"the EU wants to scan your messages" implies its every member state and not one freak from Denmark putting this forward where it will die.
The EU has always been 90 days from passing mass surveliance for the last decade. Until member states start actually backing this these articles are nothing but click bait.
In previous EU presidencies it's only been defeated by a slim margin, in part thanks to grassroots pressure. The attitude of the governments in favor of it has been: "whatever, we'll keep trying and we'll get it eventually".
So getting upset that people talk about it when it gets tabled once again is illogical and unjustifiable.
That's why people need to always pay attention to this stuff. They only have to win once to make it "precedent" and "the way it should be, obviously". THe people in power want to remain in power forever. This is one of the main ways they can stay there, by monitoring every single moment of our lives, even the most private of messages. Of course they will always have private back channels to collude, but the rest of us are cattle to them.
I'm confused now: is now the EU the baddie or the governments? Because these are two different entities - and not at least, also "the EU" is a group of government representatives. So folks if you're in the EU and don't like something the EU does - you do have levers, go vote, campaign, do something to move your own folks to do something on the EU level. And if you're in the US maybe better check your own backyard, I think it's on fire.
It's not clickbait. Many member states do support this. Much of the disagreement is on just how rights-violating the scanning should be.
The situation here in Denmark is dire: nobody in the Danish media reports on it, so everybody just shrugs. I've gone out of my way to educate my coworkers and most are unaware many members of our parliament want this. The number of parties that support it outnumber those who don't. Writing to our representatives is met with silence.
Everyone looking to Denmark as a model state should beware what happens when you have a population with such high trust in its government: the roots of autocracy are allowed to grow unfettered.
Denmark is very liberal in some ways but very much not in others. MitID -- digital id-- is a gateway to everything and is very much gated in terms of access; it took me months to sort out. It's a crime to not tell the state where you live, or to have too many people living in your house (I'd love to know what happens if you give birth on a "full" house -- is there a grace period, or do you have to move?). The work laptop I have been issued with is filled with invasive spyware that no British university employee would tolerate, and it is run (very well) as a benign dictatorship. You can't get a phone SIM card without personal registration. The tax agency know exactly to the øre how much money you received and what you spent it on in a given year as basically every transaction is recorded.
I'm not complaining that much about it -- you have a fantastic social security system, low inequality, high pay and high taxes, leading to a happy and well educated population and great food (no upf!) -- but it is a vision of the 1960s nanny state that really does think it knowd best.
The way article is formulated little bit as clickbait.
Title tries to scare while content says it's just a topic being reintroduced.
If anybody knows EU laws and is aware that to introduce such change all states need to agree... then I just wish DK good luck until it's anyhow confirmed at _all_ not many states do support this.
I come from different EU state and I first time hear this is big topic, seems then it's not such a big topic outside Denmark maybe?
> Everyone looking to Denmark as a model state should beware what happens when you have a population with such high trust in its government: the roots of autocracy are allowed to grow unfettered.
Denmark is currently one of the nicest places you can find in the world. If that’s what happens when you trust the government then sign me up!
PS. I know the situation can quickly deteriorate if you’re not constantly monitoring what the government does and agree with OP on that. Just thought it was incredibly naive to try to make the point that this can lead to an autocracy while showing one of the most well functioning democracies in the world. The USA seems like a much better example, and even then compared to most countries in the world, as you can see by the amount of people trying to move there, it’s still a pretty damn nice place to go.
They haven't passed this yet, because every time people make noise and write their representatives. It's "clickbait" like this that makes any sort of privacy still possible.
Sure, but this is the same thing as saying "America is going to paint all birds orange" just because one person in the Iowa General House Assembly said we should do it.
Awareness is good but there is a fine line between awareness of specific politicians that suck and just misrepresenting the facts.
It is a bit like asking a girl to show you her private parts for years until she has a moment of weakness. That would make you a real creep.
The EU parliament is fake, and the unelected commission has become a pathetic clown show.
Their latest VP addition, Antonio Costa, had to be removed from office in Portugal because he was too corrupt. But good enough for leadership of the EU commission.
They had a violent rhetoric, prolonged artificially to this day the Ukraine war and watched the population being slaughtered without sending any troops.
So instead of loosing a few territory, the Ukrainian population is now dead demographically. If you prolong enough a war and the population is wreaked, the war is lost. This is what happened in WWI.
Just in the last few days they managed to be humiliated by both the US and China. China went so far to park them in a bus, arrive with no welcoming and have a walk of shame with in silence on a faded carpet.
The EU was about democracy, peace and prosperity. Today it is is pursuing the opposite objectives.
Downvote me if you want, I care more about staying alive than any internet karma points.
People said the same thing about the UKs Online Safety Act when it was proposed. If these articles do not warn us to take action and spread more awareness on what's going on, we would just be stepping closer to the dystopian future faster.
There are constant attempts to undermine our rights. Every state has their political figures that try to push things like that and they would have succeeded (more) if there wasn't so much public backlash. They continue to try though. What you are describing is a good example of the preparedness paradox.
And it's a slippery slope. The UK already damned itself with the Investigatory Powers Act of 2016 that allowed for Technical Capability Notices to be served in secret to any organization they desired to backdoor.
Normalizing it and saying it is a mundane topic 30 years is actually helping these powers to install it, like getting tired over time and ending just accepting it. The reaction should be much stronger from the tech companies but the tech companies are actually supporters of it, just so they can continue hoarding money while violating other laws.
