I'm almost 100% positive they will, there's a broad consensus among left and right that this proposal is bonkers.
What I've heard is that the only this is a proposal that child rights NGOs has been lobbying for, which I think we can both agree, are not expert in anything tech.
Assuming the OS has privileged access to everything that runs on it, the EU just has to tell the vendor to implement scanning and reporting at ring(app-1) and let the vendors scramble to figure out how to make that fever dream a reality, no? Hell, put it into the Intel Management Engine/analogue and compromise every device subsequently manufactured. The pervs (or the freedom fighters, or the tentacle hentai underground, or whatever) will just have to go back to passing hardcopy in dank backrooms of no-longer-smoky-because-they-banned-smoking-in-pubs...pubs
>It's not dark magic to host a private, e2ee chat service.
But it might be a good way to attract the attention of law enforcement.
People running PGP phone services have been arrested and prosecuted because their networks were primarily used by criminals. If you run a encrypted chat service to circumvent the law you might be held accountable for what users use your encrypted chat service for.
Remember, these are politicians. What they do doesn't have to make sense or be possible. All they have to do is pass laws. If it makes everyone a criminal that's good. The law just won't be enforced unless you rock the boat. Much like with the CFAA in the USA or GDPR in Europe.
Sometimes I wonder if criminals aren't as lazy and prone to just using what's popular as the rest of us.
How often do communications done through a wide variety of channels that wouldn't satisfy a cypherpunk from email to Whatsapp show up on evidence before court, even if the people involved knew that they could end up in court? Weren't a bunch of criminals fooled by a literal FBI phone?
It depends on the level of criminal. The larger criminal organizations had their own phone networks. But even then, it's still suffers the same issues as any other organization in that at some point some of its members are going to be top notch and great at what they do, others will be the types to do the least possible or even ignore procedures.
If i open kik in my location there's whole bunch of people openly dealing drugs.
Maybe some are lazy. But it's a two way street. They probably are capable of using more secure means but that means far less customers.
but you are missing out that the solution is to keep making it inconvenient to let people use linux and other kinds of custom devices
eventually either nobody will use that, or they'll just jump the shark and outlaw such things
I know that for example in Canada, because taxes, ALL restaurants are (were?) FORCED to use a specific sets of devices else they're branded as tax-avoiders and dealt with accordingly
I've already had trouble using banking stuff under linux, I have had to cancel some cards because they became useless without a smartphone app (the real punchline is that I got a new card that's only works on a smartphone. but at least it was like this when I signed up; they didn't change how it works under my feet)
Most Linux contributions are made by multi-billions companies like IBM/Redhat. They would not risk to contravene to law. For example that it conforms to the law, look at WiFi drivers. There are many requirement by local laws on which band to use, what kind of traffic is authorized, etc. The WiFi drivers (most of them opaque binaries) conform to each country law.
To make Linux not lawful, you would have to create your own kernel with your own altered drivers, except you can't modify binaries.
Even then how could you make you system unidentifiable? How would you have control over booting your modified Linux in a commercial computer that uses UEFI? How would you know that the commercial CPU is not phoning home through the Intel Management Engine?
You would have use a FPGA CPU, your own designed hardware and a trusted OS but at the end you will always rely on the work of thousands people and hundred companies.
Mainline WiFi drivers will easily let you break the law by just pretending to be in a place with different regulations. Assuming this ever gets implemented in Linux, there's no reason to believe you won't be able to just pretend to be in Uzbekistan or whatever where this EU law doesn't apply.
If literally every jurisdiction on Earth makes it a crime, then I guess this option would go away, but that seems unlikely to me.
> Most Linux contributions are made by multi-billions companies like IBM/Redhat.
The source code is published on the internet under the GPL. Anyone who doesn't like any of their contributions can take that one out and keep any of the others. Do you expect the Kali Linux people to include a backdoor?
> To make Linux not lawful, you would have to create your own kernel with your own altered drivers, except you can't modify binaries.
You can in fact modify binaries, it's just more work. For one person, once. Although that's fairly irrelevant because there exists hardware that doesn't require binary-only drivers.
> How would you know that the commercial CPU is not phoning home through the Intel Management Engine?
You install a firewall in front of it to detect or prevent this. Also, because it can be so easily detected and would be a scandal, it's very likely to be public knowledge if any commercial hardware in widespread use actually did this.
Are you sure the hardware you are going to use for firewall purposes is not biased towards letting the traffic from/to Intel ME to be unnoticed? What filters are you going to set?
What if your computer is still accessible for Intel ME surveillance because the VPN server is also Intel ME and they would negotiate somehow to keep having your Intel ME instance an ability to phone home? Is in possible to have a VPN provider which guarantees not having any Intel machines on the network?
> What if your computer is still accessible for Intel ME surveillance because the VPN server is also Intel ME and they would negotiate somehow to keep having your Intel ME instance an ability to phone home?
This would require the hardware backdoor to be aware of and integrate with the specific VPN that you used, which could be a version of the code published after the hardware shipped.
> Is in possible to have a VPN provider which guarantees not having any Intel machines on the network?
Irrelevant unless the code on your side could hook the VPN, though of course you could.
The better attack would be to have the compromised firmware send its packets using the addresses and ports of some existing connection regardless of its contents, and then have a compromised ISP read them. But even that could be detected by logging the packets at the clean firewall. If it records any that aren't a part of the VPN connection then you've got yourself a rat and a scandal.
