164 comments

[ 3.3 ms ] story [ 233 ms ] thread
(comment deleted)
> Forcing a “duty of care” responsibility on organisations which operate online will not only drown small and medium sized companies in administrative tasks and costs, it will further accentuate the existing monopolies by Big Tech.

I often wonder about this. I mean, just the other day there was an article[1] here about sending GDPR requests to a health non-profit in order to sequence your genes for free.

The costs of each individual piece of legislation are small, but internet legislation only ever trends in the direction of "more of it". As more small costs are added (GDPR, cookie notifications, right to be forgotten, removal of Safe Harbor etc.) these costs will start to play a factor in who can run a web service and who cannot.

[1] https://news.ycombinator.com/item?id=27146975

Interesting. I don't send cookies or keep personal data, so why do I need to worry about them?

The only time I've got into issues was with an american firm using an american law (dmca) to attack me (a non-american) and my hosting company (a non-american hosting company)

> I don't send cookies or keep personal data, so why do I need to worry about them?

Can you share your website/service?

Commenting to follow up later. I'm really interested in the use case. The only thing I can think of would be a website similar to mid-2000s youtube to mp3 converters.
Alas they are all behind ssl authentication so you wouldn't be able to access them, but the stuff I currently have open includes a switch port mapper (every 20 minutes all my switches are scanned and reports generated on what's plugged in where), a firewall config interpretor (a list of current port forwards is generated), and a logging server showing me what

But if you want an example of a fully featured public site which doesn't need cookies

https://news.ycombinator.com/

Load that in lynx, which asks for every cookie, and none are set.

Now sure, if you choose to log in, then functionally you need to accept the login cookie, but that cookie isn't spammed out to you.

Under GDPR, a website doesn't need to ask for permission to have necessary cookies which enable core functionality such as security, network management, and accessibility.

> Under GDPR, a website doesn't need to ask for permission to have necessary cookies which enable core functionality such as security, network management, and accessibility.

I am not convinced this is true. See: https://law.stackexchange.com/a/32157

Also note that HN is likely in violation of this since there is no "Remember Me" checkbox when logging in. There is no indication that logins will be persistent.

Common CMSs send cookies by default. Even if you are one of those tech-inclined people using a static site generator for your own website, this is not the case for millions and millions of other websites.
Then let's replace those CMS's.

[edited with less anger]

Replace them? You need cookies for a tonne of reasons. It's really difficult to justify replacing half the web because some people abuse it. That's like replacing cars with walking because some people drink drive.
(comment deleted)
What reasons do you need the types of cookies you need to ask permission for under the GDPR?
*sigh*

Here we go again.

The GDPR has no problem AT ALL with cookies. Use as many as you like with no need for popups. However, if you are using cookies to track or personally identify me, then you need to ask my permission to do so. And so you should.

The amount of misinformation (some of it wilful) circulating about the GDPR on HN (a technical forum!) is shocking. If you consider yourself a professional developer then I strongly suggest you read a GDPR primer. There is no excuse not to. Following the GDPR will simply make your code safer when handling personal data.

Cookie notifications? You have to be actively tracking your users for those to even be relevant. You could literally do less work and avoid the need for them altogether.
GDPR, or CCPA, isn't all that costly as long as you stop thinking of user data as something for you to harvest, mine, resell and profit from. If you instead treat user data like a security liability, system designs and trade-offs will flow from there. They'll help ensure you design systems that minimise collection and anonymise things early, remove data promptly when no longer needed, and make it easy to audit what data you do hold which in turns makes supporting GDPR requests easy.

The largest cost of GDPR is making that shift for existing companies. If GDPR ends up killing a few companies because of that, I personally don't mind. And if a startup doesn't end up seeing the light of day because it's not possible for them to operate under the conditions that GDPR imposes, then from my point of view the GDPR is doing what I'd like it to do.

It's possible for you to be in violation of GDPR without "thinking of user data as something for you to harvest, mine, resell and profit from".

If it's "killing a few companies" and "a startup doesn't end up seeing the light" then "GDPR is doing what I'd like it to do."

That's a pretty shitty opinion to hold.

What did those companies and startups do wrong? I'm as tired of stupid startups as the next person, but I won't cheer for their failure unless they actually do something wrong.

How about adding third-party analytics integrations that compromise your visitors, tracks them around the web, and fail to protect that data properly as the analytics company gets acquired by another entity?

Stop saving PII for profit/exploitation reasons and you're in the clear.

> What did those companies and startups do wrong?

Well for one, they ignored users and the authorities asking them to stop their illegal data collection. No company is getting "killed" or even fined at all when they are not actively refusing to get compliant.

Especially in the UK where ICO hasn't taken any GDPR enforcement action for like 6 months.
> If you instead treat user data like a security liability

> minimise collection

> anonymise things early

> remove data promptly when no longer needed,

> make it easy to audit what data you do hold

These (and others) are the costs I am speaking of. The vast majority of HN commenters will tell you that these costs are worth the upside in user privacy (which is totally fine!).

My point here is that the costs are not fixed. Over the decades we will see other, often sensible costs added to this list. While each individual cost may be small, they do accumulate and they influence who can and cannot start a business (or even personal website!) that deals with individuals from the EU.

Large companies will always be able to pay these costs. Some small companies may not. What you make of this is up to your personal interpretation, but I will miss the web of 00's where it felt like anyone could build a website or online business with next to no overhead.

My grandma runs an online web store. She wants to know how many customers are converting and what products are popular, so I put Google Analytics on the site. Despite the issues with having to collect data, it's all she can afford to do (and quite frankly, cannot afford not to).

The infrastructure to do analytics this easily does not exist - unless you expect a 65 yr old to trawl through Apache logs on the command line? Extrapolate that to everything from audits, logging, anonymization of data and of course it's going to push people to use centralized solutions.

From my perspective open source communities seem to have an ideological issue against analytics and business data, so very few solutions exist outside of big tech. What am I to do?

Sad to see UK becoming one of the apologists of internet censorship, closing the gap to the levels of authoritarian countries.

Once you have censorship facility in place, the area of its application will only grow. The term "illegal information" is also widely used in Russia for the same purpose.

The cameras tracking everything everywhere in UK would say that it's long been an authoritarian country.

Authoritarianism is a sliding scale. From what I can gather, lots of humans that have any political pull at all tend to be authoritarian (against the kinds of people they don't like, of course).

Most cameras in the UK (I think around 95% even) are private.

Not sure why you think the UK is an authoritarian regime. Check any ranking and it is one of the freest countries out there (Heritage Ranking, for example: https://www.heritage.org/index/ranking)

He is referring to the camera network in London.
The government's camera network in London is very small, only 23708 cameras (15516 of which are from Transport of London across the tube network)[0].