-> Discord/Google/Meta/etc are already scanning the private chats for pictures, and they didn't wait for a law.
To fix pedophiles, supporters of terrorism and gang members, there is a more radical solution: fund justice and police so dangerous people can be put in jail (or kill them if that's something you think is right).
Once this is done, there is no need anymore to monitor conversations outside of current scope.
Though, justice is not fair in practice, so there will be collateral innocent victims (like with privacy invasion) :/
they never really needed it because their allies already got all the data but with UK out of the EU and US proving less reliable / more volatile ally its more important for them to have their own source of intel.
though, because lawful intercept is also a thing in EU, its stupid to assume they do not already have access if they want it.
despite not having 'dragnet' surveillance , they have effective and deep targeted surveillance and laws that allow them to do that fairly freely.... (most countries are more strict with their own citizens, but then its handy to have allies to do it for u -_-... wonderful world!)
same logic as "fixing the clocks wasn't that big of a problem, the world didn't set on fire", well yeah because we warned you and fixed it. This is also the logic behind the no-win scenario of IT/security budgets:
things are working: why do we pay so much for IT/security or XYZ tool, we don't need it.
things are on fire: we pay so much money for IT/security or XYZ tool and it didn't help us
Exactly. The European """Parliament""" does not have the power to propose new laws, so if it passes once, it cannot repeal it of its own initiative. So much for democracy.
"not one freak from Denmark putting this forward where it will die"
Not true. The truth is that Chat Control has returned several times already and the majority of the EU states were actually always for, but a blocking minority has been reached each time - barely so.
Worryingly, one of the blocking minority countries used to be Germany, where privacy-minded smaller parties (Greens, FDP) are no longer in government. The new government hasn't declared its position yet. If it switches to yes, then the remnants of our privacy are kaput just like that, and the only hope will be in the ECHR, or possibly (sigh) in Trump's tech bros angrily vetoing it from abroad.
So, no one freak from Denmark, but a concerted, repeated effort.
There is an even worse set of measures in the phase of preparation, ProtectEU, which would mandate backdoors in everything under the pain of prison for vendors, introduce mandatory data retention and ban non-logging VPNs.
Fuck, I don't want to live in a China with a blue flag instead of red. This is absolutely dystopian.
Don't downplay the danger. Don't spread disinformation. This isn't a random shot from a random weirdo in Denmark. This is a seriously driven EU-wide attempt to destroy meaningful encryption with a lot of proponents and backers. And the current EC chair, Ursula von der Leyen, has a history of promoting such measures, that is why Germans call her Zensursula.
> Fuck, I don't want to live in a China with a blue flag instead of red. This is absolutely dystopian.
I think it's too late. People already showed they'd loudly support this if propagandized enough like during COVID times where the most draconian and anti constitutional of policies were enacted, literally following and lobbied by China.
Unless people recognize that they did a terrible thing in supporting covid policies instead of burying their head under the sand or persisting in the ridiculous propaganda about anti-vaxxers and disinformation, they're always going to be easily manipulated. The same goes for the "let's invade new country because 'dictator/terrorism/grave threat to our western way of life'".
Are we the baddies is a rethorical question at this point.
>Until member states start actually backing this these articles are nothing but click bait.
As the article states "According to the former MEP for the German Pirate Party, Patrick Breyer, Denmark crucially needs to manage to convince Germany of its proposed text. The new government has not yet taken a position at the time of writing."
And since the current German government is bound to take the most idiotic and destructive path it is basically assured.
Why does this stupid idea have to be killed so many times? Being watched constantly means living in fear, but seeing it almost become legally mandated practice over and over again is itself a form of living in fear. I'm so tired.
AFAIK there is a rule like that, but it needs that the proposal was voted down. Chatcontrol was never voted on by the EP. They bring it up every half a year and it would not be voted on until they can be sure it would pass.
Open source will find a way around it; there's no reason to be afraid. Unless one day their spyware is installed at the hardware level but that would be the equivalent of raiding our homes, so that's not very likely.
Ironically when Apple introduced their solution it was actually better than what we have now. It was interesting to watch people lose their minds because they didn't understand how the current or proposed system worked.
Current system everything can be decrypted on the cloud and is scanned for CSAM by all ISPs/service providers.
Apple wanted the device to scan for CSAM and if it got flagged, it allowed the file to be decrypted on the cloud for a human to check it (again, what happens now).
If it didn't get flagged then it stayed encrypted on the cloud and no one could look at it. This not only was a better protection for your data, it has a massive reduction in server costs.
CSAM is also a list of hashes for some of the worst CP video/images out there. It doesn't read anything, just hash matching.
The chance of mismatch is so incredibly small to be almost non-existent.
Even so the current CSAM guidelines require a human to review the results and require multiple hits before you are even flagged. Again this is what is happening now.
Personally I'm against having any agency the ability to read private messages, while at the same time I fully agree with what CSAM is trying to do.
Realistically if countries want to read encrypted messages, they can already do so. Some do too. The fact that the EU is debating it is a good thing.
So what would stop the list of hashes from being extended with hashes of copyrighted media, evidence of corruption (labelled slander or an invasion of the perpetrator's privacy) or evidence of the preceding abuses of the system themselves?
Once you have an established mechanism for "fighting crime", "don't use it to fight that type of crime" is not a position that has any chance of prevailing in the political landscape - see also all the cases of national security wiretaps being used against petty druggies.
