IT companies warn in open letter: EU wants to ban encryption(mailbox.org)
mailbox.org
IT companies warn in open letter: EU wants to ban encryption
https://mailbox.org/en/post/it-companies-warn-eu-plans-to-ban-encryption
229 comments
"Banning encryption" is such a dumb premise. If I lived in some future, hellish Europe, I'd simply mail USB drives with GPG keys on them to the people I love. Costs $15 if you buy the drives in bulk. After that, chat away using PGP encrypted messages. Good luck, EU.
the problem is not that you won't be able to use encryption (software), it's that if the police suspect you of anything and you have encrypted data that you're not willing to unlock you'll be punished by full extend of the law.
But I think that could lead to better encryption software with plausible deniability like Veracrypt has
But I think that could lead to better encryption software with plausible deniability like Veracrypt has
It's not that. You can already be charged with obstruction of justice in many countries if you refuse to provide keys for encrypted drives. This is about prohibiting encrypted messaging in the first place. WhatsApp et al will be denied market access, app/play store entries for all encrypted chat apps will be removed or have versions shipped without encryption etc.
The average HNer won't be that affected but the general public will. Access to encryption will be greatly reduced and most people won't even care or notice.
The average HNer won't be that affected but the general public will. Access to encryption will be greatly reduced and most people won't even care or notice.
It seems more than a few countries already treat refusing to reveal your password or keys as contempt of the court or a breach in its own right:
https://en.wikipedia.org/wiki/Key_disclosure_law
https://en.wikipedia.org/wiki/Key_disclosure_law
> it's that if the police suspect you of anything and you have encrypted data
So, back to steganography, then?
So, back to steganography, then?
One time pads are pretty great. Unbreakable with brute force attacks, indistinguishable from random numbers so you have plausible deniability about whether you're actually storing encrypted data.
Are they unbreakable by the technique actually used by the average EU country though ?
https://en.wikipedia.org/wiki/Key_disclosure_law
Generally it goes like this
1) you get a notice either from a judge or the police to provide unspecified assistance with an investigation (you are not told even 5 minutes in advance WHAT assistance, and there is a default gag order: if you inform a customer or ... that you handed over their info, you go to jail)
2) if you refuse to do something they charge you with a crime, not providing encryption keys is such a crime
3) look like EU "average" sentence is 2 to 5 years prison, plus 50k euros
One time pads are obviously encrypted, meaning if you see one you know they're a key to something, so if you refuse to decrypt what is encrypted with them (or can't, let's not pretend these people know or care about what is and isn't possible beyond obvious cases like whatsapp), and a police officer cares, you may very well have a choice: decode or face 2 years prison. JUST for not giving a police officer full access, for example, to your phone, nothing else.
https://en.wikipedia.org/wiki/Key_disclosure_law
Generally it goes like this
1) you get a notice either from a judge or the police to provide unspecified assistance with an investigation (you are not told even 5 minutes in advance WHAT assistance, and there is a default gag order: if you inform a customer or ... that you handed over their info, you go to jail)
2) if you refuse to do something they charge you with a crime, not providing encryption keys is such a crime
3) look like EU "average" sentence is 2 to 5 years prison, plus 50k euros
One time pads are obviously encrypted, meaning if you see one you know they're a key to something, so if you refuse to decrypt what is encrypted with them (or can't, let's not pretend these people know or care about what is and isn't possible beyond obvious cases like whatsapp), and a police officer cares, you may very well have a choice: decode or face 2 years prison. JUST for not giving a police officer full access, for example, to your phone, nothing else.
> One time pads are obviously encrypted
Not obviously - you could have a 1GB blob of encrypted data, or a 1GB blob of random numbers, so there is plausible deniability.
You're right that they're vulnerable to a rubber hose attack, but it's not a slam dunk case in court.
Not obviously - you could have a 1GB blob of encrypted data, or a 1GB blob of random numbers, so there is plausible deniability.
You're right that they're vulnerable to a rubber hose attack, but it's not a slam dunk case in court.
If your threat model includes the threat of your government torturing you for information, then you don't need to worry about whether they are able to decrypt your data because they could just as easily plant some false evidence, or simply "disappear" you.
Specifically on the issue of plausible deniability, though, you probably don't want just a 1 GB blob of random-looking data, you want a file system with various levels of "secret compartments" which open up depending on which key you use to open it.
The game theory is that this prevents the attack you describe (and after which Assange named this countermeasure) because you could never prove to your torturers that you have given them the last key, and thus you would have no reason to comply.
https://en.wikipedia.org/wiki/Rubberhose_%28file_system%29
Specifically on the issue of plausible deniability, though, you probably don't want just a 1 GB blob of random-looking data, you want a file system with various levels of "secret compartments" which open up depending on which key you use to open it.
The game theory is that this prevents the attack you describe (and after which Assange named this countermeasure) because you could never prove to your torturers that you have given them the last key, and thus you would have no reason to comply.
https://en.wikipedia.org/wiki/Rubberhose_%28file_system%29
> If your threat model includes the threat of your government torturing you for information, then you don't need to worry about whether they are able to decrypt your data because they could just as easily plant some false evidence, or simply "disappear" you.
wrt a 'rubber hose attack' I'm really talking about general coercion, not actual torture. A court could jail you for contempt you until you produce the information it's demanding.
wrt a 'rubber hose attack' I'm really talking about general coercion, not actual torture. A court could jail you for contempt you until you produce the information it's demanding.
That deniability is plausible to no one but cryptographers. People don't generally keep gigabytes of random data on their hard drives for their entertainment. Of course the assumption will be that it's encrypted data, because the probability of it being anything else is vanishingly low.
>But I think that could lead to better encryption software with plausible deniability like Veracrypt has
That works for encrypted drives and whatnot but it doesn't look especially applicable for any real-time communication.
That works for encrypted drives and whatnot but it doesn't look especially applicable for any real-time communication.
Except it is. IS used facebook for a lot of their communication. Imagine a code like:
"Ten camels drink from the water at $some oasis".
Meaning:
"Attack $city at 10 AM tomorrow"
Or
"Meet at $place at 10 tomorrow".
This has been documented extensively. All was perfectly legible by whoever can read conversations on facebook, but the meaning is lost.
"Ten camels drink from the water at $some oasis".
Meaning:
"Attack $city at 10 AM tomorrow"
Or
"Meet at $place at 10 tomorrow".
This has been documented extensively. All was perfectly legible by whoever can read conversations on facebook, but the meaning is lost.
Okay, yes sure but it does seem limiting.
Just use an email server outside the EU that will not respond to EU warrants. Almost all email transfers are protected by TLS these days. So the authorities won't know you are using encryption in the first place. If they suspect you of something they would have to come to you to get your IMAP password to check if your email is encrypted.
PGP is, as before, a technical counterargument to this sort of oppression. Perhaps the powers that be need to be again reminded of its existence. After all, the proposal is to backdoor all encryption software. That is simply impossible.
PGP is, as before, a technical counterargument to this sort of oppression. Perhaps the powers that be need to be again reminded of its existence. After all, the proposal is to backdoor all encryption software. That is simply impossible.
This already is a law in the UK. It is 5 years for not disclosing password.
The Regulation of Investigatory Powers Act 2000 - https://www.legislation.gov.uk/ukpga/2000/23/contents
It's a bit of a beast.
It's a bit of a beast.
dang so that means 5 years for forgetting your password too
Cut to LE carrying around encrypted thumb drives to plant as evidence.
Doesn’t even need to be encrypted; It could just be random data. Sufficient encryption is indistinguishable from random noise.
