• Cyclohexane
    92
    2 years ago

    People in Reddit and sometimes here always praise the EU as some bastion of privacy, and I always got downvoted when I said that this isn’t always true. And now here we are. I hope people don’t forget this after a month, like they always do.

    • @[email protected]
      20
      2 years ago

      They will, and you’re screaming into the wind sadly.

      What you can do is never forget and base your voting decisions to include this as a priority going forward. Endorse and support companies that protect privacy.

      It’s a long uphill battle and every little thing can help no matter how small.

        • @[email protected]
          11
          2 years ago

          Yeah, no. What’s likely to happen is that you will remember this, completely miss the memo that the law didn’t pass and then go on spreading misinformation about the EU.

  • UnfortunateShort
    45
    2 years ago

    This is almost definitely not going through the ECJ. If they pass this directive I’m gonna take my chances.

    Thanks to the Matrix protocol there is no chance of getting rid of E2EE communication anyway. There is no feasible way to stop decentralized communication like that, not without killing the internet.

    • @[email protected]
      9
      2 years ago

      Also I would add, it’s not like this is unanimously supported in the EU among member states. So this isn’t a done deal, this is a legislative proposal. Of course everyone should activate and campaign on this, but it’s not like this is a “Privacy activists vs all of EU and all the member state governments” situation. Some official government positions on this one are “this should not pass like it is, breaking the encryption is a bad idea”.

      Wouldn’t be the first time an EU Commission proposal falls. Plus, as you said, the ECJ would most likely rule it as being against the Charter of Rights of European Union as too wide a breach of the right to privacy.

  • @[email protected]
    5
    2 years ago

    Would a way to legally bypass this be an app that can “encrypt” your text before you send it? The government would be able to see all of your messages but it would be scrambled in a way that they couldn’t read it.

    Something where both people would install the same text scrambling app and generate the same key to scramble all text (would need to do in person). They would then type all their text into the app and it would scramble it. The user would then copy the scrambled text and send it over any messaging platform they want. The recipient would need to copy the text and put it back into the scrambling app to descramble it.

  • Norgur
    4
    2 years ago

    Yeah… Because hampering legal encryption will totally hamper all those who just continue to use the methods we have today.

  • bedrooms
    152
    2 years ago

    Terrorists will have no problem writing their own encryption program, and more ordinary citizens will install malicious apps from unofficial app stores.

    • WuTang
      English
      6
      2 years ago

      Ah… terrorist, the magic word. That’s why you can’t have a SIM card which is not tied to your ID or passport in the EU since 2015. Terrorist actions allowing a state entity to throw 4000t of explosives on civilians in a weekend… yep yep…

      More seriously (though I wasn’t totally kidding), your non-tech relatives and friends are all on WhatsApp/Insta/Messenger, good luck moving them.

    • @[email protected]
      42
      2 years ago

      And everyone else will have their shit dumped out in the open when AI starts breaking through all the back doors and manipulating officials into clearing them.

  • @[email protected]
    10
    2 years ago

    I would be wary of this messaging.

    There were a number of other times when it was being reported that the EU was going to do some moustache twirling kind of manoeuvre, and so far it was always deeply misreported - it was going to be the end of privacy but if you read the actual proposal it was actually sensible and not remotely close to what news said about it.

    I haven’t read this proposal yet, but I wouldn’t be surprised if this was the same as always.

    • Nia [she/her]
      17
      2 years ago

      “I have done 0 research on the issue, here is my reasoning on why it is a non-issue.”

      • @[email protected]
        2
        2 years ago

        That’s not what I said. What I said is: until now similar headlines and articles were bullshit, so I’m skeptical of this one too, exercise caution

        • Nia [she/her]
          7
          edit-2
          2 years ago

          I guess that’s fair since most of these tend to be clickbait, but in this case these proposals are genuinely extremely bad, because adding client side scanning to E2E messaging and photos is only one overreaching policy away from being a full backdoor for other purposes in the name of “public safety” since the technology would already be implemented, which would absolutely be the end of private messaging and secure encryption.

          • @[email protected]
            1
            2 years ago

            What is the problem if it’s client side though? Traffic is still not intercepted, communication is still private. Going from here to a full blown backdoor seems a bit far fetched…

            • @[email protected]OP
              5
              edit-2
              2 years ago

              “What’s the problem if the government had one random inspection of your house per year. Nobody entering or leaving your house is getting searched, just the house itself and whatever you store in it. Your house is still private. Nobody else is getting let in, just the government.” They’ll only use this new search power to look for pedophiles. Promise.

              The problem is you have a right to privacy. The government should have to prove a reasonable basis to suspect you of a crime to violate it, and at least in theory that authority is overseen by an independent judiciary. Owning a phone isn’t a reasonable basis to suspect you of a crime and read all your text messages. Privacy and free speech are basic human rights, they are necessary for democracies to function properly and for us to advance as a civilization and share information and ideas and grow.

              • @[email protected]
                1
                2 years ago

                No ok that’s fine but if the check is client side, it happens offline and no data is sent to the servers unless a match is found, your privacy is still yours unless you’re sending CP no?

      • @[email protected]
        4
        2 years ago

        Well, they’ll never be caught in a Google location dragnet and arrested, dontchaknow? That’s all just fake news!! /s

        People like that never think beyond the simplistic view of the moment.

        They don’t believe innocent people have been jailed on bad evidence, or that the government would lie and use this stuff against someone, despite it being in the news almost daily.

    • zephyrvs
      18
      2 years ago

      So you’re completely uninformed and yet chime in with your opinion? The danger is real and this isn’t a reporting issue.

  • TWeaK
    English
    9
    2 years ago

    Although some US corporations such as Meta are already scanning European messages for previously classified CSAM ‚only‘

    This is news to me, does anyone have any more detail?

      • Onii-Chan
        2
        2 years ago

        Fascism, authoritarianism, totalitarian dystopian thinking, it’s all the same to me when it comes to the State overstepping and blatantly looking to pass laws that remove the right to privacy and autonomy from citizens. I’m no leftist ideologue, I skew libertarian right (although I couldn’t describe all the nuance of my views within the context of a simple label), but if there’s one thing we have in common, it’s our hatred of government overreach and corporate control of the masses.

        Fuck authoritarianism. Fuck collectivist bullshit. Never stand for the trampling of your rights.

  • @[email protected]
    8
    2 years ago

    Can this be circumvented somehow? And how would apps with end to end encryption work if a person in a non-EU state spoke to someone inside the EU?

    • hackerman
      16
      2 years ago

      Anything can be circumvented: VPNs, Tor, I2P, and some other more unknown apps like Briar. The issue will become: will using those services become illegal too, and the barrier of entry becoming too high for those outside of the technical world. Signal will definitely just pull support for the EU, so you’ll have to trick it into thinking you’re not in the EU. But now you’re at risk of running afoul of the law.

      • Fox Trenton
        3
        2 years ago

        I’m curious if only particular apps/software is going to be monitored this way? I mean, if I encrypt outside a messaging app like Signal or outside mail, using OTP, OpenPGP, AES-256 or something similar, or using a combination of VPN, Tor and Cryptpad for creating messages, meaning that when the message is entered into the monitored app, it is already encrypted?

        • @[email protected]
          2
          2 years ago

          That’s exactly why a law like this wouldn’t make sense, even if you don’t care about privacy.

          To enforce a ban of encrypted messaging, any software capable of encryption would have to be banned. Next step almost every existing operating system would have to be banned as well.

  • Scott
    English
    54
    2 years ago

    Making it illegal only hampers those that follow the law.

    Criminals, by definition, already don’t follow the law.

    • @[email protected]
      3
      2 years ago

      Thing is, there are a load of people who don’t have the know how, time and/or care to use an alternative. That goes for scum bags sharing child porn, terrorists teaching how to make an easy pipe bomb, journalists reporting on local corruption, people sending flirty sexts to their spouses, activists trying to get a movement going, anti-vax groups, people trying to source dubiously legal and/or ethical drugs/medicines… and so on.

      Banning it in mainstream apps and legal stores makes it harder - and harder to know if you can trust an app (is this niche one I found through pirates-r-us forum really trustworthy) - and easier to spot and target those who use illegal/minority options.

      So I think you would catch and block a load of CSAM, even though obviously not all.

  • @[email protected]
    132
    2 years ago

    I have helped a little with some ongoing research on the subject of client-side-scanning in a European research center. Only some low level stuff, but I possess a solid background in IT security and I can explain a little what the proposition made to the EU is. I am by no means condemning what is proposed here. I myself, based on what experts have explained, am against the whole idea because of the slippery slope it creates for authoritarian government and how easily it can be abused.

    The idea is to use perceptual hashing to create a local or remote database of known abuse material (Basically creating an approximation of already known CP content and hashing it) and then comparing all images accessible to the messaging app against this database by using the same perceptual hashing process on them.

    It’s called Client-Side-Scanning because of the fact that it’s simply circumventing the encryption process. Circumvention in this case means that the process happens outside of the communication protocol, either before or after the images, media, etc, are sent. It does not matter that you use end-to-end encryption if the scanning is happening on your data at rest on your device and not in transit. In this sense it wouldn’t directly have an adverse effect on end-to-end encryption.

    Some of the most obvious issues with this idea, outside of the blatant privacy violation are:

    1. Performance: how big is the database going to get? Do we ever stop including stuff?
    2. Ethical: Who is responsible for including hashes in the database? Once a hash is in there it’s probably impossible to tell what it represents, this can obviously be abused by unscrupulous governments.
    3. Personal: There is heavy social stigma associated with CP and child abuse. Because of how they work, perceptual hashes are going to create false positives. How are these false positives going to be addressed by the authorities? Because when the police come knocking on your door looking for CP, your neighbors might not care or understand that it was a false positive.
    4. False positives: the false positive rate for single hashes is going to stay roughly the same but the bigger the database gets the more false positives there are going to be. This will quickly lead to problems managing false positives.
    5. Authorities: Local Authorities are generally stretched thin and have limited resources. Who is going to deal with the influx of reports coming from this system?

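The matching step and the database-size effect described in the comment above, as an added Python sketch (not part of the original comment, and not the algorithm of any vendor or of the proposal). It assumes a simple difference hash as the perceptual hash, an illustrative 10-bit Hamming threshold, constructed checkerboard images, and unrelated hashes that behave like independent, uniformly random 64-bit values; real image hashes are not uniform, so real rates differ. All function names are hypothetical.

```python
import math
import random

def downscale(img, w=9, h=8):
    """Box-average a grayscale image (rows of 0-255 ints) down to w x h cells."""
    H, W = len(img), len(img[0])
    out = []
    for y in range(h):
        rows = range(y * H // h, (y + 1) * H // h)
        out.append([])
        for x in range(w):
            cols = range(x * W // w, (x + 1) * W // w)
            cell = [img[j][i] for j in rows for i in cols]
            out[-1].append(sum(cell) / len(cell))
    return out

def dhash(img):
    """64-bit difference hash: one bit per pair of horizontally adjacent cells."""
    bits = 0
    for row in downscale(img):
        for a, b in zip(row, row[1:]):
            bits = (bits << 1) | (a > b)
    return bits

def hamming(a, b):
    return bin(a ^ b).count("1")

def scan(img, database, threshold=10):
    """Flag the image if its hash is within `threshold` bits of any database entry."""
    h = dhash(img)
    return any(hamming(h, known) <= threshold for known in database)

def per_hash_fp(threshold=10, bits=64):
    """Chance that one unrelated hash matches one entry (uniform-hash assumption)."""
    return sum(math.comb(bits, k) for k in range(threshold + 1)) / 2 ** bits

def database_fp(n_entries, threshold=10):
    """Chance that one innocent image matches at least one of n_entries hashes."""
    return -math.expm1(n_entries * math.log1p(-per_hash_fp(threshold)))

def checkerboard(hi, lo, noise=0, seed=0):
    """Constructed 72x64 sample image: 8x8-pixel tiles alternating hi/lo."""
    rng = random.Random(seed)
    return [[(hi if (x // 8 + y // 8) % 2 == 0 else lo) + rng.randint(-noise, noise)
             for x in range(72)] for y in range(64)]

ORIGINAL = checkerboard(200, 50)
REENCODED = checkerboard(210, 60, noise=5, seed=1)  # brighter, noisy copy
UNRELATED = checkerboard(50, 200)                   # inverted pattern
DATABASE = [dhash(ORIGINAL)]                        # the "known material" list

if __name__ == "__main__":
    print("copy flagged:", scan(REENCODED, DATABASE))
    print("unrelated flagged:", scan(UNRELATED, DATABASE))
    for n in (10**3, 10**6, 10**8):
        print(f"{n:>11,} entries -> P(false match per image) = {database_fp(n):.4f}")
```

The per-comparison rate stays fixed while the per-image rate climbs with the number of entries, which is the effect point 4 describes; multiply by the number of images scanned per day to see the reporting load raised in point 5.
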
    • @[email protected]
      5
      2 years ago

      I get the concept but this doesn’t really offer any advantages over just not encrypting anything at all. The database being checked against can still just include a hash of something the government doesn’t like and boom you have a complete tool for absolute censoring of everything.

    • @[email protected]
      3
      edit-2
      2 years ago

      Thanks for the explanation. Do you know how they’re planning to implement this client side scanning? Take an iPhone for example— where Apple has already ditched their plans to do the same device-wide. Is it planned for WhatsApp, Signal etc. to be updated to force perpetual scanning of the iPhone’s photo album? Because that can be turned off quite easily at the OS level.

      The only way I could see them doing it is by scanning any image that is selectively chosen to be sent before the actual message itself is sent—i.e. after it’s selected but before the send button is pressed. Otherwise it’s breaking the E2E encryption.

      Is that the plan?

      • @[email protected]
        5
        2 years ago

        Client-Side-Scanning is going to be implemented by the messaging app vendor. This means that it’s limited by OS or Browser sandboxing. Therefore it’s definitely limited to what the messaging app has access to. However, I’m not sure what the actual scope would be, meaning if all accessible images are going to be scanned or only the one being transmitted to someone.

        • @[email protected]
          4
          2 years ago

          What stops you from using a free software client that verifiably doesn’t do so? The mainstream messengers were not safe already anyway.

    • @[email protected]
      33
      2 years ago

      This is a really nice summary of the practical issues surrounding this.

      There is one more that I would like to call out: how does this client scanning code end up running in your phone? i.e. who pushes it there and keeps it up to date (and by consequence the database).

      I can think of a few options:

      1. The messaging app owner includes this as part of their code, and for every msg/image/etc checks before send (/receive?)
      2. The phone OS vendor puts it there, bakes it as part of the image store/retrieval API - in a sense it works more on your gallery than your messaging app
      3. The phone vendor puts it there, just like they already do for their branded apps.
      4. Your mobile operator puts it there, just like they already do for their stuff

      Each of these has its own problems/challenges. How to compel them to insert this (ahem “backdoor”), and the different risks with each of them.

      • @[email protected]
        20
        2 years ago

        Another problem: legislation like this cements the status quo. It’s easy enough for large incumbents to add features like this, but to a handful of programmers trying to launch an app from their garage, this adds another hurdle into the process. Remember: Signal and Telegram are only about a decade old, we’ve seen new (and better) apps launch recently. Is that going to stop?

        It’s easy to say “this is just a simple hash lookup, it’s not that big a deal!”, but (1) it opens the door to client-side requirements in legislation, it’s unlikely to stop here, (2) if other countries follow suit, devs will need to implement a bunch of geo-dependant (?) lookups, and (3) someone is going to have to monitor compliance, and make sure images are actually being verified–which also opens small companies up to difficult legal actions. How do you prove your client is complying? How can you monitor to make sure it’s working without violating user privacy?

        Also: doesn’t this close the door on open software? How can you allow users to install open source message apps, or (if the lookup is OS-level) Linux or a free version of Android that they’re able to build themselves? If they can, what’s to stop pedophiles from just doing that–and disabling the checks?

        If you don’t ban user-modifiable software on phones, you’ve just added an extra hurdle for creeps: they just need to install a new version. If you do, you’ve handed total control of phones to corporations, and especially big established corporations.

      • @[email protected]
        6
        2 years ago

        I’m deeply against this ridiculous proposal.

        But scanning of messages already happens, tbf, for spell checking, emoji replacement, links to known infectious sites.

        Photo copiers do client side scanning to prevent copying of money.

        There are precedents.

        I hate this proposal. But let’s be straight about the facts: The phone has full access to everything you send and receive already. This isn’t the same as having an encryption back door.

        • possibly a catB
          7
          2 years ago

          There are precedents, but we can forego these if we want. I don’t have to use Google’s keyboard. I can even degoogle my phone with Graphene OS. Some black boxes remain of course but they are small and relatively secure. Meanwhile a client-side scanner is adding an unavoidable increase to the attack surface. That’s a weakened security environment. And not just for your cat videos, but for journalists and others dealing with sensitive materials.

          I can’t wait to see how many horrible implementations devs come up with because this feature provides no value for their employers.