> The Armed Forces, on the other hand, are negative and write in a letter to the government that the proposal cannot be realized "without introducing vulnerabilities and backdoors that can be exploited by third parties
First time I am seeing an organization against this. Kudos to them for standing up.
According to the original article (Swedish: https://www.svt.se/nyheter/inrikes/signal-lamnar-sverige-om-...), the reason for the armed forces to be against it is because they recently started advocating for its personnel to start using Signal to reduce eavesdropping, so backdooring Signal would decrease the armed forces security.
> Men Försvarsmakten är negativa och nyligen uppmanade försvaret sin personal att börja använda Signal för att minska risken för avlyssning.
In fact, they are negative because they say that this can't be done without opening up the service to vulnerabilities that could be used by others.
> I ett brev till regeringen skriver Försvarsmakten att lagförslaget inte kommer kunna förverkligas ”utan att införa sårbarheter och bakdörrar som kan komma att nyttjas av tredje part”.
> In a letter to the government, the Swedish Armed Forces writes that the legislative proposal will not be able to be implemented "without introducing vulnerabilities and backdoors that may be utilized by third parties."
Yes, but your deduction is incorrect. They're saying the SAF are negative _and_ they recommend their personell to use the service, not that they are negative _because_ they recommend it.
I don't see how you can know that "because" is incorrect. This seems like it could be possible to me:
(Possibly) SAF is negative because they use Signal, and don't want a law that would introduce vulnerabilities into Signal that could be utilized by third parties.
TOR was sort of famously contributed to by a dude in US Naval research early on, right?
They are militaries, not police or intelligence forces. The job is to be ready to do war, not nanny and snoop on civilians (Some of that might be a necessary side effect but it isn’t their reason for being).
Militaries need intelligence services to be their eyes and ears. That said, most people who are not in their country's armed forces, government, or intelligence service vastly overestimate how much another country's intelligence services actually care about them. Most people aren't that interesting and don't have any intelligence value for another country's government.
They're not using/advocating to use Signal for their military control/communication:
> This week, Brigadier General Mattias Hanson, the Swedish Armed Forces' CIO (Chief Information Officer), decided that calls and text messages that do not concern classified information should, as far as possible, be made using the Signal app. The decision aims to make it more difficult to intercept calls and messages sent via the telephone network.
Seems people were using SMS for those messages they are now advocating to use Signal for.
Also, seems they've done a review (obviously) but unclear if they had access to something internal from Signal to do the review, feels like they had to:
> The Signal application has been deemed by the Swedish Armed Forces to have sufficient security to make it difficult to intercept calls and messages.
Any decent military will be using multiple forms of communication systems.
I was a communications specialist for the Swedish Armed forces 10+ years ago, including a tour in Afghanistan and a tour in Kosovo.
We used radio links for internet that I can tell you, were more adversarial than friendly.
The Swedish military is highly capable when it comes to network communications. A small nation will have to think differently.
You could potentially use an instant messaging system in control by someone else, if you are willing and capable of sharing encryption keys with whomever you are going to communicate with beforehand.
>Because everything in Signal is end-to-end encrypted, we can rent server infrastructure from a variety of providers like Amazon AWS, Google Compute Engine, Microsoft Azure, and others while ensuring that your messages and calls remain private and secure.
Your source doesn't support your claim. The exact snippet you quoted, interpreted strictly, only means they have the option to host it across providers, not that they actually do so. It also doesn't say anything about where it's hosted. It can be hosted in AWS, GCP, and azure, but all in the US, for instance.
FYI the EU wide proposal to scan all your private messages using an AI agent on your devices also originated in Sweden by EU Commissioner Ylva Johansson in 2022.
> EU Commissioner Ylva Johansson has also been heavily criticised regarding the process in which the proposal was drafted and promoted. A transnational investigation by European media outlets revealed the close involvement of foreign technology and law enforcement lobbyists in the preparation of the proposal. This was also highlighted by digital rights organisations, which Johansson rejected to meet on three occasions. Commissioner Johansson was also criticised for the use of micro-targeting techniques to promote its controversial draft proposal, which violated the EU's data protection and privacy rules.
I don't think anything good ever came from Ylva Johansson. Mentions of her name on something should make one automatically treat that thing with suspicion.
European armed forces should know best, given that Signal has seen actual use by Ukrainian military personnel, with Russian forces trying their best to target those encrypted communications (right now mostly by getting those smartphones from dead bodies).
The fact that proposals like this get this far, without anyone checking with the defence department and actual experts is really weird. It's not just Sweden, this is clearly a problem in many other countries.
I'd really like to know why it's so hard for politicians and police forces to understand that backdoors are dangerous.
It will be waring factions within government (which is never unitary in any country) --- here these laws/proposals/etc. probably come from domestic spying agencies and police forces in most countries. I suspect that signals intelligence agencies and offensive forces have probably mostly moved to "encryption is good" stance given the number of foreign attacks upon domestic assets (gov, biz, etc.).
However, we shouldn't underestimate the desire for foreign intelligence agencies to bait one's own domestic agencies into "spying for them". So i imagine there's some pressure from, eg., the US sigint agencies to have the EU compromise EU citizens in ways that even those very agencies may today not wish to compromise their own.
At a complete guess, I wouldnt be supried if, eg., the NSA (, CIA, et al.) were goading EUROPOL which was demanding domestic anti-encryption laws.
As an empirical matter, encryption makes agencies like EUROPOL's jobs extremely difficult -- i imagine also because they probably struggle to get coop from domestic police forces, so cannot easily do "the physical police work necessary" to get device access.
In the end, I imagine we'll have china to thank for the end to this nonesense -- since any backdoor will immediately be a means of mass corp/gov espionage.
It's not the purpose of five eyes, it's a noted tactic.
But at the same time countries realise they are under attack economically and political from hostile cyber warefare... and so there's something self-defeating about this tactic now whereas perhaps 10-20 years ago there wasnt.
It's hard to imagine a US-China war (say by proxy in TW) or a EU-Russia war (eg., esp., by proxy in UA) "going well" under conditions of broken domestic encryption.
Eg., back when the UK mass surveillance law was passed in 2016, I imagine sigint agencies were more on-board... today I wonder if that law would now be "quietly opposed" on grounds of national defence
That's not how Sweden remained "neutral" though, although I'm not sure I'd agree Sweden been neutral since 1814, wasn't exactly neutral before/during the second world war. https://en.wikipedia.org/wiki/Sweden_during_World_War_II
Signal is headquartered in the US and presumably has no employees in Sweden (and perhaps the entire European Union).
There is utterly nothing the Swedish government can do to stop Signal except for pressuring app stores and/or ISP-level censorship. Preemptive surrender is extremely disappointing, especially for a non-profit - there isn’t even any revenue that can be ‘fined’ by the EU!
> There is utterly nothing the Swedish government can do to stop Signal except for pressuring app stores and/or ISP-level censorship
They can go after executives and employees of foreign companies, too. The charges may not mean much unless those employees travel through Sweden, but if the political winds change in the future then they may be able to convince other countries to enforce their charges against employees as well.
It’s reasonable for a company to avoid risking their employees becoming targets of detention for international travel.
It also more effectively highlights the political issue within Sweden if people there see the consequences of the laws of their elected officials rather than having those laws silently ignored by a company that takes the legal risk upon themselves.
Since when is there a Signal web app? I don't think there is, but even if there were then presumably it'd work the same as the desktop app: "To use the Signal desktop app, Signal must first be installed on your phone."
What's funny is that it's other EU laws from totally different parts of government which are, at the same time, pushing to allow for side loading of apps and alternate app stores on iOS and Android.
The end result of which, if done at large scale, means that an EU government couldn't ban signal, short of forcing all its domestic ISPs to be downstream of a China type great firewall, or simply null route all the IP space where signal's servers are located.
All the alternative app stores can easily be subject to the same legal requirements as Apple.
Side-loading is harder to enforce any rules over, of course.
Blocking domains is well-established at this point, thanks to the copyright industry doing a 21.5-year whack-a-mole-waltz with The Pirate Bay. Of course, this also demonstrates the limited effectiveness of domain blocking.
> Of course, this also demonstrates the limited effectiveness of domain blocking.
Extremely limited effectiveness, when VPN operators like Mullvad are corporations based in Sweden and offer 5 euro a month service to bypass whatever local "mess with internet traffic" activity, whether government-caused or not, that someone's last mile ISP is up to...
There's also the game of whack a mole with taking ownership of domains at the registrar/ICANN level through court orders, such as with the various .com or similar things that get jacked and plastered with a "DOMAIN HAS BEEN SEIZED" notice by the US feds.
Sweden is part of the expanded 5 eyes (now 14 eyes). As a workaround for restrictions on domestic spying, they subcontract their dirty work to each other. Hence, you can expect the US to assist in pressuring them (ostensibly on behalf of Sweden)
I keep seeing this idea that because a company is headquartered in some place, means they don't have to follow the laws of the countries where they operate.
Yes, Signal may be headquartered in the US, but that doesn't mean they can just ignore the laws of other countries, which is exactly what may happen here, depending on the outcome.
Sweden may propose a backdoor (a utterly shitty idea, I agree) which Signal may decline (which this submission is about). Then the next step is either Sweden giving up on the request, or placing fines on Signal until they comply or outright ban it, or Signal deciding it isn't worth it (prevent Swedish users from using Signal).
All within their capacities and rights, even though I again think it would very stupid approach.
There are only a few instances where institutional powers pass judgements that they cannot enforce. Generally doing so makes that institution look weak because it puts them in a position to have their rulings openly flouted. That's at the core of what jurisdiction means.
Sweden can fine Signal all they want but if they can't enforce the collection, they weaken their power and foster disrespect.
Singal is centralized? Can't they just block it at the border? I understand VPN or whatever, but if they're serious I hear there's a couple of countries with "pretty good" border firewalls.
Doing that would eliminate so many Swedes from Signal...
I haven't found a VPN solution for iPhone users in a couple of US states. It's like iphones are actively hostile to the very idea of a VPN. Or at least "self-hosted VPN", maybe the $20/month VPN work but that's... Sketchy.
You're making my point. Sweden would choose the most effective mechanism that they can actually enforce to deal with Signal's noncompliance. Blocking DNS or ISP access is much more accomplishable for Sweden than trying to levy fines.
Not familiar with Swedish law, but in most of the world the courts have a concept of jurisdiction. Otherwise a small country could just fine Apple $1T and solve its budget woes, and probably build a giant waterslide.
I would be surprised if Swedish law allowed for prosecuting a foreign company with not one bit of operations in the country.
> a foreign company with not one bit of operations in the country.
Borrowing from how tax & law is usually applied for companies trading outside of their incorporated country, at least in many places including the EU: If you have users/customers in a certain country, even if your product is purely software, you can be considered to have operations in that country.
> even if your product is purely software, you can be considered to have operations in that country
Couldn't users in pretty much every internet-connected country use VPNs and other methods of cross-borders indirection to access even those US services which explicitly block non-US IP ranges?
If this is the case, then is it not the case under the quoted reasoning above that any internet company should be expected to have operations in every other internet-connected country?
> If you have users/customers in a certain country, even if your product is purely software, you can be considered to have operations in that country.
If no money is changing hands, good luck with that. (Or, rather, bad luck with that.)
(If money is changing hands, you might find your payments blocked by local payment providers, though even then that would take a while and might or might not happen.)
How are they operating? It might as well be viewed as citizens of Sweden interacting with a foreign service out of their own volition.
In general, laws are backed up by the threat of violence. To the extent that Sweden's police can't confiscate Signal's assets in the US, they do not have to comply with anything. The only leverage Sweden's government may have is ISP level censorship, which is likely to cause unintended disruptions. Signal is in turn free to attempt to circumvent the censorship.
> I keep seeing this idea that because a company is headquartered in some place, means they don't have to follow the laws of the countries where they operate.
My friend's medium size regional ISP is headquartered in the US and as a hosting company certainly has customers who violate any number of censorship, blasphemy, etc laws in Iran, Russia, Myanmar, Pakistan, Bangladesh, just to name a few.
Signal doesn't "operate" in Sweden any more or any less than any other internet based service which has zero servers, offices, bank accounts or other physical presence in the country.
While I don't personally agree with the law, I genuinely hope we witness a major corporation withdraw from a market just so we can finally observe the concrete impact of these types of threats. (Even though their position is understandable in this particular case.)
Google ultimately did that for China. The outcome in that case is that the domestic market filled in the gaps, while complying to all relevant authoritarian legislation. I do not believe that the same would happen for every market where these stunts are being pulled off, at least not to the same level of quality.
Why are European countries trying to pull one off from the China playbook, while simultaneously being shocked that companies react to authoritarian moves in the exact same way as they have done in the past, is beyond me. Is the hubris so large that they honestly can't conceive their "requirements" as being "literally the same as China?"
Having to build local alternatives probably had a positive impact on China's software industry. We're at a point today that major Chinese software/tech companies are routinely talked about on nightly news.
Well, only some claim to "remain committed to offering our users the highest level of security for their personal data" while turning off E2EE cloud storage for an entire country.
What other choice did Apple have? To ignore the law of a country where you operate just because you don't agree with the law is a terrible standard to set.
They could have done like Telegram in Russia and said that they will not care about that and work on ways to bypass any firewall that could setup the authority to block it.
As Signal are doing here, they could have refused to do business (at least, with iCloud) in that country. That's a far bigger pushback than simply capitulating to removing a relatively unknown feature.
