Hacker News new | past | comments | ask | show | jobs | submit login
CSAR: European Parliament rejects mass scanning of private messages (edri.org)
477 points by pera on Nov 30, 2023 | hide | past | favorite | 92 comments



Finally. As a next step, we need mechanisms to prevent the constant rehashing of these attempts to break security. Otherwise, it will get through during a crisis or via fatigue.


Per the article

> At the same time, we are still far from the end of the legislative process. This means that we must stay alert to how the other two law-making institutions – the Council of EU Member States and the European Commission – respond

To be able to fight these ludicrous attempts at privacy, we must put a spotlight on those behind these proposals (lobbyists). Coincidence or not, it wasn't transparent, but at least some journalists investigated https://privatecitizen.press/episode/160/


The engineers behind the scan laws

https://twitter.com/echo_pbreyer/status/1721558597769818496

Inc. people from Google. Deserve to called out.

The shady politics and the corruptive US software companies that pushed for this:

https://balkaninsight.com/2023/09/25/who-benefits-inside-the...


Your first link is a set of experts that the EU Commission consulted while developing their regulations. It does not mean those folks were necessarily "behind" the regulations, so I would not call out anyone on that list.

Some of the folks on that list are certainly pro-scanning: it's an absurdly biased list. But to me that's reflective of the EU Commission having a desired policy from the start, then mainly seeking out experts who could help them achieve their goal.


I didn’t check all of the people but picked 2 names at random and they were policy people not engineers.


Also, while the most egregious part might be cancelled, these type of bills often still bring along their slightly less bad, but still fairly ugly brothers.

So private message scanning is off the table, we now just save meta data and build a communication graph for every citizen for the last 10 years.

No idea if this bill includes such laws, but that is usually the strategy to get people distracted.


It's the sucker-punch of legal maneuvers.


The Parliament is very much the junior member compared with the Council and Commission


It still has ultimate veto powers.


I've been unable to find an instance of the European Parliament vetoing legislation


Plenty. Some recent examples:

https://www.reuters.com/world/europe/european-parliament-scr...

https://agenceurope.eu/en/bulletin/article/13274/20

https://www.thejournal.ie/emissions-trade-system-fit-for-55-...

(Somewhat unsurprisingly, being currently dominated by right-wing parties, it happens often on "green" legislation...)

It doesn't happen every day simply because 1) MEPs typically don't want to be seen as "Mr. No", and 2) plenary votes are the end of a long legislative process, involving several steps; the Commission will typically not bring legislation to the floor if it understands, in previous committees, that it will likely be voted down.

The process is roughly this: EU Council (i.e. national governments) agree that "we should really do something about X"; the Commission drafts legislation to that effect, and brings it to Parliamentary committees; MEPs provide feedback and instructions on how to change things; Commission decides if the changes are acceptable, and if not they go back to Council asking "is this still ok if we do it in XY way?"; and back and forth they go, until the Commission decides to either withdraw it or put it to a plenary vote (in which case it's typically in a shape acceptable to Parliament, because nobody likes losing).


But if you look at the first case, for example that was a rejection a first reading - not a definitive killing off.

It's not quite clear what happens next - the Council of ministers may apparently decide to continue working on the legislation regardless of the Parliament's vote.

In other words - it is not evidence of an "ultimate veto power"


Council and Commission can work on whatever they want - if it's not ultimately approved by an EP plenary, it's not a Directive. Occasionally some governments will go ahead and introduce laws that they tried and failed to go past the EP, but that's just national politics in action.


They can continue to work on it, but without the parliament's approval it cannot become law.


The entire irony of this is that all rightwingers are winning local elections by blaming the EU for wokeism, while they do have majority in all the EU organizations so whatever gets through against their tastes it's only through their own failures. But who cares about the truth, if the truth doesn't get you votes at home. It's just so disappointing that the regular Joe Voter, even though very loud about "doing their own research", never actually DO their own research, just swallow whatever they're told in their bubble.