The problem with the CSAM detection is that it can be used for adversarial purposes as well. For example if someone decides an image is politically inconvenient and pressures it to be blocked by hash, then Apple may have to comply or remove themselves from an entire market. Building the mechanism to do that is not acceptable in a civilised society.
And of course does this really solve the real problem of child exploitation? No it doesn't. It allows performative folk working for NGOs to feel like they've done something while children are still being abused and it is being covered up or not even investigated as is so common today.
Improving policing and investigatory standards is where this should stop. We already have RIPA.
All this does is create the expectation that a surveillance dragnet is acceptable. It is not.
> Realistically if countries want to read encrypted messages, they can already do so.
How? Are you implying adynchronous and synchronous encryption is broken? Because last time I checked since Snowden our encryption is basically the one single thing in the whole concept of the internet that has been done very right, with forward secrecy and long term security in mind. AFAIK there are no signs that someone or something has been able to break it.
Also, the solutions you present do imply that someone already has the private key to decrypt. Sure, they'll say they'll just decrypt if your a bad person, but the definition of a bad person changes from government to government (see USA), and from CEO to CEO. Encryption should and mostly is built on zero trust and it only works with zero trust. Scanning, and risking the privacy of billions and billions of messages by having the key to read them because there have been some bad actors is fighting a fly with a bazooka. Which sounds funny overkill, but, fun fact, it also just doesn't work. It destroys a lot, and gains nothing.
I don't have a better solution for the problem. But this solution is definitely the wrong one.
> CSAM is also a list of hashes for some of the worst CP video/images out there. It doesn't read anything, just hash matching.
The list presumably contains CSAM hashes. However, it could also include hashes for other types of content.
AFAIK the specific scope at any point in time is not something that can be fully evaluated by independent third parties, and there is no obvious reason why this list could not be extended to cover different types of content in the future.
Once it is in place, why not search for documents that are known to facilitate terrorism? What about human trafficking? Drug trafficking? Antisemitic memes spring to mind. Or maybe memes critical of some government, a war, etc.
This is because, despite the CSAM framing, it is essentially a censorship/surveillance infrastructure. One that is neutral with regard to content.
> Realistically if countries want to read encrypted messages, they can already do so. Some do too. The fact that the EU is debating it is a good thing.
I agree that the discussion is evolving the bill every time and there are always good amounts of feedback and comments.
It’s a bit annoying when tech websites don’t always update themselves with the latest changes, just labelling it ChatControl doesn’t mean it’s the same policy that was discussed 5 years ago. It makes for good click bait titles, but the technical nuances are missing.
For example, one would be interested to read a comparison between the “privacy” of a tool matching photos against a database of signatures vs. say Apple’s performative privacy in the Photos app or the iCloud + chatGPT/Apple Intelligence mix.
> Ironically when Apple introduced their solution it was actually better than what we have now. It was interesting to watch people lose their minds because they didn't understand how the current or proposed system worked.
What, the cloud scanning of user photos was a good idea for you? The private companyt deciding what is good or bad idea? The automated surveillance that could lead to people wrongfully accused idea?
> f it didn't get flagged then it stayed encrypted on the cloud and no one could look at it.
If Apple can decrypt your data when they find a match, they can decrypt ALL your data. Who says it will be used for good? Do you trust a private company this much?
Better still, the chats between Danish PM Mette Frederiksen and other members of government concerning the (possibly illegal) culling of all mink in Denmark. The chats were coincidentally deleted for security reasons as the press were catching on - security reasons that apparently do not apply to regular people simply texting their dad, girlfriend or anyone
I mean, it's not like you, your dad, girlfriend or anyone would be planning to perform possibly illegal culling of some species, now would you...???
There's lots of little privileges like this that only seem to apply to politicians. Like, lifelong retirement after just one year of work in parliament and government provided tax-free apartments in central Copenhagen.
The argument for the latter is that it is needed for them to be near the work, but if a private company provides the same to their employees the employee will be taxed by its full value.
Granted, it's less corruption than other places, but definitely still corruption.
By banning real encryption, the police can arrest anyone using chat apps they can't control. Them not being able to spy on you automatically makes you guilty.
Also something something children something terrorism something something safety, whatever makes the uninformed public feel like this is something that'll benefit them.
The criminals will just use something that hides in plain sight.
I think it was Encrochat devices that booted into a fairly vanilla looking OS, and there was another platform where it was hidden in something like a calculator app.
Yes, 100%. I grew up in Europe, and have been in the US for the last 10+ years, with all of my family still in Europe. I think this gives me reasonable feel for the "situation on the ground."
The best way I can describe my social circles in the US and EU is that in the US, we still have "principled freedom", where there (still) is a majority of people that understand the original ideas of the founding fathers, and can imagine that things could theoretically be different (the word used for this is "tyranny", which sounded super weird when I first came here).
In EU, I see a total disconnect with any foundational principles or values. Worse is that the population would 100% disagree with you on this, but when you probe "what are these values and why are they there," you get mostly circular reasoning based on some neo-liberal viewpoints. Furthermore, people just can't imagine ever losing their freedoms. This makes Europe essentially like the frog in the pot on the stove. If you mention the word "tyranny" to Europeans, they basically think you're a crackpot.
I have seen things change a teeny bit with the war in Ukraine, where folks get at least somewhat concerned, but the concerns are still about an external boogyman. Nowhere is there any realization that big government, with a lot of unelected bureaucrats, typically becomes the enemy of the people because "power corrupts."
