74 comments

[ 6.9 ms ] story [ 152 ms ] thread
(comment deleted)
Should the free movement of people outside their houses be curbed to combat child abuse/drug trafficking/burglary
While child abuse and drug trafficking were presumably not concerns, ancient Chinese cities really did implement a curfew for commoners. It was a sign of status to own a house which opened directly onto the street (making you immune to the curfew).
(comment deleted)
to what ends was this implemented? general public peace? or largely a demonstration of biopower, control?

such exercises of dominion over the population sometimes seem like justifiable steps, necessities. but whether such justifications seem or more chiefly remain plausible...

The records of the time suggest that it's just viewed as the correct order of things. It was a long time ago and it came to be unenforceable; we can't really know why it was done.
You forgot terrorism. hmmm, and viruses.
This is worse. This is like curbing door locks to combat burglary.

Like, the cops know there have been burglaries, so now everyone must leave their house open so it can be inspected for stolen goods.

It’s that stupid.

Don't worry: Children are generally considered less important than 80 year olds.
No, I will not think of the children.
Wouldn’t it better to prevent procreation? No children, no child abuse. Cant even hide abuse that doesn’t exist by keeping off the internet with it.

Makes about as much sense as banning encryption to prevent abuse.

So long as deviant minds exist, child abuse will exist. Even if you could perfectly prosecute all transmissions of the resulting artifacts.

OMG what an excellent suggestion! Banning encryption won't stop all child abuse but this totally sensible measure is guaranteed to do just that! You, sir (or madam), are a genius!

The only question in my mind now is whether we should kill all the children out there today or just sterilise everybody.

If we don't kill them, some of them might be abused between now and the time they reach adulthood. So it's pretty obvious to me that for the sake of the children we should kill all the children. It's really the only logical conclusion.

Won't somebody please think of the children! (and kill them)

(comment deleted)
No, but children should have mandatory body cams installed at birth and removed at adulthood. They’re overwhelmingly likely to be abused by family or a close family friend, and permanent body cams would curb child sex abuse.
I hate this issue.

The answer is "yes", but in practice the question isn't that simple.

The use of a technology by criminals should not necessarily mean the technology needs to be curbed.

Insofar as we know criminals are using it, I'd ask "how" - and can we innovate on the law enforcement side without unnecessarily interfering with the lives of civilians?

The answer is “no” and no. And any cases made for yes are in every time I’ve seen it, as short sighted as could be.
(comment deleted)
No, to the contrary, end-to-end encryption is crucial for protecting children.

https://blog.nucypher.com/todays-kids-need-end-to-end-encryp...

This is 100% the argument that pro-encryption people should be making everywhere.

Think of the children. Encrypt their data!

Should encryption be be curbed to combat human trafficking? Murder? Terrorism? Child abuse is a crime like any other, curbing encryption will not stop it, and would probably systemically make other non-emotional issues worse.
You know what, sure. Let's do that.

Let's destroy the entirety of online commerce.

Let's destroy the ability to digitally prove identities of corporations and people.

Let's eliminate the security and integrity of every computer system.

Let's expose every company that uses a network to connect its computers together to hackers.

Let's eliminate every viable form of DRM (actually, I'm kinda OK with that one).

Let's destroy the entire concept of proof of work.

Sure, let's "curb" encryption.

>Let's destroy the entire concept of proof of work.

Some HNers would unironically support that.

Sure, I would. Bitcoin proves that proof of work is unsustainable and uses too much energy.
Pretty sure curbing encryption would break proof of stake as well though.
Crypto-anything, minus crypto, will break. I mean, even the wallets rely on encryption (public/private key encryption, if I understand it correctly).
DRM isn't encryption just obfuscation.
HDCP. An encrypted stream with a pre-shared key, designed to prevent the interception of video and audio streams over HDMI cables.

Even DVDs data streams are encrypted, which is why the release of that magic number (AKA a pre-shared key) is such a big thing.

Even non-PoW cryptocurrencies depend on cryptographic signatures to verify and authorize state transitions on the blockchain (including value transfer). You can't have a public distributed ledger without public-key cryptography.
I'm realizing I should have said "Merkle tree" instead. But, opportunity lost.
(comment deleted)
I spent years campaigning on this issue, and I fundamentally don't think that this broad argument will work against measures that encryption opponents are likely to propose today.

There was certainly a time when governments opposed availability to the general public of transport encryption and VPNs. Some outliers still do, especially the PRC (when the other endpoint is outside the national territory).

