Germany is not supporting ChatControl – blocking minority secured
digitalcourage.social1096 points by xyzal 2 days ago
1096 points by xyzal 2 days ago
Glad we could delay it for now. It will come back again and again with that high of support though. Also the German Bundestag is already discussing a compromise: https://www.bundestag.de/presse/hib/kurzmeldungen-1108356. They are only unhappy with certain points like breaking encryption. They still want to destroy privacy and cut back our rights in the name of "safety", just a little less.
I also think this is just a delay, not a final win. Also, this page hasn't been updated yet: <https://fightchatcontrol.eu/>
I recently heard a political discussion about this topic and was disappointed by the lack of technical competency among the participants. What we're talking about here is the requirement to run a non-auditable, non-transparent black box on any device to scan all communications. What could possibly go wrong with that?
What does a "final win" even look like? The powers that want this will simply propose it over and over and over until they win once, and then it's basically law forever. The "against" team needs to win every time, forever.
It's always just a delay until the next round with these guys.
Chat control has already been voted down more than once in the past.
They will keep at it until they succeed [1]. The playbook was copied from the tobacco & oil industry and perfected by hollywood.
1: https://en.wikipedia.org/wiki/Regulation_to_Prevent_and_Comb...
> keep at it until they succeed
Is there any EU process to codify principles (e.g. Human Digital Rights) that need to be upheld in future attempts?
The EU article #8 of human rights [1] is deliberately loosely defined, both sounding nice at the first glance, while allowing for Chat Control style surveillance.
Article 8 – Right to respect for private and family life
1. Everyone has the right to respect for his
private and family life, his home and his
correspondence.
2. There shall be no interference by a public
authority with the exercise of this right except
such as is in accordance with the law and is
necessary in a democratic society in the interests
of national security, public safety or the economic
well-being of the country, for the prevention of
disorder or crime, for the protection of health or
morals, or for the protection of the rights and
freedoms of others.
> requirement to run a non-auditable, non-transparent black box on any device to scan all communications
I wasn't exactly thrilled at the prospect of some kind of encryption backdoor, but hearing it put like this genuinely horrifies me. Like a vulnerable keylogger on every device.
I mean, could the solution just be for tech-literate people to red-team the shit out of it and show how vulnerable and stupid it is?
Is this a good time to plug the creation of chat protocols running over distributed hash tables (DHT) (essentially a decentralized way of creating mini message servers) and with forward security and end-to-end encryption? I made a POF in Rust but I don't have time to dev this right now. (Unless angel investors to help me shift priorities lol...)
Here's whats coming: Devices will be locked down by remote attestation and hardware secure models by the vendors like google, apple and microsoft. Only registered devs will be allowed to make software for those devices. They simply won't run unless the software is backed by a google/Apple/MS signed certificate. They'll make chat software that doesn't run chat control illegal. If you make it, you'll lose your signing certificate and no one will be able to run it. Sure there will be nerds running modified devices with no check but it's about compliance for > 99% of the people. No one you care for will use that software because they won't be able to run any banking software, other chat software, social media apps etc. on their phone if they jailbreak it.
... which then enables Apple/MS/Google to either forbid real encryption, or allow for silently replacing the app on your phone with one that breaks your encryption.
It’s not. This is a political problem, not a technical one.
I beg to differ. As long as we have gentlemen like Pavel Durov getting arrested at French airports, it's definitively at technical question. A decentralized and distributed chat protocol with distributed devs and owners would make it impossible to arrest any one individual, and it would make it exceedingly hard to censor such a platform. But you are perhaps a fed? xD
Investigate steganography. Otherwise they will just make using particular applications servicws illegal and selectively enforce it. That's why this problem is not technical
If you need a specialized vacuum to collect shit from the floor, how about... not shitting on the floor in the first place.
> Investigate steganography. Otherwise they will just make using particular applications servicws illegal and selectively enforce it.
This isn't quite accurate. It's hard to ban things that are widely used.
Because of its design, it's very difficult to censor email. You could order some large provider to do it but then people could use a different one. You can get email for free from a provider in another jurisdiction. It's not that hard to start a new one. Trying to ban interoperability with mail servers in other countries would cut you off from the world. It creates a cost for a government that wants to do it, which is a deterrent, and even if they try it's hard to enforce.
That isn't what happens when everyone is using Facebook, because then a sufficiently major government can just order Facebook to do whatever authoritarian thing under threat of criminal penalties and there is no switching to another provider or operating your own Facebook server while still being able to communicate with the people using the existing system.
You want authoritarianism to have legal friction and technological friction against it. They're not alternatives to each other, they're checks and balances.
People keep repeating this defeatist drivel but it's just not true. It's still up in the air whether you can defeat a law using technical measures, but it is a thoroughly settled matter that you cannot legislate away mathematics.
