I can understand a world, albeit it sounds chaotic, where nothing is monitored. I'm worried about a world where the only unmonitored people are people with definitive authority.
Kind of funny to hear people refer to 1984 these days. We're so far past it now, and we did it to ourselves; giving up location data for maps (and mobile phone function for that matter), a Ring doorbell on every front door, participation in social media, etc.
But somehow it's all OK, because it's corporations instead of the government (a blurry line itself) on the other end.
Imagine living in a Bizarro world where the law said that private citizens could not be tapped without a warrant and probable cause but politicians and police must be surveilled to mitigate corruption.
Robert Kennedy Jr had to make his own political party in some states to get on the ballot. I'd assume the average person in many areas could create their own party with a stack of paperwork. Then track down local laws that define what would be considered a politician, my guess would be something like actively running for an office or being named as a party's candidate or political leader.
It's far simpler than that, it's just the reconstitution of what we call aristocracy from the past, the reversal of the American Revolution and Constitution, the pole-flip of the power relationship between the "ordinary citizens" and the powerful/government.
It is he same abusive pattern of lying used to manipulate people against the right to self-defense agains a tyrannical government through the supreme law that prohibits the government from infringing on the people's inalienable, God given right to the means of self-defense, as enshrined in the Second Amendment to the US Constitution. "Think of the children" the tyrants wail as they demand you give up your ability to defend yourself against the bombs they threaten to use against their own population that refuses to submit to the desires of the ruling class and they are also busy slaughtering children by the tens of thousands.
The real danger is criminal profiling. Read a book on criminal profiling as done by the FBI. You hear things like "the suspect appeared nervous when his eyes saw the murder weapon" or "serial killers match two of three: cruelty to animals, obsession with fire-setting, and persistent bedwetting past the age of five" (aka Macdonald triad). Impulsive killers are in their teens or early 20s, while more careful killers will be at least in their 30s.
I'm sure the motives were good - sometimes it's like finding a needle in a haystack, and it saved lives back then.
But you have mass surveillance, you can go through every hay in the haystack. Yet likely they won't. They'll settle on a middle ground with these outdated methodologies, and combine it with AI/data, to create some form of data-driven astrology. Someone will be inspired by CSI to ask AI to blow up a blurry photo, and AI might just hallucinate it. There will be experts out there who would oppose this, and these could be shut down by their bosses, the politicians who don't understand how it all works.
The Macdonald triad detects the worst criminals, sure, but it mainly detects victims of abuse. Privacy isn't important to the privileged groups; but it's a level of protection for the innocents who could be profiled wrongly.
It's worth dropping the Danish film Riders of Justice in this thread for people who haven't seen it. In the film, a facial recognition algorithm is created, and after some tinkering with the accuracy they are able to find who they are looking for - I won't spoil it, but highly suggest the movie.
I'm reminded of "ruin my search history" which when clicked will have your browser search for not only "isis application" and "hotels syria" but things like "how to kill someone hypothetically"
There could be one-click-implication on a target person.
Really it’s internal threat security vs external threat security.
Measures to reduce personal security also reduce the security of the traditional armed forces.
1) The armed forces use most of the same networking software and hardware as civilians. They also rely on the same protocols.
2) In a total war scenario, like Ukraine, civilian communication infrastructure becomes military communication infrastructure. See soldiers relying on phones for communication and apps to aim artillery.
3) The vulnerabilities that get built into civilian communications are obvious cyber warfare targets.
The framing of privacy vs security tricks the traditional armed forces into thinking that they have the same interests as the NSA.
Famous quote by Benjamin Franklin (from 1755) : “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety”
...
"...
Franklin was thus complaining of the choice facing the legislature between being able to make funds available for frontier defense and maintaining its right of self-governance--and he was criticizing the governor for suggesting it should be willing to give up the latter to ensure the former.
..."
[0]
I think that using a secure layer on top of the insecure layer undermines this argument, similar to how HTTPS is secure while using HTTP with a twist, and using every underlying system in the same way. Or how GPS functionality is regulated for civilians.
So especially "1)" won't be true. Yes, right now they may be using same or similar things, but then after the new regulation they would be using superior stuff, problem solved.
"3)" is considerable because that's true, whatever difference there is in comms security, adversaries will have the same power over the civilian comms as their own government. Right now of course this is the case already, but especially after regulating it, will it become prevalent. I think governments are fine with this in general, though, which I deduct from the lack of countermeasures to it.
In reality, encryption is power, and the more power individuals have, the less power those have who want to control individuals. Everything else is smoke and mirrors, like the classic "think of the children" argument.