But this isn't a mainstream position of governments in liberal democracies today. They generally accept and even promote the use and availability of encryption technology for transport encryption, authentication, and digital signatures. (Some of this may be due to political calculation either in the sense of "it would be too hard to successfully restrict these applications" or "we've decided we think the positives outweigh the negatives".) The remaining campaigns are mostly about device encryption and about end-to-end encryption for messaging.

Government agencies campaigning about those mostly think that app stores and software distribution are centralized enough that they could enforce backdoor/exceptional access rules against a few large technology companies and cover the huge majority of civilian applications. It doesn't feel like they're wrong about that these days, does it?

(Some recent laws which have already been enacted in certain jurisdictions only kick in when a company has a specified number of users in a particular territory. The enforcement mechanism is typically fines or blocking, or in some cases the threat of arrest of local company representatives, who may also be explicitly required to exist.)

I read the article, which mirrors your points. And what I'm seeing is a bunch of politicians who are ignoring reality for politicial points, using their favorite horsemen of the Infosec apocalypse.

Breaking, excuse me, backdooring encryption (including MITM attacks) breaks the trust model which makes our modern devices, communication, and commerce (which fundamentally relies on secure communication between verified parties) work.

> It doesn't feel like they're wrong about that these days, does it?

If you mean they can/should force companies to break encryption - yes, yes they are. Period.

I don't mean they should, but I mean that if they created laws that were only able to be enforced against a few large tech companies -- including in their roles as intermediaries in software distribution -- most people's access to end-to-end messaging encryption and full-device encryption without backdoors would evaporate quickly.

Edit:

> Breaking, excuse me, backdooring encryption (including MITM attacks) breaks the trust model which makes our modern devices, communication, and commerce (which fundamentally relies on secure communication between verified parties) work.

I would very much like this argument to work, but I don't think it does.

First, even with backdoored messenger apps and disk encryption, you can still use HTTPS, and apps can still consume HTTPS APIs.

Second, even with backdoored messenger apps and disk encryption, you can still use digital signatures in electronic payment protocols.

Third, even with backdoored messenger apps and disk encryption, you can probably still use digital signatures to authenticate software releases and updates. (Although there are many governments interested in tampering with this, so it could easily become another battleground -- and one that I hope the governments would find much more politically difficult.)

Most people are already used to having some intermediary (1) possess plaintext of their conversations, and (2) be the authority for them for introducing and confirming contacts. While I think end-to-end encryption represents enormous progress compared to this, I'm not sure there's a political groundswell of support for it when most people don't know what it is and most people don't know if they're using it, or when. (Though I encourage people to continue trying to explain it and make more people care about it more.)

Along with everything I posted in the original comment.

There is no picking and choosing. These idiots, excuse me, politicians, need to understand that.

Sorry, I don't think I understand your argument. Could you try it a different way?

In the 1990s crypto war there were great points to be made that encryption and authentication are technologically dual to each other, that encryption algorithms are simple, and that knowledge of cryptographic techniques can no longer be monopolized by governments. There were also great points to be made that businesses and governments strongly desired modern encryption technology, and that protecting individuals against mass surveillance sounded like a good idea from the vantage point of many different political and ethical theories. So, the 1990s encryption control approach was super-fragile because it was notionally based on controlling access to knowledge (and also the nationalist part about preventing that knowledge from reaching foreigners, or something).

One classic artifact of the old crypto war (you know, when crypto meant "cryptography") is the RSA e-mail signature / t-shirt

http://www.cypherspace.org/rsa/

while another is CipherSaber, the attempt to get people to learn how to implement the RC4 cipher from scratch

http://ciphersaber.gurus.org/

Both of these seem to be based on the shared understanding between the government and privacy activists that knowing how to implement cryptographic primitives is a super-big deal that must either be strictly controlled or made ubiquitous (depending on your view of the moral valence of civilian cryptography).

In the present environment, we have a ton of centralization in software and computing infrastructure and passivity on the part of technology users. Individual governments have already met with tons of success in censoring particular apps from app stores, without purporting to suppress knowledge of how to implement cryptographic software or anything. These app stores have tons of power over most people's experience of technological capabilities. Governments and others are learning to directly influence the exercise of that power, exactly as the free software movement feared throughout the past couple of decades. If a government's model of controlling encryption is to say that apps in app stores must have, or must not have, particular characteristics, then I don't see how those apps are going to remain mainstream, except in a handful of cases where there's a lot of backlash from banning them or blocking a particular product.

Nonetheless, "encryption" as a category of technology itself remains totally mainstream even in, say, China, and is used for tons of information security applications other than really strong confidentiality against the state. You could learn about the RSA algorithm in a computer science class in China, just as you could in the United States. You could even implement the RSA algorithm (or call into a library that implements it) in software development in China. Your difficulties might begin only when you tried to use it as part of an end-to-end encrypted instant messaging protocol in an app that you published in an app store (and mainly if the that app became popular). On the other hand, if you had an HTTPS endpoint for an e-commerce API in China, and you had all of the licenses that the government expected, I don't think the government would have the least bit of objection to that.

