from Hacker News

The latest EU plan to outlaw encryption and introduce communication surveillance

by New_California on 11/22/21, 5:00 PM with 251 comments

  • by dang on 11/22/21, 6:58 PM

    Recent and related:

    EU interior ministers welcome mandatory chat control for all smartphones - https://news.ycombinator.com/item?id=29200506 - Nov 2021 (59 comments)

    EU Chatcontrol 2.0 [video] - https://news.ycombinator.com/item?id=29066894 - Nov 2021 (197 comments)

    Previously:

    Messaging and chat control - https://news.ycombinator.com/item?id=28115343 - Aug 2021 (317 comments)

    EU Parliament approves mass surveillance of private communications - https://news.ycombinator.com/item?id=27759814 - July 2021 (11 comments)

    European Parliament approves mass surveillance of private communication - https://news.ycombinator.com/item?id=27753727 - July 2021 (415 comments)

    Indiscriminate messaging and chatcontrol: Last chance to protest - https://news.ycombinator.com/item?id=27736435 - July 2021 (104 comments)

    IT companies warn in open letter: EU wants to ban encryption - https://news.ycombinator.com/item?id=26825653 - April 2021 (217 comments)

    Others?

  • by jacquesm on 11/22/21, 5:30 PM

    This won't work for the same reason it didn't work last time (see: Clipper chip): you can't outlaw math. Phil Zimmermann showed this exhaustively, why the EU wants to ram their head into the same stone I do not know but the end result is quite predictable.

    Besides that, all they will end up with is more information on how to make chocolate cookies and who is sleeping with who, it won't tell them where the next terror attack is going to take place or who will do it.

  • by kreeben on 11/22/21, 6:12 PM

    This is a plan, not a law. It will never become law, because over my dead body.

    If it turns into law I'll stop going to work. If I do that the project I'm in will fail, followed by my team collapsing, followed by my whole office revolting, followed by my employer crashing, followed by several Swedish cities turning to the streets in anger, followed by the whole of Sweden disintegrating, followed by the whole of Europe proclaiming "our know-it-all moral compass is gone" followed by Europe wide collapse, then American collapse.

    Don't you worry for one second, peps, I got this.

    - Very powerful EU citizen

  • by bko on 11/22/21, 5:26 PM

    I don't follow this closely but from headlines I've seen it appears as Europe goes after encryption more than the US. They also pursue what many people consider "good" internet regulations as well, like right to be forgotten, and whatever the hell those cookie warnings are about.

    I can't help but to think they are two sides of the same coin. Meaning that consumer friendly internet regulations we can all more or less agree on (e.g. let me cancel subscription online), is very correlated to consumer hostile ones (e.g. banning encryption and restricting ISPs).

    Am I thinking about this wrong?

  • by heywherelogingo on 11/22/21, 5:47 PM

    The EU's overbearing character has been visible for a long while. It is the primary reason I supported brexit. It is working towards turning the union into a single country, has bitten off more than it can chew, and is looking increasingly despotic and dystopian.
  • by d--b on 11/22/21, 6:18 PM

    Honest comment: I thought the UK was pushing these kinds of laws to the EU. I am actually surprised that the effort is still there after Brexit.

  • by AnssiH on 11/22/21, 5:58 PM

    There is no actual legal proposal at all to introduce mandatory screening (yet, anyway).

    In my opinion, such legislation would be unlikely to pass EU parliament. It is more likely that the current temporary rules allowing voluntary screening get reworked into a permanent legislative proposal.

    AFAIK the only relevant official procedure here is this initiative that sought feedback from affected parties (and it does not mention mandatory screening - instead it asked for opinions on what should be done): https://ec.europa.eu/info/law/better-regulation/have-your-sa...

  • by bruce343434 on 11/22/21, 5:48 PM

    As an EU citizen what can I do about it? Patrick Breyer's last call to action about Chat Control led to almost nothing: only the Netherlands and Germany voted against, and barely at that.

  • by squarefoot on 11/22/21, 6:34 PM

    Any good cartoonists out there? We may soon need the EU equivalent of this: https://i.imgur.com/D93heEo.jpg
  • by ben_w on 11/22/21, 5:57 PM

    I wish I knew how to make it plain to the politicians and law enforcement officials who ask for this why it must not happen.

    It would literally be less bad for all display and input devices to have a (password protected, randomly created at time of manufacture) police access mode, than to ban cryptography.

