cross-posted from: https://discuss.tchncs.de/post/48813307
!!! IF YOU ARE AN EU CITIZEN, PLEASE DO THE FOLLOWING FORM !!!
https://fightchatcontrol.eu/#contact-tool
Be especially sure to select your home country’s permanent representation in the Committee, but selecting everyone the website proposes is a very good idea (and done by default).
Raise your voices and flood their inbox, this might be the last chance we ever get
Still can’t fucking believe Denmark, my country, supports this. Yeah, it got revised thanks to Denmark, but it shouldn’t be revised, it should be killed.
Un-fucking-believable 😡
Who do we need to kill?
Question for a the Fight Chat Control website: My country’s primary language is not English, do I need to translate the e-mail?
Cough, Briar, Cough, Cough SSB cough.
I’m tired, boss.
So am I, but they are not.
I feel you
What is this Law Enforcement Working Party?
What is its relationship to the Council?That’s not a surprise, but that’s sad!!
Let’s continue to fight against!!!
outlaws anonymous communication by requiring every citizen to verify their age before accessing a service
This is likely to be the case in practice, but technologically, it does not have to be the case.
If the age verifiers (which IMO should be the governments themselves[1], but could also be a private third-party, as long as it’s not the same as the social media company) only ever receive a blinded token representing the user, verify the user’s age, and then the user brings that token back to the social media site, unblind it, and present them the signed token, there is no way for the age verifier to track which sites a person visits, and no way for the sites to have any detail about who their users are (other than what they already have).
obviously, it actually shouldn’t be anyone at all: parents should be put in charge of their own kids, and maybe given the tools with robust parental control software to handle it client-side. Government server-side age verification is just not a good option. But if we assume they’re going to do that, we should at least discuss the way it could be done in the least-bad way. ↩︎
Or we just sell anonymous age verified serial numbers at gas stations like prepaid phone cards.
Yeah, but then you can just share them with anyone. In this case, privacy always contradicts effectiveness, and that is why we need to fight the whole idea of age verification altogether.
Why is this specifically relevant to Linux users?
Well,
- controlling end-to-end encrypted messages is only possible if either the keys/certificates are not secret (which is possible with TLS), or the software on the end-users device is not controlled any more by the user (but perhaps by law enforcement, or companies). This overturns the basis of any FLOSS software system where trust is based on transparency and user control.
- age verification will typically done by a form of attestation, a highly problematic concept. Again, this would require to run software on the users device which can’t be controlled by him or her, which is deceptively called “trusted computing”. (Technically, age verification could be done by other means, but this is not what these proposals aim for).
- in the world of public-key cryptography, which is what TLS , GnuPG, and most other modern systems are based in, encryption and digital signatures are nothing but two sides of the same coin: Who breaks encryption keys necessarily also breaks signature keys. This means it is not possible any more to sign software such as the Linux kernel, or Email clients, or browser packages. Or even banking apps or bootloaders for smart phones. Which means to give control away to the entities, groups or induviduals controlling these keys. Ironically, this will make computing lot less safe, and also undermine trust in communication networks, because communication where we can’t be sure that the communicated symbols are genuine is for humans as worthless as the numbers on fake money. (As a corollary, it is also bad for business: All business is based on some amount of trust. Would you do important business with somebody if the only communication channel you have happens to be a messanger which is a compulsory liar?)
To sum up, this is a massive transfer of control.
These politicians really aren’t afraid of those they were elected to represent…
For their sake I hope they stop this FAFO, before more damage is done.him or her
Just say them
Just a question from my ignorance: but is this really enforceable, outside of mainstream apps/services? What happens if someone creates a custom app relying on a custom sever and uses it only among few trusted people?
mainstream
is the keyword here. Mainstream is really big.
They come for the lions share first. You do nothing because you think you’re unaffected. Then later they will come for you. And nobody will do anything for you either.
Of course, professional criminals like yourself (sarcasm) will find a way to escape the law. But I doubt it’s nice to live on the edge of society like that anyway, being unable to interact with most services.
Just an example: Of course you can use a private email service. You don’t need to give a copy of all your communications to Google Mail or outlook. Or medical data.
But what helps that, if 97% of the people you communicate with (including your doctor) use outlook or gmail, and all messages you write them are kindly stored there “for them”?
For the moment, that would not be enforceable in respect to people with technical knowledge. Enforcing it would require authoritarian control and even China’s Great Firewall has way to circumvent it.
On the other hand, this is already far more difficult than you might think. You could not install such an app from a server authenticated with TLS because the TLS keys might be subverted - the certification chain has national institutions as the top certificate authorities. You would also not be able to install such an app on an Android phone because Google has decided it needs developer attestation to install apps in a way accesible to end users. You can run Linux now but if all that is taken seriously, your options to run Linux might become limited. E.g. you already can’t run many banking apps on phones with user-controlled OS software. Railway apps like the German one already don’t work. In future, you might not even be able to use a municipial library’s or bookstore’s website this way.
But more to the point, the real application case for this kind of civil rights is not some nerd kids which want to play DnD or minecraft on their own server or test their self-written IRC service. The real application case is what we see in the US, people being dragged out of their house and disappearing just because of their ancestry, how they look, being poor or the area they live in. They don’t have time to compile software or configure port-knocking protocols.
Somebody has called these systems of “democratic” mass surveillance uncovered by Snowden “Turnkey Dictatorship” . I for sure wish they would have been wrong.
Well… I assume that might be illegal. Or maybe these rules would only apply to public software? For sure it wouldn’t be enforceable, and it would still allow criminals to use it to communicate privately between each other, but it would make it harder to exploit mainstream public apps (e.g.: WhatsApp) to scam or exploit weaker individuals.
So after opening the link I can select my concerns, insert my name and then send, right?
Why don’t you just try it? 😉
But the answer is: yes.Because after trying it wasn’t even remotely clear if I was doing it correctly and if any recipient was actually selected, so I decided to ask since it’s a pretty important thing that I must not fuck up and I can’t go for trial and error.
Doesn’t it open your email program with all selected addressees?
What did you expect to go horribly wrong?