Edit: There is one thing that I still think might push in the other direction, which is governments' rivalry with each other. As I've said before, you could have a Brazilian in France using a Korean app to talk to an American in South Africa (and in the present day, you probably do!). No backdoor proposal has made clear which of those states do or don't get to use the backdoor, or how anyone knows, or how a state can ever guarantee that a particular foreign state doesn't use it. ... But on...

What they are wrong about is that backdoors would only be "exceptionally used". It might be that way for a couple of years, then there will be a terrorist attack or a major child abuse scandal, new laws will be passed eroding legal protections, and before you know it any random official will be happily looking into your private conversations.

Think I'm exaggerating? This has already happened in the UK, RIPA bill was passed to "fight terrorism and child abuse" and ended up used by local officials to identify people who let their dog shit on the sidewalk.

https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Po...

> and cover the huge majority of civilian applications

And only a minority of criminal applications.

Only stupid criminals will use compromised applications. Smart criminals will use other methods.

<--- this is what I was going to say.

...Except that I would have added that it's already easy enough to catch the stupid criminals without breaking everybody's encryption...because they're stupid. Good old regular police work of the type that has been around for over a century will catch these people just as effectively.

So you see: The whole "backdooring encryption" thing is useless for its stated purpose.

> "The reality is end-to-end encryption will drastically reduce the amount of CSAM material reported to authorities," Mr Bason tells the BBC. "To me, the trade-off is not worth it."

The software firm created by Brian Bason:

https://www.bark.us/

> Bark's affordable, award-winning dashboard proactively monitors text messages, YouTube, emails, and 30+ different social networks for potential safety concerns, so busy parents can save time and gain peace of mind.

Looks like end-to-end encryption is a direct threat to his business.

(comment deleted)
It’s really baffling how clueless these lawmakers (still) are when it comes to technology… but they just might not care and are just trying to push some new surveillance agenda again…
The majority of child abuse isn't filmed or transmitted. Therefore, if the goal is truly to reduce child abuse, the best law would be to remove front doors and make house walls out of glass. By allowing others to look into your home and listen to your conversations, they can verify that no abuse is occurring, and easily collect evidence when it does occur.

Don't like that idea? Why? It's not like you have anything to hide, right? You're a stand-up, law-abiding citizen. So what does it matter if people can look inside your home and listen to your private conversations?

^ This is the argument I use whenever someone says they think encryption should be ended. I think because digital data isn't physical, and therefore doesn't feel intimate, people's immediate reaction is, "Only criminals who have something to hide would want encryption!" When you add a tangible, physical element to the conversation--a conversation taking place within a house with doors and walls--suddenly people understand why even "harmless" conversations deserve privacy and respect, and why non-criminals would be pro-encryption.

> By allowing others to look into your home and listen to your conversations, they can verify that no abuse is occurring, and easily collect evidence when it does occur.

CPS can do that if they have a warrant.

(comment deleted)
That's a clear strawman. There's a big difference between no privacy at all, and no privacy only in those cases requiring government investigation. There are also restrictions of police investigations by law, requiring warrant, and other stuff that are the real way you're supposed to be protected from the government.

The real problem is that while some western government have rule of law and can be relatively expected to be just, other governments are not, and it's bad setting the precedent of government intervention because many non western governments can't be trusted with it.

It's not like the government and its numberless agencies care about warrants when it comes to violating people's digital privacy. They just take whatever they want and ask questions later. Cryptography is essentially digital self-defense and is absolutely necessary.

If the authorities want data they should have to physically seize the device containing it and hope it's not encrypted.

I think you are wrong.

> There's a big difference between no privacy at all, and no privacy only in those cases requiring government investigation.

if the government gets to decide whenever it feels like if you have (or had) privacy, you have none.

this isn't a case of just vs unjust governments. there is a large extant question of a more fundamental individual right, of whether a human is allowed privacy, or whether their home is expected to be able to tell on them when the man comes & asks it.

there are huge massive reactionary negative afraid forces & fearmongers out there who will use any extremist cases they can get their hands upon to shrill-ly cry that we must do something, that we must protect some vulnerable people or defend against some predator. some are sincere. most are shallow, lying, disinformationing propoganda agents, waging a war of opinions to justify the intrusion & disruption they ulteriorly seek. some are honest at least with themselves about this deception, but others simply let themselves be blown into their extremist beliefs, let their fears take them over.

privacy is not real when it's decided upon ex post facto, at the convenience of the nation. no matter the nation.