    I talked to my local MP about the UK’s Investigatory Powers Act when that came up. I still don’t understand why the UK decided to allow the Welsh Ambulance Service in particular to access, without a warrant, the recent “internet connection records” of everyone except sitting MPs and certain protected professions.

  • by vmoore on 11/22/21, 5:50 PM

    This reads like a premature encryption death notice. Encryption isn't going away anytime soon. Ban encryption and you essentially ban using The Internet in any meaningful way. That said I don't trust WhatsApp to NOT read my messages since it's closed source, and there's no way of knowing if your messages are truly private & secure.

    GCHQ even proposed a 'ghost protocol'[0] so they can play Mallory in your comms. In fact I don't even trust the phone itself, since they /ship/ with Google/Apple-sponsored malware and phones are being hacked all the time.

    Messenger apps are strange because they all have different caveats to each, and I've tried them all. For example: Signal requires a phone number, which by design, can leak your 'meatspace' identity. Some people don't like that, so they use Matrix (which has its own caveats too).

    Personally, if the authorities go after messaging apps, it's not a big hit for me, since I don't use them heavily. I can see why businesses would take a hit since they want to protect business secrets, and protestors would take a hit & can't organize etc, but it won't affect me heavily. YMMV.

    [0] https://www.wsws.org/en/articles/2019/07/06/gchq-j06.html

  • by zahllos on 11/22/21, 7:01 PM

    I did some digging, because every time I have heard of ChatControl I have seen all this talk about what the EU plans to do and no evidence.

    https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE... is the strategy document.

    So far, there is a temporary derogation from the ePrivacy Directive (https://www.europarl.europa.eu/RegData/docs_autres_instituti...). The ePrivacy directive as part of the EECC forbids (for the sake of discussion) email providers from scanning Maildirs, even if those maildirs are cleartext (as is the case for the majority of providers, s/Maildir/backend storage). The temporary derogation lets them scan for CSE in these sources.

    I don't see any proposed regulation explicitly targeting end-to-end encryption, but their strategy document does seem to label end-to-end as a problem, citing the NCMEC (US). The project is here: https://ec.europa.eu/info/law/better-regulation/have-your-sa... .

  • by analyte123 on 11/22/21, 5:31 PM

    Can someone explain the legal structure under which the EU parliament can (according to this post) dictate laws for service providers inside all of the sovereign nations inside the EU? I would've thought that this was outside the scope of the EU -- is there some kind of "commerce clause" type loophole for this, or was power constitutionally transferred to the EU parliament at some point? If a member nation refused to obey an EU law (or whatever it is), what sort of punishment or sanction could be applied to them?
  • by jonstaab on 11/22/21, 6:01 PM

    Because the only way to fight slavery is with more slavery, obviously.
  • by motohagiography on 11/22/21, 6:37 PM

    It clicked for me that the real danger posed by encryption to these governments is that it can guarantee truth. When everything is narrative, even something as simple as a commitment hash for a document removes discretion from the sovereign body because it encapsulates a non-repudiable truth. Irreversible processes (like blockchains) constrain the effect of rule by fiat. The people who write these censorship and anti-encryption regulations aren't worried about secrecy or even crime, violence, and abuse, they just fear being accountable to truth.

    The real danger of encryption, and in particular blockchains, is that it can subordinate the legitimacy of the state and its policies and actions to a test of truth, and this is why they hate it. The abuse and terrorism arguments are red herrings for this to distract from this fundamental dynamic.

  • by cblconfederate on 11/22/21, 5:38 PM

    All this fuss just to catch a few terrorists and then release them again as has happened so many times.
  • by johnnyApplePRNG on 11/22/21, 5:51 PM

    If there is a silver lining to this cryptocurrency madness, it could be that it's educating the public on just how great cryptography really is.

    These attempts at outlawing encryption of any form should be met with a lot more pushback from now on.

