79 comments

[ 3.3 ms ] story [ 81.4 ms ] thread
Lawmakers in general have less than one percent knowledge on what they make laws on. I look forward to them all logging in remotely after the ban.

The key change is needed with things such as meshtastic and lora. Taking things out of the hands of regulators is key

Stuff like this really reminds me how nobody is actually in control. Entire countries are just going where ever the rivers takes them with those supposed in charge not knowing any better and often worse than the rest and functionally being so clueless they’re passengers too
Republican lawmakers, in this case.
In Wisconsin, this means there's a good chance the Democratic governor will veto it, probably with widespread public support.
Why ban VPNs when you can freely force social networks like HN to tie nickname registration to an state issued digital ID certificate to guarantee freedom of speech and legal accountability?

https://old.reddit.com/r/XGramatikInsights/comments/1ovd88s/...

Because you can't freely force social networks like HN to tie nicknames to a state IDs. Just because some politician said that doesn't make it so.
> you can freely force social networks like HN to tie nickname registration to an state issued digital ID certificate to guarantee freedom of speech

Nothing guarantees free speech like making it trivial to keep a copy of everything everyone says that can always be tracked back to their real identity! No way that could have a chilling effect on perfectly normal speech.

It's funny how democratic countries copy whatever laws authoritarian regimes passed, but with a 5-year lag.
The Great Firewall dates from 2003 and we still don't have a Great British Firewall so the lag seems longer.
Could be more serious than that, maybe it's not a lag. Maybe they are becoming.
Isn't it Wisconsin law that lets the Governor change any numeric digits in a law while it's on his or her desk?

One of the most bizarre legal opinions I've ever heard of, but if they used any digits in the writing of the law those are up for grabs. Law makes a 30 day window or something? The governor can just change it to a million days with a stroke of the pen and then sign the edit into law with the same pen!

20 years ago the boogeyman was "the terrorists!" And now the boogeyman is "not the children!!" Or "immigrants!!" Depending on your audience's political views, but the ultimate goal is more surveillance, more control and more power abuse by who’s in control.
That doesn't match what I've seen in UK politics.
(comment deleted)
>So when Wisconsin demands that websites "block VPN users from Wisconsin," they're asking for something that's technically impossible. Websites have no way to tell if a VPN connection is coming from Milwaukee, Michigan, or Mumbai. The technology just doesn't work that way.

https://youtu.be/Pr4v725LPOE?si=ih3gfTSpiHumtrFs&t=79

"That's not how apps work"

"Then make it work you think we are stupid but we are not, we know" VPNs have something to do with IPs which are necessarily geolocatable , and also users need to make an account to connect to a VPN, you can just ask them what country and State they are in.

Being willfully obtuse draws no sympathy, and will not exclude companies from compliance

They probably know that the technology doesn't work this way. But such law will force websites to block ALL VPN connections even for users not from Wisconsin, and that's the plan.
I'm reminded of efforts in the 1990s to ban strong encryption in email and websites because governments tried to tell us it was used by drug dealers and pedos to do their nefarious activities.

Yes, governments really did want to force us to use HTTPS with only broken/weak crypto.

Same propaganda, different buzzwords.

Well, let’s be honest — users of VPNs regularly don’t know what they are doing, too.

Can’t count how often I‘ve heard otherwise technologically literate people saying how they use a VPN (NordVPN e.a.) because „something something security“.

No surprise, "Something something security" is the exact promise of many youtube ads, often spoken by people who know better.
>Businesses run on VPNs. Every company with remote employees uses VPNs. Every business traveler connecting through sketchy hotel Wi-Fi needs one. Companies use VPNs to protect client and employee data, secure internal communications, and prevent cyberattacks.

Oh look, someone's conflating business VPNs and consumer VPNs again. This time to legitimize consumer VPNs.

The cited laws propose to ban pornography for minors, and ban VPNs that hide geolocation and their use in accessing pornography. Nothing to do with businesses using private VPNs to encrypt employee traffic.

>Vulnerable people rely on VPNs for safety. Domestic abuse survivors use VPNs to hide their location from their abusers.

Woah, maybe VPNs have some uses I haven't considered, let's take a look at the linked article.

>Use a virtual private network (VPN) to remain anonymous while browsing the internet, signing a new lease or applying for a new home loan. This will also keep your location anonymous from anyone who has gained access to or infiltrated your device.