The ANOM service was widely used by criminals, but instead of providing secure communication, it was actually a trojan horse covertly distributed by the United States Federal Bureau of Investigation (FBI) and the Australian Federal Police (AFP), enabling them to monitor all communications.
I want to see a mockup of the UI that Whatsapp will show for this...
I want to see some quick animation that shows each image sent being inspected for nudity, children, weapons, and a list of other things. I want to see the probability of each item shown to the user. I want the decision thresholds to be shown, and the animation showing the rest of what will happen to them if the threshold is exceeded (ie. "Report to police", "fired from job", "Judge", "Prison").
If whatsapp manage to manage to convey all that in a 3 second animation whenever an image is sent, I think users will baulk and the law will be removed.
In the future sending a WhatsApp text message such as "I stand with Palestine" will have the police knocking at your door with an arrest warrant in hand. I think Germany or the UK will be the first places to implement it. The spirit of the Gestapo and Stasi lives on.
Not specific to this, but can we just rename the "European Union" to "Big Government" at this point? It feels like every month there is something else the EU is trying to be a nanny for and it is starting to feel like they're moving towards becoming something in the vein of what China does to their citizens and internet.
The EU is nothing like China. China is basically a dictatorship, run by a single party, with a single guy on top who can make far reaching decisions. The EU is a huge collection of institutions and political parties. Even if they agree on something in the parliament and the commission, they still need all the heads
of government - from every single member country - to agree before it becomes law. And even if they manage to do that, political activists can and have brought down laws using the European court of justice. These spy laws under the guise of protecting children from sexual abuse from zealot parties have come and gone for many years now, but functioning democracies like the EU have never seen them come to fruition.
The key difference is the EU doesnt have as much enforcement ability because they are not a dictatorship and the people they are governing have higher expectations. None of which is really a credit to the EU.
The point was that these ideas are neither new nor rare. They constantly pop up everywhere. But only a functioning democracy can keep them at bay. Like it or not, it is the only thing that can protect you from mad/powerhungry people's ideas.
This is a fallacy of composition. A hearing to evaluate one proposal in one country is not 'The EU is doing a thing', any more than a hearing in a US state legislature or even in Congress is equivalent to a law being passed.
The thing is the Tech community doesn't have a clear and simple response to CSAM, although CSAM has proliferated with the growth of the internet. Nobody cares about the technical excuses; people care about the absence of any clear effort to reduce its availability and spread. Absent technical measures, people will continue to demand legislative ones.
That's another absurd point about our public debates: No one cares to share some facts. It feels like it's all based on gut feeling and emotions.
As far as I know, we don't have official numbers (at least not shared as part of the discussion). But what we know is, those scanners have a significantly high error rate and will overwhelm law enforcement with false-positives. What we also know is that law enforcement is simply not competent enough, there was a case in Germany where they just removed links in a Forum forgetting to sweep the according link targets to file hosters.
It is the issue under discussion. The justification for prohibiting the material is that its production requires child abuse. But copying doesn't require additional production. It may have even gone down if dissemination of existing images competes with new production, or wider dissemination makes it easier for law enforcement to obtain the images and use them to track down the producers. Whether or not the amount of abuse increased is then quite relevant.
No, the issue is the proliferation of CSAM. Reducing child abuse in CSAM production is only one of the reasons its prohibited. I find it hard to believe that a long time technology advocate like yourself is unaware of the fact that the circulation of older CSAM continues to hurt people who were abused in its manufacture.
Your comment unfortunately exemplifies the problem of tech people trying to define the problem away rather than directly address the harms involved or propose privacy-respecting technical solutions to proactively mitigate it.
> Reducing child abuse in CSAM production is only one of the reasons its prohibited.
It is the primary reason that it's prohibited, outweighing any other reason by an order of magnitude.
> I find it hard to believe that a long time technology advocate like yourself is unaware of the fact that the circulation of older CSAM continues to hurt people who were abused in its manufacture.
That depends on how they feel about it. If it is the case that dissemination of existing material reduces the production of new material, no one could be faulted for wanting what they went through to prevent someone else from being forced to go through it too, if at all possible.
> Your comment unfortunately exemplifies the problem of tech people trying to define the problem away rather than directly address the harms involved or propose privacy-respecting technical solutions to proactively mitigate it.
There isn't any known privacy-respecting technical solution and it may not even be possible for one to exist. You can't tell if someone's secret is unlawful without knowing what it is, but anything with access to all of everyone's secrets is inherently a comprehensive violation of everyone's privacy. Any technological solution that could be used for this could not be limited to being used for this.
Fundamentally what you're asking for is the technology to violate everyone's privacy, so that you can violate the privacy of child abusers. But the technology doesn't care what you use it for. It can't be limited to only being used against bad guys.
The EU doesn't have a patriot act; the whole body of decades of EU legislation on tech is still less intrusive than that one single act the US has in place and continues to use extensively. Not to mention that US agencies have a long history of acting outside the law, which has no real equivalent in Europe except maybe Russia. There is a reason why police agencies in Europe want more rights, currently they are very curtailed an unable to handle much of digital crime.
