> Chat Control would make it mandatory for all service providers (text messaging, email, social media, cloud storage, hosting services, etc.) to scan all communications and all files (including end-to-end encrypted ones), in order to supposedly detect whatever the government deems "abusive material."
I wonder why there has been such silence on this, with the exception of a handful of well written blog posts. The scope of such a dragnet, the economic impact, the societal damage, all seems rather broad. Yet why don't any major operators in the EU take a stance? Is it really so below the radar, or being kept so below the radar?
Just the network egress costs to whatever state sanctioned scanner gets built will in aggregate probably exceed a few hundred MEUR yearly.
> I wonder why there has been such silence on this
Yes, I would think that if there were any real journalism left, they would be all over this. For the sake of their profession, and the protection of their sources.
Sure, but the way this was written it also includes everything from Gmail to root access servers hosted by Hetzner. Gmail has been doing this for years, but (I assume) not Hetzner. If even hosting providers are dragged into this the scale grows dramatically. Can Hetzner really not even be bothered about having to comply with such ridiculous requirements?
To give a simple example: imagine a script that constantly dumps /dev/urandom into JPG-like files nonstop onto a 16 TB disk, then repeats. I've seen enterprise systems that aren't so dissimilar. If indeed the EU commission wants all files scanned, then will Hetzner need to spy on all of their machines at least enough to check for compliance? I'm guessing their board members think it can't possibly be so dumb, or stand to gain handsomely and privately.
Big tech would be for this -- it would create a huge moat in terms of costly and complicated compliance overhead that would keep small challengers and startups out.
Complicated or costly regulation is a regressive tax -- it affects smaller companies a lot more than larger ones and tends to prevent new entrants to a market.
That's exactly my point though. Google, AWS, Meta etc all stand to gain from this. But plenty of middle tier providers are entirely silent even if it poses a potentially existential threat. Some people are going to get rich from this of course, but many will be ruined.
And that's before even accounting for the lives to be destroyed by a blurry photo of a tree being classified as abuse material.
This is because they are one audit away from being off the market. This is how companies stay silent in authoritarian regimes. One wrong comms and company is toast.
Except that it creates a market for circumvention tech that would also cut Big Tech out from understanding what its users are saying to each other.
Age restriction laws don't stop underage folks from doing anything, they just increase the market demand for VPNs, and improve VPNs so they get less easily detected. The net result is that platforms can't use IP addresses to meaningfully infer anything about their users.
Same with this. This legislation will create a demand for private encryption tech that isn't part of the platform. Someone is going to provide that and make money, and in the process may remove the demand for the platform in the first place.
I get the logic you're talking about, and agree that they must be thinking this, but it's very short-sighted.
Totally. This is exactly the problem with things like Chat Control in the EU and KOSA in the US. They will just introduce the same bill over and over and over again until they get the desired result.
What we need is for legislatures to pass "NO Chat Control" and "NO KOSA" bills that specifically block this behavior, but unsurprisingly governments don't seem to be too keen about limiting their own rights, only those of their citizens.
A lot of these laws are now attempting to apply extra-territorially, e.g. to servers and companies in the US just because people in the UK are connected to the same internet, with punishments meted out if any part of that company does any business in the UK even if it's unrelated.
It might be interesting to go the other way: Get it put into the constitution of a major country that these kinds of backdoors are banned world-wide and you can't do business in that country if any part of your enterprise implements them anywhere else.
To begin with this would make it harder to pass laws like this in other places -- domestic companies with international operations would put up stronger opposition because it would compromise their ability to do business elsewhere, and legislators might actually be concerned about that. And then on top of that it would force the companies to choose which subset of the world they want to operate in, allowing people in oppressive countries to pick up uncompromised devices from the places where compromised devices are banned.
The US constitution already has a provision against unreasonable search properly enshrined, and well tested in courts. Things like KOSA can be rejected as clearly violating it.
The EU does not seem to have such a simple and ironclad norm.
Ah, that constitution must explain why we never see people being abducted in broad daylight by goon squads in the US, right? Because anything that clearly violates the constitution would obviously never happen there. Because you're the best country. The greatest.
I'm not sure if the 4th amendment applies to deportation of non-citizens, and secondly you would have to take it to supreme court to find out.
In comparison to the US constitution, EU "norms" might as well be toilet paper. For example, they have some notion of "free expression" which sounds like free speech but is defined to be so weak as to be useless. The european public broadly does not seem to care, they certainly aren't willing to kill for their rights.
Other commenters already mentioned that the current situation in the US shows how fragile this "ironclad" norm is. Aside from that, though, the fourth amendment wouldn't necessarily prevent a law that requires companies to scan the data and creates certain liabilities if they don't. The weakness in the US's version of such "rights" is that none of them actually guarantee that any individual rights are to be protected against all comers; they restrict the government from doing certain things but allow private actors to do those same things.
I mean that'd certainly be nice, and it is also their only job, but even if they wanted to do it in regular legislation that'd be better than nothing.
Make a law that says companies have to protect the data of their citizens without the possibility of any intentional backdoor, perhaps. Make a law that says companies can't require people to dox themselves with ID scans simply to use a publicly available internet platform that provides no services in the physical world. Make a law that says OS developers can't create client-side scanning services that upload results off-device without revocable user consent.
True, and this is also the case in many other countries. Even if it is revocable by future legislation though, having pro-privacy laws on the books to prevent the current executive powers-that-be from abusing them would still be helpful.
It’s this. Even when an effort fails, there are no consequences for the politicians behind it. Nobody gets voted out of office. Nobody loses power. All they need to do is wait a year or two or five and try again. Eventual success is almost guaranteed.
Trust only software and systems you control and even then, approach with a hefty amount of side-eye.
Cable everything is dead. FOX is doing relatively well, but they reach maybe 1% or 2% of the population, and presumably that's almost all already unshifting right-wing people. I'm not saying it's impossible that it's a propaganda power center, but I don't personally know how that would work. It feels like a leftover enemy from the early 2000s that just doesn't make sense post-internet.
"According to data from Nielsen, Fox News — from the period spanning June 20 through Sept. 1 — finished as the no. 1 network in all of broadcast television during the primetime hours of 8-11 PM. During those hours, Fox News averaged 2.43 million total nightly viewers in primetime — topping ABC at 2.38 million, NBC at 2.21 million, and CBS at 2.03 million. It is the second time in the network’s history they accomplished that feat — with the other coming in the summer of 2020."
While it sounds accurate that maybe 1-2% of the population watches it live, it is also the most highly rated and influencing "news" outlet in the US. Their reach is far deeper than 1-2%. It gets retweeted, talked about, and trickles down. It sure seems like at least 1/3rd of the population has a FOX brainworm infection. I've seen it on 24/7 in hotels and some sport bars or restaurants too.
"It sure seems like at least 1/3rd of the population has a FOX brainworm infection" - you had me right until you pulled this completely out of thin air.
All the main news outlets totalling less than 9 million viewers? That's not compelling at all.
Appreciate it- thanks for the feedback. I was admittedly being inflammatory, much in the spirit of the network we are discussing. In my perception it was not always this way and when it first came out I remember liking it. It was generally "fair and balanced" as their slogan was (they dropped it around 2017 when Obama left the WH). I have only been paying attention the last 30 years or so, and what started with AM radio on the fringe seems to have become mainstream in the last 25 years since 9/11 basically and has accelerated to the point we are at now in the US.
If I gather right-wing propaganda retweets, what fraction do you think will be retweets of FOX clips versus retweets of a right-wing propaganda twitter account? I don't have a methodology in mind, but I'm curious and will come up with something if you think substantially higher than me (<10%). I don't see why anyone would center FOX in the current media landscape. Musk alone has more than an order of magnitude more reach.
My understanding is that Nielsen does track what people encounter at hotels etc. (though only recently), so that should be included (?)
Exactly. Come to the Midwest and you'll see Fox News on in bars, oil change waiting rooms, dentist offices, etc. The other thing to keep in mind is that thanks to the electoral college, that percentage of viewers translates to a higher percentage of electoral votes.
> The other thing to keep in mind is that thanks to the electoral college, that percentage of viewers translates to a higher percentage of electoral votes.
Except that it's the opposite. The Dakotas are over-represented in the electoral college but getting them from 60% Republican to even 99% Republican wouldn't gain them a single electoral college vote. Meanwhile states like Michigan and Ohio where changing minds could change outcomes are under-represented in terms of electoral college votes.
But the vote allocations are the least impactful part of the electoral college. If you got rid of the +2 electoral college votes for each state independent of its population, votes in Arizona would still matter more than California. The primary thing the electoral college does isn't to give red states slightly more power than blue states, it's to give swing states dramatically more power than safe states.
> If you got rid of the +2 electoral college votes for each state independent of its population, votes in Arizona would still matter more than California.
There's a bit more to it than the +2 electoral votes from the senate, because even within the House the representations are skewed due to the strange decision to cap the size of the House at 435 seats while guaranteeing each state at least one seat. Thus California has 52 times as many reps as Wyoming although its population is about 67 times greater.
> The primary thing the electoral college does isn't to give red states slightly more power than blue states, it's to give swing states dramatically more power than safe states.
Strictly speaking this too could be changed to some extent without changing the electoral college itself, namely by states switching to allocate their electoral votes in proportion to the popular vote, instead of winner-take all. That is entirely possible now and two states already do it, but it has minimal effect because those states are tiny. But if, for instance, you could win 20 EVs in CA by winning ~40% of the popular vote, you can bet that some campaign dollars would shift to CA from, say, Ohio, because Ohio doesn't even have a total of 20 EVs. You could win more EVs in California while losing the election than you could by winning in Ohio! But most states will not do this because usually the party that wins all the EVs is also the party that controls the state government, and they don't want to give away half their EVs to the other party.
But what about all the re-presentations of the same content in YouTube clips, etc.? It's true that cable as a delivery mechanism is declining but that doesn't necessarily mean stuff like Fox as a content source is declining in influence.
We've been mostly deplatformed for any kind of organized action against it, there's just writing an email to your MEP or... a change.org petition. Yes really. Nothing official one could sign their name under.
But even so, the commission does whatever it wants anyway, they are complete autocrats when it comes to law proposal, it's up to the parliament and the courts to do something about it afterwards. And they should given that it's unconstitutional in many EU countries and incompatible with GDPR as it currently exists.
Would it be correct to compare the EU's autocratic pronouncements to Presidential executive orders in the US? In the sense that they can pass whatever they want with little feedback but then the courts can tear them apart?
It's ridiculously different, there's no single person or country that can do anything like that
there are multiple ways to make EU law, there are regulations (that apply directly) and directives that member states need to implement (basically ratify)
the Commission proposed something and then the Council votes on it and then there's the EP which votes on it
the treaties have some areas that are under "Special legislative procedures" where the EP cannot propose amendments, but still has consent power, but in some cases like internal market exemptions and competition law only consultation right
I assume from your comment history you are from the USA.
It’s surprising how quickly you have forgotten CISPA, EARN IT, etc - which were much more invasive proposals than chat control (slurping of all data of everyone, not just client side scanning for csam).
Of course, now you just cram unrelated shit into “big beautiful bills”, speed it through with minimal oversight using loopholes, and hope no one will notice. Has no one told you how fkin insane that is?
Not at all, the Commission and the Council together can do a lot but it's important to understand both are collective bodies formed by governments of member states and can only act in some limited areas (defined very exactly by the various treaties). But then most of the important decisions have to be approved either by the directly elected Parliament or by all national parliaments (like some international agreements). And that's for legislation that doesn't have to be transposed into national law (can be applied directly), but most of the legislation has to be transposed and the member states have some leeway there.
Unlike the president the EU commission are unelected and the commission is the only branch of government which can propose laws, however they can't force anything through in the same way the US president can with an executive order (it must go through parliament).
I guess it's good/bad, but in different ways to the US. It's bad in the sense EU citizens can't elect the people proposing their laws, but it's good in the sense that the commission can't just force things through without approval from the parliament which consists of MEPs which europeans elect.
As far as I'm aware the courts function in more or less the same way. Here in the UK parliament is sovereign and therefore can overrule any court decision with new law. This isn't true for the EU and I believe it also isn't true in the US.
The EU Council is the highest body in the EU (not the Parliament, especially not the Commission - who are basically the civil service or secretariat for the EU).
The EU is founded on the pooled sovereignty of the member states (unlike in the US, where the reverse is the case). The Council represents those member states (each has a seat), and so holds this pooled sovereignty.
On the open internet? The drone strike in January that made headlines was not quite that simple. The drones were directed using dead reckoning. The drivers of the trucks were not informed what was happening with their cargo. Even the American government was kept in the dark.
Not at all. Ukraine had operatives inside Russia. The trucks were not driven in from outside Russia. The system was assembled inside Russia. Also, every single drone had its own pilot: https://www.bbc.com/news/articles/cq69qnvj6nlo
That's also just one of many operations inside Russia. There's lots of sabotage and assassinations that have been done.
You just can't do operations like that without secure communications.
How? If they're end-to-end encrypted, they really can't be monitored unless there's a flaw in the encryption system. Don't trust messages to systems that aren't auditable.
Chat control will require client-side AI scanning of all messages, bypassing end-to-end encryption. Since the AI will be an unauditable blackbox, it will make it effectively illegal to have secure end-to-end encryption.
Installing open source software on phones is becoming more and more difficult. It used to be the case that bootloaders were generally unlocked or unlockable. That is no longer true, including on Android. Google is also planning on banning APKs from unregistered sources soon.
We need end-to-end encryption on phones to have reasonably convenient privacy. We can definitely lose that, and open source software won't help.
Worse, once phones are locked down desktops and laptops can be locked down as well.
How long until hardware vendors prevent you from installing a certified OS that is specifically not anything like linux? Before you call it a conspiracy, know that we are already there with our phones, which represent an overwhelming share of consumer compute use today.
The thing is although your exact message text is end-to-end encrypted, the messages are scanned locally on the device and information about your messages is sent out-of-band to wherever it needs to go.
This illustrates why I'm so skeptical of all these "end to end encrypted" closed source solutions like WhatsApp: yes, they're end to end encrypted so the server doesn't necessarily get to see what's going on, but what's the point in that when I can't trust the client?
> Chat Control would make it mandatory for all service providers (text messaging, email, social media, cloud storage, hosting services, etc.) to scan all communications and all files (including end-to-end encrypted ones), in order to supposedly detect whatever the government deems "abusive material."
This is buried too far down the page, which is written quite poorly. A lot of meandering and jumping to a CTA and a bunch of anxiety and fear before even stating concretely what it even is. Even the section called “What is Chat Control?” takes five paragraphs before it tells you what it is.
The page talks about wearing people down, but these kinds of pages wear me down too. I want sober, calm presentation of a problem, why I should care, and what to do about it. I have enough frenetic sky is falling anxiety in my life already!
Don't worry people. If you are not a European let me tell you how it goes.
The 'Unofficial' boss of European Union is Germany. If Germany will vote against it, more countries will back off and it won't pass. If Germany wants ChatControl, it's over. It will pass and all other undecided countries will support it.
> ... The 'Unofficial' boss of European Union is Germany. ...
I disagree with this sentence. The unofficial bosses are both Germany and France. Which is also the reason why the people in the richer EU countries will suffer economically when the upcoming bailout for France /will/ happen.
Probably better for you guys that UK is out now, our government would have been salivating at the thought of spying on every citizen without repercussions
As both an EU citizen and a computer programmer, I applaud this article, and I generally agree with its sentiment. But let's be realistic. Chat control is going to happen sooner or later. This is a Hacker News forum. The audience here is very knowledgeable about computer science and fully aware of how technologically impractical the idea of fighting CSAM in this way is. But the general public is somewhere else entirely. They genuinely believe that this will help, to whatever they think it will help. They have no idea that real CSAM distributors will simply adapt by encrypting files into ZIP (or whatever) with strong passwords or using different channels. I've tried explaining this to some of my non-IT friends and family members. I think they now think I'm a pedophile. It's kind of stupid for a father of two teenage daughters, but that's the general public. They want it; they'll get it.
I don't think it should be taken as a given that it'll happen. While this may be something the public is generally in favour of or ambivalent towards, there's a LOT of EU countries and MEPs that are not at all in favour of this, and already a few EU countries whose courts have ruled that this would violate their constitutions.
While it's certainly possible it'll happen, it's far from certain. It can be stopped. Of all the currently 'undecided' countries, if just Germany came out against it, that'd be enough to sink it. Germans are pretty pro-privacy people, and the government would win no popularity by supporting it. Even if the German government supported it though, the German MEPs would likely still end up mostly voting no.
I know there are some countries that are surprisingly sane in this respect, and Germany is one of them. Also, the EU parliament is probably still mostly against it, too. So it will certainly be some time before this happens. However, we should never underestimate the "salami" method, this matter will certainly go through.
> Chat control is going to happen sooner or later.
Even if that is true—which you don’t know, because you cannot predict the future—later is definitely better than sooner. Later is worth fighting for.
Your defeatist attitude is exactly what these bad actors want, you’re playing right into their hands. Thankfully not everyone thinks like you, or Chat Control would have passed first time and no positive change would have been enacted ever about anything.
I beg your pardon. :) I already explained that I did my part and the result was hopeless. Perhaps you should do your part, too. Don't bother arguing on Hacker News, because it has no material effect on the EU population outside the narrow IT crowd.
Besides, I'm not a defeatist at all, because I know GnuPG! However, the non-IT EU civilians who also coincidentally agreed with this, are unfortunately lost.
Of course the elephant in the room is all of this content and bad behavior predates the internet entirely. The internet is used because it is more convenient than mailing polaroids to a dead drop address. Not because it enables anything that wasn't happening previously. Makes it a little easier perhaps, but even that is arguable given the oversight today.
This "bad behavior" could easily regress into encrypted files stored on CD-R discs and distributed via the postal service at any time. However, we will all suffer from an invasion of privacy due to constant, non-transparent online monitoring. The real criminals won't notice anything, and the rest of us will simply accept that we are being constantly watched by mega-corporations, the police, and the government.
I don't really understand this attitude because clearly if this passes, it will create a (black) market of new communication tools to bypass this and so on and will end up locking down every connected device so we can't run anything that is not government approved. It does not matter there will be ways around this - what matters is they will be illegal. So no, this can't be allowed to happen.
Some thoughts if you have them, are illegal to express, even in private, for your own consumption. This is the law that means none of our devices or possessions are protected from snooping.
You have a tough challenge to convince me it’s anything other than a mundane device to give some groups an information advantage over others in their own society, for the unfair pursuit of political and economic advantage.
In other words, the people in power get to dictate which thoughts you're allowed to have/express? Even in the privacy of your own house? And if the people in power decide acts of kindness or expressing love for your children are illegal…?
Rather, the expansion of surveillance legislation in 1986, and 2001, introduced the idea that private material on your computer can be criminal, which opened the door to government installed malware to monitor you, whereas before that, criminal activity involving information was restricted to communication or social organization. Then later in 2003 with the introduction of private contractors to implement this tech, there was a further expansion in the people who had access to this information. An example of what happens when people have this power is captured in this Bloomberg article [1] and this New Yorker article [2]. And we know that some Silicon Valley leaders do not believe in market fairness/competition.
In the UK we take this a step further – if you're by an abortion clinic and the police believe you could be praying in your head for those getting an abortion they can charge you.
There are also examples where the people have been charged for retweeting opinions or sharing lyrics which are considered grossly offensive. Although I suppose in these cases you could at least argue something is being expressed.
I am curious what would happen if one of those people tried to pray while having a sign above their head that said “I’m praying for <favorite sports team> to win their next game”
> In its decision, the court reasoned that his prayer amounted to “disapproval of abortion” because at one point his head was seen slightly bowed and his hands were clasped.
I'm all for women's rights, but that's not how to do it
> The safe zone, introduced in October 2022, bans activity in favour or against abortion services, including protests, harassment and vigils.
> During the case, brought by BCP Council, the court heard Smith-Connor had emailed the council the day before to inform it about his silent vigil, as he had done on previous occasions.
> On the day, he was asked to leave the area by a community officer who spoke to him for an hour and 40 minutes - but he refused.
So he told the council he was going to have a silent vigil against abortion, and then it had to take place within the buffer area to protect women from anti-abortion activism.
He was totally free to walk a few yards away and do whatever he wanted, but he refused.
Sounds like he wanted to stir the pot to preserve the right to menace women seeking medical care.
It tells a lot about echo chambers that the first article google showed me for "man charged for praying abortion" is the adf one and you presumably got the bbc one. Anyway, there's nothing to see here, the UK banned vigils in front of abortion clinics, he got charged for keeping a vigil somewhere not allowed, so no thoughtcrime involved.
Freedom of speech and banning vigils/demonstration is a different debate that we already have all the time...
Looking at the long list of faces for my country, it boggles my mind how all these people are fine letting the police just scan their phone, photos, messages at will, as if they don't have significant others or medical pictures on their phones, including of their children.
Do they think they're above it? Are they stupid and don't know what they vote for?
> Do they think they're above it? Are they stupid and don't know what they vote for?
They're somewhat out of touch with tech, and caught up in police narratives around encrypted apps blocking their attempts to find pedos. Tech firm lobbyists sell them some lies about the capabilities of these systems.
Ultimately these are politicians stuck in the notion of "but the police can open your [physical] letters, this isn't any different" completely unaware of how times have moved on.
Matters like how people are already being harassed by CSAM being sent to their DMs, how people raid discord servers and try to have them taken down by spamming CSAM, etc, are completely lost on these politicians.
On top of that it's just cowardice. Not daring to be seen as "aiding pedos".
From Patrick Brewer's analysis [0] it seems like written into the proposal is to enable members of the government to have access to excepted systems, if applied for things like law enforcement or "national security." If I had to guess, at least a few MEPs expect they will be able to use such an exemption for their personal communications.
I expect moms sharing bathtime pictures and videos with each other to get caught up in this as the censors get aroused by the content and project their own feelings of arousal and cognitive dissonance onto the parents sending bobbies and armed police to kick down doors. The legal costs and permanent damage to reputation will undoubtedly destroy many people.
“We want to be able to look into all your private spaces to ensure you’re not a child rapist. If you’re not ok with that you must be a child rapist. Now. Do you support keeping our children safe?”.
This needs to be a South Park episode if it isn’t already.
Funniest part is, current EU politicians are setting these systems up just as nationalist and authoritarian politicians (their adversaries) start to dominate the scene. Introducing this now seems like self-sabotage.
While I agree with you about rising authoritarianism, I'm confused what this has to do with nationalism. Chat Control is being created by the EU, a supranational organization. If anything, this sort of transnational authoritarianism is a bigger threat, and likely to promote nationalist backlash.
Of course there are mechanisms to defeat privacy-invading software (and hardware), but the point is that most ordinary people don't want to. Most ordinary people actually want to hang out on the same social networks that all their friends and family are on, they want to watch the same TV shows, they want to be able to easily make payments at their local restaurants and the grocery store, they want to be able to use public transport etc etc.
When forced to choose, it turns out that convenience beats privacy for almost everyone.
I'm well aware of the tendency of societies to accept convenience over privacy, of the underlying risk of surveillance at scale and of the stripping of privacy from off-the-shelf applications that users are unlikely to abandon.
You seem to be assuming I was making a case that people will just get around these invasions of privacy en masse, and I'm not making any such case. Nor were my questions designed to undermine the original article or to dismiss the harms or the totalitarian nature of these laws.
More difficult privacy means less privacy for everyone, and it means no privacy for the bulk of the population. I agree.
So I don't need a lecture in how my questions misalign with the absolute need to preserve encryption. My questions are geared toward understanding what individuals can do in a society which has already turned completely into a panopticon. And I don't think it's useless to ask those questions, nor to educate people in how to protect themselves in such a situation, even if the task seems hopeless on a mass scale. Such a situation appears increasingly inevitable in the West, and I think it's valuable to take whatever lessons we can from societies that are already further down this road. My family fled a totalitarian dictatorship long before such powerful surveillance technologies could even be imagined. I think knowing how people cope with and attempt to preserve a modicum of privacy under the present conditions in modern dictatorships is instructive in preparing at least some part of our population for it.
If you are starting from the point of view that Chinese society is a panopticon, and that no other society has ever experienced or had to deal with anything comparable, but totalitarian laws are about to make it inevitable in the west, and therefore it's important for someone to ask questions on HN if people in China can obtain phones that allow them to avoid state spyware... I don't know what to say. The line of questioning comes across as nonsequitous in a discussion of the proposed regulations and how they might affect people in the EU.
The answer you seem to be looking for is that in China, just like in every other country, there are devices that exist which do not come with a state spyware component that is constantly transmitting everything to the authorities. Some devices are locally manufactured, others are imported, some are regulated, others are not, and people communicate using those devices and others, across all forms of media, including face-to-face.
To elaborate: China isn't a totalitarian hellscape where everyone has a gun pointed at their head and they're all forced to use the same, identical, CCP-branded phone or else face execution. It's a huge, diverse country filled with millions of hackers and entrepreneurs, people with different interests, people with different means. There are countless devices and app stores and popular trends. Regulations are often unclear and are enforced differently in different regions and by different layers of the bureaucracy. Not everybody's threat model is the same. Just as in the west, people find ways to communicate that meet their comfort level - sometimes that's through systems monitored by the authorities, other times not. There's no one special technology or technique.
The main difference in China is that citizens can be disappeared without much recourse because the legal system is opaque and there is no free press or democratic process to hold the government to account. But that's not the case in most of the EU. There is certainly democratic backsliding happening in parts of the EU, but that's a separate discussion.
Add to that - most normal, everyday people are entirely in favour of invasive government monitoring if it can be painted as being 'for the children' or 'to catch terrorists'.
So it's not a case that convenience beats privacy, AFAICT they're largely in favour of giving up that privacy anyway.
As someone who's only visited, a foreign phone with foreign SIM will get you out. But I think using VPN on a Chinese SIM is somewhere on the range of very difficult to completely impossible these days.
> somewhere on the range of very difficult to completely impossible these days.
It’s completely fucking trivial, there are a gazillion services and a number of well supported v2ray/ss/etc. capable VPN apps. SIM has nothing to do with VPNs after all (except in the DPI sense but various protocols already bypass that).
The Chinese SIM is the key. If you are a foreigner and want to use a phone, either use a burner phone with a Chinese SIM or use international roaming with a non-Chinese SIM. You should not use a Chinese SIM.
Other restrictions are tied to the account which are based on the region of the Apple account, so any phone with a Chinese account will have various restrictions.
The article gives some examples of scope creep but missed the biggest one IMO: copyright enforcement. I suspect if you follow the money, copyright is what keeps things like Chat Control coming back. Fully expect Sony, Disney and other IP to be added to the list of flagged content, keeping us safe from dangerous pirates.
it would be great if this article actually explained what Chat Control is somewhere at the top. it says it will, but I’m quite a few paragraphs in and have no idea what I’m supposed to be mad about yet
If you follow the link for "Chat Control" in the first sentence, and then scroll down for a while, you will find a subsection titled "What Is Chat Control". Probably they assume that if you do not know what it is, you should not care about it.
From that section:
> "In 2021, the EU approved a derogation to the ePrivacy Directive to allow communication service providers to scan all exchanged messages to detect child sexual abuse material (CSAM). Although this first derogation was not mandatory, some policymakers kept pushing with new propositions.
> A year later, a new regulation (CSAR) was proposed by the European Commissioner for Home Affairs to make scanning messages for CSAM mandatory for all EU countries, and also allow them to break end-to-end encryption. In 2023, the UK passed a similar legislation called the Online Safety Act. These types of messaging mass scanning regulations have been called by critics Chat Control."
People who know about it are generally already annoyed. The trouble is most people don't know what it is, and those are the people who should be targeted
right and if you read that subsection, it does not tell you what Chat Control is. which I find odd. it just goes on about how bad it is (after making an analogy earlier about police entering my home every morning). am I missing the explanation in the article of what Chat Control actually is?
the article also explicitly says it affects non-Europeans. I’m interested! I just can’t figure out what it is
A bit of a scroll past the probably justified but still alarmism is the actually bad proposal.
> The most recent proposal for Chat Control comes from the EU Council Danish presidency pushing for the regulation misleadingly called the Child Sexual Abuse Regulation (CSAR). Despite its seemingly caring name, this regulation will not help fight child abuse, and will even likely worsen it, impacting negatively what is already being done to fight child abuse (more on this in the next section).
> The CSAR proposal (Chat Control) could be implemented as early as next month, if we do not stop it. Chat Control would make it mandatory for all service providers (text messaging, email, social media, cloud storage, hosting services, etc.) to scan all communications and all files (including end-to-end encrypted ones), in order to supposedly detect whatever the government deems "abusive material."
ah this is the relevant piece, which I did skim over given I was getting annoyed at paragraph after paragraph not telling me what it is:
> Chat Control would make it mandatory for all service providers (text messaging, email, social media, cloud storage, hosting services, etc.) to scan all communications and all files (including end-to-end encrypted ones), in order to supposedly detect whatever the government deems "abusive material."
I shared your comment with the author and we're going to reorder some of the sentences in a little bit to highlight the fact it's a backdoor earlier. We've talked about Chat Control so much over so many years (because it keeps reappearing) that it's easy to forget many haven't heard of it lol
I think one source of confusion is that many probably see "Chat Control", expecting it to be a reference to one specific proposal or legislation (a la "GDPR" or "DMA"), while it's an umbrella term you use to group different proposals pushing the same agenda and end-results. Readers look for one face to point at but it's a hydra and they just leave confused.
Clearly defining the term and its intended meaning would do well, I think.
I mean, if someone has an end to end encrypted conversation, it's encrypted when it gets to the carrier, and the carrier shouldn't (technically, not anything related about whether they are allowed to or not) be able to decrypt the conversation.
If the carrier is terminating the connection, then it's either not end to end encrypted, or it's broken.
edit: sorted the grammar/punctuation at the end to improve clarity
Of all the arguments presented I'm surprised to see absent the one that seems most obvious to me: encryption is just math, there's no way to actually ban it. If criminals think their conversations are going to be detected they aren't going to just say "oh well let's not crime now". They are going to simply spin up their own e2e encrypted channels. The software is nearly trivial, the technical barriers are very low - it's hard to think why it won't happen.
So then what? They start outlawing encryption altogether? knowledge of math? How would you claw back all the public and freely available software that people can already use to encrypt messages to each other?
Sure you can. For example, UK will jail you if you refuse to disclose a cryptographic key for something encrypted that the court wants to see, so long as the judge is convinced that you know it. I could easily see that extending to steganography: "there's no rational justification for you to have this file, and statistical analysis patterns show that it likely has a steganographic payload".
"Sir, those are just internet memes I've been sharing with a friend of mine"
The whole point of this technique is that with sufficiently low information density the data is not recoverable unless you know what you're looking for, because it's indistinguishable from noise.
I mean, not just the UK - it eventually changed in the US, but anything deemed too strong to crack was classified as a munition for a while in the 90s and 00s, and some things are still banned from being shipped to some places -
I'm sure many core proponents of Chat Control would like to also make it illegal to "hide" from scanning by applying your own encryption (and, even if not caught directly, it would add to the list of crimes someone might be charged with) but that large of a change probably puts it too far outside the Overton Window of today in a single push.
> Any image file or an executable program can be regarded as simply a very large binary number.
This had never occurred to me before but is totally obvious in hindsight. An interesting corollary is that, given an infinite natural number space, all programs that have ever and will ever exist can be found as a single point on this natural number plane. The larger the number, the more complex the program. What else is emergent from this property?
They control the guns, so you can't fight back with bullets. They control the airwaves, so you can't fight back with ideas. You're running out of options.
Democracy is being served. People want this stuff. HN people maybe not, but let's not pretend we represent anything but a noisy minority. It's entirely democratic AFAICT, "think of the children" and "think of the terrorists" won the argument some time ago.
Free speech is not held as an absolute in many countries as it is in the US, and never has been. It is in a bad state in some places (the UK seems to be performing poorly on this measure) but a lot of places feel the right to spew whatever toxic lies spring to mind without consequences might not be entirely healthy either.
Justice? I think justice is performed better in many European nations than most of the rest of the world.
And freedom... lots of people like to claim the US is the most free place on earth, but it's really not clear that's true. There are freedoms in other countries not enjoyed in the US. Here in Australia for example, I am free to collect the rainwater and filter it for my drinking-water supply, something that's not true in every state.
The point is that things can be bad without being melodramatically the end of democracy.
Is this an authoritarian move that ought to be spoken against by those who know and care? Absolutely. Does it mean that there's no more democracy in Europe? No, that's a little ridiculous.
The Usual. Govt trying to harness private systems for the purpose of public surveillance.
They do this using warrants. And subpoena.
We need a personal declaration of rights that says private systems are not in any way obligated to extend the reach of govt surveillance networks, without the consent of the private party.
It is a small protective measure. The next step will be for govt to bully everyone to give consent to their surveillance systems … or else.
But as of right now, the law is arbitrarily taking for granted that private surveillance systems belong to govt regulations.
This is one of many laws the EU and member states are pushing in order to implement more online surveillance. I always wonder why individuals (representatives) would push for these kinds of surveillance laws? I think politicians usually pass laws which help themselves or their lobbies gain power and influence on economical levels, but I wonder why anyone would push for this kind of legislation even before an authoritarian state is in place. What is there to gain on an individual level?
Even if a system doesn't look authoritarian, corruption happens all the time. Those involved in corruption naturally want more power for themselves. Additionally some people actively thirst for more power for whatever reasons, and most people don't want to be constrained in their jobs, and they are all aligned in expanding governmental power. You need some discipline to commit to the idea that "I don't want the ability to see encrypted chats, even if that makes my job 90% easier to do", and I don't trust most people to have it.
Weird the countries that are all in agreement with chat control all have migration/integration related problems now at odds with local European population that have grown fatigued by the excessive empathy and virtue signaling that have eroded their own identity and safety.
Could it be that this is a last-ditch attempt to presumably stop a civil war that seems to be brewing by predominantly Muslim vs European populations?
If this isn't a sign that the integration and the multicultural experiment has failed completely in Europe then I don't know what. A free democratic society that is peaceful would never need wide surveillance net like this.
It seems that none of the HN comments touch on the internal demographic tensions that have been going on for quite some time. Western Europe and Scandinavia remind me very much of Lebanon before civil war broke out between the Muslims and Christians.
Can you expand more on how many of the key seeming counterexamples to this in the map support this conclusion (e.g. DE should be the most red of them all, no?) or how the desire for CSAM surveillance is a proxy for the mixing rate of different religions in the regions? It feels unlikely we will agree about it, but I'm curious what you're seeing in this data that makes it seem so clearly the causal reason to you.
Regarding all the chat control posts, I've not seen any comments regarding the potential use for homomorphic encryption to abide by this law: if chat control is only used for the detection of CSAM (which is another issue in itself; Apple, for instance, already solved this with NeuralHash), then could "allowing the government to snoop" be letting them have the homomorphically encrypted ciphertext?
Disclaimer that I actually don't know the full extent of what this chat control law is asking for, except for the fact that it will deeply compromise encryption.
so you encrypt your image, send it to the government, the government runs its CSAM detector on the encrypted image and gets... an encrypted result.
then what? you decrypt the answer and send it back to them? promise that you totally didn't change the answer?
FHE is the wrong tool for the job. you'd want verifiable computation (e.g. ni-ZKP) instead. both are too complex and faaar too computationally expensive for actual use.
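The objection in the comment above, as an added example that is not part of the original thread: a toy additively homomorphic Paillier scheme (standing in for FHE, which it is not) in which a scanner computes the Hamming distance between an encrypted 16-bit hash and a blocklist entry without ever seeing either the hash or the result. The key size, hash values, threshold and all function names are constructed for illustration.

```python
import math
import secrets

# Toy Paillier keypair from two Mersenne primes. Constructed demo values,
# far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                    # public key
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # private key
MU = pow(LAMBDA, -1, N)                                 # private key


def encrypt(m):
    """Public-key operation: Enc(m) = (1 + m*N) * r^N mod N^2, r random."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + m * N) % N2 * pow(r, N, N2) % N2


def decrypt(c):
    """Private-key operation: only the client can run this."""
    u = pow(c, LAMBDA, N2)
    return (u - 1) // N * MU % N


def to_bits(value, width):
    return [(value >> i) & 1 for i in range(width)]


def client_encrypt_hash(image_hash, width=16):
    """Client side: encrypt each bit of the image hash separately."""
    return [encrypt(bit) for bit in to_bits(image_hash, width)]


def scanner_encrypted_distance(enc_bits, blocklist_hash):
    """Scanner side: uses only the public N.

    For each encrypted bit x and plaintext blocklist bit b, x XOR b is
    x when b == 0 and 1 - x when b == 1. Multiplying ciphertexts adds
    plaintexts, and a modular inverse negates, so the product of the
    terms is an encryption of the Hamming distance.
    """
    acc = 1  # Enc(0) with r = 1
    for c, b in zip(enc_bits, to_bits(blocklist_hash, len(enc_bits))):
        term = c if b == 0 else (1 + N) * pow(c, -1, N2) % N2
        acc = acc * term % N2
    return acc


def client_report(enc_distance, honest=True, threshold=2, width=16):
    """Client side: decrypt the scanner's result and say whether it matched.

    The scanner has no way to check the answer, which is the gap the
    comment points out: a dishonest client simply reports "no match".
    """
    distance = decrypt(enc_distance)
    if not honest:
        distance = width  # claim the maximum possible distance
    return distance <= threshold


if __name__ == "__main__":
    image_hash = 0b1011001110001111      # constructed sample hash
    blocklist_hash = image_hash ^ 0b101  # differs in two bit positions
    enc_bits = client_encrypt_hash(image_hash)
    enc_distance = scanner_encrypted_distance(enc_bits, blocklist_hash)
    print("scanner sees only:", enc_distance)
    print("honest client reports match:", client_report(enc_distance))
    print("lying client reports match:", client_report(enc_distance, honest=False))
```

Closing that gap requires the client to prove its reported result is the correct decryption, which is the verifiable-computation direction the comment mentions.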
This is 1984 installing a camera in your room to monitor your private conversations and criminalize them.
That's it.
It means that the government asserts the right to bug all your conversations. They've already assured the right to put you in prison for dissenting with the government on policy and you have little to no recourse. Now it's this.
You loved this during covid, you'll love this now, "or else". Signed, your local nanny state.
You're right. I've been comparing it to 1984 all this time, when in fact it literally is 1984 just with modern technology. It's interesting how the story 1984 strikes a chord in many people, but something like Chat Control just seems normal. I guess having a camera in your house feels more invasive on a visceral level, despite the fact that we're now putting our whole lives on our phones and online services.
This is a terrible article about what sounds like a legitimate problem. Even in the section, "What is Chat Control?", the answer to the question is buried in the middle of the seventh paragraph.
If the writer of this post wants people to oppose it, they really should do a better job of explaining at the very top what "it" is.
I think you're being hyperbolic. It wasn't terrible, but I do agree, I had to dig for "What is Chat Control". It read to me like a panicked person, repeatedly saying, "You've gotta hear this..." over and over, before getting to the point.
Would chat control also force open source software to put in backdoors? Like if users run their own little servers somewhere, and those load websites, or they sideload apps to the app store (thanks to EU hehe).
I'd personally like to have a FOSS, privacy-aware CSAM (or even generic gore/porn) detector I could plug into Matrix/Lemmy/Mastodon servers. something self-hostable, so I could run those services without worrying about pedos and trolls ruining my platform.
I'm not sure if something like it exists. I'm not sure if it could exist. PhotoDNA (the old CSAM detector) ended up being somewhat reversible, so that you could actually turn signatures back into obscene material. because of this, the signature databases were shared under strict NDA, only to large players.
probably the most realistic solution is a generic porn classifier convnet. if it blocks adult porn, it should block CSAM too (hopefully?)
they are not reliant on image hashes, and reversibility concerns apply less because the dataset used to train it was presumably legal (if distasteful.)
Sometimes I think if this stuff ever got really bad, abandoning smart phones altogether wouldn’t be so bad.
I’m already taking most photos with a dedicated digital camera and they are so much better than phone captured images. I hate social media these days and am waiting to give myself a reason to delete all the apps and my accounts entirely. The internet is a shithole, most my search is done through LLMs and my interaction with people is through comment sections. I have no interest in being in group chats, I’d rather meet up with people in person and socialize that way.
It’s not the end of the world if smartphones just become a convenient way for governments to track you, there is totally a different way to live without them, and maybe it’s simple and beautiful.
If you really have a serious use case for peer to peer end to end encryption, you should be using something like Meshtastic.
The only long term solution for this is for people to use more different platforms. Communities should be seeking out new platforms, building their own chat platforms with their own protocols. There is no such thing as a single 'decentralized protocol' - There are incompatible protocols and then there are centralized protocols. When it comes to censorship resistance, incompatibility is a feature. Lack of adoption (unpopularity) is a feature.
If other people around you recognize the name of a chat platform you're using, then it's not decentralized and it's almost certainly monitored.
I fear we're long past the point of no return. We are exactly one 'policy update' away from not being able to install non-compliant messengers on our phones. Sure, there are still some devices that will let you unlock the bootloader and you can still sideload unverified apps, but let's be honest, most people today barely manage to install an app from the store. If installing a decentralized messenger is more involved than that, 99% of people aren't going to do it.
those platforms will be banned. this will doom Signal, the fediverse, and countless smaller platforms. anything that isn't compatible will become illegal.
As many, many critics have pointed out, the EU claiming to defend human rights, protect free speech, and respect personal privacy, is demonstrably nothing more than a fictional moral high ground.
Russia and China are in your face and obvious about where they stand, and don't mind being a boolean of true. The EU just prefers some subtlety with more politically correct and polite wording, and prefers a float of 0.92.
Part of me almost prefers the Singapore model. Clear rules, even harsh rules, but near-total do-whatever-you-want if it's not on the list. None of this gray-area nonsense. Uncertainty is a form of oppression, and the US/EU are masters in that regard.
I think the issue is that the EU believes to do these things above corruption. In a sense, if you think you are upholding human rights, free speech, and personal privacy, you don't think it is required to offer people ways to hide from the government.
The government thinks the rule of law itself is good enough. Even if they are aware of your speech and it criticizes or shocks or whatever the currently elected, they believe nothing could be done against you because the rule of law would protect your right to do so.
Therefore they assume if you have to be secret about it, you must be doing something illegal, otherwise they don't see why you would worry about the government being able to know you are doing it, since they could not do anything against you.
Here for example, they assume that it would only be used to catch and prevent CSAM, which is illegal. But that it would never be abused to prevent legitimate legal free speech, or that it would be done in a way that your privacy is respected because the rule of law won't allow other use of "snooping", etc.
And to be honest, I don't know if they are completely wrong or right. It's a different perspective, one that relates to "gun control" as well.
In the US, people have zero trust of government, and feel like at any point they need to be armed and have the means to hide, escape, and rebel against it. That means secure communication channels, bearing arms, etc.
In the EU, generally people assume that the systems in place will protect the institutions and uphold the rule of law, constitutions, democratic freedoms, etc. And people trust the system in place, so they don't see why individual citizens should be allowed to have weapons, places to hide, etc., and see that more in practice as something that enables crime.
Generally, the counter argument to the American stance is that the power imbalance is too big anyways, it's the system that must be protected and needs to be trusted, if the system becomes corrupt, no amount of civilian weapon and hiding places could match the power the state has, so it's a futile attempt that just ends up benefiting criminals.
The problem with that framework is that even if you believe the EU Governments are the "good guys", it's not going to be just them who get access to the data.
It opens it up potentially to anyone with the means to infiltrate these systems - rogue employees of the companies running the messaging and cloud services, cyber criminals who will be able to hack into them, foreign states who will be able to hack it (we very recently saw this how China had infiltrated CALEA backdoors into telephone systems around the world for many years).
Which of course is part of the reason that companies are so on-board with end to end encryption in the first place - being able to ensure that rogue employees can't access customer's private messages and files, and that if cyber criminals hack in and infiltrate data that there are no encryption keys accessible is a huge benefit to them - but the moment you try to open it up to "lawful intercept" you open it up to all the unlawful intercept too...
Realistically the EU only cares about protecting their citizens from private companies, and especially American ones. When it comes to government overreach they know virtually no bounds.
Then the US on the other hand does decently protect its citizens from the government itself (well, this recent year/administration notwithstanding), only because the US government knows full well they can just turn around and grab all the data they want from the private American companies they don't regulate at all.
Even without Chat Control, I still self-censor even in private communications. The majority of people you chat with show complete disregard for your privacy. They piss on it. There are very basic requirements that a minuscule amount of people follow, like: full-disk encryption, using a password manager, being aware of your rights to protect yourself against searches, having good computer hygiene and competency. The level of incompetency and ignorance when it comes to privacy & security makes me deeply angry and frustrated to a level that brings me to nihilism and misanthropy.
"People showing disregard for your privacy" is a matter of scale when going from analog to digital, it's at least not inconsistent.
e.g. If you engage in private spoken conversation, most people are not going to treat your conversation as if it's privileged, avoiding any mention of it in casual conversation, and refusing to divulge any details to law enforcement.
Yeah, bullshit. "Tell us this thing or you are going to jail. Might have a trial in a week or a month."
I promise you you aren't the main character in your friends' lives and they will absolutely give up information on you to save their career and their family.
Even in places with generally strong protection against state search you have almost no privacy if someone drags you into civil court. Not only can state opponents attack you there including through pretextual claims, but you're also open to attack by numerous non-governmental entities.
Online/electronic privacy advocacy is in my view overly fixated on direct state invasions via law enforcement powers and corporate surveillance through ad data, while largely ignoring threats via hacking or civil litigation.
The best policy is to not record things that shouldn't be made public. The next best step is to not retain recorded things longer than needed. Modern software/operating systems largely make either of those steps quite difficult, leaking tons of data with every use, making it impossible to reliably delete material, etc. But nothing less is effective against the full spectrum of threats, not even strong encryption. (but obviously strong encryption is good and critical for what you do record and retain!)
> making it impossible to reliably delete material
That said, SSDs have improved the situation a lot with TRIM. While previously deleting a file wouldn't actually destroy any data until it was overwritten. With TRIM in most cases for files more than a few KB almost all the data will be physically destroyed soon after TRIM is called. It depends on settings. But that's commonly either immediately, or about once a day (the default on Android).
If you read the forensics literature TRIM has caused them enormous problems by radically reducing the amount of data available.
I wonder why there has been such silence on this, with the exception of a handful of well written blog posts. The scope of such a dragnet, the economic impact, the societal damage, all seems rather broad. Yet why don't any major operators in the EU take a stance? Is it really so below the radar, or being kept so below the radar?
Just the network egress costs to whatever state sanctioned scanner gets built will in aggregate probably exceed a few hundred MEUR yearly.
Yes, I would think that if there were any real journalism left, they would be all over this. For the sake of their profession, and the protection of their sources.
But I don't think mainstream journalism points out computer nonsense because they're so intertwined with it all.
I mean, "we have a surveillance state" first points to "advertising" which is their revenue stream.
To give a simple example: imagine a script that constantly dumps /dev/urandom into JPG-like files nonstop onto a 16 TB disk, then repeats. I've seen enterprise systems that aren't so dissimilar. If indeed the EU commission wants all files scanned, then will Hetzner need to spy on all of their machines at least enough to check for compliance? I'm guessing their board members think it can't possibly be so dumb, or stand to gain handsomely and privately.
Another one: it's holiday season, a clever time to get things through.
Another one: most EU parties stand for it, even my usual go-tos, namely Greens, S&D, and The Left.
Complicated or costly regulation is a regressive tax -- it affects smaller companies a lot more than larger ones and tends to prevent new entrants to a market.
And that's before even accounting for the lives to be destroyed by a blurry photo of a tree being classified as abuse material.
Age restriction laws don't stop underage folks from doing anything, they just increase the market demand for VPNs, and improve VPNs so they get less easily detected. The net result is that platforms can't use IP addresses to meaningfully infer anything about their users.
Same with this. This legislation will create a demand for private encryption tech that isn't part of the platform. Someone is going to provide that and make money, and in the process may remove the demand for the platform in the first place.
I get the logic you're talking about, and agree that they must be thinking this, but it's very short-sighted.
What we need is for legislatures to pass "NO Chat Control" and "NO KOSA" bills that specifically block this behavior, but unsurprisingly governments don't seem to be too keen about limiting their own rights, only those of their citizens.
Pass your 'no KOSA' law. And then when they want KOSA, they just pass KOSA with a sentence that says this KOSA law supersedes prior 'No KOSA' laws.
You need to limit their power to do that and the only way is constitutionally.
It might be interesting to go the other way: Get it put into the constitution of a major country that these kinds of backdoors are banned world-wide and you can't do business in that country if any part of your enterprise implements them anywhere else.
To begin with this would make it harder to pass laws like this in other places -- domestic companies with international operations would put up stronger opposition because it would compromise their ability to do business elsewhere, and legislators might actually be concerned about that. And then on top of that it would force the companies to choose which subset of the world they want to operate in, allowing people in oppressive countries to pick up uncompromised devices from the places where compromised devices are banned.
The EU does not seem to have such a simple and ironclad norm.
For reference, the EU does have an equivalent norm: https://fra.europa.eu/en/eu-charter/article/7-respect-privat...
In comparison to the US constitution, EU "norms" might as well be toilet paper. For example, they have some notion of "free expression" which sounds like free speech but is defined to be so weak as to be useless. The European public broadly does not seem to care, they certainly aren't willing to kill for their rights.
Leaving aside everything else wrong with it: in the absence of due process, that can happen to citizens too.
Make a law that says companies have to protect the data of their citizens without the possibility of any intentional backdoor, perhaps. Make a law that says companies can't require people to dox themselves with ID scans simply to use a publicly available internet platform that provides no services in the physical world. Make a law that says OS developers can't create client-side scanning services that upload results off-device without revocable user consent.
Trust only software and systems you control and even then, approach with a hefty amount of side-eye.
While it sounds accurate that maybe 1-2% of the population watches it live, it is also the most highly rated and influencing "news" outlet in the US. Their reach is far deeper than 1-2%. It gets retweeted, talked about, and trickles down. It sure seems like at least 1/3rd of the population has a FOX brainworm infection. I've seen it on 24/7 in hotels and some sport bars or restaurants too.
All the main news outlets totalling less than 9 million viewers? That's not compelling at all.
My understanding is that Nielsen does track what people encounter at hotels etc. (though only recently), so that should be included (?)
Except that it's the opposite. The Dakotas are over-represented in the electoral college but getting them from 60% Republican to even 99% Republican wouldn't gain them a single electoral college vote. Meanwhile states like Michigan and Ohio where changing minds could change outcomes are under-represented in terms of electoral college votes.
But the vote allocations are the least impactful part of the electoral college. If you got rid of the +2 electoral college votes for each state independent of its population, votes in Arizona would still matter more than California. The primary thing the electoral college does isn't to give red states slightly more power than blue states, it's to give swing states dramatically more power than safe states.
There's a bit more to it than the +2 electoral votes from the senate, because even within the House the representations are skewed due to the strange decision to cap the size of the House at 435 seats while guaranteeing each state at least one seat. Thus California has 52 times as many reps as Wyoming although its population is about 67 times greater.
> The primary thing the electoral college does isn't to give red states slightly more power than blue states, it's to give swing states dramatically more power than safe states.
Strictly speaking this too could be changed to some extent without changing the electoral college itself, namely by states switching to allocate their electoral votes in proportion to the popular vote, instead of winner-take all. That is entirely possible now and two states already do it, but it has minimal effect because those states are tiny. But if, for instance, you could win 20 EVs in CA by winning ~40% of the popular vote, you can bet that some campaign dollars would shift to CA from, say, Ohio, because Ohio doesn't even have a total of 20 EVs. You could win more EVs in California while losing the election than you could by winning in Ohio! But most states will not do this because usually the party that wins all the EVs is also the party that controls the state government, and they don't want to give away half their EVs to the other party.
But even so, the commission does whatever it wants anyway, they are complete autocrats when it comes to law proposal, it's up to the parliament and the courts to do something about it afterwards. And they should given that it's unconstitutional in many EU countries and incompatible with GDPR as it currently exists.
there are multiple ways to make EU law, there are regulations (that apply directly) and directives that member states need to implement (basically ratify)
the Commission proposed something and then the Council votes on it and then there's the EP which votes on it
this one is a regulation proposal
https://en.m.wikipedia.org/wiki/Regulation_to_Prevent_and_Co...
the treaties have some areas that are under "Special legislative procedures" where the EP cannot propose amendments, but still has consent power, but in some cases like internal market exemptions and competition law only consultation right
https://www.consilium.europa.eu/en/council-eu/decision-makin...
It's something a Nazi regime would implement today had it existed.
There is no one in the EU that would tell those people are you fkin insane and give them a sack?
It’s surprising how quickly you have forgotten CISPA, EARN IT, etc - which were much more invasive proposals than chat control (slurping of all data of everyone, not just client side scanning for csam).
Of course, now you just cram unrelated shit into “big beautiful bills”, speed it through with minimal oversight using loopholes, and hope no one will notice. Has no one told you how fkin insane that is?
The EC can’t pass anything.
Unlike the president the EU commission are unelected and the commission is the only branch of government which can propose laws, however they can't force anything through in the same way the US president can with an executive order (it must go through parliament).
I guess it's good/bad, but in different ways to the US. It's bad in the sense EU citizens can't elect the people proposing their laws, but it's good in the sense that the commission can't just force things through without approval from the parliament which consists of MEPs which Europeans elect.
As far as I'm aware the courts function in more or less the same way. Here in the UK parliament is sovereign and therefore can overrule any court decision with new law. This isn't true for the EU and I believe it also isn't true in the US.
The EU is founded on the pooled sovereignty of the member states (unlike in the US, where the reverse is the case). The Council represents those member states (each has a seat), and so holds this pooled sovereignty.
In the end, these organisations want to slice and dice private conversations. It will be a goldmine for AI training and hence the push and silence.
This is all corrupt.
[0] https://www.theatlantic.com/technology/archive/2018/08/the-a...
If you give away something for nothing, that usually means you're a sucker. But it takes a real genius to justify giving everything away for nothing.
If online privacy was that impossible Ukraine couldn't successfully organize sabotage operations in Russia. They do it all the time.
That's also just one of many operations inside Russia. There's lots of sabotage and assassinations that have been done.
You just can't do operations like that without secure communications.
Some combination of cowardice, conflict of interest, and fear of ICE.
How? If they're end-to-end encrypted, they really can't be monitored unless there's a flaw in the encryption system. Don't trust messages to systems that aren't auditable.
Yes, it is that fascist.
We need end-to-end encryption on phones to have reasonably convenient privacy. We can definitely lose that, and open source software won't help.
Worse, once phones are locked down desktops and laptops can be locked down as well.
No you will not have freedom to choose how to use your own property.
this is happening now on most* services.
* ok, not every single one.
This is buried too far down the page, which is written quite poorly. A lot of meandering and jumping to a CTA and a bunch of anxiety and fear before even stating concretely what it even is. Even the section called “What is Chat Control?” takes five paragraphs before it tells you what it is.
The page talks about wearing people down, but these kinds of pages wear me down too. I want sober, calm presentation of a problem, why I should care, and what to do about it. I have enough frenetic sky is falling anxiety in my life already!
The 'Unofficial' boss of European Union is Germany. If Germany will vote against it, more countries will back off and it won't pass. If Germany wants ChatControl, it's over. It will pass and all other undecided countries will support it.
Thankfully, Germany (so far) is against it.
I disagree with this sentence. The unofficial bosses are both Germany and France. Which is also the reason why the people in the richer EU countries will suffer economically when the upcoming bailout for France /will/ happen.
While it's certainly possible it'll happen, it's far from certain. It can be stopped. Of all the currently 'undecided' countries, if just Germany came out against it, that'd be enough to sink it. Germans are pretty pro-privacy people, and the government would win no popularity by supporting it. Even if the German government supported it though, the German MEPs would likely still end up mostly voting no.
Even if that is true—which you don’t know, because you cannot predict the future—later is definitely better than sooner. Later is worth fighting for.
Your defeatist attitude is exactly what these bad actors want, you’re playing right into their hands. Thankfully not everyone thinks like you, or Chat Control would have passed first time and no positive change would have been enacted ever about anything.
You have a tough challenge to convince me it’s anything other than a mundane device to give some groups an information advantage over others in their own society, for the unfair pursuit of political and economic advantage.
[1] https://www.bloomberg.com/features/2018-palantir-peter-thiel...
[2] https://www.newyorker.com/magazine/2010/09/20/the-face-of-fa....
fuck this attitude with a rake
There are also examples where the people have been charged for retweeting opinions or sharing lyrics which are considered grossly offensive. Although I suppose in these cases you could at least argue something is being expressed.
Could they still arrest you?
> In its decision, the court reasoned that his prayer amounted to “disapproval of abortion” because at one point his head was seen slightly bowed and his hands were clasped.
I'm all for women's rights, but that's not how to do it
> During the case, brought by BCP Council, the court heard Smith-Connor had emailed the council the day before to inform it about his silent vigil, as he had done on previous occasions.
> On the day, he was asked to leave the area by a community officer who spoke to him for an hour and 40 minutes - but he refused.
- https://www.bbc.com/news/articles/c4g9kp7r00vo
So he told the council he was going to have a silent vigil against abortion, and then it had to take place within the buffer area to protect women from anti-abortion activism.
He was totally free to walk a few yards away and do whatever he wanted, but he refused.
Sounds like he wanted to stir the pot to preserve the right to menace women seeking medical care.
Freedom of speech and banning vigils/demonstration is a different debate that we already have all the time...
Do they think they're above it? Are they stupid and don't know what they vote for?
I do not understand.
They're somewhat out of touch with tech, and caught up in police narratives around encrypted apps blocking their attempts to find pedos. Tech firm lobbyists sell them some lies about the capabilities of these systems.
Ultimately these are politicians stuck in the notion of "but the police can open your [physical] letters, this isn't any different" completely unaware of how times have moved on.
Matters like how people are already being harassed by CSAM being sent to their DMs, how people raid discord servers and try to have them taken down by spamming CSAM, etc, are completely lost on these politicians.
On top of that it's just cowardice. Not daring to be seen as "aiding pedos".
[0] https://www.patrick-breyer.de/en/posts/chat-control/
Yes, the lawmakers literally exempt themselves from this law in this law.
Are you going to be the "pedo" that is against protecting the children and catching predators?
I know it's disingenuous but these laws are crafted with that in mind.
People that might take a real chance in challenging this are weeded out long before they get to these positions.
This is already happening. This is not about that.
This needs to be a South Park episode if it isn’t already.
How hard is it to disable the state spyware on a phone you buy there?
Can you buy a phone from outside China, put in a Chinese SIM card, and do everything over a VPN? Or will they shut down your connection?
Of course there are mechanisms to defeat privacy-invading software (and hardware), but the point is that most ordinary people don't want to. Most ordinary people actually want to hang out on the same social networks that all their friends and family are on, they want to watch the same TV shows, they want to be able to easily make payments at their local restaurants and the grocery store, they want to be able to use public transport etc etc.
When forced to choose, it turns out that convenience beats privacy for almost everyone.
I'm well aware of the tendency of societies to accept convenience over privacy, of the underlying risk of surveillance at scale and of the stripping of privacy from off-the-shelf applications that users are unlikely to abandon.
You seem to be assuming I was making a case that people will just get around these invasions of privacy en masse, and I'm not making any such case. Nor were my questions designed to undermine the original article or to dismiss the harms or the totalitarian nature of these laws.
More difficult privacy means less privacy for everyone, and it means no privacy for the bulk of the population. I agree.
So I don't need a lecture in how my questions misalign with the absolute need to preserve encryption. My questions are geared toward understanding what individuals can do in a society which has already turned completely into a panopticon. And I don't think it's useless to ask those questions, nor to educate people in how to protect themselves in such a situation, even if the task seems hopeless on a mass scale. Such a situation appears increasingly inevitable in the West, and I think it's valuable to take whatever lessons we can from societies that are already further down this road. My family fled a totalitarian dictatorship long before such powerful surveillance technologies could even be imagined. I think knowing how people cope with and attempt to preserve a modicum of privacy under the present conditions in modern dictatorships is instructive in preparing at least some part of our population for it.
The answer you seem to be looking for is that in China, just like in every other country, there are devices that exist which do not come with a state spyware component that is constantly transmitting everything to the authorities. Some devices are locally manufactured, others are imported, some are regulated, others are not, and people communicate using those devices and others, across all forms of media, including face-to-face.
To elaborate: China isn't a totalitarian hellscape where everyone has a gun pointed at their head and they're all forced to use the same, identical, CCP-branded phone or else face execution. It's a huge, diverse country filled with millions of hackers and entrepreneurs, people with different interests, people with different means. There are countless devices and app stores and popular trends. Regulations are often unclear and are enforced differently in different regions and by different layers of the bureaucracy. Not everybody's threat model is the same. Just as in the west, people find ways to communicate that meet their comfort level - sometimes that's through systems monitored by the authorities, other times not. There's no one special technology or technique.
The main difference in China is that citizens can be disappeared without much recourse because the legal system is opaque and there is no free press or democratic process to hold the government to account. But that's not the case in most of the EU. There is certainly democratic backsliding happening in parts of the EU, but that's a separate discussion.
So it's not a case that convenience beats privacy, AFAICT they're largely in favour of giving up that privacy anyway.
It’s completely fucking trivial, there are a gazillion services and a number of well supported v2ray/ss/etc. capable VPN apps. SIM has nothing to do with VPNs after all (except in the DPI sense but various protocols already bypass that).
Are you referring to something specific? Or you are just guessing?
Other restrictions are tied to the account which are based on the region of the Apple account, so any phone with a Chinese account will have various restrictions.
From that section:
> "In 2021, the EU approved a derogation to the ePrivacy Directive to allow communication service providers to scan all exchanged messages to detect child sexual abuse material (CSAM). Although this first derogation was not mandatory, some policymakers kept pushing with new propositions.
> A year later, a new regulation (CSAR) was proposed by the European Commissioner for Home Affairs to make scanning messages for CSAM mandatory for all EU countries, and also allow them to break end-to-end encryption. In 2023, the UK passed a similar legislation called the Online Safety Act. These types of messaging mass scanning regulations have been called by critics Chat Control."
the article also explicitly says it affects non-Europeans. I’m interested! I just can’t figure out what it is
> The most recent proposal for Chat Control comes from the EU Council Danish presidency pushing for the regulation misleadingly called the Child Sexual Abuse Regulation (CSAR). Despite its seemingly caring name, this regulation will not help fight child abuse, and will even likely worsen it, impacting negatively what is already being done to fight child abuse (more on this in the next section).
> The CSAR proposal (Chat Control) could be implemented as early as next month, if we do not stop it. Chat Control would make it mandatory for all service providers (text messaging, email, social media, cloud storage, hosting services, etc.) to scan all communications and all files (including end-to-end encrypted ones), in order to supposedly detect whatever the government deems "abusive material."
> Chat Control would make it mandatory for all service providers (text messaging, email, social media, cloud storage, hosting services, etc.) to scan all communications and all files (including end-to-end encrypted ones), in order to supposedly detect whatever the government deems "abusive material."
thanks!
Clearly defining the term and its intended meaning would do well, I think.
How the hang are they planning to do that?
I mean, if someone has an end to end encrypted conversation, it's encrypted when it gets to the carrier, and the carrier shouldn't (technically, not anything related about whether they are allowed to or not) be able to decrypt the conversation.
If the carrier is terminating the connection, then it's either not end to end encrypted, or it's broken.
edit: sorted the grammar/punctuation at the end to improve clarity
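The distinction drawn in the comment above, as an added illustration that is not part of the original thread: a relay that only forwards ciphertext cannot read an end-to-end encrypted message, while a carrier that terminates the encryption sees the plaintext. The cipher is a stdlib-only toy (HMAC-SHA256 keystream with encrypt-then-MAC), keys are assumed to be agreed out of band, and every name here is hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(k_enc, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt then MAC. Output layout: nonce || ciphertext || tag."""
    k_enc, k_mac = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(k_enc, nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(k_mac, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; raise ValueError on a wrong key or altered bytes."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    k_enc, k_mac = _subkeys(key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(k_enc, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


class Relay:
    """The carrier: forwards bytes and records any plaintext it can recover."""

    def __init__(self, keys_held):
        self.keys_held = list(keys_held)
        self.readable = []

    def inspect(self, blob: bytes) -> bool:
        for key in self.keys_held:
            try:
                self.readable.append(open_sealed(key, blob))
                return True
            except ValueError:
                continue
        return False


def end_to_end(message: bytes):
    """Only the two endpoints hold the key; the relay holds an unrelated one."""
    k_endpoints = secrets.token_bytes(32)
    relay = Relay([secrets.token_bytes(32)])
    blob = seal(k_endpoints, message)
    relay.inspect(blob)                      # fails: relay lacks k_endpoints
    return open_sealed(k_endpoints, blob), relay.readable


def carrier_terminated(message: bytes):
    """Each hop is encrypted, but the carrier decrypts and re-encrypts."""
    k_sender_relay = secrets.token_bytes(32)
    k_relay_recipient = secrets.token_bytes(32)
    relay = Relay([k_sender_relay])
    relay.inspect(seal(k_sender_relay, message))   # succeeds: plaintext exposed
    forwarded = seal(k_relay_recipient, relay.readable[-1])
    return open_sealed(k_relay_recipient, forwarded), relay.readable


def tamper_detected(message: bytes) -> bool:
    """A relay that flips one bit in transit is caught by the recipient."""
    key = secrets.token_bytes(32)
    blob = bytearray(seal(key, message))
    blob[NONCE_LEN] ^= 0x01
    try:
        open_sealed(key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = b"constructed sample message"
    print("end-to-end, relay could read:", end_to_end(sample)[1])
    print("carrier-terminated, relay could read:", carrier_terminated(sample)[1])
    print("in-transit modification detected:", tamper_detected(sample))
```

In the end-to-end case the plaintext exists only where `seal` and `open_sealed` are called, which is why scanning such traffic has to run on an endpoint rather than at the carrier.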
So then what? They start outlawing encryption altogether? knowledge of math? How would you claw back all the public and freely available software that people can already use to encrypt messages to each other?
This is the direction places like the UK have gone in, yes. Can't decrypt something? Then we assume it is illegal content.
The whole point of this technique is that with sufficiently low information density the data is not recoverable unless you know what you're looking for, because it's indistinguishable from noise.
https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...
"It's just math, you can't ban it" has never been true.
This had never occurred to me before but is totally obvious in hindsight. An interesting corollary is that, given an infinite natural number space, all programs that have ever and will ever exist can be found as a single point on this natural number plane. The larger the number, the more complex the program. What else is emergent from this property?
https://en.wikipedia.org/wiki/The_Library_of_Babel
https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...
The next step is to control your mind.
Democracy is being served. People want this stuff. HN people maybe not, but let's not pretend we represent anything but a noisy minority. It's entirely democratic AFAICT, "think of the children" and "think of the terrorists" won the argument some time ago.
Free speech is not held as an absolute in many countries as it is in the US, and never has been. It is in a bad state in some places (the UK seems to be performing poorly on this measure) but a lot of places feel the right to spew whatever toxic lies spring to mind without consequences might not be entirely healthy either.
Justice? I think justice is performed better in many European nations than most of the rest of the world.
And freedom... lots of people like to claim the US is the most free place on earth, but it's really not clear that's true. There are freedoms in other countries not enjoyed in the US. Here in Australia for example, I am free to collect the rainwater and filter it for my drinking-water supply, something that's not true in every state.
Is this an authoritarian move that ought to be spoken against by those who know and care? Absolutely. Does it mean that there's no more democracy in Europe? No, that's a little ridiculous.
They do this using warrants. And subpoena.
We need a personal declaration of rights that says private systems are not in any way obligated to extend the reach of govt surveillance networks, without the consent of the private party.
It is a small protective measure. The next step will be for govt to bully everyone to give consent to their surveillance systems … or else.
But as of right now, the law is arbitrarily taking for granted that private surveillance systems belong to govt regulations.
especially technology
especially information technology
politicians are selected for being people-oriented therefore most are hopelessly underinformed
and it's very very very easy to get caught up in ideologies
and then means to an end seems like business as usual
https://en.wikipedia.org/wiki/Samizdat
Could it be that this is a last-ditch attempt to presumably stop a civil war that seems to be brewing by predominantly Muslim vs European populations?
If this isn't a sign that the integration and the multicultural experiment has failed completely in Europe then I don't know what. A free democratic society that is peaceful would never need wide surveillance net like this.
It seems that none of the HN comments touch on the internal demographic tensions that have been going on for quite some time. Western Europe and Scandinavia remind me very much of Lebanon before civil war broke out between the Muslims and Christians.
As long as you know when you're being used by their fake services.
Disclaimer that I actually don't know what the full extent this chat control law is asking for, except for the fact that it will deeply compromise encryption
then what? you decrypt the answer and send it back to them? promise that you totally didn't change the answer?
FHE is the wrong tool for the job. you'd want verifiable computation (e.g. ni-ZKP) instead. both are too complex and faaar too computationally expensive for actual use.
> Apple, for instance, already solved this with NeuralHash
"Solved"
That's it.
It means that the government asserts the right to bug all your conversations. They've already assured the right to put you in prison for dissenting with the government on policy and you have little to no recourse. Now it's this.
You loved this during covid, you'll love this now, "or else". Signed, your local nanny state.
https://en.wikipedia.org/wiki/Regulation_to_Prevent_and_Comb...
EU's latest attempt to squash privacy rights.
If the writer of this post wants people to oppose it, they really should do a better job of explaining at the very top what "it" is.
I'm not sure if something like it exists. I'm not sure if it could exist. PhotoDNA (the old CSAM detector) ended up being somewhat reversible, so that you could actually turn signatures back into obscene material. because of this, the signature databases were shared under strict NDA, only to large players.
probably the most realistic solution is a generic porn classifier convnet. if it blocks adult porn, it should block CSAM too (hopefully?)
they are not reliant on image hashes, and reversibility concerns apply less because the dataset used to train it was presumably legal (if distasteful.)
I’m already taking most photos with a dedicated digital camera and they are so much better than phone captured images. I hate social media these days and am waiting to give myself a reason to delete all the apps and my accounts entirely. The internet is a shithole, most my search is done through LLMs and my interaction with people is through comment sections. I have no interest in being in group chats, I’d rather meet up with people in person and socialize that way.
It’s not the end of the world if smartphones just become a convenient way for governments to track you, there is totally a different way to live without them, and maybe it’s simple and beautiful.
If you really have a serious use case for peer to peer end to end encryption, you should be using something like Meshtastic.
If other people around you recognize the name of a chat platform you're using, then it's not decentralized and it's almost certainly monitored.
Russia and China are in your face and obvious about where they stand, and don't mind being a boolean of true. The EU just prefers some subtlety with more politically correct and polite wording, and prefers a float of 0.92.
Part of me almost prefers the Singapore model. Clear rules, even harsh rules, but near-total do-whatever-you-want if it's not on the list. None of this gray-area nonsense. Uncertainty is a form of oppression, and the US/EU are masters in that regard.
The government thinks the rule of law itself is good enough. Even if they are aware of your speech and it criticizes or shocks or whatever the currently elected, they believe nothing could be done against you because the rule of law would protect your right to do so.
Therefore they assume if you have to be secret about it, you must be doing something illegal, otherwise they don't see why you would worry about the government being able to know you are doing it, since they could not do anything against you.
Here for example, they assume that it would only be used to catch and prevent CSAM, which is illegal. But that it would never be abused to prevent legitimate legal free speech, or that it would be done in a way that your privacy is respected because the rule of law won't allow other use of "snooping", etc.
And to be honest, I don't know if they are completely wrong or right. It's a different perspective, one that relates to "gun control" as well.
In the US, people have zero trust of government, and feel like at any point they need to be armed and have the means to hide, escape, and rebel against it. That means secure communication channels, bearing arms, etc.
In the EU, generally people assume that the systems in place will protect the institutions and uphold the rule of law, constitutions, democratic freedoms, etc. And people trust the system in place, so they don't see why individual citizens should be allowed to have weapons, places to hide, etc., and see that more in practice as something that enables crime.
Generally, the counter argument to the American stance is that the power imbalance is too big anyways, it's the system that must be protected and needs to be trusted, if the system becomes corrupt, no amount of civilian weapon and hiding places could match the power the state has, so it's a futile attempt that just ends up benefiting criminals.
It opens it up potentially to anyone with the means to infiltrate these systems - rogue employees of the companies running the messaging and cloud services, cyber criminals who will be able to hack into them, foreign states who will be able to hack it (we very recently saw how China had infiltrated CALEA backdoors into telephone systems around the world for many years).
Which of course is part of the reason that companies are so on-board with end to end encryption in the first place - being able to ensure that rogue employees can't access customers' private messages and files, and that if cyber criminals hack in and infiltrate data that there are no encryption keys accessible is a huge benefit to them - but the moment you try to open it up to "lawful intercept" you open it up to all the unlawful intercept too...
Then the US on the other hand does decently protect its citizens from the government itself (well, this recent year/administration notwithstanding), only because the US government knows full well they can just turn around and grab all the data they want from the private American companies they don't regulate at all.
Two approaches with the same outcome, absolutely.
e.g. If you engage in private spoken conversation, most people are not going to treat your conversation as if it's privileged, avoiding any mention of it in casual conversation, and refusing to divulge any details to law enforcement.
I promise you you aren't the main character in your friends' lives and they will absolutely give up information on you to save their career and their family.
Online/electronic privacy advocacy is in my view overly fixated on direct state invasions via law enforcement powers and corporate surveillance through ad data, while largely ignoring threats via hacking or civil litigation.
The best policy is to not record things that shouldn't be made public. The next best step is to not retain recorded things longer than needed. Modern software/operating systems largely make either of those steps quite difficult, leaking tons of data with every use, making it impossible to reliably delete material, etc. But nothing less is effective against the full spectrum of threats, not even strong encryption. (but obviously strong encryption is good and critical for what you do record and retain!)
That said, SSDs have improved the situation a lot with TRIM. While previously deleting a file wouldn't actually destroy any data until it was overwritten, with TRIM, in most cases for files more than a few KB, almost all the data will be physically destroyed soon after TRIM is called. It depends on settings. But that's commonly either immediately, or about once a day (the default on Android).
If you read the forensics literature, TRIM has caused them enormous problems by radically reducing the amount of data available.