It's a fairly small network for an authoritarian government.

[0]https://www.cctv.co.uk/how-many-cctv-cameras-are-there-in-lo....

In what way is that a "very small" network?

In fact, given how small London is that's a huge network.

Small London?

London's population: 8.982 million

Area: 8,382 km2.

How is that small?

Oh this is going to be fun.

I see you're referring to the "Metro area of London". when referring to that size. The size of London proper is 1,572 km2 (Wikipedia, as well)

So now, the fun question is "what area is the camera count referring to?"

Further, the quantity of cameras matters less than the areas the cameras can see that is covered.

Even further-further is how easy it is for the government to acquire the footage off those cameras.

Yet the UK has the Snooper's Charter, GCHQ and mass content policing. This is new bill is an extension of their control apparatus, not an exceptionally unique case.
They will become increasingly networked via services like Amazon Ring and it may as well be a government surveillance network.
If your definition of authoritarianism is ubiquitous video surveillance you'll have to come to terms with the fact that not only every politician is authoritarian but just about every citizen, because there's pretty strong support for these security measures.

The word authoritarianism appears to have lost all meaning in internet circles. What authoritarianism actually is, is a people being governed without their consent by a government they did not elect. If British citizens, or their representatives decide they put significant value on public safety rather than privacy that's a choice.

(comment deleted)
> lots of humans that have any political pull at all tend to be authoritarian

I think it's probably more like a survivorship bias than an innate quality. The only people who are capable of surviving in politics long enough to the point where they have any meaningful influence are the ones who know how to use the systems under their control to protect themselves while tearing down their opponents. Usually this means attempting to consolidate power in themselves, ie. authoritarianism.

Oh, I also mean regular people. The loudest voice sing songs and get articles written ... about new laws we need to add (when the old laws already cover the illegal misdeeds) to stop a new threat from coming upon us, perceived or otherwise.

edit: or making laws that are more about making it illegal to do something some people find icky or culturally unusual.

The UK was already heading down that route with the public surveillance cameras, IMHO.
And the land-grab law changes over the last 12 months.
Most cameras in the UK are private (around 95% if I recall correctly). Businesses, home cctv, doorbell cameras, etc.
> Sad to see UK becoming one of the apologists of internet censorship

Almost as if, (at this point in time), the benefits of this to the people of the country(not just you) outweigh the negatives...

Not really. This legislation is not something the electorate knew about, let alone discussed, when they were voting in the current government.

It's just one of those things a government with a large majority keeps quiet about until it's got plenty of time between elections to bring it up and push it through before the next one.

Haven't they been that for a long time? Wasn't Britain the country that pushed for that EU directive that required all ISPs to save all the traffic of their users? They were also the ones that tried doing website blacklists and are trying to censor social media (google: "girl punished for hate crime for posting rap lyrics").

What does the UK have to do so that people will accept that the UK is lying when it calls itself a free country? Start arresting people for speech? For activism? Kill protesters?

(comment deleted)
The UK has never not been eager to censor to a sometimes comical extent. Just look at the "Video Nasty" moral panic, or the hilarious dubbing of Northern Irish people on television.

https://en.wikipedia.org/wiki/Video_nasty

https://en.wikipedia.org/wiki/1988%E2%80%931994_British_broa...

Now that you mention Ireland, it occurs to me the UK plays second fiddle compared to its former colony. After achieving independence, the Irish Free State and its successor, the Republic of Ireland were dominated by right-wing, conservative, Papist and authoritarian nationalists.

Modern art and music – particularly “evil” jazz – were all banned. Our best writers had to leave the country. The writers that didn’t leave had to apply to the Department of Justice for permission to possess a copy of their own book. The video nasties of the eighties didn’t even have a chance to become a problem in Ireland.

The UK’s censorship of the Irish Republican movement paled in comparison to that of Ireland. Enforcement of Section 31 of the Broadcasting act began in the early seventies and lasted until the mid-nineties. And it was often interpreted to prevent Sinn Féin members from speaking about non-political issues. We didn’t even get to have Stephen Rae’s voice standing in for Gerry Adams.

As a young adult in the mid-nineties, censorship was still an issue: I only ever saw Oliver Stone’s “Natural Born Killers” on a very crap video in a student centre. I remember watching Robert Rodriguez’ “From Dusk Till Dawn” in a cinema in the Netherlands knowing that it was banned back at home and around the same time, I remember it being a big deal when the ban was lifted on Playboy magazine.

I have a tendency to focus on the good things in life and try not dwell on the negative. As a result, I have nostalgic memories of the nineties (formative era for music) but forget how bad things actually were in the “good old days”. A more important example I forgot to mention in my comment above was the censorship of information relating to contraception (“family planning”), abortion and anything else relating to reproductive rights.

Until the late nineties, it was illegal to provide any information about abortion services – regardless of circumstances or if the services were in other countries. Newspapers and periodicals from the UK that contained listings or advertisings for abortion services had the relevant pages removed before they could be sold by Irish newsagents. The Society for the Protection of Unborn Children successfully won cases against family planning agencies (that went all the way up to the European Court of Human Rights) and the Union of Students of Ireland for providing information about clinics in the UK that provided abortion services.

The censorship you refer to happend 30-40 years ago under Thatcher [1]. Sense prevailed and these were promptly overturned.

I'm not sure what mentioning such old events brings to the conversation, any more than a discussion of modern US censorship would benefit from discussing the Satanic Panic under Reagan.

Perhaps you would care to elaborate?

[1] Many quipd that the reason she was cremated was that a burial grave would have needed a ballroom to be built above it.

I wish there was some sort of island or safe haven country setup by cryptographers so they could safely work on crypto without legal issues or crypto being seen as a munition and a threat to government. We could call it `01` and have it in a non fourteen-eyes jurisdiction preferably as an independent nation.

We could export code containing cryptographic algorithms to countries that need it for privacy and safety reasons. Cryptography actually is needed for safety more than it is used by undesirable people to commit crimes!

We can't have communist countries in latan america because of the good ole u s of a. You think you are going to get some slight utopia that helps people b/c of their ideals? Never going to happen... sadly.
You can’t have communist countries in “Latan” America because their industrial base and population expertise is even worse than the USSR. Not to defend the CIA’s actions, but Venezuela was never going to work out.
(comment deleted)
> Cryptography actually is needed for safety more than it is used by undesirable people to commit crimes!

This is actually more because criminals on balance tend to be too dumb to hide their traces than because of any demographic truth. There are a lot of criminals.

