> The government, and prominent child protection charities have long argued that encryption hinders efforts to combat online child abuse - which they say is a growing problem.
So take using a sledgehammer to crack a nut.
What they should be doing, is rather than increase the risk for the majority who use encryption for valid reasons (privacy, not nefarious), is invest in services to allow individuals to gain help, in a manner where they won't be ostracised and at risk, all from trying to come forward and get help to amend their behavior.
I am a father myself, and like a majority (being a parent is a moot point really) am appalled and disgusted by CP, but me being that way won't stop individuals from succumbing to obtaining CP. Some of them do this even though they know it could trash their seemingly normal life (they often have their own families who are totally unaware). This to me suggests there is some sort of psychological disorder at play, and these people need professional help and intervention.
Trying to snoop on everyone, to seek these people out won't achieve anything. They are willing to offend even with extreme risks already in place (being labelled as a pedophile for the rest of your life). Them being snooped on won't stop it all, the same vicious cycle will continue to play out, but now with all of us lacking a basic right to privacy.
Make no mistake: the Online Safety Bill has absolutely nothing to do with protecting children. End-to-end encryption is the first line of defence against government approved mass surveillance. If it falls, the rest will follow. It will only be a short period until the operation is expanded under the guise of additional "protections" against the citizens.
The "children" excuse + most of the population saying "I don't need privacy, I have nothing to hide" is a double whammy against any form of encryption and it's just a matter of time before our Internet privacy rights are completely stripped away.
A huge educational campaign is necessary to convince people and the average politician that being pro-encryption doesn't mean being criminals or pedophiles. So it's a lost battle already, and the intelligence services everywhere know it's just a matter of time.
Eventually a pro-privacy activist will be found with child pornography and everybody will cheer and applaud any form of privacy-stripping law.
The children angle is insidious, and where the discussion keeps devolving even in tech-savvy forums like this one, instead of seeing it's convenient and very effective marketing to hide anti-privacy goals.
I see you posting an opinion I agree strongly with here often. Glad you’re still at it.
I will offer a positive side to this situation. Their war against math proves the math works and they don’t have an internal workaround. Since a war against math is bound to fail in the long term (just like the war on vegetables aka “war on drugs”), short term victories of oppression won’t shut down the future.
The children angle is insidious, especially when whistle blowers, reporters, and power players in revealing high up people involved in pedophilia seem to all magically have unfortunate accidents. It is a tool to emotionally manipulate a population which is ravenous against pedophilia. A very effective one. I look forward to the day these people are all held accountable.
There is already a more subtle problem here, at least in countries with case law. The people who end up on trial trying to defend encryption are typically guilty (as very roughly 90% of people who go to trial are). Many of them are guilty of things that most of us look very strongly down upon, like possessing and sharing child sexual abuse material. Thus if you want to set a strong precedent for protection of encryption, you end up defending exactly this sort of person.
The entire rhetorical position is difficult. One of the (somewhat implicit) rules of public discourse seems to be "assume good faith". To make the argument that people should have freedom from government requires an acknowledgement that government officials regularly do more harm than good. It is insanely challenging to carry that position in a debate. Keep your eye out for the handful of people who manage to do it without being tarred as crazy. That rhetorical imbalance makes it safe and straightforward for power politicians and police to argue that they should get to read everyone's emails.
It is tricky to understand why centralised power is a terrible thing that will lead to corruption and injustice. Implementing a system that tolerates privacy requires the bureaucracy to not grasp power. We've always been lucky in a sense that a critical mass of people learned they need to fight to protect freedom as an ideal, even if they can't exactly explain why or if the details seem to lead to bad outcomes (see also "fight for your right to say it"). It may be the only defence against a Stalinist- or Maoist-style collapse.
> That rhetorical imbalance makes it safe and straightforward for power politicians and police to argue that they should get to read everyone's emails.
The fundamental problem is that given any permission (an extension of trust), individuals will--100% of the time--abuse it in the absence of oversight.
It's not a matter of if/when, only a matter of to what degree. But being individuals, we are empowered to choose how we grant or revoke such permissions to other individuals. If you stop trusting your spouse, you can revoke their access to your email.
Government is a superset of Individuals. There is no greater clique they are accountable to. Any permission extended (surrendered) to it is an implicit conversion of ownership. If you stop trusting your government to act responsibly with surveillance, you can't revoke that permission. It's no longer yours.
...like the toy you hand over to the playground bully because he "just wants to see it for a second." He was polite enough to state the conditions of release upfront-- but nothing on the playground compelled him to actually abide by his own terms. You find out too late he's a liar, and if you're lucky, you'll get your toy back, when he's done with it, and likely in pieces.
It's frustrating trying to protect children from amorphous threats whose access methods are abstract, virtual and obfuscated by incomprehensible technology and encryption. The question is always whether we maintain absolute anarchy or accept nanny-state dystopia.
Maybe it's time we consider kicking kids off the internet altogether before surrendering any more personal rights to a bully with the weight-class of an entire institution.
> requires an acknowledgement that government officials regularly do more harm than good
I don't think it's that. The argument should be similar to the Veil of Ignorance: do you want every conceivable future government to have these powers?
Well, hypothetically, if the government on average does more good than harm why would you not want that? Sure you'd get Hitler-lite on occasion, but that would be balanced out by anti-Hitler-lite doing good.