Damn thank god for the 1st amendment.
wow that is scary.
"Politics doesn't affect me" is unfortunately not true these days.
Where “these days” is “the last two decades”, as far as RIPA goes.
If they make it illegal they can just kick down your front door, arrest you and take your computer and your encryption keys.
First off PGP is not a great security tool, second of all the EU can just stop the GPG encrypted messages at the service provider level.
The ultimate solution against government stupidity like this is a full mesh based “internet” that is based on connections between homes without using an ISP. It is not going to happen for obvious reasons (90% of population is non-technical for starting).
The ultimate solution against government stupidity like this is a full mesh based “internet” that is based on connections between homes without using an ISP. It is not going to happen for obvious reasons (90% of population is non-technical for starting).
> The ultimate solution against government stupidity like this is a full mesh based “internet” that is based on connections between homes without using an ISP.
Completely agree. Communications infrastructure has always been centralized. Service providers are easy targets for governments. We'll never be free from their tyranny until we have completely decentralized networks.
Completely agree. Communications infrastructure has always been centralized. Service providers are easy targets for governments. We'll never be free from their tyranny until we have completely decentralized networks.
> service provider level
I think the parent comment was going to mail such drives, and good luck getting the EU to agree on blocking anything on their independent providers level.
I think the parent comment was going to mail such drives, and good luck getting the EU to agree on blocking anything on their independent providers level.
They've been pretty good at banning things at the provider level. Sites in the UK seemingly get banned by everyone as soon as the government requests it. Similar in Germany, and they go out of their way to analyze most or enough torrent data going through I believe all ISPs to detect what you pirate. Doing the same for detecting encryption doesn't seem farfetched.
> Sites in the UK seemingly get banned by everyone as soon as the government requests it
I live in the UK this is not correct, these are voluntary agreements by ISP's and you can opt out of the default filtering.
I think the only time something has been blocked here it was due to a Court Order: https://www.virginmedia.com/help/list-of-court-orders
I live in the UK this is not correct, these are voluntary agreements by ISP's and you can opt out of the default filtering.
I think the only time something has been blocked here it was due to a Court Order: https://www.virginmedia.com/help/list-of-court-orders
I mean that's still a fair amount of sites. I recognize and have used plenty of those.
Great is subjective but GPG is pretty good and could be argued as great. It was based on “Pretty Good Protection.”
EU can’t stop GPG encrypted messages at the service provider level because the content looks like any other base64 traffic or can easily be made like that.
EU can’t stop GPG encrypted messages at the service provider level because the content looks like any other base64 traffic or can easily be made like that.
Well, depends how it's sent. The header information in an encrypted message is unencrypted. Using an MUA, the body of the message will be sent as an inline attachment. The contend definition of the boundary for the attachment is Content-Type: application/pgp-encrypted, which is trivial to detect. A encrypted attachment that uses a generic application/binary or text/plain starts with -----BEGIN PGP MESSAGE----- or 2d 2d 2d 2d 2d 42 45 47 49 4e 20 50 47 50 20 4d 45 53 53 41 47 45 2d 2d 2d 2d 2d, which again is trivial to detect.
Edit: I'm not suggesting PGP itself is bad because of this. There are many other reasons why you should consider other methods of sending messages securely that aren't email or PGP.
Edit: I'm not suggesting PGP itself is bad because of this. There are many other reasons why you should consider other methods of sending messages securely that aren't email or PGP.
What I meant is it’s trivial to change the content type and to change the attachment format so it doesn’t match specific GPG formats.
The content type is done now for convenience, but there’s nothing stopping me from using GPG to generate a message and send it with the content type of a text file or zip or whatnot.
Of course there are other methods, but GPG is free, stable and works as expected.
The content type is done now for convenience, but there’s nothing stopping me from using GPG to generate a message and send it with the content type of a text file or zip or whatnot.
Of course there are other methods, but GPG is free, stable and works as expected.
Email on the wire is mostly all TLS encrypted these days. Generally offline encryption like PGP encrypted email is moe secure than, say, instant messaging:
* https://articles.59.ca/doku.php?id=em:emailvsim
* https://articles.59.ca/doku.php?id=em:emailvsim
A classic: https://xkcd.com/538
Replace the drugs with a warrant and the wrench with the threat of criminal punishment and expense of lawyer and court fees.
Replace the drugs with a warrant and the wrench with the threat of criminal punishment and expense of lawyer and court fees.
[deleted]
This kind of response saddens me every time I get it.
Every time governments start scaring people about pedo-terrorists behind every corner and start demanding censorship/mass surveillance/back doors, the standard response from fellow people in tech fields seems to be "this doesn't concern me, I will just do $CIRCUMVENTION".
It utterly misses the point. The issue here isn't a technical one. If a law is proposed that you can see as morally, ethically flawed and outright dangerous to society, the response definitely shouldn't be to laugh it off and pretend it doesn't concern you.
Every time governments start scaring people about pedo-terrorists behind every corner and start demanding censorship/mass surveillance/back doors, the standard response from fellow people in tech fields seems to be "this doesn't concern me, I will just do $CIRCUMVENTION".
It utterly misses the point. The issue here isn't a technical one. If a law is proposed that you can see as morally, ethically flawed and outright dangerous to society, the response definitely shouldn't be to laugh it off and pretend it doesn't concern you.
>If a law is proposed that you can see as morally, ethically flawed and outright dangerous to society, the response definitely shouldn't be to laugh it off and pretend it doesn't concern you.
Especially when we are the experts who are best equipped to argue against it.
Especially when we are the experts who are best equipped to argue against it.
It's ironic how the very expertise that makes us technologists able to solve these problem for laypeople, can blind us to the issues that come with having this technical world-view. We shouldn't expect computing to be at the top of people's minds, because they often, rightly, have more dear things to worry about.
What are they going to do anyways? Jail everyone? Ban the browser? Encryption can be developed on top of any communication protocol anyways.
What are they gonna do, round up ALL the Jews. C'mon it's 1932, nothing like that could happen in less than 10 years!
Require backdoors in apps available in the Apple and Google App stores. That will steer loads of people away from using e2ee encryption.
That future is not going to happen. Read the underlying documents and this lobby article just misrepresents what is in the actual legal/policy documents
Feather-net for the win, no need for mail company. Just buy some pigeons...and train them:
https://spectrum.ieee.org/tech-talk/computing/networks/pigeo...
https://spectrum.ieee.org/tech-talk/computing/networks/pigeo...
Using PGP is illegal now. Checkmate.
If you are an EU resident, you can lookup representatives of your country at "Members of the European Parliament[1]".
Send them an email, give them your thoughts, or just bookmark their MEP profile, for now, if it seems too daunting.
This advice applies to both anti and pro-encryption voices (and unrelated political topics even).
Also,
If the topic applies to your industry and profession (probably a few here on HN) - maybe you have the insights, resources or industry reputation required to find solutions to the stated dilemma of
(i)security/privacy
vs
(ii)child safety/law enforcement e.g. [2].
[1] https://www.europarl.europa.eu/meps/en/home
[2] https://www.interpol.int/Crimes/Crimes-against-children
Send them an email, give them your thoughts, or just bookmark their MEP profile, for now, if it seems too daunting.
This advice applies to both anti and pro-encryption voices (and unrelated political topics even).
Also,
If the topic applies to your industry and profession (probably a few here on HN) - maybe you have the insights, resources or industry reputation required to find solutions to the stated dilemma of
(i)security/privacy
vs
(ii)child safety/law enforcement e.g. [2].
