In recent times the EU member states seem to take many steps backwards in terms of civil rights and general freedoms, including the proposed Chatcontrol legislation, the one above, and many others.
Furthermore, because the “west” is typically seen as better than the “east”, such a law, if passed would be adopted rather quickly by countries outside the EU member states. This has happened with the NetzDG social media laws in Germany and similar onerous laws being adopted in other countries; EFF has lots of articles regarding it.
Specific to the subject matter of this article, even China is doing a better job by mostly censoring at the ISP level and investing in entropy analysis of network streams.
The precedent here is that any of the 200 nations of the world now can arbitrarily tell browsers what to do. It's forcing the browser to be non-neutral to content & sites, forcing it to become a regulatory agent.
Right now it also sounds like the government is basically sending letters. How does a browser maker know what letters to trust & which are outright bogus or someone in the government overstepping their bounds? What is the expected maintenance burden we are putting on folks making browsers?
Are there any limits to this rule? What happens if elinks browser or w3m doesn't update itself? How will the government figure out who to send updates to?
It is likely that using an "illegal" browser would be a thing? What, you use this thing called "curl"? Must be an illegal tool.
I've talked a bit too much about Stallman's "The Right to Read", but this paragraph seems prescient, except that the "root password" he talks about would be some form of hardware-assisted cryptographic attestation today.
> It was also possible to bypass the copyright monitors by installing a modified system kernel. Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers—you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that.
I speak French, and I read the mentioned article of the law project and the part referenced in other laws. Here is what I find useful to judge it:
Basically, if a website is deemed to be illegal, a notification is sent to browser makers and to the website owner.
The website owner has 5 days to answer and defend themselves.
Browser makers are forced (as a cautionary measure) to make the browser display a warning upon browsing this website for 7 days following the initial notification. The warning should detail the danger of visiting this website.
If at any point the investigation deems the website is not doing illegal stuff, browser makers are sent another notification telling them to remove the warning.
If the investigation deems the website to be illegal, browser makers will have to block access to this website for 6 months.
If at any point the website is not doing illegal stuff anymore, the block will be removed.
Where I used "illegal" here I actually mean that the website is doing one of these things (explicitly written in the law/referenced laws):
- Identity Theft
- Illegally collecting personal data or using it in an illegal way
- Accessing or maintaining access to a restricted system (basically hacking)
- Collecting, giving access, or making tools that allow fraudulent payment.
If the owner of the website starts a complaint and starts defending themselves, all blocks are suspended for the duration of the procedure.
What I think of it:
It seems to be actually well intentioned given the restricted aim of what is an "illegal" website, it's not about piracy or anything. What is written in the law is really and exactly about websites that harm their users.
The only problem would be if this law gets more edits and starts including other types of infractions
How do they plan to make the software vendors comply? I don't think my Firefox build by Debian would give a shit about any such list. And then, what? How could anybody even detect that I'm using an "illegal web browser"?
The problem is of course, that this whole process will be automated. Think how youtube handles copyright or other complaints, but applied to the whole internet by law.
If a website is found to be doing illegal shit beyond some reasonable doubt, why the fuck aren't these websites taken down and their operators arrested instead of showing some nebulous warning?
You can't take down sites that are not within your borders or TLD, and if they don't cooperate.
Also, something can be illegal in a place, but not in some other place.
So the country where something is hosted can just apply their law.
For a long time, torrent websites have been hosted in Sweden, for example, where they were fully legal.
As long as they don't break laws in Sweden, they're fine.
In the same fashion, China can't take down the sites it finds illegal at home. The UK will never take down felons at "BBC.com". China can only block them through the GFC
> - Illegally collecting personal data or using it in an illegal way
In GDPR times, nearly every website is collecting personal data illegally (no clear consent, GA, US data transfers, etc.).
Good luck to them to enforce this.
Governmental oppressive control of the web always starts as “a way to protect the children”, and before you know it web browsers are forced to stop citizens visiting pornhub or casino sites.
