← Back to context

Comment by mrtksn

2 days ago

FTA:

What changes with the return of Chat Control 1.0—and what stays the same:

*What is coming back:* US tech companies are once again allowed to scan private messages without a warrant or prior suspicion. This affects direct messages on platforms like Instagram, Discord, Snapchat, Skype, and Xbox, as well as emails via Google’s Gmail and Apple’s iCloud.

*What remains unchanged:* Public social media posts and files hosted in cloud storage could already be scanned without this law. Furthermore, private messages can always be reported by users, or monitored by authorities using targeted, court-ordered wiretapping.

*What is still NOT being scanned:* End-to-end encrypted chats, such as those on WhatsApp, have always been exempt from these scans. Additionally, European providers of messaging and email services have never implemented chat control measures.

So, E2E is unaffected?

The Internet Watch Foundation, the group, funded almost entirely by big tech, who pushed for this vote to be held under emergency procedure, is already at work lobbying for the end of E2EE [1].

In a couple years time, Chat Control 2.0 will come about, and the same tyrants will use the EU admission [2] that there is no evidence that suspicionless scanning of private communications has led to an increase in criminal convictions or in rescued children to argue that we need to go further, and break E2EE.

[1]: https://www.iwf.org.uk/resources/end-to-end-encryption-and-k... [2]: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...

  • Why would big tech be in favor of having to scan message content? It puts more regulatory requirements in place on their activities. Would they not be in favor of _less_ regulation so they can provide services to their users with fewer legal considerations?

    If big tech _wanted_ to they could already backdoor their encryption and scan the message content, they don't need regulation to do that. The only thing that changes with regulation is that they now _have_ to, which cannot possibly be in their favor.

    • It's confusing because of the indirection.

      The Internet Watch Foundation is one of these NGOs that makes lists of hashed child porn images and URLs. All the big tech companies subscribe so they can coordinate on blocking child porn, as they are legally required to do.

      Unfortunately the IWF is also a "charity" and thus engages in political lobbying. Because like all such NGOs they have a single purpose, they lobby for making that purpose easier irregardless of other costs, which they view as out of scope. It's obviously easier to watch the internet if tech firms are forced to watch everything all the time, so that's what they're in favour of.

      People actually working at tech firms on messaging systems don't want to do this, however. So they end up funding people who are undermining their own policies. This is very common whenever NGOs get involved e.g. governments funding NGOs that directly undermine the government's own efforts.

      The fix would be for tech firms to leave the IWF and set up their own alternative organization that doesn't engage in lobbying activity. However, that would require a lot of cross-org agility that is difficult for big companies to achieve even internally, let alone across the industry, and the leadership is all thinking about AI anyway not EU stuff where they already just assume the EU is going to regulate them all the death anyway. So inertia carries the day.

    • > Would they not be in favor of _less_ regulation so they can provide services to their users with fewer legal considerations?

      Regulatory capture. If the handling of user messages requires constant scanning and there are enough rules that you need a team of lawyers, then only Google, Meta and Apple will be able to afford it.

      16 replies →

    • Regulation is a good thing for big, established incumbents who can afford expensive lawyers. It keeps them safe from competition.

    • I think this is basically correct and aligns with Facebook’s massive push toward e2ee in Messenger. They don’t want to be on the hook, and didn’t do e2ee just for the fun of it

    • Why? To know more to train AI and sell your info to third parties. To spearhead ads to you.

      Why an earth would a big tech company say no to gather more info on its users? Show me the first one

    • Because regulation (even well meaning regulation) always favors incumbents and hinders startups.

  • Do you have source for IWF funding being by big tech?

    Haven’t found anything that breaks their funding down by source and the majority on the UK govt site is from “charitable activities” (https://register-of-charities.charitycommission.gov.uk/en/ch...)

  • At this point we have no choice but to conclude that the Eu has been subverted by megacorps as badly as the US political system has been.

Guess what's coming next:

> Overview

> End-to-end encryption is a term used to describe blocking or preventing any third-party recipient from viewing, reading or becoming aware of information that one individual has sent to another. In response to growing concerns about online data security, many technology companies are adopting this strategy with potentially dire circumstances.

> The use of end-to-end encryption would prevent the companies or any third-party from detecting illegal activity occurring on their platforms, including the activity of people who use the internet to perpetuate online demand for graphic sexual abuse material of children.

> We believe personal security is extremely important and support efforts to improve online privacy. But, if this solution is implemented with no exceptions for detecting child sexual exploitation, millions of incidents of abuse will remain hidden, leaving these young victims without any help or protection from these horrific crimes.

https://ncmec.org/theissues/end-to-end-encryption

> So, E2E is unaffected?

Because its an extension of an existing bill.

After the whole internet lost its mind about Apple CSAM scanning and being horribly off target, I'd recommend to ignore news reports and go to the sources when making an opinion.

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=COM...

The only issues I can see is the error rate for non-CSAM scanning and how the latest vote was conducted.

Although the scanning part, it is still law enforcement that has to review that information and determine if there is a case. Most of the those are teens sharing naked photos with other teens.

Yes.

Chat Control 2.0 was the big one in those regards.

(Also, LOL @ Skype mention.)

  • Then I'm not very moved about this. I always assumed that anything unencrypted is scanned one way or another. What I care is not having a backdoor for E2E, i.e. like client-side scanning telling me what I am allowed to talk about like with the LLMs. CSAM excuse is a great excuse to turn every conversation to what we have with AI today.

    • If reading messages that are not for ones eyes is OK, then it is a much smaller step to the next level, which is to also being able to read encrypted messages. Slowly boiling the frog.

      1 reply →

    • I assume the same, but not because it’s sanctioned. Sanctioning is a slippery slope or a degree change as has been mentioned.

    • > I always assumed that anything unencrypted is scanned one way or another

      By this logic, I should be happy if mail delivered to my address always arrives already open.

  • Don't downplay Skype, as Teams is still just rebranded Skype for Business (LYNC).

> What is coming back: US tech companies are once again allowed to scan private messages without a warrant or prior suspicion. This affects direct messages on platforms like Instagram, Discord, Snapchat, Skype, and Xbox, as well as emails via Google’s Gmail and Apple’s iCloud.

They are already allowed to do this, and already are doing this. When you provide data to the service provider in a non-e2ee fashion, it's their data as much as it is yours. They can scan it, data mine it, analyze it, whatever.

  • This is the whole point though. They are allowed to do this because of the original chat control from 2021 which was temporary and expired in march. Without chat control it is very debatable what companies can legally thanks to eprivacy directive.

And your REALLY think E2E is going to "protect" you?

If the "services" want to watch, don't worry they will, "they don't need your password". But I guess they "do" that only for the very baddies, aka child exploitation, human trafficking, terrorists, killers, drug dealers, etc.

We all know here that "information system security" does not exist, this is a fantasy: there is only some "best effort" with a wide spectrum of compromises. If somebody talks to you about "deliverable security", that guy wants to sell you something.

E2E will protect you only against John Doh, "hacker only on Sundays". And we better keep that in mind.

  • What are you talking about. You think service providers can backdoor aes-gcm? There will always be technology that they cannot get around. The only way to backdoor is to explicitly change the encryption.

    • Are you misunderstanding on purpose?

      This is not specific to 'backdooring aes-gcm implementations' at all. Read again what I wrote, namely this is the general status quo on 'information system security': they don't need your password or aes-gcm key to watch if they really want to. You would be a fool to presume anything else.