61 comments

[ 5.4 ms ] story [ 134 ms ] thread
More in-depth information:

https://netzpolitik.org/2021/eu-commission-why-chat-control-...

Including for example:

"According to a legal opinion by Prof. Dr. Ninon Colneric automated scanning could indeed be illegal. Surveillance without a specific reason or reasonable suspicion is prohibited in the EU due to the fact of its violation of fundamental rights. The European Court of Justice has repeatedly confirmed this view and, for example, reproved the retention of data on a number of occasions.

Nevertheless, attempts to revive the data retention zombie with legal tricks have not died down. The demand can be found regularly in council papers of various EU countries. Thus, this type of mass surveillance is still part of the German Telecommunications Act („Telekommunikationsgesetz“), although being currently suspended."

The open letter, linked in the article, is also a good read:

https://www.patrick-breyer.de/wp-content/uploads/2021/11/202...

Notably:

"Individuals, businesses and government rely on end-to-end encryption to safeguard their personal, commercial and state secrets. The safety of individuals (e.g. witnesses, officials) depends on secure encryption protecting their confidential communications. Backdoors can and will be abused by criminals, foreign intelligence services and forces that seek to destabilise our society. The Commission keeps reiterating its commitment to not generally weaken encryption, but “client-side scanning” would do exactly this."

A question I have about this topic: Banks and other organizations, including governments themselves, mandate that specific kinds of information be kept secret. An example of this is the information I need to log in to my bank account.

How am I supposed to comply with these requirements if every device I use is compromised?

> reproved the retention of data on a number of occasions

Source?

Quoting for example from https://curia.europa.eu/jcms/upload/docs/application/pdf/202..., "The Court of Justice confirms that EU law precludes national legislation requiring a provider of electronic communications services to carry out the general and indiscriminate transmission or retention of traffic data and location data for the purpose of combating crime in general or of safeguarding national security":

"Thus, in the judgment of 8 April 2014, Digital Rights Ireland and Others (C-293/12 and C-594/12) (see Press Release No 54/14), the Court declared Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54), invalid on the ground that the interference with the rights to respect for private life and to the protection of personal data, recognised by the Charter of Fundamental Rights of the European Union (‘the Charter'), which resulted from the general obligation to retain traffic data and location data laid down by that directive was not limited to what was strictly necessary. In the judgment of 21 December 2016, Tele2 Sverige and Watson and Others (C-203/15 and C-698/15) (see Press Release No 145/16), the Court then interpreted Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 (OJ 2009 L 337, p. 11) ('the directive on privacy and electronic communications')."

Use encrypted messaging apps so that they can't be scanned.
The article says “The EU Commission wants all smartphones to search messages and photos for allegedly suspicious content before they are sent via encrypted messaging services.”
It just seems like we're moving trust further and further down the stack. Sure, you can do verification of your OS, but then the question becomes can you trust your firmware, hardware, etc.
It seems to me the real question becomes can you trust governments? Increasingly the answer seems to be “no, not at all”

Treating the public like the enemy is a good way to destroy trust in all its forms.

> can you trust your firmware, hardware, etc.

Nope. We'll never have truly free computing until we can make our own hardware at home. Just like we can make free software at home.

Governments will eventually decide that unrestricted computers that run arbitraty code are too subversive. They turn laws into a joke. They destroy entrenched business models. Stuff like copyright barely makes any sense now that networked computers exist. Encryption alone is a potent enough weapon to defeat militaries

They don't want the masses to have access to such a poweful thing. Industries and governments are completely aligned on this matter.

Sounds like Apple led the way here. Good job!
You should put a /s when you're being sarcastic on the internet. Otherwise people might think you're misanthropic.
So then you just sideload the messaging app instead of using the official build that complies with the legal system. Just like many crime groups do already - look at the EncroChat phones that gangs were using.

This just isn't enforceable. Yet more laws made by people that don't understand the technology.

How is that going to help you? Googles recent android version are also making sure you can't change the default camera app for in app photos. So you'd have to run a bunch of third party apps in conjunction.

It's possible, just really inconvenient. Except for the "few" people running their custom rom android phones.

So anyone who is acting nefariously can circumvent with bit of work, and the rest of us are subject to another vector of mass surveillance.
So roll back to a previous version and start there. Android is open source. No reason a community couldn't fork it, maintain it and do what they want with it.

Jailbreaking is also a thing. Modifying the OS enough to break through vendor imposed restrictions. Why is that implausible for this example?

