92 comments

[ 3.1 ms ] story [ 77.6 ms ] thread
This will never not be in the news, will it? I feel like it's been continuously for the past 10-15 years, under various names.
I think the challenge for society here is not to simply reject attempts like this, but how to prevent them from being pushed over and over until a specific context allows it to be approved.
This is why the right to protected communication, as well as the right to control the software running on general purpose computing devices that you own (i.e. no remote attestation), must be adopted as human rights.
It's incredibly difficult to stop a well-funded, 50-year plan to subvert a democracy. The attention spans of politicians, corporations, and the public are measured in days, months, or years, not decades.

After 9/11, the Bush administration was accused of abusing the crisis to expand executive power and the national security state. Those who raised the alarm about things like the Patriot Act were often dismissed as fringe alarmists.

Now, nearly 25 years later, we're seeing the downstream effects of that gradual degradation of democratic pillars.

On both sides, voters and politicians can be influenced by propaganda and campaign finance to accept small, incremental changes that don't seem dangerous in isolation, but can cumulate to crush an empire.

Every democracy carries these risks. Do we think our opponents haven't noticed?

I was just thinking that if something like this ever does get through and become law, then creating open-source alternatives which do not obey these laws would be quite trivial. What would not be trivial would be deciding where to host the servers and source code, and how to actually get this software onto people's devices.

What country would be safe for hosting code that does this that people would also trust in general? Would this be hosted on the dark web or would someone actually be brave enough to host it on their private machines? Would there be DNS that could point to this?

Then how would you install the software? You'd need a way to side-load it, which means you'd want a way to sign it. Which means either adding a new root signing authority or being able to have an existing root authority sell you a signing certificate and not revoke it.

You kind of quickly end up in some weird dystopian cyberpunk setting thinking all of this through.

I wonder where platforms like slack would land in all of this, and how would they go about akeeping people from just using their own encryption e.g. pgp over unencrypted channels? Is public key cryptography too weak to matter?
Governments should be transparent and the people should be opaque. Any government that attempts to make things otherwise looses legitimacy.
Can anyone try to explain to be how this is not a strain of mind-reading and thought crime? I mean, sure, we’re several decades away from the big event where society will adjudicate thought-crime, but this appears to be one of the first skirmishes.
This is (mostly) about Tech companies' money, namely:

- Palantir Technologies

- 'not-for-profit' Thorn

> The Commission’s failure to identify the list of experts as falling within the scope of the complainant’s public access request constitutes maladministration. [0]

> ... the complainant contended that the precision rate of technologies like those developed by the organisation are often overestimated. It is therefore essential that any technical claims made by the organisation concerned are made public as this would facilitate the critical assessment of the proposal. [1]

> The Commission presented a proposal on preventing and combating child sexual abuse, looking in particular at detecting child pornography. In this context, it has mentioned that support could be provided by the software of the controversial American company Palantir... [2]

> Is Palantir’s failure to register on the Transparency Register compatible with the Commission’s transparency commitments? [2]

(Palantir only entered the Transparency Registry in March 2025 despite being a multi million vendor for Europol and European Agencies for more than a decade)

> No detailed records exist concerning a January meeting between European Commission President Ursula von der Leyen and the CEO of controversial US data analytics firm Palantir [3]

> Kutcher and CEO Julie Cordua held several meetings with EU officials from 2020 to 2023 - before the former stepped down from his role - including European Commission President Ursula von der Leyen, Home Affairs Commissioner Ylva Johansson, and European Parliament President Roberta Metsola.[4]

> The Ombudsman further concluded that Thorn had indeed influenced the legislative process of the CSAM regulation. “It is clear, for example, from the Commission’s impact assessment that the input provided by Thorn significantly informed the Commission’s decision-making. The public interest in disclosure is thus self-evident. [4]

> EU Ombudsman Emily O’Reilly has announced that she has opened an investigation into the transfer of two former Europol officials to the chat control surveillance tech provider Thorn. [5]

[0] https://www.ombudsman.europa.eu/en/decision/en/176658

[1] https://www.ombudsman.europa.eu/en/recommendation/en/179395

[2] https://www.europarl.europa.eu/doceo/document/E-9-2024-00016...

[3] https://www.euractiv.com/news/commission-kept-no-records-on-...

[4] https://www.euronews.com/next/2024/07/18/european-ombudsman-...

[5] https://www.patrick-breyer.de/en/chat-control-eu-ombudsman-l...

What would prevent me from writing my own program to do something simple like sending encrypted messages? Or just emails...
I guess they don’t know you can encrypt files before you send them. They don’t even have to look like encrypted files.
This was precisely some of the motivation behind pushing RCS onto Apple. The RCS spec has a termination point between providers -- a great spot to read some data for telecom providers and government agencies. Despite this, RCS is called "End to End" all the time. It's not. Use Signal or iMessage, depending on your security choices in iCloud.
Out of interest, what happens in the case of say an open source chat app developed outside the EU. Let's add that the developers are anonymous too, like truecrypt. What power does this legislation have then?
If you are a smart kid in europe learn to vibecode XChacha20 & ed25519 encryption keys for you and your friends to chat with so you can go tell your incompetent government to go fuck themselves.
Is CSA really that widespread in Europe that everyone's chat messages have to be monitored? And if it is that widespread, shouldn't they try to address it socially to prevent CSA as much as possible rather than try to catch just the subset of tech-savvy abusers, that too after they've already committed CSA?
(comment deleted)
They'll push for it repeatedly until they succeed and then it will be irreversibile.
They want the power to arrest you for your private thought crimes too.
Sounds like a complete tyrannical dystopian hell hole to live in.

But nevermind, We love the EU! /s

My answer to "think of the children" is "I am thinking of the children"

* of their rights to privacy

* their right to live in a democracy

* the value of warrant based search vs nazi SS style

* I want them to enjoy at -least- as much privacy as I currently enjoy

* I don't want rando creeps reading their personal messages and keeping them forever, there's a reason memory fades, it lets us grow as people

The fact that EU politicians exclude themselves from the ChatControl is all you need to know about this.
Can anyone explain to me what keeps anyone who doesn't want to be monitored from just sending PNGs (or similar) containing messages encrypted in each pixels LSBs?

Doesn't all that just force everyone who has something to hide to use something else, less obvious?

Ugh, I hate this but literally no one is paying attention.

Its hard because everytime this gets defeated all the EUSSR people just wait a year and try again…

The USA wants this to remain a monopoly.