Here's an overview of the political composition of the European Parliament: https://en.wikipedia.org/wiki/European_Parliament#Elections

How do you reckon it is "dominated by right-wing parties"? Those parties make up about 20% of the parliament, whereas left-wing parties make up some 35% (with the rest being centrists and 'other').


You have a weird definition of left and right.

If you think that Social democrats (S&D; center-left) are "left", then Christian democrats and conservatives (EPP; center-right) are "right". Those two are the traditional mainstream left-wing and right-wing groups in Europe. With these, we have 141 seats for the left and 178 seats for the right.

Then we have more radical parties with a clear position on the left-right axis. The inconveniently named The Left in the European Parliament have 37 seats, while their right-wing counterparts are ECR (66 seats) and ID (60 seats). This brings the total to 178 seats for the left and 304 seats for the right.

There are also two centrist-groups: Greens/EFA (72 seats) and ALDE (102 seats). The former is a weird amalgamation of greens, regional parties, independents, and pirates ranging from left to center. The latter consists of center to center-right parties that usually have some connection to the liberal tradition. But in some cases, the party in ALDE is more conservative and less liberal than their national counterpart in EPP. If we include these centrist groups in the calculations, the balance shifts further to the right.

Finally there are 49 MEPs outside the major parties, bringing the total to 705.


EPP is a right-wing party. Its basically a mix of christian democrats (basically catholics), conservative (Les Republicains, amny others) and some liberals-conservatives (pro free-trade, anti union, pro-immigration if it makes labor cheaper, but also really conservative on according right to those migrants). It is also pro EU, in a weird way (Forza Italia is a member).

ALDE-PACE is basically Emmanuel Macron's party, so more socially liberal, and by that i mean he does accept that gay people do exist and can do whatever they want, if they want (the bar is low). They also are very pro-immigration in sectors that boost economies, but accept that immigrant workers can have equal rights. Extremely pro-Europe. I'd call them right-wing, but to be fair, only its leader is, most party members are pretty much center, center-right (they would be liberal-democrat in the US), and they push a lot of the legislation the greens want to pass, for multiple reasons (the green are seen as an "acceptable compromise", citing an EPP member i ate with).

I would not call the current Green left-wing either, its a torn party. I guess after the Covid and last summer, the wars and the resulting immigration, a lot of young people joined, and politically active young people are more left-wing, but the leaders are more center, center-left. But they hold major power on the left and can work with the other center party, and sometimes even the EPP. They are also on point (and have/propose good formations) with privacy and civil liberties, which might seems left-wing if you're in the US, but to me it's basically to political proposition of the old french party "les radicaux" which was so much in the center they split in two 30 years ago).


I guess your definition of "right-wing" is a bit different from mine. "Centrists" in post-WW2 Europe are largely conservative: fundamentally religious, pro-business, anti-immigration. That, to me, is right-wing - respectable, not touting nazi tattoos (mostly), but still fundamentally reactionary in nature. Those blocs are usually allied with "liberal" parties, a term which in Europe carries right-wing connotations because "liberalism" is meant in the original economic sense: free-trade, unbridled capitalism, etc. Occasionally they ally even with ultra-right parties, which often include real neofascist / neonazis.

If you consider them like that, traditionally-conservative parties account for over 65% of current MEPs.


Predictably, someone comes along to argue that anyone who is not fully in the left must therefore be right-wing. Don't you see that the word 'centrist' indicates people who are in the center, and therefore by definition not right-wing?

Oh, and that 'mostly'? Take it down a notch. There are no actual nazis in the European Parliament.


Neonazi maybe not (yet), but neofascists for sure: https://www.tandfonline.com/doi/pdf/10.1080/23248823.2023.22...

The "centrism" framing, btw, is fundamentally useless. In postwar Europe, PSE parties are left-wing and PPE parties are right-wing; other parties are fundamentally defined by their primary relationship with one of these two. The "centrism" mantra is reactionary twaddle to justify one's ideological vacuum.


If only EPP parties were really right-wing. I say this as an actual conservative. EPP parties generally are "our position is whatever the left espoused ten years ago". Which is, basically, a very progressive position.