I'm not saying it's easy. There are certainly limitations due to the secure boot process of Android devices. But what if there was a way to change the root keys? Then it's an open game. Black market for devices with modified keys, unique per device, sign the image loaded on them to ensure the same level of security, and then load whatever you want.

This idea that our corporate overlords define what we are able to do is the only thing stopping us from proving otherwise. If someone says something is impossible, you ask for proof, question them, check their work. You don't accept and move on. This is a foundation of security research - any business claiming their product is "hack proof" is just asking to be hacked. Same goes here - if the vendor says you're not allowed to do something, you find a way around it.

> "So then you just sideload the messaging app instead of using the official build that complies with the legal system"

That's not how computers work.

The scanning would take place at the lowest possible layer (ie. keyboard input, or kernel-mode input driver, etc), such that the user-mode software itself wouldn't be able to bypass the scan. It could also happen at the hardware layer.

You'll need to bring your own hardware/software to ensure you're not being monitored.

Like I replied above. Having your own hardware is pointless if the people you're talking to are having their devices scanned.
But... That's exactly how computers work.

If you had a look at EncroChat at all, you'd see that they were running a custom Android OS with a bunch of their own apps on it.

Yes, we can take it to hardware level, however, that's not what was being discussed. The idea of mandating app developers to use the scanning tech can be trivially circumvented. i.e. Law makers not understanding the technology.

Mandating a hardware implant to achieve the same goals is a better understanding of the technology involved, but that ends badly for everyone. At least with software, a vulnerability can be fixed. In hardware, you're stuck with buying a new device or living with the vulnerability. Not to mention it's an open statement that the law makers want to spy on you.

Doesn't have to be enforceable. If the people whom you're talking to have their messages scanned, then your messages get seen also.
EncroChat was literally taken over by law enforcement, backdoored and the entire network was compromised. Not a good example :-)
yeah that whole app and network was an FBI plant from the beginning...
Conspiracy theories aren't helpful.
is it a conspiracy theory?
With no proof, yes it's a conspiracy theory. As others have stated, there is another app linked in the wiki article about EncroChat which was developed by the FBI, with evidence to back that up.
Ah OK yeah I had the app name mixed up. I was thinking of the ANOM app that was developed by the FBI.
So we just gonna ignore the years it was used and unbroken? Now EncroChat is gone, I'm sure there's a few new ones out there in its place.
There should be legal repercussions against anyone even suggesting something as blatantly illegal and tyrannical/totalitarian as this. Have we learn nothing from communism?

Globally destroying web experience by mandating super-useless, super-obnoxious Cookie prompts on all web pages is one thing, but setting things up for "Equilibrium" or "1984" type of society is a whole new level, and I'm not sure if sheer stupidity can be claimed on this one.

I strongly hope that Google & Apple are already planning lawsuits against this. My next phone will be an Android with custom ROM if this passes with no protest.
You expect resistance from Apple? To me it sounds exactly like what they are trying to push.
Have we learned nothing from communism?

You mean countries that decided to call them that or communism theory?

Cause idk democracy is pretty shit when you take north korea as a prime example.

> Globally destroying web experience by mandating super-useless, super-obnoxious Cookie prompts on all web pages is one thing

Nobody did that.

And yet they are on every website I visit and annoy me endlessly.
Enable the annoyances filters in ublock origin settings, gets rid of a lot of them, but not all
Wow, cool! I hadn't even seen that before. I enabled all the annoyances filters -- let's see what happens. I tip my hat off to you :)
Do you know what's funny? The sites make a big show of how they are "made to show this annoying popup", right

But funnily enough, the other 10 popups/banners/sliders etc to sign for their newsletters, promotions, etc are all voluntary then?

Yes, but they are not mandated by anyone.
We should monitor the EU ministers' private messages to make sure they aren't discussing subversive ideas such as totalitarian surveillance.
> Have we learn nothing from communism?

no? I mean, right now in most countries instead of "to protect the children" you could use the excuse of "to stop misinformation", "to prevent damage from antivaxxers" and the majority will cheer your censorship efforts.

How is this different from India in Kashmir?
The actual joint statement linked to in the article (https://slovenian-presidency.consilium.europa.eu/media/x3rjw...) does not mention mandatory screening. It is a more high-level declaration about working against child abuse without specifics.

Personally I still consider it unlikely that the actual proposal, whenever it comes, would include mandatory screening of encrypted communications of the kind depicted in the article. It would not pass parliament.

It will more likely aim to legalize the current practice of voluntary screening (which is temporarily allowed for 3 years, granted in July 2021) or something similar.