Focusing on "crypto" is, I think, a forest for the trees argument. Look instead at anonymity for evidence of where this kind of thing goes. Put up any reasonably anonymous forum where people can interact without their identities being reveals (which often includes, but doesn't always require, some kind of crypto protocol). Within a year it will be filled with criminals. Minor criminals like drug dealers. Worse things like market manipulation and fraudsters. Weapons sales. Black market rings. Revolutionaries of all sorts and sizes. Child porn. Mail order brides and other trafficking trades.

Seriously, run a Tor exit node for a while and see where this goes.

Your neighbors in your imagined "safe haven country for cryptographers" aren't going to be who you think they are.

I recently made a federated, anonymous / pseudonymous messageboard. It took about 2 months before I had found cyber criminals had translated it into another language and were using it to sell narcotics on the darkweb.
Ironically the UK is pretty much a handful of islands. I don't think the islandness means much.
There's Liberland, an attempt at a libertarian country, but it's still far from being an actual country.
In the UK if you won't give up your password (or essentially give means to decrypt data) when requested you can get 5 years for that. Encryption will not protect against the state in this case. Likely other countries will start to copy that...
I know it's the law already, but has it actually ever been used against anyone? I always thought it would be extremely difficult to successfully prosecute because if you give them "a" password and swore it's "the" password to the best of your knowledge you couldn't be accused of maliciously refusing to cooperate. I imagine they would still throw a book at you somewhere, but probably not the 5 years under this law.
Yes! Plenty of times e.g.

https://www.techdirt.com/articles/20140116/09195525902/uk-ma...

You can Google more easily...

Yes, thank you for reminding me I can Google.

From your own link - he said he forgot the password, which(I assume) in itself wasn't enough to prosecute, it was the fact that he eventually caved in and provided it 4 months later, so they got him on purposefully obstructing justice for 4 months. It's not clear if he could be successfully prosecuted for this crime if he never remembered the password.

Here you have someone directly sentenced for not disclosing their password:

https://www.bbc.com/news/uk-england-hampshire-45365464

I mean, we can be doing this back and forth for a while, but again, to quote from the article:

"Judge Christopher Parker did not accept Nicholson's "wholly inadequate" excuse that providing his password would expose information relating to cannabis."

So basically he said "I know the password, but I'm not going to tell you". That's obstructing justice.

My point is if you say you don't remember and maintain saying you don't, can you be persecuted purely on this one law. Because so far it looks like you can't.

This is the reason America's 5th amendment exists, people have the ability to not self-incriminate because it gives way for a different form of obstruction of justice, compelling people to speak under duress mainly.

I've long wished most of the American constitution made it's way over to Britain. We've had many of the freedoms enshrined in it for centuries but a few, particularly the principle of freedom of speech, has been trampled over in the internet age.

While the fifth amendment in the US is certainly a good principle, even it doesn't (currently) appear to provide a blanket protection against providing your passwords. My (likely incomplete) understanding of the current situation is that things are still ambiguous with many nuances not yet having been settled by the courts.

On the one hand, there is federal precedent (https://law.justia.com/cases/federal/appellate-courts/ca3/17...) that the government must be able to demonstrate both that the defendant knows the password and that criminal evidence is known to exist on the device. The bar for both of these things appears to be fairly high.

On the other hand, there is precedent at the state level in Pennsylvania (https://law.justia.com/cases/pennsylvania/supreme-court/2019...) that disclosure of passwords is testimonial in nature and therefore always (I think?) protected, even if you admit both to knowing the password and to the existence of criminal evidence.

Note the different jurisdictions for the precedents here. In federal courts that fall under the third circuit (which includes Pennsylvania), the first one applies. In state courts within Pennsylvania, the second one applies. This oddity won't change until and unless the US Supreme Court chooses to hear a relevant case. So in Pennsylvania, the law is currently different depending on if the FBI or the local police is the one prosecuting you.

Also note that from the first case, failure to provide the password is a form of civil contempt and therefore confinement is limited to 18 months at most.

Ok I see you point - I have read an solicitor opinion that this may be a valid defense, however, you could likely be expected to prove that you have a medical condition or history of forgetting things. I am pretty sure you cannot just say "oh I forgot, my bad, sorry."
https://www.legislation.gov.uk/ukpga/2000/23/part/III

The police think Bob has material that they need to see.

They think that:

    The key, password, code is in the possession of the person given notice.
    Disclosure is necessary in preventing or detecting crime.
    Disclosure is proportionate.
    The protected material cannot be obtained by other reasonable means.
They serve a section 49 notice.

Bob can ignore this. But that means he may be guilty of an offence under S53.

One of the defences available is to say that he's not in possession of the key. He'd have to persuade the court that either He'd forgotten the key or your encryption was set up in a way that he'd never had the key in a memorable form.

> For the purposes of this section a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if—

> (a)sufficient evidence of that fact is adduced to raise an issue with respect to it; and

> (b)the contrary is not proved beyond a reasonable doubt.

So, to answer your question: yes, a person could be prosecuted, and they'd have to prove they forgot the key. The prosecutors wouldn't have to prove that the key had not been forgotten.

Absolutely, but that loops back all the way back to my original question - has anyone ever been successfully been prosecuted for actually forgetting their password. Or at least saying "look, my passwords are auto generated and 32 characters long, I think the 5th and 8th characters were a # but I'm not sure". What then? You're not refusing to provide the password, you are just not exactly sure what it was, and if you look into my password manager you can see all my passwords are at least 32 characters long so I'm not making it up.
I don't think anyone has been prosecuted. I'm not arguing with your point - this stuff is messy. It's not clear cut. There's a combination of how the law is written, how courts have interpreted that in the past, whether that would stand up to the supreme court or the EU courts, and what you can persuade the jury and judges to believe.

If you're providing part of your password you run the risk that

i) you'll be convicted of the S53 RIPA offence (potentially 2 years for most stuff, potentially 5 years for child sexual exploitation or terrorism)

and

ii) they'll decrypt it somehow and you'll also be convicted of the original offences.

Criminals are well aware of the trade-offs of the English courts. Do you plead guilty at the earliest opportunity (and get a reduction in sentence as a result) or do you wait until the day of the trial (because many trials collapse before they get to court).

> I wish there was some sort of island or safe haven country setup by cryptographers so they could safely work on crypto without legal issues or crypto being seen as a munition and a threat to government.

This has always been a fascinating concept to me as well — but I think history demonstrates that you can't just set up a safe haven without significant international leverage, whether financial or military. And if you're actively exporting "munitions" to other countries, it's only a matter of time until someone tries to knock you off.

The more likely scenario is that your safe haven will be dependent on a larger nation-state patron—and therefore ultimately vulnerable to changes in its domestic politics. (E.g. Israel, or Taiwan.)