When real encryption is illegal, it will be easier to roll them up.
> Why are some of these people so obsessed with reading everyone's chats?
Having worked with some of the people in law enforcement heavily pushing this, it generally does come from child safety concerns and the overwhelming amount of CSAM sent via encrypted means.
Personally, I don't believe that it will ever be restricted to serious crimes and the potential for abuse is infinite, so I don't believe it is justifiable, but child sexual abuse is a real and enormous problem that causes untold harm and suffering, so we have to find a balance.
I am willing to increase funding for undercover operatives who infiltrate CSAM smuggling rings and bust them. But nobody asked for this. They always say it is impossible without breaking encryption.
> This will catch the x% of lone wolf terrorists who are too mentally unwell to use encryption and too unwell to hide their intentions.
> Without this, the relative increase in terrorism will cause strongmen to get elected who will just enact even more severe surveillance, among many other bad things.
> So it's not a choice between surveillance and no surveillance. It's a choice between relative levels of badness.
> This will also catch real criminals by listening to their close family members who have worse OPSEC than the criminals.
Because total surveillance increases the power of the state which can then use it to suppress threats to its power, including effective political dissent. It's not new. It happens everytime if you follow history but people have been conditioned to think skepticism, unless is against "trump bad", is absolutely a conspiracy theory.
The important thing also is that this total massive invasion of privacy won't be for all. You don't get gov transparency but the opposite. The asymmetry of information only increases that power to oppress.
It really depends on the "use case." Regulators are primarily concerned about grooming, which involves criminals using apps that teenagers frequent.
Also, criminals usually have poor operational security—far from perfect. The seriousness of the offense isn't related to the quality of their opsec.
Regulators and law enforcement are generally rational. They may be short-sighted, but they often have reasonable explanations for things you might dismiss as stupid.
That sucks, CSAM sucks, emotional regulation sucks, and as a society, we don't know how to manage allowing kids online. In fact we don't even know, what we'd like. From a political/policy standpoint, that's the challenge of the next 20 years.
That's trying to find a technical solution to a problem that is not technical.
The sad truth is that law enforcement doesn't have the resources to go after a huge chunk of the cases - particularly before anything serious happens.
For this reason giving them even more power won't markedly increase prevention, but will introduce more cases of people abusing said power. Ultimately the government is run by people, and people are fallible:
I was reflecting on the whole chat apps and protocols the other day and felt we might just have trapped ourselves artificially.
If I want to casually keep in touch with a friend, I am supposed to have the following options:
- SMS/RCS: no need for an app but is controlled
- WhatsApp: no good to many reasons
- Signal: how can you believe it is not controlled once it becomes the mandatory app in the US Gov.
- Matrix: great but you need to self host a server, create accounts, etc.
- SimpleX: very interesting, but centralised and I feel it might just be the next Signal. Might be a solution since you can exit at some point by self hosting a server and I guess have alternative implementations.
- Delta chat: great but I guess email fall into the mass surveillance target.
Now most people do not have crazy security requirements and just want to be able to send a simple text message to a friend and be notified instantly without participating in mass surveillance. So why even using a formal Chat app that will be target by a regulation like Chat Control or kicked out of the App store?
Something like Gotify [0] or ntfy [1] are almost enough for most users. It has the whole free from Google and Apple push notification system figured out. You would just need to modify a bit the app to exchange keys with a QR code for individual topics (that you would use as contact or groups).
In a way we just need MQTT servers, a client with reliable push notifications and a manual key exchange mechanism. That would be really hard for govs to target.
A few corrections:
- Matrix does not require you to host a server, even if I'd prefer it - there are multiple public ones in various jurisdictions.
- There is XMPP - like Matrix, but older, jankier, much lighter and kind of freer.
- Weird to call Simplex "centralized" if you did acknowledge that it's selfhostable... But it's indeed weird that last I've seen, there's not some directory with the public servers like there is for Matrix/XMPP. They seem to be going with adding other servers to defaults instead, like they did with Flux recently.
I don't have a need for secure chat at this moment but if I did ...
I would just find a simple SSH application and give it to all of the chat participants.
Then I would establish a 1U server that I own and control, or even a raspi in my own house, and have everyone log in to run some simple (and old) version of 'talk' - presumably one that has a "wall" feature.
Very simple and very low trust.
Further, the exploit(s) required to infiltrate this are extremely valuable and also hyper specific.
I would have to be an extremely valuable and urgent target for any actor to burn an honest-to-god OpenSSH 0day on ... or a remote root FreeBSD exploit of a system running nothing but OpenSSH.
Bonus points if no ports are open and you have to knock ... which suggests a threat model of remote root vuln on a system with no ports open.
> In a way we just need MQTT servers, a client with reliable push notifications and a manual key exchange mechanism. That would be really hard for govs to target.
Go even further: Meshtastic (https://meshtastic.org/). P2P E2EE texting, primarily via LoRa mesh (a mesh of long-range low-bandwidth direct radio connections) plus MQTT backup, with surprisingly nice UX even for non-techies. You can message people directly, or create encrypted groups too.
In effect, you broadcast your message (encrypted) via LoRa (travels a couple of kilometers through apartment blocks in a big city, or up to hundreds of kilometers in open countryside with line-of-sight), and then anybody else with meshtastic rebroadcasts it, up to 3 hops by default. Works OK for local chat through normal nodes, or really well if somebody within a few kilometers has a router on a roof/big hill nearby (map of opted-into-mapping public nodes: https://meshmap.net/ - IME that's about 10% of actual nodes). Optionally uses MQTT when there's any kind of internet connection available so you can chat long-range too (there's a public MQTT server available, or you can run your own) although that's not really the main use case.
