So, this is basically legislation that supposedly legally requires web browsers to include government root certificates. Classy.
How does this even work with open source software? If I distribute a patchset to Firefox to make it not trust the government certificates, would I be breaking the law? The implications of this sort of law seem to me to run quite a bit deeper than just "oh no MITM bad".
No. Just like with TLS, those websites will not work.
Government surveillance, just like Google, Microsoft, Apple, Cloudflare, etc. surveillance, is not good. But for me, whether it's Google who sells (or gives) data to the government or it is directly the government who takes it makes no difference. I am still screwed. Certificates issued by governments can be good for a variety of reasons (ID, passport). But as it looks now, it is Stalin's and Dulles' wet dream.
There is a substantial difference between direct and indirect surveillance. The government cannot imprison you if you prevent a company whom the government is siphoning data from from spying on you. But if you try to shield yourself from the government’s direct surveillance, you may suffer consequences in the future as the laws evolve.
Take Sweden for example. First the politicians legislated that ISPs are forced to provide data to the government about its users. Then when some ISPs like Bahnhof started advertising that they don’t save logs, shortly after it became a legal obligation to do so. If ISPs don’t comply, they could be criminally charged under the law.
EU countries generally aren't authoritarian regimes, and it's easier to argue that it wouldn't be as likely to be abused in the EU. The countries also have legislation and other controls to curb abuses of powers granted to the authorities. It may not be 100% but it's different than in an authoritarian regime where curtailing dissent seems like an obvious goal, not just a potential and somewhat unlikely side effect.
With that said, it still always seems shortsighted to me to abandon fundamental principles for circumstantial or narrow gains.
My point is, if the EU normalizes this behaviour, other countries will find it easier to propagate the idea to gullible masses that this is something necessary or important, and give the EU as the shining example of "why would the EU do it unless they have good reason?" and other BS.
Unless there are consequences for politicians who push these kinds of laws, we will remain in a perpetual cat and mouse game. I fear that eventually these things do get passed if these tyrants are persistent enough. Do we have a list of names and connections so that we know who is working to undermine our security?
This is more than just about security - this is about the basic freedom of users choosing what kind of software they wish to run, and who they wish to trust. Looking at it from the point of view of "merely" enabling state-sponsored MITM greatly understates how severely this legislation infringes personal autonomy.