More generally, the EU has some stupid laws but also plenty of important ones that either bring greater good (safe products in the supermarkets, trade standards, common procurement rules, accountability of what national governments do on economic policy and debt levels, ...) or good for a specific sector (strong data protection and rights for instance, tech standards like usb c, etc). Here the discussion is not even about a law but about a proposal for a law where different people and bodies express different views. EU lawmaking is lengthy and quite transparent so you have these discussions often and at various points in the process, which is unusual compared to many national contexts. And it lends itself to viewing and overstating different views. It doesn't help that there are many lobby groups that sound like semi-EU bodies when they are in reality just industry groups of various kinds that make broad demands which are then echoed in the press as some kind of EU positon.
I'm sorry you've been led to have such a negative emotional reaction to the EU, but it just doesn't mirror the actual facts.
Most of them don't even allow you to opt out, they just say "we use cookies" and there's an accept button. Yes, I recognize that's malicious compliance and not necessarily the fault of the GDPR.
> The thing is the Tech community doesn't have a clear and simple response to CSAM
The Automotive community doesn't have a clear and simple response to bank robbery. Nor are they expected to, because they are not a law enforcement agency.
> The Automotive community doesn't have a clear and simple response to bank robbery. Nor are they expected to, because they are not a law enforcement agency.
Measures against auto theft are well established to have brought down incidence of robbery, because it makes it harder to get a getaway car. And the auto industry has absolutely been given the responsibility of overseeing that.
Maybe every car should have a tracker, camera, and audio mic feeding back to the police, just in case someone in some car somewhere is driving drunk and talking about it. Then we can immediately dispatch an officer. Also, it’ll be easy to track stolen cars right? You might even catch other crimes, so it’s like a win-win-win, right?
Does that seem reasonable? If not, then phone scanning probably is not reasonable either.
> Measures against auto theft are well established to have brought down incidence of robbery, because it makes it harder to get a getaway car.
Measures against theft are driven by the market because car buyers don't want their cars to be stolen. Some incidental effect on getaway cars is nothing they had an obligation to provide.
And it's questionable whether that is even true, because anyone could just steal an older car or different make with no such anti-theft features, or use their own car and steal someone else's license plate.
Your point is spot on, but I fully expect this to change when (if) self driving cars happen. I see absolutely no chance that automakers arent forced to create government mandated overrides for police or whomever. In fact I think it’s plausible that self driving cars are not allowed on the road without centralized control from the very beginning. Not as some exception, but as a primary feature for controlling traffic as a whole.
That's a single point of failure. The centralized system goes down and your whole country's transportation system is dead. Politicians may want that but it's an extraordinarily bad idea and it's possible that there are enough people who understand that in e.g. the military with the political influence to prevent it.
It also kind of defeats the entire concept of self-driving cars, which is that they can work without that. They have to be able to work in places with bad wireless reception or a power outage in the traffic control system, not only because of the single point of failure but because things like that could happen while the vehicle is in motion.
Meanwhile there is no legitimate reason to make them mandatory because people already have the incentive to use a system that provides quicker routes. There is no law requiring people to use Waze, but they do.
I have never heard anyone blame automative manufactures for the use of getaway cars, nor have I ever heard anyone in that industry vocally minimizing the problem of vehicular crime to avoid some commercial inconvenience. The nearest thing I can think of is manufacturers ignoring the legal requirement for front license plates in their designs.
> I have never heard anyone blame automative manufactures for the use of getaway cars
This is exactly my point. Yet we have people trying to get tech corporations to act in the role of law enforcement, which they ought not to be doing and certainly ought not be to required to by law.
> nor have I ever heard anyone in that industry vocally minimizing the problem of vehicular crime to avoid some commercial inconvenience.
If you have people demanding that all cars come with government tracking devices under the pretext they could be used in bank robberies and someone in the auto industry notices that bank robberies aren't actually all that common, what should they do? Pretend it to be otherwise?
This is not a matter of commercial inconvenience. The economic cost of writing or installing the code is not the issue. The issue is that this is totalitarianism which once installed would not be limited to enforcing laws against child abuse. One of the reasons privacy is a human right is to protect the public against abuses of the state. It doesn't cease to be a right because the state finds it inconvenient -- the state is meant to find it inconvenient.
There are lots of things you can do to reduce child abuse, the problem is conservatives hate anything that means sex is not taboo. The result is that they block any kind of meaningful sex ed, and make manipulating and abusing children much easier - manipulating children by telling them people will think they're sluts, or their parents will abandon them, or better yet that the victims are responsible are all standard tricks of abusers.
Then you get the constant negligible sentences when "good" people are found to be pedophiles, the constant victim blaming in courts (apparently "well look how they were dressed", "they were drinking", etc are still real defenses in the US). Look at the abuse received by people who reported that "great" coach in the US, when suddenly sports was more important than child abuse. Then of course you have the constant church coverups that are routinely ruled legal, and then the victims get called scammers.
This is before you get to the abuse of children allowed by people who are trying to "stop their child being LGBT", which is literally torture, but again 100% ok because the people doing it are the conservatives who fight actual meaningful changes to protect children.
Instead what we get is police saying we need to have an unauditable system to report the content of people's phones with no warrant. Ignore the immense cost of false accusations, ignore the documented failures of these systems, ignore the incredible scope for abuse by other people (is it CSAM, or is just LGBT content? because plenty of US states and countries consider them equal). Is it reporting to parents? Plenty of child abusers will want to know if their children are looking at anything LGBT related so they have an excuse to abuse their children.
