IT companies warn in open letter: EU wants to ban encryption (mailbox.org)
332 points by kseistrup on April 15, 2021 | 217 comments


> Under the EU Internet Forum, the Commission has launched an expert process with industry to map and preliminarily assess, by the end of 2020, possible technical solutions to detect and report child sexual abuse in end-to-end encrypted electronic communications, and to address regulatory and operational challenges and opportunities in the fight against these crimes.

It is a spectacular overreaction to equate this to "EU wants to ban encryption". This will never happen.


If you search for the word “encrypt” in this document, you’ll see that they are against Facebook end-to-end encrypting messenger: https://ec.europa.eu/home-affairs/sites/default/files/what-w...

I don’t think this is an overreaction.


The bit about Facebook's planned end-to-end encryption ends with:

> One of the specific initiatives under the EU Internet Forum in 2020 is the creation of a technical expert process to map and assess possible solutions which could allow companies to detect and report child sexual abuse in end-to-end encrypted electronic communications, in full respect of fundamental rights and without creating new vulnerabilities criminals could exploit. Technical experts from academia, industry, public authorities and civil society organisations will examine possible solutions focused on the device, the server and the encryption protocol that could ensure the privacy and security of electronic communications and the protection of children from sexual abuse and sexual exploitation.

I read this as "Okay, fine, we can't ban end-to-end encryption and we cannot backdoor it. What can we do?" If that is what they mean, it seems a reasonable enough question to ask.


> possible solutions focused on the device, the server and the encryption protocol

Looks like they're going to find ways to read our messages before they are encrypted and sent. Why would anyone continue to use a communications application that's known to do this?


> Why would anyone continue to use a communications application that's known to do this?

Network effect. Most people are not using Whatsapp because it is E2EE, they are using it because all their friends are.


Not sure if terrorists and organized crime are influenced by the "network effect"... and it's because of them, right?


Even if true it seems it could still create a smaller haystack.


Of freedom activists or terrorists? Or is that a viewpoint thing?


My guess: Client-side scan for certain keywords to identify grooming and some kind of signature-based identification of known child-porn media. Basically what I assume Messenger does today, but on the local devices instead.

The general public won't care until we're halfway down a slippery slope, and then people will just switch to whatever platform is perceived as more secure/popular at that particular moment in time.


> Why would anyone continue to use a communications application that's known to do this?

Are you kidding? Almost nobody will care about that. This isn't even a new threat. It's common practice already.


What if hashes of known-bad content are stored locally on the device, and sending content that matches against those hashes is not allowed? Or, the user could appeal if they think there's a false positive. This can be used for CP but also for known-bad fake news or inflammatory content. Clearly, the content hash DB needs to be scoped down, and what goes in there should be chosen with democratic principles, and stand scrutiny in the courts. If done thoughtfully, it seems like a feasible solution.


Changing a hash is incredibly easy; you could just change some metadata and the hash would change. And any perceptual hashing algorithms would naturally lead to false positives.

Also this would likely be quickly commandeered for copyrighted work (honestly pretty surprised it hasn't happened already).
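An added example, not part of the thread, contrasting the two matching schemes discussed above: an exact SHA-256 blocklist stops matching after a metadata-only change, while a simple average hash over the pixels still matches and also produces a false positive on a different image. The toy file layout, the 8x8 sample images and all function names are assumptions constructed for illustration; real systems use more elaborate perceptual hashes.

```python
import hashlib

def make_file(pixels, comment):
    """Toy container (constructed): metadata comment, NUL byte, raw 8x8 pixels."""
    return comment.encode() + b"\x00" + bytes(p for row in pixels for p in row)

def read_pixels(blob):
    """Drop the metadata and return the 8x8 grayscale grid."""
    _, _, body = blob.partition(b"\x00")
    return [list(body[r * 8:(r + 1) * 8]) for r in range(8)]

def average_hash(pixels):
    """64-bit average hash: one bit per pixel, set when the pixel is above the mean."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for p in flat:
        bits = (bits << 1) | (p > mean)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def exact_match(blob, blocklist):
    """Cryptographic-hash lookup over the whole file, metadata included."""
    return hashlib.sha256(blob).hexdigest() in blocklist

def perceptual_match(pixels, blocklist, max_distance=4):
    """Match when the hash is within max_distance bits of any listed hash."""
    h = average_hash(pixels)
    return any(hamming(h, known) <= max_distance for known in blocklist)

# Constructed sample images (8x8 grayscale, values 0..255).
GRADIENT = [[c * 36 for c in range(8)] for _ in range(8)]            # listed image
NOISY = [[min(255, max(0, c * 36 + (r * 7 + c * 3) % 5 - 2))          # re-encoded copy
          for c in range(8)] for r in range(8)]
HARD_EDGE = [[0] * 4 + [255] * 4 for _ in range(8)]                   # different image

def demo():
    original = make_file(GRADIENT, "camera=A")
    retagged = make_file(GRADIENT, "camera=B")   # same pixels, new metadata
    exact_list = {hashlib.sha256(original).hexdigest()}
    perceptual_list = {average_hash(GRADIENT)}
    return {
        "exact_original": exact_match(original, exact_list),
        "exact_retagged": exact_match(retagged, exact_list),
        "perceptual_retagged": perceptual_match(read_pixels(retagged), perceptual_list),
        "perceptual_noisy": perceptual_match(NOISY, perceptual_list),
        # A smooth gradient and a hard black/white edge share the same bit pattern.
        "perceptual_different_image": perceptual_match(HARD_EDGE, perceptual_list),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```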



Yes, it would have to be a perceptual hash. False positives will occur, so there needs to be a way to appeal or remediate the algorithmic decision. We already apply this approach in a bunch of places. I believe the major personal cloud storage providers (OneDrive, etc) already do such scanning.


>This can be used for CP but also for known-bad fake news or inflammatory content.

It worries me that anyone thinks it would be a good idea to have "fake news" and "inflammatory content" blocked at the device level. Obviously cloud providers can do whatever they want (though I doubt it catches any more than the lowest hanging fruit, encrypting then uploading would be uncatchable), but the idea that my device will have a list of disapproved content, and I'll have to appeal to the government to be allowed to view it in case of false positives? The day that becomes a reality freedom will truly be dead.


I didn't say it would be at the system level. I'd expect this to happen per app. It's similar to how photo manipulation software can detect currency. I doubt every such app complies, and certainly the system screenshot tool does not.


They are not against it, they say it makes preventing child porn dissemination more difficult, which seems like a rather obvious truth. They say industry and government need to work together and try and see what can be done about it without breaking privacy.

So total opposite of how you read it.


> what can be done about it without breaking privacy

Well, the answer is: nothing. Let's take an analogy:

> Industry and government need to work together to try and see what can be done about me talking to my wife without breaking privacy.

If I want to speak to my wife in private, that's between me and my wife only. If industry and/or government want to have a say in that, they're going to need to control or monitor anything I say to my wife. The very act of desiring to control requires subverting privacy.

Of course, there are fruitful discussions to be had about the extent of privacy itself, the extent of private communication, and the extent of control that might be admissible. But to pretend that there is a perfect solution that doesn't affect privacy is either a foolish or deliberately malicious position to take.


"The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia" - Australian ex-Prime Minister Malcolm Turnbull (while he was Prime Minister).

While the EU is at it, they should do one for free energy.

Get just the right panel of experts together, and hopefully they can handwave all those troublesome laws of physics away as well.


That is not my read at all:

> Last year, Facebook announced plans to implement end-to-end encryption by default in its instant messaging service. In the absence of accompanying measures, it is estimated that this could reduce the number of total reports of child sexual abuse in the EU (and globally) by more than half and as much as two-thirds, since the detection tools as currently used do not work on end-to-end encrypted communications.

Seems more like stating a fact.


That's not even the proposal they're talking about, this is: https://digital-strategy.ec.europa.eu/en/library/interim-reg...

Also as the other comments said, even in the one you link they're discussing the true issues that exist and what to do in that context.


Where do they say they are against it? Can you quote precisely what you are referring to?

They seem to just explain the problem it causes and call for finding new approaches since current ones are made ineffective.


End to end in chat? They blacklist articles in chat already.

So there is some level of man in the middle already.


Do you imagine that this "expert process" will come up with a way to preserve message privacy while also flagging which messages are illegal? What else could the purpose of it be than to recommend requiring providers to MITM their customers' messages?

(Although I agree that the title should be changed to "ban end-to-end encryption"; certainly the suggestion that the EU would try to ban encryption generally is an exaggeration)


I can think of a very obvious one, identify and refuse to send messages that the client app decides are child porn. No intrusion.

Or perhaps add a counter to the account when it's detected. Minimal intrusion, single flag defining the message.

You don't need to mitm things to implement _some_ mitigations.

Before the inevitable - a method that is not 100% reliable in stopping something is not useless. Otherwise we may as well make it as easy as possible to share child porn because it wouldn't make a difference.


FB also already proposed one where users can report encrypted messages and send an unencrypted log to them from their client device.

Since most existing child abuse imagery is reported by users that see it somehow - this seems like a reasonably pro-privacy way to keep the same amount of reporting.


Perhaps the app itself can use ML to detect, flag and prevent known images from being sent...


"Why is Whatsapp using up my phone's battery?"


I'm opposed to this on other grounds, but computing and checking a single hash for each image wouldn't be that big a burden.


Agreed. You mentioned ML though, and that's a different matter.

Checking hashes is definitely viable, but only works for known good examples.


Banning encryption, completely neutralizing and circumventing the encryption... The effect is the same: the government will be able to read the messages.


"Banning encryption" is such a dumb premise. If I lived in some future, hellish Europe, I'd simply mail USB drives with GPG keys on them to the people I love. Costs $15 if you buy the drives in bulk. After that, chat away using PGP encrypted messages. Good luck, EU.


This kind of response saddens me every time I get it.

Every time governments start scaring people about pedo-terrorists behind every corner and start demanding censorship/mass surveillance/back doors, the standard response from fellow people in tech fields seems to be "this doesn't concern me, I will just do $CIRCUMVENTION".

It utterly misses the point. The issue here isn't a technical one. If a law is proposed that you can see as morally, ethically flawed and outright dangerous to society, the response definitely shouldn't be to laugh it off and pretend it doesn't concern you.


>If a law is proposed that you can see as morally, ethically flawed and outright dangerous to society, the response definitely shouldn't be to laugh it off and pretend it doesn't concern you.

Especially when we are the experts who are best equipped to argue against it.


It's ironic how the very expertise that makes us technologists able to solve these problems for laypeople can blind us to the issues that come with having this technical world-view. We shouldn't expect computing to be at the top of people's minds, because they often, rightly, have more dear things to worry about.


What are they going to do anyways? Jail everyone? Ban the browser? Encryption can be developed on top of any communication protocol anyways.


What are they gonna do, round up ALL the Jews? C'mon it's 1932, nothing like that could happen in less than 10 years!


Require backdoors in apps available in the Apple and Google App stores. That will steer loads of people away from using e2ee encryption.


The problem is not that you won't be able to use encryption (software), it's that if the police suspect you of anything and you have encrypted data that you're not willing to unlock you'll be punished by the full extent of the law.

But I think that could lead to better encryption software with plausible deniability like Veracrypt has.


It's not that. You can already be charged with obstruction of justice in many countries if you refuse to provide keys for encrypted drives. This is about prohibiting encrypted messaging in the first place. WhatsApp et al will be denied market access, app/play store entries for all encrypted chat apps will be removed or have versions shipped without encryption etc.

The average HNer won't be that affected but the general public will. Access to encryption will be greatly reduced and most people won't even care or notice.


Does it mean that https will be turned off for all EU websites? Can't wait!


Or maybe all the private keys need to be shared with the regulator...?


It seems more than a few countries already treat refusing to reveal your password or keys as contempt of the court or a breach in its own right:

https://en.wikipedia.org/wiki/Key_disclosure_law


> it's that if the police suspect you of anything and you have encrypted data

So, back to steganography, then?


One time pads are pretty great. Unbreakable with brute force attacks, indistinguishable from random numbers so you have plausible deniability about whether you're actually storing encrypted data.


Are they unbreakable by the technique actually used by the average EU country though ?

https://en.wikipedia.org/wiki/Key_disclosure_law

Generally it goes like this

1) you get a notice either from a judge or the police to provide unspecified assistance with an investigation (you are not told even 5 minutes in advance WHAT assistance, and there is a default gag order: if you inform a customer or ... that you handed over their info, you go to jail)

2) if you refuse to do something they charge you with a crime, not providing encryption keys is such a crime

3) looks like EU "average" sentence is 2 to 5 years prison, plus 50k euros

One time pads are obviously encrypted, meaning if you see one you know they're a key to something, so if you refuse to decrypt what is encrypted with them (or can't, let's not pretend these people know or care about what is and isn't possible beyond obvious cases like whatsapp), and a police officer cares, you may very well have a choice: decode or face 2 years prison. JUST for not giving a police officer full access, for example, to your phone, nothing else.


> One time pads are obviously encrypted

Not obviously - you could have a 1GB blob of encrypted data, or a 1GB blob of random numbers, so there is plausible deniability.

You're right that they're vulnerable to a rubber hose attack, but it's not a slam dunk case in court.


If your threat model includes the threat of your government torturing you for information, then you don't need to worry about whether they are able to decrypt your data because they could just as easily plant some false evidence, or simply "disappear" you.

Specifically on the issue of plausible deniability, though, you probably don't want just a 1 GB blob of random-looking data, you want a file system with various levels of "secret compartments" which open up depending on which key you use to open it.

The game theory is that this prevents the attack you describe (and after which Assange named this countermeasure) because you could never prove to your torturers that you have given them the last key, and thus you would have no reason to comply.

https://en.wikipedia.org/wiki/Rubberhose_%28file_system%29


> If your threat model includes the threat of your government torturing you for information, then you don't need to worry about whether they are able to decrypt your data because they could just as easily plant some false evidence, or simply "disappear" you.

wrt a 'rubber hose attack' I'm really talking about general coercion, not actual torture. A court could jail you for contempt until you produce the information it's demanding.


That deniability is plausible to no one but cryptographers. People don't generally keep gigabytes of random data on their hard drives for their entertainment. Of course the assumption will be that it's encrypted data, because the probability of it being anything else is vanishingly low.


>But I think that could lead to better encryption software with plausible deniability like Veracrypt has

That works for encrypted drives and whatnot but it doesn't look especially applicable for any real-time communication.


Except it is. IS used facebook for a lot of their communication. Imagine a code like:

"Ten camels drink from the water at $some oasis".

Meaning:

"Attack $city at 10 AM tomorrow"

Or

"Meet at $place at 10 tomorrow".

This has been documented extensively. All was perfectly legible by whoever can read conversations on facebook, but the meaning is lost.


Okay, yes sure but it does seem limiting.


Just use an email server outside the EU that will not respond to EU warrants. Almost all email transfers are protected by TLS these days. So the authorities won't know you are using encryption in the first place. If they suspect you of something they would have to come to you to get your IMAP password to check if your email is encrypted.

PGP is, as before, a technical counterargument to this sort of oppression. Perhaps the powers that be need to be again reminded of its existence. After all, the proposal is to backdoor all encryption software. That is simply impossible.


This already is a law in the UK. It is 5 years for not disclosing password.


The Regulation of Investigatory Powers Act 2000 - https://www.legislation.gov.uk/ukpga/2000/23/contents

It's a bit of a beast.


dang so that means 5 years for forgetting your password too


Cut to LE carrying around encrypted thumb drives to plant as evidence.


Doesn’t even need to be encrypted; it could just be random data. Sufficient encryption is indistinguishable from random noise.


Damn thank god for the 1st amendment.


wow that is scary.


"Politics doesn't affect me" is unfortunately not true these days.


Where “these days” is “the last two decades”, as far as RIPA goes.


If they make it illegal they can just kick down your front door, arrest you and take your computer and your encryption keys.


Feather-net for the win, no need for mail company. Just buy some pigeons...and train them:

https://spectrum.ieee.org/tech-talk/computing/networks/pigeo...


That future is not going to happen. Read the underlying documents and this lobby article just misrepresents what is in the actual legal/policy documents


Using PGP is illegal now. Checkmate.


A classic: https://xkcd.com/538

Replace the drugs with a warrant and the wrench with the threat of criminal punishment and expense of lawyer and court fees.


First off PGP is not a great security tool, second of all the EU can just stop the GPG encrypted messages at the service provider level.

The ultimate solution against government stupidity like this is a full mesh based “internet” that is based on connections between homes without using an ISP. It is not going to happen for obvious reasons (90% of population is non-technical for starting).


> The ultimate solution against government stupidity like this is a full mesh based “internet” that is based on connections between homes without using an ISP.

Completely agree. Communications infrastructure has always been centralized. Service providers are easy targets for governments. We'll never be free from their tyranny until we have completely decentralized networks.


> service provider level

I think the parent comment was going to mail such drives, and good luck getting the EU to agree on blocking anything on their independent providers level.


They've been pretty good at banning things at the provider level. Sites in the UK seemingly get banned by everyone as soon as the government requests it. Similar in Germany, and they go out of their way to analyze most or enough torrent data going through I believe all ISPs to detect what you pirate. Doing the same for detecting encryption doesn't seem farfetched.


> Sites in the UK seemingly get banned by everyone as soon as the government requests it

I live in the UK; this is not correct. These are voluntary agreements by ISPs and you can opt out of the default filtering.

I think the only time something has been blocked here it was due to a Court Order: https://www.virginmedia.com/help/list-of-court-orders


I mean that's still a fair amount of sites. I recognize and have used plenty of those.


Great is subjective but GPG is pretty good and could be argued as great. It was based on “Pretty Good Protection.”

EU can’t stop GPG encrypted messages at the service provider level because the content looks like any other base64 traffic or can easily be made like that.


Well, depends how it's sent. The header information in an encrypted message is unencrypted. Using an MUA, the body of the message will be sent as an inline attachment. The content definition of the boundary for the attachment is Content-Type: application/pgp-encrypted, which is trivial to detect. An encrypted attachment that uses a generic application/binary or text/plain starts with -----BEGIN PGP MESSAGE----- or 2d 2d 2d 2d 2d 42 45 47 49 4e 20 50 47 50 20 4d 45 53 53 41 47 45 2d 2d 2d 2d 2d, which again is trivial to detect.

Edit: I'm not suggesting PGP itself is bad because of this. There are many other reasons why you should consider other methods of sending messages securely that aren't email or PGP.
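An added example, not part of the thread, of the two indicators named in the comment above (the `application/pgp-encrypted` content type and the ASCII-armor header line), as a mail gateway or DLP rule might check them with Python's standard `email` parser. The sample messages are constructed, and the function names are assumptions. The example goes slightly beyond the comment by decoding MIME transfer encodings first, because a scan of the raw bytes for the armor line does not see a base64-encoded part.

```python
import base64
import email
from email import policy

ARMOR = b"-----BEGIN PGP MESSAGE-----"

def raw_scan(raw):
    """Naive check: look for the armor line in the undecoded message bytes."""
    return ARMOR in raw

def pgp_indicators(raw):
    """Walk the MIME tree and report which PGP indicators each part shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "application/pgp-encrypted":
            hits.append("content-type")
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding.
        body = part.get_payload(decode=True) or b""
        if ARMOR in body:
            hits.append("armor:" + ctype)
    return hits

# Constructed samples. The "ciphertext" is a placeholder, not real PGP output.
ARMORED = ARMOR + b"\n\n(constructed placeholder)\n-----END PGP MESSAGE-----\n"

# 1. PGP/MIME layout: a control part plus the armored body.
PGP_MIME = (
    b"From: alice@example.org\nTo: bob@example.org\nSubject: sample 1\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
    b' boundary="b1"\n\n'
    b"--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
    b"--b1\nContent-Type: application/octet-stream\n\n" + ARMORED + b"\n--b1--\n"
)

# 2. Armored text labelled text/plain and base64 transfer-encoded.
BASE64_TEXT = (
    b"From: alice@example.org\nTo: bob@example.org\nSubject: sample 2\n"
    b"MIME-Version: 1.0\nContent-Type: text/plain\n"
    b"Content-Transfer-Encoding: base64\n\n" + base64.encodebytes(ARMORED)
)

# 3. Ordinary mail that mentions PGP in prose only.
PLAIN = (
    b"From: alice@example.org\nTo: bob@example.org\nSubject: sample 3\n"
    b"Content-Type: text/plain\n\n"
    b"Lunch at noon? I still have not set up PGP.\n"
)

if __name__ == "__main__":
    for name, raw in [("PGP_MIME", PGP_MIME), ("BASE64_TEXT", BASE64_TEXT), ("PLAIN", PLAIN)]:
        print(name, "raw_scan:", raw_scan(raw), "indicators:", pgp_indicators(raw))
```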


What I meant is it’s trivial to change the content type and to change the attachment format so it doesn’t match specific GPG formats.

The content type is done now for convenience, but there’s nothing stopping me from using GPG to generate a message and send it with the content type of a text file or zip or whatnot.

Of course there are other methods, but GPG is free, stable and works as expected.


Email on the wire is mostly all TLS encrypted these days. Generally offline encryption like PGP encrypted email is more secure than, say, instant messaging:

* https://articles.59.ca/doku.php?id=em:emailvsim


I’ve thought about this since last year, and I can’t understand how this proposal has been able to survive this long. First of all, the EU is very pro-business, which means it should be pro-encryption. Second, the structure of its governing bodies does not make it very prone to populism. Based on what I know from this Kurzgesagt video: https://youtu.be/h4Uu5eyN6VU

Is this all some hidden plot to turn the EU into a totalitarian state? I’m (half) joking, but I really can’t see the motivation.


I've never heard anyone, ever describe the EU as pro-business.


Left-wing eurosceptics try to present the EU as being pro-business (and anti-worker), while right-wing eurosceptics believe the EU is anti-business with all its regulations affecting companies.

It's technically possible that both sides are right in their criticism, but the fact that neither side seems to acknowledge the other suggests that both aren't seeing the full picture.


I recommend reading the actual proposal rather than this fearmongering.


I don't understand how it's in any way feasible. Do none of these people own laptops with sensitive business or political information? How do they think they're going to protect any of it without strong encryption? Or all the sensitive data on their phones or other mobile devices? How do you secure anything ever against espionage without strong encryption? Have these people not put any thought into this?


AFAICS no one is trying to literally ban encryption, the headline seems very exaggerated to me.

Looking at some of the EU documents linked, I don't see any real intention to ban E2E encrypted communications - at most the documents are saying that child abusers using E2EE is a problem, or explaining various technical possibilities to try to catch them (with or without breaking E2EE).

I'll be concerned when there is an actual proposal mandating backdoors or banning encryption.


They don't think the rules will apply to them.


I imagine exceptions will be built into the laws exempting certain government agencies and businesses or types of business.


If you are an EU resident, you can look up representatives of your country at "Members of the European Parliament[1]".

Send them an email, give them your thoughts, or just bookmark their MEP profile, for now, if it seems too daunting.

This advice applies to both anti and pro-encryption voices (and unrelated political topics even).

Also,

If the topic applies to your industry and profession (probably a few here on HN) - maybe you have the insights, resources or industry reputation required to find solutions to the stated dilemma of

(i) security/privacy

vs

(ii) child safety/law enforcement e.g. [2].

[1] https://www.europarl.europa.eu/meps/en/home

[2] https://www.interpol.int/Crimes/Crimes-against-children


Please forgive me if I'm misunderstanding the scope of the proposal, but without a modifier "Ban E2E Encryption" would mean:

* Any party who is the exclusive holder of the private key of an asymmetric key (and uses it) is basically in violation of the proposed law(s)?

* So, literally, someone who uses an SSH-only server (given all data-in-transit is also encrypted) is in violation of the laws (given they aren't willing to provide the private key when asked)?

* No more end-to-end encrypted communication with your attorney or physician?

* A student project that implements a one-time-pad is illegal now too?

* What about encryption that is e2e for all intents and purposes, but is briefly decrypted, then re-encrypted on a zero-log private (proxy) server as one of its hops in the round-trip?

* Does this mean quantum encryption is completely banned now?

* By that measure, quantum internet is completely illegal, no?

* What about the fact this means governments will have to go through hoops to get a special blessing to use it--meaning they'll use it less often in practice (humans)--meaning more of their confidential data will be snooped. How about the fact that traffic that looks like e2e is probably now gov. traffic--making all of that traffic a more identifiable target?

I'm obviously preaching to the choir here... the problems abound. Would love to hear more of y'all's hypotheticals that illustrate how garbage this is.


There is no real proposal to ban encryption - the title is hyperbole.

They are looking for possible solutions to reduce child abuse with the industry, not proposing anything.

It could still be they'll arrive at some problematic proposal later on, but from my reading of the linked documents straight-out breaking/banning E2E encryption is not really on the table.


Ah, got it, thanks.


Can someone explain to me exactly how the EU plans to ban encryption? Like, what's the mechanism to stop an EU citizen hosting their (whatever) in a country that does support E2E? Or how, practically, you stop anyone from using X service which provides strong encryption on their computer or servers at home?

I'm naive about such matters but from where I'm standing I can't see how this is even vaguely enforceable?


> Can someone explain to me exactly how the EU plans to ban encryption?

They aren't, that's the simple answer.


Remember: every time a government cites child pornography or terrorism as the reason to ban cryptography or otherwise limit human rights, they are just using an excuse.


Please read the underlying documents and not this fearmongering. There is no such plan.

Just click the first link titled 'upcoming plans for communication surveillance' and actually read the document (or just CTRL-F 'encryption') to see how misleading this lobby letter is. It is a communication about child porn/abuse outlining measures for prevention, rehabilitation, etc. It doesn't say anything about banning encryption, just as one of many points it points out that increased encryption is making detection of child porn/abuse difficult and that government and industry should set up an expert group to discuss what can be done without breaking privacy.

So total bs article. I used to be a customer at mailbox but am right now very happy I moved away already...


Yeah - this linked article is total bullshit, at best it's misleading political spin arguing in bad faith.

This is the actual proposal: https://digital-strategy.ec.europa.eu/en/library/interim-reg...

https://news.ycombinator.com/item?id=26826599

I think when we see something that plays right into an existing confirmation bias it's important to be extra skeptical of its claims to offset that.


Why do you say that? Do you really think that no one can have a genuine interest in combating child pornography or terrorism?

My intuition is exactly the opposite: That many have a legitimate wish to combat both child porn and terrorism. Many people work with that every day and obviously they want to do a good job. And one effect of limiting crypto would help that. (That doesn't mean in itself crypto should be limited; but I don't see how writing one side off as "just an excuse" and basically offering a conspiracy theory helps anyone. Better to just say "it's unfortunate about child porn and terrorism, but it's the price that must be paid / here's another way to combat that", if that is what you mean.)


I agree with him because of what has already happened in Australia when it comes to metadata collection.

It was touted as anti terrorism and anti child pornography, 2 years after it came in the agencies that applied for (and received) access to people's viewing habits were released, and it was near every agency.

https://www.google.com/amp/s/amp.theguardian.com/technology/...


> Why do you say that?

I'm not sure politicians care about these issues at all. State surveillance will most likely be used to fight political opposition instead. Fighting child abuse and terrorism are legitimate activities but politicians use them as distractions meant to make people accept total surveillance. People believe governments have their best interests in mind when in reality governments want to protect themselves from the people.

Child abuse is the perfect political weapon. Who would dare argue against such a thing? It'd be social and political suicide. All kinds of laws are passed based on the premise that it protects the children. It implies anything is justified in the fight against child abuse. There is no stop they won't pull.

> it's unfortunate about child porn and terrorism, but it's the price that must be paid

Exactly. It's bad but that doesn't mean there are no limits to how far governments can go in their attempts to combat it. Government agents already routinely violate all kinds of human rights in their fight against terrorism.


If they have a genuine interest in combating child pornography or terror, they would be proposing things that actually make a difference to those problems.

Encryption is such a small part of those crimes that it would make almost no difference to the level of crime whether it exists or not.


According to another poster, there were in fact here other proposals and crypto was a small part of it. And that small part was, quoting the text:

> One of the specific initiatives under the EU Internet Forum in 2020 is the creation of a technical expert process to map and assess possible solutions which could allow companies to detect and report child sexual abuse in end-to-end encrypted electronic communications, in full respect of fundamental rights and without creating new vulnerabilities criminals could exploit. Technical experts from academia, industry, public authorities and civil society organisations will examine possible solutions focused on the device, the server and the encryption protocol that could ensure the privacy and security of electronic communications and the protection of children from sexual abuse and sexual exploitation.

So -- you may say that you know that this project is hopeless and a foregone conclusion. But will every politician trust that -- or will they make a panel of experts to explore solutions and tell them for sure that you can't meaningfully limit encryption in the first place, and even if you did you can't do it without violating privacy, as is presumed here?

Don't attribute to malice what can be attributed to technical ignorance.


See also: cryptocurrencies.


Such a fitting username.


[flagged]


We need encryption to do peaceful things like economic transactions on the internet and private conversation. We don't need assault rifles for anything but murder. So no it's not the same.


> We don't need assault rifles for anything but murder.

We don't need encryption for anything but hiding illegal activities. You have nothing to fear if you're not a criminal.

See what I did there? Neither argument is good.

Just like the overwhelming majority of people that own so-called Assault Rifles never use them for anything except peaceful recreation - the overwhelming majority of people that use encryption never use it for anything except peaceful online activities.

Why would we ban one and not the other? Both are used by criminals to commit acts which are already illegal. Making them doubly-illegal accomplishes nothing.


Yeah I still remember that time a mentally ill young man got their hands on encryption and senselessly murdered 50 people.


Not encryption so to speak, but people have used vulnerabilities in devices to cut off power. I suppose in a hot region one could take out many elderly this way. Some time ago, the power companies were doing rolling blackouts that contributed to the demise of many elderly.


Heh. I guess if you ban encryption, then only criminals will have encryption plays here - as then encrypting your shit via ransom-ware will be SUPER prevalent


Encryption is used by criminals and terrorists.


I don't understand this argument. They use food and water, too. And roads. We never talk about banning those, because the benefit to society is greater than the risk.


Suppose you had a choice between living in country A or country B. Country A bans encryption but allows assault rifles. Country B bans assault rifles but allows encryption. Which would you choose?

I think it is obvious that country B is the better choice than country A. A lot of people (including myself) have zero interest in the hobby of recreational assault rifle ownership. But banning encryption has the potential to cause massive harm, both economic, and in terms of freedom of speech and freedom of thought. If the government wants to control what you say and think, taking away your freedom to communicate out of the government's hearing is a great first step. By contrast, taking away the freedom to own assault rifles has far less impact – I don't have that freedom in the country in which I live, and I don't even notice it, because I have no interest in owning one. But I definitely would notice if the government tried to ban encryption.


It may seem like a minor detail but there's a very substantial functional difference between "rifles" and "assault rifles": assault rifles can fire as fully-automatic "machine guns".

There is no such thing as "recreational assault rifle ownership". I posted in detail about this in another comment [1], but "assault rifles" are machine guns and are highly regulated in the United States. You can't buy or own one without a special federal permit from the ATF which has a high bar to get. You also can't buy any gun under normal circumstances without an FBI background check.

What everybody is talking about when they say "assault rifle" are actually just "rifles", which function the same way as other hunting rifles and handguns, merely having a different form-factor. AR-15s (ArmaLite Rifles) for example are just normal rifles, not assault rifles. There are many variants, but plenty of AR-15s will fire the same 9mm ammunition that handguns fire. (Caliber has nothing to do with the classification; that's just an example.)

I'm not even sure that individual people can legally possess machine guns in the US. From what I recall you essentially need to form a corporation and apply for it to become a firearms dealer, and get approved; and then the corporation may buy and possess them. The ATF probably tracks every legally sold and owned machine gun in the US. There is very limited "recreational" use of machine guns: you can go to Las Vegas and pay to fire a machine gun that's mounted to the ground, and whose firing angle is limited. That's about the extent to which any normal person (civilian) will ever legally interact with a machine gun or assault rifle in the USA.

For those who want to use informed language to have a precise discussion, please use the term "rifle" if that's what you mean, and avoid using the FUD term "assault rifle" (unless that's what you mean), usage of which has been polluted by poor journalists and opinion-providers that use sloppy language (and an expired law that skissane points out below).

[1] https://news.ycombinator.com/item?id=26826847


When people say "assault rifle" in the US context, they often mean rifles to which the former "Federal Assault Weapons Ban" applied [0]. That is a semiautomatic rifle having certain features–which is not what is called an "assault rifle" in military or policing contexts (the latter are automatic weapons). You can disagree with calling semi-automatic rifles "assault rifles", but they are rifles that fall under the legal definition of "assault weapon" that existed in the US from 1994 to 2004 (and which some US politicians would like to reinstate), so calling them "assault rifles" does have a legitimate basis.

[0] https://en.wikipedia.org/wiki/Federal_Assault_Weapons_Ban


That is a good point that I had forgotten about, the law that briefly classified certain semi-automatic rifles as assault rifles.

But that law is expired, as you note, and semi-automatic rifles are no longer considered, legally or by militaries, to be assault rifles. Selective fire is supposed to be the distinguishing feature of that term and concept.

That was an unfortunate way to name the law, messing up technical language. Should have just called it the "Excessively Dangerous Firearms" ban or something.

I'm surprised the law withstood constitutional scrutiny. Any idea if any challenges of it went to SCOTUS?


Well, 10 years is not exactly "briefly". And Biden has announced he wants to bring the Federal Assault Weapons Ban (FAWB) back–although I doubt he'd get it through Congress–red state Democrats like Senator Manchin are unlikely to vote for it, and the Democrats only have a bare majority in the Senate. Still, maybe some future election will deliver a Democratic President with a bigger majority in the Senate and House, and then a FAWB comeback might actually happen.

FAWB challenges never went to SCOTUS; as far as they got was the Circuit Court of Appeals, where they failed. Note the ban expired before DC v Heller, when SCOTUS switched from treating the 2nd Amendment as essentially a dead letter to treating it as a live provision; so it is not very clear how current jurisprudence would treat it.

I think some conservatives on SCOTUS would want to overturn a renewed FAWB, but they'll struggle to come up with logic to allow them to do that without threatening the federal (near-)ban on automatic weapons, which is something they probably don't want to overturn. I think in the end they'd uphold Congress and the States banning particular categories of weapons, so long as the categories are not so broad as to constitute an effective ban on owning weapons for self-defence.


True, 10 years isn't a short time in a human life, and probably reprogrammed a lot of people's thinking during that time. It depends what timescale you consider. It's arguably brief on the scale of the lifespan of the US Constitution.

There is apparently debate about the etymology of the term. In English it may be fairly recent; others attribute the concept to the German military in World War 2. From the Wikipedia page on Assault Rifle:

> Conservative writer Rich Lowry said that assault weapon is a "manufactured term". Joseph P. Tartaro of the Second Amendment Foundation (SAF) wrote in 1994: "One of the key elements of the anti-gun strategy to gull the public into supporting bans on the so-called 'assault weapons' is to foster confusion. As stated previously, the public does not know the difference between a full automatic and a semi-automatic firearm."

> Two scholars have written: "One problem inherent in the study of [assault weapons (AW)] is that the classifications of AW are based on cosmetic features of firearms... For instance, the Colt AR-15 series of semi-automatic rifles—the civilian version of the fully automatic M-16 rifle issued to U.S. soldiers—was subject to the 1994 AW restrictions, but the Ruger Mini-14 rifle was not banned. Yet, the Mini-14 is the same caliber, has a similar barrel length, the same semi-automatic action, and can use magazines that hold 30 rounds of ammunition. The only real meaningful difference between the two firearms is cosmetic: The AR-15 rifle looks more dangerous." (citations omitted)

I'm fairly sure such a ban would not survive a challenge with the current SCOTUS, but I'm curious whether any cases made it to SCOTUS challenging the ban while it was active, with the court as it was then. (Any constitutional lawyers on the thread want to pop in?)


This is a weird choice to present the reader, as it can only tell you which freedom is more critical, not whether they are of similar form (and, FWIW, they are at least so clearly related that the United States regulates encryption largely as part of arms regulations and treaties).


Encryption seems directly related to freedom of speech, freedom of thought, and privacy rights, in a way which gun ownership issues are not.

Encryption directly protects your freedom of thought by making it possible to communicate your thoughts to others without the government being aware of them, hence making it difficult for the government to punish you for sharing those thoughts if it disapproves of them.

Owning a gun doesn't directly protect your freedom of thought. Maybe you could argue that a gun can indirectly protect your freedom of thought, since if the government tries to restrict your freedom of thought, you can respond by violently overthrowing the government using your gun. However, in practice, that is very unlikely to work – an attempt to use your gun to violently overthrow the government is far more likely to result in your own death (or spending the rest of your life in prison) than in any actual change in the government or its behaviour. Even if you had a million fellow citizens with their own guns supporting you, you'd still struggle to win against the tanks, fighter jets, bombers, drones, missiles, etc, of a modern military.


I think a large number of Americans would take the opposite view.


But note how the encryption ban comes about after the firearm ban in the country of discussion.

Firearms rights (at least in the US) were intended as protection from tyrannical governments more so than even self protection. Though I acknowledge that today the US government is too powerful for citizens with firearms to prevent any tyranny.


> Firearms rights (at least in the US) were intended as protection from tyrannical governments more so than even self protection.

The same argument could also apply to encryption. That is, it can offer you protection from a tyrannical government in addition to protecting your information from criminals.


I do agree with you. I'm just pointing out that both are intended as rights of a sovereign individual to protect oneself from both other individuals and government.


I need encryption to make sure nobody is listening to my sensitive conversation like legal/psychological counseling. It can be actually more secure than in-person conversation.

Recreational ones are not "needs". Your analogy seems flawed.


Imagine needing legal help during the pandemic and not being able to privately speak to a lawyer without being absolutely sure someone isn’t going to listen in and try some old fashioned parallel construction.


You need encryption to order online without anybody getting your card numbers.


Murder? Self defense is not murder. But again my point was not that they are similar, just that they are valuable, difficult to control, and law enforcement wants a monopoly on them.


I can understand owning a pistol for self defence, but what situation does a civilian need an assault rifle in?

Surely it'd just get in the way massively in any kind of home invasion scenario and if you end up firing it the bullet will go through 3 houses and hit someone's dog


What about owning an assault rifle shooting range? I think those owners need assault rifles for things besides murder. I get your point but try not to be an absolutist.


You don't _need_ to own an assault rifle shooting range. So you don't _need_ assault rifles. We _need_ encryption to have functioning society. Everyone needs to be able to visit their bank website, email, etc without being robbed, stalked, spied on.

I am okay with being an absolutist about civilians not needing assault rifles. If we're talking about self defense and hand guns, maybe we can have a conversation, but omg what is anyone doing with an AR-15? You can say "having fun" but pretty sure anyone who's being fair would admit that's way past what anyone needs for self defense. Having one very specific sort of fun is not a need or a good justification for the damage these things do to the net safety of our society.


In countries where assault rifles are banned, these things generally still are possible. With strict rules, for example you're only allowed to have your rifle and ammo at a shooting range, and psychological review of everyone involved.

Besides all that, it very much is a hobby for people. Much less a need than encryption, which is required to keep simple things like ordering something online secure.


Crypto exists because bad actors exist. The same reason Americans own guns.


And historically the worst bad actors have been governments (in terms of body count). Which is why both guns and crypto help level the playing field a bit more.


Crypto helps level the playing field, because particularly in a democracy the ability to disseminate information is super important; it can help unseat bad people in power.

Guns do NOT help level the playing field. Your government is way more powerful than any number of automatic weapons you might possess. Your government could simply freeze your bank accounts. They could take away your passport. They don't even need guns to hurt you.


fortunate son plays over the sound of helicopters

Narrator: we were In Country, 1972....


That doesn't make them at all the same. Just a few differences:

* Crypto has not killed people, guns cause mass shootings at schools, malls, and movie theaters.

* Crypto makes certain classes of theft impossible. Guns make revenge possible, and threats possible. Guns do not make any classes of theft impossible.

* Crypto increases our civil liberties (freedom of assembly, speech), and overall safety (bank website is trustworthy). Guns decrease our confidence that our kids won't be shot at school, that we won't be attacked at a movie theater or a bar.

* If everyone has crypto we truly are safe. If you let everyone have a gun, would you feel safe? The best you can hope when that one crazy person shoots your family member is that you shoot them back, but you don't get your family member back do you? Guns don't _prevent_ crime effectively but crypto sure does. They can deter, they can administer payback, but they are generally a destructive force vs a preventative one.


Didn't think of it this way but this is spot on.

If people could trust each other, then we wouldn't need crypto in the first place. Just like if we could trust others not to attack us, we wouldn't need weapons for self defense.


Some Americans own guns for subsistence hunting as a source of food.


You can use a non-automatic rifle or shotgun for this. You don't need an assault rifle. And we can talk a lot about carve-outs for folks like this, or just admit that they are rare and like any creature in the free market, they need to adapt to a changing landscape of rules and regulations.


Just wondering, do you think automatic machine guns are easy to acquire in the states?


I qualified with "non-automatic" because semi-automatics are easy to acquire.


Crypto and guns exist because they are possible.


I think the main thing they want to ban is end to end encryption. That you really don’t need. They are probably fine encrypting your connections to various companies since they can subpoena records


Not to mention you can't ban encryption without banning freedom of speech.

If freedom of speech exists, freedom to speak what sounds like nonsense to a bystander also exists.


What do you mean by "assault rifle"? It's a term used by the media but it's often misused.

The "scary black painted rifles" (e.g. AR-15s) that most civilians own are not "assault rifles". (Note that the acronym in AR-15 is ArmaLite Rifle and does not mean assault rifle: see https://en.wikipedia.org/wiki/ArmaLite_AR-15 ) Civilian AR-15s and generic versions are not assault rifles.

The distinction is that rifles like AR-15s fire one bullet per trigger pull–they are semi-automatic, just like other rifles, functionally the same as many hunting rifles and handguns, just larger than handguns and more accurate at longer ranges. (Some hunting rifles may be bolt-action rather than semi-automatic)

Actual "assault rifles" are distinguished by having a feature called "selective fire" which switches between firing like a semi-automatic rifle, and firing continuously like a fully-automatic "machine gun". See https://en.wikipedia.org/wiki/Assault_rifle

Actual "machine guns" with fully automatic firing are highly regulated in the US and it's not easy for a regular person to obtain one. (For example, the Las Vegas shooter modified a regular rifle with a "bump stock" to transform a regular rifle into something that behaved like a machine gun–something that has subsequently been banned.)

Examples of actual assault rifles are the US military's M16 and the AK-47. You won't see a typical civilian possess these, unless they go through a special process of obtaining a federal permit from the Bureau of Alcohol, Tobacco, and Firearms (ATF). Because you are correct that the purpose of such weapons is military warfare; and even in the military, fully automatic fire in modern combat is used in specific circumstances (typically as suppressive fire against a large enemy force; whereas the vast majority of shots taken by soldiers would be in single-shot mode).

However there are plenty of justifiable reasons for people to possess firearms, whether rifles or handguns, such as hunting, sport shooting at a range, or personal protection (self-defense, assuming the attacker dies, is not murder).

An additional reason is that firearm ownership is protected by the US Constitution in its 2nd Amendment; and one of the reasons for its protection by the constitution is to ensure that the population can defend itself against tyranny by its own government.

(Read about the history of why it was added as an amendment; or read the US Supreme Court decision in District of Columbia v. Heller, the text of which is very readable – once you get past its analysis of the language and grammar of the amendment to ascertain its precise meaning – and provides a history of the rationale of the text and the historical reasons for its protection as a right. It analyzes the language used in the Constitution and other legal documents, carefully deconstructs the grammar in the sentence, and concludes:

> (...) We start therefore with a strong presumption that the Second Amendment right is exercised individually and belongs to all Americans. (...)

There's a lot of detailed analysis that goes into the definition of "arms" as being non-military weapons that individuals might use for hunting or self-defense; the historical protection of that right; and why it's an individual right for all Americans.)

Read the text of the court opinion here: https://www.law.cornell.edu/supct/html/07-290.ZO.html

I can respect people's opinion who wish that firearm ownership was not permissible–it's an understandable perspective, especially for those who have been affected as victims by gun violence; however, the respectable path to "solve" that problem is for the United States to amend its constitution and modify or remove the 2nd Amendment. If that's the wish of the people I can respect it. However, it's hard for me to respect the "tricks" that states or municipalities try to pull, such as banning guns on public property (which Seattle tried to do, which was overruled by the courts–helped by the Washington State Constitution's pre-emption clause, which protects firearm ownership and forbids municipalities from limiting that right); or states like California that require a permit and make getting it burdensome.


> It's like banning assault rifles to prevent mobsters from getting hold of them.

Obvious bait is obvious but whatever, I'm in...

Is it the same, though? Is it really?

On one side we have literal implements of death responsible for countless accidental and/or illegal deaths, and the other we have some encryption software.


I think the point is that the people who're already on the wrong side of the law will continue ignoring this new law.

Mobsters won't stop buying guns because they're banned. Lots of people won't stop using encryption software just because it's banned.


Like any abuse fighting, your goal is not to make guns impossible to get (which is impossible), your goal is to make it as expensive as humanly possible, which decreases how many people have them and increases overall societal safety.

Also mobsters get rid of guns that killed people because they can lead to stiffer penalties. So taking legal guns out of circulation and then making strong deterrents for possession of illegal guns does help achieve this aim, you're decreasing the overall supply and driving up their prices.


I think the hope isn’t that mobsters would choose to stop buying guns out of respect for the law, but rather that it will literally be more difficult for mobsters to buy guns because of actual enforcement of the law.


>Lots of people won't stop using encryption software just because it's banned.

In particular organized crime, which the government is claiming to address via this policy.


Countless doesn’t seem totally accurate. Last I checked the FBI census a few years back showed 318 deaths over a year due to long guns in the United States. That includes shotgun, rifle, and scary “assault” weapons.

Handguns on the other hand kill 100x-200x the same amount of people. Seems like if gun control proponents wanted to reduce harm, they’d focus on handguns first.



That's _just_ murder. Doesn't include accidental deaths.


I’m not sure why you need to split your focus on handguns versus long guns. I bet most gun deaths are caused by right-handed people too, but that doesn’t mean we should focus on gun laws for right-handed people first.


Because that's what politicians do. Tons of talk about banning "weapons of war" that are rarely used to kill anyone, meanwhile handguns are used for murder/suicide much more often, but they rarely make the news because they aren't scary looking, and because the majority of crimes with them are committed by minorities, so Democrats don't want more restrictions on them.

And before anyone says it, no, that last part is not some right-wing racist conspiracy. A couple of years ago in Maryland, the governor wanted harsher punishments for people using handguns to commit crimes because of how bad gun violence is in Baltimore, and the state Democrats said it was a racist policy because it would mostly affect minorities. They didn't want to seem soft on gun violence though, so they banned bump stocks, which have never been used to commit a crime in Maryland, and which the ATF says are trivial to reproduce using belt loops and rubber bands.


300 + confirmed by rifle.

3,000 + had no weapon type listed.

How confident are you that no rifles snuck into the unknown weapon type?


318 > 0.

So yeah.. ban all guns then.


390 deaths from swimming pools every year in the US. 390 > 0, ban all swimming pools.


How many people are pointing swimming pools at each other or themselves with the intent of causing harm?


No idea since homicide by drowning is notoriously hard to prove[0], but the median pool is more likely to drown someone than the median "assault weapon" is to kill someone.

~10 million swimming pools in the US vs. ~20 million "assault weapons," and there are fewer murders annually with long guns of all types (of which "assault weapons" are a small subset) than there are pool drownings. Also pools disproportionately kill kids, while most victims of gun violence are adults.

0 - https://www.nbcnews.com/news/us-news/drowning-one-hardest-ho...


The moment encryption becomes illegal is the moment political dissidents, whistleblowers, reporters and every person in between are criminals.

We forfeit our freedom to express any idea or thought that deviates from the current list of acceptable thought patterns.

Suddenly you and all your thoughts or actions are subject to tracking by any government, any government official, any corporation and any malevolent actor.

The government already has a monopoly on violence, what's next?


I think you replied to the wrong post. I'm against banning encryption.


> On one side we have literal implements of death responsible for countless accidental and/or illegal deaths

Cars?


Those implements of death have been tools of liberty, stability, and safety in the hands of hundreds of millions of people across the world in the last several hundred years.

The world, under its thin, patchy veneer of peace and prosperity, is still a savage place. Ask the IDF, Ukraine, South Korea, etc.


Never said same! Just has some resemblances. As well as major hilarious contrasts (hence why I chose the subject, instead of cats and cat lovers).

I don't think a gun and cryptography should have the same treatment.


> But in the fight against child pornography, domestic politicians and legislators have identified [end-to-end encryption] as the core problem and would prefer to ban it.

There's no logic to this. These people already access banned child pornography. They aren't going to hesitate to use encryption to do so, banned or not.

The encryption tech already exists and is widely and freely available and a ban doesn't change that. A ban could keep good encryption out of popular, high-profile platforms. But these people are already seeking out the dirty, dark corners of the web, and I'm sure will have less trouble adjusting to this than almost anyone else. My random guess is they will be communicating and sharing images via encrypted blockchains that are ostensibly (or even mainly) for something else, or some such.


I view it differently in that even if breaking encryption allows for the arrest and wiping out of all child pornography, the damage to the non-porners is too great to warrant.

Similar to how a jury trial requires unanimous agreement among 12. This leads to some true criminals not being convicted, but it provides the benefit of many more innocents not being wrongfully convicted.

I think the “criminals will break the law anyway” is a dead end as it bypasses the moral decision that society needs to make of whether privacy is worth some tiny percent of evil doing.

One day we’ll have the ability to have mental implants that block bad things. Similarly, we’ll need to decide whether that is worth implementing if it means bad trade offs. The argument isn’t that criminals will skip the implants, I think the important argument is whether putting implants in all the non-criminals is worth the effort.


There's no logic in it as the article misstates the actual legislation and intention. Read the linked documents and it's pretty obvious (I left a longer comment below).


From your linked document:

> The Commission announced that it will propose the necessary legislation to tackle child sexual abuse online effectively including by requiring relevant online services providers to detect known child sexual abuse material and oblige them to report that material to public authorities by the second quarter of 2021. The announced legislation will be intended to replace this Regulation, by putting in place mandatory measures to detect and report child sexual abuse, in order to bring more clarity and certainty to the work of both law enforcement and relevant actors in the private sector to tackle online abuse, while ensuring respect of the fundamental rights of the users, including in particular the right to freedom of expression and opinion, protection of personal data and privacy, and providing for mechanisms to ensure accountability and transparency.

If the measures to detect certain kinds of content are "required" and "mandatory", that rules out end-to-end encryption.

Sure, they promise to use their powers to snoop only for good. Perhaps this commission means it, too. Just not sure why it would only be used for good, though.

I see multiple posts in this thread that seem to have the same generous reading of this that you have. But I don't see where that is coming from. They seem to be clearly calling for regulations that will not allow end-to-end encryption.


Not to rehash other discussions in this comment area, but there are many ways to do more than what is currently done. As you quote they want any changes to preserve privacy which means certainly no end to E2E.


After reading the source material, this HN post sounds like political spin bullshit that's arguing in bad faith - but it would take more time than I have right now to figure out the truth.

Edit: Here's the actual regulation in question: https://digital-strategy.ec.europa.eu/en/library/interim-reg...

I haven't read it yet - but I'd guess my comment below that I made without reading it is probably not understanding what it actually proposes.

Edit2: Skimming it - it's not even clear to me it's about encryption at all? But about allowing creating laws around getting companies to participate in blocking child abuse imagery (that many are already doing voluntarily)? Am I missing something? I don't see anything about requiring unencrypted communications of these companies. It sounds like it's even just allowing certain practices that may have already been in place prior to some other EU privacy law?

---

Child abuse imagery is a real problem and though I'm sympathetic to the difficulty fighting it, encryption ban is not the right tradeoff.

FB has actually implemented something good here, basically encrypted communication but users can report imagery (so a user can choose to send an encrypted log of a chat to FB for review).

I have a friend at WhatsApp and a lot of work goes into shutting down groups sharing child abuse imagery and clever ways to detect them even though they're encrypted (sometimes you don't even need to be that clever really).

See this: https://www.nytimes.com/interactive/2019/09/28/us/child-sex-...

It's possible to see this as an enormous societal problem that deserves attention, and think that an encryption ban is still a bad idea for all the reasons technical people think it is. Like most things, the policy argument here is nuanced. Just because banning encryption is the wrong thing to do does not mean that the child abuse imagery concern is false or misplaced.

I think the argument in favor of encryption becomes stronger when conceding the severity of the child abuse imagery issue. Dismissing it out of hand is simplistic.


the main claim of the letter reads:

"the European Union plans to abolish the digital privacy of correspondence."

to which I can only say: [citation needed]

In fact, as far as I know there is only a discussion piece circulating with perhaps some debatable wording, but there is no proposed legislation whatsoever to justify this claim. (Feel free to correct me, authors of the letter or others.)

I would think that meaningful contributions to any discussion do not begin with outrageous claims.


If this ever happened/happens anywhere, a great pastime would be to start sending streams of random data to people across the internet. Since random data is indistinguishable (theoretically) from encrypted data, I'm sure you'd waste a lot of the regulators' time. You'd almost force them to ban anything that _looks like_ random data, or give up on enforcing the ban on cryptography altogether.


Surely you'd need the recipient to actually save the random data (unless you think that regulators are going to be breaking every TLS connection and checking the contents of every packet).

I think people already make efforts to avoid being swamped with unwanted data, so anti-spam and anti-DDOS systems would probably block you and delete your streams without any human noticing.


I think there is too much focus on child molestation. When this happens it’s terrible and should of course be stopped. But I think the bigger problem, which is arguably worse because it can last so much longer, is child exploitation.

Is it easier for an exploited child to escape the exploitation in a world with encryption, or a world without encryption?

It’s not an easy question to answer.


A bit disappointed about the blind commenting here. I have just read the Commission Communication (pdf linked at the top of the article) and can't find anything on prohibiting encryption. They write a few times about how increasing default encryption will make law enforcement more difficult but the only action proposed on encryption is:

> One of the specific initiatives under the EU Internet Forum in 2020 is the creation of a technical expert process to map and assess possible solutions which could allow companies to detect and report child sexual abuse in end-to-end encrypted electronic communications, in full respect of fundamental rights and without creating new vulnerabilities criminals could exploit. Technical experts from academia, industry, public authorities and civil society organisations will examine possible solutions focused on the device, the server and the encryption protocol that could ensure the privacy and security of electronic communications and the protection of children from sexual abuse and sexual exploitation.

So they want to see what can be done without breaking encryption, I guess this could be e.g. hash checks or things like that.

The rest of the Communication is about prevention, victim support and rehabilitation, so really about pedophilia/child abuse, not encryption as a main issue.

There is also a 3-layer-deep link[1] to a proposed new regulation (=EU-wide law) which puts an obligation on providers to detect and report or delete child abuse materials. No mention of encryption and it's just four articles if you scroll down to the end, so look for yourself if that sounds problematic. The intro page [2] says it actually just provides a legal base for providers to scan data as another regulation that already allowed this is running out. I have no specific expertise on the matter but assuming that that does not seem problematic?

The issue seems to be that police/courts/NGOs/... basically have no chance to police as these networks are inaccessible and extremely complex to pursue anything. Seems obvious that the onus must be on the providers to do their duty - we all know what a cesspit the internet can be. If Telegram doesn't delete CP (or say beheading videos, calls for lynching, rape videos, ...) then who could possibly do it?

So the legislation here is intended to give providers the legal right to check content. What's the alternative? Should the internet simply be lawless?

1. https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=69213

2. https://ec.europa.eu/digital-single-market/en/news/fighting-...


I'm worried that this would be used to combat things other than child abuse. A system they're after will likely be easily extendable to detect and report anything the authorities decide is wrong.

And of course, it's almost certainly going to be an opaque blob that users can't truly understand, despite any assurances given to the contrary.


They’ll find ways around these like mailing each other material.

I honestly always see these overreaches as those in power want to stay ahead of money making news/tips they can take advantage of for their portfolios. Or even better, know what their enemies are talking about in regards to them. Even if it’s voters who don’t like them.


There is a longstanding thread of political thought in the UK about banning encryption https://www.wired.co.uk/article/uk-encryption-whatsapp-amber...


In times where one of the biggest messaging application providers is able to leak hundreds of millions of personal records, I'd rather governments not make laws to expand that risk to all of my private conversations as well.


I have some dumb questions - how do you ban encryption? How do you ban open source tools that implement encryption? Do you fine and jail people who have the code on their devices? How do you implement the policy of banning certain types of code? How about SSH? Are corporations and banks included in the ban?

I don't think you can. It's like banning bitcoin - you can't unless you ban the internet altogether.

Western lawmakers really don't understand tech or the second order consequences of their actions. Do they think they get to keep encryption for "national security" for themselves while the citizens don't? Hello, do you realize the Signal protocol is open source?

My prediction - EU and US lawmakers die of old age before writing even one definitive line of policy that would regulate encryption. Or regulation fails completely, like how the EU tried to regulate data collection via GDPR but we got annoying pop ups instead.

And btw, criminals use tor, not i-message. SMH.


You don't ban the tools, but you hold up dissidents that refuse to hand over their keys in prison as contempt of court, that is what happens in the UK at the moment: https://en.wikipedia.org/wiki/Key_disclosure_law#United_King...


That is interesting, I did not know that.


Governments can ban anything through denying infrastructure. Think alcohol regulations, you can say that “are they going to ban chemistry” but as it turns out they can indeed ban chemistry. You can distill alcohol at home but if you want to do business through any infrastructure that’s possible thanks to the existence of the government(legal systems, banking etc) you will have to ask for permission despite the fact that the government doesn’t have any influence over the laws of nature.


> Western lawmakers really don't understand tech or the second order consequences of their actions

our political systems blow in terms of getting people that know this stuff to legislate on it. Closest we've had to the US throne was Yang (?) and I've heard him talk and I don't think he's fam.


Taken to an extreme, banning encryption is like criminalizing math.


What the EU actually proposes to do is self-contradictory. It's like appointing a panel of physicists to study creation of a perpetual motion machine. If there are any actual experts appointed, they'd vote to disband the panel immediately.

"""Under the EU Internet Forum, the Commission has launched an expert process with industry to map and preliminarily assess, by the end of 2020, possible technical solutions to detect and report child sexual abuse in end-to-end encrypted electronic communications, and to address regulatory and operational challenges and opportunities in the fight against these crimes."""


Every time I see this I realize just how little people realize what makes the world run around them.

Do they not realize that their worlds would cease to function without encryption?


Ban HTTPS, just must be joking. Or ban books or our minds from reimplementing it? Decentralization must happen before this


Good luck with that EU, it's dead on arrival.

The day a politician tells a mathematician what to think is the day a mathematician instructs a politician on how to think.

Real criminals have good opsec, it's part of the job. Non-criminals want provable privacy and security. Deluded and ignorant politicians want a PR stunt with good optics.

If I, as a relatively mathematical individual, employ mathematical methods of communication there is literally nothing any government can do about it. I can even obfuscate. Judge in court tells me what for? I tell judge in court what for. Contempt of court? Ab-so-fucking-lutely. Qualms? Zero. I've no dependants. Fallout of jailing someone for defending their privacy? All the way up to revolution. Jailing 80% of a population because they know how to use a one-time-pad, or a free, libre, and open source solution such as Matrix? Sure. Let me know how that works out.

Telephone/email/registered post your representatives today if an EU citizen. Tell them to study http://people.math.harvard.edu/~ctm/home/text/others/shannon...

Otherwise ignore this pathetic grandstanding by vacuous vainglorious amadáns.


What on earth is it with modern governments wanting to control every aspect of citizens' lives? Why can't they just leave stuff well alone? I think first world politicians and bureaucrats (and second world too now) have far too much copious amounts of free time in the Internet era. This is always the problem with Big Govt.


>In the fight against child pornography

Can't we simply ban cameras?


Or children if we are being really serious about the whole problem.


We can also implant electronic eyes in everyone's skulls, required by law. That way we can see if they're ever looking at illegal content.

(this is the premise of more than one Black Mirror episode)


Here's a startup idea Bill Gates will surely support :D


Ban child making itself, I say!


Bring back the Shaking Quakers


As crazy as that would be, it's actually a much better solution. Heck, it would even be better if they wanted to ban all images on the internet.

But of course, banning encryption isn't actually about protecting children


This always stops people in their tracks.


C'mon... as if banning cryptographic messaging services would stop criminals from encrypting their messages and sending the payload in plain text like they were doing since the internet's inception


Let's ban children


Every time the Russian government introduced new measures to restrict freedom of internet users, they have launched a campaign explaining that it is necessary to protect the children!!!

Don't you want to protect the children, you monsters??!!!


This violates my human right to send random garbage messages to my friends


So how will online banking work with encryption?


Why does this old news-not-news reappear every few months?

> Is Europe about to ban E2E Encryption?

> No.

https://www.google.com/amp/s/techcrunch.com/2020/11/09/whats...


European here. It won't happen.


Why? Who is going to stop it?


I _really_ hope the CCC, D64 and other lobbying groups are strong enough to fight back.


I'm hoping NOYB.eu.


Are they influential?


I know we don't like when people cite child pornography as a reason, but child pornography is a real issue. It is spread via any and every kind of social media. Kids are groomed into sending their photos online. Enforcing encryption will make it harder to detect these kinds of distribution.

What is the answer?


Better programs for kids to learn what grooming is. Better training for teachers and other people who work with kids a lot to see the signs of abuse. Better enforcement of child pornography laws. More money for investigating child pornography and trafficking.

But not banning encryption. Encryption is a tiny piece of the child pornography puzzle and will have little effect whether it exists or not.


Don't let your kid videochat on the internet? Maybe?


Yeah this is a parenting failure first and foremost. We don't know what the magnitude of the problem is once that variable is accounted for.


As I concealed my first puffs on a joint from my parents, I'm 100% sure that my kids have access to the internet without my permission.


Smarter kids to prevent grooming and sending pics (btw, in most states this turns kids into child porn producers a more serious crime than child porn viewer).

To stop the adults abusing kids it’s hard like any other crime.


>in most states this turns kids into child porn producers a more serious crime than child porn viewer

This is even worse than the OP


Sadly when end to end encryption gets blocked the highest number of convictions will probably be 12 year olds, since they are probably less likely to be able to get around controls.


Once all the kids are safely in jail, can we have our private conversations back?