We saw how laws completely failed to make encryption illegal in the 90s as open source encryption code spread rapidly on the internet. "Exporting" encryption software was illegal in many countries like USA and France but it became impossible to enforce those laws. A technical measure defeated the law.
Encryption is just maths. It is the law being unreasonable here, and it will be the law which will ultimately have to concede defeat. UK is the perfect example here - Online Safety Act's anti-E2EE clauses have been basically declared by Ofcom to be impossible to implement and they are not even trying anymore.
"I can still use GPG" isn't a win condition you seem to think it is. Authoritarian governments will be perfectly happy to let you continue using GPG as long as the remaining 99% of society continues using monitored/censored communication apps.
Also you will be easily identified as problematic by your use of GPG/PGP.
VPN's provide privacy by blending your traffic with others. If you stand out...
Conversely, as long as the people they actually want to target (dissidents, journalists, ...) use non-compromised E2EE it's not very useful for NSA/GCHQ etc to harvest info about all the cat videos everyone else is watching.
It won't help you with those specific cases no, but Chat Control would be the perfect tool to monitor and stop the spread of information between regular citizens who are trying to organize against the government, just look at China.
It's not your cat videos they're interested in. When people are protesting against the government it's vitally important that they're able to get information out as quickly as possible, to as many people as possible. If the government can slow that momentum down then opposition fizzles out. Chat Control would do a great job in service of that goal, it's large scale crowd control, not a targeted attack.
But it makes the people they want to target very easy to spot - just look at who doesn't watch cat videos. The absence of data is data itself.
No disrespect intended, but "it's still technically possible" doesn't matter. We, as enigneers, tend to think in absolutes (after all, something either works or it doesn't). Politicians are perfectly happy with a law that is only 80% effective - they would argue that sometimes people break laws against murder, but that doesn't mean laws against murder should be thrown on the scrapheap.
Most people obey the law most of the time. Doing a technical end-run around the law (a) leaves you with very few people to talk to (b) makes you stick out like a sore thumb, at which point you're vulnerable to the $5 wrench.
Here's a funny story for you.
Did you know that porn was quite severely censored in Norway up until the 90's? But suddenly, the censorship stopped. Why? Because of the distributed quality of the internet.
While the Norwegian state may still wish to continue censoring porn in Norway, they deemed the task too difficult and too invasive to continue, so they just dropped it entirely (except of course for certain extreme fringe cases).
I was personally shown clips by the Norwegian Board of Film Classification in the early 2000's showing both grey zone depictions, and clearly illegal depictions of film violence per the law. I am still traumatized from seeing some of that s*t. Legally btw, since they are a state authority tasked to categorize and censor such media, and also educate people with the right degrees. Yet in that meeting, when I asked them how they're handling censorship now, they kind of just threw their hands up in the air and told me directly that "We only give advice on cinema films these days. Look, we can't very well censor the entire internet without also using either extremely invasive or unfair strategies. If you really want some violent or pornographic movie, you're probably gonna get it no matter what we try to do."
So, the morale of this story is, make something ubiquitous enough, or hard enough to censor, and some states might just give up. If you build a truly decentralized system, good luck censoring it. And that was pretty much it for Norway. They had given up on the idea of preventing people from seeing violent or pornographic contents on the internet.
Within political science we speak about effective ways to participate politically. Sometimes that's not screaming slogans outside some government buildings. Sometimes that's simply building resilient and forward secure distributed systems.
Btw. as a side note, the bad guys are still taken. Instead of thought policing entire populations, they're now tending to the guys doing actual harm. The anti encryption bills are just smoke and mirrors to get you to give up essential liberties, so they get more control. It has little or nothing to do with protecting children and you know it.
> People keep repeating this defeatist drivel but it's just not true.
It is not defeatist drivel to argue for political action rather than trying to hit everything with a technological hammer.
> We saw how laws completely failed to make encryption illegal
In the USA free speech rights defeated that law.
> Encryption is just maths.
But nothing in those maths guarantee you the ability to use them legally.
> It is not defeatist drivel to argue for political action rather than trying to hit everything with a technological hammer.
I'd say it's actually worse than defeatist drivel, since it actively discourages an entirely feasible strategy of making bad laws difficult/impossible to enforce, and instead encourages people to squander their efforts and resources on fighting all-or-nothing political battles in the context of utterly dysfunctional institutions riddled with perverse incentives that no one at all in the modern world seems to be able to overcome.
The "political, not technical" argument is equivalent to telling people concerned about possible flooding that instead of building levees, they should focus all their efforts on trying to drain the ocean.
> entirely feasible strategy
Who will host the code? What App Store will you publish in?
The developers and the FOSS community generally; F-Droid is a good app store for FOSS, but there's no inherent need for app stores in the first place.