Or maybe it's protest pictures, or pro-democracy material - once you've shipped this for CSAM, plenty of countries will immediately say "now you can do that, also include this opaque database of criminal images".
Or it could be Iran saying "images of women without a hijab should be reported".
You need to understand, once you say "a persons device should report a specific kind of content on a device to any entity", the technology is in place, and the original "specific kind" becomes whatever the country says a legal requirement, and it's legally required to report to the government.
The EU is speed running totalitarianism with good PR. What happened to the free market only and the absolutely swearing up and down it would stay that.
“Think of the children” is, as usual, just to get the foot in the door. They use it as a justification, because it works.
Of course CSAM is bad, shouldn’t we do everything in our power to prevent it? If you implement client-side scanning, you will catch some rookies. Some old pervs that don’t know how to use encryption manually, or use Matrix. They will use them to show how effective the system is…
with the exception that it doesn’t work against anyone who knows anything about computers. And I think the regulators know it, they aren’t dumb (imo). It’s, like I said earlier, an excuse to expand the scope of scanning later.
And of course in the released minutes the details of which idiot made which claim are redacted.
So much for the transparency and accountability they’ll no doubt promise will be there for the process of accusations (not that this makes the idea any better, useful, or more palatable), which need not apply to themselves.
This is standard acces to document request protocol across Europe. You are not going to make your staff targets of the internet mob (see Trump and the names of jurors). You can deduce these were likely actually low level staff (contrary to what the article claims) as names of actual high level staff would normally not be blacked out, although I don't know Europol, as a police body they might have different safety protocols.
Sorry this is not quality journalism and you misunderstood the message further.
1. The meeting tool place after the commission made it's proposal, meaning that contrary to the way the article sets it up, the meeting couldn't have shaped the proposal.
2. The screenshot of a meeting report states that Europol wants access to the same info as Member States for specific cases, contrary to your summary it doesn't say anything about access to all data.
3. That police agencies want to include further areas into the legislation is not unusual. That doesn't guarantee it will happen, nor does the police body speak for the executive or legislators or represent the EU views as a whole.
I do think the proposals go a bit too far, on the other side the whole tech world assumption that anything has to stay lawless is just absurd. No one can deny there is a problem with pedophile material and to say to protect the purity of free speech all such issues have to stay unaddressed is just a position blind to reality.
> No one can deny there is a problem with pedophile material and to say to protect the purity of free speech all such issues have to stay unaddressed is just a position blind to reality.
This is not about free speech at all. Free speech is about the government not censoring public speech and publication. Publishing this kind of material is already an exception of free speech and nobody disagrees with that.
This proposal is about the private communication of all citizens. Not only is it a disproportional measure, it's also ineffective. It will not reduce the demand for this material and will only stop a particular method of distribution. The bad actors will just move to other methods including non-digital or steganography, on unmonitored or hacked devices. Just like the war on drugs doesn't work, they will find a way.
But in the meantime this will deeply undermine the privacy of all people and this tooling will inevitably be used for more purposes than originally proposed. As this linked article shows.
And in order for this to work it will basically have to make FOSS operating systems illegal because as long as the user can modify their OS they can remove this scan. This is one of the reasons I consider it disproportional. Or if implemented on the messaging side only (which is easier to bypass than in the OS), it will make open messaging apps illegal.
It's so disheartening to follow these. Time after another we hear about some insane Orwellian plot to exploit our deepest secrets. All spun so that the masses will think it's for some noble cause like protecting the children when really it's anything but. And it never stops! Tackle one and it's back a year later in some even more devious form like a fucking Hydra. I'm just so tired I wanna move into a cottage in the woods.
> shouldn’t we do everything in our power to prevent it?
I'm more concerned about the original abuse. The pictures are obviously an issue as they create a market _for_ abuse, but if you're not targeting the original crime, I don't think you stand a chance of actually improving the world by destroying rights.
Are they thinking of the children when they raid dad's home because a picture of a kids genitals went to a physician for tele-medicine?
Are they thinking of the kids when they come for dad when dad really doesn't like his pictures scanned and self-hosts his infra and uses a Linux based phone?
This law or proposal is so fundamentally absurd, instead of the EU or member states coming up with a proposal like Frontex but for hosting a centralized CSAM + other horrible potentially illegal images/links/videos hash/identifiers, where anyone with a website can pay lets say 20€ a month to access the API to scan images/links/videos instead it has to be the most dumbest "private market will regulate it" which effectively means, everything and anyone has to be scanned.
“Private market will regulate it” in this context doesn’t mean “no rules, they will sort it out on their own”, but “we don’t care and don’t know how they will comply with that law, and we won’t assist them in any way either, they will figure it out on their own.”
This is more about paying attention to the context in which the phrase was said. A lot of things get confusing or might mean a total opposite of what you think they do, when the relevant context isn’t taken into the account.
“Private market will regulate itself” isn’t some technical term with a precise meaning that can be misused. It can “regulate itself” by not having any restrictions imposed on it, but i can also be said to “regulate itself” by exploring different solutions to challenges presented by legal requirements with no clear solution path.
However, I see your point here, because most of the time when people just say “private market will regulate itself”, they talk about heavily unregulated market situations.