It's difficult to build leverage in a country the size of an island—and once you're big enough to have any leverage, autarky becomes nearly impossible as you're always dependent on someone else for logistical reasons (food, fuel, etc.). This is essentially what the Second World War was fought about; autarky lost.

> I wish there was some sort of island or safe haven country setup by cryptographers so they could safely work on crypto without legal issues or crypto being seen as a munition and a threat to government.

I wish there was some sort of island of safe haven country setup by compiler developers where C didn't have problems with memory safety.

Why is politics the only domain where HN'ers think they can make the domain's problems disappear entirely by moving it physically to an island? It's inane.

(comment deleted)
You're HN'er yourself.
To the downvoters let me explain what I meant. jancsika is an HN'er as we all are. But jancsika is on here trying to say the community as a whole is a bunch of arrogant idiots. This annoying type of comment where you make yourself seem smart by putting down the entire community has become common in this community. I see it more and more often on here.
They created it and called it rust. Time fixes all bugs.
Creating an island nation to evade laws won't work. It's the same thing as trying to evade tax laws but for content laws.

What has happened to tax havens is they are labeled tax non-compliant and then an IGO effectively embargoes them unless they turn over all tax records and come into compliance with their laws. So the same thing would apply to creating an island nation to evade some cryptography export law, or content restriction.

I don't think convincing the respective governments with arguments will work either because the incentive they have to require censorship on internet content that they are not mentioning is that they can censor it for their own purposes. For example, Russia is considering blocking Twitter entirely for having illegal content (you know what I mean by this) but I think everyone knows that's not the real reason they are considering blocking Twitter.

I don't know what the best solution is.

Well, corporations do evade taxes using island nations and other such machinery, and mostly get away with it.

It probably won't work for "just people", without strong lobby powers and corrupting financial temptations dangled before politicians.

IMHO there's no running away from resisting/circumventing oppressive legislation in our social surroundings, not by looking for far-away havens.

The Bill is arguably the biggest threat to global online freedoms that exists.

I'm surprised it has not been covered more here. It is amazingly badly written and will have huge negative consequences.

> Amazingly badly written

You know they want ambiguity. It means MPs can dismiss objectors as irrational slippery slope proponents. Then when it's appended to the statute books it only takes a few judgements to 'clarify' the law.

It's all downhill for freedom. The intention is clear. Voting is useless. The press have been silent to the point of compliance. It only takes a well placed messaging campaign and an unvigilant, ignorant public.

At least we still have beer to see us through the long haul. See you at the pub.

> See you at the pub

This is a disturbing good summary of UK politics at the moment.

While I agree with their position overall, particularly with the ambiguity of "harmfulness", I think this is not the right tack to take here:

> fails to acknowledge how actually harmful it would be for certain groups of the population to have their real life identity associated with their online identity

No nanny-state-style government is going to buy this argument for a moment, because it requires a certain level of distrust of authority that certainly won't be present in the authorities themselves. Even among the population at large, there are undeniable trends in many countries towards authoritarianism on both the left and the right that are ignored or embraced by a majority (or a large minority) of their respective bases of support.

Combined with prevailing trends against web-based anonymity and concerns over "fake news" and other amplification mechanisms for information warfare, I suspect we will see a further bifurcation into regulated, KYC-style services and unregulated, anonymous communities. Even here on HN, posters and commenters are regularly chastised for failing to adequately disclose their identities when they have a vested interest in the topic under discussion.

Rather, the privacy angle which has been so conveniently mooted by Apple lately is (in my opinion) more palatable to the general public. By giving more responsibility to the service providers, the government is also implicitly giving them more power as well (as censors, if nothing else). But in practice, most people have personally observed that when more power/information is provided to private companies, it leads to a slippery slope of monetization, advertising, and lock-in.

An appeal to this sense of unfairness and power imbalance with companies seems more "sellable" to me than convincing people their governments have nefarious/censorious motives. As a supporting argument, consider the general global consensus on gun control -- if people were willing to believe that their governments were ready to turn on them (in terms of physical oppression) at any moment, there would be more global concern about the physical power disparity between police/military and the civilian populace.

Currently (with some exceptions, e.g. the U.S.), the global consensus is that people are much more willing to trust their police/military with weaponry than their fellow citizens, based on the implicit notion that the likelihood of experiencing harm from the latter is disproportionately more likely than the former.

In contrast, as partially evidenced by the relative growth of Signal as a response to the changes in WhatsApp and the public support for app-tracking changes in iOS, people are demonstrably concerned about privacy in the commercial space.

Thus, I theorize that an appeal to privacy would be more effective: "Under the proposed changes, we would have the ability to do ____, which would exploit your personal, private information for profit. If we can do it, that means ____, ____, and ____ can do it too. Do you want your government giving even more power to private companies to profit off you?"

Agree that the way an argument for privacy is framed determines the support from the average person.

I've heard a number of times people saying that they have nothing to hide, yet would not give my unreserved access to their phone when I ask. Then I try to explain to them that Google, Apple, etc. are doing the same thing except they're not asking permission and they just don't seem to care. The convinience of having an Alexa that they can talk to whenever is worth more to them than the possibility that these companies can be listening in on them. Until an event that causes real fear of privacy loss occurs, I don't think many will take it seriously.

I've had this conversation with a relative. To them, the difference is that if I know what's on their phone I might judge them for it or tell other people, Google isn't likely to do either.
One of the most frustrating things about this legislation is that it's set up so that the only outfits with the resources to do the requested censorship would be a GAFAM. Which is utterly perverse, as on one hand the UK govt is despairing about the extent to which the UK is dependent on Big Tech social media and the control they exert on society... whilst simultaneously pushing through legislation which effectively ensures that GAFAM are the only people who can operate!

The Matrix approach to addressing abuse is https://matrix.org/blog/2020/10/19/combating-abuse-in-matrix... (and we're in the middle of building out the first implementation of the decentralised reputation proposal right now) - but it is not pleasant to think that if a judge considered that approach inadequate, the directors of UK entities providing Matrix hosting (e.g. Element, running matrix.org on behalf of The Matrix.org Foundation) would be eligible for jail time \o/

Needless to say, we're doing our best to explain to the UK Govt that their Bill is throwing out the baby along with bathwater...

(comment deleted)
It's the same with GDPR. When I worked for a large enterprise, we had a legal/compliance team of dozens of people and a huge outsourced legal budget. When I worked in the startup of my wife, it was me implementing GDPR compliance.
But at least GDPR /is/ tractable to implement at small scale. Whereas for the OSB: if you run a smallish but popular chat/blog/forum/etc service, there literally isn’t a solution for moderation which isn’t fiendishly expensive, privacy invasive, or both.