No paid intermediaries or services involved, doesn't require a cell plan or internet or anything, even if the whole world collapses, you just keep on texting (for as long as you have battery).
Requires either a tiny radio gateway (e.g. https://lilygo.cc/products/t-echo-meshtastic) that you connect through with your phone via BT, or you can get a standalone device (https://lilygo.cc/products/t-deck-plus-1) but <$100 in either case. Low-bandwidth though: only text & GPS, no pictures or audio. And obviously, this is pretty deep in the weird nerd shit so it might be a hard sell for your grandparents, and by its nature it's mostly useful for the local area chat anyway. Perfect for trips to low connectivity zones though (hiking, skiing, etc).
Agree I love those LoRa devices & Meshtastic, but it requires your contacts to invest and carry additional hardware.
Now the most exiting project in that space IMHO is Reticulum because you can transparently mix transports: any radio (incl LoRa), TCP, UDP, etc. [0]
Their Sideband app [1] is not as polished as Meshtastic but you can start over the standard Internet, or I2P, yggdrasil and slowly introduce LoRa among your group of friends over time and if necessary.
> - Signal: how can you believe it is not controlled once it becomes the mandatory app in the US Gov.
Isn't this a good sign? When the US Gov has enough trust to use it internally and officials are already using it for their communications, would this not mean that the service is truly encrypted.
They could have some sort of switch for it, but the frontend is open-source and that's where the encryption happens.
it seems it is the general Zeitgeist in Europe.
Also in Switzerland and generally erosions of Privacy laws all across the continent. The governments are scared of insurgencies from the right, from the left, from immigrants, from foreign nations.
Paranoia and fear are quite prominent.
It's always a minority pushing the weakening of encryption, which is why the proposals have never made it very far. What separates Europe from the US is that our political system is way more diverse and involves many more political groups (some of which have extreme opinions). This naturally means more diverse proposals, and lower chance of a given proposal becoming a reality. Especially so when compared to the US where it seems one person with the support of one political party can seemingly implement any crazy policy they think of on a whim.
I think it's probably a good thing to explore a wider range of ideas, even if many of the ideas suck and end up being scrapped.
The irony is that they cannot deal with an insurgency if it was organised offline or via secure messaging platforms. They simply don't have the man power to deal with it. At the moment only a few people realise this, if that changes and any insurgent activity actually do halfway decent OPSEC they are finished.
It's quite interesting, that while this topic comes up from time to time (it has been going on a long time after all already), people on here seem to seldom talk about the organizations that lobby for this proposal for years, with big ties to the US and intelligence agencies. So this is by no means just an European phenomenon but there seems to be a much bigger agenda behind it all.
Now, at the moment, I don't have a good english language source, but I am sure someone else could provide one?
Here is a german language one[0], from netzpolitik.org, who follow chat control for years now an have many articles going in depth about this. I am sure you could use translation software to read it until someone provides a better source. (And if you have not heard of this, you should!)
And while someone already linked to patrick breyers website[1] which has a good overview, I do so again so maybe more people will see it.
This thing is not new, but it is also not easily ignored and everyone should be informed whats going on here. They will try to pass this again and again since they have done for years now and it's mostly been close calls until now.
The problem is that citizens cannot start referendums, and MPs cannot propose laws to prohibit these privacy violations. So the commission will bring this up again and again and again, until it eventually passes.
Readit News
The EU has always been 90 days from passing mass surveliance for the last decade. Until member states start actually backing this these articles are nothing but click bait.
So getting upset that people talk about it when it gets tabled once again is illogical and unjustifiable.
The situation here in Denmark is dire: nobody in the Danish media reports on it, so everybody just shrugs. I've gone out of my way to educate my coworkers and most are unaware many members of our parliament want this. The number of parties that support it outnumber those who don't. Writing to our representatives is met with silence.
Everyone looking to Denmark as a model state should beware what happens when you have a population with such high trust in its government: the roots of autocracy are allowed to grow unfettered.
I'm not complaining that much about it -- you have a fantastic social security system, low inequality, high pay and high taxes, leading to a happy and well educated population and great food (no upf!) -- but it is a vision of the 1960s nanny state that really does think it knowd best.
Title tries to scare while content says it's just a topic being reintroduced. If anybody knows EU laws and is aware that to introduce such change all states need to agree... then I just wish DK good luck until it's anyhow confirmed at _all_ not many states do support this.
I come from different EU state and I first time hear this is big topic, seems then it's not such a big topic outside Denmark maybe?
Denmark is currently one of the nicest places you can find in the world. If that’s what happens when you trust the government then sign me up!
PS. I know the situation can quickly deteriorate if you’re not constantly monitoring what the government does and agree with OP on that. Just thought it was incredibly naive to try to make the point that this can lead to an autocracy while showing one of the most well functioning democracies in the world. The USA seems like a much better example, and even then compared to most countries in the world, as you can see by the amount of people trying to move there, it’s still a pretty damn nice place to go.
Awareness is good but there is a fine line between awareness of specific politicians that suck and just misrepresenting the facts.
The EU parliament is fake, and the unelected commission has become a pathetic clown show. Their latest VP addition, Antonio Costa, had to be removed from office in Portugal because he was too corrupt. But good enough for leadership of the EU commission.
