PyPI Was Subpoenaed (pypi.org)
1153 points by quercusa 10 months ago | 597 comments



> We have waited for the string of subpoenas to subside, though we were committed from the beginning to write and publish this post as a matter of transparency, and as allowed by the lack of a non-disclosure order associated with the subpoenas received in March and April 2023.

That's suspiciously specific. Sounds to me like they also received some other subpoenas they aren't allowed to talk about.


Yep, I was thinking the same thing. What a beautiful way of communicating that.


What a weird way to think about such events.

Such subpoenas are clandestine surveillance of citizens by their state. The problem with such types of surveillance in particular is the lack of accountability.

How does the ethical use of this problematic tool get ascertained? Where and how is the democratic oversight implemented? How is misuse treated and prevented?


as a foreigner (in terms of the US), I've never understood how these gag orders are compatible with the First Amendment

often there's posts on HN about how the UK and all other Western European countries are totalitarian because they don't have unrestricted free speech

but then apparently the police (FBI) can restrict the free speech of Americans without any court involvement at all?

I really don't understand


Civil rights, including those in the First Amendment, are not absolute. Regarding speech, you also can't harass people, threaten them, defraud them, incite violence, distribute copyrighted information that isn't yours, interfere with others' activities (sing loudly in a movie theater), etc. Private entities such as your employer can restrict your speech in many ways.

> often there's posts on HN about how the UK and all other Western European countries are totalitarian because they don't have unrestricted free speech

I haven't seen these posts. Do you have an example handy?


> I haven't seen these posts. Do you have an example handy?

here's one from earlier in the week: https://news.ycombinator.com/item?id=36000459

they're pretty common, here's another one: https://news.ycombinator.com/item?id=35617773


In the GGP you wrote,

> often there's posts on HN about how the UK and all other Western European countries are totalitarian because they don't have unrestricted free speech

I don't see that in the comments you cite - nothing related to totalitarianism, unrestricted free speech, or comparison to the US. The comments just look like critiques of some laws related to speech, similar to critiques of US laws. Maybe I misunderstand.


I don't have a source handy, I can find one later if you desire. During Melbourne's lockdowns there was consistent criticism from US based commenters about the lack of freedoms in Australia.

edit:

https://news.ycombinator.com/item?id=28651811

https://news.ycombinator.com/item?id=28523358 (this entire comment section, probably: https://news.ycombinator.com/item?id=28522599)

https://news.ycombinator.com/item?id=35105640


funnily enough, the USA has much less protective laws against self incrimination than e.g. Denmark. In Denmark, you, as charged, may lie on the stand however much you please.


Only in your own defense or in defense of your closest loved ones, I believe. If it's like in Norway.


yea, against self incrimination, as mentioned


In the US you just have to shut up. It also saves you from getting caught in a lie.


The astonishing amount of people incarcerated without a process tells a different story.


How many are incarcerated without a process?


I'm not the GP, but here are some ways:

Something like 95% of criminal cases are resolved with plea deals and not trials, and legal representation from public defenders has very limited resources.

Cash bail results in many people imprisoned without trial: After arrest, the court requires bail. Poor people can't afford it, so they are jailed until trial, which can be over a year. The impacts go beyond the (very serious) loss of freedom: They lose jobs, their family loses income, dependents (children, elderly) lose caregivers.


Firstly, though I see the concept behind cash bail I don't agree with it. But people have a misconception of the likely result of removing it.

Judges now don't need, and aren't required, to use cash bail; they choose to. They can release people without cash bail now, either into the person's own recognizance or even into the care of others.

If a judge doesn't feel the person is likely to return to their following court date, and they can't leverage financial burden as a means to ensure it, they are likely just to forego the process and hold them.


In California "at least 1,317 people have been waiting in county jails for more than 3 years. For 332 of them, it’s been longer than 5 years."

Source: https://calmatters.org/justice/2021/03/waiting-for-justice/


Both the California and US constitutions guarantee a right to a speedy trial, and California criminal code has specific provisions on how quickly trials must begin. Who is holding the California government responsible for this? What an outrage.


Wowzer, right. That is...pretty compelling. And incredibly illegal. Does California not know it doesn't have a right to just incarcerate people for no official reason?


Shutting up and refusing to answer a question makes it very clear that you have something to hide, much more than a lie.

I'm not sure whether that's good or bad. I guess it depends on what you are accused of.


> Shutting up and refusing to answer a question makes it very clear that you have something to hide

It really doesn't, at least in a court of law. Although if the police are interrogating you, they will almost certainly try to convince you that it does.


(obligatory IANAL disclaimer)

I don't think you're ever required to answer any questions from the police, whether avoiding self-incrimination or otherwise. You're only required to answer a question in court, and even then only if the answer wouldn't be self-incriminating (or a few other narrow exceptions I think; the concept of the court not being allowed to compel someone to testify against their spouse is a common trope in media, although I'm honestly not certain how accurately it's portrayed). You also aren't required to take the stand when accused of a crime; while you can choose to do so, you're also free to just have your lawyer make your case via the questioning of witnesses instead of having to answer questions directly yourself.

That said, my understanding is that you're _not_ allowed to plead the 5th if the answer wouldn't actually be self-incriminating, so it's a weird thing where you're only allowed to not answer a question by essentially stipulating that you _did_ do something illegal that would be disclosed if you answered truthfully. If they can prove you weren't actually avoiding answering due to self-incrimination but plead the 5th anyways, I'm pretty sure you can be charged with contempt of court. Having never been on a criminal jury, I can't say I know exactly how it would play out in deliberations, but it's hard for me to imagine that it doesn't affect things at all; even if a jury isn't technically allowed to consider it an admission of guilt, from a legal perspective pleading the 5th seems pretty explicitly either a non-legally-admissible admission of guilt or a crime of contempt of court in itself, so I don't see how the law isn't basically forcing the jury to conclude that you've committed a crime one way or another. The question would then boil down to which of the two crimes the jury thought you had committed (the one you were accused of or contempt of court), and while they're not supposed to be deciding the question of the latter, it seems likely that the jury's view will be tainted by this.

Of course, all of this only applies if you did actually commit a crime; if you genuinely didn't commit any crimes, you wouldn't be lying under oath when stating that instead of pleading the 5th. The jury still might think you did commit the crime though and are just doubling down on lying under oath to try to hide that, though.


That’s not the case.

If you choose to plead the fifth, the prosecution is absolutely forbidden from bringing that up in the courtroom, much less using it to insinuate your guilt.

Any lawyer in the US will tell you not to speak to the police or prosecutor. At all.


Not true. In the Kyle Rittenhouse case, despite being nationally televised to millions, the prosecutor questioned why he didn't answer questions post arrest.


And the judge immediately halted the trial, reamed out the lawyer as being unimaginably unprofessional, and threatened that he might toss the whole case if the prosecutor ever insinuated something like that again.


yes, and there is a high chance that with either a less vigilant judge, or a less caring defence (see: public defender), it would not have been stopped.

The point is: this case was televised to millions and he STILL questioned it.


The point is that the DA in that case was incredibly unprofessional across the board, and this was just one of many bad decisions he made.


Is it actually? I've often heard the advice from the US lawyers to answer no questions.


Or say "I don't recall". That's a popular one with politicians.


Then following up on blibble's question: What is the difference to the UK and other western countries that mostly also have free speech with what looks to me very similar restrictions?

Honest question, like blibble, I don't really understand it either?


The US's first amendment is rather unique amongst Western nations. Basically it says "the government cannot infringe on this inalienable right", that is the government cannot govern speech. Here's the actual language

    Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

The key phrase "or abridging the freedom of speech, or of the press".

As far as I know, this kind of language is absent from other Western nations. For example, Canada jails people for criticizing those of Islamic persuasion. [0] Note, the article doesn't record what the accused actually said. Here's a wikipedia overview of hate speech laws by country [1], though it is wikipedia, so take it with a grain of salt. Here's a somewhat relevant piece from Reason that takes an anti-hate-speech stance [2] where the author details the unconstitutionality of hate speech laws.

"Free speech" as we understand it in the US is unique in the world.

As far as the restrictions at state and federal level, these are considered unconstitutional, and you'll see a large number of them struck down in various courts across the country. Those in power definitely seek to expand their powers and fortunately we have a law that allows the citizenry to push back against that.

[0] https://www.cbc.ca/news/canada/hamilton/muslim-hate-1.614516...

[1] https://en.wikipedia.org/wiki/Hate_speech_laws_by_country

[2] https://reason.com/2021/05/20/teen-arrested-under-connecticu...


Rather than posting a poorly-worded, short-on-facts news story about the guy in Hamilton saying some hate speech, you could cite the actual Canadian Criminal Code which is far more specific and worthy of discussion: https://www.criminal-code.ca/criminal-code-of-canada-section...

This is what the guy was charged with violating (as per https://hamiltonpolice.on.ca/news/hamilton-police-charge-mal... )

Framing it as "Canada jails people for criticizing those of Islamic persuasion" is disingenuous, as if Canada specifically has laws about some specific religion or faith.


Without knowing what was actually said that the courts deemed to be promoting hatred, "Canada jails people for criticizing those of Islamic persuasion" is a valid interpretation. Citing vague laws doesn't make this any more reasonable.


IMO the worthwhile fact to share on an HN thread is "in Canada there are specific laws against inciting hatred through speech etc." and linking that criminal code entry, rather than mentioning and linking a specific news case that we have no real details on. At least the criminal code is a clearly-defined thing we can learn from and internalize, rather than a specific case where the public was not given enough information to make an informed judgement about (as per most news stories, IMO).


Both are important really - the law and how it is interpreted by the courts. That we don't know the details of the case doesn't make it less concerning - on the contrary, media not reporting the relevant facts (in this case, what exactly was said/done) only makes this more concerning. Especially if the lack of reporting is due to fear of running foul of the same censorship laws.


It seems kinda arbitrary

Earlier it was listed "..you also can't harass people, threaten them, defraud them, incite violence, distribute copyrighted information.."

So where are these exceptions enumerated? Just purely from a technical point of view, why can defrauding be made illegal, but hate speech can not?

It actually seems the number of exceptions is quite limited - so I never understood why they were not spelled out explicitly (like in a subsequent constitutional amendment for instance). It seems to undermine the authority of the bill of rights. The original text makes no provision for exceptions...


It’s not strictly about the words in those exceptions.

In the case of fraud, it’s not the speech itself, it’s the part where someone gives you money (or other consideration) under some agreement or understanding, and doesn’t actually get what was promised. There’s nothing intrinsically wrong with what you promised, it’s your failure to deliver.

Threatening people? The illegal part is not that you used words at them specifically, it’s that you caused them to credibly fear for their life and safety. You could just as well do that without words, just standing outside their place with a baseball bat making menacing gestures. Harassment similarly may use words, but the objectionable part is often subjecting them to your words or actions or presence directly, to cause distress, instead of leaving them alone in peace.

“Hate speech” as a problem generally is about the content of the speech itself. You might wish to convince people that others in a group are bad and worthy of being considered bad. Your audience is typically people like yourself, or third parties who you wish to sway, and if you are in a public place you are mostly not following around an individual to be hated, or telling them you are about to do them violence. (If you do, it may in fact be harassment or intimidation.)


Given that some things that don't use words—for instance, art, money—have been ruled as being considered equivalent to speech for the purposes of First Amendment protections, I don't think the rationale you give there is likely to be the one used to justify the listed exceptions to the First Amendment.

In all the cases listed, the speech in question is being used to directly and (at least usually) intentionally harm or interfere with another person. I believe this is a case where looking to the Framers' intent rather than the strict wording of the amendment is worthwhile in determining how best to apply it. It seems obvious that they did not intend to make all forms of fraud and threats legal with no recourse (and I imagine there is some jurisprudence that cites specifics to this effect).


The specifics have been determined in case law. I'm not a lawyer, so I can't give a more detailed example. I can, however, give some examples (Mass Media Law at Utah State comes bubbling back into my mind, what a fun class).

Yelling "fire" in a crowded theater, for example [0]. Another comment in this thread talks about the "clear and present danger" doctrine that came from the case. That case was followed by the Brandenburg v. Ohio [2] case in 1969, which instituted the current methodology used for determining what is "allowed" speech. That rule/methodology is called the "imminent lawless action" rule.

[0] https://supreme.justia.com/cases/federal/us/249/47/

[1] https://en.wikipedia.org/wiki/Shouting_fire_in_a_crowded_the...

[2] https://supreme.justia.com/cases/federal/us/395/444/


Yeah, I'm not a lawyer but the system seems honestly nonsensical. They found the law inconvenient, so the court just effectively added a "clear and present danger" clause to the law. If there were problems with people abusing their freedom of speech, then you'd think the natural response would be to amend the bill of rights - and not just a bunch of unelected judges dreaming up something that seems "reasonable"


I honestly can't speak to "reasonable", but this format of jurisprudence has been common for the better part of 4000 years (see Jewish law and case law that pops up in the Bible's old testament, especially the tanach).


Mostly right, but [0] is out-of-date, was overturned, and is a zombie free speech trope that is resistant to any headshot ever tried: https://www.theatlantic.com/ideas/archive/2019/08/free-speec...


I find the debunkers of this myth to be overzealous, or at least confusing.

You can be charged with a crime if you knowingly, falsely yell "fire!" in a crowded theater and someone gets hurt as a result.

The case you linked is not actually a ruling on whether you can do this.


The biggest problem with the trope is that it plants in people's heads the idea that there was EVER a Supreme Court case where the defendant was accused of yelling "fire!" in a crowded theater.

In reality, the phrase was an analogy used to justify the conviction of a man who committed the heinous crime of… making and distributing leaflets opposing the draft in World War I. So for all the high minded rhetoric in the First Amendment, it may not provide all that much protection if your speech inconveniences the government sufficiently.

One might also be tempted to draw inferences from the fact that Schenck, the man whose speech was considered not worth protecting, was a socialist pacifist, while Brandenburg, whose free speech was considered more worthy of protection, was a KKK leader promoting violence against Blacks and Jews. In the US, protecting the civil rights of Nazis has become a litmus test of civic virtue across the political spectrum. Unfortunately, that protection is extended far less vigorously and consistently to other political views.

https://en.wikipedia.org/wiki/Schenck_v._United_States

https://en.wikipedia.org/wiki/Brandenburg_v._Ohio

https://en.wikipedia.org/wiki/National_Socialist_Party_of_Am...


Hmm it sure sounds like "government abridging the freedom of speech of individuals" to me


Case law doesn’t exist in the United States of America. You might be thinking about medieval England, or ancient Persia, where a king or judge’s word becomes law. In the USA, people are judged individually and are equal before the law. One exception, that is traditional, but not enumerated in law, is that the Supreme Court can strike down a law that it deems unconstitutional, but may not amend or make new laws itself. Lower courts have no such power.


That's completely wrong.

First, every court of appeal can strike down a law as unconstitutional. The Supreme Court is only special in that there is no further appeal.

Second, case law absolutely determines the interpretation of each text, and each court is mildly bound by its own precedent (via stare decisis), and completely bound by the precedent of superior courts.

Third, there is no tension between these facts and people being judged individually and being equal before the law. The law must (in principle) be applied equally to everyone.


> First, every court of appeal can strike down a law as unconstitutional.

Any federal court, not just the courts of appeal.


Wow, American exceptionalism claims have now gone so far as to claim that freedom of speech is unique to America!

Not even the historical claim holds, as constitutional protections for free speech in France and Sweden predate the American constitution.

> For example, Canada jails people for criticizing those of Islamic persuasion

He was arrested, presented to court, and acquitted. Therefore he was not "jailed". Also: the charge was inciting/organising a hate crime, in the wake of a killing of a Muslim father and his 15-year old daughter, not "criticising those of Islamic persuasion".

Don't be a liar, it doesn't help your argument.


> Also: the charge was inciting/organising a hate crime

True, but we don't know what the man actually said. So whether the charge was true or not remains solely decided by those policing speech.

> He was arrested, presented to court, and acquitted.

Thank you for pointing this out. I should have been more careful in my reading of the source material.


Could it be possible to illustrate with an example just for clarity? How does this compare to, say, the Netherlands? For example what are things that are possible in the United States that are not possible in the Netherlands? I would assume there are things that are not legal but not penalised in the latter but under certain conditions would be addressed and penalised and there's no way around it, but would like to know of an example just to make it super clear for me. Thanks!


A politician in the Netherlands got a crowd chanting "Do you want more or fewer Moroccans?" "Fewer! Fewer! Fewer!" [0].

A court found him guilty for "groepsbelediging", insulting a part of society, which is a crime. He did not get a punishment.

That's the only example that comes to my mind of something that the courts found not allowed in the Netherlands.

[0]: https://www.youtube.com/watch?v=BaB75uznT8o


In the US it is legal to advocate hate, such as denying Holocaust or promoting National Socialism or white supremacy. The courts have repeatedly struck down bans on hate speech. Not sure about the Netherlands, but this is illegal in many European countries.


Idk the US specifics but hate speech in Spain is something govt has used to prosecute others in the name of so many things and in so many situations that to me, it means nothing. Just having a negative opinion is "hate speech" if the right person gets annoyed and goes for you.

It is a very powerful tool to shut up adversaries and it is extremely harmful for real opinions and real free speech.


If you're itching to speak freely, we'd love to have you in the US. :D


Radiolab has a great episode about how this more broad application of the first amendment sort of came about due to Oliver Wendell Holmes changing his mind about what actually constitutes a "clear and present danger" between two Supreme Court cases in 1919.

https://radiolab.org/podcast/what-holmes


Why is denying or promoting something considered hate? Where is the list of things we are allowed to deny or approve of?


Because denying a group of people (say, based on ethnicity or skin color) the right to exist is equivalent to hating them.


Take a person who believes that "there needs to be a country for white people and white people are innately better able to form productive societies". This person would clearly be a white nationalist and a white supremacist, right?

But they may also have no hate towards other ethnicities or desire their deaths. If pressed, they might even say that their vision of a "pure" society isn't worth the deaths of minorities that would come about if they tried to implement it.

I think too often we confuse the stereotypical example with the definition. The stereotypical white supremacist hates minorities, but the definition itself doesn't require it (I know of no surveys that would tell us what proportion of white supremacists match the stereotype).


You can't be a white supremacist without thinking other races are inferior. That's hateful by definition. They are stereotyping an entire race in a negative manner. They are denying the basic humanity of billions for what end? The Third Reich didn't immediately start throwing Jewish people into death chambers. They had to build up to that moment by dehumanizing their victims.


> That's hateful by definition.

My whole point is that you (and many others) are using a new definition of "hate" which doesn't match the old one. "Hate" used to be an emotion, a feeling, a dislike of something and a wish to see it destroyed.

One can feel superior to something without having any dislike of it or a wish to see it destroyed. I consider myself superior in many respects to the rocks in my back garden, but I neither dislike them nor wish them destroyed.

A supremacist may consider themselves smarter or prettier or taller than some other group, but that does not necessarily mean they want to destroy the other group.


I kind of get your point (I think?) but maybe you shouldn't try to belittle the use of the word "supremacists" in the context of modern language. Try looking up a definition if you are unsure. Maybe you disagree on the definition but that is probably the mainstream one...


At your prompting I've tried to look up a definition, but there doesn't seem to be a commonly accepted one... merely usage where the scope of the terms varies from one source to another.


That is simple.

Any left-wing should be allowed, any right-wing stuff should be denied.

Few exceptions exist on the western side, Spain is probably the most remarkable case. Reason why you wouldn't often hear much about what happens there, unless it is something negative to bash the right-wing people there.


Note that including denying the Holocaust under "advocating hate" is basically making up a new concept and using an existing word (hate) for that concept.

It comes across as very dishonest.

There are people who genuinely think the Holocaust was exaggerated or didn't happen at any substantial scale who bear no ill will to Jews, seeing it simply as a question of historical fact of limited relevance to the modern day.


Denying that a targeted genocide happened or saying it's exaggerated is absolutely hateful. I'm not sure how it's of limited relevance when it's within living memory. When (some) Americans start to chant "The Jews will not replace us!" I think it's very relevant to our modern era.

I would really recommend doing a cursory, bare-minimum reading of the associated Wikipedia page [0] and citations. Plenty of historians revise the events surrounding the Holocaust to provide less biased and more nuanced information. Very different from taking an assumption as fact (the holocaust did not happen) and working backwards from that.

[0] https://en.wikipedia.org/wiki/Holocaust_denial


I think, as ever with these things, the name is misleading. It's not "hate". We've no idea what people are feeling. Why do we a) think someone feeling "hate" is enough to suspend speech, and b) think if we want to justify censorship, we can't just say it out loud?

Why not just say "we ban speech that says the Holocaust didn't happen"? Why get it classified as hate and then because somehow hate is censorable get it autocensored? It seems somehow disingenuous.


Because there's no rational or non-ideological way to deny the holocaust. The evidence is literally overwhelming.

The only reason people deny it is because of anti-semitism.


Of course there is. People might be ignorant. If a kid is just taught that the Holocaust was made up, no hate is required for them to believe it. People need to stop pretending they can divine people's emotions. What matters is their actions.


No, some haven't seen the evidence or think it's fake.


You're missing my point.

What does the word "hateful" mean? The old meaning is "full of the emotion of hate". Someone who thinks the Holocaust wasn't real could in theory have no strong feelings about it and think it has no relevance to their lives.

It is not required by definition that Holocaust denial is hateful (using traditional definition of the word "hate"). Nor is it required by human psychology (for example, you could have someone who read an unfortunate sampling of books as a child and took "disbelieve anything the victors of a war say about their enemies" as gospel and never got educated on the details).


It's a useful label to categorize and marginalize speech. This is a common tactic used in propaganda.


My goodness. That raises questions. I hope you are merely naive.

"I don't hate them! I just think they got a bit worked up over a few arrests. They're too sensitive. I don't blame them for it, but when you deal with them you've got to remember they can be prone to distorting the truth."

Come _on_


Uh, I have no idea what you're saying here. Particularly can't see any relationship between what you quote and my post.


> The US's first amendment is rather unique amongst Western nations.

> As far as I know, this kind of language is absent from other Western nations. For example, Canada jails people for criticizing those of Islamic persuasion.

The US is not unique in having constitutional protections of free speech. For example part of the Canadian constitution is the "Canadian Charter of Rights and Freedoms", which forms part of the Constitution Act 1982. Section 2 of which says "Everyone has the following fundamental freedoms: (a) freedom of conscience and religion; (b) freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication;" – that's essentially saying the same thing as the US First Amendment.

In Europe, article 9 of the European Convention on Human Rights (ECHR) protects "Freedom of thought, conscience and religion". The Convention is quasi-constitutional in nature – while it is an international treaty whose members are in theory free to leave at any time, in practice quitting it is impossible for many European countries–membership in the ECHR is a requirement for EU membership, so no EU country is going to get away with denouncing it. And many national constitutions have equivalent provisions, such as articles 4 and 5 of the Basic Law of Germany.

One difference – the text of the US constitution doesn't contain any exceptions to the 1st Amendment, whereas the Canadian constitution, the ECHR, Germany's Basic Law, etc, explicitly state that freedom of speech/etc can be subject to limitations. However, in practice, even though the US constitution never explicitly says that the 1st Amendment has exceptions, the Supreme Court has always held that it does, although the scope of these exceptions has varied due to the evolving opinions of the Supreme Court – for the first century of the US's existence, SCOTUS allowed sweeping exceptions to the 1st Amendment; in the 20th century, it narrowed the allowed exceptions significantly, and developed some highly complex case law on which exceptions are allowed.

The real difference is actually nothing to do with the text itself, it is all about case law – since the 20th century, SCOTUS has been very strict in only allowing quite limited exceptions to the 1st Amendment. Courts in Canada, Europe, etc, have always been much more liberal in allowing exceptions to the right of free speech. Now, possibly the difference between a text which provides no explicit exceptions versus a text which does may have influenced that, but I don't think it was decisive. It was not historically inevitable that SCOTUS would start interpreting the 1st Amendment much more strictly in the 20th century, if different justices had been appointed, it easily could have decided to stick with its 19th century case law which allowed greater exceptions to it. Conversely, even though Canadian/European/etc texts explicitly mention exceptions, their courts could have chosen to interpret those explicit exceptions far more narrowly, producing a result much closer to that of the US, if they had wished to do so.


Canada does a lot of things better than the US, but not free speech.

Canadian law on is nowhere near as protective as the US. Defamation has a much lower standard there.

Defamation with public figures in the US is next to impossible to win. That's not true in Canada.


Similarly, in Australia it is generally much easier to win a defamation case than in the US.

However, there is one interesting difference – under Australia's uniform national defamation law (adopted in 2005), corporations cannot sue for defamation. (There is an exception for small businesses, with less than 10 employees.) So, the recent Dominion vs Fox News lawsuit would have been impossible in Australia.


Hm, not quite sure I can follow the _unique_ part.

E.g. German constitution is quite similar:

> Article 5 [Freedom of expression, arts and sciences]
>
> (1) Every person shall have the right freely to express and disseminate his opinions in speech, writing and pictures and to inform himself without hindrance from generally accessible sources. Freedom of the press and freedom of reporting by means of broadcasts and films shall be guaranteed. There shall be no censorship.
>
> (2) These rights shall find their limits in the provisions of general laws, in provisions for the protection of young persons and in the right to personal honour.
>
> (3) Arts and sciences, research and teaching shall be free. The freedom of teaching shall not release any person from allegiance to the constitution.

(2) notes that there _are_ limits, but if I understood the concept of gag orders and also wolverine876's answer correctly, that's the same for the US:

> Civil rights, including those in the First Amendment, are not absolute. Regarding speech, you also can't harass people, threaten them, defraud them, incite violence,


I was under the impression that Germany bans Nazi symbols (with some exceptions for education/art). [1]

In comparison, Nazi symbols are protected hate speech in the US. [2]

The US has tried to ban political parties in the past but eventually courts find that sort of thing unconstitutional. [3]

[1] https://en.wikipedia.org/wiki/Strafgesetzbuch_section_86a

[2] https://en.wikipedia.org/wiki/Bans_on_Nazi_symbols#United_St...

[3] https://en.wikipedia.org/wiki/Communist_Control_Act_of_1954


In Germany Nazi symbols are strictly banned but you are allowed to name soldiers killers. My hunch is that calling a veteran or active member of the armed forces of the US a killer would not go so well and might very well end in a slander suit.

When your free speech is restricted still seems pretty arbitrary to me [shrug].


You can call US service members killers all you want. In fact "baby killer" is a relatively common refrain during protests aimed at the military. Maybe in the UK with their asinine slander laws you'd have to be more quiet but that's pretty clearly first amendment protected territory in the US.


SLAPP suits are a thing in the US. You might not go to prison for your speech but that doesn’t mean you can do it.


SLAPP suits come from massive sources of capital which have enough counsel either on retainer or simply have enough money that they don't miss ~$50k on a whim to get back at someone who they think besmirched them that one time. That doesn't really apply to US service members.


SLAPP suits are filed by the defendant, ie the person who said the thing.

They're a response to being sued. If a lawsuit is clearly bogus, you can get it thrown out extremely quickly and the other side usually has to pay your attorneys.

Not all states have them and not all states that have them, have good ones.

https://anti-slapp.org/your-states-free-speech-protection


> Strategic lawsuits against public participation, or strategic litigation against public participation, are lawsuits intended to censor, intimidate, and silence critics by burdening them with the cost of a legal defense until they abandon their criticism or opposition.

Anti-SLAPP suits are filed by the person who said the thing. And yes some states have good anti-slapp protections but that means the rest of Americans don’t enjoy that freedom.


You could get sued, but you would almost certainly win, as evidenced by the Westboro Baptist Church who won a Supreme Court case after being sued for witnessing their Christian faith with messages like "Thank God for Dead Soldiers" and "You Are Going to Hell" at a soldier's funeral:

https://en.wikipedia.org/wiki/Snyder_v._Phelps


This is what the article says for [0]

“Police say the man targeted people on social media and promoted hatred against them after an attack in London, Ont., in June, where four members of a family were killed.”

Does that sound like criticism to you? It reads like harassment to me.


I don't know what the man said, only what the authorities reported. This is part of the danger of "hate speech" laws; if speech is deemed dangerous, discourse can be hidden behind public safety concerns and then wholly dismissed. It is then left to those who police speech to determine what is acceptable public discourse and what is not.


In New Zealand where we don't have a specific constitution or amendments we have a set of laws ^1 that end up in the same place. An example is libel, which both countries have laws against. In NZ such laws are debated in parliament and voted on just as in the US. However in the US there was an additional objection based on it violating the first amendment but then the law was made anyway so it seems politicians in the US can make laws that override amendments in specific situations. The US also has their Supreme Court which seems to play a far more active role than NZ's and also more powerful in that it can create precedents in the interpretation of laws for example allowing students to wear items of symbolic protest in school.

^1 In 1990 we got a law called the Bill of Rights Act which included freedom of expression.

Edit: added ^1


The UK is especially bad because of its very restrictive libel laws, since it puts the burden of proof on the defendant.


There isn't one.


A ready example: though it is clearly not appropriate to do so, in the US you can express Nazi-isms that are verboten or illegal in parts of Europe.


Five comments below this one, user all2 claims that Canada jails people for merely criticising anyone who is Islamic.


This is simply not true.


Just to clarify: What's not true is that Canada jails people for criticizing Islam, not that it was claimed:

https://news.ycombinator.com/item?id=36061407#36064645


I think while this is a popular way to think about these things, it doesn't offer enough explanatory power for when things seemingly "go wrong":

Rights afforded by a state are restrictions on a state's power over its subjects. But as the state holds ultimate authority, the only way these rights are upheld in practice is through a system of self-imposed indirection and bureaucracy that mostly exists to limit the power of any one individual operating the state, rather than the state as a whole.

The First Amendment means whatever the state wants it to mean. The Supreme Court can make a case-specific ruling one way or another but it intentionally holds no direct power. A police officer can literally get away with killing you if they can construct a scenario that gives them sufficient justification to do so. The problem with intelligence agencies is that by necessity they have less red tape holding them down and they're thus in practice far less limited in how much power they can wield.

States are authoritarian and oppressive by default. They're only held back by self-imposed limitations. But those limitations only exist at the behest of the states themselves. Try and openly plan to dismantle a state (using violence or not) and most states will abandon any pretense of freedom of speech in a second.


> Civil rights, including those in the First Amendment, are not absolute. Regarding speech, you also can't harass people, threaten them, defraud them, incite violence, distribute copyrighted information that isn't yours, interfere with others' activities (sing loudly in a movie theater), etc. Private entities such as your employer can restrict your speech in many ways.

That's all true and should be true, but it's also possible to take these limitations too far, and we have.


It appears absolute to me if you sharpen the definition.

Free speech means you can express and advocate for any view point, not that you can make any sounds with your mouth in any context.


You cannot express or advocate viewpoints that "harass people (beyond some limits), threaten them, defraud them, incite violence, distribute copyrighted information that isn't yours, interfere with others' activities (sing loudly in a movie theater), etc."

For example, someone could not express the viewpoint that 'thebigwinning sexually assaulted coworkers and stole money at their last job'. It would slander you (an exception to free speech that I omitted in the GP) and you would be entitled to damages.

Nor could someone express to an angry crowd the viewpoint that 'thebigwinning should be assaulted', nor could someone selling cryptocurrency express the viewpoint that 'cryptocurrency is a safe, stable investment for unsophisticated investors', etc.


That's exactly what I'm not saying. These contrived examples only strengthen my view.

> sing loudly in a movie theatre.

Perfect example. Inappropriately making sounds with your mouth, not holding an illegal belief.

> express to an angry crowd the viewpoint

The issue is the context of the angry crowd, not the content of beliefs. Do you believe the US will penalize me for believing crypto currency is safe and stating that publicly?

> 'thebigwinning sexually assaulted coworkers and stole money at their last job'

They are indeed allowed to believe that. They can't be taken to jail for holding that view of me. Now if they tried to get me fired with false evidence that would be a problem. If they caused damage to my business reputation without evidence that could result in civil damages.


The examples are not contrived, they are commonplace legal issues (though any such issue is rare in any one person's life).

We are talking about speech, not thought - expression, not belief. You said "you can express and advocate for any view point", not that 'you can believe any viewpoint'.

Yes, all speech depends on context. The significance of speech is its impact on other people; it is communication. You can say whatever you want in the shower.


You are not engaging with my point and continuing to converse with the one in your head. Goodbye.


> interfere with others' activities (sing loudly in a movie theater)

This is more about private property rights, is it not? You can sing loudly in a park until local ordinances (noise, curfew) kick in.

The "movie theater" example I'm familiar with is that you can't scream "fire" in a crowded place.


you absolutely can sing loudly in a theater, but you don't have a right to demand you can keep on doing it. It's a private location, so they have every right to throw you out and ban you. similarly to how you don't have a right to say whatever you want without being moderated on Twitter or Reddit.

the fire one is basically anything that incites panic can get you into legal hot water, and if there are injuries or death as a result some form of manslaughter charges probably because ultimately you were responsible.


> you absolutely can sing loudly in a theater, but you don't have a right to demand you can keep on doing it.

good point


>incite violence

>threaten them

You absolutely can. It just has to be nonspecific. "Kill all lannisters" is fine. "Kill x lannisters in y mall at z time" is not. See: Brandenburg v Ohio, Schenck v US, Hess v Indiana.

>interfere with others' activities (sing loudly in a movie theater),

lmao what? You can absolutely do that. the theater will kick you out but you can absolutely not be arrested for it. what an absurd claim.

>you also can't harass people

You can absolutely do that, to a degree.

>distribute copyrighted information that isn't yours

Not really related to 1A

>Private entities such as your employer can restrict your speech in many ways.

That's not 1A. 1A specifically applies to the government.


You beat me to exactly what I wanted to say.


Summarised as "rights [...] are not absolute", this is a really weird statement. I confess I don't understand what makes a "civil right" different from an actual "right", to you.


Here's a recent example. I've seen other examples too, it's not at all uncommon. https://news.ycombinator.com/item?id=35867043


>Civil rights, including those in the First Amendment, are not absolute. Regarding speech, you also can't harass people, threaten them, defraud them, incite violence, distribute copyrighted information that isn't yours, interfere with others' activities (sing loudly in a movie theater), etc. Private entities such as your employer can restrict your speech in many ways.

So the First Amendment is basically just the demo. And other western countries, oft criticized, just didn't have as nice a demo as that, but offer more or less the same features and gameplay.


Not so much, there are plenty of other types of speech that are protected by the first amendment and are illegal in countries that don't have such a thing in their constitution. For example, in France, saying "Macron is trash" can get you to jail (https://rmc.bfmtv.com/actualites/police-justice/insultes-con..., https://www.lepoint.fr/societe/une-quinquagenaire-jugee-pour...)


Technically not jail, there's only a fine allowed for the crime of "outrage à personne dépositaire de l'autorité publique" (insulting a public authority figure) and "injure au président de la République" (insulting the president of the republic).

Not great, but not terrible (jail).


That's only true if you have a very surface level understanding of law and how it attempts to solve real-world problems.

It's nice to say "all speech should be free!" in theory but then, when faced with a situation where a mob boss says "please go kill that person" or ringleader whips up a mob into a riot. Should a judge just say "well, he was just exercising his First Amendment rights!" and ensure no consequences befall that person?

A person enters my home and says things I find offensive. Should the First Amendment prevent me from removing that person from my home for that reason?

I decide to leak trade secrets of my employer for profit. Should the First Amendment protect me from being fired and sued for this?


>when faced with a situation where a mob boss says "please go kill that person" or ringleader whips up a mob into a riot. Should a judge just say "well, he was just exercising his First Amendment rights!" and ensure no consequences befall that person?

Isn't that covered by actual murder (or conspiracy to commit murder if it isn't seen through) charges, unrelated to free speech?

>A person enters my home and says things I find offensive. Should the First Amendment prevent me from removing that person from my home for that reason?

Isn't that covered by the right to invite (or throw out) whatever guest you want at your home? You have the same right even if they don't say things you find offensive, heck, even if they just tell you pleasant things...

>I decide to leak trade secrets of my employer for profit. Should the First Amendment protect me from being fired and sued for this?

Isn't that covered by copyright law (or similar)?

The point wasn't "practical limits to free speech" regarding a "mob hit" request or some non-existent and never argued obligation to let people in your house if they speak lest you prevent them from expression (?), but how more abstract (or open to interpretation) restrictions can be used to effectively limit actual free speech.

Not to mention "private entities such as your employer can restrict your speech in many ways", like a not so uncommon case of you saying something they don't like on your (unrelated to work) personal social media, in which they can just fire you. Or the social medium itself can censor you.

Making the FA protections kind of moot, in a time when it isn't the government that has to do the censoring anymore, while the public just gathers on 3-4 tech behemoths platforms.


> Isn't that covered by actual murder (or conspiracy to commit murder if it isn't seen through) charges, unrelated to free speech?

> Isn't that covered by the right to invite (or throw out) whatever guest you want at your home?

> Making the FA protections kind of moot, in a time when it isn't the government that has to do the censoring anymore, while the public just gathers on 3-4 tech behemoths platforms.

I don't understand your points. You're both mixing concerns and splitting them, seemingly at random.


>I don't understand your points.

Here's the Cliff Notes version:

The examples you brought up as arguments to why free speech can't be absolute (which I didn't argue for in the first place) are contrived and unrelated to free speech.

They are also already covered by existing laws, such as laws against conspiracy to commit murder, about the right of exclusion, etc. If anything I'm separating concerns, mixed up for no good reason.

As for my statement about FA, it's pointing how its protections are rendered moot, since they don't apply to private businesses and thus don't protect speech (the kind that matters, not mob hits) in places where the public discourse really happens nowadays. So, it's not "sufficient free speech protection" anymore.

I added it to further the discussion, what with FA being the very topic of this subthread, and not some randomly "mixed concern"...


> They are also already covered by existing laws

The First Amendment supersedes law by determining whether it can be law at all, so whether it's covered by "law" is actually only half the story.

> The examples you brought up as arguments to why free speech can't be absolute

I started with deliberately stupid examples to make my point: Free Speech was always clearly limited, by necessity.

> it's pointing how its protections are rendered moot

That in itself is debatable. What evidence do you bring that this is somehow worse than it used to be? It used to be the case that, to get _any_ significant speech, you had to get your work published. Now you can just shoot it off on Twitter, Reddit, HN, take your pick.


>I started with deliberately stupid examples to make my point: Free Speech was always clearly limited, by necessity.

Which is neither here, nor there. Conspiracy to commit murder, as per the "mob boss gives an order example" would always be illegal regardless of our "free speech" stance, and the First Amendment didn't come into play determining whether that "[could] be law at all".

It was rather the other way around: the First Amendment was drafted with the certainty that such a thing isn't about free speech and will always be illegal.


> It was rather the other way around: the First Amendment was drafted with the certainty that such a thing isn't about free speech and will always be illegal.

This isn’t really backing up your point that the First Amendment isn’t sufficiently protecting free speech.


I thought that the First Amendment was about not allowing government to restrict speech and doesn't cover private issues such as between individuals or between an employer and an employee?

With the mob boss example, wouldn't the charge be something like conspiracy to commit murder rather than prosecuting the instruction itself? i.e. saying the words is not in itself illegal, but the intention to conspire to get the person to commit crime on your behalf is the illegal part and the instruction is evidence.


> I thought that the First Amendment was about not allowing government to restrict speech and doesn't cover private issues such as between individuals or between an employer and an employee?

Absolutely, it is. However, I interpreted the comment I replied to as suggesting the First Amendment is not sufficient free speech protection.


> Private entities such as your employer can restrict your speech in many ways.

Fun fact: Europe actually has better protections for free speech for employees. Even if you're a hardcore Nazi taking part in actual Nazi rallies, unless you're wearing company clothing or are a high-ranking corporate official, you can't get fired for that. And when you, say, contribute to an open source project in your non-work time on your own computer, your employer doesn't get any rights to that code.


Yes, they can. They also can perform illegal searches on Americans, and routinely do. To the tune of hundreds of thousands of times a year: https://www.reuters.com/world/us/fbi-misused-intelligence-da...

There are absolutely no consequences to anybody for this. If you're going to ask how US citizens tolerate such blatant abuse, and why they don't do something about it - that's a very good question. Please get back to me if you find any answer to it.


Yes, the thing people gloss over is that laws are only as good as the people ruling on them, and not only is the process of selecting supreme court judges in the US a farce, one of them is openly defending his own corruption now.

In such cases, a well written, clear law on freedom of speech only increases the distance between what people think they have, and what they actually have.


Well, due process is a right co-equal to free speech, so which rights override which others in which circumstances will come down to legal precedent.

My understanding is that the FBI or other non-judicial body cannot unilaterally issue a gag order. Subpoenas and gag orders related to them are granted by judges.

(Which isn't to say that the relationship between the judicial branch and law enforcement bodies is always pure and equal)


Gag orders do require a court, just not a jury or an open hearing. I agree that they should be unconstitutional.


Well, the founding fathers intended for the First Amendment to apply only to acts of Congress, and maybe not even then (for example, just six years after ratifying the Bill of Rights, founding father and second President John Adams signed the Sedition act [0], which criminalized false and malicious statements against the government).

It took over 125 years before Supreme Courts started reinterpreting the First Amendment to apply to some government actions that weren't acts of Congress, but there are still tons of situations where regular people can restrict free speech. For example, in Frederick v. Morse, while the Olympic torch was running through some town in Alaska, a public high school student unfurled a banner that read "bong hits 4 Jesus". Despite this not being on school grounds and the student not going to school that day, the school suspended him explicitly because of the speech on his banner, but the SC said that's fine.

(Sidenote: I wouldn't look to the SC for coherent reasoning; the SC has been an absolute dumpster fire for all but the Warren court and parts of FDR's court. Hell, three current Justices (Roberts, Kavanaugh, and Coney-Barrett) worked on George W Bush's legal team in the democracy-negating Bush v. Gore case)

[0] https://en.m.wikipedia.org/wiki/Alien_and_Sedition_Acts


You seem to be misunderstanding the First Amendment. CSAM, classified information, defamation, copyright, etc. are all not permitted under the first amendment. Not to mention that gag orders are approved by a court and can be appealed.


> Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

seems pretty clear to me, at least for gag orders

less so for the other stuff you mentioned (could you argue pirated Disney movies are speech? probably not)


And the writers of the 1st Amendment went on to pass the Sedition act of 1798.

> That if any person shall write, print, utter or publish, or shall cause or procure to be written, printed, uttered or published, or shall knowingly and willingly assist or aid in writing, printing, uttering or publishing any false, scandalous and malicious writing or writings against the government of the United States, or either house of the Congress of the United States, or the President of the United States, with intent to defame the said government, or either house of the said Congress, or the said President, or to bring them, or either of them, into contempt or disrepute; or to excite against them, or either or any of them, the hatred of the good people of the United States, or to excite any unlawful combinations therein, for opposing or resisting any law of the United States, or any act of the President of the United States, done in pursuance of any such law, or of the powers in him vested by the constitution of the United States, or to resist, oppose, or defeat any such law or act, or to aid, encourage or abet any hostile designs of any foreign nation against the United States, their people or government, then such person, being thereof convicted before any court of the United States having jurisdiction thereof, shall be punished by a fine not exceeding two thousand dollars, and by imprisonment not exceeding two years.

Welcome to America. Our laws contradict each other and it's all about politics. The Supreme Court figures out where the line is drawn and what is, or isn't, legal according to the Constitution.

With regards to 1st Amendment, the limit is drawn today at Libel, Slander, "Fire in a Crowded Theater", pornography, and many other restrictions upon "free speech". Gag orders included.


> With regards to 1st Amendment, the limit is drawn today at [...] "Fire in a Crowded Theater"

No, and it never was. That was an obiter dictum that didn’t accurately reflect the state of the law in the decision in which it appeared, and the actual holding in that case itself (now regarded as an intense intrusion on core political speech) is no longer operative.

It's a catchy turn of phrase that gets stuck in the mind, but it was also a rhetorical device in a decision that has since been substantively overruled, not an actual example of an existing limit on free speech.


Well, if that particular phrase is poisoned, I guess I could just say "Hobbit" instead, which is owned as a trademark IIRC by the Tolkien estate and they're very litigious about it.

You can't say "Hobbit" in your own stories. But you can say "Halfling", and that's how people tend to get around that problem. Blonde Thor is Disney/Marvel (Historical Thor was a redhead IIRC, so Blonde Thor is Disney/Marvel Trademark), etc. etc. Plenty of restrictions on Free Speech in practice.


> You can't say "Hobbit" in your own stories

You can, though.

You can't use it to market your stories or other products, and there's some manners of use in the body of a book that might run some risk of liability for dilution or tarnishment, but...


Of course you can. You can write about hobbits, make youtube videos discussing them, whatever. There's a lot of fanfic on hobbits out there. You can make fun of hobbits.

If you want to use copyrighted characters and it's not fair use, then no.


>"Fire in a Crowded Theater"

That one's apparently a myth.

https://reason.com/2022/10/27/yes-you-can-yell-fire-in-a-cro...


Libertarian website argues Libertarian viewpoints. News at 11.

I'm more inclined to believe Supreme Court Justice Alito over a Libertarian website. Especially because a sitting Supreme Court Justice literally will preside over the case and make a decision based on their own ethics/process/whatever.

An entire article that starts off with "BTW: Supreme Court Justice is wrong on subject" is... well... that's not how this works. The Supreme Court justice literally defines (or at least, is 1/9th of the definition) of our country's legal interpretation.

If the Supreme Court says "Obamacare is a tax", then it's a tax. No if, and, or buts about it. It can be as ridiculous or contrived an argument they want, it's the purview of the Supreme Court. They are the final say on any of these legal matters.

And unless "reason.com" (or any other libertarian source) somehow manages to get the ear of the other Supreme Court Justices to believe their argument, I think I can safely ignore their article there.

But they know that. I'm guessing they're just trying to clickbait readers and make somewhat sketchy arguments for more clicks + plant more articles that are aligned to libertarian values (as is the point of reason.com).


1. It was falsely shouting fire in a crowded theater, and it was not formative of the opinion itself (Schenck vs United States) but rather an aside.

2. Schenck vs United States was largely overturned by Brandenburg vs Ohio, but this aside was still non-jurisprudential.

3. I am unfamiliar with Justice Alito’s opinion on the matter and you didn’t cite it, so with no context I will only temporarily defer to you for the purpose of saying this: SCOTUS makes jurisprudence through the rulings and opinions they hand down when they take a majority vote in conference, draft opinions and sign on to them. One Justice does not make jurisprudence over a statement which itself was never jurisprudential.

Reason wears their ideological stripes on their sleeves, but this is still essentially a myth that doesn’t die and a fuller explanation of it isn’t a matter of ideology.

You still shouldn’t falsely shout fire in a crowded theater, as people will die. You also shouldn’t pretend a fire isn’t there or part of the show either as people will also die. Basically, if there’s a fire in a theater you’re in, just be glad for modern building and fire codes.


> 2. Schenck vs United States was largely overturned by Brandenburg vs Ohio, but this aside was still non-jurisprudential.

This here is the evolving nature of the court that I want to highlight most of all however.

In 1919, the Supreme Court believed one thing. Later, in 1969, half-a-century later, it believed another thing and overturned the earlier ruling.

As an organization, the Supreme Court tends to try to be consistent. But it's not always true, and certainly in these days where we've had a dramatic change in the makeup of the court + filled it with young justices, we're going to see a big change in how the court writes opinions in the years, and decades, to come.

-----------

Laws are written. Constitutional Amendments are written. A few years ago, the 4th Amendment protected a woman's right to privacy and therefore Abortion. That's no longer true today. Etc. etc. Just a modern quickie example about how changing opinions can change our understanding of long-standing laws (or Constitutional Amendments) from the 1700s.

Generally speaking, the Supreme Court is trying to do what's right for our court system. To have laws interpreted consistently over time, and across the country.


The goal is to be consistent over time but it must also still maintain a reactionary posture to the cases brought before it. When there is a difference in opinion between earlier and later jurisprudence, later jurisprudence takes precedent and to be blunt, sometimes earlier courts get it wrong and later courts recognize this.

> A few years ago, the 4th Amendment protected a woman's right to privacy and therefore Abortion.

Due process clause of the 14th amendment actually was the citation under the portions of Roe v Wade not overturned by Planned Parenthood v Casey prior to them both being overturned in Dobbs. The due process clause is often used to read into law from the bench things which are not written into law by Congress or the States under the doctrine of substantive due process, and the issue with that doctrine comes down to: if Congress didn’t say it, and the States didn’t agree to it (Constitution), then is it really actually Federal law? So far the answer seems to be: temporarily yes, and on shaky ground until either Congress addresses it or a future court does. That a court can overturn its own precedents is why if we wish for them to stick, you write them into statute.

Going back to the First Amendment, most of the seeming contradictions in our free speech law really are addressed in the first 5 words of the First Amendment: “Congress shall make no law”. Courts are not Congress, and our Judiciaries have habits and traditions that predate the Constitution and are rooted specifically in the English common law, especially among the States which is why you can be found civilly liable for defamation in most States, and then the standard is high and the extent to which it is applicable is curtailed more with the First Amendment than it would be without it.


> Libertarian website argues Libertarian viewpoints. News at 11.

It's not just Reason or Libertarians saying that the old "fire in a crowded theater" trope is nonsense:

https://www.popehat.com/2012/09/19/three-generations-of-a-ha...

> An entire article that starts off with "BTW: Supreme Court Justice is wrong on subject" is... well... that's not how this works. The Supreme Court justice literally defines (or at least, is 1/9th of the definition) of our country's legal interpretation.

No, a majority of the current Supreme Court is what defines jurisprudence on a subject.

There are crazy (and non-crazy) minority opinions all the time that don't amount to anything. A later Supreme Court can even repudiate an earlier one.

So it's true that this could change someday, and maybe Alito would even be in the majority then, but until and unless that happens, the "fire in a crowded theater" example is still dicta from an old case that's not good law.


surely that Act is by definition unlawful?

I still don't really understand

in the UK: Parliament has unlimited power and people talk quite a bit about formal constitutions being a good model to be followed

it seems a bit sad the attempt to protect the population against government using a formal constitution doesn't seem to work in reality (even when the wording is as clear as day)


> surely that Act is by definition unlawful?

Whose definition?

Answer: The Supreme Court decides the definition of things. It's only unconstitutional if the Supreme Court says so.

That's how the USA can get away with... I dunno... the Office of Censorship in 1941. (https://en.wikipedia.org/wiki/Office_of_Censorship). Definitions change, not only due to different members on the Supreme Court, but also due to different circumstances (WW2 meant that the Supreme Court was willing to ignore the obvious incursion into the 1st Amendment, at least temporarily)

EDIT: I always forget that it was actually the Office of War Information that did the Hollywood Censorship thing (https://en.wikipedia.org/wiki/United_States_Office_of_War_In...), rather than the Office of Censorship.


> Whose definition?

I guess that's the underlying problem

I'm not sure how you fix it really, though not having direct political appointees as top judges might be a good start

(maybe put an LLM in charge of a supreme court? I kid, I kid)


You do have a King though. What would happen if the PM went to see him to form a government and they disagreed? The King is the one with armed guards, military rank and a fortress.


As part of his coronation, the King has sworn an oath to uphold the Law and to respect the primacy of Parliament. Not appointing the PM and his government has serious consequences as the PM is the leader of Parliament, which is the institution that has actually restored monarchy after the Glorious Revolution and which actually bankrolls the armed forces, and which was ultimately elected according to the Law by the citizens.


The king is the de facto ruler, to say otherwise is being pedantic.


No, this is pedantic:

De facto means in fact. Given that the king does no governing, no, he is not, in fact, the ruler. You may be looking for de jure, though I question even that.


No, he's the ceremonial head of state. There's a polite fiction that all power comes from him, but he can't actually make anyone do anything.

If he tried, people would say no. If he insisted, he'd get tossed out on his ear.


The king of the UK still has to respect the Law. Being king does not mean that one can do as one pleases, or that there are no checks and balances. The last English king who tried to become an absolute ruler caused the English Civil War and was put on the chopping block by Parliament, as a matter of fact.


In the constitutions of many other countries, you will find an explicit clause saying (to effect) "rights and freedoms granted by this constitution are not absolute and exceptions can be made to them for sufficiently grave reasons".

Unlike those other countries, the US Constitution never contained such an explicit clause, but the Supreme Court has always read it as if it did. The Supreme Court feels quite justified in doing that, because if you go back and look at the debates in Congress and the state legislatures over the proposal and ratification of the Bill of Rights, it is clear that its proponents always intended it to be interpreted as if such an "exception clause" existed, even though (for whatever reason) they chose to leave it as implicit rather than explicitly putting it in the text.


Copyright is something the first amendment explicitly carves out exactly because it is incompatible with free speech.


The first amendment must be a lot longer than I thought.


I don't like these gag orders but I can see times when they are needed. Each person has a right to a fair trial. So the courts sometimes have to suppress information from the public to avoid potential jurors seeing information about the case. They must only judge guilt based on what they hear in court not in the media.


Gag orders are rarely used for this purpose.

The information that so-and-so parties provided some information (without disclosure of that information) in response to a lawful request will usually not prejudice a trial.

What gag orders are for is a) avoiding tipping off the subject of an active investigation b) avoiding general knowledge or disclosure of key sources of information and investigative methods used by law enforcement and c) concealing the general scale, nature and purpose of surveillance activities from the general public.


> Gag orders are rarely used for this purpose.

I agree, but the only time I think it's justified is when it's to protect the right to a fair trial.


So the whole of society must be kept in the dark? No, jurors should simply judge on the evidence presented in court, and those looking for unwarranted (sadly, not literally) secrecy should look for other ways to continue their insidious conspiracies against people.


>jurors should simply judge on the evidence presented in court

I don't know if humans are able to ignore evidence they have heard outside of court. We are not good at only including one set of information when making judgements.


Right, but you're advocating keeping the whole of society in the dark versus relying on twelve people to be fair, which is what they're told to do. I would say that the latter is better than the former because of the immense harm of keeping the whole of society in the dark. It's a numbers game.


All of society benefits from the right to a fair trial. But, most of the time gag orders are abused and no one benefits.


The way I propose does not preclude a fair trial. The way you propose (i.e. the status quo) precludes an informed electorate and introduces perverse incentives for those in power.


I disagree but that's okay :)


Rather than disagree you might point out why with reference to the points I’ve made. Comity is only an end in itself in, ironically, cultures that do not value free speech and hence, put truth beneath social harmony. The idea that I could be put on a jury and be unwilling or unable to ignore what a journalist, of all people, had relayed about a case, is risible, and I can bet I’m not alone.


I think that the way you propose does preclude a fair trial as it biases the jury but we've already covered that and come to different conclusions.

I agree that free speech has significant value and restrictions should only be put in place when required to uphold other rights.

I'm sure you're not alone in your opinion that a jury is able to ignore what they've heard about a case in the media. However you do disagree with the current judicial system of most developed nations. That doesn't necessarily make you wrong. I think there is merit to the argument you're making, I just am not convinced that people can ignore information like that.

https://juryanalyst.com/blog/the-power-of-media-coverage-how...

https://www.canlii.org/en/commentary/doc/2019CanLIIDocs2798#...


They aren't compatible with the first amendment. But at this point, those rights are a joke and all three branches of our government regard the constitution as toilet paper.


Having been on the receiving end a bit, the gag orders don't come from the FBI directly. The FBI can ask you not to say anything, but you can ignore that without any legal repercussions. Any gag order that matters is issued by a judge.


There are plenty of laws that aren't compatible with our constitution. Judges will laugh a lawyer out of the courtroom who uses constitutional arguments, and your case will go nowhere.


> but then apparently the police (FBI) can restrict the free speech of Americans without any court involvement at all?

are you sure about this? As far as I understand "gag orders" can only come from a judge. Of course the FBI could request strongly that you not talk about something but I'm not sure it would hold legal weight.


They do need a court. Subpoenas are issued and overseen by the judicial system, any gag order has to be signed by a judge. The FBI can't unilaterally censor you.


Our rights are written in a document. The government is made up of people. There can be a large disconnect between the two.


It’s voluntary. The only way they can shut you up if you don’t agree to is to kill you.


Free speech does not equate to unlimited absolution from consequence


the fbi is overseen by elected officials, and by laws that were voted for it. it's not perfect but that still makes a huge difference.


That explains the whole Trump Russia ties investigation by the FBI I guess?

Doesn't seem too healthy for any nation that is supposedly democratic?


Are you still like first amendment don't you number

@_sib_ra10


Look at this thread.

People engage in childish fantasies featuring themselves in imaginary subversive behavior.

It's unresolvable cognitive dissonance leading to repressing and reinterpreting the cause.


> How does the ethical use of this problematic tool get ascertained? Where and how is the democratic oversight implemented? How is misuse treated and prevented?

I can't speak specifically to this case, but in general when asking a judge for the warrant they also provide compelling evidence that harm would come from disclosure. The judges weigh the rights of the targeted and other parties that would be subject to a gag order against the greater good.

To answer your last two questions, all gag orders eventually expire. It isn't a prohibition against the impacted party speaking out, just a delay. They can go directly to the judge or appeal to a higher court.


> It isn't a prohibition against the impacted party speaking out, just a delay.

It’s exactly this “it’s totally fair, surely it’s not ridiculous” attitude that shows how the powers control the people.

Gag orders and secrecy agreements can definitely be indefinite and regularly are.

https://web.archive.org/web/20220809113138/https://cdt.org/i...


Assuming it's always ridiculous doesn't seem like a position any more enlightened.


Possibly safer for people's rights, though.


> How does the ethical use of this problematic tool get ascertained?

Via the judicial system

> Where and how is the democratic oversight implemented?

In congress

> How is misuse treated and prevented?

Through the judicial system and congress


The USA is a country of laws. It's possible that people submitting packages are submitting illegal malware; spyware, ransomware, software to steal crypto money, or run illegal ticket-buying bots. Ethical oversight is baked into the institutions through governance structures. Institutions aren't perfect. Also there tend to be more complaints in the media about a country's institutions than in regions where there is not a free press. So the voices complaining online don't necessarily correlate with where the problems most lie.


Describing the US as a country of laws is a little funny. The mere existence of laws does not imply much.

Your examples are even weirder. How would such malfeasance justify clandestine observations? That is clearly disproportional, thus unethical.

Claiming governance structures were "baked into" institutions is pure hopium. Democratic oversight means, there must be transparency enabling you as a citizen to detect and react to misconduct, at least by proxy.

The "free press" isn't free to report and investigate such subpoenas, obviously.


In a lot of ways, being 'a nation of laws' means the officeholders can evade any kind of personal responsibility by asserting that they're just one cog in the legal gear wheel. Which one? Well that can take years of litigation to establish.

Of course, the idea is that people are corruptible whereas laws are clear and neutral, but reality falls far short of this ideal. Any system can be gamed and ultimately captured; the more widely accountability is distributed, the less the probability of its timely application.


If law enforcement was never allowed to engage in clandestine operations then it would hamper their ability to build a case against and/or apprehend criminals. Case in point, organized crime syndicates.

This is why the majority of your fellow citizens disagree with you and are fine with the current state of affairs.


That seems like kind of a fabricated boogeyman, though. I have an extremely hard time thinking of anyone I know who's been affected by an organized crime syndicate, but I can immediately bring to mind a whole host of injustices suffered at the hands of government agencies, from bogus tickets to civil forfeiture to imprisonment for victimless 'crimes' (and that's not even accounting for blanket stuff like xkeyscore or spending my tax dollars on nonsense like the Iraq war - all arguably way worse than any criminal organization without government backing could ever hope to inflict)


This is my high school buddy’s dad:

https://www.democratandchronicle.com/story/watchdog/2013/12/...

Three of my teenage friends were in his basement when the FBI kicked down the door and stormed in armed to the teeth.

Perhaps you’re fine letting thieves and murderers get the upper hand but the rest of us are not.

Consider yourself lucky that criminals haven’t had much of an impact on your life.


I think where you and I might be diverging here is in our definitions of 'thief' and 'murderer'.

I don't see a difference between, say, a capo that orders a hit, and a member of congress who votes for a foreign 'police action' - save for that the congressmember has much, much higher numbers.

Same goes for a bank robber vs. a bank exec who gets a multimillion $ payout from bailout funds - we're impressed if the bank robber cracks a million - but it's like "that makes sense" when the exec walks away with eight figures of tax dollars.

I don't know anyone who's been killed by a mob hit, but I know soldiers who have lost their lives to bullshit foreign wars, and literally everyone who pays taxes lost money to the villains in 2008.

I believe criminals have had a huge impact on my life - they just all got there through 'legitimate' channels, which IMO makes no difference to whether I'm poorer or people are dead.


Sorry, what point are you trying to make?


A very basic one: organized crime does in fact exist (contra to claims of bogeymen) and law enforcement benefits from clandestine investigations.

It is a trade-off. The downsides have been enumerated ad nauseam on hacker forums for decades and compared to the reality of organized crime comprise just a small percentage of the ill effects experienced in a relatively low corruption society like the United States.


No one is trying to claim organized crime does not exist. They are claiming that the harms from organized crime may not be as bad on the whole as the harms from some of these laws intended (at least in part) to combat it.

This does not, of course, mean that the harms to certain individuals from organized crime aren't worse. But governing based on a small number of emotional anecdotes, and ignoring the broader harms being perpetrated to placate that vocal minority, is deeply irresponsible.


What is deeply irresponsible is ignoring the benefits of clandestine operations by law enforcement in a vain attempt to adhere to some kind of free and open source information ideology.


What about a ransomware, phishing or data breach victim? Cybercrimes are often committed by organised criminals and investigating them seems like the most obvious reason for the DOJ to issue a subpoena to PyPI.


> who's been affected by an organized crime syndicate

I can’t think of anyone I know who has been affected by holes in the ozone layer. Must be a fabricated government boogeyman designed to force me to buy an inferior fridge.

Law enforcement agencies have been quite effective in controlling them over the last few decades (that and they’ve been replaced by foreign drug cartels..). It was probably quite different back in the 60s or 70s


> I can’t think of anyone I know who has been affected by holes in the ozone layer. Must be a fabricated government boogeyman designed to force me to buy an inferior fridge.

There are many [1] counties in California that come immediately to mind - but I digress.

I'll readily admit that things have changed - organized crime was indeed a much bigger problem in the past - but I might argue that even then the fault lay not with a lack of enforcement, but the existence of really, really dumb laws (prohibition). I might further argue that what organized crime is still problematic, is also a legislative rather than an enforcement issue (current prohibition, which we euphemize as the 'war on drugs').

Even if it's enforcement that's doing the work of eliminating the effects of organized crime on actual citizens - the potential for harm is way bigger from an organization with a monopoly on violence, a state mandate, and practically unlimited coffers.

1 - https://en.wikipedia.org/wiki/List_of_California_wildfires


> Ethical oversight is baked into the institutions through governance structures.

Kind of a shocking assumption to make. Over the past several decades it has become increasingly apparent how our governing structures have no inherent relationship with ethics.


You’re extrapolating incidents that are being called out in the press to improve the system onto vast legislative infrastructure that is operating day after day for 100s of millions of people in this country.


> Where and how is the democratic oversight implemented?

What democratic oversight? This is the United States we're talking about lol.


> Such subpoenas are clandestine surveillance of citizens by their state. The problem with such types of surveillance in particular is the lack of accountability.

I never know how to interpret statements like this. The fourth amendment guarantees court oversight over search and seizures. A court signs off on every subpoena issued anywhere in the USA. Are you making this argument from the perspective of "I didn't know courts were involved" or "I don't view courts as sufficient oversight"?

If it's the latter... what's your alternative? Eliminate gag orders (which is all this is) entirely? You realize that there's a lot of stuff that happens in courts that we all agree should not be public, both for privacy and law enforcement reasons. Why get upset over this one particular thing?


A theoretical case where an attacker leveraged some package hosted on PyPI could maybe become aware of investigations and destroy left-over evidence. But I guess a huge packet manager like this is too generic a target for such constraint to really work.

> How does the ethical use of this problematic tool get ascertained?

It probably doesn't get ascertained, sadly. I think the advantages for investigations that might occur if people communicate more strategically is not worth the risk of political procecussions, which I believe are on the rise for a while now.


FISA judges are the oversight on foreign surveillance, but there is no (public?) oversight of national security letters.


FISA judges are not oversight of anything, as we learned, they almost never refuse a request, and even if there's a threat of such refusal, FBI could just lie to them, and they would stamp it, and when the lie comes out, nothing happens. FISA court is just a smokescreen to provide an illusion of oversight.


Except for other "states" they don't even have the ability to communicate about subjects like this.


"Ethics" and "democracy", as if they were a real thing... Both are a tool to fight your adversaries, but they are not something you can assume as given.


It doesn't seem that clandestine.


At least they get to subtly communicate they can't talk, instead of being Jack Ma'd.

The constitutional justification is the same one behind not being allowed to yell 'fire' in a crowded theatre if there is none, or not being able to go on TV and threaten the Judge overseeing your case - 'the constitution is not a suicide pact'. [https://en.wikipedia.org/wiki/The_Constitution_is_not_a_suic...]

As to if it is being abused? Guaranteed. Being prevented? Not effectively. Only the occasional leak of the abuse and corresponding consequences (if any) seem to be counteracting it, and even then not well.

Sunlight is the best disinfectant, and most of the national security apparatus is solidly in the dark, and has been for a long time.


Sounds like they got a National Security Letter.


Does not need to be an NSL to have a non-disclosure attached. Could be a relatively minor (not very spooky) federal investigation.


How does that work with in combination of freedom of speech? Is it one of those cases, where someone has to be brave/foolish enough to disobey and take it to the supreme court?


> How does that work with in combination of freedom of speech?

The government is not preventing you from expressing your free thoughts and opinions. They are compelling you to not disclose the details of something you had no knowledge of before they asked you about it.

Nothing is stopping you from writing a blog post about how it is unfair to seek records of a potential criminal, but you cannot write about how it is unfair to seek the records of Bob Jones when you had no other reason to believe Bob was anything but a regular user.


But you could post a unique blog post such as that about every one of your users.


A judge signed off on it. Which means that the State made a case for the subpoena to include a non-disclosure.


I'm going to go ahead and guess "signed off on" was more like "rubber stamped"


Most likely... but the party who was served the order can file for appeal if they are willing to go that route. That said, it doesn't mean any such appeal will favor the party served the gag order.


And the case likely was "we swear it is very important for national security, trust us!" and that was enough. Search request is almost never refused, e.g. FISA court approves over 99% of them. And if the court already deemed the proof strong enough to do the search, surely it's strong enough to put a non-disclosure on it if asked.


> I have not received a National Security Letter.

source: https://durbin.ee/ as of Wed, May 24 at 1:45 PM PDT


Agreed. It's like the librarians who responded to the Patriot Act by putting up "The FBI has not been here" signs.


I think it just sounds like the three subpoenas they received


I'm not sure I'd call three subpoenas "a string of subpoenas" even if it's technically correct. But I'm more talking about specifically mentioning that the subpoenas from March and April 2023 don't have a gag order. Why mention those months specifically if in the other months they didn't receive any? The natural thing would have been to end the sentence six words earlier.


It sounds more like they're addressing the inevitable "why didn't you post as soon as it happened" party.


It is perfectly clear that you are correct because trying to tell anyone about confidential subpoenas could be illegal.


When it requires so much "reading between the lines" that even this community doesn't have a strong consensus on whether this is being (illegally) communicated or not, I think it's plausibly deniable, but IANAL. Contrast with well-known canaries.


Canaries that are well known would just become normal communication and thus illegal under a non-disclosure. It's just going to get worse lol.


> I'm not sure I'd call three subpoenas "a string of subpoenas" even if it's technically correct

I would if the sequence was such that the receipt of each of the subsequent ones delayed writeup of the overall incident in the interest of completeness or because there was some relationship between them

> the subpoenas from March and April 2023 don't have a gag order. Why mention those months specifically if in the other months they didn't receive any?

Because you are doing an aggregate writeup of a series of events and you want to convey when they occurred and why you are able to do a detailed writeup.


“The lack of a non-disclosure order”


Seems like the non-disclosure order did not say anything preventing them from disclosing said non-disclosure order itself


I don't think you can infer that.

A non-disclosure order probably does exist for other subpoenas.



> That's suspiciously specific. Sounds to me like they also received some other subpoenas they aren't allowed to talk about.

It could be, it could also be that they were trying to communicate both the timing of the subpoena string and why they are able to talk about it, and there aren’t any others.


It already says at the beginning when they were received (not mentioning potential others).

It's definitely unnatural to say again 'as allowed by the ones received in those months we already mentioned'.


I always wondered why you couldn't get all your subpoenas passed through an intermediary who is instructed to post about them before reading them.


Because then men with guns come and politely explain why they don't like that. But, seriously, for the same reason as you can't stand up to absolute power in any other way.


Being reminded that PyPI is a target for law enforcement makes me even more irked that they've removed end-to-end package signing without providing a replacement[0].

PGP signatures—even though rarely used—would allow someone to verify that a signed package was not modified by PyPI after being uploaded by its original author.

Without any sort of signing mechanism, we have to trust the U.S. Government to never demand that PyPI insert a backdoor, via a National Security Letter, FISA court order, or other kangaroo court process. Good luck with that.

The existing PGP signing mechanism had usability issues and security footguns[1], but was better than nothing. It's a shame they didn't roll out a more usable and secure alternative before removing the existing functionality.

[0]: https://news.ycombinator.com/item?id=36044543

[1]: https://blog.yossarian.net/2023/05/21/PGP-signatures-on-PyPI...


If you want to start with tinfoil hat theories, think about this:

The PGP signatures were removed, nominally because few people used them. ...but the timing of the removals is coincidental, no?

"You need to have a backdoor that lets us see who's downloading what packages and let us inject custom code to particular targets"

"That's technically impossible because of..."

"Here is a court order. Implementation is your problem. You're not allowed to tell anyone you even received a court order."

"...well, I guess signed packages have to go then..."

(:

I don't actually believe that, since PGP signing was frankly, barely used and really there's hardly any meaningful difference between a PGP you can't verify (which was most of them) and not having it; in fact the illusion of security is probably worse than not having it at all.

...but still. As you say. It sucks there's no meaningful replacement for it.


I would resign from PyPI before I ever allowed a backdoor to be installed.

I haven't explicitly asked, but I would be very surprised if any of the other PyPI admins felt differently.


PyPI is clearly a passion project for the team and Python community in general so I can't imagine that anyone would allow this or die on this hill to save their salary.

I've tried to dig around whether there's any history or potential of government stopping company from ceasing operation/resigning and honestly nothing came up that wasn't ww2 related. So, I think it's pretty safe to rule out PyPI from doing anything like this.


My comment was not meant to imply that PyPI admins would be OK with this, but the sad situation in the U.S. (and Australia, and other places) is that they'd probably face jail time if they refused to comply. You can't avoid complying with a court order by saying, "sorry, I quit." (And even if "sorry, I quit" was a valid response, you'd be facing tens of thousands of dollars in legal fees to justify it, with a gag order in place that meant you couldn't raise a legal defense fund.)

If you're looking for examples of what the NSL process is like, Nicholas Merrill's story[0] comes to mind.

Further, the fact that admins have this power—even if they'd never use it—makes them an attractive target for black hats. If backdooring packages was easier to detect, it'd be a less attractive option for those that might want to do so.

I'm still hopeful that they'll re-implement some sort of end-to-end signing mechanism, sooner rather than later. I trust PyPI and the people behind it, but I'd like to be able to verify.

[0]: https://en.wikipedia.org/wiki/Nicholas_Merrill


Well, AFAIK it's not clear that in the US the courts have the right to compel someone to modify their software in that way. The FBI holds that it does, but so far it's been fought and they've given up when they've tried it. I think if such a thing were to happen, the fundamental ability to secure any software goes out the window. Even package signing, etc go out the window because they can just compel you to produce new software, signed with your existing key.

But let's step back a moment and presume that they do have that ability to compel. The first step here is that none of the PyPI Administrators are the legal owners of PyPI, so such an order would not be sent to any of us, but rather to the PSF itself. The PSF would then be on the hook to either comply or fight said hypothetical order, but individual members of the administration team would not be, and would be free to quit. They may not be able to say why they've quit, but quitting AFAIK would be entirely possible.

The PSF, while not having Apple's war chest, does retain counsel for dealing with things like this, and I can say personally I'd spend myself broke before I'd be willing to do so.

We are going to be implementing signing, and I'm hoping we'll be able to make strong progress on that soon.


I'm the author of that post. There is absolutely no meaningful sense in which PyPI's previous PGP support was (or ever did) provide end-to-end package signing. At the absolute most, when used correctly (which, overwhelmingly, it was not), it provided one half of package signing.

The other half (key retrieval and identity binding) was never provided, because PGP as an ecosystem made doing so intractable. It was not better than nothing, because it was nothing; anything you could have done with it can be done with your own sidecar signatures.
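For reference alongside the signing discussion in this thread, an added example (not written by any commenter and not PyPI's or pip's own code) of the consumer-side check that needs no signature at all: comparing a downloaded artifact against sha256 digests pinned earlier in a pip-style requirements file. The package names, versions and file bytes are constructed; the check detects a change made after the pin was recorded and says nothing about who produced the file at pinning time.

```python
import hashlib
import hmac
import re

# Constructed artifact bytes standing in for a downloaded sdist.
ORIGINAL = b"constructed sdist contents for demo-pkg 1.0\n"
TAMPERED = ORIGINAL + b"# line added after the pin was recorded\n"

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([A-Za-z0-9.!+_-]+)$")
HASH_RE = re.compile(r"^--hash=sha256:([0-9a-f]{64})$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize(name: str) -> str:
    """PEP 503 name normalization, so Demo_Pkg and demo-pkg match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def build_requirements() -> str:
    """Constructed lock file in pip's hash-checking layout."""
    return (
        "# constructed lock file\n"
        "demo-pkg==1.0 \\\n"
        f"    --hash=sha256:{sha256_hex(ORIGINAL)} \\\n"
        f"    --hash=sha256:{sha256_hex(b'constructed wheel contents')}\n"
        "unpinned-pkg==2.0\n"
    )


def parse_pins(text: str) -> dict:
    """Return {(name, version): set_of_sha256_hex} from requirements text."""
    pins = {}
    # Join backslash-continued lines before tokenizing.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        req = REQ_RE.match(tokens[0])
        if not req:
            raise ValueError(f"not an exact pin: {tokens[0]!r}")
        digests = set()
        for tok in tokens[1:]:
            h = HASH_RE.match(tok)
            if not h:
                raise ValueError(f"unsupported option: {tok!r}")
            digests.add(h.group(1))
        pins[(normalize(req.group(1)), req.group(2))] = digests
    return pins


def verify(pins: dict, name: str, version: str, data: bytes) -> str:
    """Classify a downloaded artifact against the recorded pins.

    "ok"       digest matches one of the pinned values
    "mismatch" pins exist but none match (file changed since pinning)
    "unpinned" requirement listed without any digest: refuse to trust it
    "unknown"  requirement not listed at all
    """
    key = (normalize(name), version)
    if key not in pins:
        return "unknown"
    if not pins[key]:
        return "unpinned"
    actual = sha256_hex(data)
    if any(hmac.compare_digest(actual, pinned) for pinned in pins[key]):
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    pins = parse_pins(build_requirements())
    for label, blob in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(label, verify(pins, "demo-pkg", "1.0", blob))
    print("unpinned-pkg", verify(pins, "unpinned-pkg", "2.0", b"anything"))
```
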


PGP didn't make it intractable, the problem is itself intractable... you're referring to the public key infrastructure (PKI)[1] problem, which many have tried to solve and failed.

PGP can use the only known solution to the problem, which is letting several key servers be configured by the user to import keys (which can then be verified by checking the key fingerprint on another source which is "trusted", like the publisher's own website).

You can still import keys by physically exchanging trusted keys with others (so called Key Signing Party[2]) but that obviously cannot scale... or using any innovative method you come up with, but no one has found a bullet proof way to do this that's usable.

But saying PGP only solves half the problem is wrong. It solves one problem: that of how to verify a publisher's artifacts were not modified, which is valuable.

The next problem to solve is how to obtain and vet public keys from publishers. The solution could work somewhat like TLS certificates (with certificate authorities playing the role of trusted key servers) or using blockchain (perhaps a rare problem for which blockchain could actually be helpful) but both of these bring their own issues with them. If you know of a better solution, though, do bring it up instead of throwing the bathwater out with the "baby"!

[1] https://en.wikipedia.org/wiki/Public_key_infrastructure

[2] https://en.wikipedia.org/wiki/Key_signing_party


I think it’d behoove you to read the original thread from yesterday: all, and more, of this was covered!

PKI is indeed hard, but it’s not even remotely intractable. The Web PKI is a functioning PKI; yesterday’s thread explains how the codesigning scheme we’re building for PyPI is going to look very similar to the Web PKI.

At the ecosystem level, PGP was not providing resource integrity to PyPI: too many of the keys involved were weak, and only a tiny proportion of packages were even signed. Even if that proportion was 100%, PGP would have been the wrong tool for that job: PyPI already has transport and resource integrity via the right tools: TLS and digests. Using an untrusted signature for resource integrity is using the wrong tool for the job.

The original thread contains multiple references to Sigstore, which is the scheme we’re planning on building on for PyPI.


Why sign at all? Isn’t the key requirement that the component was not tampered with after upload? All you need is a hash for that…

Tracing back the code to a legal entity seems unnecessary in the majority of cases.


Signing is basically hashing + proof of who created the hash. You need either both, or a way to find which hash is correct according to someone, usually the owner of the artifact, and signing gives you just that.


Signing is only proof of identity if you (1) know the underlying identity, and (2) actually trust that identity for intelligible reasons (i.e., you can produce a formal description of the trust relationship).

Without those two conditions, a signature is a digest produced by an untrusted party. For PyPI, that means that PGP signatures are no better than (and in some senses, worse than) PyPI's own digests, since PyPI at least is a currently trusted party.


A centralized host can't ever be the only reasonable option for trust. They can be manipulated, technically or socially, and that makes everything vulnerable at once.

Both are useful.


The Web PKI is built around centralized roots of trust, and survives because of concerted efforts to make those roots resilient, trustworthy (in terms of underlying ownership), and publicly auditable (with mechanisms like CT).

To the best of my knowledge, there has never been a successful decentralized PKI. Even the most successful uses of PGP are not decentralized; they're essentially private PKIs maintained by a small set of presumed trustworthy maintainers.


PGP absolutely is decentralized - I can trust or distrust key X without communicating at all with any external PKI.

I agree that's not all that useful on a global scale - it essentially degrades to the current PKI setup then, because validating everything is expensive and doesn't need to be done by everyone every time to get nearly all of the benefit. But it is a significant difference for individuals making individual decisions.


Did you not read the parent comments? You're just repeating what was already said.


But a hash provides proof to the actual uploader of subsequent tampering. As you cannot modify the hash without the originator being aware, I think it is enough.


One half is better than nothing. Even if it just made users wonder what it was, it was better than nothing.


One half of a secure system is just an insecure system. Attackers get to pick which half to attack.


That's how security works… it's not an all or nothing process.


Every security design is built out of a matrix of factors, and some (but not all) of those factors can be made zero.

Being unable to verify your trusted identities in a PKI is one such “zero factor.” It makes the PKI strictly equivalent to (crappy) resource integrity at the best, which is when everything is signed. PGP on PyPI didn’t even manage to clear that hurdle; it was worse than nothing by virtue of advertising properties that it was incapable of providing. That too is a zero-able factor in a security design.


Actually, it very commonly is an all-or-nothing process. It doesn't matter how robust the lock on your front door is, if there is no lock on the back door, or if your window can be smashed. This is especially true when it comes to cryptographic security, which is the subject at hand.

I suspect the source of your confusion comes from the idea of differential security, which is approximately "I don't need the best lock; I just need a better lock than the other guy". Again, note that this does not apply to cryptographic signing of packages. Note also that the question of whether or not your system actually is more secure than the other guy's is very much a binary distinction: it either is or it isn't. You can quantify this quite easily by counting vulnerabilities, or by analyzing the degree of access gained for each vulnerability that is encountered.

So yeah, it's one of the few things that tends to be all-or-nothing (up to some threat model, of course).


Perhaps look at Gentoo's model of a single monolithic Git repository. It is possibly the largest and most distributed Merkle tree of software distribution signatures in existence. It is updated a few times every hour by a diverse community and each commit has to be GPG signed so you have the opportunity to verify signatures by looking up developer websites, slides from FOSS conferences, etc to confirm whether the keys have been widely published.

There are some caveats:

* Avoid -9999 packages as you won't get any guarantee of authenticity of whatever will be obtained from the upstream repository, other than whatever trust you place in an X.509 certificate that in all likelihood is controlled by either Microsoft (GitHub) or otherwise accessible to Amazon, Google, etc by nature of common open source project hosting arrangements.

* When syncing your local repository, verify all changes since your last sync. This could be as simple as syncing to a point n-days ago, after which numerous developers you know have signed more recent commits on top (you at least know those developers have been impacted too if the whole repository was compromised and the compromise is now on the public record).

* You don't really know how many people are using the packages you care about, and thus how many other people across the world are also exposed to (and possibly reporting problems with) signatures that Gentoo developers have committed.

In addition to relying on existing sources such as the Gentoo Git repository, an additional way to build trust is setting up software "looking glass" tools in different jurisdictions to check that software downloaded from different carriers in different jurisdictions are all the same.

At least with these measures the attacker has to compromise everyone and make this compromise a public record, rather than just silently compromise one target.
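The "looking glass" comparison described in the comment above, sketched as an added example (not part of the comment, and not Gentoo's or PyPI's tooling). The vantage-point labels, the sample bytes and the verdict names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def looking_glass(observations, recorded=None):
    """Compare one artifact as fetched from several vantage points.

    observations: {vantage_label: bytes fetched there} (labels are hypothetical)
    recorded:     digest noted on an earlier sync, or None if there is none
    Returns (verdict, groups); groups maps digest -> sorted vantage labels.
    """
    if not observations:
        raise ValueError("need at least one vantage point")
    by_digest = defaultdict(list)
    for label, blob in observations.items():
        by_digest[sha256_hex(blob)].append(label)
    groups = {d: sorted(labels) for d, labels in by_digest.items()}
    if len(groups) > 1:
        # Different networks were served different bytes: a targeted change.
        return "split-view", groups
    (digest,) = groups
    if recorded is not None and digest != recorded:
        # Everyone sees the same new bytes: visible to all, still needs review.
        return "changed-for-everyone", groups
    return "consistent", groups

def outliers(groups):
    """Labels outside the largest group, or None when the top groups tie.

    A majority is a hint about who was singled out, not proof of which
    copy is the authentic one.
    """
    sizes = sorted((len(v) for v in groups.values()), reverse=True)
    if len(sizes) > 1 and sizes[0] == sizes[1]:
        return None
    biggest = max(groups.values(), key=len)
    return sorted(l for v in groups.values() if v is not biggest for l in v)

# Constructed sample data: two vantage points agree, one was served extra bytes.
GOOD = b"example-1.0.tar.gz contents (constructed)"
BAD = GOOD + b"\n# injected"
SAMPLE = {"carrier-a/DE": GOOD, "carrier-b/US": GOOD, "carrier-c/JP": BAD}

if __name__ == "__main__":
    verdict, groups = looking_glass(SAMPLE, recorded=sha256_hex(GOOD))
    print(verdict, outliers(groups))
```
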


If those agencies can order PyPI to insert a backdoor, wouldn’t they be able to coerce keyservers into updating the public key at the same time?


Trust in PGP land is end to end. The keyservers don't matter. They are only a place to pick up keys. Your software verifies that the key is unchanged in that the fingerprint is unchanged. Otherwise it is treated as a separate key. Dead simple.

The confusion here comes from the confusion in the PyPI article about PGP. The article complained that many keys could not be found on keyservers as if that mattered.

The Debian web of trust is a good example of how this stuff actually works. Before you can submit packages to Debian you have to get an existing Debian developer to sign your PGP key. In Debian the trust flows downward from older developers to newer developers.


> Before you can submit packages to Debian you have to get an existing Debian developer to sign your PGP key. In Debian the trust flows downward from older developers to newer developers.

This is not how signing works in Debian at a technical level. At a technical level uploading to Debian requires them to add your key to a list of keys maintained by the archive administrators. As a matter of policy those administrators ask you to get your key signed by an existing Debian Developer, but at no point does their upload infrastructure check that or use the Web of Trust.


That list of keys maintained by the archive administrators are signed by Debian developers. That is how the archive admins can be sure that the key is in some sense legit. Otherwise where would be the root of trust?


The root of trust for uploads is the list of signatures maintained by the archive administrators, flat out.

The requirement for having individual keys signed by Debian Developers just makes it easier for the archive administrators to decipher which keys they want to add to their root of trust. The upload system does not check those signatures at all, they do not need to exist in the slightest as far as the upload system is concerned.


this seems motivated ulterior to the topic, or making a mountain out of a small hill for other reasons. The act of approval is done approximately manually at first, with automation supporting that decision over time. Perfect machines are in short-supply, so to this day there is some manual aspect to this, which is faulted with a tone that is dire ... doesn't add up based on my understanding of this


the original uploader's key? without anybody noticing? I don't think so.