Of course, the damage the bad apples do far outweighs the benefits of the good so that argument doesn't hold. A century of good governance with global assistance barely balanced out the damage Hitler triggered in 5 years. Destruction is easy and creation is hard. And that plays out on the small scale too with small numbers of corrupt officials undoing huge amounts of work by good people.
If we had perfect information, we'd find that the spying apparatus of the 5 Eyes has done far more bad than good to the general welfare. The political corruption that must be causing is immense, we already know that every president since Obama has been targeted by the intelligence apparatus in some form. It is unlikely it ends there.
I'm less sure about the situation in the UK, but they generally follow the US trend.
> Make no mistake: the Online Safety Bill has absolutely nothing to do with protecting children.
I don't think that's entirely true.
I am sure many MPs, charities, and campaigners do only see this as an issue of child (and more generally, public) safety.
I think the difficulty has always been explaining to laypeople that allowing any kind of monitoring or surveillance significantly weakens the security of encrypted messaging.
I think of it another way. The bill itself isn’t anything to do with protecting children - but lots of people (MPs, charities, campaigners) have been misled into supporting it. It’s what makes “think of the children” the best way to pass bad legislation. Not only does it make it very hard to object to a bill that won’t actually help children, but you get lots of free support from well-meaning people who don’t understand the implications of the bad legislation they’ve been conned into fighting for!
> Make no mistake: the Online Safety Bill has absolutely nothing to do with protecting children
Exactly, they could start teaching law in a concept understandable manner from primary school age, concentrating on what can cause the damage mentally and physically, like the spread of germs from a young age. But they don't, so kids can't even protect themselves in an offline world and the state gets to maintain its air of pseudo respectability whilst most people don't understand how the state is causing lifelong trouble.
I’m sorry, but if that’s your idea of freedom, you can fucking keep it. Our police, though not saints, don’t shoot unarmed people. At least in Britain we are free from being shot in school.
On the other hand, Britain's obsession with banning knives/sharp objects appears to be unique - many countries have no such restrictions and yet they don't seem to have a stabbing epidemic.
> many countries have no such restrictions and yet they don't seem to have a stabbing epidemic
Are you implying there's a stabbing epidemic in Britain? (apologies if I'm misunderstanding that)
Britain doesn't have a stabbing epidemic[1]. It's a meme
Media attention made the obsession, not whatever actually happens in the real world. Ah, if only people cared as much about heart and brain diseases :(
> Are you implying there's a stabbing epidemic in Britain?
No, my point is that the insane knife restrictions we have aren't actually necessary since many countries lack such restrictions and still don't end up with a stabbing epidemic as a result.
The fact that the police does confiscate sharp objects and arrests and prosecutes people leaves you with two possibilities:
1) There is in fact a need to curb knife crime, without these measures people would die a lot more.
2) There is no significant risk of knife crime, UK uses arbitrary law application to harass undesirable individuals and/or instill a "harmless mindset" into its subjects.
Guns are definitely a major problem - a lot of people who shouldn't have access to guns do and use them. I'm not talking about intentional, targeted murders or settling gang disputes - those will happen anyway regardless of the law.
However, easy access to guns means that people in an unstable mental state might use one to commit (mass?) murder in an act of folly that they would otherwise not do (or at the very least significantly reduce the amount of victims if they had to use a knife instead of a ranged weapon).
Yes, America has an incredibly violent "macho" culture for a so-called first world country, in general and not just as it pertains to firearms. It's probable that the high rate of gun ownership is a symptom of this rather than a cause. But given that this is the case, proliferating the means for people to easily murder each other in such a society is obviously going to exacerbate things.
the total number of unarmed shootings by police each year in the US is in the double digits in a country of 400m. how many kids got raped in rotherham?
Yet there are significantly more British citizens moving to America than the reverse. So they do seek the American Freedom and Constitution. Massive brain drain (despite the predictions it would flow the other way around thanks to the 2016 election).
It doesn't automatically follow that people moving to America means they want the American Freedom (proper noun?) and Constitution. As for the brain drain aspect, it's said that people who move from New Zealand to Australia raise the average IQ of both countries; they are very obviously moving for the higher salaries rather than freedom and constitution.
Your freedoms end where my freedoms begin, and guns are just a tool to change that dynamic. They serve no other purpose, unless we're talking hunting, for which you can still get guns, after some education.
I don't get how Americans seem to think it makes sense to require a license to drive a car but not to own a gun? Who is more dangerous, a guy driving a sedan or one holding an AR?
Because one is protected from government in the Constitution. It literally says that the government cannot infringe on one's right to keep and bear arms. It doesn't say the government allows you to have them. It says the government cannot disallow you from having them.*
*Note: the government could disallow one from having them so long as that person goes through due process, at which point Constitutional restrictions placed upon the government are relaxed in specific areas.
How can self defense not be a natural right?
Someone comes into your home and is beating your child and you're not home.
Should your wife be forced to fight a man twice her size with her natural hands or is it ok for her to shoot the guy trying to kill her kids?
Same situation. You are home. Should you be forced to engage the criminal with your bare hands knowing that if you lose the fight your kids will be murdered?