To be clear, if they did this and the UK gov called their bluff, it'd affect me personally, but I'd rather that than swinging open the backdoors
I don't know... what else could Apple have done? Hard to determine what else they could have done besides turn off the feature in a thread on another company not just turning off a feature, but leaving a country entirely.
Once Signal is backdoored successfully (in this alternate timeline) you go after WhatsApp, RCS, whatever other encryption you can't bypass. Other countries follow suit because Sweden did it (like an infamous single study out of the Netherlands that affected global health policy.)
The goal is no privacy. Because terrorism. Or the children. Or espionage. Just pick one and speak against them directly and you'll find many arguments why the government needs access for any of those reasons. People love going to bat for giving up rights.
I forget who said it but you cannot have a civilization without secrets.
What is the state of peer to peer messengers with E2EE? Over ten years ago, Bittorrent Inc. (now Rainberry and Resilio) made a serverless chat client (Bleep IIRC). But I don't think there is anything new that is also user-friendly? (Drop-in replacement of WhatsApp, Signal, iMessage, etc.)
Peer to peer communications are difficult to combine with mobile phones (at least if you value battery life). There are various messengers out there, but they're incredibly niche and I doubt they'll ever get any decent user bases.
Tox is peer to peer and encrypted, but its UX will probably drive away anyone who wants the ease of use of Signal or WhatsApp.
I think Matrix experimented with the concept of running a server on-device, and that's one of the few alternative chat systems with decent UIs available, but AFAIK that never made it beyond the proof of concept stage.
Veilid Chat, developed by the Cult of the Dead Cow, promises to be an interesting option, but it's currently in beta and has been for a while.
> If the purpose is to stop the gang violence, why not remove the gangs from the country?
Because the stated purpose is only the sales pitch. The full list of uses will never be stated publicly, unless someone like Snowden leaks it at great personal peril.
Apple did the right thing in the UK. This means that neither politicians nor the military will benefit from E2EE, while it's clear that they wished that just the plebes would be affected by this.
Maybe all IMs should then drop encryption altogether, bringing us back to the stone age of clear text messaging (email sent unencrypted between MTAs).
Because this "please let them use encryption, but let us peek around it" just doesn't feel right.
It seems like a lot of these proposals are coming out of Europe—assuming I’m not mistaken (and I may well be), why is Europe cracking down so much on privacy?
There is a huge section of the population who believes it's possible to strip the security of criminals using apps like Signal without it affecting everyone's security. Same in Sweden as the rest of the world.
The military of Sweden seems to get it at least, they "write in a letter to the government that the proposal cannot be realized "without introducing vulnerabilities and backdoors that can be exploited by third parties"". The military also recently advocated for more use of Signal, so clearly they've reviewed it and find the current security good enough.
It's becoming clear that EU politicians are far too easy to manipulate by companies with products to sell.
> Since the revelation of ‘Chatcontrol-Gate,’ we know that the EU’s chat control proposal is ultimately a product of lobbying by an international surveillance-industrial complex. To ensure this never happens again, the surveillance lobbying swamp must be drained.”
Sweden has rapidly devolved from a high trust society to one where firearms and grenade attacks are a weekly occurence [1]. It is the perfect opportunity for law enforcement to demand more surveillance capabilities.
Sweden is having an epidemic of Crime as a Service, where minors are recruited online to do killings etc for cash. Secure messaging makes it very hard to find the leaders of these crimes.
Bullshit. Crime gangs had myriad of ways to hire youth before. There could be other ways to make sure there’s no huge pool of youth waiting to be hired. But that may be politically too hard.
Please do your research before throwing that term after me. I don't care if you think its markedly different for crime recruiting earlier. Point is contracts for killings are put online and planned through Signal. The Swedish police find it annoying as it makes it hard to find the money men. That's the reason for why Sweden want the back door. If it makes sense or not has no bearing on what I wrote.
European bureaucrats generally have little understanding of the technology they get paid to regulate, as we've seen with the their previous attempts to regulate the industry. It's very much a "vibes-based" approach. They can simply keep proposing the same regulation with a new name until it's voted through.
> European bureaucrats generally have little understanding of the technology they get paid to regulate
I'd agree with you if you just put "bureaucrats" instead of European bureaucrats, what country isn't currently led by a bunch of bureaucrats who don't seem to understand even the basics of the technology they legislate about?
I've yet to seen a country to lead the way, no wonder the rest of the countries don't seem to know what to do and just throwing stuff at the wall.
While I generally agree, the bureaucrats in the US have been somewhat checked by nonprofits who will lobby against this kind of legislative overreach and sue if the legislation passes. Obviously we have all sorts of other problems, but mostly our bureaucrats and legislators aren’t making backdoors a policy as far as ai’m aware (who knows what the CIA and FBI and NSA are up to, though?).
I assume it’s just one of those things that Swedish society is having to grapple with abruptly and that they will adapt the appropriate institutions. I have more faith in Sweden than my own country lately.
> While I generally agree, the bureaucrats in the US have been somewhat checked by nonprofits
So does Sweden, and have had strong privacy advocates for a long time. Remember that The Pirate Bay came from Sweden? It spawned a political and ideological movement (Piratbyrån & Copyleft/Kopimi) that still has some presence in Sweden and EU although doesn't seem as strong as it used to be, except for Iceland I think.
> I have more faith in Sweden than my own country lately.
Not sure what your own country is, but assuming it's US, they're pretty much equal in many ways (but not all obviously) and Sweden basically copy-pastes US political policy for the last decades, for better or worse.
Yes, my country is the US. I'm very skeptical that Sweden and the US have similar policy in the general case or in the case of privacy in particular. With respect to privacy specifically, I don't think the US has passed any "no encryption" or "mandatory backdoor" policies (I'm happy to be corrected). In the broader case, I'm of the impression that Swedish policy differs dramatically from US policy with respect to regulation, social safety net, taxation, government-owned enterprises, etc.
The politicians voting on it might not fully understand but the people pushing the regulation absolutely do. They want a popultion that hears and sees only what they want to.
The population in europe is finally (if slowly) waking up to the fact that their elected leaders do not act in their interest. This is the establishment's attempt of staying in control of the narrative so they can keep suppressing any real resistance to their rule.
Bear with me here, but I think it comes down to believing in a "benign government", coupled with a misunderstanding of the technology.
Under a benign government (as arguably we have in most of Europe), we can have a reasonable assumption that the state will act in the interests of the population. The public sector workers who have chosen that line of work probably believe in what they're doing and want to do it well.
The government has always had the ability to steam letters open, and they will always need to, in order to fulfill their duties to the population.
Of course, requests such as adding a back door to end-to-end encryption are unnecessary when they could take control of one of the devices in some fashion...
On the surface it's mostly "think of the children" and "terrorists use encryption" type arguments.
I'm sure some of the politicians advocating for this have ulterior motives, but I hope we won't get in a position where we find out what those motives are.
In Russia Internet censorship went in ten years from "we need a legal framework to block websites with child porn on a court order, why are you against it, are you a pedophile" to blocking everything that doesn't speak complimentary of the government without leaving any paper trail at all.
The reasons mostly are "they are all owned by elites whose names you're not allowed to even know and who would like to keep the serfs docile and ignorant".
I can not speak for Europe generally but Sweden has very serious problems with gang wars the last couple years, and people are really tired of them shooting each other and setting off explosives. That's the reason for this particular proposal (and many other questionable expansions of police power too).
Because European tradition is to have strong bureaucracies steering the „democratic“ processes. And encryption is a wrench hitting those mechanisms. Another one is the raise of all sorts of independent journalists/bloggers/etc.
Those themes keep recurring both on EU as well as national levels. Including nations that ain't EU members.
As a citizen of EU member, I’d love to change this discourse. But there seems to be very few options to vote for. And then such BS happens at levels that are practically out of reach of democratical process.
It's not just privacy, Europe is cracking down on freedoms generally. Free speech, the right to silence, the presumption of innocence, etc.
Most of this is being done to address the increasing terrorism threat we now face on a daily basis. Freedoms really only work in societies where people broadly share the same values and cooperate, but European societies are fragmenting and increasingly becoming less safe and less tolerant. If we want to do something about this then restricting freedoms is probably going to be required to some extent.
Another theory I have is that this could just be a symptom of an older and more female voter base. As women become more politically active and as older generations make up a larger share of total voters if we assume these demographics are more safety orientated on average then perhaps we should assume that safety concerns will begin to trump the desire for freedom. It's just a theory though.
> Most of this is being done to address the increasing terrorism threat we now face on a daily basis. Freedoms really only work in societies where people broadly share the same values and cooperate, but European societies are fragmenting and increasingly becoming less safe and less tolerant. If we want to do something about this then restricting freedoms is probably going to be required to some extent.
Or you could undo the changes that have caused that decline in social cohesion. People don't share the same values because our governments have been non-stop importing people with radically different values. Values which see it as a positive to end the lives of those who don't agree.
> Another theory I have is that this could just be a symptom of an older and more female voter base.
That voter base does vote more for the established parties and their policies that have gotten us into this compared to the population at large, yes.
Because we’re cuckolds and a politically dead society. Also very old. After you’re passed the age of 40 you’re more interested from your pension is going to get paid for when the day will come, not in abstract things like “freedom” and what have you.
Things would improve dramatically if everybody who lives off the state (including pensioners) couldn’t vote.
In some European countries public money has turned into a pretty transparent way of buying votes. These votes are used to make sure nothing ever changes.
It is incredibly dangerous to add this kind of functionality to anything. I also believe that this request is illegal with current European legislation.
I certainly hope they don’t install any kind of backdoor, because they will give unfettered access to the fbi, and they will likely use that to hunt down marginalized groups (trans women) to eliminate them.
I wonder if there is some connection between the more-spying direction of policy to Sweden's recent entry into NATO ("after 200 years of non-alignment"):
The solution to this conundrum is to decentralise these services, i.e. run your own XMPP server for your family and friends. Keep your own data where you can 'see' it, on 'the server under the stairs' with some distributed backups to 'devices under different stairs'.
This is no pie-in-the-sky statement, I've been running such a server for years and have installed several for others. System requirements and maintenance are minimal - you can run Prosody on a Raspberry Pi 1B if needed. Availability and reliability are high, it basically works as long as network connectivity and storage are available. The user experience largely depends on the client applications where Conversations on Android is probably the gold standard and in many ways comparable to Whatsapp.
When using OMEMO the server admin does not have access to cleartext communications so assuming clients are configured correctly there is not much to be gained from raiding the server. If some government entity wants to snoop on communications they'd have to gain access to at least one of the client devices since encryption is handled locally. Instead of backdooring centralised services run by Whatsapp or Signal or Telegram they'd have to get to a multitude of servers-under-stairs and client devices which makes it infeasible to use the 'dragnet approach' which is most likely the intended outcome of these backdoor laws.
Some decades ago at I heard Jello Biafra repeat his statement not to criticise the media but to become the media. This has happened, the (current incarnation of) legacy media is running on its last legs and has been overtaken by 'new' media. Here's a corollary to this statement:
Don't criticise the service providers, become the service provider
Use the internet as it was meant to be, a network of networks. Lots of networks, each running their own services with 'secure' communications between those services. I put secure in quotes because there might be a chance for some TLA or other organisation to break the encryption on one of those communication links. Even if they managed to do so they'd gain access to only a small fraction of the communications going on around the 'net.
But advocating for distributed communications only aids and abets criminals, won't you think of the children?
When guns are outlawed, only outlaws have guns. Criminals already use these services (and some of them have been broken/backdoored) so this is nothing new to them.
But you can't expect grandma to run her own server
No, I don't expect her to do so, she can use yours instead.
But but but but
You're starting to sound like a chicken.
Running this stuff is not hard. If you know how to do it, do so and help others to get started. While you're at it you can help them to secure their networks against intrusion by their service providers as well by making sure the ISP connection terminates at a router managed by the device owner, not the ISP. There is no reason to give the ISP access to your LAN since that only creates an incentive for those government entities to force the ISP to give them access to customer networks. The ISP should be used as IAP - internet access provider - and only be allowed to see whatever traffic you allow out of your network, not what goes on inside of it. That, though, is something for another post, another time.
I've been running services like this for decades, this works, it is not difficult and does not take that much time. It has only gotten easier over time, hardware has gotten cheaper and smaller, power use has gone down, performance has radically improved. This is not a pipe dream, it has been first my, then our reality for more than 30 years.
Don't criticise the service providers, become the service provider
There is a reason why Free Software (as in freedom) was invented: To ensure that those who create the software do not overpower those who use the software. The idea, that companies or politicians can force the user's machine to work against it's owner, is wrong. And it is wrong, because to be a human in the 21st century means in most cases, that your digital devices and your digital interactions are a core part of who you are as a private person. Invading the privacy of one's digital space is a violation that goes as deep as reading someone's diary when we look back and the time when life was more analog.
> The idea, that companies or politicians can force the user's machine to work against it's owner, is wrong.
You are hinting at something important here. Let me strengthen your point: to own an object means to subject it fully to your own will. If the object can act in a way that favors someone else's interests over yours, you do not own it. This is true of pretty much any device running proprietary software.
A litmus test: can you make your device lie to the manufacturer's servers? Regardless of the legality or morality of doing so.