Traditional European parties have been converging towards the center. That's largely thanks to the EU, which is a centrist project founded on ideas such as social liberalism and pro-market policies. Social democratic parties have also become pretty right-wing by their traditional standards, largely due to Third Way politics that have been dominant since the late 90s.


"Centrists" are right wing in European politics.


Once i read an analysis comparing EP legislative action to action of national parliaments and it said that EP has much higher rate of rejecting legislation.

It makes sense - in parliamentary democracy, the coalition in government has majority in parliament and government members are often party leaders (or other important people in parties), so legislature could be pushed through parliament by party lines.

In EP there is much weaker connection between government (EU Commission) and EP, which makes EP more independent.


Finally, some good name and shame. I hope someone well-funded exposes these people for who they are and turns public opinion against them en masse.


Absolutely this. They just keep trying, one angle or another. They'll be back for another try in a year or three, with new arguments, and having purchased a few more politicians. In the worst case, they'll do something like the USA: institute secret programs that do whatever the heck they want, with no oversight.

Part of the problem is that there are no negative consequences. Again, look at the US: Snowden reveals massive, illegal surveillance. Consequences to politicians and government officials: zero.


The mechanisms are in place .. literally nobody was paying attention.

They spent millions on campaigns advertising this stuff and asking for feedback only to get <100 views on youtube videos about the subject.

They need to start working together with higher education institutions or something rather than just hoping that people will take an active interest, instead of everyone going about their lives and only finding out when the laws are being ratified.


Yep, the standard playbook on this stuff is to table it for 6 months, at which point you reintroduce. Repeat ad infinitum until it passes. If at any point there's a crisis that can be used, reintroduce immediately.


So it needs be enshrined in a constitution I wager.


Well, the trick is, a surefire way to make voters angry in large part of the continents (or, well, large part of France anyway) it so put "Constitution" and "Europe" in the same sentence - so there is not much of a place to enshrine that at the EU level.

Besides, every member state's constitution probably already has a variant of "privacy is a fundamental right except in cases defined by law".

I will argue that we _definitely do_ want cases where privacy is not 100% respected (sadly, "investigating crime" is not always a red herring, newspeak, lobbying propaganda, etc...

People really do that for a living, and in the common interest.)

In the end, it will always be a policymaker's job to draw the lines.

What I would love to enshrine in a constitution is that "People shall choose policymakers wisely.". But I'm not sure of how to enforce that :/


I think the 4th amendment did a good job and is quite specific. The courts rewrote it judicially.

> The right of the people to be secure in their persons, houses, papers, and effects,[a] against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized


The Fourth Amendment protects the physical, yet other amendments also address privacy in different ways. The First Amendment protects the mind and arguably one's spirit, the Third Amendment is a specific type of physical protection, the Fifth Amendment also protects the mind, the Ninth Amendment protects the existence of privacy, and the Tenth Amendment lets states implement greater privacy protections as they see fit.

Given privacy is fundamentally related to the expression of free will, it's not surprising so much touches it.


> The Fourth Amendment protects the physical,

That's a narrow reading of it. "Papers and effects" ought to extend to our data as well, something the authors could not have called out more explicitly at the time of its writing. Call it inconvenient or impractical, whatever, but it's ridiculous to conclude their intent was that government can spy on presumed innocents as long as they don't make a physical mess.

I think third party doctrine is also a pile of crap... and that data brokers shouldn't have a square inch of legal ground to stand on. GDPR sets a good example in that regard.


I completely agree, and computing has flipped the table on our understanding of the Fourth Amendment. In fact, our technological development and privacy concerns are proportional, which says something quite profound. Are you familiar with Kyllo v. United States and Carpenter v. United States? If not, you'll probably find them intriguing.

Third-party doctrine is indeed a pile of crap. Still, the fact remains that zero-cost (okay, effectively zero-cost) digital information breaks virtually all historical ownership models which legal systems protect. GDPR is okay, but compliance with it is so burdensome to small businesses that corporate-driven cloud infrastructure is the only way to survive.


I'll look into those cases, thanks!


While I agree it does a good job, ‘unreasonable’ is a term that’s up to the implementer


It essentially is. The right to privacy is part of the Charter of Fundamental Rights of the European Union, which is enshrined into law as part of the Treaty of Lisbon.