Regarding #1. Will there be performance implications when adding the secure layer?
Will there be cost implications when adding a secure layer?
Will the secure layer add risks to the project? Governments are already bad at delivering defence projects on time, will the extra complexity make it worse?
How do we know which layers are insecure? Will there be a published list of vulnerabilities that need to be mitigated by the military?
I believe decision makers really need to understand 3 basic points:
1. End-to-end encryption does exist today (and it is deployed at scale). There is no going back.
2. There is no middle ground: either it is end-to-end encrypted, or it is not. "Sniffing" encrypted messages is not a thing, period.
3. Make all the laws you want, criminals will always be able to use end-to-end encryption. Those laws will only prevent honest people from protecting their communications.
I strongly agree with 2) and 3), but sadly I think 1) is overplaying our collective hand.
I would guess that the largest deployments of end-to-end-encryption today is Whatsapp and iMessage by a quite large margin. E2EE for "real people" is provided by the grace of two massive publicly traded companies who have to follow local regulation. If Apple complies [1] with dubious requirements in China, I wouldn't bet against them doing it elsewhere either.
Sure, we have Signal, but how many normal users would start delving into side loading if the application simply was banned and not allowed on the marketplaces? We can always use PGP-over-whatever, but that's an argument for 3) - not 1).
I think politicians / police (and honestly many normal people) believe that the government have the right to do lawful interception of private communication and see E2EE as a step to far. The US has been wiretapping phones for a century already.
We as privacy arguers have a pedagogical challenge of explaining why regulation like this is bad and not equivalent to 1930's style phone wiretapping.
[1]: Chinese iOS users have their iCloud data (that for the vast majority includes the decryption keys) on Chinese servers, subject to the Chinese legal system. For the rest of the world the situation is the same, but s/China/U.S, which is arguably problematic as well.
I don't think their first point meant to say that there is no going back on deployed e2ee at scale, I believe they were just providing ground for connecting the next two points: it's so pervasive currently that, even if outlawed, criminals will always have no problem retaining access to it somehow. Even Signal, which relies on fairly centralized infrastructure, still has an open source server implementation that I suspect wouldn't be terribly difficult for a motivated criminal enterprise to deploy privately. Contrast with something like advanced weapon systems, where rarity makes it still viable to control and legislate.
> Sure, we have Signal, but how many normal users would start delving into side loading if the application simply was banned and not allowed on the marketplaces
> 2. There is no middle ground: either it is end-to-end encrypted, or it is not. "Sniffing" encrypted messages is not a thing, period.
Yes, but ... it's also never truly end to end encrypted as humans can't do encryption in their heads. Thus there is an analogue hole at both ends. All you need to is install a spy app at the end points to access the unencrypted version.
And lo, I present to you the Australia "Assistance and Access Bill (2019)". It demands that companies that develop the endpoint software shall "assist" them in writing spy apps that are undetectable. It also demands those same companies shall use their "auto security patch" feature to silently install those spy programs on the targets devices.
I have no idea what the EU is proposing, and yes I agree if they are proposing we all use "breakable encryption" then it won't succeed for a whole host of practical reasons. But, I suspect they are smarter than that. And if they adopt the Australian solution, then while:
> 3. Make all the laws you want, criminals will always be able to use end-to-end encryption. Those laws will only prevent honest people from protecting their communications.
is true, it's also moot.
There is a way around the Australian version because it insists the government shall not introduce a "systemic weakness", which translates to "you shall not break the security our society depends on". Because of that they are prohibited from installing their spy software on everyone's devices; all installations must be pre-authorised by a court. That in turn means the software company must be able to target the targeted individuals devices, and only those devices. That's simple for the likes of Google, Microsoft and Amazon of course because they insist you create an account.
So the ways around it are:
1. Use open open source software, because the anonymous security updates make impossible to target someone. This is very difficult to do for most people.
2. Use a Chinese phone. They have been banned from using the closed versions of software, so they base their products on something like AOSP. You will probably get spied on by the Chinese government instead, of course - but if you live in the west why would you care? This is the easy one to do, so that's what will probably happen.
I find the ironies of the directions these proposals take us in absolutely delicious.
Well the article is about efforts aiming at weakening encryption, and my comment is about that.
> is true, it's also moot.
Anything is moot if you completely ignore the context. The article talks about policy makers who want to alter encryption in such a way that they get more control over it. My point is that they need to understand that they cannot get this kind of control the way they advertise it (with "privacy-preserving sniffers").
