I will check if there are options to reduce that.
Msft said it was a GitHub decision, they can’t interfere.
EDIT: After more digging, I found the contact, the terms of services here https://docs.github.com/en/site-policy/github-terms/github-t... are linking to this legal section here https://docs.github.com/en/site-policy/other-site-policies/g... that contains address and email for legal requests. This is incorrectly put in a page "Guidelines for Legal Requests of User Data" but it's not about data request, it's for all legal requests.
The only contact information I can find is this email for privacy requests, which should be good enough, they have to process legal requests they receive: privacy@github.com
For Microsoft there is this Page https://www.microsoft.com/en-us/legal/policies AskCELA@microsoft.com
It's not clear from your messages whether you are a subscriber or your organization is a subscriber or both or neither. This affects how to access support and escalate and what claims you may have (your company should have a contract with access to enterprise support if they are customers).
It's not reasonable for GitHub to ban you with no justification and no recourse and make you lose your job.
Get a lawyer yourself. Or get your company to escalate through their support channel or legal.
Warning: We only have one side of the story. If you were posting abusive messages to GitHub in your name and/or in the company name, on company time, the company may review the messages and may find them abusive too and may fire you.
First, we wouldn't care about what the 1st court ruled. Nobody would consider a 1st court ruling as a new status quo.
Content of the 7th November 2022 ruling: https://www.courdecassation.fr/decision/6368dc51f1ea8a7f744f...
> It says that's an iPhone 4...
> the lower court (Cour d'Appel) ruled that the passcode is not a "cryptographic convention" (which both the Algorithm and Private Key would classify as), and consequently that the person is not guilty.
> The general prosecutor, not happy with this verdict, appealed to the higher court (Cour de Cassation), arguing that the lower court violated the law by insufficiently researching IF, on the concerned iPhone 4, the passcode is a "cryptographic convention"
Because when a Cour d'Appel applies a law, in this case, without even researching if this specific law is applicable to this specific element, it can be broken by the high court.
The Cour d'Appel did not even have to be "right" or sufficiently technically competent. The Cour d'Appel only had to declare that it researched IF on this phone, the passcode was a "cryptographic convention".
If the Cour d'Appel declared such a thing, EVEN IF IT WERE BLATANTLY FALSE (I'm not arguing myself for the correctness here of this statement), then the Cour d'Appel would be deemed to have stated its sovereign judgment on this matter.
On such a task, the Cour d'Appel could not be overridden by the higher Cour de Cassation.
(the Cour de Cassation cannot re-evaluate the sovereign judgment of the Cour d'Appel).
BUT, the Cour d'Appel intended to apply the "refusing to yield the cryptographic convention == bad" law, without even researching IF beforehand this was REALLY a "cryptographic convention".
The general prosecutor leveraged this oversight by asking the Cour de Cassation to break the lower court judgment.
He won. The Cour de Cassation broke the lower court ruling, and sent them back to court again. The break ruling is:
> By affirming that the passcode is not a "cryptographic convention", WITHOUT analysing the technical characteristics of the concerned iPhone 4, yet essential to figure out a decision, the lower court insufficiently justified its decision
==== What I have to say on this matter
It's an old iPhone. I'm a bit lazy to Google what the passcode is doing on the range of iOS versions supported on such an old phone.
A 4-8 digit passcode is not enough to be secure. That's weak as hell. That's only 10^8 possibilities, and the Private Key can be brute-forced in 1 second.
Still, IF on this old iPhone the weak-as-hell passcode was the Private Key of encrypted data, then it could be deemed a "cryptographic convention", and the person could be deemed guilty.
On a RECENT iPhone, I think that this person could escape being guilty for not giving its homescreen password or code.
On RECENT iPhone, those weak (4-8 digits) passcodes are NOT part of a "convention de déchiffrement". The passcode is neither the crypto algorithm, nor the Private Key to the data.
On recent iPhone, the password is ONLY a key to a safe: the Secure Enclave (T2 chip).
The Secure Enclave, even in rescue mode, has an API, and only accepts ~10 passcode attempts. When you succeed, you are giving a means to decipher data. I don't even know if:
- the Secure Enclave yields back the Private Key
- or just provides a hardware API to further decrypt data.