However this article is really about something else: the vulnerability of centralized services in the face of government oppression. Signal only has the ability to log messages because it is a centralized service that controls both the client and the server. The benefits of E2EE is greatly reduced if the client and the server is controlled by the same entity (tomorrow Signal can push out an update that would send a plaintext backup to their servers, and you wouldn't know it until later). Moreover, the non-free distribution mechanisms on mobile phones (stores) limits a company's ability to resist.
Also only possible because we use Signal as compiled by themselves and not by trusted third parties from a source kept clean of any future client-side backdoors. The client is open source, right? https://github.com/signalapp
I have unpopular opinions about this, because Signal has been so hostile to anyone other than Signal themselves being involved.
But to be specific: "open source" claims go out the window when they're;
1. Not reproducible (before anyone links me to the "reproducible steps" please actually read them because they tell you directly that they will not create a reproducible output).
2. Able to hide development of mobilecoin (somehow) from us for nearly a year. To be clear: There were updates to the Signal app on iOS and Play, otherwise there would have been security bugs, but those patches did not make their way into the repositories.
Signal operates on a "trust us bro" mentality, and no matter how trustable they seem to be- something about that doesn't sit right with me and never has.
EDIT: I don't really care if bots or shills downvote me, can you really, with a straight face, say it's NOT "trust us bro" ideology that makes people use Signal?
Archive formats are hard to make reproducible because there are lots of ways of making different yet equivalent archives.
So it’s not surprising to me that someone would fail at this hurdle and find it frustrating to resolve.
Nix defined their own format for this to avoid this exact problem.
It seems there are multiple reasons. For one, the apk files include a digital signature and you won't have Signal's and Google's private keys available to recreate their signatures.
Ah nice; they got rid of that explicit warning - instead though we have the entire section about "bundlePlayProdRelease" including an externally sourced binary blob.
I don't understand how the details of the build process matter if the resulting files can be checked to be bit by bit identical? I can only think of something like Signal and Google conspiring to backdoor the binaries during the build process via this external binary blob. But if Google is part of this, they could also do it within Android which is not fully open source.
If you don't like this, you use the non-Play Store build instead (which supposedly doesn't include any binary blobs, but I haven't checked).
> 2. Able to hide development of mobilecoin (somehow) from us for nearly a year. To be clear: There were updates to the Signal app on iOS and Play, otherwise there would have been security bugs, but those patches did not make their way into the repositories.
Signal operates on a "trust us bro" mentality, and no matter how trustable they seem to be- something about that doesn't sit right with me and never has.
The MobileCoin work and the source code not being published on the public repository for nearly a year was an extremely ill thought move. It soured my view of Signal as well.
Yes, this is part of the problem. Application developers and the packagers should be distinct unrelated entities to reduce the chance of a malicious update being pushed to users if the developer sells out.
Splitting the developer and the packager doesn't inherently reduce the chance of a malicious update any more than using a VPN reduces the chance of being snooped on by an ISP. All it accomplishes is change who you have to trust to not be malicious. You might have good reason to believe that you can trust one party better than you can trust another, but unless you're building the package yourself there's still no guarantee that the package that you install is built from the source code you can inspect.
It's all based in trust in the packager and only the packager—there are no checks and balances. The only reason why splitting up the responsibilities might help is if you find the F-Droid maintainers to be inherently more trustworthy than the Signal developers, not due to simply separating the concerns.
Without reproducible builds, this just means you have to trust the packager instead of the developer. Sometimes that's a good trade-off, but you still haven't really solved the problem, just moved it.
With reproducible builds, you don't have to trust the packager or the developer as long as you trust at least one person who reviewed the source code.
Packagers have proven to be more reliable. Sometimes they make mistakes but there's no case of a packager ever selling out (correct me if I'm wrong.) On the other hand, there are numerous cases of developers selling out.
That does not solve the problem. A country can forbid F-Droid and Debian and anything else that is not in a short list of vetted app stores that comply with the law of that country to backdoor everything.
> to own an object means to subject it fully to your own will
Not by a long shot. Just a few counterexamples from the top of my head: Destroying currency, altering passports, reproducing copyrighted images.
I'm not saying I'm a fan of even more exceptions of that kind, but I don't think there are any particular inherent rights arising from property ownership beyond from what society agrees on there are (e.g. the first sale doctrine for physical media). That's what makes it even more important to codify these rights.
> Just a few counterexamples from the top of my head: Destroying currency, altering passports, reproducing copyrighted images.
These aren't counterexamples, they prove the rule. A US passport literally has the text "this passport is the property of the United States" printed inside of it, and I imagine the same is true in most countries: you are the recipient of a passport, not the owner of one.
The same applies to copyrighted images— when you purchase a book you own the physical copy and can fully subject it to your own will, but you don't own the right to make additional copies of it. You own the copy, not the intellectual property.
As for currency, it may not legally be the property of the US government like a passport, but I would argue that the fact that you can't modify it does in fact mean that you don't own the bill, the bill is a representation of an abstraction of "money" that you do own.
Afaik currency (as in the physical banknote) is actually state property too. What you really own is a promise from the national/federal bank to pay you the value that is written.
Yeah, that has been my understanding, but I couldn't find a citation for that right away, so I didn't want to assert it confidently. But I've heard the same thing.
Note that I said "can", not "legally can". You can destroy currency, alter passport, reproduce copyrighted images if you want to. There may be legal consequences but you can. You can also stab a person with a knife you own, even if you will be punished for it. I'm not talking about rights, but capabilities.
You can't make your phone lie to an app developer about its location, rooted status, etc. You can't make your HP printer print with unsanctioned ink. Therefore, you do not own them.
I also can't make a pen and a sheet of paper contain a proof showing whether P is equal to NP. Does that mean I don't own them either?
Now you could of course say that the difference is somebody having intentionally designed an object in a way that makes it capable of withholding some functionality from me but not others, and I'd agree.
But all in all, I just don't think "property rights" is the right lens to think about computing devices.
You can do what you want with the bike, but your analogy falls flat because it implies that despite you owning the bike you get to drive through your neighbours living room: because your right to own a bike somehow trumps their right to own land and a home.
> Invading the privacy of one's digital space is a violation that goes as deep as reading someone's diary when we look back and the time when life was more analog.
There’s no warrant protection in this bill. They want to keep a copy of everyone’s data so they can look back at old stuff after the fact.
Even if there was warrant protection, I’d still be against it. People have traditionally had the right to speak to each other without giving a transcript to the police. I think it’s unreasonable to make that illegal.
Sure but I was responding to the point that a diary can't be searched. It can be. The key difference is that doing this for analog conversations was expensive for the police as it required them to devote finite human time. Digital is not the case.
Comparing to analog is I think flawed because even if it mapped 1-to-1 it does allow for a level of search that is problematic given the low cost of digital surveillance.
Yes but people can genuinely forget the exact words they spoke time ago, even one minute ago, or a whole conversation. Examples: Who did I talk to yesterday? Did I met that neighbor of mine yesterday or was it the day before? I don't know.
Unfortunately, when we switched from letters to emails, the legal privacy protections we enjoyed back then, were not carried over do the digital realm. We're still suffering and have to use encryption to protect ourselves from the lack of legal protection.
Legal protections are great and everything, but if I had to choose between abstract legal protections or concrete protections based on physical properties, I'll choose the later every time. Obviously both is ideal, but I'd use encryption for most of my correspondence regardless of my levels of legal protection.
It may be wrong, but it proves that technology can't beat politics and policy.
The issue with Apple caving to UK demands regarding encryption, and now Signal being in a similar situation, shows that you can't just focus on technology and ignore policy and politics.
And you'll find out that a ton of people here on HN will care, but most of the public won't.
People should take XKCD 538 really to heart (The 5$ wrench one). It's not the same point, but very similar.
https://xkcd.com/538/
We technologists will probably be able to circumvent any Signal-ban. But we don't exist in a vacuum, we are a small part of a larger society. Who's at the other end of your conversation?
Most 'regular/normal' people won't and most importantly - don't want to - jump through the technical hoops to keep using Signal.
Although the downside of the official app stores is clear, the alternative might result in a swift return to the '90s and '00s where malware and viruses were rampant. Pick your poison.
I think malware and viruses are less common for many reasons, but I suspect increased awareness and security posture (including the architecture of modern OS) has more to do with this than "walled gardens." Malware does make it onto closed app stores, and many users (e.g. on Windows) still don't use app stores.
The answer you're looking for is probably to build more decentralized, FOSS software with better UX. Much easier said than done of course.
> It may be wrong, but it proves that technology can't beat politics and policy.
It very much can. In a battle between human force and physics, physics win every time. If I send an encrypted email to you, you have the choice to not give up the key, even if you'll be in jail. With physical letters, you don't have this option. Technology gives you the ironclad ability to keep a secret, only limited by the fortitude of your character.
You clearly haven't felt a 5$ wrench on your body. Giving up your secrets under torture isn't a character flaw, it's what will happen to 99.99% of people under torture.
I can't help you if you don't believe that this is true.
And I hope you understand that 5$ wrench is a euphemism for what would 'really' happen.
All this to say that no, technology does not triumph over politics and policy.
Technology very much does. It's the flesh that has a hard time triumphing over force. To counteract this, you can also engineer a system that can resist it through e.g. split secrets on multiple people located in different jurisdictions.
If you split a secret over two people, first, we use the 5$ wrench on one of you to identify the other and the rest is easy.
If the second person is somewhere else in a different jurisdiction, how are you going to communicate with each other to get the two halves of the secret together to encrypt/decrypt messages? It's an unworkable situation.
As I see it, you create a fantasy situation that would not work if you just want to communicate with people in a secure way. No amount of technology or encryption is going to work, especially in the real practical world.
Not fully, but making transacting in Bitcoin outright illegal would probably go a long way to making it completely unattractive to 99% of all potential users.
And if Apple and Google were forced to remove all wallets from their app stores, it would largely be game over.
In addition, simply taking out the on/off ramps, such as Coinbase, would destroy the utility of cryptocurrency as well, since the grand majority of folks dealing in the stuff are only interested in flipping it for more cash money on the other end by finding the next sucker in the chain.
Very few people actually care about the principles of Bitcoin and the like. Maybe the core devs and some very early adopters?
I think a large part of the success of Bitcoin can be explained by the combination: It allows people to say (and even believe!) that they're in it for the ideology, while the real motivation is primarily that of capital gains.
Whether it's useful to the current "grand majority" or not / holds the value it does today is orthogonal to whether the technology can be stopped and whether it still provides value to those who continue to use it.
I did worry this example would be too political, hence including the BitTorrent example as well.
Much like how PGP was disseminated by Phil Zimmermann, and then the government decided to come down on him like the plague in the early 90s. What the US government didn't know was that it was too late and such technology was out in the zeitgeist. Bitcoin is in a similar situation.
The actual software and code? Good luck getting that genie back in the bottle now. But, you can certainly hamstring it in other ways, and frankly, that should be good enough. I say this as someone who is absolutely not a fan of the project and find the perverse incentives in PoW especially to be pure garbage, but I am also a realist.
When you have folks like Peter Zeihan declaring that Bitcoin *will* go to zero - that is, I think, the epitome of hubris. We don't know what will happen next, and with our current administration, I'm only seeing Bitcoin become more influential in the interim, much to my chagrin.
> The actual software and code? Good luck getting that genie back in the bottle now. But, you can certainly hamstring it in other ways, and frankly, that should be good enough.
This is my point - the technology is out of the bottle. You can't stop it. You can disincentivize its use in all sorts of social and legal manners, but to go all the way back to my original comment: you can stop Apple (Coinbase) from operating, you can penalize individuals for using encryption (or cryptocurrency in this case), but encryption (and blockchain) still exists and can be self-hosted, and individuals can continue to utilize those tools.
Again, look at torrents. Its primary use case is illegal. What.CD, Oink, even TPB (at various points) have all been taken down. Yet torrenting still enjoys widespread use across the globe.
I'm not a fan of cryptocurrency either, but I do want to note that "hamstringing" it at this point will likely have many negative downstream effects on the overall economy.
>I'm not a fan of cryptocurrency either, but I do want to note that "hamstringing" it at this point will likely have many negative downstream effects on the overall economy.
This part does terrify me. Too many hedge funds and more common investment vehicles have gotten exposure to this. If there ever is a huge rugpull, regular folks will get nailed. Sad times.
The antidote to XKCD 538 can be steganography. They won't beat you with a $5 wrench if they don't suspect you of doing anything at all. End-to-end encryption can become illegal, but as long as you can run arbitrary code on your machine, you can hide and decode messages with steganography. JavaScript can do the job, so even locked down mobile devices will work if you go to CodePen, JSFiddle, JSBin, etc.
Steganography isn't some magic shield to avoid surveillance though. If authorities are already monitoring you for some other reason, then they can burn a zero-day exploit and see anything you do on your device. And if your entire city is covered in cameras with facial recognition, well... you can have your secret messages but I don't know what kind of resistance you're going to be putting up. So to some degree you're right that you can't fully ignore policy and politics.
Not sure how to get most of the public to care though. I get most people have more immediate concerns in there lives, and crime is a legitimate issue, but even a cursory knowledge of history will show the hell life can be under authoritarian governments. I think far too many people think "it can't happen here", which seems insane considering how often it has occurred even in liberal democracies (Spain, Portugal, Germany, Italy, Argentina, Chile, and many more.) In less liberal and less stable democracies, it has happened even more times. I'm not sure why people have some unfounded faith that their government could never become authoritarian and oppressive.