Of course you can say that anyway the NSA can hack you, but that's off-topic here. My point is that politicians need to understand the basics of how encryption works, such that they can think properly about propositions like that.
Even for politicians, there is a big difference between "privacy-preserving sniffing" and "adding a spyware in every device". The former is impossible, the latter is possible. But many politicians wouldn't vote for the latter.
Can we extend this to client-to-server communication too, not just client-to-client? Why do we allow Cloudflare to terminate so much encrypted traffic?
Should all companies have to run their own CDN? I agree that Cloudflare having a huge market share is a problem but I don't see how you could outlaw this. Unless every company is buying property and running their own servers they will have to outsource some of the delivery to third-parties. But this is why they have contracts in place to govern how they can use the data. Unless you are huge, or don't need much performance you don't have many reasonable options. Also where would such a law stop? Are AWS and GCP illegal as they can read keys out of customer's VMs?
So I agree it would be great to reduce the number of third parties for many sites. But I don't think this is something that can be fixed just by slapping a bit of regulation on it.
This is my second point: there is no middle ground. Either it is useful (because it works), or is it useless. There is no "it works for the good guys but it does not work for the bad guys". There is no tradeoff. Either it works for everybody, or it does not work at all.
Are these people absolutely stupid, we could end up in a potentially catastrophic cyber war at some point and we need to be looking at better more secure systems than making even further holes in what we have!
Kinda. My guess is that they are very narrowly focused and miss th bigger picture. They worry about organized crime and the war on drugs while forgetting the bigger picture.
To be fair, death-by-voter is a fairly common way for democracies to die, so—putting aside what that may or may not justify from a policy perspective, the sentiment isn’t silly. Voters really are one of the greatest dangers to democracy, that’s just true.
Two people can keep a secret if one of them is dead. Anything involving secret backdoors, intentionally compromised crypto, not so secret master keys, etc. is doomed to leak to a hostile entities abusing this. The weakest part of the system becomes secret weaknesses staying secret.
Intentionally compromised encryption is going to be enormously appreciated by North Korea, Iran, China, and all the others one would normally want to keep from looking at secret data related to finances, personal communication, military secrets, industrial R&D, etc.
Countries need to get their priorities straight on national security. The enemy is outside of their country, not inside. And they don't play by the rules, generally.
It seems to me that you may be making a mistake in assuming these counties do no in fact have their priorities straight, only that those priorities do not align with most people's interests.
The purpose of a system is what it does, not what it consistently and persistently fails to do.
Far too long and far too much, people have assumed a good will of our governments because we have intenionlaly been conditioned to accept with blind faith that "democracy" is a universal "good", never asking oneself why the tiny psychopathic ruling class would be such vehement proponents and rabid advocates of "Our Democracy"™, a supposed rule by majority. It appears that not everyone gets as suspicious of things that contain inherent fundamental contradictions.
I'm not sure what you are on about. Plain and simple, countries like Australia are throwing away the baby with the bathwater by basically giving up on decent crypto. They are making it easier for the likes of China to spy on them who can and will abuse any informational advantage they can get. This long term puts them at a disadvantage internationally. I doubt this is in any way intentional. That would be stupid.
The type of politics that drives this is older, technically challenged politicians (aka. idiots) responding to pressure from minority groups whining about pornography and other things they don't like. The priorities seem to be appeasing groups like that in order to secure the next election cycle. By essentially sacrificing security, which they clearly have a limited understanding off.
Never attribute to malice that which can be adequately explained by stupidity. Some countries don't get their priorities straight because they are being led by idiots. It's indeed a system failure. The solution is wielding a giant clue bat and causing relevant stakeholders (military, financial sector, etc.) to wake up and push back and doing something about it.
The reason cryptography is still legal in most civilized places is that we've had a few rounds of that over the past decades.
Readit News
The bill could not be passed on Spain’s presidency. The presidency is now on Belgium and Stasi-fans are trying to get this bill passed again, hoping not to cause too much noise this time.
The text of the bill was modified a bit, and this time they added an exception, though
- Politicians and police are not subject to monitoring, only ordinal citizens messages’ should be wiretapped
https://european-pirateparty.eu/chatcontrol-eu-ministers-wan...
The inversion of values is frightening, politicians and police should be among the very few under scrutiny.
Of course, in 1984, their instruction manual, the top members of the party can turn their telescreens off.
Kind of funny to hear people refer to 1984 these days. We're so far past it now, and we did it to ourselves; giving up location data for maps (and mobile phone function for that matter), a Ring doorbell on every front door, participation in social media, etc.
