Comment by palata
2 days ago
> it's not like internet is made of a few select providers
In practice it is. Almost all messaging happens on a few apps.
> also the most widely available apps already comply to the single police request to access conversations from suspects
That is not true: Signal is widely available and doesn't do that. WhatsApp probably doesn't do it either.
Don't get me wrong: I am against ChatControl as well. I believe that security comes at the cost of freedom, and it is a choice to be made on a case-by-case basis. Removing E2EE for everybody is not worth it, because criminals will always be able to use encryption one way or another. The problem is that politicians don't seem to understand it.
They do understand it but what they want is not just criminals' data but all of us.
They want to pick the easy fruit. The dumb criminals that would do that sort of thing over WhatsApp.
Yes, but this easy fruit has a flavor of the week:
https://stateofsurveillance.org/news/ben-werdmuller-signal-z...
https://www.whitehouse.gov/presidential-actions/2025/09/coun...
> Common threads animating this violent conduct include anti-Americanism, anti-capitalism, and anti-Christianity; support for the overthrow of the United States Government; extremism on migration, race, and gender; and hostility towards those who hold traditional American views on family, religion, and morality.
Like, you can get 30 years in prison now for moving some boxes with zines in them, just because you are anti-fascist.
Yes, this is American politics; but don't think that the benevolent overlords of the EU don't plan for this same outcome: Already in many European countries, I can go to prison for just saying, "Free Palestine". They want it so that people cannot even say that in private.
WhatsApp already does it for unencrypted messages for about half of the EU under the purview of the rules of lawful interception obligations for NI-ICS, as well as Norway, Switzerland and the UK.
When they want to read encrypted messages they seize the phone and use Cellebrite or similar third-party tooling to gain physical user-level access. No need for cert-pinning or esoteric MITM attacks.
N.B. China does not allow WeChat to have e2e encryption.
> When they want to read encrypted messages they seize the phone
That is very, very different from mass surveillance.
The whole point of end-to-end encryption is that providers cannot comply with police requests to access conversations. A properly secured system would make it impossible without compromise of your device. Now I don't know what Signal does, but I am almost certain WhatsApp can just lie about your contacts' keys and man-in-the-middle the connection.
> Now i don't know what signal does
That makes me question how much you know about end-to-end encrypted messengers, because Signal is the gold standard.
> I am almost certain WhatsApp can just lie about your contacts keys and man in the middle the connection.
The problem there is that WhatsApp is not open source, so you can't check. So obviously you have to trust. But there are many, many employees who have access to the WhatsApp sources, so if it was not implementing what it says it is, chances are that someone would have said it. Also thanks to the EU DMA we have some protocol published by WhatsApp.
> But there are many, many employees who have access to the WhatsApp sources, so if it was not implementing what it says it is, chances are that someone would have said it.
No one in Microsoft, Yahoo, Google, Facebook, AOL, Skype, or Apple said anything about PRISM. We had to wait for the NSA whistleblower. So the argument someone would say something does not really stand up to historical precedent.
I looked a bit into it and yeah, they have a key transparency mechanism where they store a blockchain on S3.
So supposedly they can't just add a key for a user in secret. But still, what if they do it in public? Does the client refuse to send messages to new keys?
It's not like we are all spending all our time going over a random S3 bucket to say `Aha, I am sure Bob didn't add this new key because he logged in from his desktop. It has to be a man in the middle`.
Can they just siphon keys off your device? Can they just deploy a special version to just your device without the vast majority of engineers in Meta even knowing about the compromised version? No one knows. Well, no one in public.
The gold standard would be personally managed keys, exchanged and signed by your contacts in person, open source software that is not auto-updating, distributed over a channel that does not know your identity.
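The comment above asks whether a client refuses to send to a key that the provider adds in public, and an earlier reply worried that the provider could simply lie about a contact's keys. The following is an added example, not WhatsApp's or Signal's code: KeyServer, Client, the safety-number format and the constructed keys are all hypothetical stand-ins. It shows the three checks a client needs on top of a transparency log: inclusion of the served key in the published log (no secret keys), an append-only audit of the log's hash chain (published history cannot be quietly rewritten), and a trust-on-first-use pin with an out-of-band safety-number comparison, because a logged key change only proves the provider did it in public, not that the contact did.

```python
"""Added example, not WhatsApp's or Signal's code: a client-side policy on top of a
key-transparency log, against a directory that swaps a contact's identity key."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in identity keys; real ones would be X25519/Ed25519 public keys.
ALICE_KEY, BOB_KEY = bytes.fromhex("01" * 32), bytes.fromhex("02" * 32)
BOB_NEW_PHONE_KEY, MITM_KEY = bytes.fromhex("03" * 32), bytes.fromhex("ee" * 32)

def chain(prev: bytes, user: str, key: bytes) -> bytes:
    """One link of the log's hash chain: H(prev || H(user || key))."""
    return hashlib.sha256(prev + hashlib.sha256(user.encode() + key).digest()).digest()

class KeyServer:
    """Hypothetical provider directory plus its append-only, hash-chained transparency log.
    It may register honestly, register a swapped key, or answer lookups with an unlogged one."""
    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}        # what lookups are answered from
        self.log: list[tuple[str, bytes]] = []  # what is published for auditing
        self.head = b"\x00" * 32

    def register(self, user: str, key: bytes) -> None:
        self.keys[user] = key
        self.log.append((user, key))
        self.head = chain(self.head, user, key)

def safety_number(key_a: bytes, key_b: bytes) -> str:
    """Order-independent fingerprint both parties can read out to each other."""
    digest = hashlib.sha256(b"".join(sorted([key_a, key_b]))).digest()
    return str(int.from_bytes(digest[:8], "big")).zfill(20)

@dataclass
class Client:
    my_key: bytes
    server: KeyServer
    pinned: dict[str, bytes] = field(default_factory=dict)  # contact -> trusted key
    audited: int = 0                    # log length at our last audit
    audited_head: bytes = b"\x00" * 32  # chain head we computed at that length

    def audit_log(self) -> bool:
        """Recompute the chain; the prefix audited last time must still be there unchanged."""
        head = b"\x00" * 32
        for i, (user, key) in enumerate(self.server.log):
            head = chain(head, user, key)
            if i + 1 == self.audited and head != self.audited_head:
                return False  # history rewritten underneath us
        if len(self.server.log) < self.audited or head != self.server.head:
            return False  # log truncated, or published head disagrees with the entries
        self.audited, self.audited_head = len(self.server.log), head
        return True

    def key_for(self, contact: str) -> tuple[bytes | None, str]:
        """Decide whether the key the server serves may be used to encrypt to contact."""
        served = self.server.keys[contact]
        if (contact, served) not in self.server.log:
            return None, "refuse: served key is not in the transparency log"
        old = self.pinned.get(contact)
        if old is None:
            self.pinned[contact] = served
            return served, "tofu: pinned on first use, compare safety numbers out of band"
        if served == old:
            return served, "ok"
        # Being logged proves the provider changed it in public, not that the contact did:
        # a changed key stays unusable until the safety number is compared again.
        return None, "refuse: identity key changed, compare safety numbers again"

    def confirm_contact(self, contact: str, number_read_by_contact: str) -> bool:
        """Re-pin only if the contact's own device shows the same safety number as ours."""
        served = self.server.keys[contact]
        if safety_number(self.my_key, served) != number_read_by_contact:
            return False
        self.pinned[contact] = served
        return True

def run_scenario() -> list[str]:
    """Walk the cases raised in the thread; returns Alice's decision at each step."""
    s = KeyServer()
    s.register("alice", ALICE_KEY)
    s.register("bob", BOB_KEY)
    alice = Client(ALICE_KEY, s)
    out = [alice.key_for("bob")[1], alice.key_for("bob")[1], f"audit: {alice.audit_log()}"]
    s.register("bob", MITM_KEY)  # provider swaps Bob's key, in public
    out.append(alice.key_for("bob")[1])
    # Bob's real phone still derives the number from BOB_KEY, so the comparison fails.
    out.append(f"confirm: {alice.confirm_contact('bob', safety_number(ALICE_KEY, BOB_KEY))}")
    s.register("bob", BOB_NEW_PHONE_KEY)  # Bob genuinely moved to a new phone
    out.append(alice.key_for("bob")[1])
    out.append(f"confirm: {alice.confirm_contact('bob', safety_number(ALICE_KEY, BOB_NEW_PHONE_KEY))}")
    out.append(alice.key_for("bob")[1])
    out.append(f"audit: {alice.audit_log()}")  # honest appends extend the chain
    s.keys["bob"] = bytes.fromhex("ff" * 32)  # provider answers with a key it never published
    out.append(alice.key_for("bob")[1])
    s.log[1] = ("bob", MITM_KEY)  # provider quietly rewrites already-published history
    out.append(f"audit: {alice.audit_log()}")
    return out
```

Calling run_scenario() walks through first use, a public key swap, a genuine phone change, an unlogged key and a rewritten log. The division of labour is the point: the log and its audit only catch a provider that hides or rewrites keys, while the client-side pin plus the out-of-band comparison is what catches a provider that substitutes a key openly. Signal's safety numbers are the user-facing form of that pin; a client that silently accepts any logged key has no defence against the "do it in public" case.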
> The problem is that politicians don't seem to understand it.
The problem is that politicians were corrupted by power.
This is an extremely naive view of politics in complex systems like the EU. We're not talking about the US or French president here. The people in the 27 EU countries elect their EU representatives, and nobody knows them. People usually vote for a party, and they usually don't care much about the EU, except for complaining.
It feels like people who are against the EU vote for far-right politicians (the ones that are against the EU).
EU politicians are elected by the people and they represent what the people from the 27 member countries voted. Which is different from e.g. the US president, where the people don't really have much choice. Same in France, where people voted against the far-right and not at all for Macron.