[1] https://www.europarl.europa.eu/meps/en/home
[2] https://www.interpol.int/Crimes/Crimes-against-children
Remember: every time a government cites child pornography or terrorism as the reason ban cryptography or otherwise limit human rights, they are just using an excuse.
CameronNemo(3)
Why do you say that? Do you really think that noone can have a genuine interest in combating child pornography or terrorism?
My intuition is exactly the opposite: That many have a legitimate wish to combat both child porn and terrorism. Many people work with that every day and obviously they want to do a good job. And one effect of limiting crypto would help that. (That doesn't mean in itself crypto should be limited; but I don't see how writing one side off as "just an excuse" and basically offering a conspiracy theory helps anyone. Better to just say "it's unfortunate about child porn and terrorism, but it's the price that must be paid / here's another way to combat that", if that is what you mean.)
My intuition is exactly the opposite: That many have a legitimate wish to combat both child porn and terrorism. Many people work with that every day and obviously they want to do a good job. And one effect of limiting crypto would help that. (That doesn't mean in itself crypto should be limited; but I don't see how writing one side off as "just an excuse" and basically offering a conspiracy theory helps anyone. Better to just say "it's unfortunate about child porn and terrorism, but it's the price that must be paid / here's another way to combat that", if that is what you mean.)
If they have a genuine interest in combating child pornography or terror, they would be proposing things that actually make a difference to those problems.
Encryption is such a small part of those crimes that it would make almost no difference to the level of crime whether it exists or not.
Encryption is such a small part of those crimes that it would make almost no difference to the level of crime whether it exists or not.
According to another poster, there were in fact here other proposals and crypto was a small part of it. And that small part was, quoting the text:
> One of the specific initiatives under the EU Internet Forum in 2020 is the creation of a technical expert process to map and assess possible solutions which could allow companies to detect and report child sexual abuse in end-to-end encrypted electronic communications, in full respect of fundamental rights and without creating new vulnerabilities criminals could exploit. Technical experts from academia, industry, public authorities and civil society organisations will examine possible solutions focused on the device, the server and the encryption protocol that could ensure the privacy and security of electronic communications and the protection of children from sexual abuse and sexual exploitation.
So -- you may say that you know that this project is hopeless and a foregone conclusion. But will every politician trust that -- or will they make a panel of experts to explore solutions and tell them for sure that you can't meaningfully limit encryption in the first place, and even if you did you can't do it without violating privacy, as is presumed here?
Don't attribute to malice what can be attributed to technical ignorance.
> One of the specific initiatives under the EU Internet Forum in 2020 is the creation of a technical expert process to map and assess possible solutions which could allow companies to detect and report child sexual abuse in end-to-end encrypted electronic communications, in full respect of fundamental rights and without creating new vulnerabilities criminals could exploit. Technical experts from academia, industry, public authorities and civil society organisations will examine possible solutions focused on the device, the server and the encryption protocol that could ensure the privacy and security of electronic communications and the protection of children from sexual abuse and sexual exploitation.
So -- you may say that you know that this project is hopeless and a foregone conclusion. But will every politician trust that -- or will they make a panel of experts to explore solutions and tell them for sure that you can't meaningfully limit encryption in the first place, and even if you did you can't do it without violating privacy, as is presumed here?
Don't attribute to malice what can be attributed to technical ignorance.
I agree with him because of what has already happened in Australia when it comes to metadata collection.
It was touted as anti terrorism and anti child pornography, 2 years after it came in the agencies that applied for (and receieved) access to people's viewing habits were released, and it was near every agency.
https://www.google.com/amp/s/amp.theguardian.com/technology/...
It was touted as anti terrorism and anti child pornography, 2 years after it came in the agencies that applied for (and receieved) access to people's viewing habits were released, and it was near every agency.
https://www.google.com/amp/s/amp.theguardian.com/technology/...
> Why do you say that?
I'm not sure politicians care about these issues at all. State surveillance will most likely be used to fight political opposition instead. Fighting child abuse and terrorism are legitimate activities but politicians use them as distractions meant to make people accept total surveillance. People believe governments have their best interests in mind when in reality governments want to protect themselves from the people.
Child abuse is the perfect political weapon. Who would dare argue against such a thing? It'd be social and political suicide. All kinds of laws are passed based on the premise that it protects the children. It implies anything is justified in the fight against child abuse. There is no stop they won't pull.
> it's unfortunate about child porn and terrorism, but it's the price that must be paid
Exactly. It's bad but that doesn't mean there are no limits to how far governments can go in their attempts to combat it. Government agents already routinely violate all kinds of human rights in their fight against terrorism.
I'm not sure politicians care about these issues at all. State surveillance will most likely be used to fight political opposition instead. Fighting child abuse and terrorism are legitimate activities but politicians use them as distractions meant to make people accept total surveillance. People believe governments have their best interests in mind when in reality governments want to protect themselves from the people.
Child abuse is the perfect political weapon. Who would dare argue against such a thing? It'd be social and political suicide. All kinds of laws are passed based on the premise that it protects the children. It implies anything is justified in the fight against child abuse. There is no stop they won't pull.
> it's unfortunate about child porn and terrorism, but it's the price that must be paid
Exactly. It's bad but that doesn't mean there are no limits to how far governments can go in their attempts to combat it. Government agents already routinely violate all kinds of human rights in their fight against terrorism.
Such a fitting username.
Please read the underlying documents and not this fearmongering. There is no such plan.
Just click the first link titled 'upcoming plans for communication surveillance' and actually read the document (or just CTRL-F 'encryption') to see how misleading this lobby letter is. It is a communication about child porn/abuse outlining measures for prevention, rehabilitation, etc. It doesn't say anything about banning encryption, just as one of many points it points out that increased encryption is making detection of child porn/abuse difficult and that government and industry should set up an expert group to discuss what can be done without breaking privacy.
So total bs article. I used to be a customer at mailbox but am right now very happy I moved away already...
Just click the first link titled 'upcoming plans for communication surveillance' and actually read the document (or just CTRL-F 'encryption') to see how misleading this lobby letter is. It is a communication about child porn/abuse outlining measures for prevention, rehabilitation, etc. It doesn't say anything about banning encryption, just as one of many points it points out that increased encryption is making detection of child porn/abuse difficult and that government and industry should set up an expert group to discuss what can be done without breaking privacy.
So total bs article. I used to be a customer at mailbox but am right now very happy I moved away already...
Yeah - this linked article is total bullshit, at best it's misleading political spin arguing in bad faith.
This is the actual proposal: https://digital-strategy.ec.europa.eu/en/library/interim-reg...
https://news.ycombinator.com/item?id=26826599
I think when we something that plays right into an existing confirmation bias it's important to be extra skeptical of its claims to offset that.
This is the actual proposal: https://digital-strategy.ec.europa.eu/en/library/interim-reg...
https://news.ycombinator.com/item?id=26826599
I think when we something that plays right into an existing confirmation bias it's important to be extra skeptical of its claims to offset that.
See also: cryptocurrencies.
[deleted]
I think there is too much focus on child molestation. When this happens it’s terrible and should of course be stopped. But I think the bigger problem, which is arguably worse because it can last so much longer, is child exploitation.
Is it easier for an exploited child to escape the exploitation in a world with encryption, or a world without encryption?
It’s not an easy question to answer.
Is it easier for an exploited child to escape the exploitation in a world with encryption, or a world without encryption?
It’s not an easy question to answer.
I'm worried that this would be used to combat things other than child abuse. A system they're after will likely be easily extendable to detect and report anything the authorities decide is wrong.