I'm not saying take down every CC camera and get rid of intelligence agencies -- they are important tools for fighting crime. But there's a difference between a few traffic cameras and CC cameras in places people would presumably commit a crime, and burning targeted exploits for surveillance of truly notorious criminals, and just mass surveillance through banning end-to-end encryption. With zero-day exploits, the government is inherently limited in the surveillance they can do, so it's a limiting factor on their potential for abuse, as the more they use it, the more likely they are to be discovered and patched. But with no end-to-end encryption, the potential for abuse is limitless.
>The issue with Apple caving to UK demands regarding encryption
Apple "caving" would've looked different; in fact, we probably never would have known, given the insidious nature of the underlying statute in the UK.
Apple is making noise about the fact that they pulled the product, and the tech press is making it clear WHY even though Apple itself is legally prohibited from giving any additional context.
I feel like that was probably the best move available to them given the cards dealt. Fighting in secret courts is unlikely to be fruitful.
Removing the advanced encryption option for new accounts is really 'caving' to the demands of the government in my view.
And in time, they will also remove the e2e encryption on existing accounts using the e2e feature to comply with UK demands.
They may have sounded the alarm, which I appreciate, but they still have to 'cave' and do as the UK government tells them or they have to cease operations in the UK.
What I'm really noting here is that Apple had no good options.
Capitulating would've meant giving the UK government the back door they wanted. They didn't do that. They complied in a loud and public way, which unmistakably shined a light on the insane request.
The only other options for them were withdrawal from the UK market entirely, or a secret court fight they'd probably lose.
To me, their actual response reads more like malicious compliance than "caving," which usually implies giving up completely.
> It may be wrong, but it proves that technology can't beat politics and policy.
There's definitely a strain of thought which perceives almost everything in society as being outcroppings of the progress of technology (however you define that), and especially in the 1990s imagined/expected everything to fall over under the mantle of "information wants to be free" etc.
I think you're right that this is an intellectual dead-end. Many of us lived through the 90s hype wave and into now, and have watched things take a complete circle. The Internet didn't transform society into utopia, the real-world dystopia transformed the Internet into a high definition image of itself.
I think that this highlights exactly why we need decentralized, open source software.
Back when Moxie Marlinspike made a thoughtful critique of Web3 (the most thoughtful one I had read, actually), I put together a reply. It’s worth a read for anyone on HN who cares about user freedom and how society is structured:
A note to the younger HN crowd who may have grown up with locked-down devices: the “hacker ethos” used to mean the freedom to tinker and buuld your own. It wasn’t always the case. The Personal Computer and Apple came about through the Homebrew app. And before that, Steve Jobs and Wozniak were even building blue boxes for “phreakers”:
Before he became a corporate golden boy, Mark Zuckerberg built Synapse for regular users and open sourced it instead of selling it to Microsoft and wanted to build Wirehog, but Sean Parker proudly said he and Peter Thiel “put a bullet in that thing”
I don’t want to just be the “wake up sheeple” guy or some unkempt Stallman clone. But there is a real culture clash between the hackers and the corporations, and I feel like the HN denizens who knee-jerk downvote of anything decentralized today don’t get the point of open source decentralized hacker ethos and how the people who practice it produce the next big thing. Working for FAAMGA and “the cloud” ain’t it folks. Here’s why “the cloud sucks” by Steve Wozniak: https://gizmodo.com/why-the-cloud-sucks-5932161
In short — read my rejoinder to Moxie Marlinspike, in my first link. It is ironic because all these years later, I end up being right: it is exactly his company that’s getting hit with this, exactly because it is centralized.
And if you are Moxie or Durov and think your centralized company has somewhere to run… here is the bigger picture around the world — governments are coming for you and the war on user freedom is coming through you: https://community.qbix.com/t/the-global-war-on-end-to-end-en...
This principle seems out of touch with most people’s reality: products hardly ever do everything you want and often work against you. If someone has a device that doesn’t do what they want and there’s no setting to change its behavior, replacing it is usually the only practical option. (Or if it’s a problem with an app, they might be able to install a different app.)
If there is a free software license, it’s of no direct use to them. Only software developers care about such things. (There is an indirect effect on what software is available.)
> If there is a free software license, it’s of no direct use to them.
It's of indirect use; they could use a modified version of the software that does what they want, created by someone else. This is why you generally don't see user-hostile features in Free Software; someone would just fork the project and edit them out.
The problem is that some forks are malware [1], so switching to a fork by developers you don't know is risky. How do non-technical users learn which software developers to trust?
Worst-case, they could hire someone they trust to review the source code.
More realistically, you generally don't have to switch to a fork in the first place because the mere threat of a fork is enough to prevent the deployment of user-hostile features. And when a project does get forked it's often a highly publicized affair with a lot of community drama which produces no shortage of information about who's trustworthy and who's not.
This is only somewhat true for the software most popular with technical users - the sort of thing the average Hacker News reader might be familiar with.
There is a long tail of malware in app stores, despite the efforts of app vendors to police such things. Nobody would be bothering to fork them because most technical users don't care about them, but they still attract lots of victims.
Example: malicious Chrome extensions. Authors of Chrome extensions receive enticing offers to sell and sometimes they do.
Yes, malware does exist in app stores. I don't really see how that's related to Free Software though?
When I say user-hostile features I'm not talking about malware. Yes, I suppose theoretically you could fork a Free Software malware app and make it not-malware, but that's not what I'm talking about here. I'm talking about things like Samsung putting ads on your TV home screen[1], or BMW charging a monthly subscription to access your car's seat heaters[2], or Sweden trying to install a backdoor in Signal. With Free Software, users get the final say on whether those features are installed on their devices or not.
If malware isn’t user-hostile, I don’t know what is? It works both ways. A fork can fix something that’s user-hostile, but it can also introduce malware into an otherwise useful app that didn’t already have it, and many users won’t know which one to install. There’s no guarantee that any security researcher is watching. In practice we rely largely on reputation, and sometimes that’s the blind leading the blind.
Users don’t get final say in what their devices do unless a software developer is willing and able to help them. Most are actually pretty helpless on their own.
I can speak for german law: If you buy something, it becomes your property, and you have full power of disposal ("Verfügungsgewalt") over it. If vendors deny you from exercising this right, they are violating their part of the purchase contract.
Rights are of limited use if there's no practical way to exercise them. Hiring a software developer to change an OS or an app is rarely a practical option for most consumers.
Correct. It's not practical because those apps usually aren't Free Software and because the hardware or firmware they're running on often aren't Free and include anti-features that prevent you from installing Free alternatives.
If they were Free, users wouldn't necessarily even need to hire a developer to change their app or OS; those changes would most likely already exist in some form somewhere and the user could simply purchase the modified version.
You can install Linuxor a custom ROM. And if the manufacturer has DRM like SecureBoot in place to prohibit that, you can file for damages and basically get the device for free.
Unfortunately, the philosophy of Free Software does not account for the scale at which software is being run now.
Having the source code to a printer driver available is a completely different thing than being dependent on a platform, because all your friends and relations are using it.
Personally, I'd only trust a governmental agency to provide such services, which makes the article we're discussing ironic at the least, or complicated.
A government run social anything would be the most milquetoast experience, wouldn't it?
I suppose if I needed to make sure there was a public immutable record of something it would be useful. Like "I made this thing no later than this post"
> Personally, I'd only trust a governmental agency to provide such services,
I can't see why you'd say that.
Governments (and private corporations) are not operated to faithfully serve the public, certainly not the public as a set of individuals and small groups of people. It's not that "government services are bad", but rather, than governments, even democratically-elected ones, are practically certain to wiggle out of the straightjacket of strict protection of individual needs and interests for legitimate or illegitimate "greater good"; specifically, they will not resist the desire and the interest to spy on you. And the potential for government abuse of private information is quite high.
"There is only one essential difference between a monarchy and even the most democratic republic—in the former, bureaucrats oppress and plunder the people in the name of the monarch; in the latter, they do it in the name of the people's will." - Statism and Anarchy
The core problem isn’t the form of government, but the concentration of power itself.
"Personally, I'd only trust a governmental agency to provide such services" I understand where you're coming from, "the ultimate goal of a company is to profit and so we can not trust it to protect their users/consumers interests instead of their own" but... you know that it is always the government that will put you in prison, or send you to war right? That it is a blob of power, controlled by people right? This goverment = good that you see people believing these days is such a childish view of reality.
you know that it is always the government that will put you in prison, or send you to war
You're merely playing word games here. A person keeping another human being against their will is called slavery or abduction instead of prison. Similarly, it's only called war when it's a government doing it, otherwise it's called activism, terrorism, or gang warfare (note the overload of the term).
The main difference between a corporation and a real democratic government is that a government is accountable to all its citizens, instead of its shareholders. I understand that this is a difficult concept to grasp for US citizens, but the rest of us living in actual European democracies don't deserve your childish derision. No system is perfect, but don't make the mistake of thinking that the US government is the best (or even a good) example of democracy out there.
So much this! The internet does not have to be a monolith controlled by the mega-corp/govt flavor-of-the-month. It originally was (and still can be) a network of smaller federated ecosystems controlled by individuals or smaller groups.
Government and charity can be corrupted (and usually are, to at least a small degree). Private industry is corrupt bt default: to the extent possible, it will intentionally serve owners at the expense of other stakeholders.
This is not a knock against private industry in general. Capitalism's greatest strength is precisely that it harnesses corruption toward productive ends through private industry.
Nonetheless, it's unsurprising that people would take a chance at less-corrupt versions of key infrastructure. My preference would be to do this through charity, which worked pretty well for e.g. Mozilla for a while - but I wouldn't call other directions naive.
There are a lot of pragmatic pro-government people here, holding tightly to the
"51% > 49%" core principle of democracy, which sadly turns into a mess at the scale of humanity, just like any other model we've invented so far. There isn't a real alternative for us collectively now but to submit to power – so any even slightly anarchistic views are not welcome here most of the time...
> This government = good that you see people believing these days is such
> a childish view of reality.
There are plenty of immature ideas about running human affairs going
around. History has shown that a social contract obtained by popular
assent is the only viable choice, unless you relish war, insurrection,
terrorism, and social collapse [0].
Government is good almost by definition because we grant its existence
on that basis of benevolence. Indeed one should be ready to defend
good government and lay down ones life to make it good, including
overthrowing existing bad government.
This was well established 80 years ago and we seem to have forgotten.
I know there are some around here agitating for tyranny and
dictatorship. That in my opinion is the "childish view", a result of
too much screen-time and a lack of life experience.
Would you be willing to fight for good government? [1]
I believe the citation falls under "street smarts" as the WikiLeaks press release mentioned Signal explicitly. Whether this was a subtle outing the origin of the tool itself is left as an exercise for the reader.
Regardless, the threat vector is accessing the data before encryption anyway. And drawing attention to yourself by running certain apps and services in the first place.
There's a lot of mathematicians in maryland and those who studied the history often land on "if they want you, they got you."
The US does not have a law requiring all messaging applications to store historical messages and provide access for law enforcement to decrypt and view all messages.
The US may (or may not) be capable of decrypting Signal messages themselves -- but that is a different issue. The US does not (currently... it HAS been discussed previously) ban the use of any particular encryption techniques because US agencies are incapable of breaking those techniques. And there ARE techniques that US agencies are incapable of decrypting.
There is no evidence or reason to believe that US intelligence agencies can access signal messages when used properly.
It would be much simpler for them to compromise the phones of targets vs break the signal protocol. This is generally true of secure communication systems, the flaws tend to be in usage and endpoint security, not in the protocol implementation.
Right. I have zero illusions about the presence of many critical security vulnerabilities in my smartphone. Just look at how many are fixed each month.
However, i have also reason to believe that the cryptography of my encrypted messaging app Signal is sound and there's no backdoor.
Indeed. One of the most important properties of a cryptosystem is its resistance to ordinary human screw-ups. And that's before you get to intentional co-operation.
> The Armed Forces, on the other hand, are negative and write in a letter to the government that the proposal cannot be realized "without introducing vulnerabilities and backdoors that can be exploited by third parties
First time I am seeing an organization against this. Kudos to them for standing up.
According to the original article (Swedish: https://www.svt.se/nyheter/inrikes/signal-lamnar-sverige-om-...), the reason for the armed forces to be against it is because they recently started advocating for its personnel to start using Signal to reduce eavesdropping, so backdooring Signal would decrease the armed forces security.
> Men Försvarsmakten är negativa och nyligen uppmanade försvaret sin personal att börja använda Signal för att minska risken för avlyssning.
In fact, they are negative because they say that this can't be done without opening up the service to vulnerabilities that could be used by others.
> I ett brev till regeringen skriver Försvarsmakten att lagförslaget inte kommer kunna förverkligas ”utan att införa sårbarheter och bakdörrar som kan komma att nyttjas av tredje part”.
> In a letter to the government, the Swedish Armed Forces writes that the legislative proposal will not be able to be implemented "without introducing vulnerabilities and backdoors that may be utilized by third parties."
That specific quote is in the original comment of this thread :)
Yes, but your deduction is incorrect. They're saying the SAF are negative _and_ they recommend their personell to use the service, not that they are negative _because_ they recommend it.
I don't see how you can know that "because" is incorrect. This seems like it could be possible to me:
(Possibly) SAF is negative because they use Signal, and don't want a law that would introduce vulnerabilities into Signal that could be utilized by third parties.