The context here is owning something to provide "effective self defense" - so where do we draw the line? Can I decide that only owning a gun is not enough against the other gun owners so I need something more effective?
GP's claim is this right justifies owning a weapon that can easily kill. That's far beyond "effective" in my view.
Sorry, I think having to watch my family get killed by someone because I am unable to defend them would be pretty emotional.
I think that's the definition of effective. Someone breaks into my home high on PCP, the most effective way to stop them hurting my family is killing them. Is that not a true statement? What is a more effective way to do it, knowing that failure potentially means the death of your kids? I'm not going to engage them with a taser, there's the chance they will walk right through it, then what?
Anthony Smith, the current #5 ranked light heavyweight in the UFC is 6'4 and probably walks around at 230lbs. A guy on drugs broke into his house and Smith fought him and could not put him down. This is a guy that could defeat 99% of people on earth in a fight. I'm a big strong guy, Smith would absolutely murder me. Why would a normal civilian choose to fight a home invader with their fists when a more effective option is available? What if 2 people break in?
"Can I decide that only owning a gun is not enough against the other gun owners so I need something more effective?" I don't think firing a rocket launcher at someone in your house is going to be as effective as a firearm due to the potential for collateral damage. Also tanks play hell with my new wooden floors. Claymore mines are always a risk when stumbling around in the dark when the dog has to go outside. There is no other rational more effective choice than a firearm for someone defending their home provided they know how to use it.
If your real argument is that no one should be able to kill someone else even if they are a home invader here to murder your family then I'm not sure what to say. I guess I would like to know what you would do in that situation knowing what losing means.
Respondents here are missing what (I think?) is the joke here, which is that "natural rights" aren't really a thing, except as an arbitrary label. It's never been a very sturdy concept, unless some radical, new defense of them has been discovered and overcome the copious objections of critics, since I last checked.
It's fine to like and defend liberties often labeled "natural rights", but justifying them on the basis of their being "natural" doesn't tend to be a strong line of argument—while it does open up room for making jokes by intentionally confusing two senses of "natural", which one may as well since the word doesn't carry much meaning in the phrase "natural rights" anyway.
"Except you can't kill someone with encryption."
You can damn sure wreck their lives without it though. Let's say a generally good guy is thinking about running for office. He has an encrypted chat with some old friends where they occasionally make off color jokes about whatever protected class happens to be in favor at the time, gay, trans, black, whatever.
He runs for office and the people in power simply pull up his chat logs, accuse him of being a racist and that's it for him. This is just one obvious example but there are millions. He is in an open marriage, gay, a swinger, satanist, you name it, it will be used against him.
It's a way for the government in power to stay in power.
Hacking individuals in this way is already done via targeted 0-day exploits. The targets are more likely to be journalists and activists (for their sources) though.
The noided assumption is that politicians and business leaders self-compromise in order to boost their chances of career success (and/or that they see getting compromised by Epstein et al as a career perk rather than a career mistake). It's the same principle as cops only being able to get promoted if they're known to be on the take.
This sort of law enables dragnet surveillance. Domestic Intelligence are always looking for new ways to take temperature readings on agitation before it boils over into public protest and to identify previously unknown community leaders that should be placed under more direct surveillance.
Gun deaths include suicide and justified homicide, not just murder. More than a half of American gun deaths are non-criminal. American non-gun murder rate exceeds UK total murder rate, so I'd say the reason is not guns.
> the Online Safety Bill has absolutely nothing to do with protecting children.
I wish people would acknowledge both sides of the coin instead of simply pretending the other side doesn't exist.
Yes society uses surveillance to identify and prosecute criminals (of various ilks, including those who abuse children). If you render that surveillance impossible by construction then people who might previously have been caught will not be.
Instead you pretend that the only goal here is an authoritarian state straight from 1984.
The risk of the second is one reason not to do it. IMO it's easier to think what happens when you make it easier for people to be blackmailed, manipulated, impersonated, defrauded. But again, that's just an opinion.
Do you think pervasive spying would have made it more or less likely that the Jeffrey Epstein case made it to the public eye? Running a paedophile ring is not some small thing that is easy to hide. In all the cases I've taken note of (in churches, schools, local clubs, etc) the problem is almost never that the crime is unknown, it is that the perpetrators have too many tools to shield themselves from consequences and discredit the victims. In the future, maybe tools like going through people's internet history or planting fake evidence using their online accounts.
Society shouldn't use surveillance to identify criminals. We'd look back at dragnets to catch runaway slaves or hunt down the homosexuals with horror (as, indeed, we generally do in states that successfully institute mass surveillance to catch criminals). As recently as a few years ago, 'criminals' were people found outside their own homes and places like China were successfully catching them much to the net loss for everyone. There is a strong - indeed, overwhelming - link between places with good privacy, good protection of freedoms and citizens living happy prosperous lives.
The people pushing mass surveillance know all this. It has been brought up every time some bright spark comes up with the idea of rolling out mass surveillance. These people understand the societal consequences that they are ushering in. Too many of them understand what they are doing to pretend they have pure motives. This is empowering the worst of the authoritarians.
30% of child sexual abuse is done by family members. 60% of child sexual abuse is done by acquaintances. 10% is done by strangers, and I am willing to bet that a good fraction of that is done offline.