And of course, it's almost certainly going to be an opaque blob that users can't truly understand, despite any assurances given to the contrary.
And of course, it's almost certainly going to be an opaque blob that users can't truly understand, despite any assurances given to the contrary.
>In the fight against child pornography
Can't we simply ban cameras?
Can't we simply ban cameras?
Or children if we are being really serious about the whole problem.
As crazy as that would be, it's actually a much better solution. Heck, it would even be better if they wanted to ban all images on the internet.
But of course, banning encryption isn't actually about protecting children
But of course, banning encryption isn't actually about protecting children
This always stops people in their tracks.
I’ve thought about this since last year, and I can’t understand how this proposal has been able to survive this long. First of all, the EU is very pro-business, which means it should be pro-encryption. Second, the structures of its governing bodies does not make it very prone to populism. Based on what I know from this Kurzgesagt video: https://youtu.be/h4Uu5eyN6VU
Is this all some hidden plot to turn the EU into a totalitarian state? I’m (half) joking, but I really can’t see the motivation.
Is this all some hidden plot to turn the EU into a totalitarian state? I’m (half) joking, but I really can’t see the motivation.
I've never heard anyone, ever describe the EU as pro-business.
Left-wing eurosceptics try to present the EU as being pro-business (and anti-worker), while right-wing eurosceptics believe the EU is anti-business with all its regulations affecting companies.
It's technically possible that both sides are right in their criticism, but the fact that neither side seems to acknowledge the other suggests that both aren't seeing the full picture.
It's technically possible that both sides are right in their criticism, but the fact that neither side seems to acknowledge the other suggests that both aren't seeing the full picture.
I recommend to read the actual proposal rather than this fearmongering.
I don't understand how it's in any way feasible. Do none of these people own laptops with sensitive business or political information? How do they think they're going to protect any of it without strong encryption? Or all the sensitive data on their phones or other mobile devices? How do you secure anything ever against espionage without strong encryption? Have these people not put any thought into this?
AFAICS no one is trying to literally ban encryption, the headline seems very exaggerated to me.
Looking at some of the EU documents linked, I don't see any real intention to ban E2E encrypted communications - at most the documents are saying that child abusers using E2EE is a problem, or explaining various technical possibilities to try to catch them (with or without breaking E2EE).
I'll be concerned when there is an actual proposal mandating backdoors or banning encryption.
Looking at some of the EU documents linked, I don't see any real intention to ban E2E encrypted communications - at most the documents are saying that child abusers using E2EE is a problem, or explaining various technical possibilities to try to catch them (with or without breaking E2EE).
I'll be concerned when there is an actual proposal mandating backdoors or banning encryption.
They don't think the rules will apply to them.
I imagine exceptions will be built into the laws exempting certain government agencies and businesses or types of business.
Every time Russian government introduced new measures to restrict freedom of internet users, they have launched a campaign explaining that it is necessary to protect the children!!!
Don't you want to protect the children, you monsters??!!!
Don't you want to protect the children, you monsters??!!!
I know we don't like when people cite child pornography as a reason, but child pornography is a real issue. It is spread via any and every kind of social media. Kids are groomed into sending their photos online. Enforcing encryption will make it harder to detect these kinds of distribution.
What is the answer?
What is the answer?
Better programs for kids to learn what grooming is. Better training for teachers and other people who work with kids a lot to see the signs of abuse. Better enforcement of child pornography laws. More money for investigating child pornography and trafficking.
But not banning encryption. Encryption is a tiny piece of the child pornography puzzle and will have little effect whether it exists or not.
But not banning encryption. Encryption is a tiny piece of the child pornography puzzle and will have little effect whether it exists or not.
Dont let your kid videochat on the internet? Maybe?
Smarter kids to prevent grooming and sending pics (btw, in most states this turns kids into child porn producers a more serious crime than child porn viewer).
To stop the adults abusing kids it’s hard like any other crime.
To stop the adults abusing kids it’s hard like any other crime.
>in most states this turns kids into child porn producers a more serious crime than child porn viewer
This is even worse than the OP
This is even worse than the OP
Sadly when end to end encryption gets blocked the highest number of convictions will probably be 12 year olds, since they are probably less likely to be able to get around controls.
Once all the kids are safely in jail, can we have our private conversations back?
> Under the EU Internet Forum, the Commission has launched an expert process with industry to map and preliminarily assess, by the end of 2020, possible technical solutions to detect and report child sexual abuse in end-to-end encrypted electronic communications, and to address regulatory and operational challenges and opportunities in the fight against these crimes.
It is a spectacular overreaction to equate this to "EU wants to ban encryption". This will never happen.
It is a spectacular overreaction to equate this to "EU wants to ban encryption". This will never happen.
If you search for the word “encrypt” in this document, you’ll see that they are against Facebook end-to-end encrypting messenger: https://ec.europa.eu/home-affairs/sites/default/files/what-w...
I don’t think this is an overreaction.
I don’t think this is an overreaction.
They are not against it, they say it makes precenting child porn dissemination more difficult, which seems like a rather obvious truth. They say Industry and government need to work together SNF try and see what can be done about it without breaking privacy.
So total opposite of how you read it.
So total opposite of how you read it.
what can be done about it without breaking privacy
Well, the answer is: nothing. Let's take an analogy:
> Industry and government need to work together to try and see what can be done about me talking to my wife without breaking privacy.
If I want to speak to my wife in private, that's between me and my wife only. If industry and/or government want to have a say in that, they're going to need to control or monitor anything I say to my wife. The very act of desiring to control requires subverting privacy.
Of course, there are fruitful discussions to be had about the extent of privacy itself, the extent of private communication, and the extent of control that might be admissible. But to pretend that there is a perfect solution that doesn't affect privacy is either a foolish or deliberately malicious position to take.
Well, the answer is: nothing. Let's take an analogy:
> Industry and government need to work together to try and see what can be done about me talking to my wife without breaking privacy.
If I want to speak to my wife in private, that's between me and my wife only. If industry and/or government want to have a say in that, they're going to need to control or monitor anything I say to my wife. The very act of desiring to control requires subverting privacy.
Of course, there are fruitful discussions to be had about the extent of privacy itself, the extent of private communication, and the extent of control that might be admissible. But to pretend that there is a perfect solution that doesn't affect privacy is either a foolish or deliberately malicious position to take.
"The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia" - Australian ex-Prime Minister Malcolm Turnbull (while he was Prime Minister).
While the EU is at it, they should do one for free energy.
Get just the right panel of experts together, and hopefully they can handwave all those troublesome laws of physics away as well.
While the EU is at it, they should do one for free energy.
Get just the right panel of experts together, and hopefully they can handwave all those troublesome laws of physics away as well.
[deleted]
The bit about Facebook's planned end-to-end encryption ends with:
> One of the specific initiatives under the EU Internet Forum in 2020 is the creation of a technical expert process to map and assess possible solutions which could allow companies to detect and report child sexual abuse in end-to-end encrypted electronic communications, in full respect of fundamental rights and without creating new vulnerabilities criminals could exploit. Technical experts from academia, industry, public authorities and civil society organisations will examine possible solutions focused on the device, the server and the encryption protocol that could ensure the privacy and security of electronic communications and the protection of children from sexual abuse and sexual exploitation.
I read this as "Okay, fine, we can't ban end-to-end encryption and we cannot backdoor it. What can we do?" If that is what they mean, it seems a reasonable enough question to ask.