I think the loan thing is rubbish I don't get it, and it's unaffected by the law. But the idea of installing a VPN in case the device is compromised might make sense, if the device is compromised it might still be trackable, especially while downloading the VPN, but maybe if it connects at startup, and the RAT isn't configured to bypass the VPN bridge, it might work.

Quite a stretch if you ask me. And again, not relevant to adult sites blocking VPNs.

The rest of the example are the usual "people use it to evade the government and regulations but it can be THE BAD GOVERNMENt AND REGULAtiONS"

As someone born in a post‑Soviet country with rather many odd digital laws--including one requiring that any use of encryption be registered with the department of commerce and the secret service (meaning no TLS unless you get a permit)--I can clearly see the endgame of similar proposals.

These laws aren’t meant to be followed. Their text is deliberately vague, and their demands are impossible by design. They aren't foolish, or at least their ignorance isn't needed to explain the system's broader function. They are meant to serve as a Chekhov's gun that may or may not fire over your head, depending solely on whether the people holding it decide like you.

In peaceful times, they fade into the background, surfacing only when it’s convenient to blackmail some company for cash or favors. In times of crisis, they declare a never-ending war on extremism, sin, and treason, fought against an inexhaustible supply of targets to take down in front of their higher‑ups, farming promotions, contracts for DPI software, and jobs updating its filters.

Historically, such controls were limited by the motivation and competence of the arms dealers, usually taking the form of DNS or IP blocks easily bypassed with proxies. With modern DPI, it's entire protocols going dark. Even so, those able to learn easily find a way around them. The people who suffer most are seniors, unable even to call family across the border without a neighbor's help, and their relatives forced into using least trustworthy messengers (such as Botim, from the creators of ToTok, a known UAE intel operation [0]) thinking they're the only way to stay in touch, not knowing how or wanting to use mainstream IM over a VPNs that may or may not live another month.

If wherever you are your votes still matter, please fight this nonsense. Make no mistake, your enemies are still more ridiculous than Voltaire could hope they'd be, but organizing against or simply living through a regime constantly chewing on the internet's wires is going to be a significantly greater inconvenience than taking _real_ action now.

[0] https://en.wikipedia.org/wiki/ToTok

> Chekhov's gun that may or may not fire over your head

A more apt metaphor might be Damocles’ sword?

> These laws aren’t meant to be followed

Selective enforcement should be illegal - people practicing it should be put in prison, the law should be auto-repealed, any past sentences cancelled and the people sentenced should be compensated.

This should be written into every constitution, just like free speech and the right to kill when killing is right ("right to bear arms").

Agree. Good intentions. How do you practically approach this? Which incentives would you suggest to steer the system that way? What will keep the system from slipping back to selective enforcement?
Wisconsin "porn" websites will just move out of Wisconsin.

The bill reads like you would think from someone who's been talking with the ceo of an age verification company. The bill gives the website two options: use a _commercial_ age verification product tied to gov't id checking, or "digitize" the web user's gov't id.

And cue the rise of self-hosted VPNs. 1 click to get a VPS instance, install VPN software, and make a connection. Automatically destroy the instance with another click or after a certain amount of time.
Tailscale makes this trivial, which is why I'm worried about governments starting to block the Tailscale control servers. Which I think China already does.

I don't know if Tailscale has any plans to make their service more censorship resistant, but I hope they do.

I did this for years during the early 2010s, but given the IP ranges of most the major VPS players are widely known, many sites and services now just block them outright. It got to the stage I had to stop doing it. I suspect it has only gotten worse now many sites are trying to prevent scraping for AI training as well.

If your primary focus is just reaching region blocked content, Self hosted VPNs can work great if you have access to a residential IP in your target country- I've taken advantage of family member's domestic connections instead of VPSes now, as I was lucky enough to have family in the regions I wanted. Devices like the Apple TV can function as a Tailscale exit node too, which greatly simplified deployment.

A device-side IP filter locked behind a password that parents can configure in the device's settings would be much more effective and easier to implement than censoring the Internet. This should be the default solution, yet it's never brought up for whatever reason.

Not to mention these online content censorship laws for kids are wrong in principle because parents are supposed to be in control of how they raise each of their own kids, not the government or other people.

And these laws make authoritarian surveillance and control much easier. It's hard to not see this as the main objective at this point. And even if it isn't, this level of stupidity is harmful.