Yes, the Treaty of Lisbon plus the Charter act as the de-facto EU constitution.


No rights enshrined in a constitution is guaranteed or respected, anywhere in the world. First, in come countries legislation breaching constitutional rights appear all the time and the burden is on the people to fight that legislation that is presumed valid. Second, people believe that some rights are no longer aligned with the modern times (see USA second amendment) and are willing to remove it. Third, constitutional rights that are not completely removed are brutally "regulated", with the same effect, and most people agree with that or actively support it.

In summary, there are no rights that are guaranteed even if they are in a constitution.


It's already enshrined in the constitution of at least one European country, the right to privacy.


It is in Italy's ("Freedom and secrecy of correspondence and any other communication cannot be violated"), but I didn't think this was particularly unique?

(Note that this article of the constitution doesn't include E2E encryption because there's a carve out for the judiciary to limit this freedom).


What’s deeply funny is how Italy is also where a lot of police spyware industry got its start in Europe (HackingTeam and fellow travellers).


It should be illegal to even propose this and it should be equalled to hate crime.

People who think this is okay, to the point that they want to enact this in law should be cast out of the society.


It seems dangerous to make proposing laws in a parliament illegal, don't you think? Anything should go in a parliament. I'm also not sure hate speech could be illegal when a member of parliament speaks in parliament, typically parliamentary debate is more widely protected.


Are you saying that it should be perfectly acceptable for legislators to propose a law e.g. to kill all men over 60 in gas chambers and that it should be treated seriously and let go all the way through legislative process?


Even more: that is currently the case in liberal democracies AFAIK. Any legislator can propose any law. It's then up to the legislative process to decide whether it should be accepted or not. (Possibly, a constitutional court could roll back laws that violate the constitution.)


My favorite solution: Those who vote for legislation found to be anti constitutional by the respective courts lose their passive voting rights and must leave Parliament immediately.


That's the European way. Keep voting until the desired result is obtained.


Forbid politicians to lie to and deceive the public, that's it. * Suddenly democracy works.

* (except about personal matters)


> Forbid politicians to lie to and deceive the public, that's it.

Forbidding something is never “it”. People do prohibited things all the time.

“Prohibit” is not “magically prevent”.


To be clear this would not prevent every instance of lying, but the current state is in most cases manifest shameless lying or deceits that surface some years later, so it would be a stratospheric improvement, in my opinion.


Of course forbid with very strong penalties and no statute of limitations...


By whom are laws enforced, and by whom are those people appointed and to whom do they answer?

Or, to take another angle, why don't the prohibitions in FISA effectively stop the government from abusing foreign intelligence apparatus for domestic spying?


Because the US are messed up on so many levels.

Of course the judicial, legislative and executive branches should be independent and they're not that much right now.

In any case, even in such a system the proposal might have more positive than negative effects, and maybe lead to gradual improvements to everything else.


Or it might make things even worse. After all,the FISA court system itself was created in response to abuses by the CIA and FBI (and others) as a way to check their power. Instead, it became a (secret and opaque) rubber stamp that approves over 99% of all warrant applications.


No one is proposing anything secret and opaque


Yes, you're just proposing making it a crime for politicians to lie without addressing who/what will determine that they're lying and how, and can't seem to see any possible problems or abuses of your proposed system.


Your issue seems to be with enforcing any rule or law on politicians, rather than with my sketch of proposal.

If you instead only think that politicians should be subject to different judicial procedures than normal people, that's something we might agree; I don't see additional problems with including lying to the public to the crimes addressed through them.

Such procedures are actually often flawed, so the effectiveness of the rule might be diminished, but I don't see it as increasing the risk of political prosecution.

It's just a further crime, and you would need a reasonable threshold to initiate investigations or indictments, so, yes, I don't see big risks about it.

I do see how democracy has a very hard time instead when its voters are drown in lies.


Let me make this as simple for you as I can. Are the following statements truthful statements or lies (or something else entirely)?

Trans women are real women.

Climate change isn't real.