That just makes it essentially the same as using HTTPS in 2012 or so. It may draw attention briefly, but then you get to have a conversation that might go something like:
"We ought to put this guy on a list for using encryption (HTTPS, Matrix) everywhere" ->
"We can't use dragnet surveillance because the people are on the list for evading dragnet surveillance" ->
"There's too many people to monitor, too many small servers to crack and backdoor, and the list is mostly just people running their own innocuos server anyways"
Subsequently, you may draw some attention at first, but if you spread attention thin enough it can effectively round to zero - especially if the activity drawing attention becomes moderately commonplace.
I would like to see an open discussion include the people who actually investigate CSAM crimes to talk about the tools they have and their limitations etc. to give people real context about what they might need for new laws.
Not that we should give law enforcement everything they want to do their jobs, but a voice coming from people with actual experience would help.
I get the sense that nearly everyone on both sides of this issue is entirely guessing.
> I get the sense that nearly everyone on both sides of this issue is entirely guessing.
I would hope that people base their political positions on strong evidence and/or the voices of subject matter experts. Alas, political positions are more based on what people want to be true, rather than what is true.
I would like evidence that police actually use the tools and evidence they already have. There are currently more than 25 thousand rape kits in the US alone that have not been tested.
That is the entire answer for "is there any interest in solving sex crimes". If the police do not have the time or the money to do the most basic work possible having already made rape victims sit through the incredibly invasive process of taking the rape kit, why should we think that anything that gives them access to the content of people's devices is going to be used for any kind of sex crime inquiry?
Police do not care about sex crimes. CSAM detection is just their new angle to get unfettered warrantless access to everyone's data. Europol representatives have already explicitly stated that that's what they want this for.
Still flabbergasted how effective the lobbying circles around Thorn have been in recent years. I wish no less than this law getting sent to Spam and Ylva Johansson, the accountable EU commissioner, to be forced to step back.
The EU legislator Martin Sonneborn, member of the German satirist party "Die Partei", is proven he was right when in beginning of the legislature he just enumerated all the criminal and semi-criminal acts of several members of the current EU commission. Led by von der Leyen who also has a horrible track record in German politics. "Europa nicht den Laien überlassen"
It's actually not funny anymore because those people are destroying everything.
Now now, millionaires need hobbies too. They can't swing for the outer edges of the atmosphere so decimating privacy on the Internet will have to do I guess. Ashton's urge to protect the children apparently trumps the privacy of 450 million EU citizens and you would think he'd be able to extend some of that zeal to adult victims of abuse as well but going by his letter to the jury on behalf of Danny Masterson, you'd be wrong.
From my understanding, Johansson is also the Commissioner who, after it coming to light that the Europol had had a little too much fun mass collecting data and gleefully violating EU citizens' privacy rights, stepped into action that resulted in an effort to pass a new law that retroactively made everything the Europol did legal.
It's the 1,5min speech where Sonneborn enumerated some cases, unfortunately in German. AFAIR when he held it, I researched a couple of names and issues he mentioned that didn't look too polemic. In general, he (and his team) is doing what I'd call "trustworthy research" packed up into satire.
I think I'll end up applying a sliding cap to the cameras of my phone, to be sure I count up to ten before taking a picture. God forbids sharing it online.
But what if a friend of mine sends me a handmade meme with a child that is not recognized as safe by the AI?
Well, I guess that there will be thousands of parents under investigation and in the news before I pick my turn from the random distribution of the false positives. It's going to be interesting for the politicians in charge.
No, you're missing the point. It's nothing to do with remotely taking a photo, nor whether or not you publish online.
It's a "all devices need to scan all data and report if anything looks illegal". So yeah, if someone sent you malicious data you could end up being arrested and paraded through the press before silently being release with your life and google search forever tainted.
It's particularly stupid because the government is essentially saying "manufacturers must search your device, and then report the content, and that is probable cause to justify a search warrant", which is obviously absurd.
All this will do is imperil the freedom of hundreds of millions of Europeans and drive the kiddy fiddlers to services that won't comply with EU surveillance: it is therefore a foregone conclusion that it's going to happen.
I wonder what will happen if I just refuse. Get rid of apps or phones that scan. What are they going to do, really? I mean really? Am I going to jail? And for how long?
Me a father, hard working, tax paying, I just don’t want my messages scanned, are they going to put me in prison?
Never trust a government that claims it supports privacy. Maybe it supports some privacy regulations, just like it supports anti-privacy regulations here or with financial privacy. The thing the EU really supports is regulation and not privacy.
There's a tight relationship between wealth and democracy and we all always assumed that democracy drove wealth but what if wealth drives democracy and as the EU gets poorer we can expect it to backslide
105 comments
[ 2.9 ms ] story [ 191 ms ] threadWhat I've heard is that the only this is a proposal that child rights NGOs has been lobbying for, which I think we can both agree, are not expert in anything tech.
Either a Matrix Server or even NextCloud chat will do the job just fine. Then just sideload an APK which is rather trivial
But it might be a good way to attract the attention of law enforcement. People running PGP phone services have been arrested and prosecuted because their networks were primarily used by criminals. If you run a encrypted chat service to circumvent the law you might be held accountable for what users use your encrypted chat service for.