The goal is controling the flow of information online. "protecting the children" may or may not be a sincere concern but ultimately censorship is what is desired here.
I think Hanlon's razor probably applies here. There's no way the average Wisconsin legislator understands this bill.
It is the objective, it's always been the objective. The worst part is that I bet these people don't even think of themselves as authoritarian so much as they stumble into it through a combination of selfishness, ignorance, and complete disregard for ethics. They like money and power, more information means more of both, darn the torpedos, tap the lines, hit the gas and all of a sudden it's oops all facism.
These are religious fanatics trying to ban porn because they believe it's evil. All the rest is dressing to advance that cause and isn't worth spending too much time trying to make sense of.

They'd latch on to whatever reason they'd think would stick.

IP filter? So what you do when you block the entire cloudflare, CloudFront, Amazon and Google cloud ip ranges?

What's left?

There are better solution than blocking IPs.

Whether it's intentional or not, these laws open the door to mass surveillance under the guise of "protection"
This has existed for well over a decade for iOS. I don’t use Android so I can’t speak to it.
> parents are supposed to be in control of how they raise each of their own kids

You realize that a lot of parents support this sort of thing because they are not technically sophisticated enough to control it themselves? Or they simply think that it has no place in polite society? That is why politicians enact these laws, because they are hearing from constituents that they want it.

> You realize that a lot of parents support this sort of thing because they are not technically sophisticated enough to control it themselves?

We can make it so that it's as easy as changing the settings on their child's phone and then setting a password to lock that setting. The technical barrier isn't high.

> Or they simply think that it has no place in polite society?

That doesn't justify giving the government the tools to crush free speech on the Internet, which threatens the very existence of polite society. The current wave of authoritarianism around the world is a direct consequence of undemocratic governance systems on the Internet. In hindsight, it was kind of our fault. Failing to foresee its civilization-scale impact, we did not design the Internet with democratic principles in mind. This eventually resulted in large social media and cloud services platforms with enough users to sway elections, that operate under opaque centralized moderation and curation mechanisms. This became a real problem when smartphones were invented and most of human communication suddenly got moved online: freedom of speech has been de facto damaged for almost two decades now.

But it's a problem that can reverse itself, if we can figure out a way to neutralize the Internet's implicit incentives that encourage the centralization of compute and storage (which is equivalent to the centralization of power when most communication occurs online). And as you might guess, such solutions require a free enough Internet to create and deploy. That's why we must push back against these Internet control laws in the meantime, otherwise governments will simply use these legal tools to suppress attempts to decentralize the Internet, and we'd end up with authoritarian regimes all around the world.

I wonder if all of the journalism on Epstein would be considered "Sexual content" and if journalists would be forced to self-doxx to report in these states
I've been thinking a lot about VPNs lately, mainly for 2 reasons:

1) In my home state I can no longer access Pornhub

2) Last month I visited Mississippi and could not access BlueSky, even though I can from my home state.

[I personally blame this on the "holier then thou", "don't tread of me" conservatives who cannot resist the urge to try to rule over the activities of others.]

I haven't selected a VPN provider because I have heard that a lot of websites create barriers to people who use VPNs. For example, I've seen people say that couldn't access Reddit via a VPN.

You can access Reddit from a VPN while signed into Reddit.
I've not had much problem. Never had that problem with Reddit. I use the free veepn browser extension.

Accessing imgur from the UK has been a bit tricky. Sometimes they limit certain IP addresses like the US one usually doesn't work but the Singapore one does (slowly) for some reason.

"Here's what happens if VPNs get blocked: everyone has to verify their age by submitting government IDs, biometric data, or credit card information directly to websites—without any encryption or privacy protection."

Can someone explain how this is true? Even if there is not a VPN, there should be https encryption and privacy protection.

If you have https encryption and privacy protection, how is the VPN ban going to be enforced?
"Here's what happens if VPNs get blocked: everyone has to verify their age by submitting government IDs, biometric data, or credit card information directly to websites-without any encryption or privacy protection.

We already know how this story ends. Companies get hacked. Data gets breached. And suddenly your real name is attached to the websites you visited, stored in some poorly-secured database waiting for the inevitable leak. This has already happened, and is not a matter of if but when. And when it does, the repercussions will be huge."

Then

"Let's say Wisconsin somehow manages to pass this law. Here's what will actually happen:

People who want to bypass it will use non-commercial VPNs, open proxies, or cheap virtual private servers that the law doesn't cover. They'll find workarounds within hours. The internet always routes around censorship."