White people are more likely to commit violent crime than black people.

Black people are more likely to commit violent crime than white people.

Black people and white people are equally likely to commit violent crimes.

Men are more likely to commit violent crimes than women.

Fermented grapes drinks aren't champagne unless they come from the Champagne region of France.

Air-cured meat products aren't Biltong unless they were made in South Africa.

Chinese corporations steal IP from Western corporations on a massive scale.

Chinese corporations don't steal IP from anyone.

And so on and so on. If telling lies is now a crime (whether for everyone or just for politicians is largely irrelevant here) then who gets to determine which of the statements above are truth or lies or neither? Who gets to determine whether to prosecute or not? What standards of proof will be required for the judge, jury, etc.?

And most important of all, what protections are in place to keep entryists from taking control of the institutions that make these decisions, now that you've given them a galaxy-sized incentive to do so as a way to control and attack their political enemies?


Those statements are lies if there is, or at a certain point surfaces, enough evidence that the person uttering them was not expressing an opinion but intentionally lying.

If there isn't enough evidence nothing happens (not even investigations).

And the person determining whether to prosecute, the standards of proof etc. are the same as those for any other crime to which politicians can be subjected.

The risks of people "taking control of the institutions" are just the same as with the other crimes applicable to politicians; again you seem to be arguing for general immunity for politicians more than against this specific proposal


Well then there's no nicer way to put this, you're utterly naive about how political and legal systems work the whole world over. I'm not arguing for immunity for politicians, if I had my way all politicians would be launched into the sun (though they'd be quickly replaced by yet more politicians).

I'm arguing that a law like you're proposing will inevitably be enforced unequally, be enforced against people who spoke unpopular truths that powerful people claimed were legally lies, and will be used by powerful interests to suppress their enemies. This isn't pessimism, this is a "this has happened anytime this or anything similar to it has been tried" and anyone with the most basic understanding of human nature could see that.


I'm not sure if you understand the difference between saying something false and lying.

Do you have some example where "this or anything similar to it has been tried" ?

In countries with poor institutions anyhow, powerful people don't need this law to suppress their enemies, any existing law applicable to politicians can be used!

If I'm utterly naive with no understanding of human nature though we could just stop it here.


besides the fact that you’re essentially running on a platform of “make crime illegal”, you run into the obvious problem of who decides what a lie is? who decides whether a lie has taken place?


Lying is currently usually protected for politicians, not illegal.

Lies are obvious in most cases, and I think there are established judicial systems to assess if a crime has been committed or not...

Of course investigations and indictments have to occur only with sufficient elements to suspect a malfeasance, we're not arguing for wiring politicians to mind readers


And that exactly is why we absolutely have to keep the veto power of member states in the EU. The only reason why they backed down is because few countries said "there is no chance in hell we're agreeing to this". If we were making laws based on simple majority few biggest countries plus a couple others forced/bought into submission could override everyone else.


Not simple, but qualified majority, would be better than a single country being able to stop any process. The Polish Lithuanian Commonwealth learned this the hard way, where every Sejm member could veto any legislation, so the country stagnated until it was picked apart by neighbourds.


Are you saying you think the EP voted to reject the mass scanning provisions because a member state promised to vote this?


Yet you'll often see the exact opposite argument made against the Electoral College and the Senate in US politics


Mass surveillance is, like most absolute power, cancer of the soul. I have read your email, and your IMs; I know first-hand how it corrupts a person. I can, without hesitation, guarantee that the situation is like that in the movie Elysium[0]: "They will hunt you to the edge of the earth for this [capability]."

The most salient point, I think, is that it is worthless, from a LEO perspective, to tap into communication systems used by the masses--whether through provider taps or client-side scanning like Apple's purported CSAM AI--unless what you're really after is a way to monitor the general public at large.

There's no way in hell that a nefarious player with technical resources, or chops themselves, would use one of these public systems to communicate with their compatriots. There are infinite and myriad bespoke channels of covert communications that these laws would never be able to touch which are much more likely to be the hubs of serious malfeasance.