Remember, these are politicians. What they do doesn't have to make sense or be possible. All they have to do is pass laws. If it makes everyone a criminal that's good. The law just won't be enforced unless you rock the boat. Much like with the CFAA in the USA or GDPR in Europe.
How often do communications done through a wide variety of channels that wouldn't satisfy a cypherpunk from email to Whatsapp show up on evidence before court, even if the people involved knew that they could end up in court? Weren't a bunch of criminals fooled by a literal FBI phone?
I am often dumbfound by the exsessive paper trail people leave for all kind of things...
eventually either nobody will use that, or they'll just jump the shark and outlaw such things
I know that for example in Canada, because taxes, ALL restaurants are (were?) FORCED to use a specific sets of devices else they're branded as tax-avoiders and dealt with accordingly
I've already had trouble using banking stuff under linux, I have had to cancel some cards because they became useless without a smartphone app (the real punchline is that I got a new card that's only works on a smartphone. but at least it was like this when I signed up; they didn't change how it works under my feet)
It's far more difficult than that.
Most Linux contributions are made by multi-billions companies like IBM/Redhat. They would not risk to contravene to law. For example that it conforms to the law, look at WiFi drivers. There are many requirement by local laws on which band to use, what kind of traffic is authorized, etc. The WiFi drivers (most of them opaque binaries) conform to each country law.
To make Linux not lawful, you would have to create your own kernel with your own altered drivers, except you can't modify binaries.
Even then how could you make you system unidentifiable? How would you have control over booting your modified Linux in a commercial computer that uses UEFI? How would you know that the commercial CPU is not phoning home through the Intel Management Engine?
You would have use a FPGA CPU, your own designed hardware and a trusted OS but at the end you will always rely on the work of thousands people and hundred companies.
If literally every jurisdiction on Earth makes it a crime, then I guess this option would go away, but that seems unlikely to me.
The source code is published on the internet under the GPL. Anyone who doesn't like any of their contributions can take that one out and keep any of the others. Do you expect the Kali Linux people to include a backdoor?
> To make Linux not lawful, you would have to create your own kernel with your own altered drivers, except you can't modify binaries.
You can in fact modify binaries, it's just more work. For one person, once. Although that's fairly irrelevant because there exists hardware that doesn't require binary-only drivers.
> How would you know that the commercial CPU is not phoning home through the Intel Management Engine?
You install a firewall in front of it to detect or prevent this. Also, because it can be so easily detected and would be a scandal, it's very likely to be public knowledge if any commercial hardware in widespread use actually did this.
Then you use default deny and allow only e.g. a VPN connection.
This would require the hardware backdoor to be aware of and integrate with the specific VPN that you used, which could be a version of the code published after the hardware shipped.
> Is in possible to have a VPN provider which guarantees not having any Intel machines on the network?
Irrelevant unless the code on your side could hook the VPN, though of course you could.
The better attack would be to have the compromised firmware send its packets using the addresses and ports of some existing connection regardless of its contents, and then have a compromised ISP read them. But even that could be detected by logging the packets at the clean firewall. If it records any that aren't a part of the VPN connection then you've got yourself a rat and a scandal.
https://en.m.wikipedia.org/wiki/ANOM
I want to see some quick animation that shows each image sent being inspected for nudity, children, weapons, and a list of other things. I want to see the probability of each item shown to the user. I want the decision thresholds to be shown, and the animation showing the rest of what will happen to them if the threshold is exceeded (ie. "Report to police", "fired from job", "Judge", "Prison").
If whatsapp manage to manage to convey all that in a 3 second animation whenever an image is sent, I think users will baulk and the law will be removed.
The thing is the Tech community doesn't have a clear and simple response to CSAM, although CSAM has proliferated with the growth of the internet. Nobody cares about the technical excuses; people care about the absence of any clear effort to reduce its availability and spread. Absent technical measures, people will continue to demand legislative ones.
Do you know if actual child abuse also proliferated?
As far as I know, we don't have official numbers (at least not shared as part of the discussion). But what we know is, those scanners have a significantly high error rate and will overwhelm law enforcement with false-positives. What we also know is that law enforcement is simply not competent enough, there was a case in Germany where they just removed links in a Forum forgetting to sweep the according link targets to file hosters.
Your comment unfortunately exemplifies the problem of tech people trying to define the problem away rather than directly address the harms involved or propose privacy-respecting technical solutions to proactively mitigate it.
It is the primary reason that it's prohibited, outweighing any other reason by an order of magnitude.
> I find it hard to believe that a long time technology advocate like yourself is unaware of the fact that the circulation of older CSAM continues to hurt people who were abused in its manufacture.
That depends on how they feel about it. If it is the case that dissemination of existing material reduces the production of new material, no one could be faulted for wanting what they went through to prevent someone else from being forced to go through it too, if at all possible.
> Your comment unfortunately exemplifies the problem of tech people trying to define the problem away rather than directly address the harms involved or propose privacy-respecting technical solutions to proactively mitigate it.
There isn't any known privacy-respecting technical solution and it may not even be possible for one to exist. You can't tell if someone's secret is unlawful without knowing what it is, but anything with access to all of everyone's secrets is inherently a comprehensive violation of everyone's privacy. Any technological solution that could be used for this could not be limited to being used for this.
Fundamentally what you're asking for is the technology to violate everyone's privacy, so that you can violate the privacy of child abusers. But the technology doesn't care what you use it for. It can't be limited to only being used against bad guys.
