Hacker News
European Parliament approves mass surveillance of private communication (patrick-breyer.de)
938 points by pepperberg 83 days ago | 415 comments

Are there any primary sources for this? I'm having trouble finding anything talking about any final legislative action involving chat control/ePrivacy etc. that isn't this random pirate party blog.

This is a much better source of information than the headline link. It describes how this came about, what its limitations are and just gives a whole lot more context.

Of course it fails to advocate - which itself may have become a vice.

Rule of thumb: If something invokes "protect the children" to justify itself or to push its agenda, it is advocating something. Not only that, it is doing so in an underhanded and emotionally targeted way. I'm not saying politico is the primary source of advocacy in this situation, but they are at least echoing it and helping frame the debate around that.

The fifth and sixth sentences of the article explicitly state the concern of child protection being used as an underhanded and emotional tactic.

While I disagree with invoking child protection as a form of political blackmail, child protection is a legitimate concern. Several populations, of which children are one, are considered vulnerable to exploitation and legislation to reduce exploitation is legitimate.

The problem lies with the fragility of our political system. It is so fragile that debating the effectiveness of the legislation can be shut down with a handful of emotionally charged words. It is so fragile that seeking alternatives which don't impact fundamental rights is overlooked in the interests of expediency.

Of course, creating such rules of thumb is a symptom of the same disease. It is a tool to discourage debate rather than encourage it.

> fundamental rights

Genuine question because I never understand what people mean when they use that phrase: how is a right fundamental? Does the cold universe assign them to us or do a set of people agree such-and-such are fundamental. If the latter, were the same rights fundamental 20,000 years ago? (Because if they are fundamental, they should stretch back to early man… earlier than even 20,000 years ago)

I think that "fundamental" doesn't mean "naturally occurring" or "universal", but rather "foundational", in the sense that more nuanced rights are based upon their basic principles.

So for example we have the principle of "freedom of speech", which might be accepted by courts and society as including a right to publish literary works that some deem offensive, but that could be considered a subsidiary or supplementary right which doesn't have the same level of protection.

More relevantly, a society might accept the principle of a "right to privacy", but might not think that grants a "right to privacy from warranted surveillance" or from "warrant-less automated mass surveillance".

Of course there will always be a tension, as rights activists will instinctively claim that denying some specific right is undermining a fundamental right, since they are sure that everyone agrees that the new right is an inherent consequence of that fundamental right, but the government will always claim that its policy doesn't impinge upon any fundamental right and that the specific new right that the activists believe in doesn't need to exist at all.

The Canadian Charter of Rights and Freedoms actually enumerates the "fundamental" freedoms separately: freedom of expression, freedom of religion, freedom of thought, freedom of belief, freedom of peaceful assembly and freedom of association.

Contrast these with the rights enumerated, e.g., democratic rights (the right to vote), legal rights (freedom from unreasonable search and seizure, right to counsel), mobility rights (right to live in any province and enter and leave Canada).

The rights granted are those that build _a_ society that supports those fundamental freedoms. The fundamental freedoms themselves are not something that exists in support of anything, but are simply accepted as something that stands alone as something we demand of our government.

Do you mean that fundamental rights are anything we want them to be? So if we want, we could decide that the right to be free of criminal activity (particularly ones that encourage or lead to degradation, depression, death, etc. of children) is more fundamental than the right of privacy? I think there's something more to being fundamental. Otherwise it seems all very arbitrary. Calling something fundamental could change at the whim of the majority.

There's a Wikipedia page which basically says they're a set of rights that are broadly agreed to be particularly important: https://en.wikipedia.org/wiki/Fundamental_rights

For example, the Universal Declaration of Human Rights, but other countries might have determined their own (additional) set.

I would assume the name "fundamental" was chosen because all other rights derive from them, i.e. if they're taken away from you, you won't be able to preserve the non-fundamental rights.

> the Universal Declaration of Human Rights, but other countries might have determined their own (additional) set

It works the opposite way. Universal Declaration universally declares nice stuff, but member countries are free to restrict and persecute the freedom of """hate speech""", the freedom of """extremist expression""" et cetera et cetera et cetera

UDoHR is just words; intellectuals are seduced by words and dismiss the fact that UDoHR doesn't work anywhere except (maybe) America

No rights are objectively fundamental. It's subjective. If people in power don't agree to act as though certain rights are fundamental, they cease to be enforced, even if lip service is paid.

Excellent point. So I’ll ignore “fundamental right” next time I read it.

I note that the United States uses “inalienable rights”, meaning ones which can’t be given or taken away.

The only things that can’t be given or taken from me without a lobotomy are my education and internal thoughts and beliefs (that includes things like self-worth and dignity).

Inalienable is just as worthless as fundamental. Obviously the US govt takes away its citizens' rights to life, liberty and pursuit of happiness through actions such as death penalty, imprisonment, compulsory military draft, and all kinds of less severe restrictions for criminals and suspects.

That's a misunderstanding of "inalienable" or "unalienable".

An alienable right is one which can be assigned to another.

Your physical, real (land), and usufruct rights (as with intellectual property rights) can be alienated in the sense that you can be deprived of them and then they can be assigned to another entity.

Inalienable rights can be denied to you, but cannot be made alien in the sense that another receives their benefits. Your own life, your own happiness, your own liberty, among other privileges you may enjoy, can be deprived of you. But nobody else can receive their benefits.

The notion of inalienable rights is not absolutely fixed. In 1800, you would have had an inalienable right to the function of your own heart, lungs, kidneys, liver, etc. With organ transplants, these are now alienable rights, as those organs (and others) can be removed and given to others, through advances in medical technology.

Note that your usufruct rights and your property rights can be alienated, but your right to property, as a separate concept, cannot.

That is, the benefits or possession of property can be transferred to another. The ability to benefit or possess cannot. Those last can be denied, and the objects of them transferred, but the right to enjoy, much as happiness or enjoyment itself, is inalienable.


> Obviously the US govt takes away its citizens' rights

There is a system of laws enacted by representatives of the people and proven out in courts, for example Eminent Domain.

To your point, that "nation of laws" concept is tending toward more of a theoretical than practical thing.

Then they're alienable by law, not inalienable.

I tend to see rights as temporary privileges.

A right by its name can be given or taken away. I feel the discussion about fundamental rights is moot as it always depends on the powers that be. In that sense I prefer dane-pgp's explanation of these being more foundational rights.

Your thoughts and beliefs and your actions are what you are and not a right.

Privileges accorded by whom?

If Hitler came to power, let's say in an election but it doesn't matter since the right to vote is also a privilege according to your view, and said "alright, henceforth, all blacks lose the privilege of living", would you find that irrefutable and in conformity with your own logic? If Jeffrey Epstein took power and said "children may now be raped at will", is that a matter of a privilege being cancelled? Does "might make right" however you define "might"?

I certainly hope not.

Morally you and I might prefer a system where might does not make right and human rights are truly inalienable.

Practically, however, these rights are only inalienable as long as the powers-that-be (police, military, organs of the state) agree -- if hypothetical Emperor Epstein (or real-life President Ashraf Ghani) declares child rape to be legal, and police and courts obey him, then good luck going up against them...

You are mixing up two different definitions of "right". One is a legal term about what you are allowed to do or what can be done to you. That's what gp meant. And I agree that the only rights you have in that sense are ultimately those you are willing to fight and die for. If it can just be taken away it's not meaningfully fundamental, unalienable, or universal as a legal right.

The definition you used is about what's morally right and in that sense talking about fundamental rights that can't be taken away if you want to hold up some definition of human dignity makes sense, but even then it's subjective to some degree and depends on which school of thought you subscribe to.

Your example shows exactly this dichotomy. If freedom can be taken away and sexual consent ignored, those things can't be as fundamental or real as physical laws. But even so I have a hard time imagining most who see it this way would consider this as anything but reprehensible.

You have a right to liberty regardless of whether you are enslaved or free.

A right without a remedy isn't a right at all.

I don't see either your claim or WalterBright's as clearly grounded.

Each of you needs to define how you mean "right".

(NB: The definition in the OED spans 8 pages.)

Can you explain to me the context in which an unenforceable right has meaning?

I think by any definition, a right without a remedy is meaningless. If you have a right to expression but the state taxes printing presses so excessively that only the rich can print, what good is that right?

If you have the right to an attorney but cannot afford one or the cops won't let that attorney talk to you, what good is that right? If you go to trial and they say, "it's fine, your attorney is here, representing you" and you've never seen that person before in your life, that's what we call a kangaroo court.

Many would agree that you have a right to rebel if someone tries to enslave you. How did that work out for Nat Turner? These rights matter in an idealistic way? Was that Nat Turner's goal? To get 21st century people really thinking? Or did he want a family he could keep with him, his own home, his own food?

We are used to telling ourselves over and over the stories of people who believed in their rights, fought and won them. We conspicuously ignore the stories of people who believed in their rights, fought and lost and then were not just denied their rights but made into villains.

And don't even get me started on Operation Paper Clip, U.S. intelligence supported Nazi rat lines and Nuremberg.

Perhaps if you believe there is some philosophical cosmic central plexus where your case will be adjudicated after death you can believe in capital R "Rights". I do not. And so in my opinion, all rights depend on the right to enforce them.

Again, there are numerous definitions of "right". Most usages in this thread seem to fall under the OED's 9th definition, of "a legal, equitable, or moral title or claim to the possession of property or authority, the enjoyment of privileges or immunities, etc."

Whilst legal rights might have some enforcement mechanism, equitable or moral rights (divorced of legal aspects) typically would not. The right is recognised or might be asserted or defended, but by other-than-legal means.

Black's Law Dictionary gives a number of definitions, though as these are (largely) specifically in the context of law, their narrowness is somewhat expected. Fundamental right however has as its first definition "a right derived from natural or fundamental law", which might be construed as at least partially exceeding legal enforcement.

The whole notion of rights can become complicated, and whilst I often agree with the sentiments or goals of those advocating for certain rights, I find the specific rationale, logic, and/or empirical grounds often weak, leaning far more on rhetoric than some basis in reality. At the extreme, for any given right, based on "natural" or "fundamental" law, it's virtually always possible to construct a competing right which negates or countermands that.

The rights of speech vs. privacy, of bearing arms vs. freedom from coercion or fear, of access to healthcare vs. freedom from supporting another, of the national right to defence vs. the right to refrain from violence (including supporting it monetarily through taxes), etc.

There's a school of thought which dismisses the notion of rights, probably most famously Jeremy Bentham. I'm not sure I fully subscribe to his views (I've only read brief summaries, and don't substantially know them), though I'm inclined that way myself.

What I see are competing sets of freedoms, privileges, responsibilities, and obligations, most of which exist, as you suggest, based on the ability to assert or defend them as a practical matter, and to that degree I think we are in some agreement. I'd be more willing generally to suggest rights in a moral sense that should be aspired to. These might be your unenforceable, but not meaningless, rights.

There's a tremendous amount of historical relativism and present-bias in discussion of rights. There've been incredibly durable and arguably thriving societies whose rights and values systems differ sharply with those of most present-day countries. There's been a considerable movement in questions of ethics, morality, and rights within my own lifetime, within my own homeland, and those developments are far less than those experienced elsewhere over the same period.

Absolutist declarations of rights tend to end poorly.

You are free or not, regardless whether you have a right to liberty or whether you are enslaved or free.

If governments bestow rights, then the citizens have no business revolting against an oppressive government.

Governments bestow, enforce, and adjudicate legal rights.

There may well be other types of rights that are being discussed here, and much of the confusion in discussions of rights seems to revolve around disagreement on those definitions. It becomes something of a motte-and-bailey tactic, or one of terms expressed and understood quite differently by participants.

I would instead say they have no right to revolt rather than no business revolting — their business is to give themselves rights.

Because the government would never bestow them with the right to overthrow it?

That's literally what elections are.

"Fundamental" in the sense of "foundational to civil society".

Not "fundamental" in the sense of "impossible to deny".

Where fundamental rights are routinely denied, civil society is impossible.

> how is a right fundamental?

They are inalienable and bestowed by their Creator. I.e. they are part of the innate nature of human beings.

Governments can either protect those rights or abrogate them - they cannot invent them.

And yes, they stretch back to when humans became human. Though it took a while for people to formally recognize them.

So, "inalienable" I can understand.

"Bestowed by their Creator" starts leaning very heavily on a specific religion's doctrines, and given that there is no religion which is universally adhered to by all persons, dominant in all nations, or indeed acknowledging that "no religion" is the belief of a substantial portion of the population, then regardless of the legacy of the phrase, it's not especially useful in discussion and to me seems to obscure more than it reveals.

Could you choose an alternate phrasing?

How do we know what those fundamental rights are? By observing what happens to societies that have various formulations of rights. The societies that thrive are closer to the mark than societies that are mired in misery, despair, and death.

You neglected to mention any of these fundamental rights. Can you tell me one of them so I can debate you that it’s not fundamental?

> one

I'll give you three: Life, Liberty, and the Pursuit of Happiness.

None of those except life is “part of the innate nature of human beings”.

Death is also part of our innate nature, but you did not mention that one.

When someone enslaves you, then, you have no right to complain about it.

The ten commandments as benchmark and foundation apply to many common situations.

There are at least 8 ways to divide up the “ten commandments” passages in Exodus and Deuteronomy into a total of 14 commandments, the Quran has a different set (not being a religious scholar I can’t meaningfully assert how different, given linguistic drift and translation challenges).

Bushido (or the form of it on Wikipedia) has a fairly different and also interesting set.

Anton LaVey (Church of Satan) has an interesting, albeit stereotypically American, eleven.

The philosophers in this list seem to focus on commandments of rationality more than morality, but that’s not something I find hugely surprising: https://en.wikipedia.org/wiki/Alternatives_to_the_Ten_Comman...

The majority of the commandments are not rights but restrictions, the "thou shall not"s. Even the positively-phrased commandments are obligations ("honour thy father and mother...").

These are not rights.

The Ten Commandments are not a list of rights. It doesn't even say you have the right to not be a slave.

I have no rights unless others recognize and at least tacitly agree that they have obligations with respect to those rights.

As the only person left in the universe (after some cataclysm), you'd be left with obligations but no rights. The obligations would include those that arise from within yourself to prevail and try to survive as best you can. Rights? Well, who would be granting those? The innate bit refers to obligations but not rights.

Natural rights exist even when denied and infringed. Perhaps they are discovered as a consequence of human behavior, rather than molded by a grantor in acts of beneficence or compromise.

Can you name a “natural right”?

This is beautiful and spot on.

If rights are merely a fabrication of government, then it should be possible to create a communist society that works as well as a free society.

But they don't. Not even close. Something is fundamentally wrong with communist societies.

We assign those rights as a society and, more relevantly here, as a political system. The people who draft our constitutions and (like for all political norms) those who create our political discourse have more influence in defining them than the general population, but these norms have to be agreed to by a fairly large swathe of society to be effective.

> fairly large swathe of society

I don't think a majority necessarily carries power. The uber rich and intelligence agencies carry far more power than any mass of citizens.

a) I said "fairly large swathe"

b) Elites exert control by persuasion; they control the discourse, they organize larger movements, &c. There are still limits to what popular opinion will go along with.

c) Intelligence agencies are, in most rich democratic countries, not a major lever of political power. Government economic institutions, police, courts, and the like are much more influential in both day-to-day lives and in shaping popular conceptions of the "rules of the game".

You are speaking of rights. I’m speaking of “fundamental rights”. How are they different?

"Fundamental" rights are the ones whose existence is not considered a matter for debate in society.

No such right exists. Can you name one?

In the US in particular:

The right to life (in a negative, the-government-shouldn't-take-it-away sense) is quite universally recognized - in cases where it's violated, defenders of that violation work very hard to craft a strong justification.

The right to free speech (again, in a negative, the-government-shouldn't-take-it-away sense) is also a fundamental part of political discourse.

The right to private religious practice is broadly fundamental, though the right to religious practice of various sorts in the public domain (as well as the definition of that public domain) is hotly disputed.

Notably, the rights to certain social goods are "fundamental" in parts of Western Europe (e.g. healthcare in the UK), but very much are not in the US. My general impression is that positive (the-government-should-provide-it) rights are much more rarely "fundamental" in the sense of being deep in a polity's consensus.

It assumes the geopolitical domination of a group who asserts the right as fundamental. In other words a world order.

A world order or just a political system like a country?

Thanks for asking this. I’ve wondered the same things. The answers so far don’t seem to really answer the question well, which makes me wonder if this is just one of those phrases that people banter about without considering if it actually means anything.

Yeah, I can’t for the life of me think of any right that is fundamental when you consider the whole of human history and societies that have existed.

Even breathing — the most basic need — can be argued as not a right but something that the universe requires as a need to live. If breathing and life were “fundamental rights”, then there would be a provision in the laws of nature for them.

Rights presuppose justice. When I say that I have a right to something, it means that something is owed or due to me from others for some reason. Justice, like all of morality (see "natural law theory"), presupposes human nature. Human beings are rational animals with the freedom to choose according to (or against) what is rational. If we lacked, by nature, either rationality or free choice, it would not make any sense to speak of the exercise of justice and therefore of rights because if I can't understand, then I cannot be expected to choose according to the objectively good, and if I cannot choose freely then I cannot opt for the good.

What is good for human beings is objectively true as determined by human nature. It is objectively harmful, for example, to starve. It is objectively harmful to cut off one's right arm. It is also objectively harmful to take drugs that frustrate the exercise of reason because this is opposed to being the kind of thing you are, a human being. The same can be said for the misuse of the body and its faculties in various ways. They work against their healthy function and your well-being.

Now, by nature, as I already said, human beings are rational animals, that is, it is our nature to be rational. We are also social animals. Thus, our own flourishing as individual human beings is also social. A society in which justice isn't practiced is no good for the human beings that are a part of it. Justice means that we can make claims, at least under certain conditions. It is of course unjust to make claims upon others that are not warranted, so we must determine what exactly constitutes a just and legitimate claim. This presupposes rationality (you cannot have a claim to what is absurd or evil) and relational (some relations are voluntary, others are not, but the nature of the relationship will inform us of our obligations and claims) and conditioned by other factors (a criminal forfeits certain rights by virtue of having committed an injustice).

I will agree with you, though, that "fundamental rights" is unclear. If they mean something like what I've described, as something that is determined by human nature, then sure, they're fundamental in the sense that they have an objective ground in human nature. But if they are understood as somehow absolute in the sense that a criminal could go around murdering people and still maintain a claim to his own life, then no.

Fundamental is whatever the politicians and the rich decide is fundamental. For example the right to live is fundamental except if you live in a conflict zone (US with its shootings included).

> legislation to reduce exploitation is legitimate

The problem is they don't reduce it. It doesn't prevent the abuse and rape nor does it prevent the trade. They install mass surveillance that catches some idiots.

It sounds like you’ve lifted your ethics from an episode of The Simpsons

People should judge things like this based on the content and context of the legislation, not based on a 3 word summary of its justification. There’s your rule of thumb

Seems like a rule that fails pretty fast if children actually need protecting.

I’m really shocked at how casually some HN commenters will discount the very real problem of online child pornography. It honestly disgusts me how people will hardly acknowledge it’s a real problem.

The legislation: https://www.europarl.europa.eu/doceo/document/TA-9-2021-0319...

Press release: https://www.europarl.europa.eu/news/en/press-room/20210701IP...

Summary from the above link:

> Service providers can continue applying voluntary measures to detect, remove and report child sexual abuse content

> National data protection authorities will have stronger oversight of the technologies used

> Temporary solution for maximum three years

According to the text of the legislation, looks like this kind of scanning was allowed until Dec 21st 2020 when it became affected by a stricter privacy directive, and this reallows such scanning.

I have not been able to find anything about final legislation either, though I did find some references [0] to the chat control legislation from June: [1].

I haven't read through it all, but the notable paragraph seemed to be:

> This Regulation therefore provides for a temporary derogation from Article 5(1) and Article 6 of Directive 2002/58/EC, which protect the confidentiality of communications and traffic data.

'derogation' being a partial repeal of a law.


[1]: https://www.europarl.europa.eu/RegData/docs_autres_instituti...

Edit: It does seem that the intention here was to allow tech companies that were previously scanning for child abuse to continue to do so after December 2020, see politico.eu article

In [1], pages 10 and 11 are the actual directive, the rest is the reasoning. And, although I don't know the previous directives and regulations, it reads as if this is essentially an extension of an exception to the ePrivacy directive for another five years.

Birgit Sippel says in her statement to the president of the parliament [2]:

> Dieses Gesetz ist eine Übergangslösung für drei Jahre. Die Kommission hatte versprochen, noch vor der Sommerpause einen neuen, dauerhaften Rahmen für die Aufdeckung von Kindesmissbrauch vorzuschlagen. Jetzt dauert es noch bis September oder Oktober. Dafür erwarte ich einen deutlich verbesserten Vorschlag. Die langfristige Lösung muss sich mindestens an den Datenschutzgarantien der temporären Lösung orientieren. Sie muss zwingend Lösungen für das gezieltere Scannen privater Kommunikation finden, sonst wird sie vor nationalen und europäischen Gerichten kaum Bestand haben.

Translated (by myself):

> This law is a short term solution for three years. The commission promised a permanent solution to combat child abuse before the summer break. Now, this will take until September or October. Thus, I await a much better proposal. The long term solution must have at least the same guarantees for data protection as the short term solution. It [the long term solution] must have solutions for purposeful/targeted ("gezielt") scanning of private communication, otherwise it will not hold up in front of national or European courts.

So maybe things do not change that much right now.

But back to [1], I am especially curious about article 3(e):

> the provider annually publishes a report on its related processing, including on the type and volumes of data processed, number of cases identified, measures applied to select and improve key indicators, numbers and ratios of errors (false positives) of the different technologies deployed, measures applied to limit the error rate and the error rate achieved, the retention policy and the data protection safeguards applied

Do you know if and where such statistics are published? (today?)

[2]: https://www.europarl.europa.eu/doceo/document/CRE-9-2021-07-...

Yeah, this is a fair assessment.

The main article is sensationalistic and overblown.

People react strongly to such things because we’ve all lived long enough to see new powers targeted at bad actors eventually abused by law enforcement.


It's not overblown. The horror that is the "Patriot Act" was temporary, until it wasn't. It only expired in December 2020, 19 years later, because Trump threatened to veto it if he didn't get his way, and as a result it expired because nobody chose to vote on it. If I was a betting man, I would assume it's still in use even when expired.

So, temporary laws can last for decades.

> I have not been able to find anything about final legislation either

It's here:


Looks like it has more restrictions and a reduced time period (3 years) than the proposal you linked, and some requirements to feed statistics back to monitor the performance of the law.

What could possibly go wrong with this legislation?

Yep this https://www.patrick-breyer.de website is the worst example of self-referencing I have ever seen :(

Just to clarify a point for discussion: this is already the law in the USA, and always has been [0]. European privacy law formerly prohibited private entities from reading personal communications, and handing them over warrantlessly to governments (as I understand it (?)); but this was never a thing in the US.

[0] https://en.wikipedia.org/wiki/Third-party_doctrine

From that source:

In 1986, the United States Congress updated the Omnibus Crime Control and Safe Streets Act of 1968 by enacting the Electronic Communications Privacy Act which included an updated "Wiretap Act" and also extended Fourth Amendment-like protections to electronic communications in Title II of the Electronic Communications Privacy Act, known as the Stored Communications Act.

In Carpenter v. United States (2018), the Supreme Court ruled warrants are needed for gathering cell phone tracking information, remarking that cell phones are almost a “feature of human anatomy”, “when the Government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user”, and that

[cell-site location information] provides officers with “an all-encompassing record of the holder’s whereabouts” and “provides an intimate window into a person’s life, revealing not only [an individual’s] particular movements, but through them [their] familial, political, professional, religious, and sexual associations.”


From https://www.legalmatch.com/law-library/article/e-mail-and-wa...

Are there Any Laws that Protect Your Email Privacy?

Under the Electronic Communications Privacy Act (ECPA), police can access emails without a warrant if the emails are stored in the cloud and at least 180 days old. However, this law is outdated and lawmakers are attempting to pass the E-mail Privacy Act. This would update the ECPA by requiring warrants for all email searches. At the moment, in July 2018, the ECPA has yet to pass.

E-mails that are in remote storage and opened or older than 180 days do not require a warrant. Instead, the police only need to obtain an administrative subpoena. Administrative subpoenas are issued by federal agencies without any approval by a judge, so they are much easier to obtain.

So.. run your own email server in your basement if you're concerned (which would require a warrant). Or try end-to-end encryption solutions.

Think you're glossing over the distinction between compelling material (by warrant, subpoena, &c.) -- what the Fourth Amendment covers -- and private entities voluntarily giving the government material that third parties have entrusted them. Nothing regulates the latter: that's the third-party doctrine.

> Nothing regulates the latter

That's not true. The Stored Communications Act _does_ regulate this. In fact, it was passed in response to concerns that the third-party doctrine would mean that nothing would be protected from the government if it was stored by a third-party service provider.

The law says that the contents of communications may not be divulged unless certain conditions are met, even voluntarily. See 18 U.S. Code § 2702.

The people you're replying to aren't glossing over it, the posted article (and the comments predicting the end of the European tech industry) is glossing over it. "European Parliament approves mass surveillance" really means "European Parliament suspends portion of privacy law that prevents third parties from voluntarily monitoring information entrusted to them" - as they're able to do in the US.

The European Parliament isn't (in this action, at least) compelling anyone to surveil anything.

This is a bizarre distinction to make when the third party doctrine has resulted in mass surveillance in the US.

> The European Parliament isn't (in this action, at least) compelling anyone to surveil anything.

Why shoot down something that you're adding to the article? Who said the European Parliament was compelling anyone to do anything?

This is true.. not much to be done with the major providers all in bed with the Feds. I mean, the telcos literally allow the Feds to port mirror all their traffic. End to end encryption on your own encrypted storage perhaps.

I'm not sure if "allow" is the right word here. Really the NSA can set up another Room 641A at any company they want regardless of that company's wishes and with a national security letter the company can be prevented from even telling anyone (like their customers or the media) about it. I was furious when Obama granted telecom companies immunity from prosecution for their role in the warrantless spying, but really it's not exactly fair to punish people who are strong-armed into compliance.

Perhaps, but if it became public that my telco was allowing NSA to backdoor comms, I’d say the devil made me do it, too.


There is a fairly large caveat to this and it happens to also deal with children.

18 U.S. Code § 2258A - Reporting requirements of providers

In short, it requires ESPs to report incidents of child exploitation that they become aware of to the National Center for Missing & Exploited Children.

According to NCMEC's published data there were over 20 million reports in 2020. The latest breakdown by ESP I could find was from 2019, which shows Facebook making 15 million reports.


EDIT: Here's the 2020 report:


That's what ECPA says, but the Fourth Amendment does apply to e-mails as well as ECPA. Today, pretty much no significant commercial e-mail provider is going to give up e-mail contents without a warrant, even when over 180 days old.

In 2010, the Sixth Circuit held ECPA to be unconstitutional as it relates to email and compelled disclosure without a warrant (at least for large volumes of private email) [0]. This hasn't been tested at the Supreme Court, although the Warshak opinion has been cited approvingly, mostly because providers don't disclose content without a warrant so nobody has had a case to take up.

Carpenter shows 4A can protect metadata under some circumstances too (for more than 7 days of CSLI), even if law enforcement obtain a court order, which requires less evidence than a search warrant.

[0] https://en.wikipedia.org/wiki/United_States_v._Warshak

Those are great. Thanks for posting a very clear summary of two important points. It seems to be very hard to find and define on your own. Too bad they didn't make the same thing for credit card transactions, which are almost, and becoming more so, part of our anatomy. (Will the rules change if they are (injected chips, for instance)?)

This makes the EU look pretty hypocritical for striking down the "Privacy Shield" agreement that they had with the US for GDPR.

In fact, I have to wonder if this will put that ruling in danger of being overturned now?

(And how much do you want to bet that the lawyers at Facebook are gearing up for that very fight right now?)

So it is okay then.

Then when the EU starts running concentration camps for thought criminals, we will say it's okay, China already does it...

It seems that the Four Horsemen of the Infocalypse [0] are as obvious as they are effective.

[0]: https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalyp...

It's becoming scary how dangerous legislation is passed under the guise of protecting against "child exploitation". It's basically political suicide for politicians to vote against it (since the public cannot understand the nuance).

Up to people who do understand it to expose the ones voting for it.

EU Politicians pass anti-privacy legislation to 'protect' us from terrorism....

Which is caused by the open borders and migrant settlement programs promoted by the EU in the first place.

Convenient isn't it?

EU internal borders are open, the external ones are not. It’s a bit like the USA in that regard, biggest difference is our versions of California and Louisiana have their own national languages.

Reminder that even Johnny Rotten of the Sex Pistols knew 25 years ago that Jimmy Savile was abusing children and the BBC upper management must have known many more details about their star, than Johnny Rotten.

Not only was nothing done but BBC's upper management escaped any responsibility for the protection they gave Savile.

One could mention the Dutroux affair, British PM Ted Heath, and many more scandals... yet it does seem that the European elite excuse themselves and invade everyone else's privacy instead.

Facebook fails to go after child pornography despite its insane panopticon.

Every time a surveillance system and violation of privacy rights is advertised in the EU as a solution against child abuse and trafficking I ask myself how such a system could have changed the outcome of a case like Dutroux. Would the dozens of witnesses and police officers involved in the investigation have been suicided way sooner, later, more silently, or at all? We will never know...

> Previously secure end-to-end encrypted messenger services such as Whatsapp or Signal would be forced to install a backdoor.

This is surely a fantastic extrapolation of this author. The chance of this happening is zero, which is also the chance of this being explicitly stated in the legal text.

It would be a disaster of course. And extremely controversial. Which is why it doesn’t just get passed under the radar, even as a temporary measure.

Isn’t there a copy of the actual legal text anywhere? Or a sober analysis of that text that isn’t made by a member of the pirate party?

Edit: Here https://www.europarl.europa.eu/RegData/docs_autres_instituti...

It doesn’t mention encryption, back doors, or forcing any entity to do anything. It does mention allowing companies to temporarily continue current monitoring for child abuse under certain conditions. What exactly is the outrage about?

But it did get passed under the radar. No one knows about this except for techies, and even then it was quite easy to miss.

The legislation would not have passed under the radar if it did what the author claims, e.g. require backdoors or similar.

The reason it didn’t raise many eyebrows is because it doesn’t mention this.


> For autumn 2021, European Commission announced that it will propose a follow-up legislation that will make the use of chatcontrol mandatory for all e-mail and messenger providers. This legislation might then also affect securely end-to-end encrypted communications.

So far nobody is reporting on this.

So he is outraged by this and the worst thing is… not in this legislation but in a potential follow up legislation that might contain those bad parts?

At this point I'm assuming you are arguing in bad faith. Again, no one is reporting on this. People should be made aware that if the vote happens, they can nag their reps beforehand. But they aren't being made aware.

You must be misunderstanding what I’m arguing.

I’m saying nothing about the actual law passed or how it wasn’t reported on.

What I’m saying is that the article linked talks about banning encryption or mandating back doors, and that law would be very controversial (much more than this one) so that law couldn’t just be passed unnoticed.

The future law text about banning encryption might be written some day and I too hope we have plenty of time to nag reps before it ever gets to a vote. This could be years from now, if ever.

nah, you are bsing, the article is about legit concerns, you failing to see any of that or naively/foolishly believing the innocence of the legislators is your own problem.

Why would a company in the US (Signal) decide to comply with the doctrine of another country, especially a doctrine antithetical to their entire business?

Well, zero is not just a really small number.

But to answer "why" would involve unpacking many direct and indirect motivations. First, I would never trust that any corporation has any doctrine that they would or could stand by ad infinitum given the right pressures.

At the end of the day you're talking about humans. A group of self-interested humans. A group of self-interested humans whose makeup changes as directors and executives rotate out. A group whose intentions can be undercut by an individual. Think you that the "Snowden" move doesn't happen the other way around? Probably more frequent that the intelligence communities infiltrate private organizations with rogue contractors than they experience it themselves. Probably really dang easy to be honest.

Since it came up earlier, I might just casually point to AT&T letting the NSA (or whomever) mirror all the traffic running through their network[0]. That would seem antithetical to their business, but obviously there are competing motivations. Where are those motivations sourced? Who makes the call? We don't know. I guess that's my point - you can't put faith in opaque decision making processes. I wouldn't rely on them, is all I'm saying. You could say the risk is low, but it's definitely not zero.

[0] https://www.propublica.org/article/nsa-spying-relies-on-atts...

My point originally was not whether anyone would comply, but whether such a measure would ever be worded, let alone enforced.

The op article doesn’t convince.

Do they want everyone to switch en masse to end-to-end encrypted communications? Because this is how you encourage that.

The vast majority of people do not care. Politicians will say this is to stop pedophiles, and if you speak up against surveillance, you’re labeled as a pedophile and ignored.

Plus, let’s be real, end to end encryption doesn’t exist if you’re using any sort of pre-built app. It’s encrypted-looking to most people, but the people who matter always get back door access.

Don't care or don't perceive the threat clearly?

I’ve seen both when trying to advocate against the UK’s Investigatory Powers Act.

> Plus, let’s be real, end to end encryption doesn’t exist if you’re using any sort of pre-built app. It’s encrypted-looking to most people, but the people who matter always get back door access.

Why do you think this is the case? I know for a fact (with a reasonably high level of confidence) this is not so.

More end to end encryption use only means more laws banning encryption faster.

Or do you really think that when for example DoH gains wider adoption all the countries using DNS based blocking will go "Oh well guess the techies got us".

Good luck with that - the genie's out of the bottle.

End to end encryption is vital to the operations of modern businesses, it's not going anywhere anytime soon.

You'd be surprised then how fast things bend and eventually break under government rule.

Agreed. Most people, when confronted with the choice of jail vs. doing what they are told, will do what they are told.

This works best if the individuals or companies doing this have a meaningful presence in your country and/or consider it a sufficiently relevant market.

If they don't, your critical infrastructure (Internet) just stops working until you conform to the standards set by those who write the software.

Sure, and then the governments are forced to tell the intelligence agencies they can no longer afford all the we-told-you-so consequential successful hacks that happened because of the back doors they demanded.

And the competent criminals will still be able to roll their own encrypted communications from existing open source libraries.

Counterpoint: China does modern business just fine.

Businesses will need to have a license and keep logs of such communication.

E2E encryption is? Or encryption in general? SSL is not E2E. The data isn’t encrypted at rest in most places.

I want E2E encryption as much as the next person, but we need to make sure we’re honest about its use cases

The only distinction there is Client/Server vs Peer/Peer, peer discovery is a thing, but other than that it's fundamentally the same problem with the same solution(s).

The world has a poor history on banning the application of math.

laughs in Mandarin

Well, I shouldn’t do that. Suffice to say, it’s simply a fact that China bans VPNs, and pretty much everyone goes along with it. People fear jail.

It’s hard (but not impossible) to imagine Europe and the US doing that. NordVPN is practically a household name, at least on YouTube.

President Pooh bans VPNs but pretty much everyone uses them and jumps over the great wall.

People just have a 'compliance' phone when authorities ask to rummage through it.

> People just have a 'compliance' phone when authorities ask to rummage through it.

Does this ever work? Depending on the jurisdiction, law enforcement authorities can easily get a warrant to enter your home and search through everything to ensure that they find all of your devices.

VPNs are not illegal in China and are part of doing business/daily life. China is authoritarian, but at least smart. They understand that the great firewall can reduce the free flow of information to a respectable degree and thus they implemented it. They also understand that going after VPNs is futile with the current technology.

Which is ironically self-defeating after multiple major security product breaches. Laws banning encryption or requiring backdoors as well as the practice of secret court warrants discourage fundamental investment in strong encryption products and standards.

Doesn't help if you don't control the ends of the end-to-end part. We don't control iOS nor Android on most devices.

In general this holds: There's no privacy on the internet.

Security researchers will always break into, reverse engineer, and scrutinize OS firmware and apps.

They’re not going to find every backdoor. But I’m sure their work serves as a deterrent to some degree. Vendors aren’t going to deploy backdoors unless some state actor forces them to, and even then chances are they’re caught and called out.

Security researchers will also happily sell their tools to law enforcement and other agencies. Companies like Cellebrite specialize in that.

In short, if you are being targeted (and, granted, the chance of that is pretty low), your data and communication is not secure. It's an economical question, not a technological question. (the FBI paid $1.3m in one case to get access to a phone).

If you care about it, switch to Librem 5 or Pinephone.

Neither of these can access the financial services provided by my bank nor the infrastructure provided by my city

This is worrying. I always thought about this since I have long-standing user experience with privacy-related stuff and the more you block, the less you can use. But being unable to access financial services or city infrastructure provided by your city makes me think that either these services are terrible or the privacy phones are breaking something. In which case I am most curious to find out what exactly they are breaking, and how are those things both essential and privacy related? - I'm unsure if my sentence makes sense, English is not my first language.

Removal of KEYGEN feature from Firefox and other browsers was a major mistake in this regard.

My bank(s) used password+client certificate, but now they have switched to proprietary mobile OTP apps. (also due to some directives). For some stuff, SMS codes are used.

Also, I've seen CAs simply deliver the .P12/.PFX file now instead of securely generating the key on the client and then signing it.

Seems like your government supports the duopoly, which you should fight against.

It mentions in the article that even apps like Signal would have to install backdoors that they can use.

Crypto is just about worthless without personal computing.

That can't happen with open-source, whether it's "free" or not.

While true, an adversarial government can pass new laws to restrict access or installation of software it deems dangerous. Politicians, uh, find a way.

Open source. That means that they'd have to either prevent the downloading of the source, prevent it compiling, or prevent running something that you compiled on your own box. Any of those three seems to be guaranteeing that Europe will not have any leading role in computers for the foreseeable future. Any of those three also seems almost impossible to enforce.

There's no way to build apps locally on most smartphones which are the majority of end user devices.

Open source practically died with personal computers.

When did personal computers die? Most desktops and laptops are fairly open and although Android phones are not as open you can build software on your laptop/desktop for usage on your phone.

You could also use something like Pinephone or Librem. You won't have access to a lot of Android tech, but the most important functionality (a web browser, sending SMS, email, making calls) all works.

I agree. Currently not many people use open source on their phones, but that could change, and things like F-Droid are ready to be used.

It wasn't that long ago that encryption was banned in France.


In the US, forcibly including certain code in your program would be a 1st amendment violation.

I can envision all sorts of workarounds to this constitutional issue. And, Congress does this sort of thing all the time.

Signal didn't publish the source for their server-side from 20 April 2020 to 6 April 2021 while they secretly added a cryptocurrency payment system. Open source is only open if the source is available (and yes -- if their end-to-end encryption system is working properly then even a notional malicious server would not be able to intercept message contents, but could of course provide metadata, and also you have no way of verifying that the app you install via whichever app store you install Signal from was built from any given source).

That's absolutely not true, since Google is now signing app distributions and can easily swap them out. Additionally, there's no guarantee that Signal is shipping the same code to the app stores.

The whole stack needs to be open source and user modifiable, though. Signal is open source, but if Apple is one day compelled to ban non-backdoored versions from the App Store, nobody can use it on an iPhone.

it can if you don't compile the source yourself, a la the app store

That's not how this works in practice

xkcd is just a comic - please don't make it a conversation killer.

Well, to revive this conversation.

States have access to "a monopoly of legitimate violence". We grant them that in order for them to be able to keep the peace, you know, law and order.

Everything else can be boiled down to this. No matter how many bits of encryption keys are used, someone with a chloroform infused rag and a wrench can visit any of us at any moment. And it's actually part of what we, collectively, as citizens, have granted as a power to the state.

I might be too influenced by Brazil, which I watched recently, but the monopoly on necessary violence is not without restrictions (which is why there is an outcry when the outer bands are pushed too far). Granted, the fact is that the bands are now hidden from public view only to resurface when a whistleblower lets the population know. Still, the basic principle remains. There are limits to the violence government can legitimately engage in.

> someone with a chloroform infused rag and a wrench can visit any of us at any moment

That's where engineering comes into play, maybe materials science to build suitable systems to defend against such physical attacks. And, you can't just ban engineering.

Unless I become Robert Johansson[0], my imagination and capacity for material engineering is not going to be enough to simultaneously have a life and protect against a single sufficiently motivated individual, let alone a nation state putting a lawful (by its standards) order against me.

I’m only even safe from nutcases because the nation collectively has enough experience dealing with people who think they know better.

[0] https://en.wikipedia.org/wiki/Dennis_E._Taylor

> someone with a chloroform infused rag and a wrench can visit any of us at any moment.

Phrased like this it sounds like you are implying that the legal system in any EU country has no power over goons with wrenches, and everybody is effectively living in a police state. Why even bother to pass laws around encryption?

To be precise, the article says that apps like Signal are to be the target of a follow-up regulation scheduled for coming September. It also emphasizes citizens' strong opposition to this prospect.

Fingers crossed, but is it enough? What can we do to prevent this sh*tload?

Seems like the same legal body that made these laws would outlaw that activity.

Yeah, but how sustainable is the EU really, in the long term? I’m still convinced it will either dissolve or devolve into a rump organization within my lifetime.

EU gets a lot of stick but deep below, the boring stuff keeps it together.

Brexit showed just the enormous depth of high quality glue keeping all remaining countries together.

So I don’t think the EU will be collapsing any time soon, certainly not for rational reasons.

Yeah, but how much of that boring stuff requires the full matter of what the EU has become? That’s why I could see a rump sticking around or getting folded into some other institutions, if full dissolution never quite happens.

Again, Brexit shows, imho, that you can’t have the boring stuff without the tight integration. There are no duties because taxes are harmonised. There are no import/export controls because norms are identical pan-EU.

The UK wanted to drop the tight integration and acceptance of common goals, but keep all the tax and trade benefits. But the logical hurdles turned out to be insurmountable. Want to sell fish tax-free? Well let us fish in your waters. Want to sell frictionless to our markets? Accept our standards. So what should the common ground be for digital services?

Initiatives like this, good or bad, represent the EU’s drive to combat big issues facing the world, and again need to be tackled for the EU to remain relevant; it can’t just stick to subsidising farming, that is so 1950s.

I spoke once to a senior economist (can’t remember the name sadly) who made a good point: EU is often compared to national governments, and looks sluggish by comparison. But the real comparisons would be to other enormous bureaucracies: US federal government, China, UN etc. And when you make this comparison, it is in fact quite favourable for the EU. Basically, scaling is hard, and the EU is not bad at it.

> Basically, scaling is hard, and the EU is not bad at it.

It's not scaling economically though, is it?

What makes you say that? Mass media, especially English speaking mass media, have been EU Pollyannas since its inception. It's bad for their status quo.

"Brexit shows, imho, that you can’t have the boring stuff without the tight integration"

This is definitely not true. There are tons of 0-tariff trade agreements in this world, and even those without border checks for commercial goods - all without political integration.

NAFTA/USMCA have been doing this for 35 years and it's very effective.

Brexit doesn't show 'how good the EU is'; it shows the opposite: that the UK, Switzerland and Norway get along quite well outside of the political body.

The EEC was entirely uncontentious - everyone wants some version of that. No arguments from anyone there.

But the argument that the 'Political Layer over the EEC, i.e. the EU, is necessary' might have some merit, but it's probably more complicated, and it might not even be true.

The real comparison is not between EU/US/China - but between the EU and a more comprehensive version of the EEC - i.e. some kind of 'deep trade integration' but without a political body, and without an ECJ with 'Legal Supremacy'.

This surveillance issue highlights one of those areas where I'm not so sure the EU would be perfectly ideal for supranational laws. Treaty-based regulation - for sure. But laws under ECJ Supremacy ... I'm not so sure. It's going to be interesting to see how this jibes with the German Basic Law and their de-facto opt-out over constitutional issues.

It's all stick, no carrot. Unsustainable.

The EU has a lot of carrot for countries like Poland or Lithuania. Even longer term members such as Belgium, etc, that don't have such history with the Soviets know they are better off being in the EU than splintered.

What is the 'carrot' for Spain, France, Italy that goes beyond what the EEC provided?

Why would a 'really great trade agreement' not provide 'most, if not all of the carrot' with respect to economic upsides?

Does the EU political apparatus and ECJ, i.e. beyond comprehensive trade agreements, provide carrots?

Well, one carrot for Spain was the assistance it received during the last financial crisis[0], and France probably likes being able to project its influence onto neighbouring countries through its position in the EU.

Less reductively, I think that a major benefit of a political union is that it gives some degree of democratic legitimacy to decisions made about difficult region-wide issues like trade policy, consumer protection, immigration, the environment, and anti-trust law, to name but a few.

All of those matters could in theory be settled via multi-lateral treaties, but they would probably be hard to reach flexible compromises over while still being overseen by representatives voted for by the public with a mandate for deciding on those supranational issues.

[0] https://en.wikipedia.org/wiki/European_debt_crisis#Spain

Those are not very good carrots.

Why bother with barely a veneer of legitimacy at the EU level which has a democratic deficit?

Why not have an EEC that casts flexible treaties over immigration, environment and anti-trust on an as-needed basis, with actual elected represented 'regular' national MPs dedicated to those issues at the European level? i.e. Boris would have 5 Cabinet Ministers for major European level issues and a European ministry?

That way have the benefits of some degree of coherence without the sovereignty problem.

So your solution to the "democratic deficit" of the EU is to give Boris more power? He already has, in practice, all the power of the unelected head of state at his disposal, plus the unelected House of Lords, based on a voting system which put him into power with 44% of the popular vote.

"He already has, in practice, all the power of the unelected head of state"

B.J. is an Elected Head of state. He won his mandate in a very clear and unambiguous election, the primary issues of which concerned not only his leadership and tenure, but also the pivotal issue of Brexit. The election had a very high participation rate, and the UK public was very well informed with respect to the stakes involved. B.J. doesn't have absolute power and both his party and opponent MPs can challenge his authority.

The EU meanwhile, has barely any democratic legitimacy.

The President of the Commission and members of the Cabinet - those that enact legislation - are unelected.

Ursula Von Der Leyen did not stand for election. She was plucked from obscurity by Macron and Merkel after the EU elections, in a closed, backroom deal in which voters had no effective influence. The protocols by which she was chosen are not codified; in fact, it was only recently agreed (Treaty of Lisbon) that elected MEPs should even have to be consulted.

Von Der Leyen was not introduced to the public before the election, she didn't go on a media circuit so as to be introduced to the public of various countries where people could learn about her or her platform. There were no editorials, there was no media vetting, there were no interviews, there was no pragmatic means by which voters could even learn about their would-be leader. She was imposed on EU voters, probably less than 2% of whom had even heard of her.

EU elections have very low rates of participation, EU voters have very low awareness of any of the material issues, MEPs have very little ability to influence legislation and very limited ability to censure leaders.

So yes, Boris Johnson (and Macron, and Merkel) have considerably more legitimacy than any members of the EU apparatus, and that might very well serve as a better basis for European citizens to influence the establishment of rules or laws via treaties as opposed to the very indirect democratic mechanisms of the EU.

> B.J. is an Elected Head of state.

Just so we're using the same terms, here, I think it is conventional to describe Johnson's role as "head of government".[0]

> members of the Cabinet - those that enact legislation - are unelected.

The Commissioners are appointed by the heads of government of the member states, exactly the process you suggested in your earlier comment. If you think that Boris would be limited to picking ministers who had actually gone to the trouble of winning an election, then you'll be surprised to read about the 19 unelected ministers that Boris has chosen.[1]

> Ursula Von Der Leyen did not stand for election.

While Boris did manage to win 25,351 votes in his constituency, and 92,153 in his leadership election, there is nothing preventing a UK prime minister from gaining power through a backroom deal, such as Theresa May's unopposed leadership "election" in 2016, or Brown taking over from Blair in 2007.

This is of course accepted since the PM must hold the confidence of the parliament, but the same is true of the Commission President, who must receive the approval of an absolute majority of MEPs.[2] In fact she (together with her Commission) was elected with 461 votes to 157.[3]

> She was imposed [on] EU voters, probably less than 2% of whom had even heard of her.

I agree that this is a failing of the process and the political culture of the EU.

> EU elections have very low rates of participation, EU voters have very low awareness of any of the material issues

That could be interpreted as meaning that a large proportion of EU citizens don't feel particularly affected by the EU's decisions, which would mean that the EU is (correctly) leaving national issues to national politicians (who then influence the decisions of the Commission through their appointed commissioner).

> MEPs have very little ability to influence legislation

Any influence the MEPs lack just means more power to the national governments who control their respective commissioners. I don't see how this process is any worse than having an unelected House of Lords which contains hereditary peers.

> and very limited ability to censure leaders.

MEPs have the power to call a Vote Of No Confidence in a Commission, which can lead to its dismissal. This came close to happening in 1997 during the BSE crisis.[4]

> So yes, Boris Johnson (and Macron, and Merkel) have considerably more legitimacy than any members of the EU apparatus

If by "any members of the EU apparatus" you mean "specifically Ursula Von Der Leyen" then you almost have a point. I would also be more convinced if you had limited the first part of your statement to just Merkel, as I believe that Germany's electoral system is more proportional than the UK's and doesn't have the "safe seats" problem of FPTP. (The two-rounds system that Macron was elected under has its own problems).

As a thought experiment, imagine that Biden had won the presidency with just 44% of the popular vote, and that win also granted him an effective super-majority in both houses of Congress (since the UK only requires a simple majority to force through constitutional changes). I can only imagine that scenario leading to civil war in the US, and yet this equivalent situation in the UK lets some people think they can throw stones at the EU's democratic character.

[0] https://en.wikipedia.org/wiki/List_of_current_heads_of_state...

[1] https://bylinetimes.com/2021/02/19/brexit-revives-the-power-...

[2] https://www.europarl.europa.eu/news/en/faq/8/how-are-the-com...

[3] https://www.europarl.europa.eu/news/en/press-room/20191121IP...

[4] https://www.politico.eu/article/meps-split-over-vote-of-no-c...


I’m not saying this is a good idea, only that it’s not on the brink of falling apart. And I reckon this is the last thing that would break it. Farming subsidies or carbon credits if anything. Again, the boring stuff.

Yeah, farming subsidies alone could keep the EU afloat for years - we simply can't get by without them.

Well, I'm assuming that's one of the things that total pervasive surveillance and control of communication is meant to address.

Seems like acting with that intent with this power is an easy way to accelerate the EU’s own dissolution.

The Warsaw Pact, the Cold War, the Iron Curtain across Europe and the Berlin Wall, as well as the communist surveillance States that still-living Europeans lived within and remember well enough, were not that long ago.

They probably make the argument to themselves that none of those people had anywhere near the amount of data they will have. I guess it remains to be seen how long an intelligence agency can hold a country together when they have access to a large portion of every private conversation between citizens.

From the article:

> The European Commission has already announced a follow-up regulation to make chat control mandatory for all email and messaging providers. Previously secure end-to-end encrypted messenger services such as Whatsapp or Signal would be forced to install a backdoor.

I don't think that's true. Most people use Facebook Messenger or WhatsApp; privacy isn't really a selling point for the majority of people. "I've nothing to hide" is the common response.

Whatsapp is end to end encrypted.

The backups aren't. Same with iMessage. end-to-end has become a marketing buzzword, any large scale deployment gets backdoored (via either key or plaintext escrow) at the endpoints, to FISA/PRISM providers who have to turn it over to the state without a warrant.

China has the same setup with providers in their country.

WhatsApp and iMessage simply aren't private when the providers get ~100% of the plaintext transiting the service within 24 hours (immediately in the case of iMessage, as thanks to "Messages in iCloud" (cross-device sync) being on by default, the MIC sync key is escrowed to Apple in a non-e2e backup, permitting them to decrypt the sync traffic in realtime).

Truly private, easily accessible, society-wide private communications are a threat to sovereignty, and governments know this, which is why even Europe (leading the way on individual privacy and rights on this planet, in general) is reluctant to permit it. Same goes for truly censorship-resistant, easily accessible payment systems. They allow you to coordinate (private/uncensorable messaging) and pay for (uncensorable payments) an army outside of state prerogatives, in theory.

> [...] as thanks to "Messages in iCloud" (cross-device sync) being on by default [...]

Messages in iCloud is off by default AFAIK.

It's not, but in the case of Messages in iCloud being off, the actual plaintext of the iMessages themselves is included in the (non-e2e) iCloud Backup (which I am 100% positive is on by default).

In the case of MIC being on, then the MIC sync key is included in the (again, non-e2e) iCloud Backup.

MIC on = MIC sync key escrow via iCloud Backup (realtime iMessage content decrypt)

MIC off = iMessage plaintext escrow via iCloud backup (nightly)


Before you mention "but you can turn off iCloud Backup!": these default settings affect all of your conversation partners, too, so even if you disable iCloud Backup, it's likely that your messages are still getting escrowed from the devices of the people you talk to.

For the purposes of an EU law requiring Facebook to scan messages, Facebook can’t scan iCloud backups.

Any law that the EU can apply to Facebook to scan messages readable by Facebook that transit Facebook's service, the EU can apply to Apple to scan messages readable by Apple that transit Apple's service.

Would Apple/Google be able to comb through that data though? WhatsApp backups are not e2e encrypted, but they're still encrypted with a key generated by Facebook the moment you log in to your account, and probably refreshed periodically. Technically, Facebook would be the only one capable of turning the encrypted backup into plaintext, so if Google wanted to do something with your messages backup it would have to knock at Facebook's door first.

This kind of cooperation is definitely illegal at this moment and I'm not sure future legislation will require services to set up persistent encryption key exchange among services so that a backup file that is supposed to be encrypted on a cloud storage can be continually scanned for harmful/unlawful content by another service. If the EU or any government wanted to set up such a kind of monitoring, they will require these services to adapt in a way that these kinds of gimmicks with backups and encryption keys are not needed.

The metadata hosted on Facebook's servers is worth more than the actual content.

People keep repeating this trope about metadata being worth more than content. Where does this come from?

I can understand that metadata is valuable -- of course it is. You can learn a lot from metadata. But more valuable than the actual content? Give me a break.

Something can be bad without being literally the worst thing ever. Pointless exaggeration like this does nothing for the cause of privacy.

I think it's important to consider scale when discussing metadata vs raw content

Getting high precision is difficult when done on "all content", especially considering the multitude of languages and dialects in Europe. At a certain point, more data does not result in better output, sometimes it's actually detrimental

The patterns that arise from metadata are much more generalisable and there's less of it, so it's easier to search through

Metadata, interestingly, lets you hone in on what you want to inspect full content on. It's definitely an upgrade.

The article is a bit older, but metadata analytics can be used to "unveil" the key conspirators that led to what we today know as the "American Revolution"[1] - please note how little data they use to find out who calls the shots, and whom you might want to disappear if you wanted to keep the colonies closely aligned with George III.

Widespread enough, this can be used to find dissidents today, suppressing ethically legitimate uprisings against injustice.

[1] https://blog.wolfram.com/2017/06/29/analyzing-social-network...

Metadata is highly structured, standardized, and easily understandable by machines. Content is not.

Because processing is easier for metadata but analysis of it can answer many questions.

Direct communication is only interesting for direct surveillance.

If I hand something in plaintext to another private party, I already assumed they are legally within their rights to read it. It's on me to encrypt if I don't want it read.

You think Europe will allow end-to-end for much longer?

Yes. Saying otherwise is hyperbolic. The European Commission uses and recommends Signal themselves.


Hypocrisy is not something our governments are immune from, and the words of commissioner Johansson are not encouraging:

> She wants tech companies to face mandatory detecting and reporting obligations

> “The problem is that many of these communications are now being end-to-end encrypted,” she said, whereby only the users exchanging messages have access to the content.

> While encryption is "really important," she said, "we don't want pedophiles to be able to do whatever they want, to not be seen, we have to protect [children] so this is not an easy challenge to tackle.”


As long as politicians pretend that you can have both I'll assume they are either disingenuous or ignorant and I won't be at ease.

That only means that the EU is confident it can break Signal's encryption if the need arises.

Which, of course, is actually an argument AGAINST using Signal.

In recent months they also promised to strengthen law and access to privacy and anonymity, make it a human right. Talk is cheap.

> ...has already announced a follow-up regulation to make chat control mandatory for all email and messaging providers. Previously secure end-to-end encrypted messenger services such as Whatsapp or Signal would be forced to install a backdoor.

It's easy to recommend "end-to-end" when you're about to force a backdoor into it.

> It's easy to recommend "end-to-end" when you're about to force a backdoor into it.

I'm not surprised that HN readers think politicians are all so dumb that they recommend their own staff use Signal and then recommend to break Signal. This kind of news pops up all the time and in almost all instances it turns out it isn't what is actually happening. Discussing it on HN -especially when it is the EU, Russia or China- is a complete waste of time as almost every single comment is low effort or trolling. We all know that the EU won't have backdoored Signal any more today than the next ten times this gets discussed on HN. It's all smoke and mirrors.

> We all know that the EU won't have backdoored Signal any more today than the next ten times this gets discussed on HN. It's all smoke and mirrors.

How can you say that when it's not only the stated goal, but they have been making real progress towards it?

Real progress would be something that can force Moxie Marlinspike, who lives in the US, to introduce a backdoor.

They can't easily shut the service down without risking a lot of unwanted public attention. When "why can't I message grandma" is answered with "here's the list of politicians that caused that because they want to spy on your messages", those politicians will have a bad time. I think Signal is popular enough in Europe to be protected by this.

Isn't the EU fighting against encryption as well?

I am proud to live in a country that is not doing this. Openly. Yet. At least now they have to build a parallel construction to prosecute you for whatever they find, which takes some effort. Yay team.

Sounds like the US when you mention parallel construction but since the laws are way way worse than this one in the states I'm guessing it is somewhere else?

Would any email provider protect me from this, get my emails actually delivered and ideally work with my own domain? Not that I see myself switching after 15 years and 6 Gmail accounts but if I am to I'd rather know who I'd use.

And no I won't risk setting it up myself and risk missing on some portion of my emails like I've had happen at workplaces before we'd sigh and switch to Google.

For Chat tg/signal seem like they would but I am less sure what the best option is for email.

The problem with email is that it’s federated; any email is as secure as the least secure mail server it’s being sent from or to. Even if you use something super duper secure in a polity that respects privacy, it does you no good if you send an email to Gmail who immediately hands it over to one or more government bodies.

There is an obvious solution, do not send emails to gmail addresses.

... or to domains that use gmail.

Possible to find out using dig but not as simple as avoiding gmail addresses.

Only if the domain uses google's MX as the public facing MX. If it delivers to an intermediate MX for filtering or archiving or ??? and then redelivers to google, it's not visible.

Of course, if you don't set the public MX to google, blackberry phones won't use the right SMTP for outgoing mail, and then mail will fail DMARC, because you can't actually configure the SMTP server anyway. Hope they fixed that in BB10, before they stopped selling phones.

> If it delivers to an intermediate MX for filtering or archiving or ??? and then redelivers to google, it's not visible.

That is a) a very odd and theoretical setup b) probably would cause Google's MX to reject most messages for SPF failures

You don’t even need MX trickery to make this an issue; how many people who moved over to Gmail set up forwarding rules from their old email address to Gmail? You’d never be able to tell from the outside that your messages are going to an unsafe location.

This is not theoretical, if you've got say support@example.com that goes to your support queue, and employee@example.com that goes to your employee, and you want employee email on G Suite, your options are:

a) have your own MX that handles support mail and forwards employee mail to Google MX; G Suite provides a not exactly public domain you can forward to and you can whitelist your forwarder(s) IPs so Google uses the received headers for spam checking and SPF checks. If you don't set up the whitelist properly, a lot of mail will bounce or get flagged, yeah; but Google isn't dumb, they detect mail forwarding IPs with good behavior and will eventually semi-whitelist them without intervention.

b) The opposite way, where google is public MX and then delivers either specific addresses or unhandled wildcards to your MX to manage the support queue. (Or you might also forward it to a third party).

c) some people use third party email archival services (for example, ProofPoint) or virus scanning that shows as the public MX, and then forwards to some other MX for actual delivery

> a very odd and theoretical setup

Nope, I use https://mxguarddog.com/ for one of my domains. That acts as a spam filter, but also hides the ultimate MX host.
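The MX check discussed in this subthread, as an added example that is not part of any comment: it classifies `dig +short MX` and `dig +short TXT` output and shows why a filtering MX in front of Google, or plain forwarding, leaves little or nothing to detect from the outside. The DNS answers and the `example.*` names are constructed samples, and the provider suffix list is an assumption that is not exhaustive.

```python
import re

# Assumption: MX hosts under these suffixes are operated by Google
# (Gmail / Google Workspace). Not an exhaustive list.
GOOGLE_MX_SUFFIXES = ("google.com", "googlemail.com")
# SPF include Google documents for domains that send through its servers.
GOOGLE_SPF_INCLUDE = "include:_spf.google.com"


def parse_mx(dig_output):
    """Parse `dig +short MX` lines ('10 host.') into sorted (pref, host)."""
    records = []
    for line in dig_output.splitlines():
        m = re.fullmatch(r"\s*(\d+)\s+(\S+?)\.?\s*", line)
        if m and m.group(2) != ".":          # "0 ." is a null MX (RFC 7505)
            records.append((int(m.group(1)), m.group(2).lower()))
    return sorted(records)


def is_google_host(host):
    return any(host == s or host.endswith("." + s) for s in GOOGLE_MX_SUFFIXES)


def spf_mentions_google(txt_output):
    """True if an SPF record in `dig +short TXT` output includes Google."""
    for line in txt_output.splitlines():
        record = line.strip().replace('" "', "").strip('"').lower()
        if record.startswith("v=spf1") and GOOGLE_SPF_INCLUDE in record.split():
            return True
    return False


def classify(mx_output, txt_output=""):
    """Return what DNS alone reveals about where a domain's mail lands.

    google-mx     every public MX is a Google host
    mixed-mx      some MX hosts are Google, some are not
    google-hinted no Google MX, but SPF authorises Google to send for the
                  domain (outbound only: a hint, not proof of delivery)
    not-visible   nothing points at Google; an intermediate MX or a
                  mailbox-level forward would look exactly the same
    no-mx         no usable MX records
    """
    mx = parse_mx(mx_output)
    if not mx:
        return "no-mx"
    google = [host for _, host in mx if is_google_host(host)]
    if len(google) == len(mx):
        return "google-mx"
    if google:
        return "mixed-mx"
    return "google-hinted" if spf_mentions_google(txt_output) else "not-visible"


# Constructed sample answers, as `dig +short MX|TXT <domain>` would print them.
DIRECT_MX = "1 aspmx.l.google.com.\n5 alt1.aspmx.l.google.com.\n"
FILTER_MX = "10 mx1.filter.example.net.\n20 mx2.filter.example.net.\n"
FILTER_TXT = '"v=spf1 include:_spf.google.com ~all"\n'
SELF_MX = "10 mail.example.org.\n"
SELF_TXT = '"v=spf1 mx -all"\n'

if __name__ == "__main__":
    print(classify(DIRECT_MX))               # public MX is Google
    print(classify(FILTER_MX, FILTER_TXT))   # filter in front, SPF leaks a hint
    print(classify(SELF_MX, SELF_TXT))       # forwarding would be invisible
```

A `not-visible` result is not evidence that mail stays off Google: the forwarding-rule case raised in the thread produces the same DNS answers as a genuinely self-hosted mailbox.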

You can give out this advice, very few people will follow it. Given the choice between giving up some privacy and the convenience of sending an email to a friend or colleague using gmail, the vast majority of people will choose the latter. Meaningful improvements to privacy must come with negligible convenience tradeoffs if you want people to actually adopt them.

If you want your email reliably encrypted, encrypt it yourself. GPG works the same regardless of the provider.

Only if you assume that the only valuable thing in your communications is the content, which is simply not true. Metadata, who is speaking to whom and when, is incredibly valuable as a surveillance tool.

and I guess that using GPG will instantly flag you as suspect :-(

Please do it. The more "suspects" there are, the better for everyone.

Would Switzerland need to comply with this regulation? Thinking of e.g. ProtonMail for their EU customers.

I don't think they're a part of the EU. Don't quote me on that though.

> For Chat tg/signal seem like they would but I am less sure what the best option is for email.

Something that doesn't store the chats in a decryptable form on their servers is probably preferable. So Telegram out and Signal, Threema or WhatsApp in.

Friendly reminder that WhatsApp is far out: it uploads all data unencrypted to at least one cloud if one of the participants has backups enabled.

So Signal, Matrix or possibly Threema (I don't know it) is in.

Personally though, I use Telegram and I drive an ordinary car, not an armored one.

No matter which chat service you use, any recipient could potentially upload the unencrypted data to a cloud backup service. If you don't trust the intended recipients with the data then you shouldn't share it with them in the first place.

Have my upvote.

This is a great - and often forgotten I think - point.

I guess my point is that in WhatsApp it is so easy to stumble into doing it, and that it sends it directly to the cloud.

For clarification: I'm certainly annoyed at Google for a number of reasons, but I don't think their security record is worse than everyone else's. Quite the contrary.

Telegram supports E2E encrypted secret chats.


Which no one uses. Even Facebook Messenger supports "secret chats". Telegram is not secure.

I don't know what kind of usage numbers their secret chats have, but if that's the case maybe that's a sign most people prefer the convenience of non E2E chats to the security of E2E? And if someone is just a tiny bit interested and motivated the secret chats are there if they want them.

In fact, I'd argue that it's better to use encrypted chats in a common chat client than having to explain why you use a specific encrypted client if you ever find yourself in a situation where that's necessary, like a border crossing or police interaction.

Except on desktop and on GNU/Linux phones.

A bit of self-promotion, why not: also Collaborative Groups in :-P

Can this be true?

I'm having a hard time understanding how they can stand for internet privacy and legal mass surveillance simultaneously.

A decade ago I watched a documentary about MEP explaining how it happens that crappy law is made in EU. MEPs are too busy to read and understand what they are voting for or against. Law they are discussing often has 100s of pages, a few of such per day. One of the "ACTA" branded regulations was 800+ pages and the document changed daily. MEPs have armies of secretaries and interns who are supposed to filter the important content and feed it to MEPs directly. In the meantime MEPs have meetings with lobbying groups and have their regular duties. They usually vote for what their group is voting for, or, lobbyists.

I've seen a similar documentary a while ago, where it became apparent that some MEPs are so busy that lobbyist groups completely wrote their proposal documents and deposited them at their office to have them 'go with the flow' without any scrutiny whatsoever. Though officially all is legal, it strongly reeked of corruption, especially with some MEPs doing that very frequently.

As a reminder of what the EU has done previously: https://en.wikipedia.org/wiki/Data_Retention_Directive

>According to the Data Retention Directive, EU member states had to store citizens' telecommunications data for a minimum of six months and at most twenty-four months.

And they knew that this was illegal. They did it anyway. Same political body that now talks about protecting privacy.

> In September 2005, during the United Kingdom's presidency of the European Council, a plenary session was held concerning the retention of telecommunications data, chaired by the UK's Home Secretary.

Maybe the values of British society really are different from those of the rest of Europe... Anyway, there should be less of a push within the EU for introducing these illegal directives now.

You're not wrong about that. The UK has tried this again just for Britain, but the EHCR denied them.

It's the "it's OK when we do it" rationale

They are for privacy against everyone else, not against themselves.

Because politicians want to look tough on child abuse.

Really? Child abuse stats are dropping like a stone. It's getting so bad that truly ridiculous things are being treated as child abuse, like for example a not-quite-divorce. Not "a bad divorce". Not "parents fighting".

Not divorced. Separated (meaning living apart for whatever reason, without getting legally divorced). I'd say for what time period, but there is literally no time period given. When kids are asked any time period is taken.

Siblings ... insulting each other ... is now child abuse. Seriously.

Serious medical problems of any caretaker figure ... is child abuse. WITHOUT any further qualification.

And of course, government facilities, whether homeless, or at this point even any hospital, all constitute child abuse. This is apparently not a problem, only parents are problematic ...


Meanwhile, of course, the reputation of services attempting to address child abuse is atrocious. Violence is a constant everywhere in youth services in pretty much all countries. Both violence by youth services personnel, violence among kids within youth services, violence outside of youth services itself, but directly related (e.g. the police forcibly moving foster kids, or the reverse, drug couriers or prostitution rings "recruiting" in youth services, often with help from officials and/or caretakers)

And we all know their reputations when it comes to raising successful kids:


Child abuse, itself, is dying. Less and less convictions, every year again. But there is ever more interference in the life of children by the government, with demonstrated atrocious results. And they want to be tough on child abuse? This will destroy far more kids' lives than it will save ...

As with terrorism, if the bad thing is happening more, the government says "We need more power to stop this!", and if the bad thing is happening less, the government says "Look at what we've achieved with these powers! Obviously they are working, so give us more!".

There's no contradiction if you take the privacy part as what it is: marketing BS. It's not something the EU would ever actually defend or protect on principle. Any appearance to the contrary is coincidental, like the GDPR.
