Earn-IT threatens encryption and therefore user freedom (fsf.org)
990 points by lelf on March 11, 2022 | 201 comments



I feel like they missed the primary point which is that E2E encryption is the primary thing protecting everyone from hackers/criminals/other-governments. Without it the criminals WILL have access to your systems and data and then you can basically say goodbye to anything being valuable at all.

Locking your door at night is a poor metaphor. A criminal can literally infiltrate and search through every unsecured computer connected to the internet in a matter of minutes and using almost no resources and with little risk. This drastically diverges from physical assets.

Making encryption illegal will ensure that only criminals use it, thus making only criminals safe online.


>Locking your door at night is a poor metaphor.

It is a poor metaphor because locks prevent invasion not enable privacy.

Banning encryption is such an attack on privacy that it's closer to banning clothes and easing concerns by making looking at naked people illegal.

Encryption is the fundamental unit of network privacy.


> Banning encryption is such an attack on privacy that it's closer to banning clothes and easing concerns by making looking at naked people illegal.

This is completely missing the point of why one needs privacy. Lack of it harms journalism and activism, making the government too powerful and not accountable. If only activists and journalists will try to have the privacy, it will be much easier to target them. Everyone should have privacy to protect them. It’s sort of like freedom of speech is necessary not just for journalists, but for everyone, even if you have nothing to say.


The right to privacy, and protections against unreasonable search and seizure are enshrined in the U.S. Constitution after all!


Yes, and the government has created convenient carve outs for itself. For example in Carroll v. United States, the judicial branch surrendered its authority to authorize searches to the executive branch. For searches of your vehicle, all the police need is probable cause. The police, of course, determine if they have probable cause. So this makes the 4th amendment irrelevant in these circumstances.

Throughout US history, there is a march towards ignoring citizens' rights, through political, judicial, and bureaucratic maneuvering. The constitution is a piece of paper. There are people whose full time job is to separate your understanding of your rights from what is written in that document. When they’re clever enough, they will allow state violence to be imposed on you with no repercussions.


> For example in Carroll v. United States, the judicial branch surrendered its authority to authorize searches to the executive branch.

The judicial branch can choose not to enforce the Constitution, contrary to its duty and purpose, but what they can't do—what no branch of the government can do without amending the Constitution—is legally authorize any agent of the government to perform a search or seize property (i.e. issue a warrant—whether they use that term or not) without "probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." The text is perfectly clear and permits no exceptions or "carve outs". I doubt the intent was for the police to issue their own warrants, but even if the judiciary grants them that power they still have to fulfill the requirements.

Of course if you're just saying that what they can get away with in practice and what the Constitution actually allows are two different things, I agree. There are rights, constitutional and otherwise—and then there is power. Every time they do this, however, it undermines whatever legitimacy or respect they might have otherwise had. Any thug can steal your stuff or invade your privacy and have a chance at getting away with it. To the extent a government wants its actions to be seen as legitimate it can't afford to ignore that "piece of paper" it was founded on.

> The police, of course, determine if they have probable cause.

What counts as "probable cause" is indeed the weakest part of the 4th Amendment. At the very least, if a given "cause" does not lead to the target's conviction in a majority of cases, of a crime sufficient to justify the search, then you cannot reasonably consider it "probable". Unfortunately that can only be observed in retrospect. It would have been better to require full compensation to the victim for any search or seizure which does not lead to their conviction, ensuring that the incentives are properly aligned.


> The police, of course, determine if they have probable cause. So this makes the 4th amendment irrelevant in these circumstances.

Can't you go to the court if you disagree that they had a probable cause?


If you're rich or can afford the months of devoting your life to that, yes.


Unreasonable search and seizure is written out explicitly but privacy is not.


If you want to stick with the house metaphor, then curtains, blinds, fences and doors would fit the comparison.


I considered writing that it's more like building your house out of glass.

The important point I'm trying to convey is that banning encryption is so extreme that it makes invasion of privacy something that someone can accidentally do. You have to try not to look, similar to if a person was nude in front of you against their will.


Just ban walls in washrooms.

You have nothing to hide there, do you, citizen?


I think that's a pretty good metaphor. I have been stuck on the parallels between locks and encryption for a while. This kinda cleared that up.


You can't have security without privacy.


The FSF isn't the EFF. The FSF is supposed to advocate why the stupid law is an affront to user freedom and the EFF is meant to be advocating why the stupid law makes people vulnerable to criminals.

The FSF has a complicated and niche advocacy position, they should stay focused. If they don't advocate software user freedom, nobody will. In this case, there are already lots of people against encryption restrictions.


Seems to me that banning encryption would thoroughly limit software freedoms. I.e., can't use anything secure, thus can't freely choose your toolset.


That is probably why the FSF has published an article with the title "EARN-IT threatens encryption and therefore user freedom".

But the point that the FSF needs to focus on is that EARN-IT is bad because it limits user freedom. The fact that users may choose to use that freedom to protect themselves from criminals isn't the issue. There might be an obvious and compelling reason users need freedom or there might not be. The FSF doesn't need to care and should be against the bill regardless.

Much like how the FSF doesn't care about whether the GPL is economic or not - they think software projects should all be licensed under it (or an equivalently free license). The point isn't whether freedom is good or necessary. That is taken as a priori truth. The point the FSF advocates is whether users have it.



> Without it the criminals WILL have access to your systems and data

Replacing criminals and state overreach with foreign adversaries may be more salient.

Our encryption debate came of age after the Cold War. The boogeymen of that era have been surpassed. We have new ones, and they're more sinister than thieves and more tangible than your government turning on you.


> Replacing criminals and state overreach with foreign adversaries may be more salient.

For you and me, certainly. For the members of Congress you need to convince of this? They ARE the state. Outside of a few ideological libertarians, protecting the people from the state is not on their agenda.


> For the members of Congress you need to convince of this? They ARE the state

We agree in a limited sense. (There are lots of politicians who genuinely believe in curtailing state power.)

Arguments about state overreach won’t convince a power-hungry vote chaser. Talk about foreign adversaries will.


What's lots, and how much does it cost to change their opinion?


How much do they want to be friends with the 3-letter agencies affected by their decisions?


Those would be the same ones demanding christian based laws?


> Replacing criminals and state overreach with foreign adversaries may be more salient.

Or if you're in the US, depending on your audience, Donald Trump or Joe Biden.


On what occasion have any of these new cyberattacking boogeymen-on-steroids done anything to anyone?

I'm going to continue to worry about criminal fraud and my own government, rather than ghosts with foreign names.


> what occasion have any of these new cyberattacking boogeymen-on-steroids done anything to anyone?

One of them is invading its neighbor.

> I'm going to continue to worry about criminal fraud and my own government

That's fine and these are things to worry about. But if the argument wants staying power, it needs to be adaptable.


Uh, Colonial Pipeline? HSE Ireland? Stuxnet?

Take your pick, it isn't like there's a shortage!


The sheer amount of Chinese and Russian IPs showing up in my SSH logs indicates the answer is 'plenty'.


Our security doesn't matter to them, the only security they value is their security from the rest of us. This bill grants them just that.


Completely agree. Encryption is subversive. It has the power to defeat governments, judges, armies. They can't tolerate mere citizens being in possession of such technology. They are tempted by the complete visibility and control afforded by the digital world of the 21st century, but encryption is already denying them information and they can't stand it.


Which is strange because our security is their security. If we don't have security then we are more vulnerable to foreign influences. We are more vulnerable to foreign attacks. You can't have your cake and eat it too. Either everyone has security or no one does, including politicians and elites.


I don’t know if that’s entirely true. There are politicians against the second amendment but yet they have armed security guards.


You underestimate the unrelenting desire of people in power to have their cake and eat it too.


> Making crypto illegal will ensure that only criminals have the ability to use it.

The right to bear digital arms.


This is an interesting angle I'd not heard before, as cryptography had at least at some point been classified as munitions (maybe still is, I haven't been watching that).

"Okay, in that case, the constitution says you can't infringe my right to it."

Although I would fear going down that path would lead to them saying, "Well, we already infringe on access to certain kinds of munitions, so you can still have encryption, but only the stuff we have a backdoor to." which has been on the agenda before.


Interesting bit of history, PGP was publicly released by Phil Zimmermann. The US government went after him with criminal charges for violating munitions export laws.

He won because he published his source code in a printed book, and was able to effectively argue that his act was protected under the first amendment right to free speech.

https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_i...


The munitions angle for cryptography didn't prevent us from having it, but it did prevent us from EXPORTING it globally. At least if I remember the debate correctly.


We already have it. The first amendment.

> Congress shall make no law...abridging the freedom of speech...

Cryptographic communication is speech.


This makes me wonder how one would even prove that something were encrypted.

Do encrypted files/data universally follow any sort of pattern? If not, then how would they be discernible from transmitting random bits? Will that be illegal, too?

Note that I'm not talking about any specific existing encryption algorithms or protocols. I am positing that someone could devise a new one that outputs data that is indistinguishable from noise (without breaking the cipher/keys).
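An added illustration of the question above (not part of any commenter's post): byte-level statistics cannot tell ciphertext from random data, while the framing that real formats wrap around it (such as the OpenPGP ASCII-armor header) can be matched directly. The keystream construction, sample data and thresholds are constructed for this sketch; the SHA-256 counter keystream is a stand-in for illustration, not a vetted cipher.

```python
import base64
import hashlib
import math
import os
from collections import Counter

PGP_ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 d.o.f.)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def toy_stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream (illustration only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        keystream = hashlib.sha256(key + nonce + counter).digest()
        out.extend(p ^ k for p, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def classify(data: bytes) -> str:
    """Label a blob using only what an outside observer can measure."""
    if data.startswith(PGP_ARMOR_HEADER):
        return "framed"  # identified by format metadata, not by statistics
    # Assumed thresholds for samples of roughly 64 KiB: uniform bytes score
    # about 7.997 bits/byte and a chi-square near 255.
    if shannon_entropy(data) > 7.9 and chi_square(data) < 400.0:
        return "random-looking"
    return "structured"


def build_samples() -> dict:
    """Constructed sample data: plaintext, ciphertext, noise, armored blob."""
    sentence = b"Encryption is the fundamental unit of network privacy. "
    plaintext = (sentence * 1200)[:65536]
    key, nonce = b"k" * 32, b"n" * 12  # constructed values
    ciphertext = toy_stream_xor(key, nonce, plaintext)
    armored = PGP_ARMOR_HEADER + b"\n\n" + base64.b64encode(ciphertext)
    return {
        "plaintext": plaintext,
        "ciphertext": ciphertext,
        "noise": os.urandom(65536),
        "armored": armored,
        "key": key,
        "nonce": nonce,
    }


if __name__ == "__main__":
    samples = build_samples()
    for name in ("plaintext", "ciphertext", "noise", "armored"):
        blob = samples[name]
        print(f"{name:10s} entropy={shannon_entropy(blob):.3f} "
              f"chi2={chi_square(blob):9.1f} -> {classify(blob)}")
```

The ciphertext and the noise receive the same label; only the armored sample is recognisable, and only because of its header.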


You could encode encrypted data in cat pictures and post them on Instagram.

It's likely completely impossible to actually ban encryption in a world overwhelmed with information flow.

Therefore, an encryption ban will only affect law-abiding citizens and will give criminals a massively asymmetric weapon of power and influence.


That and I think it is pretty safe to say that the reasons most constitutions specifically prohibit governments to access these kinds of private correspondence are quite obvious too.


> I feel like they missed the primary point which is that E2E encryption is the primary thing protecting everyone from hackers/criminals/other-governments.

Implementing a backdoor securely which only allows some government agencies to snoop in the decrypted data could technically be possible but I never happened to see a secure implementation of such a scheme – probably every cryptographer of name would refrain from contributing to insecurity.

So, IF a backdoor would be implemented securely, that would increase the power of the current government over all the people, including the opposition. If the US would go ahead with such legislation, countries like Hungary and Poland would follow soon, in which the new tool would be welcomed to suppress opinions diverging from the government's ideology, undermining freedom of speech further and increasing the "chilling effect".

In the meantime, terrorists (etc.) would switch to steganography and add an undetectable layer of encryption on top.


I am starting to wonder if this bill is why CNN published an article on FB allowing some violence posts, but not others riling up people like me, who likes rules applied consistently and without favoritism.


You are right, in fact EARN-IT is very good for criminals


Missing the point is part of their strategy in passing this. They don't make these decisions without input from people who actually understand these things. They will play the tech illiterate boomer as part of the strategy. They're creating "rules for thee not for me". They will selectively choose who can and can't use things they see as a threat to their hegemony.


In that case everyone should become a criminal.


>In that case everyone should become a criminal.

While it is somewhat hyperbolic, "Three Felonies a Day"[0][1] seems relevant here.

[0] https://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp...

[1] https://www.c-span.org/video/?289272-1/three-felonies-day


In my opinion it's the duty of an enlightened citizen to break unjust laws. Civil disobedience is the only thing that will right a wrong like that.


>In my opinion it's the duty of an enlightened citizen to break unjust laws. Civil disobedience is the only thing that will right a wrong like that.

You won't get an argument about that from me. I was merely pointing out that the legal landscape is already filled with land mines.

Which is why (among other things) you should never talk to the police[0].

[0] https://www.youtube.com/watch?v=hpUx-WFXT9k


"Making encryption illegal will ensure that only criminals use it, thus making only criminals safe online."

Uptown NYC has a tragically similar problem with firearms.


"Making dealing drugs illegal will ensure that only criminals can profit off dealing drugs, thus making only criminals rich."

We can play this game all day with many forms of abolition for any good or service that has a relatively inelastic demand and/or is impossible to effectively enforce.


Ok, let's do that. "War on Drugs" has been disastrous.


100% agree.


Wrote to Dianne Feinstein of CA about being against Earn-IT act and got a letter back about how Earn IT act would prevent child sexual abuse material online. Sigh.

As disappointed as I was in the response, I'm glad that EFF makes it really easy to reach out to reps. Took me less than a minute to send out my stance against the Earn IT act to my representatives https://act.eff.org/action/stop-the-earn-it-act-to-save-our-....


This is a ctrl-C ctrl-V of my own previous commentary:

I'm working on the wording of this that I intend to use in any such discussion of fake attempts at "think of the children":

Whenever a politician invokes "think of the children", ask them about their funding of Child Protection Services.

Any political action that's said to be under the umbrella of "think of the children" that doesn't provide massive amounts of additional funding into Child Protection Services (boots on the ground, education programs, etc), is hiding something, and actively working against helping children because it's distracting from the actual efforts that Child Protection Services are providing as well as spending money on entirely "something else".


I'll go one further: I have child porn of myself online and I don't support the Earn-IT Act. Then again, having my online presence wiped out after 7.5 years at the age of 12 when COPPA went into effect made me really cynical.

As did the fact that nobody listened to the few of us who were children online back then. It's always based on these weird, interesting hypotheticals.

(This isn't to minimize child abuse or trafficking, of course.)

Edit: Also I'll say as someone who's been online for almost 30 years (age 4 to now almost 34) that the harassment and sexual abuse I received/was subject to were at their highest levels from the ages of 14 to 25.


> Wrote to Dianne Feinstein of CA about being against Earn-IT act and got a letter back about how Earn IT act would prevent child sexual abuse material online. Sigh.

This is a decades-old response, along with terrorists, drug dealers, and organized crime:

* https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalyp...

Of course if people are willing to do one illegal activity (CP), what's to stop them from doing a second illegal activity (strong crypto) to protect themselves against detection of the first activity?

We've been here before: if the US (or any other jurisdiction) limits strong crypto, it will simply be offshored:

* https://wiki.debian.org/non-US

If you're older than ~40 and were on the Internet in the 1990s, this probably isn't your first rodeo:

* https://en.wikipedia.org/wiki/Crypto_Wars


Feinstein has always been anti-encryption and pro-three-letter-agencies.


Ah yes the old child abuse argument, because it would never happen without crypto. We only have how many 1000 years of proof otherwise.

The thing is mothers really believe that. When I told a friend's wife that there should be no regulation on what people can post online she replied with "even child abuse". And I was caught unprepared. Of course I don't want children or any other people to be abused but outlawing crypto is not the solution to that problem.

Of course I'm aware that you're aware.


I sadly cannot say that I am surprised at the reply. "won't someone think of the children?" has been a convenient political go-to for so many years now.

seeing it with Earn-IT and also the "don't say gay" bill.

everyone thinks that they are "protecting the children."


This is the copy/paste response I got from Duckworth: (Which is disappointing)

Thank you for contacting me about S. 3538, Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act of 2022. I appreciate you taking the time to make me aware of your concerns on this important matter.

The EARN IT Act would establish a National Commission on Online Child Sexual Exploitation Prevention, which would be responsible for developing recommended best practices for providers of interactive computer services, such as email or cloud storage providers or social media services like Facebook or WhatsApp. These best practices would pertain to how best to prevent, reduce or respond to the online sexual exploitation of children, in particular the proliferation of online child sexual abuse material (CSAM).

This bill would also amend Section 230 of the Communications Decency Act of 1996. Section 230 in its current form creates a so-called “safe harbor” for providers of interactive computer services from legal or civil liability for the content posted on their sites. For example, if a user posts defamatory information on Twitter that individual may be sued and held liable, but Twitter as a company may not be held liable. The EARN IT Act would require these service providers to earn that safe harbor by complying with the recommended best practices developed by the Commission. Senator Lindsey Graham of South Carolina introduced the bipartisan EARN IT Act on January 31, 2022, and it was referred to the Senate Judiciary Committee.

The proliferation of child sexual abuse material has a devastating effect on its victims, their families and their communities. Like you, I believe there is no place in society for this material. However, some internet privacy advocates have expressed concern that the EARN IT Act may unintentionally drive CSAM purveyors into the dark net, where these horrific criminals would become more difficult to track, identify and ultimately build a case that is required for a successful prosecution. Please know that I will keep your thoughts in mind should a majority of the Judiciary Committee decide to favorably report S. 3538 to the full Senate for consideration.

Thank you again for contacting me on this important issue. If you would like more information on my work in the Senate, please visit my website at www.duckworth.senate.gov. You can access my voting record and see what I am doing to address today’s most important issues. I hope that you will continue to share your views and opinions with me and let me know whenever I may be of assistance to you.

Sincerely,

Tammy Duckworth United States Senator


I'm so torn on this.

I 100% support and demand E2E encryption be legal and available for anyone to use whenever they want to.

On the other hand, I also completely agree with the need to fix Section 230. The stories I've heard about providers essentially turning a blind eye to taking down things like revenge porn after victims have won in court is a huge problem. There's an entire Darknet Diaries episode on Kik that goes into just how bad the problem really is.

Want to smear somebody? Just post a business review on Google or Yelp. The person and the business will be fairly helpless to get it taken down. One place I worked years ago saw a review posted about the business accusing one of the Directors of an affair. The review remained up for over 6 months because of the complete lack of accountability.

Something absolutely has to be done to combat that type of harassment because it's slanted way too far in favor of the harassers right now. If service providers have no responsibility to take this stuff down it's never going to get any better.


Yep, I wanted to blow my top when she sent me the same response. We really need to get rid of Feinstein!


Do politicians even read these letters?


Depends on the politician. A few years ago, I wrote emails to my US House representative and one of my senators. They didn't come from a template. I wrote a few short paragraphs stating my wish, my reasons, and a bit of praise for something they recently did.

The representative sent back an obvious copy-paste. Could've been the response to any email about the topic, and sounded like a campaign pitch.

The senator (or at least a staffer) replied with reasoning. I didn't agree with the reasoning or conclusion, but somebody definitely read my email and responded specifically to it. I appreciated the respect they showed that way.


Wrote to a state legislator regarding a specific bill.

They voted opposite of what I requested, then wrote back giving a synopsis of the bill and mentioning it passed without even mentioning their vote against the bill.


One time they sent back a letter assuming I opposed a position that I actually supported. In fact, I think the senator supported it too, but probably only got letters from people opposing it.


That's because voting literally doesn't matter. At all: https://represent.us/americas-corruption-problem/

There is nothing you can do if you live in a "safe" district.

If you live in a contested district, donate to their opponent, and send them a copy of the check, so that they can see it before they read the letter.


No. But staffers do.

Some interesting stuff here:

https://www.wired.com/story/opengov-report-congress-constitu...


The EFF sent me a letter encouraging me to contact my congressman to support a bill that would prevent federal funding of anti-encryption technologies by the FBI. (https://act.eff.org/action/speak-up-for-strong-encryption-ru...)

My representative called me to talk about it. He told me he hadn't seen the bill but he agrees that isn't where the FBI should be spending their energy. It seems like the bill never got off the ground.

My guess is the prewritten letters are probably less considered.


They almost certainly do not. However they do count them (well, maybe the intern counts them, but they are counted). And if the counts get big enough, they do start paying attention.


> And if the counts get big enough, they do start paying attention.

This is a while back, now, but I vaguely remember a Reddit AMA by people working for US federal politicians where they indicated that "big enough" is often as few as two for the right type of correspondence (bespoke letters and / or letters to the editors of voter-relevant newspapers, especially if the politician gets specifically called out)

Things may well have changed in the interim, but given how often engagement begins and ends at signing on to a form letter, I wouldn't be surprised if this was still the case today.


Yes, I had the same experience with Patrick Leahy. Usually he is pretty reasonable, but here he (or his office) completely missed the mark.


I have said this before: this is a losing battle for individuals striving to protect the freedom, if we just try to do it individually. People bringing this get paid to do this during office time (and maybe after office time too by lobbyists) so they will keep at this; my protests require me to do it by taking time out of the limited time I have left after office.

Fight fire with fire, fund EFF so that we have our own well stocked army. To be clear, I'm not trivialising or belittling the impact of individual effort, just that it takes too much to be sustainable. And yes, individual and organized efforts are not mutually exclusive.


Thanks for reminding. Sent 0.026 btc to EFF.


Also EFF has always been among the charities available in Humble Bundle.


Banning encryption is basically banning certain maths. In a way, it's an affront on free speech, because it is explicitly saying speech must be done in a way that can always be eavesdropped.

An analogy I use to explain to people who don't have a technical background is, "Imagine if we made it law that every pen ever made was required to be chained to a special clipboard that makes a carbon copy of whatever the pen writes." Even when explained like that, it's clear how such a system could be bypassed and would only harm innocent users, but even worse is just how ridiculous it all seems, since this would all be because we can't subpoena a pen. Hopefully it's made clear that despite the subpoena being lawful, it simply doesn't make sense, and attaching this fictitious clipboard doesn't really help make it make more sense, since it seems even more ridiculous once it's made clear that you can't subpoena a pen. It's no different than saying you can't subpoena math, and that's OK.

I hope as we progress technologically, everyday users will understand encryption to the point where they can form their own analogies as to what a ban on encryption would even imply.


>Banning encryption is basically banning certain maths.

https://en.m.wikipedia.org/wiki/Illegal_number


Similar analogy would be, anything you say to anyone should be recorded, which can be subpoenaed.

EDIT: What happens when I send someone an email in a made-up language which only we both know?


Another analogy I like is that it's akin to banning people from inventing new languages that nobody else understands. It's like adults banning a form of Pig Latin their kids made up just because they can't decipher what the kids are saying to each other.

Cryptography is just a special kind of speech/language that is theoretically impossible to understand without the consensual invitation of the speakers.


Throw away account (does not do much good with modern AI and ML). But here goes.

I am a US citizen (never left the country) and I always vote Republican. Down-vote away!

The FBI came to my house in October 2021. Two special agents (one of which I knew from prior IT Security engagements) and a 'Threat Assessment' Police Officer from the local police department.

They asked me if I was an Islamic extremist/terrorist. I am not. I am not religious at all. I am an IT security practitioner and amateur cryptographer.

I once used Tor for remote network security assessments and to maintain my privacy. I ran Tor hidden services (as experiments) and posted code showing best practices on how to do this without revealing the clear-net IP address. I no longer do this. I believe that is one reason I was targeted.

I have written one-time pad software and other cryptographic tools that may be used to evade IP/Cellular network meta-data analysis and tracking. I believe this is another reason I was targeted.

The agents told me that I was considered a threat and an extremist because someone had used my home network to search for Islamic extremist videos. I have not done this. And, to my knowledge, none of my family members have done this either.

I am not sure why this happened. I may never know. But I do know that true end to end encryption is critical to maintaining our security and privacy (assuming end devices are not compromised already). That is a big assumption IMPO.

Now, I also encourage people to not use Tor. I feel it is backdoored and mostly controlled by Nation State actors to identify 'interesting' subjects via meta-data analysis alone.

That's my story. I hope you all do well.


>Now, I also encourage people to not use Tor. I feel it is backdoored and mostly controlled by Nation State actors to identify 'interesting' subjects via meta-data analysis alone.

No, you should encourage them to use it as much as possible to increase the anonymity set. Tor is not 'backdoored' (it is Free Software) and it is incredibly unlikely for most relays even to be malicious. Rather, Tor has a defined threat model and in the interest of offering high performance with low latency at a low cost, eschews the so-called 'Anonymity Trilemma' and it is thus possible to trace connections through the network if you can monitor the entry stream as well as the exit stream. There are a large number of entities who control various parts of the physical infrastructure between each link of your Tor circuit, from your router, to your ISP, to the local internet exchange point, and every other hop along the way to a destination. If an adversary controls even one of these entities in between you and your chosen guard relay, and between your chosen exit relay and the destination (including even the destination logs), it may be possible to perform correlation attacks to confirm whether or not a particular user connected to a given host (something which is easier to do if the stream is more 'distinct' from other streams, as well).

Tor is a tool which serves to significantly increase the cost of undermining user privacy, and while it is true that it should not be treated as some end-all-be-all of internet privacy, I fail to understand why it should be discarded, rather than treated as just one of a number of tools in the toolkit. For example, if you are attempting to make it more difficult for these global adversaries to trace you, you may consider physical indirection (driving around), adding a layer of wireless relays before the connection to the Internet backbone, exclusion of relays in countries which your own nation can more easily influence in your torrc file, inducing dummy traffic in some capacity, preferring anonymity over pseudonymity, and a myriad of other techniques.


I know this isn't the point of your post, but what does your party affiliation mean in this context? I have known people from both parties who believed their party affiliation was central to their anti-authoritarian stance, and people from both parties who thought that their preferred form of good government would control people.

Do you think your party loyalty made you a more likely target, or should have made you a less likely target?

That said, I use Tor for anything medical related. The NSA might wonder why I am licking my paws so much, or why I keep worrying about foxtails in my ears, but they haven't knocked on my door yet.


Why do you go out of your way to protect medical information? If the government cared enough to get your medical information illegally, couldn't they just get it from your doctors? And if they did decide you were an "enemy", what good would knowing your medical information do?


Poster maybe isn't trying to hide health info from state level actors, rather limiting the layers of collections identifying them as "possible customer for __ treatments"

..hopefully they posted from tor and aren't about to get a ton of popups now about "do you have foxtail in your ears"


It's mostly a matter of principle since I assume internet searches to be closer to a postcard than a letter. I could write about some health-related thing that is potentially embarrassing in a postcard, because I doubt the post office cares, or that my mail carrier reads postcards, but I'd probably prefer to put it in a letter delivered inside an envelope.

It seems like better practice to learn which sources tell mainstream, reliable information about things like bordetella vaccines and regular nail clipping, before I get really emotional about an anal gland that needs to be expressed or before my person finds a weird lump on my front leg.

More seriously, back to human medicine, I am disappointed that so many reputable medical information sources with read-only information prevent Tor network users from accessing their information even though malicious Tor users aren't able to add misinformation.


More plausibly, someone used extremely weak WiFi cryptography to access the Internet through your ISP. Even if you have a password on such services, between routers with vulnerabilities, backward compatible connectivity (E.G. for your old game consoles / appliances), and maybe even passwords guest devices have shared with the cloud; it really could be anyone who was ever near your connectivity.

I am sorry that these things happened to you, and this highlights how the rights of the accused to face their accusers, with legal representation present as well as to not be discriminated against before adjudication of those charges should be the standard and only procedures. Maybe for some highly important things these accusations might initially be under seal; but there should still be a defense present to advocate for the accused.


Why was your political affiliation relevant to that story? Peppering that non-sequitur in might mean you’re more focused on politics as teams than is warranted or justified.


Did they ever present you with evidence of anything? From what I've heard it's quite possible to identify Tor traffic if you're determined enough. Perhaps they were pressuring you because they thought you were running a relay/node?


Maxmind APIs will identify Tor traffic pretty reliably fwiw.

I tried Tor one time years ago when I was testing Maxmind. It always seemed like if you were using it you'd become an exit node by default (I could be completely wrong on this, I haven't looked into deeply). Just gave me the impression that my IP address would suddenly be associated with whatever anyone else was doing and that seemed...bad.

Totally understand that there are plenty of perfectly valid uses of Tor but you don't really hear much about those.


Exit nodes are specifically set up and run, you do not become one by default. Using the Tor browser doesn't even make you a relay node: https://support.torproject.org/tbb/tbb-33/


That’s good to know.



The government arguments against encryption are so ridiculous, but we need articulate explanations like this to help refute them.

They remind me of things like: if you don't vote to ban driving, you must want children to die. After all, driving is a leading cause of death among children.


It's gotten to the point that children or terrorists being mentioned at any point makes me automatically reject any argument.

Children in particular are the perfect political weapon. It's political suicide to challenge any claims because you end up looking like a pedophile.


This particular article (not the subject) looked suspicious to me, since I didn't see it contain a link to the EARN-IT bill. I respect that it was created by the FSF, but they really should link to the bill's text.

The bill's text is here. [1] I don't think it does anything that is stated in the article. Its stated purpose is to create a commission that will create recommendations that nobody will have to follow. It actually says that. Then, in Section 5, (7)(A) it explicitly says that it won't affect end-to-end encryption - it says that companies won't need to stop using E2EE and there won't be any liability created for using E2EE.

In general, I am against regulation, but this bill doesn't do what the article claims it will do. Yes, it is absolutely politicking, but it doesn't seem to do much of anything outside of wasting time and resources.

[1] https://www.congress.gov/bill/117th-congress/senate-bill/353...


The part of the bill that mentions E2EE (Section 5) is an amendment to the Communications Act of 1934, namely the famous Section 230 which contains: "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider."

So the EARN-IT act would seem to me to modify Section 230 to not apply in cases of child sexual exploitation law, importantly "any charge in a criminal prosecution brought against a provider of an interactive computer service under State law regarding the advertisement, promotion, presentation, distribution, or solicitation of child sexual abuse material". However despite this amendment, using E2EE would not "serve as an independent basis for liability of a provider", whatever that means.

This seems more notable to me than the whole "creating a committee to create best practices" sections but I could be misreading or misinterpreting the bill honestly, I'm no expert.


In this case, your quote is only one third of the content. You are not quoting the first sentence or the last part, which is why the quote doesn't make sense.

Your quote should read the following, where I've italicized the two parts you left out, "NO EFFECT ON CHILD SEXUAL EXPLOITATION LAW.—Nothing in this section (other than subsection (c)(2)(A)) shall be construed to impair or limit— any charge in a criminal prosecution brought against a provider of an interactive computer service under State law regarding the advertisement, promotion, presentation, distribution, or solicitation of child sexual abuse material, as defined in section 2256(8) of title 18, United States Code;"


Yes, I skipped or paraphrased those parts of the bill to keep things short in a way that I thought made sense. But I think the message is unchanged with the full text. Namely that Section 230 would be amended to also state:

"NO EFFECT ON CHILD SEXUAL EXPLOITATION LAW. Nothing in this section [NB Section 230] (other than subsection (c)(2)(A)) shall be construed to impair or limit ... any charge in a criminal prosecution brought against a provider of an interactive computer service under State law regarding the advertisement, promotion, presentation, distribution, or solicitation of child sexual abuse material, as defined in section 2256(8) of title 18, United States Code;"

And so Section 230 protections to content providers would cease to apply* in cases of child sexual exploitation law, I think.

* EDIT: Except for those points that would be added to Section 230 specifically regarding E2EE


Good point. For this, I read the wording as Section 230 will not "impair or limit" child exploitation laws, not that Section 230 will cease to apply.


My interpretation is, the bill will remove liability shield for “online publisher” for CSAM. This then effectively means that no online platform may use end to end encryption to protect their user, for fear of liability.

Individual user, and those who own the content of their website, are free to use E2E if they choose to, whatever benefit that still gives.

Anticipation of this law feels like why Apple went through its CSAM debacle. Expect to see more content scanning after this passes. The CSAM DB Apple was said to be using will likely be “best practice” in how online service may get liability shield back.

I too don’t like how HN, FSF, EFF jump straight to “encryption ban”. It spells fear that too much nuance will weaken their argument.


Every time someone invokes an argument how taking something away by law prevents some form of crime, my answer is a simple fact:

Criminals, by definition, don't follow the law.

Now, in some cases, that isn't a problem: Guns are an obvious example, because they take resources and knowledge to manufacture, and are physical objects that can be tracked. Taking these away by law works.

But encryption isn't a physical object or something that needs to be manufactured. It's math and algorithms. It can be copied infinitely. So, if the law takes that away, law abiding people will no longer have access to the benefits, while criminals will just ... well, as criminals by definition do, ignore the law, and still use encryption.


By that argument, why have laws against stealing (criminals will just take stuff), or grievous bodily harm (criminals will just hit people), or verbal abuse (criminals will just keep shouting at people)?

I don't buy this argument at all -- if we ban encryption, except for government sanctioned encryption, it will be the easiest thing in the world to detect if anyone tries sending it over the open internet.


Poor analogy.

Stealing is the actual bad behaviour, stealing itself is bad for society, anyone who steals should be punished.

Substitute "encryption" for "stealing" then you know why you're wrong.


> it will be the easiest thing in the world to detect if anyone tries sending it over the open internet.

And how shall "government sanctioned encryption" be distinguished from "non sanctioned encryption"? The point of (good) encryption is to make the result look like stochastically random bytes.
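As an added illustration of the point in the comment above (not part of the thread): byte statistics separate plaintext from ciphertext, but they give the same verdict for two different ciphers and for plain noise. The cipher is a toy SHA-256 keystream constructed for this example, and the "sanctioned"/"unsanctioned" scheme names, keys and sample text are assumptions.

```python
import hashlib
import math
import random
from collections import Counter

SAMPLE_SIZE = 64 * 1024  # bytes per sample


def toy_stream_cipher(key: bytes, scheme: bytes, data: bytes) -> bytes:
    """Toy cipher constructed for this example (do not use for real data):
    XOR the data with a SHA-256(scheme || key || offset) keystream.
    Applying it twice with the same key and scheme restores the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(scheme + key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from the observed byte frequencies."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution
    (255 degrees of freedom: mean 255, standard deviation about 22.6)."""
    counts = Counter(data)
    expected = len(data) / 256
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def classify(data: bytes) -> str:
    """What a passive observer can say from the bytes alone."""
    if shannon_entropy(data) > 7.9 and chi_square(data) < 400:
        return "high-entropy"
    return "structured"


def build_samples() -> dict:
    # Constructed sample text, repeated to fill the sample size.
    sentence = b"Constructed sample: transfer 100 EUR to account 12345 on Friday.\n"
    plaintext = (sentence * (SAMPLE_SIZE // len(sentence) + 1))[:SAMPLE_SIZE]
    rng = random.Random(2022)  # seeded so the run is reproducible
    return {
        "plaintext": plaintext,
        # Hypothetical scheme whose key a third party also holds.
        "escrowed cipher": toy_stream_cipher(
            b"key-held-in-escrow", b"sanctioned", plaintext),
        # Hypothetical scheme whose key only the endpoints hold.
        "private cipher": toy_stream_cipher(
            b"key-nobody-else-has", b"unsanctioned", plaintext),
        "random noise": bytes(rng.getrandbits(8) for _ in range(SAMPLE_SIZE)),
    }


def survey() -> dict:
    """Label every sample the way the observer would."""
    return {name: classify(data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:16} entropy={shannon_entropy(data):.4f} "
              f"chi2={chi_square(data):10.1f} -> {classify(data)}")
```

The only way to tell the two ciphertexts apart here is to try a key on them; real protocols also expose handshake metadata, which this example does not model.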


If government can demand the keys, they can take them and decrypt it.

You could claim you are sending packets of random bytes for no reason to a friend, but I doubt any jury would believe you.


> If government can demand the keys, they can take them and decrypt it.

The question isn't how it's decrypted, the question is how to determine WHICH traffic to decrypt in order to inspect it.


“..because they take resources and knowledge to manufacture, and are physical objects that can be tracked. Taking these away by law works.”

Sorry but it doesn’t even work for physical objects. Guns are completely illegal in some cities (NYC, SF and Chicago, unless you have connections), so I suppose there’s no gun crime there, right? Or, research compliance rates when states have retroactively made certain firearms illegal and asked for citizens to turn them in or face the risk of criminal charges.

The War on Drugs has also been highly ineffective at preventing motivated individuals from obtaining certain physical objects.


> so I suppose there’s no gun crime there, right?

https://en.wikipedia.org/wiki/List_of_countries_by_firearm-r...

It works when implemented country-wide. Countries like Germany have much stricter gun laws, and as a result lower gun violence.

Obviously, the method doesn't work, when someone who wants a gun can just drive a couple hours and get one at some gun show without even leaving the country.


Good point, but guns are legal in NYC. If you have a dangerous job like a security guard, you can get an open carry permit. If you have no special circumstances, you can own a gun in your home. The gun can be transported to other destinations like a shooting range, your business, or other homes, as long as the gun is locked in a container during transit. Until recently you could only carry the gun between your home and a shooting range within the city, but the law was expanded due to a current lawsuit against the City.

edit: Most gun crimes in the city are done with illegal guns, 74% of which come from out of state. https://www.vox.com/policy-and-politics/2016/10/26/13418208/...


That's oversimplifying it. Banning encryption is a form of censorship (because words don't need to be manufactured), and censorship, as far as I can tell, does have an effect.

For example, criminals who abuse children to produce pornography aren't going to follow laws against having child pornography. Does it follow that laws against the possession of child pornography have no effect in curbing abuse?

I think they do. Being seen with child pornography is a huge red flag indicating that you might be an abuser. Plus, the demand is lower. I see no reason this couldn't apply to encryption too.


Difference: There are perfectly legal reasons to generate encrypted traffic;

All payment processing (ATMs, credit cards, online shops) generates encrypted traffic. Sending legal documents, technical data, company internals, contracts, etc. generates encrypted traffic. Sending sensible personal information like medical, insurance or financial records generates encrypted traffic.

Most of these cannot be sent unencrypted, without breaking fundamental processes in our society.

And there simply is no reliable way to differentiate between encryption used for legal or illegal reasons.


I'm not saying there is no difference, I'm saying that the methods to curb it are the same.

Pretending that you don't understand the argument of the other side ("it won't work because only criminals") won't get you any closer to a dialogue with those who say it.


I don't see why, hypothetically, they can't all be sent with encryption that the government has a secret key to decrypt.

The world worked using mail, then phones, for many decades. These were treated as "mostly secure", but could be tapped. The world basically worked fine.


> I don't see why, hypothetically, they can't all be sent with encryption that the government has a secret key to decrypt.

Because it's too risky, simple as that.

Let's say there is a single, super-secret-key, for government use only, that can decrypt any encrypted message on the planet.

What happens if this key is leaked? What if it's found out? What if the implementation of that key turns out to be buggy and is cracked? Remember, once there is such a key, it won't just be some criminals in godknowswherecountry trying to get it, it will be state-level actors with unlimited funds, resources and manpower.

If a single one of them gets their hands on this key, even ONCE, it's game over. Our modern society relies on encryption. If this key gets out, the results could be catastrophic; eg. Airplane navigational data manipulated in flight, stock market data manipulated in transit, financial transfers wide open for everyone to read and manipulate at will, control data for electrical grids, hydroelectric dams, nuclear power plants out in the open...it would be anarchy.


I feel there is already a similar problem with the internet in general -- there exist keys which could be used to sign a HTTPS certificate for any website. If you work your way up the hierarchy there are some very high-value keys, and the same kind of problems you describe would occur. However, we all just seem to live with that.

Something similar could be set up, with a collection of keys. I'm not saying it's a good idea, but we already base the security of the internet on a small number of top-level encryption keys.


Difference 1: These certificates are used for the purpose of Authentication, not Encryption. If they get compromised, bad actors can impersonate certain entities for some time, but they cannot decrypt any prior recorded traffic to these entities.

Difference 2: If something happens to these keys, the CA can simply revoke the validity of the public key. This is a major pain in the _ for everyone involved, especially since all downstream certs need to be re-issued and signed, but it's manageable. A built-in key that is somehow algorithmically included in every encryption mechanism, cannot easily be changed when it's leaked.

Difference 3: There is no single "highest Certificate Authority", so there is no single key to compromise the whole system.

Difference 4: These keys are ordinary asymmetric keys. They are not built-in backdoors into the system.


Spot on. Criminals will not be affected by these new laws. Perhaps this one is just a precursor of another law


I've just read Orwell's 1984 (finally). There is an episode there: "Winston covered his face with his hands. 'Smith! Prisoner 6079!' yelled the telescreen, 'Uncover your face! No faces covered in the cells!" The Big Brother wants to see expressions on your face at all times, and encryption lets you cover it when you have ungood thoughts.


Where can I find more detailed information on how Earn-IT changes encryption law? I just skimmed the Wikipedia article but it doesn't seem to insist that this act changes encryption law. Just that "best practices" that would provide "guidance" to sites might include backdoors.

I'm all for encryption rights, but if I'm going to call my congressional rep, I want to know what I'm talking about, and the FSF link really doesn't explain what's going on.


The bill is written in an intentionally obtuse way so that they can say they're not banning anything; they're just giving "requirements". But the only way to meet the bill's requirements is to eliminate E2EE.


This comment is written in an intentionally "hand wavey" way so that they can say nothing substantive about the proposed bill text, but maintain an air of alarmism.


The act says that a commission will be formed, and describes how members of the commission should be chosen. The commission chooses what the exact best practices will be.

Full bill here: https://www.congress.gov/bill/117th-congress/senate-bill/353...


I keep thinking that if encryption was an actual weapon, and keys actual ammunitions¹, they would be much easier to defend than they actually are. Funny that: cryptography is relatively harmless, making it all the more immoral to restrict it. But that same harmlessness makes it that much harder to defend. I mean, just try to take away nukes from a nuclear capable nation, or guns from a Texan village. Maybe you can, but the costs of doing so tend to give pause.

[1]: https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...


I'm not even a US/UK/EU citizen.

Is there any way I can contribute?

Or do I just sit and watch the world burn as policymakers elsewhere indirectly make policies that might inadvertently affect people far far away as well?


There are groups that are trying to counter it that you can donate to and/or work with. The media, including social media, likes "This person from ____ is worried about how ____ will impact Americans and the rest of the world" narratives, if you feel like writing or reaching out to journalists that report on these topics.


Learn cryptography, write cryptographic software, it's really important that people out of the US do so. Because if a bill like this passes we will need software without backdoors.



I'm just worried that in the rare event that I travel to the west will somebody be like "Well, here's the foreigner who funded to sabotage what our government wanted! Go away!" and get myself banned from entering <Western-country>.

Off-topic: Happy to see your reply here, Beej. I love the books you have authored :)


EFF really failed to connect the dots here.

I don't see how, from a plain reading of the bill's text, one can argue what their letter claims.

Can someone connect these dots?


On behalf of one of those countries, I’m sorry.


Ah don't be it's not your fault.


Every time one of those moronic bills shows up I wonder if they know they are making the entire US banking system and online marketplaces vulnerable to Chinese and Russian hacking.

And what is that for? Some false promise of security? People who commit real crimes will just use illegal tools and would rather be prosecuted for """illegal use of real encryption""" than for whatever they are doing

Meanwhile people who actually need it for legitimate reasons are endangered by this law


It's even better when you say: hey remember those videos of Russian police stopping people and demanding that they get to search people's messages? If EARN IT had passed then the Russian government could just remotely search everyone's message history. The arguments about "only legal" access fail miserably. (This is before we consider the copious examples of illegal searches by the US government)


Look at Russia and see what happens. They are actively monitoring and censoring 140M citizens. Fortunately Russians are using Signal/Telegram[1] to avoid that censorship.

This is not a tradeoff between just privacy and child safety. This is the matter of freedom and democracy.

[1]: I would say Telegram is an available option for privacy, but Telegram has a much greater possibility of being attacked than Signal...


It's not even necessary to emphasize user freedom. The safety aspect is more important to emphasize. Unencrypted or weakly encrypted communication is a severe threat to every (even very lawful and perfectly conventional) user safety and even national security. Limiting encryption is a grave mistake for any nation in the modern world context. Only incompetent or malevolent policymakers can lobby it. Sure, universal right for strong encryption has its downsides but the opposite is not possible to afford anymore.


Step 1: Ban naming legislation. The number 1 reason why people go along with these is naming. Patriot Act, Eliminating Abusive and Rampant Neglect of Interactive Technologies, etc.


Have our rights deteriorated so much, that so many words must be expended to justify not wanting to live in a panopticon?


Could it be suggested that banning end-to-end encryption may put citizens, businesses, institutions & infrastructure at risk from hostile nations (Russia in this instance), who may seek this as a potential attack vector?

Therefore we position EARN-IT as a national security threat over individual privacy.


How seriously should we really take such initiatives? Since the 1990s, the topic has popped up regularly, but apparently by people with little technical expertise or economic imagination. Regardless of how little these people value free speech, any state with a market economy, i.e. in which economic activities are based on the initiatives of its citizens, must protect the secrecy of communications between its citizens simply for economic reasons. Otherwise, the country's economy would be fundamentally exposed to foreign powers, putting national security at the highest risk: financial transactions could be more easily manipulated, trade secrets more easily stolen, etc.


Just enjoy what little online freedom you have while it's here. It doesn't matter if this bill passes or not, the fact that 99% of the general population just don't think about or care about this sort of thing means that we will eventually lose this war.

Politicians also don't know a damn thing about it, but the incentives are very strong for them to insert more gov. into everyone's life, so that is what will inevitably happen.

Sorry about being the party pooper, especially on a Friday, so just enjoy your PGP, E2E encryption, Tor, Btc, etc. while you still can (the more you do, the better our chances of keeping them for longer).


Why don't those congresspersons start with setting up public web cameras in their offices and allow public access to all their emails and conversation recordings?


I've written my senators, and I encourage everyone to do the same.

Also, I have a website that you can point politicians to: https://everyoneneedsencryption.gavinhoward.com/ .

Suggestions welcome on how to improve that site.


The difference between hackers and our enemies is that we value reason, logic and consistency whereas the political classes deal in emotion, and expedient affect (truth and consistency are irrelevant). Trump and Putin use the same play-book, and other leaders are learning from them [1]

Many comments here declare voting as irrelevant and ineffectual. This leaves a sense of learned helplessness in challenging dangerous political forces.

But hackers seem to be overlooking important ideas that we should know better about. Voting may not work on the individual level, but it works at scale, and we are really good at scaling things. Emotion is a much more powerful tool than reason, and influence is really just social engineering at scale. We are good at social engineering. Modern propaganda is as much technical craft as a creative one. We are great at both.

The British Saatchi campaign is a flop, almost a laughable example of how disconnected from people they really are. What makes information war interesting is that highly polished short documentaries and video clips are not expensive or difficult to produce. The EFF already tried their hand with "The Corruptibles", which I think was very promising.

The EFF are wasting their time writing blog posts that preach to the choir and only a handful of regular readers will see. I know because that's what I do, and as a writer I am realising that I speak almost entirely to those whose minds don't need changing.

What's needed is a fight with the politicians on their own ground with funny, viral, highly emotive, slickly produced influence materials that show how ridiculous any attack on E2E technologies really is at this time in history. I think the EFF could better use their resources this way.

[1] read about Vladislav Surkov and the tactics of discombobulation.


How many protests are in the form of e.g. bank and payment information? I mean if the argument for breaking encryption is terrorists, then the argument against it would be criminals stealing your banking info.


Lawmakers losing touch with reality day by day. Technology has left these old crooks in the last century and they can't cope with things they don't even understand.


Have you ever considered the following possibility:

Perhaps Lawmakers belong to a different class than you and that they are fully aware of what they are doing. Perhaps they actually want to rule over you by removing your rights one by one.


I don’t understand why folks don’t just point out any back doors in these services will be abused or hacked eventually. Do our leaders want their own personal correspondence—-to their big donors, bankers, brokers, interns, mistresses, drug dealers, coup instigators—-available to the FBI or the media too?


Leaders are "special". These bans are for people like us, not for them. I'm sure everyone in the government will be using effective encryption. They just don't want the masses using it against them because then it's subversive.


At this point, they don’t care. Plenty of politicians have had criminal investigations and have had zero consequences. Hell, one man won a reelection while he was in jail. Matt Gaetz is still walking around free even.


It’s entirely possible I don’t understand how technology works, but I don’t understand how some sort of government encryption backdoor of various protocols would work.

Software, devices, protocols etc are not just used in a single country. They are used worldwide. If a backdoor needs to be supported for a several dozen governments, each with various levels of security practices, there’s no way it stays secret for long. It’s only a matter of time before a country or state like Georgia gets its old poorly configured IT infrastructure hacked and the attackers now have access to some backdoor keys. How do governments revoke old keys and create new ones across all applicable devices? It’d be pretty hard to do that without going to companies and saying “fix” or “get me that” with some type of warrant or court order. That is kinda like what we have now which is mostly limited user information located in the cloud somewhere.

I think the larger issue is that there is a coordinated push to get complete government access to everything. This is happening at a time where dystopian surveillance is not only quickly becoming possible, but also profitable. The government has the right to pretty much everything legally, but the potential for misuse in situations where the government gets access to everything is really high. The ability for citizens to combat that misuse is reduced the more government gets.

This is my understanding of things. Let me know how I’m wrong.


It's not really about backdoors; they just want everything to go through servers which will archive unencrypted copies of everything so that it can be subpoenaed later.


I wrote to my representatives on both political sides, and all insisted that it “won’t affect encryption.” Either I don’t understand enough about EARN-IT, or they don’t understand enough about encryption, because that doesn’t make much sense from what I’ve read.


I will still use strong open source encryption. I don't give a crap about laws other than the laws of physics. For me, I don't need a law to tell me how to be a good and ethical person. I know it already.


The fact that this kind of idiocy even makes its way to law makers frightens me greatly (whether it passes or not). We're going to be in a world of hurt


How is banning encryption NOT a First Amendment issue like it used to be in the 90s?

I can't see a US court preventing free speech, so why prevent someone digital free speech?


How would you ever secure a server without encryption? How would "they" (corrupt politicians) ever hide their corruption without encryption? Oh no wait it's of course not them who are abusing it, ever. It's only "them" as in the others that are criminals. It's not like they are not humans, no they are of course better humans who never err, who never steal, who are always honest and straightforward.

Never mind NSA and the likes still recording every little data fragment we transmit. That's fair and just, because they're the good guys. They would of course never spy into my sex video chat with my girlfriend.

It's the age of struggle of the rulers vs the oppressed. Ideally it wouldn't be like this, but ultimately that's what it is.

Less privacy is never the better option.

I wonder how we can ... change ... I know: end to end encryption and encryption in general should be a basic human right in the information age.

It opens the bigger question, do we need to be ruled at all. I say yes we need rules but do we need oppression, censorship and removal of privacy?

Isn't that what all the western propagandists accuse Russia/Putin of, correctly I might add?


I have a feeling in 10 years I will be a criminal in the whole anglosphere.


Fund EFF, FSF and ACLU


Devil's advocate: encryption is also what's stopping users with locked-down devices (increasingly common and hard to avoid) from having freedom to run and/or modify the software they use.

It's a tough situation. Encryption can be used for good or bad (and even the definition of what's "good" or "bad" encryption varies depending on who you ask). Unfortunately, I see it increasingly being used to oppress users, in the form of DRM and other "security" features.

Perhaps classifying encryption as munitions makes the most sense, if you support 2A rights.

On the other hand, it's just maths. Maths which anyone can theoretically do.

I don't know if there is a good solution to this problem.


What does any of this have to do with the EARN-IT act? This all appears to be just claims about possible uses of encryption with no particular relation to the subject of the article. If these other uses of encryption you're discussing wouldn't be affected by the EARN-IT act, then they aren't relevant here.


I'm saying that "the war on encryption" isn't all one-sided.


The article is about the EARN-IT act specifically. If your points only relate to the war on encryption in general, and not the EARN-IT act specifically, then they do not bear on the article.


I'd imagine that companies would get licenses to use encryption in limited and restricted circumstances, such as for DRM or basic system security. The user won't be able to use strong encryption, but only backdoored or weak encryption to keep the average attacker out.


But I'd assume that license wouldn't be an easy thing to get. So it would be rich companies getting it.

It would price innovation out of the market.

Also, not sure what you mean by weak encryption. An average attacker now has access to decrypting tools out of the box (with a few Linux distros) so WEP isn't stopping anyone really. Even noobs can be trained to crack with an hour of YouTube.


> but only backdoored or weak encryption to keep the average attacker out.

I realize this is likely not your argument but the only thing that does is delay the access to data, not prevent it.

Private keys will eventually leak, if not publicly, through nation state espionage.

Weak encryption prevents the average attacker today but not the average attacker in the future.


The same cryptography that protects us from them will also protect them from us. The key issue is who owns the keys to the machine.

We'll never be truly free until we can literally manufacture our own free chips at home just like we can make our own free software at home. There should be no big chip manufacturing company they can target with regulation or make agreements with. It's either this or eventually free computers will no longer exist. Just like the radio situation where your software has to be approved by some government agency to make sure it won't cause interference.


I don’t feel the FSF’s statement benefits the movement against this bill as much as the EFF or ACLU or Fight for the Future statements.

The FSF is stuck in the 80s on everything - whether it be dealing with Stallman or specifying acceptable ways to load firmware, and has failed to accomplish almost anything since GPLv3 in 2006. And after recent events, I’d almost consider dismissing them from involvement in the movement.



I don't think you understand or appreciate the work that FSF does, and the comment about Stallman is irrelevant in this regard. I don't see you advocating for MIT to be closed down.


Since 2006, what have they accomplished?

Bug fixes, sure. They managed to alienate a bunch of people from gcc, which was fun. Their anti-DRM campaign is over a decade old and is running on fumes with no accomplishments.

This is the same organization that when Windows 8 came out, they protested outside Microsoft stores and handed out copies of GNU Trisquel - an OS with only FOSS code back in 2012, which to this day runs on very few systems and likely caused everyone who got copies to look on open source as a buggy flop and actively undermined the cause.

I could go on.


Yes, we should all give up and just adopt Microsoft Linux cause clearly whatever company is able to buy adoption is the best choice.


Could you explain your firmware comment?


You can ask @marcan42 who is porting Linux to Apple Silicon for more information.

https://mobile.twitter.com/marcan42/status/10406262109994311...


That thread is pretty persuasive, but I don’t know if he’s attacking a straw-man. Sadly, as seen in some comments here, more than a few people have an irrational animosity towards the FSF. Can anyone present a steel-man of the FSF position?


Free software has never been about demanding corporations open source their intellectual property. For example, Stallman didn't bring a bunch of protesters to Digital Equipment Corporation and the Bell System to beg that they relicense PDP and UNIX as GPL. What Stallman did was create an entirely new operating system that is not UNIX which let freedom loving people use UNIX while escaping the restrictions that were imposed upon users of UNIX.

Richard Stallman wrote at length in the past about how he feels it's ethical to use non-free systems to build free systems if there's no viable alternative. But you can only do that if there's a clean division between what you're doing and what the hardware vendors are doing. Unfortunately it's messy in the embedded world. These makers don't abstract the products they build like Intel does. They rely on legal means instead to secure their advantage. While many corporations might view an agreement to access those bits under restrictive terms as a good thing, it can lead an open source dev to feel like the proprietary stuff, which they intend to decouple themselves from and ultimately escape, is instead being rubbed in their faces. No one wants to be constantly reminded of all the freedom they don't have.

So in other words, it's just a compromise. I'm sure if they could find someone willing to manufacture a truly libre phone, they would have used them instead. I think the FSF has a good understanding of the open source developer's needs / wants / desires and this compromise is perfectly in keeping with that. Perhaps one day they'll attain the obvious end game of a libre phone, which would be a ham radio that looks like an iPhone with unfettered access to SS7. It will be anarchy. https://youtu.be/eXnvTwRBrgc


>Are you "hiding" when you lock the door of your home every day, just because the government is not permitted to enter it without a warrant

If this is your reason then I would say you are trying to hide.

>Is it "hiding" to seal the envelope of the card you're sending your Valentine?

Yes, the point is to keep it a surprise.

>helps protect queer youth from intolerant violence (at home and abroad, as in Ghana).

E2EE doesn't prevent a parent from taking their phone and seeing their messages. These kids aren't communicating to their friends over their parent's IRC server. Most parents aren't technical and wouldn't even know how to MITM even an unencrypted messaging app.

>helping victims out of these relationships by enabling them to contact friends for help

Again most people don't know how to MITM this traffic. Especially if you are using mobile data.

Even in regard to whistleblowers they only need anonymity. They want to do the opposite of hiding their messages. They want the opposite. For as many people as possible to see their messages.


Even if most people don't have the technical chops to spy on traffic themselves, I can imagine a world where there are companies that provide such things as products / services. (Probably there are already a few companies like this, I haven't checked.) For example one might be able to buy a gizmo with an antenna that listens in on people's wifi and mobile connections. If end to end encryption was banned, I'm guessing that spying on that non-encrypted traffic would take about $50 and an afternoon of setup, and would not require any special skills.


>I'm guessing that spying on that non-encrypted traffic would take about $50 and an afternoon of setup, and would not require any special skills.

I could see it even becoming a feature in consumer grade network equipment. A bit like HDCP circumvention in video capture boxes or region free playback in optical media players. All you'll have to do is shop around.


Thankfully with the mass adoption of HTTPS most messages are going to be encrypted over the person's network you are using.


And with the law, we would have a backdoor in TLS. And HTTPS will be meaningless.


It's possible that the commission will require ISPs to block non-backdoored TLS. But I'd consider that to be more of a worst-case scenario, rather than something that's particularly likely to happen. More likely outcome is companies that store user messages on their servers won't be allowed to provide end to end encryption, and would be forced to store the messages on their servers in plaintext, or using backdoored encryption. The bill allows for differing requirements for different kinds of services, so hopefully ISPs would not have much of a change from the current situation.

Of course, even just that scenario is bad enough. It would mean that the police, the FBI, the NSA, people at the messaging company, and hackers who breach the company's security would all be able to read those messages.


No we wouldn't. This law doesn't even ban E2EE. E2EE eliminates any liability of transferring the messages.


True, and definitely a good thing.


They are comparing to the word "hide" in the context authorities use it, e.g. "nothing to hide". They are not drawing comparisons using the word generically, and they make this explicit. Your two assertions seem to ignore this (i.e. it seems like you're "playing word games").


At least with locking your door because you are afraid the government is going to break into your house without a warrant is the same. If someone is doing this either they have done something illegal, e.g. "have something to hide", or they have a mental issue where they have problems with trust and are overly paranoid.


Everyone has something to hide from public view, at least in the sense that you don't want anyone (government or civilian burglar) being able to steal your stuff or know what sort of stuff you have on your hard drive. And by everyone, I include regular people who might have a regular desktop or laptop without disk encryption.


>Everyone has something to hide from public view

But we aren't talking about making something public. We are only talking about a case where the government already has a warrant.


There's literally no difference. None. This was tried before with special locks that 'only the TSA had the keys to open'. The keys were posted online for anyone to make their own. It's also been tried commercially with various DRM and failed.

There is no such thing as a 'government only, and only with a warrant' backdoor. There is either private or not private.


The problem with TSA keys is that they are all the same, can easily be cloned, and couldn't be rotated.

It is possible to design a system where judges have their own hardware keys. Hardware keys cannot be cloned assuming strong tamper protection. If a hardware key gets stolen it can be revoked as being valid and a judge can be issued a new one.

DRM is different because the client ultimately has to have the keys to decrypt the content they have been permitted access to.


Shot in the dark here? Which Government are you talking about? Saudi? Where being gay is a death sentence? No? How about the US where being Japanese was illegal? China's got the most people, perhaps we take a worldwide vote to see? Biggest land mass? Millionaires per population (the 1%)?

Who would control the creation of the keys? I mean which tech vendor would control access to my Android phone's encryption? My phone was made in China, and the chips inside it were made in China. They also have the most people, so it seems fair they control the keys.


No, we're not. We're talking about the EARN-IT act, which wants to legally require all website owners to report all kinds of things to law enforcement, without any probable cause that anyone has committed a crime and without any kind of warrant.


We were on a tangent. E2EE isn't even banned by the bill so it's all somewhat off topic to talk about.


> E2EE isn't even banned by the bill

Not explicitly, no. But it is not feasible for applications to comply with the provisions of the bill while still supporting E2EE, so the bill's effect will be to largely eliminate the use of E2EE.


What is an example of a right that you think people should have (by law), which constrains the government in some way?


The right to not be randomly murdered by the government.


Why are you afraid of the government randomly killing you? I think you only have to think about that if you're doing or planning something very illegal. People who have problems with trust and are overly paranoid might fantasize about that sort of thing, but the average citizen who doesn't do anything wrong will be fine.


> Most parents aren't technical and wouldn't even know how to MITM even an unencrypted messaging app.

Give it a couple of weeks and someone will have put together a surveillance and parental control system for it.


>Give it a couple of weeks and someone will have put together a surveillance and parental control system for it.

????? CSGO chat is unencrypted. It's been more than a few weeks since Source games have been out. Show me this parental control system you theorize would have been created.


> Even in regard to whistleblowers they only need anonymity. They want to do the opposite of hiding their messages. They want the opposite. For as many people as possible to see their messages.

This website is freeeeeeeee