They had a violent rhetoric, prolonged artificially to this day the Ukraine war and watched the population being slaughtered without sending any troops. So instead of loosing a few territory, the Ukrainian population is now dead demographically. If you prolong enough a war and the population is wreaked, the war is lost. This is what happened in WWI.
Just in the last few days they managed to be humiliated by both the US and China. China went so far to park them in a bus, arrive with no welcoming and have a walk of shame with in silence on a faded carpet.
The EU was about democracy, peace and prosperity. Today it is is pursuing the opposite objectives.
Downvote me if you want, I care more about staying alive than any internet karma points.
Do you know what's even funnier with the UK? Parliament has most of the power
It keeps us aware of how stupid the powers that be are.
-> Discord/Google/Meta/etc are already scanning the private chats for pictures, and they didn't wait for a law.
To fix pedophiles, supporters of terrorism and gang members, there is a more radical solution: fund justice and police so dangerous people can be put in jail (or kill them if that's something you think is right).
Once this is done, there is no need anymore to monitor conversations outside of current scope.
Though, justice is not fair in practice, so there will be collateral innocent victims (like with privacy invasion) :/
though, because lawful intercept is also a thing in EU, its stupid to assume they do not already have access if they want it.
despite not having 'dragnet' surveillance , they have effective and deep targeted surveillance and laws that allow them to do that fairly freely.... (most countries are more strict with their own citizens, but then its handy to have allies to do it for u -_-... wonderful world!)
things are working: why do we pay so much for IT/security or XYZ tool, we don't need it.
things are on fire: we pay so much money for IT/security or XYZ tool and it didn't help us
Not true. The truth is that Chat Control has returned several times already and the majority of the EU states were actually always for, but a blocking minority has been reached each time - barely so.
Worryingly, one of the blocking minority countries used to be Germany, where privacy-minded smaller parties (Greens, FDP) are no longer in government. The new government hasn't declared its position yet. If it switches to yes, then the remnants of our privacy are kaput just like that, and the only hope will be in the ECHR, or possibly (sigh) in Trump's tech bros angrily vetoing it from abroad.
So, no one freak from Denmark, but a concerted, repeated effort.
There is an even worse set of measures in the phase of preparation, ProtectEU, which would mandate backdoors in everything under the pain of prison for vendors, introduce mandatory data retention and ban non-logging VPNs.
Fuck, I don't want to live in a China with a blue flag instead of red. This is absolutely dystopian.
Don't downplay the danger. Don't spread disinformation. This isn't a random shot from a random weirdo in Denmark. This is a seriously driven EU-wide attempt to destroy meaningful encryption with a lot of proponents and backers. And the current EC chair, Ursula von der Leyen, has a history of promoting such measures, that is why Germans call her Zensursula.
I think it's too late. People already showed they'd loudly support this if propagandized enough like during COVID times where the most draconian and anti constitutional of policies were enacted, literally following and lobbied by China.
Unless people recognize that they did a terrible thing in supporting covid policies instead of burying their head under the sand or persisting in the ridiculous propaganda about anti-vaxxers and disinformation, they're always going to be easily manipulated. The same goes for the "let's invade new country because 'dictator/terrorism/grave threat to our western way of life'".
Are we the baddies is a rethorical question at this point.
As the article states "According to the former MEP for the German Pirate Party, Patrick Breyer, Denmark crucially needs to manage to convince Germany of its proposed text. The new government has not yet taken a position at the time of writing."
And since the current German government is bound to take the most idiotic and destructive path it is basically assured.
Here the wolf is clearly visible.
Ironically when Apple introduced their solution it was actually better than what we have now. It was interesting to watch people lose their minds because they didn't understand how the current or proposed system worked.
Current system everything can be decrypted on the cloud and is scanned for CSAM by all ISPs/service providers.
Apple wanted the device to scan for CSAM and if it got flagged, it allowed the file to be decrypted on the cloud for a human to check it (again, what happens now).
If it didn't get flagged then it stayed encrypted on the cloud and no one could look at it. This not only was a better protection for your data, it has a massive reduction in server costs.
CSAM is also a list of hashes for some of the worst CP video/images out there. It doesn't read anything, just hash matching.
The chance of mismatch is so incredibly small to be almost non-existent.
Even so the current CSAM guidelines require a human to review the results and require multiple hits before you are even flagged. Again this is what is happening now.
Personally I'm against having any agency the ability to read private messages, while at the same time I fully agree with what CSAM is trying to do.
Realistically if countries want to read encrypted messages, they can already do so. Some do too. The fact that the EU is debating it is a good thing.
Once you have an established mechanism for "fighting crime", "don't use it to fight that type of crime" is not a position that has any chance of prevailing in the political landscape - see also all the cases of national security wiretaps being used against petty druggies.
And of course does this really solve the real problem of child exploitation? No it doesn't. It allows performative folk working for NGOs to feel like they've done something while children are still being abused and it is being covered up or not even investigated as is so common today.
Improving policing and investigatory standards is where this should stop. We already have RIPA.
All this does is create the expectation that a surveillance dragnet is acceptable. It is not.
How? Are you implying adynchronous and synchronous encryption is broken? Because last time I checked since Snowden our encryption is basically the one single thing in the whole concept of the internet that has been done very right, with forward secrecy and long term security in mind. AFAIK there are no signs that someone or something has been able to break it.