If we want to protect children, why are we completely ignoring those 90%? Where are the bills mandating installation of cameras in all households with children?
If you want to protect children from strangers on the internet, perhaps fund schools so they can properly teach children that the internet can be a dangerous place. Bills like this aren't going to do shit to protect children.
I remember the UK using its anti-terrorist laws to freeze Icelandic banks assets during the financial crisis. There is a probability 1.00 that this will be used for purposes that have absolutely nothing to do with the pretext used to pass the bill. So it's a pointless exercise to debate about that pretext. The only thing that matters is what right does that give the government?
If this is the case, why is the issue of child _privacy_ (and the effect of losing it upon passing of this bill) not considered as part of the "concerns" for online safety (and carefully omitted as part of the risk assessment)?
This is not some spectrum with safety (but loss of freedom) and danger (with freedom) on each end. The results of this bill will be both less freedom and less safety.
> encryption hinders efforts to combat online child abuse
So do opaque walls and the absence of surveillance cameras in cars and homes. Oh don't worry - the recordings will be securely stored, and only available with a court order, only issued for "serious" crime!
It's strange that as surveillance proliferates, the shrinking scraps of privacy we have left are deemed a growing problem, not a vanishing one.
I don't think breaking encryption is a good idea, but I will say that until recently law enforcement could tap phones, rip open envelopes, and get a court order to break into your house and search it. There was never the level of privacy against law enforcement that encryption offers.
> rip open envelopes, and get a court order to break into your house and search it
One limiting factor was that this wasn't scalable - so a lot of people would be comfortable with it because there is little potential for widespread abuse - there just aren't enough resources to search & monitor everyone's mail and houses at all times.
There are no such limitations online, so better protections such as encryption are required to counterbalance it.
> One limiting factor was that this wasn't scalable - so a lot of people would be comfortable with it because there is little potential for widespread abuse - there just aren't enough resources to search & monitor everyone's mail and houses at all times.
It's recently started to emerge that US opened and censored all international mail 1950-1989. We're talking millions of letters a week. It started as a measure to remove all reference to US use of biological weapons in the Korean War and grew from there. (the third season of the Blowback Podcast did a couple of interviews which covered it really well.)
I agree, but that still isn't a net loss in privacy. We can still communicate the way we could, except now we also would like an unbreakable way of communicating online.
I understand of course that scale is an issue online, but that doesn't affect the idea that encryption gives us basically unbreakable communication over a distance, and removing it is not eroding our last vestiges of privacy.
The fact that most communication has moved online means that there's significantly less physical mail traffic than back in the day, so maybe physical mail is not secure either if total capacity is now below what the government can monitor?
It's making privacy more expensive and rare, while making surveillance cheaper and more common. Do we have to wait until it is literally impossible to share a single word in private before we start to worry?
That’s rubbish. Two people could go somewhere they wouldn’t be heard and have a private conversation. Encryption provides no more challenge to investigation than that option that has existed forever…
It is, because this used to apply to most conversations. Even when overheard, they would likely be forgotten by who heard them, not have heard everything, not known who was talking, etc. If the conversation became interesting for an investigation, simply finding a witness would take significant time from limited police officers, the witness may not wish to cooperate, their memory would be imperfect, and perhaps most importantly, it would quickly become common knowledge, via gossip, what the police is snooping for.
Now most conversations have moved online, and a secret record can be cheaply created of exactly who is talking to who, when, how often, and in the absence of encryption, even what they are saying. Phones we all carry, even without spyware apps, can be located through signal triangulation, before we even get to facial recognition and omnipresent cameras, smartphone or otherwise.
That, theoretically, we can recover some of the privacy we used to have (so long as we don't get targeted surveillance, which has become so effective defeating it is nearly hopeless), does not mean that, in practice, privacy has been massively eroded for the average person.
"Think of the children" is one of the 4 horsemen of the infocalypse. It was never about stopping CP. It's about justifying laws that take away privacy, no matter how flimsily.
Really hard to imagine a sane and rational policy maker naming encryption as something that compromises safety. If anything, it facilitates it. But then again, this isn’t about policy, it’s about control and surveillance.
Indeed: it is worthwhile to note the nefarious absence of the role of privacy in the laid out "risk assessment" of children's usage of a service, in part 3, chapter 2, point (6) of the bill.
Yes. I don't want to live in a world where my kid sends someone a picture of immigrants on a boat and gets a criminal record. It's just a step between abolishing encryption and this.
And the next step is wide scope censorship like that instituted by the CCP. The ideas that we should censor politically inconvenient truths like the migrant crisis are already in the UK.
I agree.
Next step. Majority of CP is filmed in homes where children live. To protect the children every home must have a government monitored camera in it so that the safety of the children can be ensured. You don't have anything to hide do you? No criminal activity going on?
There is no way this doesn't quickly turn into full government monitoring of everything being sent over technology. Before that even, I assume the search for CP will be done via image hashes provided by a government database. What's to stop the government from simply putting a hash of information it does not want public? The Snowden files or something similar. Quickly identify and remove leakers.
And this is from a country where certain celebrities abused children for decades in plain sight without any encryption. Where children of entire towns were mass-abused also in plain sight and under the nose of police. Where members of Royal family are known kiddy fiddlers without anything serious happening to them.