I am not sure it goes through any parliament.It doesnt have to pass parliament to become EU law. I guess it would be EU regulation, which can be created by either EU council or EU commission and has to be implemented eu wide.

EU parliament can voice, but not block.

Oh no, more unsubstantiated FUD by this guy?

Actually the last I heard, the latest proposals had the chat monitoring removed, but I can't find the link now

now that apple has shown the world that Pandora's box is open it is a foregone conclusion that on device scanning will be implemented on android as well. and not just for images of course, but all device contents.

apple:

  - “Let us be clear, this technology is limited to detecting CSAM [child sexual abuse material] stored in iCloud and we will not accede to any government’s request to expand it,”
also appel:

  - “These decisions are not always easy, and we may not agree with the laws that shape them,” the company said. “But our priority remains creating the best user experience without violating the rules we are obligated to follow.”
the on-device method will 100% absolutely be abused in due time. apple will simply claim it is a new system, not the previously used CSAM method, and then hide behind their "lawful obligation".
> apple will simply [...] hide behind their "lawful obligation".

Not sure why you expect Apple to fight your legal battles, since they are simply selling tools (iPhones) that have to comply with the local laws. Would you want random OEMs to skip the local laws they do not like?

If you do not agree with the laws in your country, you need to work to change them.

It's a little more than "expecting apple to fight your legal battles", when apple's demonstration of their capabilities is the motivation for the legal changes to begin with.
We should take the evolution of facial recognition as a model. The technology improved and capabilities were demonstrated and put in practice. But thanks to sufficient pushback from the society at large, many places are passing laws against facial recognition.
Would you support a feature that made your car report you to the authorities every time you drove over the speed limit? Or, would you support listening devices installed in your car, with specific filters in place, which only report you to the authorities if you, say, threaten to kill the president? If the above sounds creepy or invasive (which they do to me), then Apple's actions should seem creepy or invasive to you as well.

Also, many laws are routinely broken by convention. If you drive in the US for example you will see that the speed limit, by convention, is most often the minimum acceptable speed, with a 10-15 mph buffer; ie, a speed limit of 65 means the majority of cars will drive at 65-75 mph. Also, laws are routinely added but rarely removed.

(comment deleted)
So then we create systems which send 10 nonsense emails with occasional flagged words along with every one real message, inundating them with so much data they cannot begin the handle it.

They already cannot handle the reams of financial reporting data they began requiring a few years ago - burdens which have made good companies shut down because the increased overhead was so great that doing business was no longer feasible.

These politicians are so ignorant of technology and real life itself that it’s a wonder we keep electing them.

Who shut down?
They can absolutely handle the data, because all they have to do is collect it not analyse it.

The data's use isn't just in real time on ingestion. It allows them to examine anyone they want under a microscope forever after.

Once the collection has been running for a while: If I'm in power today and I don't like something you said today, I can look over your entire life history, and that of your parents and all other associates, and find all kinds of things to make you disappear, even if you never actually did anything wrong.

But you don't have access to that same power to discredit me or to defend yourself.

> So then we create systems which send 10 nonsense emails with occasional flagged words along with every one real message, inundating them with so much data they cannot begin the handle it.

Which will then get you charged with wasting police time, covering criminals or worse. Also, it will be pretty obvious that all those reports originate from you, unless you have a massive amount of burner phones - which are, by the way, also on their legislative way out.

I wonder if government will ever shift focus to the OS layer? Seems like surveillance of keyboard apps and app metadata would be more difficult to casually get around.
Recent and related:

EU Chatcontrol 2.0 [video] - https://news.ycombinator.com/item?id=29066894 - Nov 2021 (197 comments)

Previously:

Messaging and chat control - https://news.ycombinator.com/item?id=28115343 - Aug 2021 (317 comments)

EU Parliament approves mass surveillance of private communications - https://news.ycombinator.com/item?id=27759814 - July 2021 (11 comments)

European Parliament approves mass surveillance of private communication - https://news.ycombinator.com/item?id=27753727 - July 2021 (415 comments)

Indiscriminate messaging and chatcontrol: Last chance to protest - https://news.ycombinator.com/item?id=27736435 - July 2021 (104 comments)

IT companies warn in open letter: EU wants to ban encryption - https://news.ycombinator.com/item?id=26825653 - April 2021 (217 comments)

Others?

The only thing I've searched for through TFA is the excuse^wreasoning: children or terrorism? Ah, it's the former in this case.

This surveillance bingo is always two-squared.

Once again, technology causes disruption to those in power. Thus, those in power dictate that technology must be tightly controlled with the rulers having access to superior technology than the ruled.