This was already commented by the original comment in this thread and is not mutually exclusive to GP's comment. What is your point?
Makes sense, the entire point of Signal is no backdoors. If you add one, you might as well make the app illegal.
TOR was sort of famously contributed to by a dude in US Naval research early on, right?
They are militaries, not police or intelligence forces. The job is to be ready to do war, not nanny and snoop on civilians (Some of that might be a necessary side effect but it isn’t their reason for being).
Militaries need intelligence services to be their eyes and ears. That said, most people who are not in their country's armed forces, government, or intelligence service vastly overestimate how much another country's intelligence services actually care about them. Most people aren't that interesting and don't have any intelligence value for another country's government.
And SELinux was given to us by the NSA.
I question the use of an instant messaging service hosted in another country for your armed forces, is that a good idea, especially now?
As good as Signal is I mean, you will want something under your control.
They're not using/advocating to use Signal for their military control/communication:
> This week, Brigadier General Mattias Hanson, the Swedish Armed Forces' CIO (Chief Information Officer), decided that calls and text messages that do not concern classified information should, as far as possible, be made using the Signal app. The decision aims to make it more difficult to intercept calls and messages sent via the telephone network.
https://www.forsvarsmakten.se/sv/aktuellt/2025/02/forsvarsma...
Seems people were using SMS for those messages they are now advocating to use Signal for.
Also, seems they've done a review (obviously) but unclear if they had access to something internal from Signal to do the review, feels like they had to:
> The Signal application has been deemed by the Swedish Armed Forces to have sufficient security to make it difficult to intercept calls and messages.
Any decent military will be using multiple forms of communication systems.
I was a communications specialist for the Swedish Armed forces 10+ years ago, including a tour in Afghanistan and a tour in Kosovo.
We used radio links for internet that I can tell you, were more adversarial than friendly.
The Swedish military is highly capable when it comes to network communications. A small nation will have to think differently.
You could potentially use an instant messaging system in control by someone else, if you are willing and capable of sharing encryption keys with whomever you are going to communicate with beforehand.
Is Signal hosted in just 1 country?
Good question! I assumed it was US only but things have changed a while back after it becoming popular it seems. Going by https://signal.org/blog/signal-is-expensive/
>Because everything in Signal is end-to-end encrypted, we can rent server infrastructure from a variety of providers like Amazon AWS, Google Compute Engine, Microsoft Azure, and others while ensuring that your messages and calls remain private and secure.
Your source doesn't support your claim. The exact snippet you quoted, interpreted strictly, only means they have the option to host it across providers, not that they actually do so. It also doesn't say anything about where it's hosted. It can be hosted in AWS, GCP, and azure, but all in the US, for instance.
Apple took the same stance during the San Bernardino case!
FYI the EU wide proposal to scan all your private messages using an AI agent on your devices also originated in Sweden by EU Commissioner Ylva Johansson in 2022.
> EU Commissioner Ylva Johansson has also been heavily criticised regarding the process in which the proposal was drafted and promoted. A transnational investigation by European media outlets revealed the close involvement of foreign technology and law enforcement lobbyists in the preparation of the proposal. This was also highlighted by digital rights organisations, which Johansson rejected to meet on three occasions. Commissioner Johansson was also criticised for the use of micro-targeting techniques to promote its controversial draft proposal, which violated the EU's data protection and privacy rules.
I don't think anything good ever came from Ylva Johansson. Mentions of her name on something should make one automatically treat that thing with suspicion.
You know it's a banger proposal when even the Swedish armed forces tells you "Please don't".
European armed forces should know best, given that Signal has seen actual use by Ukrainian military personnel, with Russian forces trying their best to target those encrypted communications (right now mostly by getting those smartphones from dead bodies).
The fact that proposals like this get this far, without anyone checking with the defence department and actual experts is really weird. It's not just Sweden, this is clearly a problem in many other countries.
I'd really like to know why it's so hard for politicians and police forces to understand that backdoors are dangerous.
It will be waring factions within government (which is never unitary in any country) --- here these laws/proposals/etc. probably come from domestic spying agencies and police forces in most countries. I suspect that signals intelligence agencies and offensive forces have probably mostly moved to "encryption is good" stance given the number of foreign attacks upon domestic assets (gov, biz, etc.).
However, we shouldn't underestimate the desire for foreign intelligence agencies to bait one's own domestic agencies into "spying for them". So i imagine there's some pressure from, eg., the US sigint agencies to have the EU compromise EU citizens in ways that even those very agencies may today not wish to compromise their own.
At a complete guess, I wouldnt be supried if, eg., the NSA (, CIA, et al.) were goading EUROPOL which was demanding domestic anti-encryption laws.
As an empirical matter, encryption makes agencies like EUROPOL's jobs extremely difficult -- i imagine also because they probably struggle to get coop from domestic police forces, so cannot easily do "the physical police work necessary" to get device access.
In the end, I imagine we'll have china to thank for the end to this nonesense -- since any backdoor will immediately be a means of mass corp/gov espionage.
> At a complete guess, I wouldnt be supried if, eg., the NSA (, CIA, et al.) were goading EUROPOL which was demanding domestic anti-encryption laws.
The exact purpose of Five Eyes?
I'm shocked, shocked! there's gambling going in here!
It's not the purpose of five eyes, it's a noted tactic.
But at the same time countries realise they are under attack economically and political from hostile cyber warefare... and so there's something self-defeating about this tactic now whereas perhaps 10-20 years ago there wasnt.
It's hard to imagine a US-China war (say by proxy in TW) or a EU-Russia war (eg., esp., by proxy in UA) "going well" under conditions of broken domestic encryption.
Eg., back when the UK mass surveillance law was passed in 2016, I imagine sigint agencies were more on-board... today I wonder if that law would now be "quietly opposed" on grounds of national defence
They haven’t been in a war since 1814, so they’ve had lots of time to develop other competences.
I hear they also make amazing sourdough and can discuss the Beatles catalog at depth.
as a general rule countries that succeed with a policy of neutrality do so by having their military strong enough that they're mot worth fucking with.
> having their military strong enough
That's not how Sweden remained "neutral" though, although I'm not sure I'd agree Sweden been neutral since 1814, wasn't exactly neutral before/during the second world war. https://en.wikipedia.org/wiki/Sweden_during_World_War_II
Signal is headquartered in the US and presumably has no employees in Sweden (and perhaps the entire European Union).
There is utterly nothing the Swedish government can do to stop Signal except for pressuring app stores and/or ISP-level censorship. Preemptive surrender is extremely disappointing, especially for a non-profit - there isn’t even any revenue that can be ‘fined’ by the EU!
> There is utterly nothing the Swedish government can do to stop Signal except for pressuring app stores and/or ISP-level censorship
They can go after executives and employees of foreign companies, too. The charges may not mean much unless those employees travel through Sweden, but if the political winds change in the future then they may be able to convince other countries to enforce their charges against employees as well.
It’s reasonable for a company to avoid risking their employees becoming targets of detention for international travel.
It also more effectively highlights the political issue within Sweden if people there see the consequences of the laws of their elected officials rather than having those laws silently ignored by a company that takes the legal risk upon themselves.
The app stores are run by companies with a presence in the EU.
You don't need to get Signal from an app store (unless you're on iOS I guess)
For 99% of people the effect is the same as blocking the app.
In the EU, Apple must support side loading and other app stores.
But those are also vulnerable to these laws, no? App sideloading seems the only escape.
Even then the webapp should work
Since when is there a Signal web app? I don't think there is, but even if there were then presumably it'd work the same as the desktop app: "To use the Signal desktop app, Signal must first be installed on your phone."
What's funny is that it's other EU laws from totally different parts of government which are, at the same time, pushing to allow for side loading of apps and alternate app stores on iOS and Android.
https://www.google.com/search?q=apple%20eu%20alternative%20a...
The end result of which, if done at large scale, means that an EU government couldn't ban signal, short of forcing all its domestic ISPs to be downstream of a China type great firewall, or simply null route all the IP space where signal's servers are located.
All the alternative app stores can easily be subject to the same legal requirements as Apple.
Side-loading is harder to enforce any rules over, of course.
Blocking domains is well-established at this point, thanks to the copyright industry doing a 21.5-year whack-a-mole-waltz with The Pirate Bay. Of course, this also demonstrates the limited effectiveness of domain blocking.
> Of course, this also demonstrates the limited effectiveness of domain blocking.
Extremely limited effectiveness, when VPN operators like Mullvad are corporations based in Sweden and offer 5 euro a month service to bypass whatever local "mess with internet traffic" activity, whether government-caused or not, that someone's last mile ISP is up to...
There's also the game of whack a mole with taking ownership of domains at the registrar/ICANN level through court orders, such as with the various .com or similar things that get jacked and plastered with a "DOMAIN HAS BEEN SEIZED" notice by the US feds.
Sweden is part of the expanded 5 eyes (now 14 eyes). As a workaround for restrictions on domestic spying, they subcontract their dirty work to each other. Hence, you can expect the US to assist in pressuring them (ostensibly on behalf of Sweden)
I keep seeing this idea that because a company is headquartered in some place, means they don't have to follow the laws of the countries where they operate.
Yes, Signal may be headquartered in the US, but that doesn't mean they can just ignore the laws of other countries, which is exactly what may happen here, depending on the outcome.
Sweden may propose a backdoor (a utterly shitty idea, I agree) which Signal may decline (which this submission is about). Then the next step is either Sweden giving up on the request, or placing fines on Signal until they comply or outright ban it, or Signal deciding it isn't worth it (prevent Swedish users from using Signal).
All within their capacities and rights, even though I again think it would very stupid approach.
There are only a few instances where institutional powers pass judgements that they cannot enforce. Generally doing so makes that institution look weak because it puts them in a position to have their rulings openly flouted. That's at the core of what jurisdiction means.
Sweden can fine Signal all they want but if they can't enforce the collection, they weaken their power and foster disrespect.
Singal is centralized? Can't they just block it at the border? I understand VPN or whatever, but if they're serious I hear there's a couple of countries with "pretty good" border firewalls.
Doing that would eliminate so many Swedes from Signal...
I haven't found a VPN solution for iPhone users in a couple of US states. It's like iphones are actively hostile to the very idea of a VPN. Or at least "self-hosted VPN", maybe the $20/month VPN work but that's... Sketchy.
You're making my point. Sweden would choose the most effective mechanism that they can actually enforce to deal with Signal's noncompliance. Blocking DNS or ISP access is much more accomplishable for Sweden than trying to levy fines.
Not familiar with Swedish law, but in most of the world the courts have a concept of jurisdiction. Otherwise a small country could just fine Apple $1T and solve its budget woes, and probably build a giant waterslide.
I would be surprised if Swedish law allowed for prosecuting a foreign company with not one bit of operations in the country.
> a foreign company with not one bit of operations in the country.
Borrowing from how tax & law is usually applied for companies trading outside of their incorporated country, at least in many places including the EU: If you have users/customers in a certain country, even if your product is purely software, you can be considered to have operations in that country.
> even if your product is purely software, you can be considered to have operations in that country
Couldn't users in pretty much every internet-connected country use VPNs and other methods of cross-borders indirection to access even those US services which explicitly block non-US IP ranges?
If this is the case, then is it not the case under the quoted reasoning above that any internet company should be expected to have operations in every other internet-connected country?
> If you have users/customers in a certain country, even if your product is purely software, you can be considered to have operations in that country.
If no money is changing hands, good luck with that. (Or, rather, bad luck with that.)
(If money is changing hands, you might find your payments blocked by local payment providers, though even then that would take a while and might or might not happen.)
> they operate?
How are they operating? It might as well be viewed as citizens of Sweden interacting with a foreign service out of their own volition.
In general, laws are backed up by the threat of violence. To the extent that Sweden's police can't confiscate Signal's assets in the US, they do not have to comply with anything. The only leverage Sweden's government may have is ISP level censorship, which is likely to cause unintended disruptions. Signal is in turn free to attempt to circumvent the censorship.
> I keep seeing this idea that because a company is headquartered in some place, means they don't have to follow the laws of the countries where they operate.
My friend's medium size regional ISP is headquartered in the US and as a hosting company certainly has customers who violate any number of censorship, blasphemy, etc laws in Iran, Russia, Myanmar, Pakistan, Bangladesh, just to name a few.
Signal doesn't "operate" in Sweden any more or any less than any other internet based service which has zero servers, offices, bank accounts or other physical presence in the country.
While I don't personally agree with the law, I genuinely hope we witness a major corporation withdraw from a market just so we can finally observe the concrete impact of these types of threats. (Even though their position is understandable in this particular case.)
Google ultimately did that for China. The outcome in that case is that the domestic market filled in the gaps, while complying to all relevant authoritarian legislation. I do not believe that the same would happen for every market where these stunts are being pulled off, at least not to the same level of quality.
Why are European countries trying to pull one off from the China playbook, while simultaneously being shocked that companies react to authoritarian moves in the exact same way as they have done in the past, is beyond me. Is the hubris so large that they honestly can't conceive their "requirements" as being "literally the same as China?"
Having to build local alternatives probably had a positive impact on China's software industry. We're at a point today that major Chinese software/tech companies are routinely talked about on nightly news.
Would you want to be reliant on American companies right now?
Not wanting to be reliant on american companies because of the data and technological sovereignty is admirable.
Not wanting to be reliant on American companies because they don’t allow you to spy on your own citizens as much as you want through…
[dead]
Someone is always willing to bend towards what the market requires - including complying with whatever insanity gov wants
Let them. If you bend you reduce the options for people who do not want that.