Even in a fantasy world where every website successfully blocked all commercial VPNs, people would just make their own. You can route traffic through cloud services like AWS or DigitalOcean, tunnel through someone else's home internet connection, use open proxies, or spin up a cheap server for less than a dollar."

EFF presents two versions of "here's what will happen"

If we accept both as true then it appears a law targeting commercial VPNs would create evolutionary pressure to DIY rather than delegate VPN facility to commercial third parties. Non-commercial first party VPNs only service the person who sets them up. If that person is engaged in criminal activity, they can be targeted by legislation and enforcement specifically. Prosecution of criminals should not affect other first party VPNs set up by law-abiding internet users

Delegation of running VPNs to commercial third parties carries risks. Aside from obvious "trust" issues, reliability concerns, mandatory data collection, potential data breach, and so on, when the commercial provider services criminals, that's a risk to everyone else using the service

This is what's going on with so-called "Chat Control". Commercial third parties are knowingly servicing criminals. The service is used to facilitate the crime. The third parties will not or cannot identify the criminals. As a result, governments seek to compel the third party to do so through legislation. Every other user of the service may be affected as a result

Compare this with a first party VPN set up and used by a single person. If that person engages in criminal activity, other first party VPNs are unaffected

EFF does not speculate that third parties such AWS, DigitalOcean, or "cheap server[s] for less than a dollar" will be targeted with legislation in their second "here's what will happen" scenario

Evolutionary pressure toward DIY might be bad news for commercial third party intermediaries^1

But not necessarily for DIY internet users

1. Those third parties that profit from non-DIY users may invoke the plight of those non-DIY users^2 when arguing against VPN legislation or "Chat Control" but it's the third parties that stand to lose the most. DIY users are not subject to legislation that targets third party VPNs or third party chat services

2. Like OpenAI invoking the plight of ChapGPT users when faced with discovery demands in copyright litigation

(comment deleted)
It appears the bill would exempt AWS, DigitalOcean and "cheap server(s) for less than dollar"

"(b) No Internet service provider or its affiliates or subsidiaries, search engine, or cloud service provider shall be held to have violated sub. (2) on the basis of the entity having provided access or connection to or from a website, content on the Internet, or a facility, system, or network not under that entitys control, or the entitys provision of communicating, transmitting, downloading, intermediate storage of, providing access software for, or other services that communicate ...

(c) No Internet service provider or its affiliates or subsidiaries, search engine, or cloud service provider shall be held to have violated sub. (3) on the basis of the entity having provided access or connection to or from a website, content on the Internet, or a facility, system, or network not under that entitys control, or the entitys provision of communicating, transmitting, downloading, intermediate storage of, providing access software for, or other services that communicate ..."

The bill restricts "persons" from knowingly retaining identifying information on users. This is some peculiar wording maybe trying to allow for some loophole where automated retention of information is exempted

"Under the bill, persons that perform reasonable age verification methods may not knowingly retain identifying information of the individual attempting to access the website after the individuals access has been granted or denied"

"(b) A person that performs a reasonable age verification method in compliance with par. (a) may not knowingly retain identifying information of the individual attempting to access the website after the individuals access has been granted or denied."

The EFF title is inaccurate

The bill does not "ban" VPNs

It does not create illegality

It creates potential civil liability for certain businesses, and only if and when someone sues and wins

Couldn't all of this be handled by META tags, request/response headers and some "they'll obviously do it" laws aimed at operating systems, device manufacturers and browser companies?
You don't need to burn books if you can just ban access to them!
After Wisconsin finds out how to reliably filter vpn, they can then teach Netflix and Akamai how to do it.

Last time I checked modestly reliable geoblocking existed, and completely unreliable vpn blocking.

A friend told me that when he comes across a site for which Nordvpn is blocked, he just changes IP. Latest the third one always works, even on YouTube (he is all about privacy).

Of course, what if I use an SSH tunnel instead as that normally suffices a lot easier for me. It's basically the same underlying libraries? They would have to regulate the use of libssl, libcrypto, etc. This makes no sense lol.

Am I going to find myself in jail one day for "Unregulated use of a private/public key pair?"

Part of the problem is that in order to prove your age you need to hand over a bunch of unrelated data about yourself. Why do they need to know my name, address, signature, and what I look like? They don’t even need to know my actual age, just that I’m over 21. Laws like this would go down a lot better if there were privacy-respecting ways of verifying age.