But somehow it's all OK, because it's corporations instead of the government (a blurry line itself) on the other end.
Isn't that -again- a direct violation of the charter of fundamental rights (article 20)? (all are equal before the law)
Deleted Comment
Imagine living in a Bizarro world where the law said that private citizens could not be tapped without a warrant and probable cause but politicians and police must be surveilled to mitigate corruption.
Wonder how low would be the bar to become a politician. Signing up for a local council elections definitely makes one a politician, right!
Animal order, at its best.
It is he same abusive pattern of lying used to manipulate people against the right to self-defense agains a tyrannical government through the supreme law that prohibits the government from infringing on the people's inalienable, God given right to the means of self-defense, as enshrined in the Second Amendment to the US Constitution. "Think of the children" the tyrants wail as they demand you give up your ability to defend yourself against the bombs they threaten to use against their own population that refuses to submit to the desires of the ruling class and they are also busy slaughtering children by the tens of thousands.
Is this language necessary?
It’s the use of a certain language to draw attention to a very important topic.
I'm sure the motives were good - sometimes it's like finding a needle in a haystack, and it saved lives back then.
But you have mass surveillance, you can go through every hay in the haystack. Yet likely they won't. They'll settle on a middle ground with these outdated methodologies, and combine it with AI/data, to create some form of data-driven astrology. Someone will be inspired by CSI to ask AI to blow up a blurry photo, and AI might just hallucinate it. There will be experts out there who would oppose this, and these could be shut down by their bosses, the politicians who don't understand how it all works.
The Macdonald triad detects the worst criminals, sure, but it mainly detects victims of abuse. Privacy isn't important to the privileged groups; but it's a level of protection for the innocents who could be profiled wrongly.
That’s such an apt description of the junk science that’s going to get justified by AI.
There could be one-click-implication on a target person.
Polygraphs are still heavily used in US even though everyone know it's anti-scientific bullshit.
Really it’s internal threat security vs external threat security.
Measures to reduce personal security also reduce the security of the traditional armed forces.
1) The armed forces use most of the same networking software and hardware as civilians. They also rely on the same protocols.
2) In a total war scenario, like Ukraine, civilian communication infrastructure becomes military communication infrastructure. See soldiers relying on phones for communication and apps to aim artillery.
3) The vulnerabilities that get built into civilian communications are obvious cyber warfare targets.
The framing of privacy vs security tricks the traditional armed forces into thinking that they have the same interests as the NSA.
...
"... Franklin was thus complaining of the choice facing the legislature between being able to make funds available for frontier defense and maintaining its right of self-governance--and he was criticizing the governor for suggesting it should be willing to give up the latter to ensure the former. ..." [0]
[0] https://www.lawfaremedia.org/article/what-ben-franklin-reall...
So especially "1)" won't be true. Yes, right now they may be using same or similar things, but then after the new regulation they would be using superior stuff, problem solved.
"3)" is considerable because that's true, whatever difference there is in comms security, adversaries will have the same power over the civilian comms as their own government. Right now of course this is the case already, but especially after regulating it, will it become prevalent. I think governments are fine with this in general, though, which I deduct from the lack of countermeasures to it.
In reality, encryption is power, and the more power individuals have, the less power those have who want to control individuals. Everything else is smoke and mirrors, like the classic "think of the children" argument.
Will there be cost implications when adding a secure layer?
Will the secure layer add risks to the project? Governments are already bad at delivering defence projects on time, will the extra complexity make it worse?
How do we know which layers are insecure? Will there be a published list of vulnerabilities that need to be mitigated by the military?
1. End-to-end encryption does exist today (and it is deployed at scale). There is no going back.
2. There is no middle ground: either it is end-to-end encrypted, or it is not. "Sniffing" encrypted messages is not a thing, period.
3. Make all the laws you want, criminals will always be able to use end-to-end encryption. Those laws will only prevent honest people from protecting their communications.
I would guess that the largest deployments of end-to-end-encryption today is Whatsapp and iMessage by a quite large margin. E2EE for "real people" is provided by the grace of two massive publicly traded companies who have to follow local regulation. If Apple complies [1] with dubious requirements in China, I wouldn't bet against them doing it elsewhere either.
Sure, we have Signal, but how many normal users would start delving into side loading if the application simply was banned and not allowed on the marketplaces? We can always use PGP-over-whatever, but that's an argument for 3) - not 1).
I think politicians / police (and honestly many normal people) believe that the government have the right to do lawful interception of private communication and see E2EE as a step to far. The US has been wiretapping phones for a century already.