What I mean is that on recent iPhone, the passcode is NOT part of the "cryptographic convention". It only unlocks a safe: the Secure Enclave.
That would be the same thing as storing the Private Key in a safe.
On iPhone 4, probably the passcode IS used as a seed to regenerate the Private Key, and as such refusing to give it to police is breaching the law.
On iPhone with Secure Enclave + T2, probably the passcode is not used as a seed, because that would be weak as hell. Refusing to give it to police is possibly not a breach of law.
The document in page 11-12 goes into what may constitute cryptographic conventions.
It considers all recent iPhone and Android phones to be. It considers all systems for unlocking a mobile phone to be, as there is no other way to access data on the phone otherwise, given normal technical knowledge and no specific software or hardware.
Rough quick translation: "Is punished by 3 years of prison and 270 000 euros fine, the action, for whoever has the knowledge of the secret means to decrypt cryptographic means likely to have been used to prepare, facilitate or carry out a crime, to refuse to submit said ways to authorities or apply them, upon official request under II and III of criminal code. If refused, and providing or applying said means would have allowed to prevent a crime or reduce harm, punishment is increased to 5 years and 450 000 euro fines".
French: "Est puni de trois ans d'emprisonnement et de 270 000 € d'amende le fait, pour quiconque ayant connaissance de la convention secrète de déchiffrement d’un moyen de cryptologie susceptible d'avoir été utilisé pour préparer, faciliter ou commettre un crime ou un délit, de refuser de remettre ladite convention aux autorités judiciaires ou de la mettre en oeuvre, sur les réquisitions de ces autorités délivrées en application des titres II et III du livre Ier du code de procédure pénale. Si le refus est opposé alors que la remise ou la mise en oeuvre de la convention aurait permis d'éviter la commission d'un crime ou d'un délit ou d'en limiter les effets, la peine est portée à cinq ans d'emprisonnement et à 450 000 € d'amende."
See judgment here and attached PDF (in French) https://www.courdecassation.fr/toutes-les-actualites/2022/11...
The case was a person who was arrested for drug possession and trafficking, they were requested to give their passcode to unlock 2 phones allegedly used for trafficking, they refused then were further charged for not giving their password.
1) 15th May 2018 - First court ruled on drug trafficking but rejected the charges for not giving the passcode to unlock the phone, considering that a screen passcode is not a cryptographic means to make the data on the phone unreadable or inaccessible.
2) 11th July 2019 - Escalated to the court of Appeal, same result.
3) 13th October 2020 - Escalated to the cour de cassation, who ruled that the law was incorrectly applied and sent back the case to the court. The cour de cassation doesn't rule cases, it only rules on whether a specific law was correctly applied by the court. (A decision of the cour de cassation, like this one, explains how a law is meant to be interpreted and applied by the courts).
4) 20th April 2021 - The court of Appeal repeated the initial result (home screen passcode is not a cryptographic means to protect data) and dismissed the charges AGAIN.
5) Yesterday - Escalated to the cour de cassation AGAIN, who ruled that the law was incorrectly applied AGAIN, and sent back the case to the court AGAIN.
6) Future - This is pending another trial, from the court of appeal.
My understanding of the cour de cassation explanations: the home screen may or may not constitute a cryptographic means to make the data unreadable or inaccessible, that depends on the phone. The court needs to rule on whether it is for that specific phone in that specific case.
For the HN audience who is technical and some of you actually make the phones. Most modern phones including all Apple and most Android have cryptographic means to protect all the data on the phone, it's effectively not possible to access contacts, messages, photos, storage, etc without having the home screen password. (Please consider that historically, it was often possible to take out the SIM card or the storage SD card or use other tools to read the content of the phone, but not anymore)
My understanding is that the next ruling will have to consider whether these technical protections render the data inaccessible to the police. If yes and the data is deemed required for a criminal investigation, the suspect is required by law to disclose their passcode, or risk up to 3 years of prison and 270 000 euros.
https://news.ycombinator.com/item?id=38260935
I've run the same on my computer at home and I also got double digit percent difference on a 32-core AMD.