The legislation has clearly been dreamt up by folks saying “ah ha! if we threaten the Facebook UK executive mangement team with jailtime unless they do better at filtering self-harm/CSAM/terrorism/etc then they will obviously get their house in order!”. Whereas in practice they crush their own UK-based startups instead. So frustrating.

GDPR is only tractable because 90% of companies don't implement it. In Germany thousands of companies illegally use Mailchimp for example.
I like how you, with actual concrete real-world experiences you are sharing, are being downvoted by silent armchair enthusiasts who mostly just like GDPR because they get the sense that it’s vaguely bad for Facebook.
As a private citizen I like GDPR - even if Facebook will find ways around it (but I do not really care, I've left Facebook many years ago because of privacy concerns).

As someone who implemented it in several companies, I don't like it because it hits smaller companies much harder than bigger ones, and because it tries to be technology agnostic it is quite fuzzy, compate to something like SOX or PCIDSS (which I also implemented as CTO). In Germany at least data protection agencies declared they will go after companies that use e.g. Mailchimp.

As both a private citizen, and one who implements it, I hate it. It’s increased regulation around a subject that I was not doing in the first place (I don’t care what you’re doing online, never tracked, etc) that only increased the cost of business. We need more competition, not less.
> It’s increased regulation around a subject that I was not doing in the first place

Maybe you were handling personal data correctly. Very many were not (witness numerous data breaches and private data exploited that was held for no reason). Therefore regulation was needed.

> We need more competition

Competition is good. A race to the bottom is not.

Where does relaxed regulation and the reintroduction of morality into business mean a race to the bottom?

It also could’ve been implemented in such a way where there were no required new positions and the gov spent tax dollars to write a greatly detailed dummies guide to GDPR, how to implement it, etc so that smaller companies without the resources would have just as much of an advantage.

I am curious what about Mailchimp make them illegal to use ?

On the face of it they seem to have support for the required stuff: https://mailchimp.com/gdpr/

I was also curious, so I found this:

https://edpb.europa.eu/news/national-news/2021/bavarian-dpa-...

The core: ... transfers of personal data to the U.S.- were not lawful.

So the problem is that an US company cannot be GDPR compliant, because that conflicts with US law. Which sucks for mailchimp but makes sense.

(comment deleted)
A US company can be compliant. They just have to host EU user data in the EU.
Judging from this

> Mailchimp may in principle be subject to data access by US intelligence services on the basis of the US legal provision FISA702 (50 U.S.C. § 1881)

It might not be just a matter of where the data is stored, but also who can get access to it. From my reading, any US based conpany would be affected.

This feels like a super huge impact that would have made more waves, but the ruling also seems recent. And perhaps there will be more twists and turns yet ?

There was a contract between the US and EU that was supposed to address this: https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield

As described in the Wikipedia article, the contract has been thrown out by the European Court of Justice for exactly the reasons stated by the parent comment.

> [Standard contractual clauses] do not necessarily protect data in countries where the law is fundamentally incompatible with the Charter of Fundamental Rights of the EU and the GDPR, like the US.

They would need to a have an independent legal entity in the EU on top of hosting data in the EU, perhaps only owning shares in that entity. The construct would need to be setup in a way that three letter agencies in the US (and courts) would have no way of forcing the US company to hand over data - not sure this is possible IANAL.
Wait, is that really the standard? Wouldn't that imply that virtually any service doing business with EU customers would need to be either a multinational business or based in the EU? And just buying server hosting in the EU won't actually change that much about data access; if I'm a purely American business and I buy hosting in the EU, I think I'm still subject to US data requests. None of that goes away as far as I know, so I don't see how a hosting restriction would even help unless I literally move my business to the EU.

I thought that I understood GDPR at least reasonably well: be specific about what data you collect, don't collect unneeded data, allow deletion of data, and a couple other minor caveats. But if I sell software in multiple countries, and part of my account process is collecting an email address or other PII, is that not GDPR compliant unless I set up offices in the EU?

That can't possibly be what the law actually says; nobody except the biggest US companies would be able to do any business online with EU customers if that was the case. What am I missing?

It's most specific to the US because of CLOUD ACT and FISA courts. It would be the same for countries that have a similar structure in place.

If you're an US company you would at least need to setup a independent EU subsidiary that you do not directly operationally control (perhaps owning shares works).

So what are the full implications of that? I hate FISA too, but most non-EU countries have FISA-like structures in place as far as I know.

Sublime Text 4 just came out. That's based in Australia, where courts have similar data access, including the ability to require companies to circumvent encryption. Part of the purchasing process requires providing an email and other billing information.

Is it legal to sell Sublime Text 4 to a European? If Sublime Text was based in the US, would it be legal to sell it to a European citizen? What you're implying is that the EU can't legally have access to the majority of US-based Internet services, and that just seems so extreme that I feel like I wouldn't be hearing about it on Hackernews if that was the case.

But I don't know, I can't really confidently say you're wrong. Maybe it's just been under-covered, or I'm just not paying attention to the right news sources. At the very least, this can't apply to business-necessary information, right? Otherwise, it seems like you're saying that EU data in general can't be legally exported from the EU to most of the world, which seems like it would be a massive problem for the majority of the software industry.

There are a lot of software services based in countries with intrusive government data access: Fastmail (Australia), DuckDuckGo (US), Github (US), Itch.io (US). You're claiming EU residents don't legally have access to them? Again, I don't have any basis to argue that you're wrong, it's just... why wouldn't that be covered on basically every single tech blog if that was the case?

"service doing business with EU customers "

If the EU customer is a company and not a private citizen and if it does involve storing personal information of the EU customer customers.

"What you're implying is that the EU can't legally have access to the majority of US-based Internet services"

No. You as an EU company can't transfer customer data to or redirect customers to US companies in a legal way.

"Otherwise, it seems like you're saying that EU data in general can't be legally exported from the EU to most of the world"

It depends on who does the "exporting" and what the "exporting" includes. But in general yes, it can't if the citizen whos data is exported can't be guaranteed to have the same rights as with the data in the EU. That is the core of it, Facebook can't offer a website in the US that is open to the EU and take information on the website "exporting" the data by POST HTTP requests to it's servers in the US (which they don't because Ireland, but in general yes).

There is much more to it, like "Can I store customer data in Google for Business spreadsheets?"

You're probably fine with Gmail because people know that this is an US company and sending an email to an US company is something a EU citizen might want to do. It's not as clear with Fastmail. It's not clear at all if you use custom domains with both. If you use a custom domain, where the customer can't see that it's outside the EU, do you export email addresses outside of the EU e.g. to Australia? But data protection agencies in the EU will take some more time to arrive at all these finer nuances. For now they are focused on Facebook and Google, and in 2021 went one level deeper with acknowledging that it's illegal to use Mailchimp in the EU (currently, I assume Mailchimp will create an EU legal entity and host EU data in the EU in the future when pressure rises).