Have you ever read the book The Corporation? It goes into some detail about why corporations can't do that. Not "won't" - can't.
i did not read the book but i did read the news when google gave up on serving censored search results in china
Unlike a certain big tech giant who pretends to care about privacy until it cuts into their profits.
All of them?
Well, only some claim to "remain committed to offering our users the highest level of security for their personal data" while turning off E2EE cloud storage for an entire country.
What other choice did Apple have? To ignore the law of a country where you operate just because you don't agree with the law is a terrible standard to set.
> Signal to leave Sweden if backdoor law passes
Terrible yes, but given Musk-X-Brazil, at this point the Rubicon of "setting" such standards has already been crossed.
(Even if the result was Musk being humiliated).
What else could they have done?
They could have done like Telegram in Russia and said that they will not care about that and work on ways to bypass any firewall that could setup the authority to block it.
Are we talking about Apple? How can they operate in a country they are banned in? They are predominantly a hardware company.
As Signal are doing here, they could have refused to do business (at least, with iCloud) in that country. That's a far bigger pushback than simply capitulating to removing a relatively unknown feature.
To be clear, if they did this and the UK gov called their bluff, it'd affect me personally, but I'd rather that than swinging open the backdoors
Not put absolute profit over principles? Or at least don't advertise they do?
No, what specific action would you have had them do?
> Signal to leave Sweden if backdoor law passes
I don't know... what else could Apple have done? Hard to determine what else they could have done besides turn off the feature in a thread on another company not just turning off a feature, but leaving a country entirely.
Who would make that decision? What would happen next after they did?
No, some of them don't even bother pretending they care about your privacy.
What would even be the point of Signal if there’s a backdoor? This isn’t just principled, it’s necessary for business.
Once Signal is backdoored successfully (in this alternate timeline) you go after WhatsApp, RCS, whatever other encryption you can't bypass. Other countries follow suit because Sweden did it (like an infamous single study out of the Netherlands that affected global health policy.)
The goal is no privacy. Because terrorism. Or the children. Or espionage. Just pick one and speak against them directly and you'll find many arguments why the government needs access for any of those reasons. People love going to bat for giving up rights.
I forget who said it but you cannot have a civilization without secrets.
Swedenherald and their 807 vendor buddies value your privacy.
Original article (in Swedish, but the interview with Whittaker is in English): https://www.svt.se/nyheter/inrikes/signal-lamnar-sverige-om-...
[dead]
Some background: Lots of stories in the media in Sweden recently about how murders are now ordered via chat apps. Today in fact, there was one about a Snapchat murder. https://www.aftonbladet.se/nyheter/a/8qL3A1/uppgifter-missta...
Which bill are they talking about? Chat control?
What is the state of peer to peer messengers with E2EE? Over ten years ago, Bittorrent Inc. (now Rainberry and Resilio) made a serverless chat client (Bleep IIRC). But I don't think there is anything new that is also user-friendly? (Drop-in replacement of WhatsApp, Signal, iMessage, etc.)
Peer to peer communications are difficult to combine with mobile phones (at least if you value battery life). There are various messengers out there, but they're incredibly niche and I doubt they'll ever get any decent user bases.
Tox is peer to peer and encrypted, but its UX will probably drive away anyone who wants the ease of use of Signal or WhatsApp.
I think Matrix experimented with the concept of running a server on-device, and that's one of the few alternative chat systems with decent UIs available, but AFAIK that never made it beyond the proof of concept stage.
Veilid Chat, developed by the Cult of the Dead Cow, promises to be an interesting option, but it's currently in beta and has been for a while.
> Matrix experimented with the concept of running a server on-device
https://arewep2pyet.com/
Session, SimpleX, Jami, Briar are a few.
Jami is supposed to be encrypted, distributed, opensource, and cross platform, though I haven't personally used it:
https://jami.net/
If the purpose is to stop the gang violence, why not remove the gangs from the country?
> If the purpose is to stop the gang violence, why not remove the gangs from the country?
Because the stated purpose is only the sales pitch. The full list of uses will never be stated publicly, unless someone like Snowden leaks it at great personal peril.
That's a huge challenge isn't it? Unless you do it like in El Salvador.
How would that be?
Interesting that the Swedish military agrees it's a bad idea.
Apple did the right thing in the UK. This means that neither politicians nor the military will benefit from E2EE, while it's clear that they wished that just the plebes would be affected by this.
Maybe all IMs should then drop encryption altogether, bringing us back to the stone age of clear text messaging (email sent unencrypted between MTAs).
Because this "please let them use encryption, but let us peek around it" just doesn't feel right.
> Because this "please let them use encryption, but let us peek around it" just doesn't feel right.
Most of gov regulation works like that. You can have guns but only registered ones. Machines guns illegal unless it’s military etc
It seems like a lot of these proposals are coming out of Europe—assuming I’m not mistaken (and I may well be), why is Europe cracking down so much on privacy?
There is a huge section of the population who believes it's possible to strip the security of criminals using apps like Signal without it affecting everyone's security. Same in Sweden as the rest of the world.
The military of Sweden seems to get it at least, they "write in a letter to the government that the proposal cannot be realized "without introducing vulnerabilities and backdoors that can be exploited by third parties"". The military also recently advocated for more use of Signal, so clearly they've reviewed it and find the current security good enough.
It's becoming clear that EU politicians are far too easy to manipulate by companies with products to sell.
> Since the revelation of ‘Chatcontrol-Gate,’ we know that the EU’s chat control proposal is ultimately a product of lobbying by an international surveillance-industrial complex. To ensure this never happens again, the surveillance lobbying swamp must be drained.”
https://news.ycombinator.com/item?id=43171861
Sweden has rapidly devolved from a high trust society to one where firearms and grenade attacks are a weekly occurence [1]. It is the perfect opportunity for law enforcement to demand more surveillance capabilities.
[1] https://la.stnight.in/Sweden/
Step 1: allow a million people from low trust societies to immigrate to a nation of 10 million in a short span of time.
Step 2: Sweden becomes the gun crime capital of Europe.
Step 3: Change your society to a low trust society, dismantling all the wonderful things social services and liberal institutions.
Sweden is having an epidemic of Crime as a Service, where minors are recruited online to do killings etc for cash. Secure messaging makes it very hard to find the leaders of these crimes.
Bullshit. Crime gangs had myriad of ways to hire youth before. There could be other ways to make sure there’s no huge pool of youth waiting to be hired. But that may be politically too hard.
Please do your research before throwing that term after me. I don't care if you think its markedly different for crime recruiting earlier. Point is contracts for killings are put online and planned through Signal. The Swedish police find it annoying as it makes it hard to find the money men. That's the reason for why Sweden want the back door. If it makes sense or not has no bearing on what I wrote.
I’m throwing that term at Swedish police, not at you.
Gangs would find another communication channel before the law is put into effect. Yet backdoor would be there forever.
European bureaucrats generally have little understanding of the technology they get paid to regulate, as we've seen with the their previous attempts to regulate the industry. It's very much a "vibes-based" approach. They can simply keep proposing the same regulation with a new name until it's voted through.
> European bureaucrats generally have little understanding of the technology they get paid to regulate
I'd agree with you if you just put "bureaucrats" instead of European bureaucrats, what country isn't currently led by a bunch of bureaucrats who don't seem to understand even the basics of the technology they legislate about?
I've yet to seen a country to lead the way, no wonder the rest of the countries don't seem to know what to do and just throwing stuff at the wall.
While I generally agree, the bureaucrats in the US have been somewhat checked by nonprofits who will lobby against this kind of legislative overreach and sue if the legislation passes. Obviously we have all sorts of other problems, but mostly our bureaucrats and legislators aren’t making backdoors a policy as far as ai’m aware (who knows what the CIA and FBI and NSA are up to, though?).
I assume it’s just one of those things that Swedish society is having to grapple with abruptly and that they will adapt the appropriate institutions. I have more faith in Sweden than my own country lately.
> While I generally agree, the bureaucrats in the US have been somewhat checked by nonprofits
So does Sweden, and have had strong privacy advocates for a long time. Remember that The Pirate Bay came from Sweden? It spawned a political and ideological movement (Piratbyrån & Copyleft/Kopimi) that still has some presence in Sweden and EU although doesn't seem as strong as it used to be, except for Iceland I think.
> I have more faith in Sweden than my own country lately.
Not sure what your own country is, but assuming it's US, they're pretty much equal in many ways (but not all obviously) and Sweden basically copy-pastes US political policy for the last decades, for better or worse.
Yes, my country is the US. I'm very skeptical that Sweden and the US have similar policy in the general case or in the case of privacy in particular. With respect to privacy specifically, I don't think the US has passed any "no encryption" or "mandatory backdoor" policies (I'm happy to be corrected). In the broader case, I'm of the impression that Swedish policy differs dramatically from US policy with respect to regulation, social safety net, taxation, government-owned enterprises, etc.
The politicians voting on it might not fully understand but the people pushing the regulation absolutely do. They want a popultion that hears and sees only what they want to.
The population in europe is finally (if slowly) waking up to the fact that their elected leaders do not act in their interest. This is the establishment's attempt of staying in control of the narrative so they can keep suppressing any real resistance to their rule.
Bear with me here, but I think it comes down to believing in a "benign government", coupled with a misunderstanding of the technology.
Under a benign government (as arguably we have in most of Europe), we can have a reasonable assumption that the state will act in the interests of the population. The public sector workers who have chosen that line of work probably believe in what they're doing and want to do it well.
The government has always had the ability to steam letters open, and they will always need to, in order to fulfill their duties to the population.
Of course, requests such as adding a back door to end-to-end encryption are unnecessary when they could take control of one of the devices in some fashion...
On the surface it's mostly "think of the children" and "terrorists use encryption" type arguments.
I'm sure some of the politicians advocating for this have ulterior motives, but I hope we won't get in a position where we find out what those motives are.
In Russia Internet censorship went in ten years from "we need a legal framework to block websites with child porn on a court order, why are you against it, are you a pedophile" to blocking everything that doesn't speak complimentary of the government without leaving any paper trail at all.
The reasons mostly are "they are all owned by elites whose names you're not allowed to even know and who would like to keep the serfs docile and ignorant".
I can not speak for Europe generally but Sweden has very serious problems with gang wars the last couple years, and people are really tired of them shooting each other and setting off explosives. That's the reason for this particular proposal (and many other questionable expansions of police power too).
As opposed to the US, where this spying is done illegally and no one gives a shit?
Because European tradition is to have strong bureaucracies steering the „democratic“ processes. And encryption is a wrench hitting those mechanisms. Another one is the raise of all sorts of independent journalists/bloggers/etc.
Those themes keep recurring both on EU as well as national levels. Including nations that ain't EU members.
As a citizen of EU member, I’d love to change this discourse. But there seems to be very few options to vote for. And then such BS happens at levels that are practically out of reach of democratical process.
It's not just privacy, Europe is cracking down on freedoms generally. Free speech, the right to silence, the presumption of innocence, etc.
Most of this is being done to address the increasing terrorism threat we now face on a daily basis. Freedoms really only work in societies where people broadly share the same values and cooperate, but European societies are fragmenting and increasingly becoming less safe and less tolerant. If we want to do something about this then restricting freedoms is probably going to be required to some extent.
Another theory I have is that this could just be a symptom of an older and more female voter base. As women become more politically active and as older generations make up a larger share of total voters if we assume these demographics are more safety orientated on average then perhaps we should assume that safety concerns will begin to trump the desire for freedom. It's just a theory though.
> Most of this is being done to address the increasing terrorism threat we now face on a daily basis. Freedoms really only work in societies where people broadly share the same values and cooperate, but European societies are fragmenting and increasingly becoming less safe and less tolerant. If we want to do something about this then restricting freedoms is probably going to be required to some extent.
Or you could undo the changes that have caused that decline in social cohesion. People don't share the same values because our governments have been non-stop importing people with radically different values. Values which see it as a positive to end the lives of those who don't agree.
> Another theory I have is that this could just be a symptom of an older and more female voter base.
That voter base does vote more for the established parties and their policies that have gotten us into this compared to the population at large, yes.
Glaring example supporting the first hypothesis is that Denmark reinstated blasphemy laws in 2023. https://en.wikipedia.org/wiki/Blasphemy_law#Denmark
[dead]
Because we’re cuckolds and a politically dead society. Also very old. After you’re passed the age of 40 you’re more interested from your pension is going to get paid for when the day will come, not in abstract things like “freedom” and what have you.
Things would improve dramatically if everybody who lives off the state (including pensioners) couldn’t vote.
In some European countries public money has turned into a pretty transparent way of buying votes. These votes are used to make sure nothing ever changes.
Because JD Vance is right.
It is incredibly dangerous to add this kind of functionality to anything. I also believe that this request is illegal with current European legislation.
And people say the US is authoritarian. You can't burn books in Denmark without going to jail and now Sweden wants to spy on all your messages.
I certainly hope they don’t install any kind of backdoor, because they will give unfettered access to the fbi, and they will likely use that to hunt down marginalized groups (trans women) to eliminate them.
I wonder if there is some connection between the more-spying direction of policy to Sweden's recent entry into NATO ("after 200 years of non-alignment"):
https://www.nato.int/cps/en/natohq/news_223446.htm
Sweden has been sharing info with its neighbours and the US for a long time. See SIGINT Seniors Europe for example
How are these politicians so clueless?