> One of the specific initiatives under the EU Internet Forum in 2020 is the creation of a technical expert process to map and assess possible solutions which could allow companies to detect and report child sexual abuse in end-to-end encrypted electronic communications, in full respect of fundamental rights and without creating new vulnerabilities criminals could exploit. Technical experts from academia, industry, public authorities and civil society organisations will examine possible solutions focused on the device, the server and the encryption protocol that could ensure the privacy and security of electronic communications and the protection of children from sexual abuse and sexual exploitation.
I read this as "Okay, fine, we can't ban end-to-end encryption and we cannot backdoor it. What can we do?" If that is what they mean, it seems a reasonable enough question to ask.
> possible solutions focused on the device, the server and the encryption protocol
Looks like they're going to find ways to read our messages before they are encrypted and sent. Why would anyone continue to use a communications application that's known to do this?
Looks like they're going to find ways to read our messages before they are encrypted and sent. Why would anyone continue to use a communications application that's known to do this?
> Why would anyone continue to use a communications application that's known to do this?
Network effect. Most people are not using Whatsapp because it is E2EE, they are using it because all their friends are.
Network effect. Most people are not using Whatsapp because it is E2EE, they are using it because all their friends are.
What if hashes of known-bad content are stored locally on the device, and sending content that matches against those hashes is not allowed. Or, the user could appeal if they think there's a false positive. This can be used for CP but also for known-bad fake news or inflammatory content. Clearly, the content hash DB needs to be scope down, and what goes in there should be chosen with democratic principles, and stand scrutiny in the courts. If done thoughtfully, it seems like a feasible solution.
Changing a hash is incredibly easy, you could just change some Metadata and the hash would change. And any perceptual hashing algorithms would naturally lead to false positives.
Also this would likely be quickly commandeered for copyrighted work (honestly pretty surprised it hasn't happened already).
Also this would likely be quickly commandeered for copyrighted work (honestly pretty surprised it hasn't happened already).
This is already done extensively: https://en.wikipedia.org/wiki/PhotoDNA and https://blog.cloudflare.com/the-csam-scanning-tool/
Yes, it would have to be a perceptual hash. False positives will occur, so there needs to be a way to appeal or remediate the algorithmic decision. We already apply this approach in a bunch of places. I believe the major personal cloud storage providers (OneDrive, etc) already do such scanning.
>This can be used for CP but also for known-bad fake news or inflammatory content.
It worries me that anyone thinks it would be a good idea to have "fake news" and "inflammatory content" blocked at the device level. Obviously cloud providers can do whatever they want (though I doubt it catches any more than the lowest hanging fruit, encrypting then uploading would be uncatchable), but the idea that my device will have a list of disapproved content, and I'll have to appeal to the government to be allowed to view it in case of false positives? The day that becomes a reality freedom will truly be dead.
It worries me that anyone thinks it would be a good idea to have "fake news" and "inflammatory content" blocked at the device level. Obviously cloud providers can do whatever they want (though I doubt it catches any more than the lowest hanging fruit, encrypting then uploading would be uncatchable), but the idea that my device will have a list of disapproved content, and I'll have to appeal to the government to be allowed to view it in case of false positives? The day that becomes a reality freedom will truly be dead.
I didn't say it would be at the system level. I'd expect this to happen per app. It's similar to how photo manipulation software can detect currency. I doubt every such app complies, and certainly the system screenshot tool does not.
> Why would anyone continue to use a communications application that's known to do this?
Are you kidding? Almost nobody will care about that. This isn't even a new threat. It's common practice already.
Are you kidding? Almost nobody will care about that. This isn't even a new threat. It's common practice already.
My guess: Client-side scan for certain keywords to identify grooming and some kind of signature-based identification of known child-porn media. Basically what I assume Messenger does today, but on the local devices instead.
The general public won't care until we're halfway down a slippery slope, and then people will just switch to whatever platform is perceived as more secure/popular at that particular moment in time.
The general public won't care until we're halfway down a slippery slope, and then people will just switch to whatever platform is perceived as more secure/popular at that particular moment in time.
Where do they say they are against it? Can you quote precisely what you are referring to?
They seem to just explain the problem it causes and calls for finding new approaches since current ones are made ineffective.
They seem to just explain the problem it causes and calls for finding new approaches since current ones are made ineffective.
That is not my read at all:
> Last year, Facebook announced plans to implement end-to-end encryption by default in its instant messaging service. In the absence of accompanying measures, it is estimated that this could reduce the number of total reports of child sexual abuse in the EU (and globally) by more than half and as much as two-thirds, since the detection tools as currently used do not work on end-to-end encrypted communications.
Seems more like stating a fact.
> Last year, Facebook announced plans to implement end-to-end encryption by default in its instant messaging service. In the absence of accompanying measures, it is estimated that this could reduce the number of total reports of child sexual abuse in the EU (and globally) by more than half and as much as two-thirds, since the detection tools as currently used do not work on end-to-end encrypted communications.
Seems more like stating a fact.
That's not even the proposal they're talking about, this is: https://digital-strategy.ec.europa.eu/en/library/interim-reg...
Also as the other comments said, even in the one you link they're discussing the true issues that exist and what to do in that context.
Also as the other comments said, even in the one you link they're discussing the true issues that exist and what to do in that context.
End to end in chat?
They blacklist articles in chat already.
So there is some level of man in the middle already.
So there is some level of man in the middle already.
Do you imagine that this "expert process" will come up with a way to preserve message privacy while also flagging which messages are illegal? What else could the purpose of it be than to recommend requiring providers to MITM their customers' messages?
(Although I agree that the title should be changed to "ban end-to-end encryption"; certainly the suggestion that the EU would try to ban encryption generally is an exaggeration)
(Although I agree that the title should be changed to "ban end-to-end encryption"; certainly the suggestion that the EU would try to ban encryption generally is an exaggeration)
I can think of a very obvious one, identify and refuse to send messages that the client app decides are child porn. No intrusion.
Or perhaps add a counter to the account when it's detected. Minimal intrusion, single flag defining the message.
You don't need to mitm things to implement _some_ mitigations.
Before the inevitable - a method that is not 100% reliable in stopping something is not useless. Otherwise we may as well make it as easy as possible to share child porn because it wouldn't make a difference.
Or perhaps add a counter to the account when it's detected. Minimal intrusion, single flag defining the message.
You don't need to mitm things to implement _some_ mitigations.
Before the inevitable - a method that is not 100% reliable in stopping something is not useless. Otherwise we may as well make it as easy as possible to share child porn because it wouldn't make a difference.
Perhaps the app itself can use ml to detect flag and prevent known images from being sent...
"Why is Whatsapp using up my phone's battery?"
I'm opposed to this on other grounds, but computing and checking a single hash for each image wouldn't be that big a burden.
Agreed. You mentioned ML though, and that's a different matter.
Checking hashes is definitely viable, but only works for known good examples.
Checking hashes is definitely viable, but only works for known good examples.
FB also already proposed one where users can report encrypted messages and send an unencrypted log to them from their client device.
Since most existing child abuse imagery is reported by users that see it somehow - this seems like a reasonably pro-privacy way to keep the same amount of reporting.
Since most existing child abuse imagery is reported by users that see it somehow - this seems like a reasonably pro-privacy way to keep the same amount of reporting.
Banning encryption, completely neutralizing and circumventing the encryption... The effect is the same: the government will be able to read the messages.
Lets ban children
Why this old news-not-news reappear every few months?
> Is Europe about to ban E2E Encryption?
> No.
https://www.google.com/amp/s/techcrunch.com/2020/11/09/whats...