For large enterprise that have subsidiaries in the EU it's already illegal to transfer EU employee data to the US for processing.

"You're claiming EU residents don't legally have access to them?"

As an EU citizen you can do whatever you want with your data, so "EU residents don't legally have access to them?" is misleading, because it would not be illegal for the citizen but - if - for the company. The company has a problem if it can't prevent three letter agencies from accessing the data. If you have no assets in the EU and do not plan on visiting the EU there is not much to fear though probably. I think it might be legal - not sure I've read something about it - to process data e.g. as a hotel for EU tourists, if you delete the data afterwards. Yes the GDPR is broad.

"But if I sell software in multiple countries, and part of my account process is collecting an email address or other PII, is that not GDPR compliant unless I set up offices in the EU?"

If you sell drugs to the US you're in trouble, even if it is legal to sell drugs in the country you live in.

You as a US company probably can sell to EU citizens but IANAL. The bigger problem for the EU if you sell to EU citizens from the US is VAT. If you send physical goods then your customer needs to pay VAT at customs - as many people in the EU found out after Brexit, if you send digital goods then the customer usually doesn't pay VAT. This is what agonizes the EU more than the GDPR and is the base for France to charge digital taxes to US companies.

"I wouldn't be hearing about it on Hackernews if that was the case."

Well I've lost 100+ karma for pointing out in the last years that it is illegal for EU companies to use Mailchimp. Today is the first discussion where people agree - still I lost 10 karma.

> if you send digital goods then the customer usually doesn't pay VAT.

VAT might be annoying in the sense that it forces me to ask for an address if I'm selling software to someone who lives in the EU, but that's basically fine. I can do that as a US company, and I can pay higher taxes, that's not a problem.

But if I'm building a software company, I don't have the resources to set up a foreign company to handle everyone in the EU who wants to buy a copy of my software. In practice, that requirement would mean that most single-person software teams outside of a few allowed countries can't sell to the EU.

Eventually you just get a lawyer to answer questions like these, but it does kind of sound like if I'm understanding you correctly, I should just be excluding any EU residents from buying anything I make regardless of the privacy policy, unless I have a zero-knowledge product. Which... being zero-knowledge is tricky because VAT exists, and I don't think I can not collect EU resident billing addresses and still pay taxes in an auditable form.

Maybe that's fine though, maybe that just means in practice you have to contract billing to a company that has an EU office, and then the problem is gone.

I should have phrased this differently, I know that GDPR doesn't constrain what EU residents do. But in practice it doesn't really matter to me if it's legal for them, it matters to me if it's legal for me. I don't know, apparently I need to do more research on this.

Interesting though, I appreciate you taking the time to elaborate.

> A US company can be compliant. They just have to host EU user data in the EU.

Actually since the 2018 Cloud Act, no US company can be ever be GDPR compliant.

Here is a possible sequence of events:

1. the US has secret courts (FISA, 1978)

2. and these courts can insist on access to EU hosted data (CLOUD Act, 2018)

3. its illegal for a US corp to indicate whether such access has been demanded

4. so a FALSE 'no' must be the answer to an EU data subject asking about access to his/her data

5. which is a breach of the GDPR.

Everyone knows this. They just ignore it. The EU ties itself in knots (Schrems II) trying to justify all of this.

Thank you.

This looks like a pretry fresh ruling judging from the date of the article, good to know.

> So the problem is that an US company cannot be GDPR compliant, because that conflicts with US law.

This is completely not true. First, most US companies are GDPR-compliant because they don't gather, store and process personal data of EU citizens. Now, those that do - mainly Internet companies - they need to abide by the terms of the GDPR (or not to serve EU customers, which for some is the easiest way - like New York Daily News). If you decide to store personal data of EU citizens, you need to do it using servers located in the EU, which, depending on the nature of your business, might or might not be easy, but companies had several years to prepare for that. There is no any conflict with US law anywhere.

Personally I was in a similar position and instead of choosing Mailchimp I choose Mailerlite, which is Europe-based and, being less popular than Mailchimp, (much) less expensive for the customers I have (with mailing lists in the range of 5k-50k contacts). It has its quirks but it works and I have no much reasons to complain.

A US company can decalare themselves whatever they want, that doesn't make it legal in the EU. They don't get in trouble for saying this, EU companies are those that get in trouble when they believe the link you have provided.
What makes Mailchimp illegal? From what I can see they seem GDPR compliant
They can't be GDPR compliant if they can't prevent US three letter agencies from accessing their data - or more to the point, EU citizien need to be able to get to court with US three letter agencies to administer their rights, which they can't for various reasons, one of them that they don't know because the US has secret courts.
> The legislation has clearly been dreamt up by folks saying “ah ha! if we threaten the Facebook UK executive mangement team with jailtime unless they do better at filtering self-harm/CSAM/terrorism/etc then they will obviously get their house in order!”. Whereas in practice they crush their own UK-based startups instead. So frustrating.

Isn’t that exactly what the GDPR did? I know I pulled my apps for fear of fines and jailtime that might lead to the first country Im not allowed into.

GDPR is pretty harmless and relatively easy to implement I think
What was particullary easy implementing GDPR for you?

I found some areas particullary hard. Legitimate interest is a minefild and mostly can't be used, except e.g. delivery addresses. Finding GDPR compliant companies - with the US out of question - was also hard. Tracking and deleting data on request when storing in dozens of systems was hard - even returning all the data stored in dozens of external SaaS companies was hard (logging what you send them helps here, but doesn't address their tracking generation). They often don't give you everything you store with them back - deletion is often much easier. Tracking data in backups that needed to be cleaned on restore due to deletion requests was difficult to implement - easy in one, complicated in dozens of systems. Especially hard with AWS.

These are the most challenging I had on hand when implementing GDPR.

> What was particullary easy implementing GDPR for you?

Deleting people's private data upon request, namely when they click a button -- in my case (unlike yours) there's not many places to delete the data from.

The most challenging thing is instead writing a DPA, and wondering what to write about inspections and auditing, in a remote only company with servers in the cloud (any thoughts about that?)

I think auditing is an unsolved problem for now, I haven't heard of any implementation that works.

I would assume special companies will arise that do the auditing for you - and that work with AWS and GCP for you.