They aren't. They know very well what they are doing.
Actually, they are totally clueless many of them.
The solution to this conundrum is to decentralise these services, i.e. run your own XMPP server for your family and friends. Keep your own data where you can 'see' it, on 'the server under the stairs' with some distributed backups to 'devices under different stairs'.
This is no pie-in-the-sky statement, I've been running such a server for years and have installed several for others. System requirements and maintenance are minimal - you can run Prosody on a Raspberry Pi 1B if needed. Availability and reliability are high, it basically works as long as network connectivity and storage are available. The user experience largely depends on the client applications where Conversations on Android is probably the gold standard and in many ways comparable to Whatsapp.
When using OMEMO the server admin does not have access to cleartext communications so assuming clients are configured correctly there is not much to be gained from raiding the server. If some government entity wants to snoop on communications they'd have to gain access to at least one of the client devices since encryption is handled locally. Instead of backdooring centralised services run by Whatsapp or Signal or Telegram they'd have to get to a multitude of servers-under-stairs and client devices which makes it infeasible to use the 'dragnet approach' which is most likely the intended outcome of these backdoor laws.
Some decades ago at I heard Jello Biafra repeat his statement not to criticise the media but to become the media. This has happened, the (current incarnation of) legacy media is running on its last legs and has been overtaken by 'new' media. Here's a corollary to this statement:
Don't criticise the service providers, become the service provider
Use the internet as it was meant to be, a network of networks. Lots of networks, each running their own services with 'secure' communications between those services. I put secure in quotes because there might be a chance for some TLA or other organisation to break the encryption on one of those communication links. Even if they managed to do so they'd gain access to only a small fraction of the communications going on around the 'net.
But advocating for distributed communications only aids and abets criminals, won't you think of the children?
When guns are outlawed, only outlaws have guns. Criminals already use these services (and some of them have been broken/backdoored) so this is nothing new to them.
But you can't expect grandma to run her own server
No, I don't expect her to do so, she can use yours instead.
But but but but
You're starting to sound like a chicken.
Running this stuff is not hard. If you know how to do it, do so and help others to get started. While you're at it you can help them to secure their networks against intrusion by their service providers as well by making sure the ISP connection terminates at a router managed by the device owner, not the ISP. There is no reason to give the ISP access to your LAN since that only creates an incentive for those government entities to force the ISP to give them access to customer networks. The ISP should be used as IAP - internet access provider - and only be allowed to see whatever traffic you allow out of your network, not what goes on inside of it. That, though, is something for another post, another time.
I've been running services like this for decades, this works, it is not difficult and does not take that much time. It has only gotten easier over time, hardware has gotten cheaper and smaller, power use has gone down, performance has radically improved. This is not a pipe dream, it has been first my, then our reality for more than 30 years.
Don't criticise the service providers, become the service provider
There is a reason why Free Software (as in freedom) was invented: To ensure that those who create the software do not overpower those who use the software. The idea, that companies or politicians can force the user's machine to work against it's owner, is wrong. And it is wrong, because to be a human in the 21st century means in most cases, that your digital devices and your digital interactions are a core part of who you are as a private person. Invading the privacy of one's digital space is a violation that goes as deep as reading someone's diary when we look back and the time when life was more analog.
> The idea, that companies or politicians can force the user's machine to work against it's owner, is wrong.
You are hinting at something important here. Let me strengthen your point: to own an object means to subject it fully to your own will. If the object can act in a way that favors someone else's interests over yours, you do not own it. This is true of pretty much any device running proprietary software.
A litmus test: can you make your device lie to the manufacturer's servers? Regardless of the legality or morality of doing so.
However this article is really about something else: the vulnerability of centralized services in the face of government oppression. Signal only has the ability to log messages because it is a centralized service that controls both the client and the server. The benefits of E2EE is greatly reduced if the client and the server is controlled by the same entity (tomorrow Signal can push out an update that would send a plaintext backup to their servers, and you wouldn't know it until later). Moreover, the non-free distribution mechanisms on mobile phones (stores) limits a company's ability to resist.
Also only possible because we use Signal as compiled by themselves and not by trusted third parties from a source kept clean of any future client-side backdoors. The client is open source, right? https://github.com/signalapp
(Reproducible builds is a cool technique.)
I have unpopular opinions about this, because Signal has been so hostile to anyone other than Signal themselves being involved.
But to be specific: "open source" claims go out the window when they're;
1. Not reproducible (before anyone links me to the "reproducible steps" please actually read them because they tell you directly that they will not create a reproducible output).
2. Able to hide development of mobilecoin (somehow) from us for nearly a year. To be clear: There were updates to the Signal app on iOS and Play, otherwise there would have been security bugs, but those patches did not make their way into the repositories.
Signal operates on a "trust us bro" mentality, and no matter how trustable they seem to be- something about that doesn't sit right with me and never has.
EDIT: I don't really care if bots or shills downvote me, can you really, with a straight face, say it's NOT "trust us bro" ideology that makes people use Signal?
Can you point out where it says it won't be a reproducible output?
https://github.com/signalapp/Signal-Android/blob/main/reprod...
I skimmed and didn't see that but the "apkdiff" script extracting the apk because "diff doesn't work well on zips" made my gut twitch.
Why can't I sha256sum the two apk?
Archive formats are hard to make reproducible because there are lots of ways of making different yet equivalent archives. So it’s not surprising to me that someone would fail at this hurdle and find it frustrating to resolve. Nix defined their own format for this to avoid this exact problem.
It seems there are multiple reasons. For one, the apk files include a digital signature and you won't have Signal's and Google's private keys available to recreate their signatures.
Ah nice; they got rid of that explicit warning - instead though we have the entire section about "bundlePlayProdRelease" including an externally sourced binary blob.
A significant improvement.
/s
I don't understand how the details of the build process matter if the resulting files can be checked to be bit by bit identical? I can only think of something like Signal and Google conspiring to backdoor the binaries during the build process via this external binary blob. But if Google is part of this, they could also do it within Android which is not fully open source.
If you don't like this, you use the non-Play Store build instead (which supposedly doesn't include any binary blobs, but I haven't checked).
> 2. Able to hide development of mobilecoin (somehow) from us for nearly a year. To be clear: There were updates to the Signal app on iOS and Play, otherwise there would have been security bugs, but those patches did not make their way into the repositories. Signal operates on a "trust us bro" mentality, and no matter how trustable they seem to be- something about that doesn't sit right with me and never has.
The MobileCoin work and the source code not being published on the public repository for nearly a year was an extremely ill thought move. It soured my view of Signal as well.
I’m throwing a +1 your way. Hiding development for a year to launch a get-rich-quick coin isn’t the way a trustworthy FOSS organization should behave.
As someone who got their whole network to switch to Signal before that happened, it was absolutely disgusting watching that all play out.
https://molly.im for a more FOSS and safer fork of Signal
Yes, this is part of the problem. Application developers and the packagers should be distinct unrelated entities to reduce the chance of a malicious update being pushed to users if the developer sells out.
F-Droid and Debian/etc show how this is done.
Splitting the developer and the packager doesn't inherently reduce the chance of a malicious update any more than using a VPN reduces the chance of being snooped on by an ISP. All it accomplishes is change who you have to trust to not be malicious. You might have good reason to believe that you can trust one party better than you can trust another, but unless you're building the package yourself there's still no guarantee that the package that you install is built from the source code you can inspect.
It's all based in trust in the packager and only the packager—there are no checks and balances. The only reason why splitting up the responsibilities might help is if you find the F-Droid maintainers to be inherently more trustworthy than the Signal developers, not due to simply separating the concerns.
Without reproducible builds, this just means you have to trust the packager instead of the developer. Sometimes that's a good trade-off, but you still haven't really solved the problem, just moved it.
With reproducible builds, you don't have to trust the packager or the developer as long as you trust at least one person who reviewed the source code.
Packagers have proven to be more reliable. Sometimes they make mistakes but there's no case of a packager ever selling out (correct me if I'm wrong.) On the other hand, there are numerous cases of developers selling out.
That does not solve the problem. A country can forbid F-Droid and Debian and anything else that is not in a short list of vetted app stores that comply with the law of that country to backdoor everything.
A sovereign country creating and enforcing domestic laws is not a problem that can be overcome with software.
You don't need to run the server to backdoor the client. You just need access to push updates to the client. It doesn't matter who runs the server.
> to own an object means to subject it fully to your own will
Not by a long shot. Just a few counterexamples from the top of my head: Destroying currency, altering passports, reproducing copyrighted images.
I'm not saying I'm a fan of even more exceptions of that kind, but I don't think there are any particular inherent rights arising from property ownership beyond from what society agrees on there are (e.g. the first sale doctrine for physical media). That's what makes it even more important to codify these rights.
> Just a few counterexamples from the top of my head: Destroying currency, altering passports, reproducing copyrighted images.
These aren't counterexamples, they prove the rule. A US passport literally has the text "this passport is the property of the United States" printed inside of it, and I imagine the same is true in most countries: you are the recipient of a passport, not the owner of one.
The same applies to copyrighted images— when you purchase a book you own the physical copy and can fully subject it to your own will, but you don't own the right to make additional copies of it. You own the copy, not the intellectual property.
As for currency, it may not legally be the property of the US government like a passport, but I would argue that the fact that you can't modify it does in fact mean that you don't own the bill, the bill is a representation of an abstraction of "money" that you do own.
Afaik currency (as in the physical banknote) is actually state property too. What you really own is a promise from the national/federal bank to pay you the value that is written.
Yeah, that has been my understanding, but I couldn't find a citation for that right away, so I didn't want to assert it confidently. But I've heard the same thing.
Note that I said "can", not "legally can". You can destroy currency, alter passport, reproduce copyrighted images if you want to. There may be legal consequences but you can. You can also stab a person with a knife you own, even if you will be punished for it. I'm not talking about rights, but capabilities.
You can't make your phone lie to an app developer about its location, rooted status, etc. You can't make your HP printer print with unsanctioned ink. Therefore, you do not own them.
I also can't make a pen and a sheet of paper contain a proof showing whether P is equal to NP. Does that mean I don't own them either?
Now you could of course say that the difference is somebody having intentionally designed an object in a way that makes it capable of withholding some functionality from me but not others, and I'd agree.
But all in all, I just don't think "property rights" is the right lens to think about computing devices.
You can also not use a service. I think anonymity is a better measure than the ability to lie for co-operative systems.
> You are hinting at something important here. Let me strengthen your point: to own an object means to subject it fully to your own will.
Let’s explore that.
If the law says I can’t ride my motorcycle the wrong way down the street, does that mean I don’t own it?
What about if we add traffic cameras that absolutely guarantee I will be prosecuted?
What about it if we add a black box that reports transgressions automatically to the authorities?
What about if the black box automatically cuts power to the engine?
I don’t think ownership is a binary using your criterion, or perhaps it’s simply that different people will put the dividing line in different places.
You don't own the streets.
You can do what you want with the bike, but your analogy falls flat because it implies that despite you owning the bike you get to drive through your neighbours living room: because your right to own a bike somehow trumps their right to own land and a home.
> Invading the privacy of one's digital space is a violation that goes as deep as reading someone's diary when we look back and the time when life was more analog.
Which police with a warrant can very much do.
There’s no warrant protection in this bill. They want to keep a copy of everyone’s data so they can look back at old stuff after the fact.
Even if there was warrant protection, I’d still be against it. People have traditionally had the right to speak to each other without giving a transcript to the police. I think it’s unreasonable to make that illegal.
Sure but I was responding to the point that a diary can't be searched. It can be. The key difference is that doing this for analog conversations was expensive for the police as it required them to devote finite human time. Digital is not the case.
Comparing to analog is I think flawed because even if it mapped 1-to-1 it does allow for a level of search that is problematic given the low cost of digital surveillance.
Testimony under oath can be compelled
In theory. In reality, no. "I don't remember/I don't recall" is a famous dodge.
Yes but people can genuinely forget the exact words they spoke time ago, even one minute ago, or a whole conversation. Examples: Who did I talk to yesterday? Did I met that neighbor of mine yesterday or was it the day before? I don't know.
They are not the same thing.
That is a significant hurdle. They have to do it for each individual target, show up in person and each case can be contested in court.
Scalable surveillance is different, just as scalable weapons are different.
It’s a good thing we have FISA then to protects us from the scalable surveillance. /s
Or, for that matter, analog correspondence or notes can absolutely be subpoened in many sorts of court proceedings, including civil.
Unfortunately, when we switched from letters to emails, the legal privacy protections we enjoyed back then, were not carried over do the digital realm. We're still suffering and have to use encryption to protect ourselves from the lack of legal protection.
Legal protections are great and everything, but if I had to choose between abstract legal protections or concrete protections based on physical properties, I'll choose the later every time. Obviously both is ideal, but I'd use encryption for most of my correspondence regardless of my levels of legal protection.
It may be wrong, but it proves that technology can't beat politics and policy.
The issue with Apple caving to UK demands regarding encryption, and now Signal being in a similar situation, shows that you can't just focus on technology and ignore policy and politics.
And you'll find out that a ton of people here on HN will care, but most of the public won't.
People should take XKCD 538 really to heart (The 5$ wrench one). It's not the same point, but very similar. https://xkcd.com/538/
> technology can't beat politics and policy.
It often only can't in a world of mandatory centralized app stores. That's not the only possible world.