Surely everyone knows this is not to protect people from fraud. It's to protect politicians and other public figures from the repercussions of being widely hated. The solution to this problem is simply to stop interfering with people's lives in a negative way. If you don't interfere with people's lives at all, they will have no reason to hate you and this approach costs nothing.
IMO, it's not the government's job to protect people from their own failure to identify a fraud. The government cannot protect people from fraud any more than it can protect them from going bankrupt due to poor management of their personal finances. It's a lesson they have to learn on their own.
Also, I simply won't believe that narrative while gambling is still legal and while the government itself uses the monetary system to run the economy like a game of musical chairs.
> IMO, it's not the government's job to protect people from their own failure to identify a fraud.
I really don't understand this stance. If it isn't a government's job to protect people from fraud, and people should learn on their own, why stop there? Why have any food standards, learn to check every item of food you consume? Why protect from violence when people should just learn where not to go, what not to say...
I also agree with this. Regulations don't work and tend to serve the interests of incumbents who can afford to work around them.
I would prefer it if governments would get rid of all regulations entirely and, instead, they would remove the concept of 'limited liability' entities - That way if a company harms people, the directors could be pursued legally and could potentially even be held criminally liable. IMO, the most effective form of regulation is self-regulation; it needs to start in the mind of the person who is making product decisions (they are best placed to understand their product and their customers after all) - The way to do that is by making sure that people are held fully responsible for any harm that they cause. Even if someone is partially responsible for causing harm, they need to be held liable.
Note that this does not require the government to create new laws; it merely requires that the government remove old ineffective laws which protect people from being held fully liable for their actions.
This level of liability will make it impossible for corporations to exist... But that would be a good thing. How many times have corporations like JP Morgan been fined for violating regulations? The fact is that they are simply not equipped to be responsible for their own actions at the scale that they're operating.
The modern idea of governments trying to prevent harm before it happens instead of merely punishing it after the fact is deeply flawed. The best way to prevent crime is by punishing it relentlessly and making an example out of the perpetrators. It has always worked that way. Let producers know that they're responsible, that they're the ones taking the risk and that the penalties are harsh.
What modern governments are doing with regulations is essentially taking responsibility away from the people who are causing harm.
Then instead of fostering a mindset of "We don't want to put sucralose in our product because we don't want to risk going to jail or being sued if some of our customers get cancer and a causal link is established in the future", we foster a mindset of "Look, sucralose is legal, if we put sucralose in our products within the allowed guidelines and people get cancer, it's the government's fault because they said it was safe."
Such lists already exist, for example in Italy there's a number of official government blocklists that the ISPs are already obligated by law to apply using their DNS servers and soon at the IP level, once the latest law is implemented.
In typical Italian style, the blocklists are actually published as a set of HTML articles on various government websites, that must be scraped and parsed by the ISPs using toolkits like https://github.com/mphilosopher/censura.
The latest proposal now additionally requires acknowledgement through PEC, i.e. domains to block will be sent by rightholders through certified emails to ISPs, and upon processing them ISPs *must* send an acknowledgment in the form of another certified email within 30 minutes, or else sanctions will follow.
This latest proposal has rightfully caused an uproar of the ISPs in groups like itnog (https://t.me/IT_NOG/106605/106606), considering that most PEC providers only offer a few GBs of space, there's already a high risk of ack emails being lost (with subsequent sanctions), not to mention that the concept of automating domain distribution and acknowledgment using email instead of a simple JSON-RPC API is ridiculous, but that's what you get when bureaucrats make technical proposals :)
By the way, the existing Italian lists are all already public (except for the CSAM lists which require a decryption key), that hasn't bothered anyone given that right now, blocks are only made at a DNS level, completely ignoring the existence of DoH :P
(Well actually not completely ignoring DoH, there's another not-yet-applied Italian law that requires ISPs to completely ban DoH, but it has kind of gone under the radar since it's essentially inapplicable without DPI (and even then, the upcoming ECH standard will make it practically impossible to block DoH providers that use ECH))
The US government released the contents of all the hard drives found in Osama Bin Laden's compound, and me and my friends spent a few days looking through it out of curiosity. A lot of knitting tutorials and old cartoons in there.