> Is Europe about to ban E2E Encryption?
> No.
https://www.google.com/amp/s/techcrunch.com/2020/11/09/whats...
C'mon... as if banning cryptographic messagery services would end criminals from encrypting their messages and sending the payload in plain text like they were doing since internet's inception
Ban HTTPS, just must be joking. Or ban books or our minds from reimplementing it?
Descentralization must happen before this
> But in the fight against child pornography, domestic politicians and legislators have identified [end-to-end encryption] as the core problem and would prefer to ban it.
There's no logic to this. These people already access banned child pornography. They aren't going to hesitate to use encryption to do so, banned or not.
The encryption tech already exists and is widely and freely available and a ban doesn't change that. A ban could keep good encryption out of popular, high-profile platforms. But these people are already seeking out the dirty, dark corners of the web, and I'm sure will have less trouble adjusting to this than almost anyone else. My random guess is they will be communicating and sharing images via encrypted blockchains that are ostensibly (or even mainly) for something else, or some such.
There's no logic to this. These people already access banned child pornography. They aren't going to hesitate to use encryption to do so, banned or not.
The encryption tech already exists and is widely and freely available and a ban doesn't change that. A ban could keep good encryption out of popular, high-profile platforms. But these people are already seeking out the dirty, dark corners of the web, and I'm sure will have less trouble adjusting to this than almost anyone else. My random guess is they will be communicating and sharing images via encrypted blockchains that are ostensibly (or even mainly) for something else, or some such.
I view it differently in that even if breaking encryption allows for the arrest and wiping out of all child pornography, the damage to the non-porners is too great to warrant.
Similar to how a jury trial requires unanimous agreement among 12. This leads to some true criminals not being convicted, but it provides the benefit of many more innocents not being wrongfully convicted.
I think the “criminals will break the law anyway” is a dead end as it bypasses the moral decision that society needs to make of whether privacy is worth some tiny percent of evil doing.
One day we’ll have the ability to have mental implants that block bad things. Similarly, we’ll need to decide whether that is worth implementing if it means bad trade offs. The argument isn’t that criminals will skip the implants, I think the important argument is whether putting implants in all the non-criminals is worth the effort.
Similar to how a jury trial requires unanimous agreement among 12. This leads to some true criminals not being convicted, but it provides the benefit of many more innocents not being wrongfully convicted.
I think the “criminals will break the law anyway” is a dead end as it bypasses the moral decision that society needs to make of whether privacy is worth some tiny percent of evil doing.
One day we’ll have the ability to have mental implants that block bad things. Similarly, we’ll need to decide whether that is worth implementing if it means bad trade offs. The argument isn’t that criminals will skip the implants, I think the important argument is whether putting implants in all the non-criminals is worth the effort.
There's no logic in it as the article misstates the acural legislation and intention. Read the linked documents and its pretty obvious (I left a longer comment below).
From your linked document:
> The Commission announced that it will propose the necessary legislation to tackle child sexual abuse online effectively including by requiring relevant online services providers to detect known child sexual abuse material and oblige them to report that material to public authorities by the second quarter of 2021. The announced legislation will be intended to replace this Regulation, by putting in place mandatory measures to detect and report child sexual abuse, in order to bring more clarity and certainty to the work of both law enforcement and relevant actors in the private sector to tackle online abuse, while ensuring respect of the fundamental rights of the users, including in particular the right to freedom of expression and opinion, protection of personal data and privacy, and providing for mechanisms to ensure accountability and transparency.
If the measures to detect certain kinds of content are "required" and "mandatory", that rules out end-to-end encryption.
Sure, they promise to use their powers to snoop only for good. Perhaps this commission means it, too. Just not sure why it would only be used for good, though.
I see multiple posts in this thread that seem to have the same generous reading of this that you have. But I don't see where that is coming from. They seem to be clearly calling for regulations that will not for allow end-to-end encryption.
> The Commission announced that it will propose the necessary legislation to tackle child sexual abuse online effectively including by requiring relevant online services providers to detect known child sexual abuse material and oblige them to report that material to public authorities by the second quarter of 2021. The announced legislation will be intended to replace this Regulation, by putting in place mandatory measures to detect and report child sexual abuse, in order to bring more clarity and certainty to the work of both law enforcement and relevant actors in the private sector to tackle online abuse, while ensuring respect of the fundamental rights of the users, including in particular the right to freedom of expression and opinion, protection of personal data and privacy, and providing for mechanisms to ensure accountability and transparency.
If the measures to detect certain kinds of content are "required" and "mandatory", that rules out end-to-end encryption.
Sure, they promise to use their powers to snoop only for good. Perhaps this commission means it, too. Just not sure why it would only be used for good, though.
I see multiple posts in this thread that seem to have the same generous reading of this that you have. But I don't see where that is coming from. They seem to be clearly calling for regulations that will not for allow end-to-end encryption.
Not to rehash other discussions in this comment area, but there are many ways to do more than what is currently done. As you quote they want any changes to preserve privacy which means certainly no end to E2E.
[deleted]
This violates my human right to send random garbage messgages to my friends
What on earth is it with modern governments wanting to control every aspect of citizen lives ? Why can't they just leave stuff well alone. I think first world politicians and bureaucrats (and second world too now) have far too much copious amounts of free time in the Internet era. This is always the problem with Big Govt.
A bit disappointed about the blind commenting here. I have just read the Commission Communication (pdf linked at the top of the article) and can't find anything on prohibiting encryption. They write a few times about how increasing default encryption will make law enforcement more difficult but the only action proposed on encryption is:
> One of the specific initiatives under the EU Internet Forum in 2020 is the creation of a technical expert process to map and assess possible solutions which could allow companies to detect and report child sexual abuse in end-to-end encrypted electronic communications, in full respect of fundamental rights and without creating new vulnerabilities criminals could exploit. Technical experts from academia, industry, public authorities and civil society organisations will examine possible solutions focused on the device, the server and the encryption protocol that could ensure the privacy and security of electronic communications and the protection of children from sexual abuse and sexual exploitation.
So they want to see what can be done without breaking encryption, I guess this could be e.g. hash checks or things like that.
The rest of the Communication is about prevention, victim support and rehabilitation, so really about pedophilia/child abuse, not encryption as a main issue.
There is also a 3-layer-deep link[1] to a proposed new regulation (=eu-wide law) which puts an obligation on providers to detect and report or delete child abuse materials. No mention of encryption and its just four articles if you scroll down to the end, so look for yourself if that sounds problematic. The intro page [2] says it actually just provides a legal base for providers to scan data as another regulation that already allowed this is running out. I have no specific expertise on the matter but assuming that that does not seem problematic?
The issue seems to be that police/ courts/NGOs/... basically have no chance to police as thesr networks are inaccessible and extremely complex to pursue anything. Seems obvious that the onus must be on the providers to do their duty - we all know what a cesspit the internet can be. If Telegram doesn't delete CP (or say beheading videos, calls for lynching, rape videos, ...) then who could possibly do it?
So the legislation here is intended to give providers the legal right to check content. What's the alternative? Should the internet simply be lawless?
1. https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=69213
2. https://ec.europa.eu/digital-single-market/en/news/fighting-...
> One of the specific initiatives under the EU Internet Forum in 2020 is the creation of a technical expert process to map and assess possible solutions which could allow companies to detect and report child sexual abuse in end-to-end encrypted electronic communications, in full respect of fundamental rights and without creating new vulnerabilities criminals could exploit. Technical experts from academia, industry, public authorities and civil society organisations will examine possible solutions focused on the device, the server and the encryption protocol that could ensure the privacy and security of electronic communications and the protection of children from sexual abuse and sexual exploitation.