  • by stavros on 11/22/21, 5:21 PM

    I don't understand how the same institutions can come out with something as good as the GDPR and as bad as this bullshit. It's very tiring to have to fight against these things all the time, and it feels like our concerns aren't being heard.
  • by BTCOG on 11/22/21, 7:03 PM

    We are globally quickly slipping down the slope into some disgusting hybrid of Huxley's Brave New World information inundation, and Orwell's 1984. Throw in there that humans are now able to own less and less each passing year. Who can say with certainty what the end goal is, but these things should not be playbooks!
  • by progforlyfe on 11/22/21, 5:53 PM

    Does this mean that one day https will not be allowed in the EU and companies will have to go back to supporting http?
  • by vegai_ on 11/22/21, 6:00 PM

    I think it's pretty naive to think that digital privacy allowing spreading of child sexual abuse material is going to be accepted in the long run. If we don't figure out a better answer to how we can have one without the other then we're gonna lose digital privacy.
  • by 29athrowaway on 11/22/21, 6:57 PM

    There will always be steganography. Hide information in things. Like the red channel of a specific section of a cat picture, in diagonal strides or something. Good luck finding that shit.
  • by rrll22 on 11/22/21, 5:25 PM

    To be safer, I would rather have everyone tracked except me, because I know how to use encryption tools. If criminals want unencrypted communications, that's also their choice.
  • by Nitramp on 11/22/21, 7:08 PM

    Here's a probably truly unpopular opinion: I think it's reasonable policy to enable police, after a judgement by an impartial judge, to surveil suspects, encryption or not.

    This has worked reasonably well for decades, in Europe's liberal democracies, for plain old telephone, mail, searching apartments, etc. Yes, there have been mistakes and failings, but by and large this system works, and prevents substantial harm.

    These powers need an actually independent judiciary in a strong legal system (i.e. not the US). And they need to be kept out of the hands of secret services (as opposed to genuine police work overseen by judges in the public record).

  • by e0a74c on 11/22/21, 6:24 PM

    And Osama wins again.
  • by delusional on 11/22/21, 7:41 PM

    Does anyone here actually read the resolution before they go claim that the EU is "outlawing math"? This is about punching very small and specific holes in the GDPR to allow service providers to scan for CSAM. It does not make it illegal to create technology that can't be intercepted. It removes the excuse that you can't provide the government with data because that would be violating GDPR.

    Additionally, service providers MUST inform you that they have scanned your data for CSAM: "Service providers should inform users in a clear, prominent and comprehensible way that they have invoked the exemption provided for in the Regulation"

  • by pantulis on 11/22/21, 5:57 PM

    Beware, this comes from the guys that managed to put a freaking cookie layer on almost every website in the world.
  • by DeathArrow on 11/22/21, 5:47 PM

    Maybe it's time for the EU to end. Peoples of Europe are tired of EU bureaucrats eroding their rights and going against their interest. Or it's time for the EU to be reformed.

  • by peter_retief on 11/22/21, 6:46 PM

    Why does this sound like an unlikely development?
  • by sebow on 11/22/21, 6:05 PM

    Pretty sure this was in Brussels' crosshair for years (as in 5+ years, to be precise). And no, the bureaucrats and politicians don't give a rat's ass about your privacy, security, or data. In the vast, vast majority of cases it's the opposite. GDPR was not only useless in protecting customer's data, it was actually used as a tracking mechanism, but don't let me spark your bubble.

    The EU should either reform or it will die off, and for good reasons. Obviously if the latter is to happen it will take at least a decade or two, but the cracks have begun to show frankly since it stopped being merely an economic union.

  • by no_wizard on 11/22/21, 6:58 PM

    I feel the EU has both good privacy things (GDPR was a good step forward, not perfect, but arguably good, forcing things like the right to be forgotten), and then they have these widely anti privacy ideas like the ones presented in this article.

    Why the disconnect? That's my fundamental question.

  • by albertopv on 11/22/21, 6:16 PM

    GDPR would be dead for me the instant this should become law.

  • by 1cvmask on 11/22/21, 5:22 PM

    Big difference between de jure and de facto. We already have de facto surveillance in the US and the 5 eyes jurisdictions. Some of the other EU countries are also in on it.

    They just want to add a de jure veneer to it.

    For de facto leadership follow the US example. For de jure leadership follow the Australian/Chinese model.

  • by Shadonototra on 11/22/21, 5:20 PM

    it's essential for security

    to the people who complain, we didn't hear you when the US kept (and still is) massively tracking you

    and let's not talk about all free apps on your favorite smartphone, they track you to death

    but who cares, nobody should track me for everyone's safety! only for everyone's lack of privacy!

  • by megous on 11/22/21, 5:48 PM

    Ban encryption.... hmm, that's certainly one way to get rid of cryptocurrency and solve those pesky ransomware attacks. Good! I didn't read past the title, so I may be wrong about the actual contents of the article.