Also, the solutions you present do imply that someone already has the private key to decrypt. Sure, they'll say they'll just decrypt if your a bad person, but the definition of a bad person changes from government to government (see USA), and from CEO to CEO. Encryption should and mostly is built on zero trust and it only works with zero trust. Scanning, and risking the privacy of billions and billions of messages by having the key to read them because there have been some bad actors is fighting a fly with a bazooka. Which sounds funny overkill, but, fun fact, it also just doesn't work. It destroys a lot, and gains nothing.
I don't have a better solution for the problem. But this solution is definitely the wrong one.
The list presumably contains CSAM hashes. However, it could also include hashes for other types of content.
AFAIK the specific scope at any point in time is not something that can be fully evaluated by independent third parties, and there is no obvious reason why this list could not be extended to cover different types of content in the future.
Once it is in place, why not search for documents that are known to facilitate terrorism? What about human trafficking? Drug trafficking? Antisemitic memes spring to mind. Or maybe memes critical of some government, a war, etc.
This is because, despite the CSAM framing, it is essentially a censorship/surveillance infrastructure. One that is neutral with regard to content.
I agree that the discussion is evolving the bill every time and there are always good amounts of feedback and comments.
It’s a bit annoying when tech websites don’t always update themselves with the latest changes, just labelling it ChatControl doesn’t mean it’s the same policy that was discussed 5 years ago. It makes for good click bait titles, but the technical nuances are missing.
For example, one would be interested to read a comparison between the “privacy” of a tool matching photos against a database of signatures vs. say Apple’s performative privacy in the Photos app or the iCloud + chatGPT/Apple Intelligence mix.
What, the cloud scanning of user photos was a good idea for you? The private companyt deciding what is good or bad idea? The automated surveillance that could lead to people wrongfully accused idea?
> f it didn't get flagged then it stayed encrypted on the cloud and no one could look at it.
If Apple can decrypt your data when they find a match, they can decrypt ALL your data. Who says it will be used for good? Do you trust a private company this much?
There's lots of little privileges like this that only seem to apply to politicians. Like, lifelong retirement after just one year of work in parliament and government provided tax-free apartments in central Copenhagen.
The argument for the latter is that it is needed for them to be near the work, but if a private company provides the same to their employees the employee will be taxed by its full value.
Granted, it's less corruption than other places, but definitely still corruption.
Deleted Comment
Also something something children something terrorism something something safety, whatever makes the uninformed public feel like this is something that'll benefit them.
I think it was Encrochat devices that booted into a fairly vanilla looking OS, and there was another platform where it was hidden in something like a calculator app.
The rise of totalitairianism in the EU is very real.
The best way I can describe my social circles in the US and EU is that in the US, we still have "principled freedom", where there (still) is a majority of people that understand the original ideas of the founding fathers, and can imagine that things could theoretically be different (the word used for this is "tyranny", which sounded super weird when I first came here).
In EU, I see a total disconnect with any foundational principles or values. Worse is that the population would 100% disagree with you on this, but when you probe "what are these values and why are they there," you get mostly circular reasoning based on some neo-liberal viewpoints. Furthermore, people just can't imagine ever losing their freedoms. This makes Europe essentially like the frog in the pot on the stove. If you mention the word "tyranny" to Europeans, they basically think you're a crackpot.
I have seen things change a teeny bit with the war in Ukraine, where folks get at least somewhat concerned, but the concerns are still about an external boogyman. Nowhere is there any realization that big government, with a lot of unelected bureaucrats, typically becomes the enemy of the people because "power corrupts."
Dead Comment
> Why are some of these people so obsessed with reading everyone's chats?
Having worked with some of the people in law enforcement heavily pushing this, it generally does come from child safety concerns and the overwhelming amount of CSAM sent via encrypted means.
Personally, I don't believe that it will ever be restricted to serious crimes and the potential for abuse is infinite, so I don't believe it is justifiable, but child sexual abuse is a real and enormous problem that causes untold harm and suffering, so we have to find a balance.
> This will catch the x% of lone wolf terrorists who are too mentally unwell to use encryption and too unwell to hide their intentions.
> Without this, the relative increase in terrorism will cause strongmen to get elected who will just enact even more severe surveillance, among many other bad things.
> So it's not a choice between surveillance and no surveillance. It's a choice between relative levels of badness.
> This will also catch real criminals by listening to their close family members who have worse OPSEC than the criminals.
The criminals aren't the masterminds people portrait in the movies.
I wonder if anyone believes those measure are actually against childporn.
The important thing also is that this total massive invasion of privacy won't be for all. You don't get gov transparency but the opposite. The asymmetry of information only increases that power to oppress.
Also, criminals usually have poor operational security—far from perfect. The seriousness of the offense isn't related to the quality of their opsec.
Regulators and law enforcement are generally rational. They may be short-sighted, but they often have reasonable explanations for things you might dismiss as stupid.
That sucks, CSAM sucks, emotional regulation sucks, and as a society, we don't know how to manage allowing kids online. In fact we don't even know, what we'd like. From a political/policy standpoint, that's the challenge of the next 20 years.
The sad truth is that law enforcement doesn't have the resources to go after a huge chunk of the cases - particularly before anything serious happens.
For this reason giving them even more power won't markedly increase prevention, but will introduce more cases of people abusing said power. Ultimately the government is run by people, and people are fallible:
https://abcnews.go.com/blogs/headlines/2013/09/loveint-given...