> special companies will arise that do the auditing for you

I think so too -- I had a look at Google's DPA and it seemed to me that when one agrees to Google's DPA, one agrees to trust some Google approved companies to do the auditing for everyone (for all Google cloud customers). Maybe there's not any other way to make it work (it'd be crazy with random people in their datacenters "auditing" things)

GDPR really isn’t that complicated for most purposes - it boils down to: tell your users what data you store; let them delete their data if they want; let them export their data if they want. Which is not exactly unreasonable - the only scary thing was being obligated to do it by law with threats of fines if you didn’t. It wasn’t that hard to put together, particularly if you’re a normal centralised website or app that they were aiming at.

Whereas the OSB is: “if you run a service which lets users distribute ‘harmful’ content, then you’ll get pulled up in court. Plus it’s up to you to figure out what ‘harmful’ is; you’ll know it when you see it.”. Which sounds like the opening premise of a Black Mirror episode.

I would agree in principle, in Germany/EU there is this ongoing discussion about making a carrier ("forum") responsible - which will lead to upload-filter SaaS, the way PWC does audits. Still you can fail for accounting after an PWC audit (too many public examples), but most companies that don't actively try to break the law feel kind of safe with a PWC audit. I would assume it's the same when you let an upload-filter company audit your content (but increases cost, just like PWC).

With GDPR on the other hand you can't use any US company with your customer PI data in the US and US companies hosting in the EU is a gray zone [1].

It is a challenge to find equivalent companies in the EU, e.g. good luck finding a equivalent competitor to Unbounce or Webflow. It works for MailChimp (e.g. Sendinblue) and ZenDesk, but not for some other dependencies you might have.

[1] https://en.wikipedia.org/wiki/CLOUD_Act rejections by companies need to be tested in court

> GDPR really isn’t that complicated for most purposes

You're coming at it from a position of knowledge and confidence. The guide produced by the Information Commissioner's Office for organisations has 48 sections/pages [1] and features a toolkit with 7 different self assessment quizes [2], plus an extra one to help small businesses [3]. Even the "What is personal data?" section of the site alone contains dozens of pages [4]. And obviously the regulation itself is pretty verbose [5].

Given the legal ramifications, it's a bit dismissive to say it just boils down to three phrases. Whether or not GDPR is reasonable (and I agree that it is), it's perfectly understandable that sole traders and small businesses are concerned about the resources required to understand and implement it - especially when even many large organisations currently flout it (through ignorance or negligence).

[1] https://ico.org.uk/for-organisations/guide-to-data-protectio...

[2] https://ico.org.uk/for-organisations/sme-web-hub/checklists/...

[3] https://ico.org.uk/for-organisations/sme-web-hub/checklists/...

[4] https://ico.org.uk/for-organisations/guide-to-data-protectio...

[5] https://www.legislation.gov.uk/eur/2016/679/contents

Okay, fair enough - I agree that GDPR is certainly scary and daunting. But once you get past that, it is still something that can practically be implemented by small businesses, and generally improves things for users.

My whole point here is that the Online Safety Bill cannot be practically implemented by anyone other than massive businesses, and even then it implicitly requires massive privacy violations. Which puts in a completely different class of problem to implementing GDPR.

There will be SaaS companies soon that audit your content for you [1], the same as accounting companies that audit your taxes, because the tax code is too complicated for you to get right.

If you do this an executive and not try to circumvent or game this (like with taxes), there should be no jail time for you.

[1] not that I do like giving that power to content-auditing-companies.

It's very easy to make a checklist for GDPR compliance.

For the proposed content moderation it is pretty much impossible.

It's kinda like making a law that says you cannot make inappropriate jokes in front of the police. Who the hell gets to decide what is inappropriate? It's intentionally left vague to make everyone guilty and allow for selective enforcement.

I'm not sure I understand. A large company has a whole team and a small start-up has one person assign the task? That sounds entirely reasonable.
The large company has a whole team with expertise to work on the task - they don't implement it but handle legal affairs and the process. It is implemented by hundres of employees all over the company. A small startup has one person without a clue (and I gave talks about GDPR).
the small startup has to pay for that person that didn’t exist before, which reduces the resources available to them. it’s pretty clear why it’s a detriment to startups but not to large tech.
Something to wonder: How will these laws affect the current brain flow in the UK [0]?

> whilst simultaneously pushing through legislation which effectively ensures that GAFAM are the only people who can operate!

Considering they can get UK-based employees at a discount, that's a win for the US tech sector!

[0] https://spectrum.ieee.org/at-work/tech-careers/the-global-br...

We have a little forum with a niche community. Few months ago we have closed the registration, because of spam and also because we had people posting questionable stuff and then reporting it to the hosting provider. There is not much money from ads, it barely covers the servers. Moderators do not always have time to react quickly to something stupid.

Probably many other communities will be forced to close with either having to move to Facebook or other privacy hostile platforms.

Then there is EU terreg - we have some members from the EU, so we would have to boot them out or create a legal entity in the EU to process content removal requests as I understand, in a year or so. There is no money for that. Sad times for the internet...

> we would have to boot them out or create a legal entity in the EU to process content removal requests as I understand, in a year or so.

Have you considered just ignoring them? Provided you're not an (international) business, you can likely afford to ignore foreign governments, and if they want to block you, that's up to them.

I'm so happy that there are people out there who care about this things and have the time to invest fighting the fight. I would like to be with you there but right now my life doesn't allow the time but I'm totally with you there but only can help by throwing some money on the problem.

But a very big thank you to everyone involved!

"when we force technology companies to make calls about what is right or wrong - or what is “likely to have adverse psychological or physical impacts” on children - we end up in a dangerous place of centralising and regulating relative morals"

I told myself to laugh when I read this line. As it stands now, a small group of Facebook and Google executives determine what peasants are allowed to think and see on a daily basis based on their "relative morals". Not that politicians are any better, but at least some people did vote for them, and that counts for something.

Let's be real here, anyone with time on their hands should click on foundation, and go check each of their grant histories. I am not even going to agree or disagree with the legislation, but I'm going to bet the money trail will explain this letter.

(comment deleted)
> Whilst we sympathise with the [UK] government’s desire to show action in this space and to do something about children’s safety (everyone’s safety really)

I don't sympathize with it. A government which supports and arms near-genocidal attacks and blockades in Yemen and in Palestine - is not a legitimate actor where it comes to safety and harm prevention online. Or at the very least - where its involvement may have effect on non-UK-citizens.

The current UK politicians are so mind numbingly naive in so many ways.
That's what they want you to think. It's not naivete.
> Whilst we sympathise with the government’s desire to show action in this space and to do something about children’s safety (everyone’s safety really), we cannot possibly agree with the methods.