More generally, the EU has some stupid laws but also plenty of important ones that either bring greater good (safe products in the supermarkets, trade standards, common procurement rules, accountability of what national governments do on economic policy and debt levels, ...) or good for a specific sector (strong data protection and rights for instance, tech standards like usb c, etc). Here the discussion is not even about a law but about a proposal for a law where different people and bodies express different views. EU lawmaking is lengthy and quite transparent so you have these discussions often and at various points in the process, which is unusual compared to many national contexts. And it lends itself to viewing and overstating different views. It doesn't help that there are many lobby groups that sound like semi-EU bodies when they are in reality just industry groups of various kinds that make broad demands which are then echoed in the press as some kind of EU positon.
I'm sorry you've been led to have such a negative emotional reaction to the EU, but it just doesn't mirror the actual facts.
> which has no real equivalent in Europe
> which has no real equivalent in Europe
What a joke, now I know you're just trolling or are just that ignorant of history.
The Automotive community doesn't have a clear and simple response to bank robbery. Nor are they expected to, because they are not a law enforcement agency.
Measures against auto theft are well established to have brought down incidence of robbery, because it makes it harder to get a getaway car. And the auto industry has absolutely been given the responsibility of overseeing that.
Does that seem reasonable? If not, then phone scanning probably is not reasonable either.
Measures against theft are driven by the market because car buyers don't want their cars to be stolen. Some incidental effect on getaway cars is nothing they had an obligation to provide.
And it's questionable whether that is even true, because anyone could just steal an older car or different make with no such anti-theft features, or use their own car and steal someone else's license plate.
It also kind of defeats the entire concept of self-driving cars, which is that they can work without that. They have to be able to work in places with bad wireless reception or a power outage in the traffic control system, not only because of the single point of failure but because things like that could happen while the vehicle is in motion.
Meanwhile there is no legitimate reason to make them mandatory because people already have the incentive to use a system that provides quicker routes. There is no law requiring people to use Waze, but they do.
https://www.sfgate.com/cars/article/Front-license-plate-cars...
This is exactly my point. Yet we have people trying to get tech corporations to act in the role of law enforcement, which they ought not to be doing and certainly ought not be to required to by law.
> nor have I ever heard anyone in that industry vocally minimizing the problem of vehicular crime to avoid some commercial inconvenience.
If you have people demanding that all cars come with government tracking devices under the pretext they could be used in bank robberies and someone in the auto industry notices that bank robberies aren't actually all that common, what should they do? Pretend it to be otherwise?
This is not a matter of commercial inconvenience. The economic cost of writing or installing the code is not the issue. The issue is that this is totalitarianism which once installed would not be limited to enforcing laws against child abuse. One of the reasons privacy is a human right is to protect the public against abuses of the state. It doesn't cease to be a right because the state finds it inconvenient -- the state is meant to find it inconvenient.
Then you get the constant negligible sentences when "good" people are found to be pedophiles, the constant victim blaming in courts (apparently "well look how they were dressed", "they were drinking", etc are still real defenses in the US). Look at the abuse received by people who reported that "great" coach in the US, when suddenly sports was more important than child abuse. Then of course you have the constant church coverups that are routinely ruled legal, and then the victims get called scammers.
This is before you get to the abuse of children allowed by people who are trying to "stop their child being LGBT", which is literally torture, but again 100% ok because the people doing it are the conservatives who fight actual meaningful changes to protect children.
Instead what we get is police saying we need to have an unauditable system to report the content of people's phones with no warrant. Ignore the immense cost of false accusations, ignore the documented failures of these systems, ignore the incredible scope for abuse by other people (is it CSAM, or is just LGBT content? because plenty of US states and countries consider them equal). Is it reporting to parents? Plenty of child abusers will want to know if their children are looking at anything LGBT related so they have an excuse to abuse their children.
Or maybe it's protest pictures, or pro-democracy material - once you've shipped this for CSAM, plenty of countries will immediately say "now you can do that, also include this opaque database of criminal images".
Or it could be Iran saying "images of women without a hijab should be reported".
You need to understand, once you say "a persons device should report a specific kind of content on a device to any entity", the technology is in place, and the original "specific kind" becomes whatever the country says a legal requirement, and it's legally required to report to the government.
Of course CSAM is bad, shouldn’t we do everything in our power to prevent it? If you implement client-side scanning, you will catch some rookies. Some old pervs that don’t know how to use encryption manually, or use Matrix. They will use them to show how effective the system is…
with the exception that it doesn’t work against anyone who knows anything about computers. And I think the regulators know it, they aren’t dumb (imo). It’s, like I said earlier, an excuse to expand the scope of scanning later.
Europol wants unfettered, unfiltered access to all scanned data, regardless if there's a crime or not.
And they want to inject all of that into their Police AI (which they also want unregulated).
It's going to be awesome future.
So much for the transparency and accountability they’ll no doubt promise will be there for the process of accusations (not that this makes the idea any better, useful, or more palatable), which need not apply to themselves.
1. The meeting tool place after the commission made it's proposal, meaning that contrary to the way the article sets it up, the meeting couldn't have shaped the proposal. 2. The screenshot of a meeting report states that Europol wants access to the same info as Member States for specific cases, contrary to your summary it doesn't say anything about access to all data. 3. That police agencies want to include further areas into the legislation is not unusual. That doesn't guarantee it will happen, nor does the police body speak for the executive or legislators or represent the EU views as a whole.