The way that kind of censorship works is that they will block 1 legit site that they don't like for every 100 actual scam sites which 'deserve' to be blocked. You won't even be able to tell which is which. It will literally look like a long list of spam sites and everyone will thank the government for doing a great job protecting them as they always do. Whenever western governments do truly evil stuff, there is almost always a very good cover narrative.
Or especially Signal and Tor. But only if you're a leftist! Because leftists must of course be using those things to plot terrorism. Being a leftist while using privacy tech was a core part of the reasoning for the cops arresting those people.
So nothing new. To the state all hackers (in the original meaning of this word) have been criminals since forever. Knowledge and skill are very dangerous traits, you know?
In Germany we have even dedicated anti-hacker legislation. Hacking stuff is indeed illegal. You may end up in jail for "hacking"…
That's likely "the freedom" they are always talking here about in the west. /s
All "dual use" tools (like a simple port scanner!) can bring you into jail. That's a fact. The law doesn't have any exceptions for "friendly use"… (No matter what some "experts" cited on Wikipedia may say. That's just the usual German Wikipedia blow smoke…)
> Of course, governments have a responsibility to protect all
Absolutely not.
Government's job is to enforce laws and protect the national territory.
But my personal protection is my sole responsibility.
If someone endangers me by not respecting the highway code, the police needs to stop them, it's their job.
But do I agree to have the government mandate that I wear a safety belt? No. If I'm stupid enough to not wear it, I'm fine to not be entitled to claim damages in case of accident.
Of course you can make an argument that not wearing my safety belt has a cost to society (or not having that domain suppression list) and that therefore it should be banned. And I hear the argument. But in the end it comes down to what do you want the government's role to be: protect your freedom or protect you from your own stupidity?
I'm happy to have laws that prevent causing harm to other people (the highway code for example, or for the food industry to have a responsibility to not poison their customers).
But I'm not happy to have laws that stop me from growing my own food, without having to lab-test it, if I don't intend to sell it.
If you don't wear a seat belt, you're a risk to others. In the event of a collision, you can very easily become a meat missile capable of significant harm.
As you said: "But my personal protection is my sole responsibility.". If your personal protection is your sole responsibility then from that must(?) follow that the protection of anything that you own is solely your responsibility.
> But if I'm trying to interpret, no, I disagree with the right to shoot people just because they're trespassing.
> Ok, so this is why browsers pushed so hard for DNS-over-HTTPS! It makes it inevitably the single-point-of-censorship.
DoH actually makes it harder for the government to censor domains as the browsers don't use the ISP-provided DNS infrastructure any more, which is why the French government wants to force browser vendors to do it instead.
Browsers didn't push for DoH because they wanted to be the target for censorship demands, they pushed because DNS manipulation by everyone from governments and ISPs to a ton of middlebox vendors got out of hand - DNS ossified particularly because of the latter - and on top of that because DNS was cleartext and leaked metadata to everyone able to install a sniffer along the path.
Agreed, but if they are going to implement censorship I'm all for doing it in an incompetent way.
Meanwhile, this proposal will likely not fly because it's going to be impossible to implement, either imperfectly or even at all.
A bigger problem is if they catch on to the fact that France is dependent on a handful of large ISPs and that they can do this far more effectively at the ISP level.
It's a form of de-platforming, and de-platforming is effective (not 100% effective ofc; "build your own platform" becomes "compile your own browser"); apologies to John Gilmore.
I'm for all sorts of government regulations. Most around social services. The EU makes me feel like my crazy uncles ranting about the EU. Does anyone think that the EU could regulate themselves into a second tier market for tech products (they get the same products but not on the same schedule; the release is based on a second level of development to meet the EU specifications)?
I could concede that all of their goals are worthy but I feel like I have a Project Manager defining tech solutions.
What do you expect from a government that has criminalised DNA based paternity tests done without the consent of the mom. Yes, if you have doubts about your wife's loyalty and want to silently do a DNA test with your supposed child to make sure you are the actual father, you need your wife's consent. If you do it without her consent, you will go to jail. I know it's off topic, but that's the first thing that comes to my mind whenever I hear the word "France".