So they want to see what can be done without breaking encryption, I guess this could be e.g. hash checks or things like that.
The rest of the Communication is about prevention, victim support and rehabilitation, so really about pedophilia/child abuse, not encryption as a main issue.
There is also a 3-layer-deep link[1] to a proposed new regulation (=eu-wide law) which puts an obligation on providers to detect and report or delete child abuse materials. No mention of encryption and its just four articles if you scroll down to the end, so look for yourself if that sounds problematic. The intro page [2] says it actually just provides a legal base for providers to scan data as another regulation that already allowed this is running out. I have no specific expertise on the matter but assuming that that does not seem problematic?
The issue seems to be that police/ courts/NGOs/... basically have no chance to police as thesr networks are inaccessible and extremely complex to pursue anything. Seems obvious that the onus must be on the providers to do their duty - we all know what a cesspit the internet can be. If Telegram doesn't delete CP (or say beheading videos, calls for lynching, rape videos, ...) then who could possibly do it?
So the legislation here is intended to give providers the legal right to check content. What's the alternative? Should the internet simply be lawless?
1. https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=69213
2. https://ec.europa.eu/digital-single-market/en/news/fighting-...
After reading the source material, this HN post sounds like political spin bullshit that's arguing in bad faith - but it would take more time than I have right now to figure out the truth.
Edit: Here's the actual regulation in question: https://digital-strategy.ec.europa.eu/en/library/interim-reg...
I haven't read it yet - but I'd guess my comment below that I made without reading it is probably not understanding what it actually proposes.
Edit2: Skimming it - it's not even clear to me it's about encryption at all? But about allowing creating laws around getting companies to participate in blocking child abuse imagery (that many are already doing voluntarily)? Am I missing something? I don't see anything about requiring unencrypted communications of these companies. It sounds like it's even just allowing certain practices that may have already been in place prior to some other EU privacy law?
---
Child abuse imagery is a real problem and though I'm sympathetic to the difficulty fighting it, encryption ban is not the right tradeoff.
FB has actually implemented something good here, basically encrypted communication but users can report imagery (so a user can choose to send an encrypted log of a chat to FB for review).
I have a friend at whatsapp and a lot of work goes into shutting down groups sharing child abuse imagery and clever ways to detect them even though they're encrypted (sometimes you don't even need to be that clever really).
See this: https://www.nytimes.com/interactive/2019/09/28/us/child-sex-...
It's possible to see this as an enormous societal problem that deserves attention, and think that an encryption ban is still a bad idea for all the reasons technical people think it is. Like most things, the policy argument here is nuanced. Just because banning encryption is the wrong thing to do does not mean that the child abuse imagery concern is false or misplaced.
I think the argument in favor of encryption becomes stronger when conceding the severity of the child abuse imagery issue. Dismissing it out of hand is simplistic.
Edit: Here's the actual regulation in question: https://digital-strategy.ec.europa.eu/en/library/interim-reg...
I haven't read it yet - but I'd guess my comment below that I made without reading it is probably not understanding what it actually proposes.
Edit2: Skimming it - it's not even clear to me it's about encryption at all? But about allowing creating laws around getting companies to participate in blocking child abuse imagery (that many are already doing voluntarily)? Am I missing something? I don't see anything about requiring unencrypted communications of these companies. It sounds like it's even just allowing certain practices that may have already been in place prior to some other EU privacy law?
---
Child abuse imagery is a real problem and though I'm sympathetic to the difficulty fighting it, encryption ban is not the right tradeoff.
FB has actually implemented something good here, basically encrypted communication but users can report imagery (so a user can choose to send an encrypted log of a chat to FB for review).
I have a friend at whatsapp and a lot of work goes into shutting down groups sharing child abuse imagery and clever ways to detect them even though they're encrypted (sometimes you don't even need to be that clever really).
See this: https://www.nytimes.com/interactive/2019/09/28/us/child-sex-...
It's possible to see this as an enormous societal problem that deserves attention, and think that an encryption ban is still a bad idea for all the reasons technical people think it is. Like most things, the policy argument here is nuanced. Just because banning encryption is the wrong thing to do does not mean that the child abuse imagery concern is false or misplaced.
I think the argument in favor of encryption becomes stronger when conceding the severity of the child abuse imagery issue. Dismissing it out of hand is simplistic.
In times where one of the biggest messaging application providers is able to leak hundreds of millions of personal records, I'd rather don't want governments to make laws to expand that risk to all of my private conversations as well.
Please forgive me if I'm misunderstanding the scope of the proposal, but without a modifier "Ban E2E Encryption" would mean:
* Any party who is the exclusive holder of the private key of an asymmetric key (and uses it) is basically in violation of the proposed law(s)?
* So, literally, someone who uses an SSH-only server (given all data-in-transit is also encrypted) is in violation of the laws (given they aren't willing to provide the private key when asked)?
* No more end-to-end encrypted communication with your attorney or physician?
* A student project that implements a one-time-pad is illegal now too?
* What about encryption that is e2e for all intents and purposes, but is briefly decrypted, then re-encrypted on a zero-log private (proxy) server as one of its hops in the round-trip?
* Does this mean quantum encryption is completely banned now?
* By that measure, quantum internet is completely illegal, no?
* What about the fact this means governments will have to go through hoops to get a special blessing to use it--meaning they'll use it less often in practice (humans)--meaning more of their confidential data will be snooped. How about the fact that traffic that looks like e2e is probably now gov. traffic--making all of that traffic a more identifiable target?
I'm obviously preaching to the choir here...the problems abound--would love to hear more y'all hypotheticals that illustrate how garbage this is.
* Any party who is the exclusive holder of the private key of an asymmetric key (and uses it) is basically in violation of the proposed law(s)?
* So, literally, someone who uses an SSH-only server (given all data-in-transit is also encrypted) is in violation of the laws (given they aren't willing to provide the private key when asked)?
* No more end-to-end encrypted communication with your attorney or physician?
* A student project that implements a one-time-pad is illegal now too?
* What about encryption that is e2e for all intents and purposes, but is briefly decrypted, then re-encrypted on a zero-log private (proxy) server as one of its hops in the round-trip?
* Does this mean quantum encryption is completely banned now?
* By that measure, quantum internet is completely illegal, no?
* What about the fact this means governments will have to go through hoops to get a special blessing to use it--meaning they'll use it less often in practice (humans)--meaning more of their confidential data will be snooped. How about the fact that traffic that looks like e2e is probably now gov. traffic--making all of that traffic a more identifiable target?
I'm obviously preaching to the choir here...the problems abound--would love to hear more y'all hypotheticals that illustrate how garbage this is.
There is no real proposal to ban encryption - the title is hyperbole.
They are looking for possible solutions to reduce child abuse with the industry, not proposing anything.
It could still be they'll arrive at some problematic proposal later on, but from my reading of the linked documents straight-out breaking/banning E2E encryption is not really on the table.
They are looking for possible solutions to reduce child abuse with the industry, not proposing anything.
It could still be they'll arrive at some problematic proposal later on, but from my reading of the linked documents straight-out breaking/banning E2E encryption is not really on the table.
Ah, got it, thanks.
[deleted]
I have some dumb questions - how do you ban encryption? How do you ban open source tools that implement encryption? Do you fine and jail people who have the code on their devices? How do you implement the policy of banning certain types of code? How about SSH? Are corporations and banks included in the ban?