If I want to casually keep in touch with a friend, I am supposed to have the following options:
- SMS/RCS: no need for an app but is controlled
- WhatsApp: no good to many reasons
- Signal: how can you believe it is not controlled once it becomes the mandatory app in the US Gov.
- Matrix: great but you need to self host a server, create accounts, etc.
- SimpleX: very interesting, but centralised and I feel it might just be the next Signal. Might be a solution since you can exit at some point by self hosting a server and I guess have alternative implementations.
- Delta chat: great but I guess email fall into the mass surveillance target.
Now most people do not have crazy security requirements and just want to be able to send a simple text message to a friend and be notified instantly without participating in mass surveillance. So why even using a formal Chat app that will be target by a regulation like Chat Control or kicked out of the App store?
Something like Gotify [0] or ntfy [1] are almost enough for most users. It has the whole free from Google and Apple push notification system figured out. You would just need to modify a bit the app to exchange keys with a QR code for individual topics (that you would use as contact or groups).
In a way we just need MQTT servers, a client with reliable push notifications and a manual key exchange mechanism. That would be really hard for govs to target.
- [0] https://gotify.net/
- [1] https://ntfy.sh/
cryptography?
I would just find a simple SSH application and give it to all of the chat participants.
Then I would establish a 1U server that I own and control, or even a raspi in my own house, and have everyone log in to run some simple (and old) version of 'talk' - presumably one that has a "wall" feature.
Very simple and very low trust.
Further, the exploit(s) required to infiltrate this are extremely valuable and also hyper specific.
I would have to be an extremely valuable and urgent target for any actor to burn an honest-to-god OpenSSH 0day on ... or a remote root FreeBSD exploit of a system running nothing but OpenSSH.
Bonus points if no ports are open and you have to knock ... which suggests a threat model of remote root vuln on a system with no ports open.
FWIW I have no use for such an edifice.
Building on your idea, wouldn't using 'talk' over a private yggdrasil mesh (so not connected to public peers) [0] or tinc be an elegant solution ?
What I am not sure is I believe you still need to have at least 1 peer with a fixed IP address (so not a mobile phone) for a yggdrasil to work.
- [0] https://www.complete.org/easily-accessing-all-your-stuff-wit...
Go even further: Meshtastic (https://meshtastic.org/). P2P E2EE texting, primarily via LoRa mesh (a mesh of long-range low-bandwidth direct radio connections) plus MQTT backup, with surprisingly nice UX even for non-techies. You can message people directly, or create encrypted groups too.
In effect, you broadcast your message (encrypted) via LoRa (travels a couple of kilometers through apartment blocks in a big city, or up to hundreds of kilometers in open countryside with line-of-sight), and then anybody else with meshtastic rebroadcasts it, up to 3 hops by default. Works OK for local chat through normal nodes, or really well if somebody within a few kilometers has a router on a roof/big hill nearby (map of opted-into-mapping public nodes: https://meshmap.net/ - IME that's about 10% of actual nodes). Optionally uses MQTT when there's any kind of internet connection available so you can chat long-range too (there's a public MQTT server available, or you can run your own) although that's not really the main use case.
No paid intermediaries or services involved, doesn't require a cell plan or internet or anything, even if the whole world collapses, you just keep on texting (for as long as you have battery).
Requires either a tiny radio gateway (e.g. https://lilygo.cc/products/t-echo-meshtastic) that you connect through with your phone via BT, or you can get a standalone device (https://lilygo.cc/products/t-deck-plus-1) but <$100 in either case. Low-bandwidth though: only text & GPS, no pictures or audio. And obviously, this is pretty deep in the weird nerd shit so it might be a hard sell for your grandparents, and by its nature it's mostly useful for the local area chat anyway. Perfect for trips to low connectivity zones though (hiking, skiing, etc).
Now the most exiting project in that space IMHO is Reticulum because you can transparently mix transports: any radio (incl LoRa), TCP, UDP, etc. [0]
Their Sideband app [1] is not as polished as Meshtastic but you can start over the standard Internet, or I2P, yggdrasil and slowly introduce LoRa among your group of friends over time and if necessary.
Their LXMF messaging format is also interesting.
Those people are really doing a fantastic work.
- [0] https://reticulum.network/manual/interfaces.html
- [1] https://github.com/markqvist/Sideband
- [2] https://github.com/markqvist/LXMF
Isn't this a good sign? When the US Gov has enough trust to use it internally and officials are already using it for their communications, would this not mean that the service is truly encrypted.
They could have some sort of switch for it, but the frontend is open-source and that's where the encryption happens.
I think it's probably a good thing to explore a wider range of ideas, even if many of the ideas suck and end up being scrapped.
If you look at actual history of Chat Control: it always had majority support, and it was always a blocking minority that stopped it.
Dead Comment
Now, at the moment, I don't have a good english language source, but I am sure someone else could provide one?
Here is a german language one[0], from netzpolitik.org, who follow chat control for years now an have many articles going in depth about this. I am sure you could use translation software to read it until someone provides a better source. (And if you have not heard of this, you should!)
And while someone already linked to patrick breyers website[1] which has a good overview, I do so again so maybe more people will see it. This thing is not new, but it is also not easily ignored and everyone should be informed whats going on here. They will try to pass this again and again since they have done for years now and it's mostly been close calls until now.
[0] https://netzpolitik.org/2023/anlasslose-massenueberwachung-r...
[1] https://www.patrick-breyer.de/en/posts/chat-control/