Respectfully, stop sympathising with authoritarians who want to take away your freedom. They are not good people. Good people aren't nosey. Good people don't deprive others of liberty. Neither do they class a whole group (Internet users and entrepreneurs) as responsible for the actions of a minority. Guilt by association and collective punishment are antithetical to any lover of freedom and life.

Their reasons of 'child safety' and 'online harms' (whatever on earth that means) are simply pretexts. They don't give a shit about children's safety. This bill will do nothing, nothing to improve the safety of children. The perpetrators will simply go after children in other ways. They won't change.

If you, Mr. MP, care about children then ask why are they drawn to bad online content? What's going wrong with families and upbringing? Start with questions that might actually address the problem rather than implicate everyone who uses the Internet!

The trajectory is to increase their power and control over your life. Again, they are NOT good people. They know EXACTLY what they are doing. They love dominating you. It's understandable why some imagine the government as simply well-meaning but misguided, for it makes our helpless subjection easier to accept. But we won't stop getting the boot from the state until we start calling their actions out as morally reprehensible.

Indeed. We know exactly how much the UK conservatives care about child safety by their decisions around funding for child protection, schooling, health and so on. The child protection argument is a smoke screen.
Ex-fucking-actly right.

Various legislation around internet-related activities cleaning to be to "protect children" only shifts government resources and funding away from the departments that actually do something real and tangible to protect children.

Child protection where I'm from only has the resources to attend to reports in which the child is in immediate, life-threatening danger.

If a politician is talking about protecting children and it doesn't include increased funding for the actual child protection agencies and education of the bottom end of society, then they're actually working against protecting children. It's gross politics and should be called out.

If I could give you 1000 upvotes, no 1000000, I would. This is a comment that should be spread far and wide.
Yeah, this is clearly a case where the harm far exceeds the damage being prevented and this isn't even considering second order effects. If everyone starts circumventing government controls then real criminals will have an easier time to hide in the crowd, it's entirely plausible for this to cause more abuse of children.

Where are all the UK politicians that actually care about their people?

This appears to be the thing that will finally take my sites offline.

I'm an individual who runs 300 forums. I do this because I believe that forums organised around an interest bring people together and help address loneliness. Further I believe that if you do that, you also help minimise the impact of depression and things like the suicide rate for middle aged men.

The forums are things like this: https://www.lfgss.com/ Cycling related. So that people come together, build friendships, and take those friendships into the real world through the interest - to go on a cycle ride.

I can't really see how I could comply with this bill at a low cost (the forums all run a deficit that I cover), and even if I did the paperwork side of things there are risks created that come with large and scary penalties for me... too large for me to consider bearing them.

There is no exemption I fit in... I run forums, and these are defined by the bill as being a regulated service.

I think you should contact the press. Maybe The Guardian? You seem like the kind of person that could help bring light and counterweight to this
Transfer them to the United States and simply ban European members?
or better, transfer them to Europe and simply ban UK.
There is a good chance a significant portion of those forums have UK members. You can't just hollow out a community like that and expect it to survive.
A tickbox asking, "If you are in the UK you cannot access this site, are you in the UK?"
If it really came to this, transfer ownership wholesale to someone who resides outside of both the UK and the EU and who isn't worried about risking UK legal ire. That way none of the current members need to be banned. (I hear Seychelles is a good jurisdiction for such things.)

Of course, the UK government might attempt to filter the website. But if SciHub is anything to go by then that might not be very effective.

OFCOM will recommend thresholds in terms of the number of users a service needs to have for the legislation to apply to it. Hopefully they'll set the threshold at Twitter scale, so unless you've got 100k/millions of users you'll probably be OK.
Is the Matrix based in the UK? I guess I don't follow why this UK specific law matters to anybody outside that country. I mean, if the Matrix is in the EU then is a UK law really relevant? If your website is not based in the UK then it's not your problem unless I'm missing something. Even if the reach of the UK was beyond its shores then the fallback is to simply ban that country's IP addresses. Sucks to be from that country but blame your government for draconian legislation.
Yes, the Matrix.org Foundation is a UK non-profit. It leans heavily on Element, the company which set up by the original Matrix team to fund Matrix, which is a UK for-profit. So if the UK govt starts incarcerating the team who created Matrix because they provide Matrix hosting, this is bad news for Matrix.
Yes that totally is terrible for them then. Hope this all falls apart for Boris.
What the US, UK, EU, Australia, Canada, etc... do have implications for the whole world. These countries all communicate and align on surveillance policy.
I guess they'll just have to try and block it. The matrix devs aren't going to give in to government nonsense. Too bad they want to make 1984 a real thing.
I realize this is about the least popular opinion you can express on HN, but I really strongly dislike the lack of engagement with the issue here.

Online abuse, of all varieties, including sexual abuse, including of children, is not a boogieman. It is not marginal. It is not so rare as to be a rounding error. It is not enough for you, personally, to not want to partake in it. A person is not bad, or evil, or morally compromised, for recognizing or wanting to mitigate this problem.

Semi-centralized control over data is not the end of the world. Most people are rightly fine with companies storing their data. The ability to enforce laws in publically shared online spaces is not an unthinkable compromise. Not all data needs to be end-to-end encrypted and immune to outside influence. Defaults matter. Purely offline methods of intervention and investigation are difficult to apply.

I understand there are significant difficulties here. I moved to DuckDuckGo for my default search engine as a response to the mess Google made wrt. COVID. I am extremely worried about how disinformation countermeasures have and will continue to be misapplied. I realize that governments are not generally trustworthy. I agree that overregulation is extremely harmful.

I just wish people would take both sides of the issue equally seriously.

In that case we should stop the online safety bill entirely because it will only end up with more child abuse in the end!
The positive part of this bill is that children will be free from risk after it passes, because actual risks to children have moved from the physical world to online now.

/s, if it wasn't obvious. Don't we have laws that protect children already?

It's clear to me that this bill is incompatible with end-to-end encrypted chat apps. It's a convenient, backdoor way of allowing the security services to read all our messages again without the government needing to ban encryption itself. I suspect this is the real motivation, especially since it was originally proposed by May.
No-one is mentioning that this bill will compel platforms to host content they do not want.

https://www.gov.uk/government/news/landmark-laws-to-keep-chi...

> All in-scope companies will need to consider and put in place safeguards for freedom of expression when fulfilling their duties. These safeguards will be set out by Ofcom in codes of practice but, for example, might include having human moderators take decisions in complex cases where context is important.

> People using their services will need to have access to effective routes of appeal for content removed without good reason and companies must reinstate that content if it has been removed unfairly. Users will also be able to appeal to Ofcom and these complaints will form an essential part of Ofcom’s horizon-scanning, research and enforcement activity.

> These are, quite frankly, steps towards an authoritarian dystopia.

Says it all.