I don't think you can. Its like banning bitcoin - you can't unless you ban the internet altogether.
Western lawmakers really don't understand tech or the second order consequences of their actions. Do they think they get to keep encryption for "national security" for themselves while the citizens don't? Hello, do you realize the signal protocol is open source?
My prediction - EU and US lawmakers die of old age before writing even one definitive line of policy that would regulate encryption. Or regulation fails completely, like how the EU tried to regulate data collection via GDPR but we got annoying pop ups instead.
And btw, criminals use tor, not i-message. SMH.
I don't think you can. Its like banning bitcoin - you can't unless you ban the internet altogether.
Western lawmakers really don't understand tech or the second order consequences of their actions. Do they think they get to keep encryption for "national security" for themselves while the citizens don't? Hello, do you realize the signal protocol is open source?
My prediction - EU and US lawmakers die of old age before writing even one definitive line of policy that would regulate encryption. Or regulation fails completely, like how the EU tried to regulate data collection via GDPR but we got annoying pop ups instead.
And btw, criminals use tor, not i-message. SMH.
You don't ban the tools, but you hold up dissidents that refuse to hand over their keys in prison as contempt of court, that is what happens in the UK at the moment: https://en.wikipedia.org/wiki/Key_disclosure_law#United_King...
That is interesting, I did not know that.
Governments can ban anything through denying infrastructure. Think alcohol regulations, you can say that “are they going to ban chemistry” but as it turns out they can indeed ban chemistry. You can distill alcohol at home but if you want to do business through any infrastructure that’s possible thanks to the existence of the government(legal systems, banking etc) you will have to ask for permission despite the fact that the government doesn’t have any influence over the laws of nature.
> Western lawmakers really don't understand tech or the second order consequences of their actions
our political systems blow in terms of getting people that know this stuff to legislate on it. Closest we've had to the US throne was Yang (?) and I've heard him talk and I don't think he's fam.
our political systems blow in terms of getting people that know this stuff to legislate on it. Closest we've had to the US throne was Yang (?) and I've heard him talk and I don't think he's fam.
Taken to an extreme, banning encryption is like criminalizing math.
the main claim of the letter reads:
"the European Union plans to abolish the digital privacy of correspondence."
to which I can only say: [citation needed]
In fact, as far as I know there is only a discussion piece circulating with perhaps some debatable wording, but there is no proposed legislation whatsoever to justify this claim. (Feel free to correct me, authors of the letter or others.)
I would think that meaningful contributions to any discussion do not begin with outrageous claims.
"the European Union plans to abolish the digital privacy of correspondence."
to which I can only say: [citation needed]
In fact, as far as I know there is only a discussion piece circulating with perhaps some debatable wording, but there is no proposed legislation whatsoever to justify this claim. (Feel free to correct me, authors of the letter or others.)
I would think that meaningful contributions to any discussion do not begin with outrageous claims.
What the EU actually proposes to do is self-contradictory. It's like appointing a panel of physicists to study creation of a perpetual motion machine. If there are any actual experts appointed, they've vote to disband the panel immediately.
"""Under the EU Internet Forum, the Commission has launched an expert process with industry to map and preliminarily assess, by the end of 2020, possible technical solutions to detect and report child sexual abuse in end-to-end encrypted electronic communications, and to address regulatory and operational challenges and opportunities in the fight against these crimes."""
"""Under the EU Internet Forum, the Commission has launched an expert process with industry to map and preliminarily assess, by the end of 2020, possible technical solutions to detect and report child sexual abuse in end-to-end encrypted electronic communications, and to address regulatory and operational challenges and opportunities in the fight against these crimes."""
Can someone explain to me exactly how the EU plans to ban encryption? Like, what's the mechanism to stop an EU citizen hosting their (whatever) in a country that does support E2E? Or how, practically, you stop anyone from using X service which provides strong encryption on their computer or servers at home?
I'm naive about such matters but from where I'm standing I can't see how this is even vaguely enforceable?
I'm naive about such matters but from where I'm standing I can't see how this is even vaguely enforceable?
> Can someone explain to me exactly how the EU plans to ban encryption?
They aren't, that's the simple answer.
They aren't, that's the simple answer.
If this ever happened/happens anywhere, a great pastime would be to start sending streams of random data to people across the internet. Since random data is indistinguishable (theoretically) from encrypted data, I'm sure you'd waste a lot of the regulators' time. You'd almost force them to ban anything that _looks like_ random data, or give up on enforcing the ban on cryptography altogether.
Surely you'd need the recipient to actually save the random data (unless you think that regulators are going to be breaking every TLS connection and checking the contents of every packet).
I think people already make efforts to avoid being swamped with unwanted data, so anti-spam and anti-DDOS systems would probably block you and delete your streams without any human noticing.
I think people already make efforts to avoid being swamped with unwanted data, so anti-spam and anti-DDOS systems would probably block you and delete your streams without any human noticing.
Every time I see this I realize just how little people realize what makes the world run around them.
Do they not realize that their worlds would cease to function without encryption?
Do they not realize that their worlds would cease to function without encryption?
Good luck with that EU, it's dead on arrival.
The day a politician tells a mathematician what to think is the day a mathematician instructs a politician on how to think.
Real criminals have good opsec, it's part of the job. Non-criminals want provable privacy and security. Deluded and ignorant politicians want a PR stunt with good optics.
If I, as a relatively mathematical individual, employ mathematical methods of communication there is literally nothing any government can do about it. I can even obfuscate. Judge in court tells me what for? I tell judge in court what for. Contempt of court? Ab-so-fucking-lutely. Qualms? Zero. I've no dependants. Fallout of jailing someone for defending their privacy? All the way up to revolution. Jailing 80% of a population because they know how to use a one-time-pad, or a free, libre, and open source solution such as Matrix? Sure. Let me know how that works out.
Telephone/email/registered post your representatives today if an EU citizen. Tell them to study http://people.math.harvard.edu/~ctm/home/text/others/shannon...
Otherwise ignore this pathetic grandstanding by vacuous vainglorious amadáns.
The day a politician tells a mathematician what to think is the day a mathematician instructs a politician on how to think.
Real criminals have good opsec, it's part of the job. Non-criminals want provable privacy and security. Deluded and ignorant politicians want a PR stunt with good optics.
If I, as a relatively mathematical individual, employ mathematical methods of communication there is literally nothing any government can do about it. I can even obfuscate. Judge in court tells me what for? I tell judge in court what for. Contempt of court? Ab-so-fucking-lutely. Qualms? Zero. I've no dependants. Fallout of jailing someone for defending their privacy? All the way up to revolution. Jailing 80% of a population because they know how to use a one-time-pad, or a free, libre, and open source solution such as Matrix? Sure. Let me know how that works out.
Telephone/email/registered post your representatives today if an EU citizen. Tell them to study http://people.math.harvard.edu/~ctm/home/text/others/shannon...
Otherwise ignore this pathetic grandstanding by vacuous vainglorious amadáns.
There is a longstanding thread of political thought in the UK about banning encryption https://www.wired.co.uk/article/uk-encryption-whatsapp-amber...
They’ll find ways around these like mailing each other material.
I honestly always see these overreaches as those in power want to stay ahead of money making news/tips they can take advantage of for their portfolios. Or even better, know what their enemies are talking about in regards to them. Even if it’s voters who don’t like them.
I honestly always see these overreaches as those in power want to stay ahead of money making news/tips they can take advantage of for their portfolios. Or even better, know what their enemies are talking about in regards to them. Even if it’s voters who don’t like them.