Comment by harrisoned
1 day ago
Even if you are not in the EU, this will affect you. Some countries really like to copy such regulations from others. Once services starts complying, other governments will go like "if you did for them, you can do it for us, right? so it's not technically impossible", and things only get worse from there. Not all services will simply block the EU as well, which would be better to send a stronger message if approved.
I really fear where this is headed.
Centralized messaging services won't last long, their capture is sadly inevitable. In the long run, only self-hosted/decentralized protocols can resist what's coming.
In the meantime though, Signal specifically should not do something stupid like blocking the EU, which is basically surrender. They are a non-profit headquartered in the US, so there are zero business risks to non-compliance - nothing in the EU to fine or seize. And the EU has no jurisdiction over servers in the US, all they can do is build their own Great Firewall. (However, they might pressure AWS to deplatform Signal - hopefully the team is prepared for the possibility that self-hosting will be necessary soon.)
> Centralized messaging services won't last long, their capture is sadly inevitable. In the long run, only self-hosted/decentralized protocols can resist what's coming.
Very much. I also fear they coming for this, we already have instances of where using secure alternatives tags you as a criminal[0], so i don't doubt a future where non-approved applications will get you in trouble. With everything happening around Android locking itself down[1] and Windows being a spyware[2] anybody who wants privacy will be 'different', and can be tagged and excluded from parts of society for not using the same services.
[0]: https://news.ycombinator.com/item?id=48815196
This is why you should be building parallel networks and even institutions, as the Czechs did under Soviet rule (look up “Parallel Polis”). Mutual aid will become critical.
2 replies →
If I was signal CEO I would have self hosted years ago! There's many reasons for signal to be not on AWS.
I wish you were right, but the EU only needs Google and Apple, both having big EU businesses, to block Signal.
Google is already working on closing the possibility to install apps from outside the app store, Apple has been like that since forever. The fact that a few technically savvy users with rooted phones will still be able to use Signal doesn't mean anything. It will be dead if the EU decides they don't want it.
Signal is quite likely to fail on account being a single organizational entity running the service and refusing to adapt their protocol for federation. In fact, it might already have happened (partially) and you wouldn't know, because they're US-based. The US has the National Security Letters mechanism:
https://en.wikipedia.org/wiki/National_security_letter
the government can compel entities to let them access their systems and keep it a secret.
Also, if Signal runs on AWS, that is another potential vector of surveillance.
This is existing regulation being extended. It allows sites to scan messages. Not mandates.
These kind of responses is why it is hard to trust privacy advocates on HN. They are high on rhetorics, but half the time dont know what they are talking about.
I hope I'm being pessimistic about that. If I'm wrong, great.
I did saw it was an extension of the 1.0. To my understanding, "allows to scan" can also mean enabling a pipeline for accepting requests of scanning lawful content because, well, they can. In practice, it creates a mechanism to crawl people's information because when they feel like. While the law do make it explicit that this 'allowance' should not be used for anything else outside of the scope, i can't trust they won't. Once the mechanism is there, and that is valid for other countries, it might be used for stuff outside this scope since it's possible.
I work in the ISP field, and this happened in another context. First, a pipeline was built to block sites without a judge, because doing it only with court orders made it to difficult. After a few months of many ISPs complying the scope grew, now they can target piracy websites at will, and you must comply. Why stop there?
My fear is that this sets an example. I hope I'm wrong, but i don't trust them. There's a reason it was rejected before and it is being passed like that now.
Sorry for copypaste, but I still hope people will see true intentions of govt.
Just a recap how it happened in Russia:
1. First, year ~2015 legal framework was created under disguise of banning pirated media(specifically torrents.ru)(legislative push). State-wide DNS ban introduced. Very easy to circumvent via quering 8.8.8.8
2. Then, having legal basis, govt included extra stuff in banned list(casinos, terrorist orgs, etc)(executive push). IP bans introduced, applied very carefully.
3. Legal expanded allowing govt to ban specific media on very vague criterias(legislative push). IP blocks tried on some large websites. DPI hardware mandated to be installed by ISPs to filter by HTTPS SNI(executive push).
4. At ~2019 Roskomnadzor(RKN) created, special govt entity which enforces bans without court orders(legislative push).
5. ~2021 sites become banned if they are not filtering content by Russian laws by request of RKN(executive push). VPN services were obligated to also DPI-filter traffic(legislative push).
6. ~2023 Crackdown on VPN started(executive push). Popular commercial services were IP-banned, OpenVPN and IPSec connections selectively degraded by DPI.
7. ~2025 Heavy VPN filtering(vless, wireguard, etc) introduced(executive push). Performance of certain sites were degraded(youtube, twitter, etc).
Yes - this allowed companies like Google, Facebook, Snapchat etc to do what they already do (voluntarily) in the US and other territories - scan unencrypted user-uploaded or shared media for matches against NCMEC hashes, and image classifiers trained to find novel CSAM.
When you hear of "person arrested after NCMEC cyber tip" that's what this enables - people sharing or storing CSAM that was caught by this scanning, reported to NCMEC, and then sent to local authorities.
I have zero problems with Chat Control 1.0 as the existing derogation brought the EU into line with the rest of the world. Chat Control 2.0 is problematic however, but again, is not what's being voted on here.