Last I checked, and it's been awhile, Wire is not only centralized, but also keeps contact lists online --- in other words, they've kept an SQL database of who's talking to whom across their whole service, serverside.
If that's changed (or if someone wants to point out that I'm wrong about that, which is always possible), I'd appreciate the update.
AFAIK that's still the case. Who messages who is saved with Matrix as well though. This shouldn't be a comprehensive list of what's better than Signal only a list of everything available in the space. Imho everything in the list is better than Telegram and WhatsApp, but depending on your use case nothing is good enough and you must fall back to Briar or something similar.
If you don't mind the lack of polish I've been using Jami for secure communication and even file sharing and I've gotten a couple lay people set up and running without much trouble. Set up is pretty easy. They don't even need you to give them an email address, but it's different. It's not going to look or act like Signal.
What I loved about Signal on mobile was how it handled both encrypted messaging and plain old SMS/MMS in the same app and I don't have a real alternative for that.
Telegram is, I believe, generally worse than Signal for privacy.
Both have FOSS clients and offer E2E chats (good), although Telegram doesn't make them the default. Both require the use of phone numbers for identification and store some of your metadata in their central servers (bad). Both dabbled with the idea of privacy-preserving monetization via cryptocurrencies, and both failed spectacularly (funny).
Telegram is run by a swashbuckling Russian expat in Dubai; Signal is run by an American security nerd. You might prefer your metadata to be in Pavel Durov's hands than Moxie Marlinspike's, depending on your threat model, but probably not.
Honestly, this government has some balls. Signal won't be the only one leaving the UK - it's becoming a really poor place to live with high taxation, stalling economy, low consumer rights, environmental protections being stripped away and erosion of civil liberties and rights to privacy.
Only when there's enough brain drain might they backtrack but politically we have a party in power that is susceptible to infighting and not at all focussed on actually serving its citizens.
Many of the people who make those universities reputable are foreigners. If the UK goes down an extreme path, the ones who are there will start leaving and new ones will stop coming.
There was a story about researchers leaving because they wouldn't take part in European funded work anymore... that's that sort of bureaucratic stuff that researchers will not put up with when they feel like they're not able to keep up with their peers.
It is dual French and British. That said, France's record on freedom of encryption is not that stellar either, even if it is not as bad an enemy of the Internet as the UK. Element should preemptively move its HQ to Iceland or similar.
> The European Commission went a step further on the 11 May 2022 by presenting a proposal which would make chat control mandatory for all e-mail, chat and messenger providers and would even apply to so far securely end-to-end encrypted communication services ... All of your chat conversations and emails will be automatically searched for suspicious content. Nothing remains confidential or secret. There is no requirement of a court order or an initial suspicion for searching your messages. It occurs always and automatically.
One way to increase awareness of these proposals would be for E2EE messengers to include an in-app notice and call to action, for customers in affected countries.
> One way to increase awareness of these proposals would be for E2EE messengers to include an in-app notice and call to action, for customers in affected countries.
I think this is a really cool, low-cost/effort way to raise awareness.
Makes me wonder if this could be used against those apps somehow. We all know some countries' governments are quite coercive and scummy...
Have you considered moving the HQ to some more privacy-friendly place? (Switzerland would be an obvious choice, but I've heard good things about Seychelles too, for example.)
> The government said its proposal was not "a ban on end-to-end encryption".
> Critics say companies could be required by Ofcom to scan messages on encrypted apps for child sexual abuse material or terrorism content under the new law.
So, what's going on here? Is it going to be E2EE between user and user and then also a copy E2EE between user and the government? What a time to be alive.
Or is the law going to require them to scan encrypted messages for child abuse and terrorism content? Unless they are required to hand over the keys then... how is that going to work?
Government policy on encryption (along with many other things including Brexit) relies on "magical thinking". They don't understand the problem so they assume there's an easy solution that's just being withheld from them by nefarious third parties.
What stops a company from making a PWA that ignores the UK rule? UK can't block it, especially if they host on aws or gcp servers. So long as the company isn't headquartered in the UK, nothing can be done.
If governments suddenly wanted to ban fire extinguishers, I think most people would be very concerned about what these authorities might be planning, but instead of fire, when they go to ban the tools we use to protect ourselves from crime and corruption, they get the benefit of the doubt?
There is no principle for anti-encryption policy, it's not worth arguing with them, as these policymakers are not moved by reason. You can only organize and get them out.
I'm picturing a webcomic where a ~25 year-old's boyfriend asks her for some nudes, she strips to take them and freaks out because [politician] is suddenly sitting there, leering and smiling. "Oh don't mind me, I'm just here to protect children and prevent terrorism."
(3) A proactive technology requirement may be imposed in a confirmation decision only for the purpose of complying with, or remedying the failure to comply with, any of the duties set out in—
(a) section 9(2) or (3) (illegal content),
(b) section 11(2) or (3) (children’s online safety),
(c) section 23(2) or (3) (illegal content),
(d) section 25(2) or (3) (children’s online safety), or
(e) section 33(1) or 34(1) (fraudulent advertising).
and clause 202(1)(a) then defines "Proactive technology" to mean:
202 “Proactive technology”
(1) In this Act “proactive technology” means—
(a) content moderation technology,
(b) user profiling technology, or
(c) behaviour identification technology,
In other words, the Bill gives the industry regulator the ability to impose a requirement that communication apps implement content moderation technology - which for an end-to-end encrypted system, obviously means the ability to scan and exfiltrate encrypted content to moderators (as how else can you moderate content). As a result, anything that whatever scanning technology deems illegal would have to end up in an unencrypted moderation queue (presumably provided by the app vendor?!), thus completely violating the encryption privacy guarantees. For instance, folks in Ukraine using Signal/Element/etc to discuss being bombed might end up with their messages exfiltrated by the scanning software to a moderation queue because they include the word 'bomb', which is then a sitting target which bad actors would use to gather intelligence and entirely sidestep encryption.
This is LITERALLY the online equivalent of putting a CCTV camera in everyone's bedroom, hooking it up to a machine learning classifier to detect 'illegal activity', and then sending unencrypted recordings to a moderation queue run by the CCTV vendor.
It's terrifying, and we have to stop it, before it sets a precedent that the EU follows with ChatControl, or that the US follows (or uses it as an excuse to remove E2EE entirely).
The way to stop it is to yell about it loud on social media, talk to the press, and if you're in the UK, write to your MP (they do actually read these letters).
Signal & others, if you're reading this: we need to coordinate on an open letter to UK Parliament (probably the House of Lords Committee) to present a united front against this; please ping me at matthew[at]matrix.org to sync.
The OSB is alarmingly advanced through the legislative process, and we are running out of time to stop it.
>and if you're in the UK, write to your MP (they do actually read these letters)
I've written to my MP on a number of things I'm passionate about, and he has written back on every occasion. The problem is that he's disagreed with me on all of these points, so I've stopped bothering. He's Conor Burns, for the record.
I have a question: what does it mean for the _users_ of messaging applications? If the OSB passes am I still within my rights to PGP encrypt my messages before sending them?
That may depend on whether operating systems (including app stores and package managers) are also regulated, e.g. via the EU Cyber-Resilience Act, https://news.ycombinator.com/item?id=34760173
In the current wording: yes, you can go encrypt your messages with PGP before sending them.
However, the worst-case scenario is that Ofcom would then say to Apple and Google: "Hey, you are communication service providers (thanks to iMessage and Google Messages/Chat/etc). We believe you are failing to adequately block illegal content. Therefore we legally require you to perform content moderation. And given you also provide the operating system for your services, and given you've already demonstrated you are willing to do client-side scanning at the OS layer (https://www.siliconrepublic.com/enterprise/apple-csam-child-...) clearly we expect you to scan for illegal content in the OS. Therefore, please scan all content for illegal content, otherwise we'll send your UK-based staff to jail. By the way, have you considered putting scanning in the graphics pipeline? Then we can make sure that you do OCR and image-classification on all pixels that users see, to make sure that after users PGP-decrypt their messages we can spot words like 'bomb' or worse, and send evidence through Apple/Google's moderation teams, so they can be able to block the illegal content and uphold their obligations to report CSAM etc to the authorities."
To be clear, this is a worst-case scenario, but it's the logical extrapolation of what the OSB allows. (That said, IANAL).
> The government, and prominent child protection charities have long argued that encryption hinders efforts to combat online child abuse - which they say is a growing problem.
Translation: can u give us a backdoor in Signal, plz? for the kidz, promiss.
I'd like to think that the UK is small enough of a market for Apple to not give a single flying fuck about the govt forcing them to compromise E2E crypto.
Apple willingly handed over all iCloud data on Chinese citizens upon request. They don't care about privacy at all. They won't abandon the U.K. They'll comply with every single legal directive, as they have pledged to do on multiple occasions.
Thankfully the internet is (almost) entirely decentralized, so it doesn't really matter.
No matter what ban on Signal the UK puts in place, I'm relatively confident that everyone who already uses Signal will be able to find a way how to keep using it.
This is part of Boris Johnson's Red Meat™ tactics. Red Meat tactics means pushing clickbait/culture war bullshit ideas that are idiotic, cruel, or non-working. The goal is to stir up fight over them.
Boris has built his career on running across rivers on the backs of alligators. He avoids being caught by scandals, lying, fraud, infidelity, abuse by throwing Red Meat to distract.
I wish this older generation of politicians who grew up without the internet would hurry up and retire, and let some people who have at least a vague grasp of technology take over. It is painful to watch these people grapple incoherently with the basic idea of how encryption works and what is fundamentally possible or impossible to achieve.
Setting aside the question of whether Signal are the good guys or not, it's important for non-UK people to understand the political context here.
The conservative party is eating itself. They have forced 2 leaders to resign in the last year and are trailing in the polls so are terrified of the next election. They won convincingly at the last election on the basis of a "red wall" strategy that involved an appeal to traditionally labour voters who were Euroskeptic and by throwing dog-whistles about immigration to appease people on the right wing of their own party who were thinking of defecting to the UK independence party. All that support is unravelling and they ended up having to do a humiliating deal with the Unionist party in Northern Ireland which is unravelling because their policies there (the so called "Northern Ireland protocol") threaten to undo the peace process and importance of preserving the peace process is just about the only thing the two sides in Northern Ireland agree on.
There is also a cost of living crisis with strikes across multiple groups of public sector workers.
So right now there is lots of "Performance politics" with policies designed to look tough and appeal to socially conservative right-wingers in an effort to shore up a weak government. Just this week we had the policy to insist that asylum seekers fill in a questionnaire in English no matter where they came from, and now this which they can spin as being tough on crime. I would highly doubt any of the people behind this bill have any interest in the technical pros and cons.
So what is Labour's position on this? Aren't they demanding the exact same thing using slightly different rhetoric?
The only principled parliamentary opposition to undermining encryption that I'm aware of has been coming from David Davis, conservative MP and arch-brexiteer [1].
Maybe there are others like him, but this is by no means a polarising issue in British politics.
Probably. One of the problems of "tough on crime" framing in politics is no politician wants to be seen as "weak on crime" so it ends up being a race to the bottom on civil liberties.
I like when commercial conservatives like to blame the government for always being too big, inefficient and useless, and then go around and sign off all of their rights to privacy of communication thinking that government is going to do a better job with their private messages (or otherwise using their private communications only for the specific reasons they state, such as child abuse) compared to everything else they do.
incredible if UK were to ban Signal, but I guess national sovereignty and security are always going to be higher priorities for the state than user sentiment
Sovereignty on Internet in the Internet age is a nonsense; Internet is not the possession of a government, participating in the Internet at country level (dot uk) is voluntary, if UK wants to get out of Internet as a mesh of interconnected computer networks then it is free to go back to the Dark Ages.
Security is another practical nonsense. You don't need to use Signal to encrypt things, anonymous or encrypted communications existed since the dawn of times and will continue to exist no matter what the governments want to do. Criminals will always be able to use one time pad encryption at will, so raping everyone's rights to communication and privacy in the name of security and sovereignty is just a false pretext.
>Sovereignty on Internet in the Internet age is a nonsense; Internet is not the possession of a government,
The digital world of the internet exists within physical, analog metal boxes that reside within and thusly are subject to the legal jurisdictions of countries.
Internet can exist without a country or more. It cannot exist if all the countries decide to shut down all the infrastructure in their territories, but Internet can thrive without UK, while UK cannot live without Internet, not today.
They're not really small state, and have never been. They're small state about certain things.
They're small state about consumer protections to make it easier for their corrupting donors to pillage Britain and its workers. They're small state about not letting public bodies solve big problems like forbidding councils from building houses.
They're big state about controlling the population. They're big state about centralizing government control. They're big state about gerrymandering to impose a minority view on the population.
Remember that they passed an online snooping bill which requires ISPs to log everyone’s internet activity and made it available to all kinds of organisations? They made MPs exempt.
They don’t want to - or have to - live under their own rules.
Isn't this situation the entire purpose of Signal..? Don't they already operate in the most authoritarian countries in the world? I don't understand why they would walk.
You have to consider how this would happen. If the government bans E2EE, Apple and Google will have to ban E2EE from their UK stores.
Apps like Signal will then have to make a choice. Either publish an app that does not use E2EE or get removed from the app stores. What Signal are saying is that they would accept the ban rather than publish an app with weakened encryption.
Apple users will not be able to make their own choice. Android users will be able to make their own choice thanks to side-loading.
There are problems with using a browser for delivery of any secure elements. It's slightly better than nothing, but if the govt can coerce Apple into blocking Signal from the app store, then they can coerce Apple into compromising their browser to deliver a modified Signal web-app for certain people.
I believe the problem is, UK is extremely powerful in terms of asking “please ban this and that app from app stores”, so they can effectively block it (unlike say Russia, which tried to block Telegram and failed spectacularly).
You can use leaving as a point of leverage in a country that allows for open debate about end-to-end encryption. You can claim that being in the country is at odds with the country's principles and threaten to pull out, or actually pull out, to make the users in that country aware that their basic privacy is being pulled away from them.
In a country with an authoritarian regime, being an option under the radar may be a better option.
There is a difference between an APK being installable or downloadable from a store and your CEO getting into legal heat because they won't backdoor their encryption.
They operate where this is possible; if, for example, Signal operates in North Korea it is not because they have offices there, but because some people in NK can get a client and connect. If Signal would have offices in NK, it is guaranteed they will get to jail, not passing Go and not collecting 200, so Signal is not really operating in the countries you mentioned but users can utilize Signal there.
In UK if Signal has any offices or employees, the UK government can force Signal to either put a backdoor in the product or move out of the country. The second choice is what Signal said it will do, it makes perfect sense - leave instead of bend over.
He doesn't care about the billions they lose because of Brexit either, or about all the UK expats that now need to leave their cosy retirement homes in Spain and France. Boris cares mostly about Boris.
Some people do care though, and most of those people vote. Anyway, Boris doesn't matter anymore.
Unfortunately and remarkably — even when combined with "repeatedly lost jobs due to dishonesty" — that hasn't been sufficient for him to be rendered politically irrelevant.
He seems to be the only Tory politician that has any charisma and the party doesn't appear to have any workable ideas as their previous 12 years in power haven't shown them to be effective.
Rewatching HIGNFY recently, and Johnson somehow (to my introspective horror) managed to come across positively even when he was squirming at Ian Hislop asking about the audio recording of Johnson conspiring to assault a journalist.
I half-remember a phrase, but not where from: "people don't remember what you said, just how you made them feel".
I know at least one person that voted Conservative because Johnson made him laugh on HIGNFY. If only he could have been kept as a media personality and not been given power.
How is that different from the CIA being able to sniff and access their servers thanks to the US patriot act? will they 'walk' from the US too? [1]
Oh, my bad, i almost forgot! it's the tech that's being tested to power the digital online passport, we'll get to see it first with twitter [2], then meta, then it'll expand everywhere else
Ahh, the joy of the bitcoin, who said china was evil with their social credit system? <:P (i did my best to picture a clown face)
The existence of the patriot act makes everything obvious
Signal seems to have lost the plot, after everything that went down -- the exodus, sudden interest etc etc, right when they prioritised that crypto thing above everything else and actually released it. In my circle across 4 continents only one person knew about that damn crypto. Heard of it. That niche. But then maybe Signal is supposed to be “that niche”.
I don’t know how they spin it (that is if at all they bother), or anyone else tries to explain it, it just doesn't make sense. It simply does not. I’d say it is worse or weirder than Firefox’s Pocket moment, but somehow on the same lines. I uninstalled Signal when that feature was released. I still install it now and then for an hour or so just to spin it, but earlier, whatever those few friends were on it, I used to try to use it. Now I don’t. Now for me Signal is just a useless relic.
Maybe it still works for Snowden and people who are at risk and I hope it keeps working for them. But if they are the only target audience then Signal is already irrelevant and they CAN BE replaced by that small target audience and them “walking” from UK or anywhere else for that matter really doesn’t matter.
I honestly don’t understand what this “crypto thing” you mention is or has any relevance with the discussion.
I use Signal every day to communicate with my friends. None of them is a software developer or a technical person. If you are not the target audience of Signal, it does not mean that nobody else is.
Ironically, to actually use this and obtain mobilecoins you need to go through KYC and provide detailed personal information from your name to your great-grandmother's blood group
Doh. I often get confused when people use "crypto" to refer to cryptocurrencies rather than cryptography and encryption when the context isn't obvious.
If you're talking about a product specifically built around cryptography, I'm definitely going to not think that the context is actually cryptocurrency without any other clues.
Guess I just spent too long being interested in and reading up on crypto before bitcoin was invented.
I will say it again, something has got to give. You can't have humane treatment of child rapists and fear government overreach.
It is in fact possible to backdoor communication systems for lawful intercept access. It is possible to also design public auditing of such systems so that a warrant or lawful order being used to intercept communications can be logged and audited by the public. Warrants are not forever secret, with that stipulation a check against abuse of lawful intercept can be incorporated into non-E2E encrypted protocols.
However, what I have learned is that it isn't just privacy or government overreach technophiles like many on HN seem to use as a reason but also a desire to undermine legitimate lawful intercept in foreign countries.
"What if the Chinese government intercepts dissident communication" they're the legit authority there, it will be publicly audited still but they have every right to do so and you have no say in what a foreign government does in their own jurisdiction.
The internet itself should be eradicated if we can't do everything at all costs to prevent harm against the weakest.
Isn't your argument essentially saying that a nation's sovereign body, no matter what their laws, are not only expected, but also justified and morally correct in enforcing those laws, without any regard to the nature of those laws?
By this argument, one would believe that it is imperative for communications networks to assist Nazi Germany in the location and rounding up of undesired people as a part of Gleichschaltung, and that to not do this is to cede power to pedophiles.
Yes that is my argument. Until Nazis try to invade your country. However, you are free to stop providing services entirely in that country if you disagree with their laws.
> It is in fact possible to backdoor communication systems for lawful intercept access
Possible? Yes. Desirable? Absolutely not.
> Warrants are not forever secret
Says who?
> check against abuse of lawful intercept can be incorporated into non-E2E encrypted protocols.
Those checks are already woefully inadequate. There are plenty of examples of abuse of authority/access that just happened to be caught and went on for years. Somehow you claim this is going to stop happening if we give governments MORE surveillance authority?
> The internet itself should be eradicated if we can't do everything at all costs to prevent harm against the weakest.
At least you admit that eradication of the internet is your end goal.
Then let's bring back public executions and cruel punishment. You know what else isn't desirable? Tolerating CSAM.
> Says who?
Alright, then secrecy of the warrant fails public audit checks.
> Those checks are already woefully inadequate. There are plenty of examples of abuse of authority/access that just happened to be caught and went on for years. Somehow you claim this is going to stop happening if we give governments MORE surveillance authority?
They already have authority just not the technical ability. You should use legal and political avenues to address a naughty government. Tolerating CSAM because you refuse to accept political realities or convince your own citizens on the matter is a terrible thing. I don't know what you are referring to regarding inadequate checks, I am proposing a system similar to CT logs for PKI except new encryption can't happen without public audit log of LEO authorization to intercept traffic.
> At least you admit that eradication of the internet is your end goal.
If the choice is between tolerating CSAM and eradicating the internet, the choice is easy for me, why isn't it for you? Fortunately, as you obviously know but chose to ignore for the sake of maligning me, we don't need to eradicate the internet in order to do our best to get rid of CSAM so clearly you knew that wasn't my intention but you misconstrued what I said for the sake of internet rage.