Duplicating the tremendous success of the Linux ecosystem is a worthy goal, but even at the outset, the idea is to reach the 1% of users who want such a solution and are willing to invest thought and effort into it, and let it gradually become viable for incrementally wider adoption. Trying to target the 99% who don't care in the first place wouldn't make much sense.
Right, you need an end-to-end ecosystem. Delivery, ease of use, trustable code and audit, good math, community, financial incentives. Still much more enduring solution than an eternal political battle, IMO.
> it is a thoroughly settled matter that you cannot legislate away mathematics.
I don’t think this protects us. I view the “encryption is maths” position as referring to backdoor keys.
But this time they figured out client-side mandated spyware is a viable way of breaking e2e without contradicting mathematics.
I hate to get dystopian but we can all see where this is going; “Trusted Hardware” is mandated to run your Government ID app and Untrusted Hardware is illegal because it’s only for criminals and terrorists. Your Trusted Device performs client-side content scanning, it’s illegal to install an untrusted app, and all app developers are criminally liable to monitor for Harmful Content on their services.
This is what we are fighting against. They keep trying and they are getting closer to succeeding. And none of this is incompatible with mathematics; it’s a pure rubber-hose attack on the populace.
Its both, ultimately politics is not all-knowing and you can't stamp out all technical solutions.
Like, breaking encryption is just not possible if the encryption is set using a proper algorithm. Governments try, and they try to pass laws, but it's literally impossible. No amount of political will can change that. Ultimately I can write an encryption algorithm or use GPG or something and nobody on Earth, no matter how motivated or how rich, can read what I encrypted, provided I do not let out the key. If I just keep the password in my head, it's impossible.
So, until we invent technology to extract secrets from a human brain, you cannot universally break encryption. Its just not possible. Doesn't matter if 7 billion people worldwide vote for that. Doesn't matter if Elon Musk wants it. Doesn't matter if the FBI, CIA, and the NSA all work together.
It's not a technical problem. Chat Control wasn't about breaking encryption, it would bypass encryption with client-side scanning. It targets the apathetic 99% of the population who won't have the energy or knowledge to do anything about it.
It's also not a technical problem because technical solutions (like GPG) already exist. The problem is political (stopping these authoritarian laws) or should that fail, social (convincing people to inconvenience themselves with alternative communication apps that aren't available on app stores)
> It targets the apathetic 99% of the population who won't have the energy or knowledge to do anything about it.
That's the same 99% of the population whose motivations and priorities define the incentive structures applicable to politics. If 99% of the population don't care about your issue, you're not going to win the political fight without quite a lot of leverage attached to entirely unrelated issues.
So the choice is between creating impediments to the enforcement of this bad policy, and at minimum using technology to establish a frontier beyond which it can't reach -- one that is at least available to those motivated to seek it out -- or instead surrendering completely to politics controlling everything, with it being almost a certainty that the political process will be dominated by adverse interests.
> If 99% of the population don't care about your issue, you're not going to win the political fight
Indeed, that's why I'm not very hopeful about the future of our privacy.
We will need technical solutions to Chat Control of course, but that's just the last step. First we need to crack open iOS and Android with anti-trust enforcement. An uncensored chat app is useless if we can't install it on our devices without government approval.
Unfortunately a significant portion of the tech community is in favor of these walled ~~prisons~~ gardens. Anything we try to do is doomed to fail without freedom to do what we want with devices we own, so until we get past that hurdle I'm hopeless that we'll be able to do anything about Chat Control.
> Indeed, that's why I'm not very hopeful about the future of our privacy.
I'm not very hopeful about politics generally, for that very reason. The obvious solution is to work to make politics less of a determinant of outcomes.
> First we need to crack open iOS and Android with anti-trust enforcement.
Another political solution? Not going to happen. We need to work towards a functional mobile OS ecosystem that isn't controlled by Apple, Google, or the government. That won't be easy, and won't offer any immediate short-term options, but work is already in progress, and will in the long run be far more effective than waiting for politics to save us.
> Another political solution? Not going to happen.
I hold out some hope that the EU "faction" responsible for the DMA makes enough progress in the coming years to make the lives of Chat Control proponents difficult by fighting for viability and complete independence of third party app stores. That's why I think it's critical for the EU to strike down Apple's (and now Google's) notarization process.
I'd also invite those who support walled gardens and attack the EU for the DMA to rethink their position because if authoritarian legislation like Chat Control succeeds in the EU, it's definitely coming to the US next.
Of course an independent OS would be the dream but I'm even less hopeful about that.
> The obvious solution is to work to make politics less of a determinant of outcomes.
This statement is meaningless. You can’t finance, develop, build, sell, and operate an OS and phone in a vacuum outside the reach of “politics”.
Nobody has the resources like an Apple or a Google to develop an open mobile OS that will be able to run on any hardware