[0] https://youtu.be/qUQQerrs52w?t=54


As shown by recent wiretappings, politicians have the most to lose if they give their chat logs away to a smaller, unelected group of people. It's a sure way of losing their power and becoming a puppet.


> As shown by recent wiretappings, politicians have the most to lose if they give their chat logs away to a smaller, unelected group of people.

Surely the creators of the policy will not forget to exclude themselves from being affected.


>It's a sure way of losing their power and becoming a puppet

They're already blackmailed puppets to the spy agencies, that's why they keep pushing this stuff. There's a reason none of the people Epstein was accused of trafficking young girls to went to jail.


Unless they team up of course


Here in Norway we (unfortunately) passed a law which allows our intelligence service to read all meta-data of traffic which crosses our borders.

Which makes no fucking sense, as pretty much all data crosses borders now. When you use facebook/twitter/tiktok/gmail/whatever, you have zero knowledge what (geolocation) server instance the owners of those products are using.

And even if one service uses one "local" (as in within borders) server, many of the others could very well not.

This is of course in the name of fighting terrorism, which makes up for such a small percentage of all data traffic, that it might as well be ZERO.

Terrorism and CP, the two things that will usher in lots of overreaching laws.


That's half the battle.

Now the real fight begins. We need every message sent or received by the politicians who supported this absurd proposal to be public record. The public's need to stop abuses of power outweighs privacy rights they do not value.


That's why we need to continue developing apps that are cryptographically open and secure.

Then it doesn't matter what the government wants, they will have simply no ways to read my texts.

The issue is that only the technically and privacy savy will be able to continue to encrypt their message. The masses will happily comply and continue using facebook messenger/whatsapp or whatever new bigtech "cool app of the day" full of backdoor.


Awesome day for privacy ! They'll try again with another name in three months and it'll pass tho


For now. See you at the next attempt.


I mean, even if messages are encrypted in the wire, surely most platform holders will comply to law enforcement requests. Exposing your messages from databases, logs, analytics, installing keyloggers..

Most of people use smartphones and there isn't secure smartphone platform. Even on PC, all you can do is to hope nothing in the chain leaks your messages.


I think the public outcry made this outcome inevitable, and this is good to see!


There is no such thing as mass scanning. Because the cost of scaling anything digital is almost 0, every ability to break encryption or scan is mass by nature.


No one would need to control every single bit that passes through the internet. The governments would just need to force most major social media and chat platforms to let them get a peek at user data, and that'd be more than enough to get information on most people.


I regret that the discussion about message encryption is so black and white. Encryption is being used to evade prosecution for crimes such revenge porn, CSAM and criminal conspiracy. For one, I would not mind if encryption was forbidden for group chats bigger than 10 people, or that large groups are forbidden to share encrypted images.


How's that justifiable in any way but "I feel like it'd be nice"? Like, what's the logical process that dictates that being in a group of more than specifically 10 people in likely to cause illegal activity? Why can I talk privately with 9 people, but not 10?

My point is that all this legislation is pushed as anti-criminal because it's the best spotlight to put mass data surveillance under. In reality, the powers that governments will reap from this ability stretch much further. Would you be okay with the exact same measures in real life? Should large gatherings of people require everyone to wear a wiretap, lest they conspire to commit something illegal? Should we mandate inspection of every postal package, just in case there are drugs or other illegal contents?


Would that put a stop to these types of criminal activity? (No)


They would just set groups of 5 people creating rings with token connected to outside networks. Did it solve anything as you said? No. On encryption, with base64 and rotations over text you get nonsense and still plain text.


Once you have it in place there's suddenly a good argument for "if 10, why not 9?" -> "if 9, why not 8?" etc etc. --> 5. ---> 2.


Then make everyone group >10 people go outside nude to any event/concert, just to be sure.


EU governance structure is set up so that a EU parliament resolution has basically the status of a People's Choice Award.


In some sense, a constant pressure from the lawmakers to compromise privacy is vital for encryption to evolve.

No law should be able to break into private messages, and so I think CSAR should be passed, because as a consequence, new encryption schemes would be developed to counter it.


I think you don't understand what encryption is.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: