
Signal threatens to dump US market if EARN IT act passes - tzm
https://uk.pcmag.com/security-5/125569/messaging-app-signal-threatens-to-dump-us-market-if-anti-encryption-bill-passes
======
mikece
1\. The police are either lazy or incompetent if they say they cannot trace
criminals because of E2E secure chat.

2\. You don't need to know the contents of a chat to glean massive amounts of
metadata. FB Messenger and WhatsApp going truly E2E encrypted will still allow
FB (and anyone serving them with warrants) to know in real time who is talking
to whom, what their IP addresses are, and possibly real location (if they are
using the app on their phone). This can be used to create a Signature
profile... many Pakistanis and Yemeni have died from a Hellfire missile strike
because they matched a pattern of activity. Google "signature strike" for more
info.

3\. The terrorists and pedophiles that are the most dangerous are using far
more sophisticated means of communication than Wire, Signal, WhatsApp, Wickr,
etc. Saying that this is "for the children" or "for our safety" is complete
bullshit and anyone saying otherwise needs to prove it.

~~~
oconnor663
> The terrorists and pedophiles that are the most dangerous are using far more
> sophisticated means of communication

The "most dangerous" part is doing a lot of work there. Just like I think law
enforcement needs to admit what they can and cannot do (e.g. they cannot
protect a golden key), I think we need to admit some things too. A lot of
dangerous criminals are stupid. Maybe not the most dangerous ones, sure. But
if law enforcement has a tactic that lets them catch, say, the stupidest 30%
of terrorists, that's an _extremely_ valuable tactic that probably saves a lot
of lives in practice. It would be wrong to claim that society loses nothing by
engineering away that tactic.

I think this sort of thing leads to a lot of frustration on both sides. As a
programmer, I find it very frustrating that law enforcement and the media
consistently get some of the most basic details wrong about how communication
and encryption work, and about the negative side effects of the new laws
they're proposing. But I assume that law enforcement folks also feel
frustrated about how people like me have no idea how they actually get their
jobs done day-to-day, or the negative side effects of the technologies we're
building.

~~~
AnthonyMouse
> A lot of dangerous criminals are stupid.

The nice thing about stupid criminals is that they tend to be indiscriminately
stupid. The ones who don't use encrypted messaging are the same ones who
proceed to brag about their crimes in front of strangers, and have their
phones turned on and with them during the commission of their crimes, and post
incriminating pictures on Facebook, and choose equally stupid and unreliable
criminal partners.

They are the low-hanging fruit, so you don't need powerful and invasive tools
to catch them because they're practically self-incarcerating. When there are
100 other ways to catch them, there's no point in paying a high price just to
have 101.

It's the non-stupid criminals that they have trouble catching, but those are
the ones this won't catch either. So you're still paying a high price for
really nothing in return.

~~~
TeMPOraL
I think you may be missing a large group of criminals in the middle. Like with
ordinary humans in non-criminal context, you have a group of indiscriminately
stupid people, a group of very smart people, and a large group - I think
majority - that just parrots what everyone else is doing or recommending
around them, with very little individual thoughts given.

You can compare it to COVID-19 reactions among the people you know. Almost
everyone now keeps distance in public, because everyone knows they should and
are expected to. But how many people don't connect this with the fact that
they should absolutely _not_ meet up with their friends now? Or that they
should absolutely _not_ visit their families this Easter? Or that it would be
wise to wash groceries and deliveries?

We could say this parroting group is doing cargo-cult OPSEC. They can know
they shouldn't brag about their crimes in person or on social media, and yet
at the same time they could easily trip using communication tools they don't
understand - unless the industry goes out of its way to make such tripping
impossible. I think this is the group the law enforcement is talking about.
Not the idiot criminals, not the smart criminals - just regular ones, who
don't understand the world they live in well, and occasionally make mistakes.

~~~
AnthonyMouse
The group in the middle is the group I'm talking about. At the far edges of
stupidity are the sort of criminals who break into an electronics shop to
steal GPS tracking devices or try to stick up a police station. The far
extremes give you 1000 ways to catch them instead of 100.

The guy who carries his phone with him during the commission of the crime is
the guy at the median.

It also doesn't hurt that the average criminal skews dumber than the average
law-abiding citizen to begin with. But even for the somewhat above average
criminal who gives you ten ways to catch them instead of a hundred, you still
don't need eleven because you only need one.

What do you suppose the percentage of criminals is who are so diligent that
having default insecure communications is the _only_ way to catch them _and_
they wouldn't have chosen a secure alternative regardless?

~~~
tortasaur
> It also doesn't hurt that the average criminal skews dumber than the average
> law-abiding citizen to begin with.

Is this true? I'd be interested to see the research for this. I would believe
that the average _convict_ is dumber than the average law-abiding citizen, but
how many criminals are lumped in with the law-abiding citizens simply because
they don't say "oh yeah, I break the law all the time"?

~~~
AnthonyMouse
You're going to have the _Three Felonies A Day_ problem there, where in
practice everybody commits crimes all day long and the people "not getting
caught" is really everybody, even including people currently incarcerated who
are still guilty of many other crimes they haven't been convicted of.

But if you want to talk about, shall we say, "real" crimes then that's another
story. The solve rate for murders is actually pretty high (because they're
given significant investigative resources), to the point that the population
of convicts is probably not a terribly unrepresentative sample, and the lower
intelligence of the convicts is pretty well established.

It also depends how you measure intelligence. The IQ of people who commit
politically-motivated bombings is often significantly _above_ average, but
they also choose to commit a crime that attracts a hugely disproportionate
level of investigative resources and correspondingly has quite a high solve
rate despite the perpetrators' supposed intelligence, so maybe there are
different kinds of stupid too.

------
Thriptic
I think it's better to just admit that freedoms / tech will always be misused
by criminal actors, and that's just a price we agree to pay for privacy,
security, and liberty. I don't think that's a controversial statement,
and we make such trade offs all the time unconsciously. The United States has
largely agreed to accept a certain amount of criminal gun violence in the name
of personal gun ownership. We agree that a certain amount of money laundering
will occur due to shell corporations and foreign ownership of assets. We agree
that police have to let a certain amount of crime go unpunished in order to
protect against unreasonable search and seizure. The only difference between
those things and this is that no one has the balls to stand up and admit that
a certain amount of child abuse is an acceptable price given the stakes at
hand, even though it is true.

~~~
ngold
And you need a warrant to go through a person's mail. How is that not de facto
policy for digital privacy?

~~~
lonelappde
The EARN IT law enables warrants for digital privacy. The problem is that the
choice is between "warrants are impossible due to encryption" and "warrants
can be skipped by misbehaving actors".

There's no way to guarantee a middle ground.

------
djaque
If you haven't already, please take the time to email your federal
representatives. The EFF's tool [1] only takes a few clicks to use.

[1] [https://act.eff.org/action/protect-our-speech-and-security-o...](https://act.eff.org/action/protect-our-speech-and-security-online-reject-the-graham-blumenthal-bill)

~~~
thaumasiotes
> The EFF's tool [1] only takes a few clicks to use.

Your input is discounted at least in direct proportion to how little you
sacrificed in order to provide it. If you really want to make an impression,
telephone your representative.

~~~
reaperducer
_Your input is discounted at least in direct proportion to how little you
sacrificed in order to provide it._

One of my college roommates works for a congresscritter. He says, at least for
his guy, written letters still have the most impact, followed by telephone
calls. He didn't mention faxes.

E-mail and social media are waaaay down on the list because they take the
least effort and can be gamed so easily.

~~~
akeck
I'll probably send certified letters in this case.

~~~
ihaveajob
Hand delivered.

~~~
akeck
I'll break out my calligraphy pen, ink, and sealing wax.

------
viklove
EARN IT will affect all encryption software, not just Signal. This bill is
just the newest way Congress is trying to enforce required backdoors in all
apps/devices. Last time it was under the guise of protecting us from
terrorists, this time it's under the guise of protecting the children from
pedophiles. I wonder what they'll try next time, when this inevitably fails
again.

~~~
kitotik
> when this inevitably fails again

May I ask where your confidence comes from?

I’ll actually be more surprised if this _doesn’t_ go through, at least in some
form.

~~~
Nasrudith
To be fair even if they get what they think they want, it will fail and then they'll
pout and try to move the goal posts again like how the DMCA failed to stop
piracy or DRM from being cracked.

Of course indulging their utter folly leaves us all worse off so we need to
stop them. I notably haven't gotten even an email or after sending an email
calling out EARN IT as downright nationally suicidal given how much of the
US economy is dependent upon secure cryptography, and the obvious relationship
between GDP and power, and that if they gave a damn about the children they
would be investing more in social services and investigation instead of trying
to seize more power.

Not sure if I reached them or got it put in a proverbial circular file or
"enemies list/ban from volunteering as disgruntled" by a staffer but the fact
they didn't send a "for the children" form letter bullshit is somewhat
reassuring that it reached a real human and they at least recognized one case
of "too pissed to even try to form letter bullshit" is a small victory and
enough negative tickmarks to say "this is a bad plan" is the current win
condition.

Of course a large victory would be dropping from sponsorship but that would be
near impossible even if I was a connected great speaker who called him out in
person.

~~~
fendy3002
That said, does DRM come under E2E messages?

~~~
sjy
No, because if the government wants to inspect DRM-encrypted media for some
reason they can simply play it like any other customer, or order the company
that encrypted it to provide an unencrypted version.

------
AlexandrB
It's not really a "threat". I don't think Signal could legally operate in the
US with this act in place. More like saying: "If you effectively ban end-to-
end encryption, we can't offer our end-to-end encrypted chat app in your
jurisdiction any more."

~~~
pacificmint
> I don't think Signal could legally operate in the US with this act in place.

Of course they could operate. They would just have to backdoor their
encryption. Which, presumably, is what this legislation wants to achieve.

They don't want a world with no chat apps, they want a world with chat apps
they can listen to.

What Signal is saying in this blog post is that they would rather give up the
US market than weaken their encryption. Which is worth saying, because it's
probably not true for most other apps. Most corporations would not give up the
US market, no matter what compromises they have to make.

~~~
AlexandrB
> Of course they could operate. They would just have to backdoor their
> encryption.

Is it even possible to have end-to-end encryption (in the technical sense of
the term) with a backdoor? If your product's marquee feature is security via
end-to-end encryption your product is a non-starter in a jurisdiction that
bans end-to-end encryption, no?

------
flattone
The state of respect from law and corporations upon consumers is already the
single most depressing thing and now earnit. Grew up wanting to live in the
future now I just want out. Remember that 15 year joke ‘don't be evil’?

I believe I could self immolate a million times over in front of a variety of
scenes and meanings, people could call, write and click, teach and learn.
There is however an absolute, it seems, that there is no profitable path for
relatively infinite powers (politicians and corporations) to allow any
meaningful movement towards the more humanitarian, civil/passionate version of
a culture.

Instead we will visibly or not be corralled into a highly monitored and
monetized form of drone happiness. It's cool.. as long as zoom always works,
right? In a sort of twisted ‘we will do things to them but it won't happen to
us’. Perhaps quarantine brain is boiling over into my comment style.

~~~
mirimir
> The state of respect from law and corporations upon consumers is already the
> single most depressing thing and now earnit.

After five decades of the bloody War on Drugs, I have _zero_ respect for the
rule of law.

------
aeurielesn
Are companies afraid that opposing the Anti-Encryption Bill will automatically
label them as in favor of online child exploitation?

I'm honestly curious about why there's no widespread opposition to the bill
yet.

~~~
IAmEveryone
There are other methods of lobbying than just public, visible disagreement.
They probably are registering their disagreement in private talks with people
in congress.

Facebook publicly coming out against this might not be helpful: most people
just don’t care. Those that (potentially) do care are far more likely to be
mobilized by the EFF or ACLU, which they tend to trust. Facebook isn’t the
most trusted brand name in privacy, as far as I can tell. Their support might
actually be detrimental for the cause.

An open split of Silicon Valley and Republicans would also “politicize” the
issue. Almost instantly, you’d have the 35% of Trump supporters galvanizing
around the bill, even if they were previously ignorant or lukewarm on it. See
the recent train wreck around Quinine-against-covid for a great example of
this effect.

~~~
suizi
The Internet Association which represents them wrote a letter opposing it to
Congress, although there hasn't been much other noise out of them, except for
a minor statement from Facebook.

------
steindavidb
Senator Feinstein (D-CA) is a do’s-onshore of the bill. Here’s the form to
contact her office and encourage her to not support the bill:
[https://www.feinstein.senate.gov/public/index.cfm/e-mail-me](https://www.feinstein.senate.gov/public/index.cfm/e-mail-me)

~~~
tln
do’s-onshore = co-sponsor?

Thanks for the link, I sent an email with it.

------
unknown2374
What is wrong with the wording of the title? The first line is "Signal is
warning that an anti-encryption bill circulating in Congress could force the
private messaging app to pull out of the US market." Being forced out of the
market is different than "threatening to dump the market".

~~~
dylan604
It might be a bit hyperbolic, but the end result is the same. Rather than
compromising the integrity of their app, they'd rather no longer offer it to
an entire country's market. Whether it is "dumping" the users or "pulling" out
of the market, what's the difference? Lavabit shut their entire operation down
once they were forced to compromise their system. While Lavabit didn't have
much notice, Signal is signaling their intent to their users. If that signals
their users to take action by contacting their congress critters to put
pressure, then it seems like a good idea.

------
hiq
Thread of the blog post (source of the article):
[https://news.ycombinator.com/item?id=22815112](https://news.ycombinator.com/item?id=22815112)

------
lambdasquirrel
The sheer irony being that Federal workers have started using Signal instead
of other apps, because it's encrypted.

------
ENGNR
They achieved this in Australia by saying "we don't care how you achieve both
security and putting backdoors in, just have a 'capability'". If you don't
have the ability to open a backdoor for them you've committed an offence

The best counterargument I came up with at the time is the security of our
children. Who the hell knows what teenagers are sending to each other these
days? Do we even want to know? I don't, and it's weird that Attorney General
Barr wants to open this door. Why risk letting the wrong person sneak into a
position where they can see all of our children's messages, everyone deserves
real security

------
hjkgfdfgh
If Signal were federated, there would be no single entity to shut down.
Alas...

~~~
ccktlmazeltov
Your comment makes zero sense, let me explain: most people use signal through
the iOS app. It is very easy to shut down an iOS app.

Hope you got it!

~~~
sudosysgen
If you care so much about uncensorable resilient service you probably already
use either jailbroken iOS or Android. And if you don't, then do. iOS has a 13%
market share anyways.

Hope you got it!

~~~
filoleg
> iOS has a 13% market share anyways.

Not in the US, where as of March 2020 it maintains a 60.1% share.

------
spanktheuser
So much of this conversation accepts the government’s anti-crime message is
made in good faith.

It isn't. What’s more, you all know that. Everyone agrees the act is unlikely
to stop dedicated pedophiles and terrorists. The Republicans and Democrats
know that as well. Crime is a useful pretext to openly push for what they
can’t say aloud. They wish to suppress dissent.

They know the threat unbreakable encryption poses to their wealth and to their
power. It’s freedom. Freedom from detection, identification, coercion to
comply. Freedom to do what you think is right.

If it’s passed, terrorists will reasonably include domestic terrorists. Which
will broaden to include Antifa [1] and Black Lives Matter [2] in the
government’s eavesdropping. Then people who attend the same protest that BLM
or Antifa appear at will need to be monitored. And so on. This is the whole
point. Not pedophiles. Not Al Qaeda or Isis. They pose no threat to the power
of the ruling class. You do.

[1] [https://www.washingtonpost.com/politics/2019/07/20/senators-...](https://www.washingtonpost.com/politics/2019/07/20/senators-want-antifa-activists-be-labeled-domestic-terrorists-heres-what-that-means/)

[2] [https://foreignpolicy.com/2017/10/06/the-fbi-has-identified-...](https://foreignpolicy.com/2017/10/06/the-fbi-has-identified-a-new-domestic-terrorist-threat-and-its-black-identity-extremists/)

~~~
mirimir
As wealth/income inequality increases, capability to suppress dissent becomes
increasingly important. And yes, "domestic terrorism" will include anything
that threatens the wealthy.

------
DenisM
Interestingly, the term “interactive computer service” has the meaning given
the term in section 230(f)(2) of the Communications Act of 1934 (47 U.S.C.
230(f)(2)):

 _The term "interactive computer service" means any information service,
system, or access software provider that provides or enables computer access
by multiple users to a computer server, including specifically a service or
system that provides access to the Internet and such systems operated or
services offered by libraries or educational institutions._

It appears that a P2P app would be off the hook, at least for now, because
there is no "server" in the picture.

~~~
r3trohack3r
> any information service, system, or access software provider that provides
> or enables computer access by multiple users to a computer server

Wouldn't that mean every node on a P2P network would be considered a client,
server, and interactive computer service?

Another way of interpreting this, I think, is that everyone participating in a
DHT or scuttlebutt network would be responsible for every other user's
behavior on that network.

~~~
DenisM
I am thinking two phones knowing about each other's IPv6 addresses. No central
directory.

You might be right though.

------
dwheeler
If you oppose the EARN IT act (I do), and you're a US citizen (I am), then you
need to contact your US House and State representatives. It's generally easy,
fill in an online form. Obviously there's no guarantee that they'll do what
you ask, but that is the _minimum_ thing you should do.

------
yingw787
So...assuming this bill passes and Signal pulls out of the U.S., what can the
average person do to continue to access Signal's servers in other countries?
Can we VPN into an Apple computer based in the EU, build our own Signal
client, and then somehow scp the files back to the U.S.? I think TestFlight
would be out of the question, since you probably would need to sign Apple U.S.
Terms and Conditions, and because Apple Developer Program is $99 / year.

Maybe I should get a Purism phone.

~~~
paxys
Thing is the VPN service would be subject to the same law, and so the
connection would likely still be insecure.

~~~
yingw787
Hmm, okay, so I can drive over to Canada, make a developer friend there, build
an instance of the Signal iOS app using the licenses there, load it onto my
phone via TestFlight or USB stick, then drive back to the U.S. and use it
assuming TSA doesn't touch my phone?

~~~
aspenmayer
After you load TestFlight and Signal build onto your phone, make a full
encrypted local backup via iTunes.[0] Upload that backup image somewhere. Turn
off Find My (iPhone) to disable activation lock. Restore iPhone to factory
settings. Return iPhone to factory sealed box. Optional: mail phone to self
at destination or other location of your choosing in destination. Cross
border. When at desired use location, unbox phone. Fetch backup you made
earlier. Restore backup to iPhone. Use Signal.

[0] [https://support.apple.com/guide/itunes/back-up-your-ios-devi...](https://support.apple.com/guide/itunes/back-up-your-ios-device-itns3280/12.9/mac/10.14)

~~~
yingw787
That sounds much more feasible! I copied and pasted your tip into my notes
app. Thanks!

~~~
aspenmayer
Another tip is that it doesn’t have to be the same phone as far as the backup
and restore is concerned. Enrollment of the TestFlight app might be impacted
if the phone changes but that’s just my concern because I haven’t tested that
part.

Here’s some links related to these ideas which may be relevant to your
interests.

[https://support.apple.com/en-us/HT208079](https://support.apple.com/en-us/HT208079)
iTunes update that allows installing apps

[https://www.idownloadblog.com/2015/12/25/how-to-download-old...](https://www.idownloadblog.com/2015/12/25/how-to-download-older-versions-of-ios-apps/)
Charles proxy how to download specific app versions

[https://www.reddit.com/r/jailbreak/comments/auabt7/question_...](https://www.reddit.com/r/jailbreak/comments/auabt7/question_is_there_a_working_tweak_to_downgrade/)
Context for AppAdmin jailbreak tweak which allows for downgrading apps from
device via App Store

[http://www.i-funbox.com/en/index.html](http://www.i-funbox.com/en/index.html)
iFunBox lets you backup and install ipa from device via pc or Mac

[http://julioverne.github.io/description.html?id=com.juliover...](http://julioverne.github.io/description.html?id=com.julioverne.ext3nder-installer)
Jailbreak tweak to auto resign apps and install/backup from device

[https://support.apple.com/apple-configurator](https://support.apple.com/apple-configurator)
Apple Configurator allows device management and provisioning by your
whitelisted macOS devices

------
garyfirestorm
Guns kill children!! Politicians - we need to defend ourselves and our rights.
Keep the guns.

Encryption is dangerous to children Politicians - yup...take it away guys.

~~~
floren
Feinstein, one of the co-sponsors of this bill, has a pretty good track record
of going against _anything_ which could give power to the people rather than
the government, including guns. Now, that didn't stop her from being one of
the only people in San Francisco with a concealed carry permit (up until
2012)... laws for _thee_ , but not for _me_.

------
pgm8705
Presumably, this would affect Apple and iMessage as well, correct?

Hopefully, Apple will publicly denounce this act, putting stronger pressure
on representatives and increasing public awareness.

~~~
maqp
Apple can already silently eavesdrop on all iMessages, because they control
the public keys inserted to your device. There are no fingerprints to verify
you're not under MITM attack so they can just start attacking everyone. Read
my longer post on this topic here:
[https://news.ycombinator.com/item?id=21425897](https://news.ycombinator.com/item?id=21425897)

~~~
saagarjha
Apple cannot do this "silently".

~~~
maximente
what evidence do you have to refute the longer post that the OP linked to
where they explain the exact mechanism that this can be done silently?

~~~
saagarjha
The fact that adding a new key is no longer silent? iMessage will alert you
when a new device is added to the account.

~~~
maqp
Does it alert you when your contact's key changes? Does it alert you when your
contact buys another iDevice and installs iMessage on it? Thought so. That's
where the attack happens, when you receive a new public key for contact's
device.

Just because your account keeps track of your devices, doesn't mean Apple
can't do this attack.

~~~
saagarjha
There’s no need to be confrontational or try to “gotcha” people here; Hacker
News is for thoughtful discussion. As for your scenario: yes, Apple could do
this. But I’m not sure what your solution to this would be? Some UI to show
the addition of a new key? Hashes that you could match? There’s no reason they
couldn’t backdoor the UI as well as the key distribution for a casual user;
and a sophisticated one who’s looking for this kind of attack can just check
the keys Apple sends them manually…

~~~
maqp
My intention was not to be confrontational. But such posts spreading
misinformation aren't really thoughtful and shouldn't be tolerated.

The standard method to detect MITM attacks from server side is with public key
fingerprints. Sure, that feature could be backdoored too, I've seen that in a
real life product. But that's only half of the equation: you need FOSS client
with reproducible builds to ensure the feature actually works. After that, the
users can verify their E2EE is working the way it should. Fingerprints alone
aren't enough.

As I point out in the long post, use Signal that allows this.
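
An added sketch of the fingerprint check described in the comment above (not part of the thread, and not Signal's or Apple's code): a client pins the fingerprints of the keys a directory serves for a contact, refuses to silently accept an added key, and derives a code two users can compare over another channel. The key bytes, user names and code format are constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the raw key, truncated to 128 bits, in 4-hex-digit groups."""
    h = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def key_set_digest(user_id: str, public_keys) -> bytes:
    """Order-independent digest of a user id plus all of that user's device keys."""
    h = hashlib.sha256()
    h.update(hashlib.sha256(user_id.encode("utf-8")).digest())
    for key in sorted(set(public_keys)):
        h.update(hashlib.sha256(key).digest())
    return h.digest()


def comparison_code(user_a, keys_a, user_b, keys_b) -> str:
    """Code both users read to each other out of band; same value on both sides
    only if each side sees exactly the keys the other side really owns."""
    parts = sorted([key_set_digest(user_a, keys_a), key_set_digest(user_b, keys_b)])
    h = hashlib.sha256(parts[0] + parts[1]).hexdigest()[:20]
    return "-".join(h[i:i + 5] for i in range(0, len(h), 5))


@dataclass
class KeyCheck:
    status: str            # "first-use", "unchanged" or "changed"
    added: frozenset       # fingerprints served now but not pinned
    removed: frozenset     # fingerprints pinned but no longer served


@dataclass
class PinStore:
    """Client-side record of which key fingerprints were accepted per contact."""
    pins: dict = field(default_factory=dict)

    def check(self, contact: str, served_keys) -> KeyCheck:
        served = frozenset(fingerprint(k) for k in served_keys)
        known = self.pins.get(contact)
        if known is None:
            # Trust on first use: nothing to compare against yet.
            self.pins[contact] = served
            return KeyCheck("first-use", served, frozenset())
        added, removed = served - known, known - served
        if not added and not removed:
            return KeyCheck("unchanged", frozenset(), frozenset())
        # Pins are NOT updated here: a changed key set must be shown to the
        # user and verified before anything is encrypted to the new key.
        return KeyCheck("changed", added, removed)

    def accept(self, contact: str, served_keys) -> None:
        """Call only after the user compared fingerprints over another channel."""
        self.pins[contact] = frozenset(fingerprint(k) for k in served_keys)


def constructed_key(label: str) -> bytes:
    """Stand-in for a 32-byte public key (constructed sample data, not a real key)."""
    return hashlib.sha256(label.encode("utf-8")).digest()


ALICE_PHONE = constructed_key("alice phone")
BOB_PHONE = constructed_key("bob phone")
BOB_LAPTOP = constructed_key("bob laptop")               # a device Bob really added
INJECTED = constructed_key("key added by the directory")  # Bob never generated this

if __name__ == "__main__":
    store = PinStore()
    print(store.check("bob", [BOB_PHONE]).status)
    result = store.check("bob", [BOB_PHONE, INJECTED])
    print(result.status, "added:", sorted(result.added))
    # Alice's view includes the injected key, Bob's view of himself does not,
    # so the codes they read to each other differ.
    print("alice sees:", comparison_code("alice", [ALICE_PHONE], "bob", [BOB_PHONE, INJECTED]))
    print("bob sees:  ", comparison_code("bob", [BOB_PHONE], "alice", [ALICE_PHONE]))
```

As the comment notes, this check only helps if the client code performing it can itself be audited and reproduced.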

------
vibesngrooves
With all the press around EARN IT, this would be a great opportunity for
companies with even a mild focus on combating criminal activity on their
platforms (Facebook, Mailchimp, etc.) to collaborate with bureaucrats and/or
testify in congress.

Thorn seems especially poised as mitigating child abuse is the essence of
their organization. Whatever their stance, they appear to be an authority in
the private sector spearheading technical efforts to combat child abuse. If
any Thorn engineers/representatives - or any platform engineers focused on
abuse prevention - are reading, I'd love to hear your take on the proposed
legislation. It's imperative that we grant resources necessary to challenge
such a horrific human issue without sacrificing our privacy and subsequent
civil liberties

For context... [https://www.thorn.org/](https://www.thorn.org/)

------
lisper
If anyone here is interested in helping to develop E2E encryption that cannot
be shut down by the government here is my effort towards that end:

[https://github.com/Spark-Innovations/SC4](https://github.com/Spark-Innovations/SC4)

The project has been moribund for a while because it's hard to compete with
Signal but it wouldn't take a lot of encouragement for me to take it up again.
First on the agenda is adding a ratchet. Most of the heavy lifting is already
done ([https://github.com/rongarret/ratchet-js](https://github.com/rongarret/ratchet-js))
it just needs to be integrated.
I also have an iOS app that was kinda sorta working the last time I tried it.

------
LatteLazy
You can't maintain democracy or the rule of law with these laws in place. This
isn't about privacy, making it about that is missing the point. Privacy is a
nice side benefit, something we give up routinely for safety. Democracy isn't.

------
DeathArrow
When government agencies want to do something bad they always bring in child
exploitation, terrorism or war against drugs.

Government agencies should be able to fight crime without massively spying and
monitoring their citizens.

~~~
eru
> Government agencies should be able to fight crime without massively spying
> and monitoring their citizens.

Nor the rest of the world's citizens.

------
rlt
> Although the goal of the legislation, which has bipartisan support, is to
> stamp out online child exploitation, it does so by letting the US government
> regulate how internet companies should combat the problem—even if it means
> undermining the end-to-end encryption protecting your messages from snoops.

As usual, one of the Horsemen of the Infocalypse:

[https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalyp...](https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalypse)

------
bagacrap
"Companies should not deliberately design their systems to preclude any form
of access to content"

e2e encryption only prevents certain forms of access to the content. You can
still find the physical device and (provided it's unlocked) read the messages
off it.

Encrypting on one end and decrypting on the other could theoretically be
performed manually with the message sent via an insecure channel. So is two
party encryption what's illegal now?

------
AlexCoventry
As much as I love Signal (I use it every day), wouldn't the USG, given its
values, just say "good riddance"?

~~~
hedora
Many senators use it, apparently.

Hopefully some will switch to a surveillance platform and get outed for
whatever it is senators do between screwing the country over.

 _grabs popcorn_

~~~
suizi
Some do after their security experts twisted their arms to get them to use it
over emailing each other things which could be used to blackmail them.

I wouldn't expect them to understand the consequences of what they're doing,
they likely think it magically just applies to all the people they don't like.

------
mirimir
OK, instead of "dump US market", why don't they (or someone) create a clone
that can't be fscked with? Maybe hybridize with Briar, or whatever. Take
everything off clearnet, and have everything anonymous.

I was thinking that Session/Loki was better protected, but the Loki Foundation
is likely just as vulnerable.

------
cageface
This kind of thing and the pulling of HKMaps are the main reason I'm running
Android again. Being able to run apps on my phone that my government won't
allow in an official app store is looking more and more likely to be an
essential freedom.

~~~
codeisawesome
Aren’t there many proprietary blobs starting at the SIM card level, which are
black boxes that could contain malicious code? I can’t trust Android phones
“completely” because I’m not sure just how much of it is truly open source -
so iPhone is a more convenient alternative of the same thing with at least lip
service to privacy and security...

~~~
cageface
I don't really _trust_ my Android phone but at least I have some escape
hatches.

------
suizi
[https://twitter.com/signalapp/status/1247938861184909312](https://twitter.com/signalapp/status/1247938861184909312)
Their tweet on Twitter.

------
mirimir
If EARN IT passes, and if Signal wimps out, something tougher will replace it.

------
miki123211
I just wonder what leaving the US market means. Sure, they can ban American
IPs and pull the app from Google Play, but will they still be liable if an
American gets an apk and goes through a VPN?

~~~
Etheryte
How would a company be liable if it isn't stationed in the US nor does any
business there? Asking sincerely, I don't see any way that it could be.

~~~
miki123211
It could be liable in the same way copyright violators / darknet drug store
owners are liable. If you live in a European country and host your torrent
website there, but you host Harry Potter, Star Wars and so on, they can
extradite you to the U.S.

------
suizi
Related: [https://www.protocol.com/earn-it-act-hearing-section-230](https://www.protocol.com/earn-it-act-hearing-section-230)

------
tanilama
It is only a threat if it has leverage.

Forcing Signal out of US market is the goal.

------
einpoklum
In Soviet Russia, government spy on everyone's phone.

In Capitalist America, phone spy on everyone for government.

------
lonelappde
Why can't clients encrypt client side?

Chat apps should support input plugins. If a user encrypts locally, there's
nothing the network can do about it.

~~~
t-writescode
That is how E2E works. But that means the software you’re using must be able
to communicate with your client, unless you want to copy-paste every message
into a decryptor. That’s a pain for normal communication.

Therefore, we have programs like Signal that do that for us.

~~~
mLuby
I wonder if a keyboard app could do it, since they sit between the user input
and the chat app.

It would be nice if message transportation were decoupled from composition and
consumption. Default bundling is fine for ease of use, but allow first-class
replacements.

~~~
maqp
These are called in-line encryption systems. They're generally not apps, but
separate devices with automated ciphertext transmission. I've been working on
something that does this
[http://github.com/maqp/tfc](http://github.com/maqp/tfc) and that can be
plugged to almost any transport system with relative ease. The current design
is using v3 onion services for each endpoint.

------
classified
So the US govt declares war on Math. Again. What else is new? Tech won't stop
them, we have to vote those assholes out of office.

------
sliken
Makes me wonder if Signal moved elsewhere to avoid the EARN IT act, could they
still publish their app to the Android and iOS stores?

~~~
lvs
If they had users in the US, they would be operating in US jurisdiction. I
think the only answer, if the law turns against us all, is to move to a
decentralized system like Matrix. Signal as a centralized system has a single
point of failure.

------
brocklobsta
Slowly but surely personal privacy is getting chipped away in the name of
"Good"... smh

------
throwaway55554
This just kills me:
[https://arstechnica.com/tech-policy/2020/04/senator-backing-...](https://arstechnica.com/tech-policy/2020/04/senator-backing-anti-crypto-bill-calls-out-zooms-lack-of-end-to-end-crypto/)

~~~
RickS
There's a coherent worldview where this isn't hypocritical:

> Encryption is for hiding our comms from China and Facebook, which keeps you
> safe. Hiding your comms from America makes it harder for America to keep you
> safe. Encryption should be weak enough to let the US government have the
> knowledge it deems necessary, but strong enough to build a moat around that
> superiority.

It's misguided for a bunch of reasons that HN well understands, but it holds
water. That's what makes it scary: not that it's absurd, but that unless
you're both well educated and skeptical, it sounds downright responsible.

~~~
ummonk
People keep saying that backdoors weaken security in general, but that's
simply not true. If you create a cryptographic backdoor that only one third
party entity can access (because only they have the private key to do so),
this doesn't fundamentally make it any weaker than ordinary end-to-end
encryption (where the recipient has the private key to decrypt the messages
you send them).

~~~
saagarjha
It does, because the third party may share their keys with others.

~~~
throwaway55554
> It does, because the third party may share their keys with others.

It makes the store where the keys are kept a priority target as well.

------
GekkePrutser
This is why something serverless is needed. Then there is nobody to sue.

~~~
neets
Well, there is Tox and other protocols that work through the Tor network

~~~
GekkePrutser
True, I will probably switch to something like that.

The problem with Tor I don't like is that it's no longer the lighthouse of
freedom it once was. It's too tainted by all the perverts and heavy criminals
that abuse its power. The same happened with Freenet sadly and completely
killed it for the mainstream public. This "slimy" feeling is slowly corroding
Tor as well. I can't help but feel it does need some kind of control, not
identification of peers but some kind of banhammer.

Also, the anonymity Tor/Tox provides is not really needed as I'll use it to
communicate with people who know who I am anyway.

Finally, Tor isn't exactly serverless either. Governments could shut it down
if they wanted to. But I think they rely on it too. I'm sure they run exit
nodes to keep tabs on things and I'd imagine they use it for communication
with their own spies. After all, it was invented by the US government itself
for such reasons.

------
harikb
Can we please have new articles at least state the law correctly as anti-
security instead of anti-encryption?

------
throw7
Does Biden support the EARN IT bill?

Does Trump support the EARN IT bill?

------
president
Has anyone here actually read the full-text of the bill [1]? I don't see any
mention of banning cryptography/encryption in it at all. In fact, the only
thing that the bill proposes is the creation of a commission to establish best
practices for child exploitation. Seems a bit unfair to call this an ANTI-
ENCRYPTION bill.

[1]
[https://www.govtrack.us/congress/bills/116/s3398/text](https://www.govtrack.us/congress/bills/116/s3398/text)

~~~
mundo
Scroll down to section 6 - it amends CDA 230 to strip protections from
companies that don't follow the "best practices" (which might not involve
backdoors, but are presumed to, based on past statements by the
commissioners-to-be, especially AG Barr) established by this commission.