We as privacy arguers have a pedagogical challenge of explaining why regulation like this is bad and not equivalent to 1930's style phone wiretapping.
[1]: Chinese iOS users have their iCloud data (that for the vast majority includes the decryption keys) on Chinese servers, subject to the Chinese legal system. For the rest of the world the situation is the same, but s/China/U.S, which is arguably problematic as well.
At lot. Police concocted a fake chat app and somehow convinced their targets to side load it. By all reports it was a wild success: https://www.theguardian.com/australia-news/2021/jun/08/anom-...
Yes, but ... it's also never truly end to end encrypted as humans can't do encryption in their heads. Thus there is an analogue hole at both ends. All you need to is install a spy app at the end points to access the unencrypted version.
And lo, I present to you the Australia "Assistance and Access Bill (2019)". It demands that companies that develop the endpoint software shall "assist" them in writing spy apps that are undetectable. It also demands those same companies shall use their "auto security patch" feature to silently install those spy programs on the targets devices.
I have no idea what the EU is proposing, and yes I agree if they are proposing we all use "breakable encryption" then it won't succeed for a whole host of practical reasons. But, I suspect they are smarter than that. And if they adopt the Australian solution, then while:
> 3. Make all the laws you want, criminals will always be able to use end-to-end encryption. Those laws will only prevent honest people from protecting their communications.
is true, it's also moot.
There is a way around the Australian version because it insists the government shall not introduce a "systemic weakness", which translates to "you shall not break the security our society depends on". Because of that they are prohibited from installing their spy software on everyone's devices; all installations must be pre-authorised by a court. That in turn means the software company must be able to target the targeted individuals devices, and only those devices. That's simple for the likes of Google, Microsoft and Amazon of course because they insist you create an account.
So the ways around it are:
1. Use open open source software, because the anonymous security updates make impossible to target someone. This is very difficult to do for most people.
2. Use a Chinese phone. They have been banned from using the closed versions of software, so they base their products on something like AOSP. You will probably get spied on by the Chinese government instead, of course - but if you live in the west why would you care? This is the easy one to do, so that's what will probably happen.
I find the ironies of the directions these proposals take us in absolutely delicious.
Well the article is about efforts aiming at weakening encryption, and my comment is about that.
> is true, it's also moot.
Anything is moot if you completely ignore the context. The article talks about policy makers who want to alter encryption in such a way that they get more control over it. My point is that they need to understand that they cannot get this kind of control the way they advertise it (with "privacy-preserving sniffers").
Of course you can say that anyway the NSA can hack you, but that's off-topic here. My point is that politicians need to understand the basics of how encryption works, such that they can think properly about propositions like that.
Even for politicians, there is a big difference between "privacy-preserving sniffing" and "adding a spyware in every device". The former is impossible, the latter is possible. But many politicians wouldn't vote for the latter.
So I agree it would be great to reduce the number of third parties for many sites. But I don't think this is something that can be fixed just by slapping a bit of regulation on it.
It is useless if the spyware can scrape screen, log your keyboard / etc
The scientists know better than you.
No scientists were harmed (or involved) in this farce.
Intentionally compromised encryption is going to be enormously appreciated by North Korea, Iran, China, and all the others one would normally want to keep from looking at secret data related to finances, personal communication, military secrets, industrial R&D, etc.
Countries need to get their priorities straight on national security. The enemy is outside of their country, not inside. And they don't play by the rules, generally.
The purpose of a system is what it does, not what it consistently and persistently fails to do.
Far too long and far too much, people have assumed a good will of our governments because we have intenionlaly been conditioned to accept with blind faith that "democracy" is a universal "good", never asking oneself why the tiny psychopathic ruling class would be such vehement proponents and rabid advocates of "Our Democracy"™, a supposed rule by majority. It appears that not everyone gets as suspicious of things that contain inherent fundamental contradictions.
The type of politics that drives this is older, technically challenged politicians (aka. idiots) responding to pressure from minority groups whining about pornography and other things they don't like. The priorities seem to be appeasing groups like that in order to secure the next election cycle. By essentially sacrificing security, which they clearly have a limited understanding off.
Never attribute to malice that which can be adequately explained by stupidity. Some countries don't get their priorities straight because they are being led by idiots. It's indeed a system failure. The solution is wielding a giant clue bat and causing relevant stakeholders (military, financial sector, etc.) to wake up and push back and doing something about it.
The reason cryptography is still legal in most civilized places is that we've had a few rounds of that over the past decades.
Knowledge and information need no rules, but humans do.