I do think the proposals go a bit too far, on the other side the whole tech world assumption that anything has to stay lawless is just absurd. No one can deny there is a problem with pedophile material and to say to protect the purity of free speech all such issues have to stay unaddressed is just a position blind to reality.
This is not the whole tech world's position. Why make up an equally bad opposing position instead of just saying "this regulation is going too far"?
This is not about free speech at all. Free speech is about the government not censoring public speech and publication. Publishing this kind of material is already an exception of free speech and nobody disagrees with that.
This proposal is about the private communication of all citizens. Not only is it a disproportional measure, it's also ineffective. It will not reduce the demand for this material and will only stop a particular method of distribution. The bad actors will just move to other methods including non-digital or steganography, on unmonitored or hacked devices. Just like the war on drugs doesn't work, they will find a way.
But in the meantime this will deeply undermine the privacy of all people and this tooling will inevitably be used for more purposes than originally proposed. As this linked article shows.
And in order for this to work it will basically have to make FOSS operating systems illegal because as long as the user can modify their OS they can remove this scan. This is one of the reasons I consider it disproportional. Or if implemented on the messaging side only (which is easier to bypass than in the OS), it will make open messaging apps illegal.
by these two actions combined this anti-freedom garbage (further consolidating and centralizing powers) will work effectively
I'm more concerned about the original abuse. The pictures are obviously an issue as they create a market _for_ abuse, but if you're not targeting the original crime, I don't think you stand a chance of actually improving the world by destroying rights.
Are they thinking of the children when they raid dad's home because a picture of a kids genitals went to a physician for tele-medicine?
Are they thinking of the kids when they come for dad when dad really doesn't like his pictures scanned and self-hosts his infra and uses a Linux based phone?
“Private market will regulate itself” isn’t some technical term with a precise meaning that can be misused. It can “regulate itself” by not having any restrictions imposed on it, but i can also be said to “regulate itself” by exploring different solutions to challenges presented by legal requirements with no clear solution path.
However, I see your point here, because most of the time when people just say “private market will regulate itself”, they talk about heavily unregulated market situations.
That might be the best way to get authorities interested in you, once that shit starts going down.
"We ought to put this guy on a list for using encryption (HTTPS, Matrix) everywhere" ->
"We can't use dragnet surveillance because the people are on the list for evading dragnet surveillance" ->
"There's too many people to monitor, too many small servers to crack and backdoor, and the list is mostly just people running their own innocuos server anyways"
Subsequently, you may draw some attention at first, but if you spread attention thin enough it can effectively round to zero - especially if the activity drawing attention becomes moderately commonplace.
Not that we should give law enforcement everything they want to do their jobs, but a voice coming from people with actual experience would help.
I get the sense that nearly everyone on both sides of this issue is entirely guessing.
I would hope that people base their political positions on strong evidence and/or the voices of subject matter experts. Alas, political positions are more based on what people want to be true, rather than what is true.
That is the entire answer for "is there any interest in solving sex crimes". If the police do not have the time or the money to do the most basic work possible having already made rape victims sit through the incredibly invasive process of taking the rape kit, why should we think that anything that gives them access to the content of people's devices is going to be used for any kind of sex crime inquiry?
Police do not care about sex crimes. CSAM detection is just their new angle to get unfettered warrantless access to everyone's data. Europol representatives have already explicitly stated that that's what they want this for.
The EU legislator Martin Sonneborn, member of the German satirist party "Die Partei", is proven he was right when in beginning of the legislature he just enumerated all the criminal and semi-criminal acts of several members of the current EU commission. Led by von der Leyen who also has a horrible track record in German politics. "Europa nicht den Laien überlassen"
It's actually not funny anymore because those people are destroying everything.
From my understanding, Johansson is also the Commissioner who, after it coming to light that the Europol had had a little too much fun mass collecting data and gleefully violating EU citizens' privacy rights, stepped into action that resulted in an effort to pass a new law that retroactively made everything the Europol did legal.
any chance anyone can link or give some suggestions of search terms to try to find this?
It's the 1,5min speech where Sonneborn enumerated some cases, unfortunately in German. AFAIR when he held it, I researched a couple of names and issues he mentioned that didn't look too polemic. In general, he (and his team) is doing what I'd call "trustworthy research" packed up into satire.
But what if a friend of mine sends me a handmade meme with a child that is not recognized as safe by the AI?
Well, I guess that there will be thousands of parents under investigation and in the news before I pick my turn from the random distribution of the false positives. It's going to be interesting for the politicians in charge.
It's a "all devices need to scan all data and report if anything looks illegal". So yeah, if someone sent you malicious data you could end up being arrested and paraded through the press before silently being release with your life and google search forever tainted.
It's particularly stupid because the government is essentially saying "manufacturers must search your device, and then report the content, and that is probable cause to justify a search warrant", which is obviously absurd.
Me a father, hard working, tax paying, I just don’t want my messages scanned, are they going to put me in prison?
Normal citizens on the other hand are presumed guilty unless proven otherwise...
This is the mentality that made Brexit happen. We can't let this Orwellian surveillance happen and then later try to fix the damage they've done.