> fundamental individual right

Indeed, this is the classic Locke vs. Rousseau argument of whether rights preexist governments, or are just a function of the "general will".

As governments are just aggregations of humans, Rousseau's vaguely super-human view of government seems a pleasant myth when we see the evils of racism repackaged as "Affirmative Action".

you took a general sound basis & used it to project a very specific political qualm. disingenuous lead in & disappointing & sad self serving end.

unlike you, I will say this is just my personal belief: affirmative action is good. we should socially work to afford some egaitarianism & equitability amid systems which favor specific classes.

we ought be promoting the individual positive & negative liberties of all. adjusting systems of power to share some opportunity ought give a wider range of people a chance to participate. being denied a long held privilege of position that others were not usually afforded is not a deprivation & does not infringe upon the denied person's liberty.

No bad idea is laundered by making it policy. 23 chromosome pairs = human. All ideas above that are vulnerable corruption, even the well-intentioned ones.

So, no.

This is not an invalid criticism.

But, on the other hand, I really really like the analogy. It illustrates some of the issues very clearly.

Maybe a slight improvement on the analogy would be to say "install video cameras in every room of your house" rather than "make the walls out of glass".

> There's a big difference between no privacy at all, and no privacy only in those cases requiring government investigation.

This is valid only if we assume a perfect government with no hidden interests, perfect government actors with no personal motive and only for those non citizen-hostile governments, like dictatorships.

Reminder:

> 8.3.4. "How will privacy and anonymity be attacked?"

> like so many other "computer hacker" items, as a tool for the "Four Horsemen": drug-dealers, money-launderers, terrorists, and pedophiles.

* https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalyp...

* https://groups.csail.mit.edu/mac/classes/6.805/articles/cryp...

Yes, it's extremely tiresome seeing people summon those same boogeymen over and over. It's gotten to the point I assume anyone who even mentions those things has an agenda to push.
Should procreation be curbed to combat child abuse?
no, the question doesn't even make sense, these governments are nazis
The state won't blanket ban encryption because it's useful to the operation of companies. The way I see it going down is by asking these questions:

Who will have access to encryption (the privilege of security)?

and

Who gets to decide who has access to encryption?

The state can take away voting rights, gun rights, right to movement, right to serve on a jury, right to public benefits, and the right to parental benefits. Why shouldn't the state also assume it has the ability to decide who has access to the right of security through encryption? If actual momentum builds toward reducing encryption access, expect to see ex-felons being forbade security. Who will object?

They cannot restrict anything unless they end computing freedom first.
They can certainly criminalize encryption for individuals. Criminalization is orthogonal to restriction.
It is important that any discussion that leads with "think of the children" is immediately turned into "Yes, let's think of the children. Here is a four point plan to address poverty, systemic racism, education and opportunity..."

"Oh, but this is free and those things cost billions of pounds!" Actually no, this is not free. This prevents protecting banking. It prevents protecting oil pipelines. The cost of breakable encryption is billions or trillions.

My brother spent several years doing legal aid in the UK, and my mum is on children's panels. There's plenty the government can do to reduce child abuse that doesn't involve encryption, but it chooses not to.

So here we have one group that is looking at a visual evidence of child abuse, and determining that we should not have encryption because then we wont have visual evidence of child abuse - as if child abuse started in 1993. Another that runs a business which makes the claim of having identified hundreds of child predators and informed the FBI - with no fact checking from the BBC or presumption of innocence or linking to other stories of AI bias...

Meanwhile, there are no social workers. No teachers. No opportunity besides crime. And is killing a kid child abuse? What if the kid is black, and the police did it?

Here's the test: sure, government, here's a list of things you can do to stop child abuse. Encryption is last on the list. You can get to that after you've addresses all the other, vastly larger, problems.

Child abuse survivor here. I'd like to review some history.

For the entire history of police, until 1990 or so, children who had experienced abuse knew to not go to the police. It wasn't worth getting gaslighted or worse. In no way were cops there for us. Not only did we know it, so did abusers.

What changed? Sounding klaxons over child abuse began to draw press attention - then political power and fat budgets for LEO and NGOs. Once abused children became a sure path to the cash and power, police leadership and politicians suddenly cared like they never, ever had before.

This anti-encryption farce is no different. Damaged kids are the means to their ends - for LEO to acquire even more new surveillance powers along with the stacks of cash needed to deploy them - and as virtue-flags for politicians to wave before uncritical voters.

Those of us who were hurt before it was profitable to care - we aren't a fan of seeing kids' pain traded like a commodity.