Note: France might be the most authoritarian country of the western world (depending if you count Eastern Europe, Turkey or Israel in the western world). Not disputing that.
However, this seems misleading [0]. To me, it's clear that what's illegal are private genetic tests.
It's a law from 97 also.
And if you have doubts, you have to go see a judge:
"If you bring a case before a judge to establish or contest a parent-child relationship, you can ask the judge for a paternity test.
The judge may refuse the test only for a legitimate reason.
You do not have to gather evidence or indications of paternity to obtain the test."
It's a law from 97. Probably at the time, the only reason you had to make a test was for paternity/fraternity, and I'm not shocked that any country thinks privacy and not giving your DNA to unknown labs under unknown entities is a good idea. Probably even worse is giving your children's DNA to an unknown party. In France, the parents do NOT have total power over their children.
I think the law is old and should be updated, to authorize personal tests at will (why not), but restrict testing a child privately (for obvious reasons).
> Yes, if you have doubts about your wife's loyalty and want to silently do a DNA test with your supposed child to make sure you are the actual father, you need your wife's consent. If you do it without her consent, you will go to jail.
Uh yeah, because that's extremely creepy and fucked up?
Isn't this something that technically already exists? It seems to me the government is demanding that browsers have that capability; not that the companies would have to use that feature. But (1) it may actually not be technically possible right now? Or (2) the wording is confusing enough that it is essentially forcing the use, not just "having the ability"
They can run their own DNS servers, publish the lists, but it can't be the browsers enforcing it. Otherwise it's an idiotic path towards jailbreaking browsers.
I don’t imagine a lot of child porn browsing happens on Lynx.
In practice a government only needs to mandate their blocklist with Google, Apple, Microsoft and Mozilla. The first three are cloud and OS vendors, so they already collaborate with Western governments on many kinds of content filtering and monitoring projects. Only Mozilla has any sort of independence in the browser market.
If it's just about adding the means then uBlock origin fits the bill.
I can't make heads or tails of the translated piece of law though so I can only assume that giving people the ability to exercise control over what they see or don't see online wasn't the intended purpose.
To complete the picture, in the previous week alone:
- a court found that it was illegal to have covered a feminist book shop in during the visit of a minister, to hide content about cases he was involved in. [1]
- the agreement of one of the largest anti-corruption NGO was cancelled, making it more difficult for them to bring corruption cases to court. [2] they had their nose in what is becoming a state scandal (Affaire Kohler)
- an ecologist NGO was disbanded by the same minister involved in 1 [3]
- and you must have seen the guy who was shot dead by the police. The police then made up a story that was debunked by a witness on social media. [4]
It follows months of protests being forbidden using anti-terrorism laws [5], and parliament being bypassed so hard that the Council of Europe raised questions about democracy [6]
Telegram was also blocked during a whole day, and connection attempts were logged, all of that "by accident" [7]
So if the current government wants a law to be applied, like web censoring, they will explore any means for that.
I don't really see the problem as anybody can use an open source browser compiled without those, assuming there is any kind of benefit to access those blocked domains, which is doubtful.
The general population will not use such custom-compiled browsers, which fulfills the aim of security without having to threaten users with any kind of punishment.
The natural next step is outlawing dangerous extremist browsers that fail to implement The List. Is there some reason you don't want to protect children and fight terrorism? What do you have to hide?!?
It's a complete misnomer to try and frame this as a security issue, it's not about security, it's censorship. The government has no business saying what websites you can read just as the government has no business saying which books you can read or which newspapers.
Yet people will still have access to these websites if they want, so it makes more sense to have been designed to prevent accidental, unwilling, or unaware access.
> The government has no business saying what websites you can read just as the government has no business saying which books you can read or which newspapers.
This has, unfortunately, not been true for some years.
United States has freedom of speech as a constitutionally protected right. Prostitution is a commercial service within the realm of government regulation. Copyright laws are a mixed bag of nice and terrible, but it's still more than possible to express an idea derived from copyright material in a different way without verbatim duplication.