We technologists will probably be able to circumvent any Signal-ban. But we don't exist in a vacuum, we are a small part of a larger society. Who's at the other end of your conversation?
Most 'regular/normal' people won't and most importantly - don't want to - jump through the technical hoops to keep using Signal.
Although the downside of the official app stores is clear, the alternative might result in a swift return to the '90s and '00s where malware and viruses were rampant. Pick your poison.
I think malware and viruses are less common for many reasons, but I suspect increased awareness and security posture (including the architecture of modern OS) has more to do with this than "walled gardens." Malware does make it onto closed app stores, and many users (e.g. on Windows) still don't use app stores.
The answer you're looking for is probably to build more decentralized, FOSS software with better UX. Much easier said than done of course.
> It may be wrong, but it proves that technology can't beat politics and policy.
It very much can. In a battle between human force and physics, physics win every time. If I send an encrypted email to you, you have the choice to not give up the key, even if you'll be in jail. With physical letters, you don't have this option. Technology gives you the ironclad ability to keep a secret, only limited by the fortitude of your character.
You can always burn a physical letter or delete a file.
This bill is akin to making it illegal to destroy your own correspondence.
You clearly haven't felt a 5$ wrench on your body. Giving up your secrets under torture isn't a character flaw, it's what will happen to 99.99% of people under torture. I can't help you if you don't believe that this is true.
And I hope you understand that 5$ wrench is a euphemism for what would 'really' happen.
All this to say that no, technology does not triumph over politics and policy.
Technology very much does. It's the flesh that has a hard time triumphing over force. To counteract this, you can also engineer a system that can resist it through e.g. split secrets on multiple people located in different jurisdictions.
If you split a secret over two people, first, we use the 5$ wrench on one of you to identify the other and the rest is easy.
If the second person is somewhere else in a different jurisdiction, how are you going to communicate with each other to get the two halves of the secret together to encrypt/decrypt messages? It's an unworkable situation.
As I see it, you create a fantasy situation that would not work if you just want to communicate with people in a secure way. No amount of technology or encryption is going to work, especially in the real practical world.
Did Apple cave to UK's demands? I thought instead they removed their product from the market, like Signal.
We're talking about companies though, not technology. Something like Bitcoin or BitTorrent can be regulated, but not stopped.
Not fully, but making transacting in Bitcoin outright illegal would probably go a long way to making it completely unattractive to 99% of all potential users.
And if Apple and Google were forced to remove all wallets from their app stores, it would largely be game over.
Transacting in Bitcoin is already unattractive to 99%+ of potential users.
In addition, simply taking out the on/off ramps, such as Coinbase, would destroy the utility of cryptocurrency as well, since the grand majority of folks dealing in the stuff are only interested in flipping it for more cash money on the other end by finding the next sucker in the chain.
Very few people actually care about the principles of Bitcoin and the like. Maybe the core devs and some very early adopters?
I think a large part of the success of Bitcoin can be explained by the combination: It allows people to say (and even believe!) that they're in it for the ideology, while the real motivation is primarily that of capital gains.
Whether it's useful to the current "grand majority" or not / holds the value it does today is orthogonal to whether the technology can be stopped and whether it still provides value to those who continue to use it.
I did worry this example would be too political, hence including the BitTorrent example as well.
Much like how PGP was disseminated by Phil Zimmermann, and then the government decided to come down on him like the plague in the early 90s. What the US government didn't know was that it was too late and such technology was out in the zeitgeist. Bitcoin is in a similar situation.
The actual software and code? Good luck getting that genie back in the bottle now. But, you can certainly hamstring it in other ways, and frankly, that should be good enough. I say this as someone who is absolutely not a fan of the project and find the perverse incentives in PoW especially to be pure garbage, but I am also a realist.
When you have folks like Peter Zeihan declaring that Bitcoin *will* go to zero - that is, I think, the epitome of hubris. We don't know what will happen next, and with our current administration, I'm only seeing Bitcoin become more influential in the interim, much to my chagrin.
I think we're in agreement.
> The actual software and code? Good luck getting that genie back in the bottle now. But, you can certainly hamstring it in other ways, and frankly, that should be good enough.
This is my point - the technology is out of the bottle. You can't stop it. You can disincentivize its use in all sorts of social and legal manners, but to go all the way back to my original comment: you can stop Apple (Coinbase) from operating, you can penalize individuals for using encryption (or cryptocurrency in this case), but encryption (and blockchain) still exists and can be self-hosted, and individuals can continue to utilize those tools.
Again, look at torrents. Its primary use case is illegal. What.CD, Oink, even TPB (at various points) have all been taken down. Yet torrenting still enjoys widespread use across the globe.
I'm not a fan of cryptocurrency either, but I do want to note that "hamstringing" it at this point will likely have many negative downstream effects on the overall economy.
>I'm not a fan of cryptocurrency either, but I do want to note that "hamstringing" it at this point will likely have many negative downstream effects on the overall economy.
This part does terrify me. Too many hedge funds and more common investment vehicles have gotten exposure to this. If there ever is a huge rugpull, regular folks will get nailed. Sad times.
The antidote to XKCD 538 can be steganography. They won't beat you with a $5 wrench if they don't suspect you of doing anything at all. End-to-end encryption can become illegal, but as long as you can run arbitrary code on your machine, you can hide and decode messages with steganography. JavaScript can do the job, so even locked down mobile devices will work if you go to CodePen, JSFiddle, JSBin, etc.
Steganography isn't some magic shield to avoid surveillance though. If authorities are already monitoring you for some other reason, then they can burn a zero-day exploit and see anything you do on your device. And if your entire city is covered in cameras with facial recognition, well... you can have your secret messages but I don't know what kind of resistance you're going to be putting up. So to some degree you're right that you can't fully ignore policy and politics.
Not sure how to get most of the public to care though. I get most people have more immediate concerns in there lives, and crime is a legitimate issue, but even a cursory knowledge of history will show the hell life can be under authoritarian governments. I think far too many people think "it can't happen here", which seems insane considering how often it has occurred even in liberal democracies (Spain, Portugal, Germany, Italy, Argentina, Chile, and many more.) In less liberal and less stable democracies, it has happened even more times. I'm not sure why people have some unfounded faith that their government could never become authoritarian and oppressive.
I'm not saying take down every CC camera and get rid of intelligence agencies -- they are important tools for fighting crime. But there's a difference between a few traffic cameras and CC cameras in places people would presumably commit a crime, and burning targeted exploits for surveillance of truly notorious criminals, and just mass surveillance through banning end-to-end encryption. With zero-day exploits, the government is inherently limited in the surveillance they can do, so it's a limiting factor on their potential for abuse, as the more they use it, the more likely they are to be discovered and patched. But with no end-to-end encryption, the potential for abuse is limitless.
>The issue with Apple caving to UK demands regarding encryption
Apple "caving" would've looked different; in fact, we probably never would have known, given the insidious nature of the underlying statute in the UK.
Apple is making noise about the fact that they pulled the product, and the tech press is making it clear WHY even though Apple itself is legally prohibited from giving any additional context.
I feel like that was probably the best move available to them given the cards dealt. Fighting in secret courts is unlikely to be fruitful.
Removing the advanced encryption option for new accounts is really 'caving' to the demands of the government in my view.
And in time, they will also remove the e2e encryption on existing accounts using the e2e feature to comply with UK demands.
They may have sounded the alarm, which I appreciate, but they still have to 'cave' and do as the UK government tells them or they have to cease operations in the UK.
What I'm really noting here is that Apple had no good options.
Capitulating would've meant giving the UK government the back door they wanted. They didn't do that. They complied in a loud and public way, which unmistakably shined a light on the insane request.
The only other options for them were withdrawal from the UK market entirely, or a secret court fight they'd probably lose.
To me, their actual response reads more like malicious compliance than "caving," which usually implies giving up completely.
> It may be wrong, but it proves that technology can't beat politics and policy.
There's definitely a strain of thought which perceives almost everything in society as being outcroppings of the progress of technology (however you define that), and especially in the 1990s imagined/expected everything to fall over under the mantle of "information wants to be free" etc.
I think you're right that this is an intellectual dead-end. Many of us lived through the 90s hype wave and into now, and have watched things take a complete circle. The Internet didn't transform society into utopia, the real-world dystopia transformed the Internet into a high definition image of itself.
I think that this highlights exactly why we need decentralized, open source software.
Back when Moxie Marlinspike made a thoughtful critique of Web3 (the most thoughtful one I had read, actually), I put together a reply. It’s worth a read for anyone on HN who cares about user freedom and how society is structured:
https://community.intercoin.app/t/web3-moxie-signal-telegram...
A note to the younger HN crowd who may have grown up with locked-down devices: the “hacker ethos” used to mean the freedom to tinker and buuld your own. It wasn’t always the case. The Personal Computer and Apple came about through the Homebrew app. And before that, Steve Jobs and Wozniak were even building blue boxes for “phreakers”:
https://www.youtube.com/watch?v=HFURM8O-oYI
Before he became a corporate golden boy, Mark Zuckerberg built Synapse for regular users and open sourced it instead of selling it to Microsoft and wanted to build Wirehog, but Sean Parker proudly said he and Peter Thiel “put a bullet in that thing”
https://techcrunch.com/2010/05/26/wirehog/
I don’t want to just be the “wake up sheeple” guy or some unkempt Stallman clone. But there is a real culture clash between the hackers and the corporations, and I feel like the HN denizens who knee-jerk downvote of anything decentralized today don’t get the point of open source decentralized hacker ethos and how the people who practice it produce the next big thing. Working for FAAMGA and “the cloud” ain’t it folks. Here’s why “the cloud sucks” by Steve Wozniak: https://gizmodo.com/why-the-cloud-sucks-5932161
In short — read my rejoinder to Moxie Marlinspike, in my first link. It is ironic because all these years later, I end up being right: it is exactly his company that’s getting hit with this, exactly because it is centralized.
And if you are Moxie or Durov and think your centralized company has somewhere to run… here is the bigger picture around the world — governments are coming for you and the war on user freedom is coming through you: https://community.qbix.com/t/the-global-war-on-end-to-end-en...
This principle seems out of touch with most people’s reality: products hardly ever do everything you want and often work against you. If someone has a device that doesn’t do what they want and there’s no setting to change its behavior, replacing it is usually the only practical option. (Or if it’s a problem with an app, they might be able to install a different app.)
If there is a free software license, it’s of no direct use to them. Only software developers care about such things. (There is an indirect effect on what software is available.)
Yes, because we largely don't have Free Software.
> If there is a free software license, it’s of no direct use to them.
It's of indirect use; they could use a modified version of the software that does what they want, created by someone else. This is why you generally don't see user-hostile features in Free Software; someone would just fork the project and edit them out.
The problem is that some forks are malware [1], so switching to a fork by developers you don't know is risky. How do non-technical users learn which software developers to trust?
[1] https://www.securityweek.com/malware-delivered-via-malicious...
Worst-case, they could hire someone they trust to review the source code.
More realistically, you generally don't have to switch to a fork in the first place because the mere threat of a fork is enough to prevent the deployment of user-hostile features. And when a project does get forked it's often a highly publicized affair with a lot of community drama which produces no shortage of information about who's trustworthy and who's not.
This is only somewhat true for the software most popular with technical users - the sort of thing the average Hacker News reader might be familiar with.
There is a long tail of malware in app stores, despite the efforts of app vendors to police such things. Nobody would be bothering to fork them because most technical users don't care about them, but they still attract lots of victims.
Example: malicious Chrome extensions. Authors of Chrome extensions receive enticing offers to sell and sometimes they do.
Yes, malware does exist in app stores. I don't really see how that's related to Free Software though?
When I say user-hostile features I'm not talking about malware. Yes, I suppose theoretically you could fork a Free Software malware app and make it not-malware, but that's not what I'm talking about here. I'm talking about things like Samsung putting ads on your TV home screen[1], or BMW charging a monthly subscription to access your car's seat heaters[2], or Sweden trying to install a backdoor in Signal. With Free Software, users get the final say on whether those features are installed on their devices or not.
[1]: https://www.reddit.com/r/samsung/comments/184a1j6/why_do_i_h...
[2]: https://www.bbc.com/news/technology-62142208
If malware isn’t user-hostile, I don’t know what is? It works both ways. A fork can fix something that’s user-hostile, but it can also introduce malware into an otherwise useful app that didn’t already have it, and many users won’t know which one to install. There’s no guarantee that any security researcher is watching. In practice we rely largely on reputation, and sometimes that’s the blind leading the blind.
Users don’t get final say in what their devices do unless a software developer is willing and able to help them. Most are actually pretty helpless on their own.
I can speak for german law: If you buy something, it becomes your property, and you have full power of disposal ("Verfügungsgewalt") over it. If vendors deny you from exercising this right, they are violating their part of the purchase contract.
Rights are of limited use if there's no practical way to exercise them. Hiring a software developer to change an OS or an app is rarely a practical option for most consumers.
Correct. It's not practical because those apps usually aren't Free Software and because the hardware or firmware they're running on often aren't Free and include anti-features that prevent you from installing Free alternatives.
If they were Free, users wouldn't necessarily even need to hire a developer to change their app or OS; those changes would most likely already exist in some form somewhere and the user could simply purchase the modified version.
You can install Linuxor a custom ROM. And if the manufacturer has DRM like SecureBoot in place to prohibit that, you can file for damages and basically get the device for free.
OP is not out of touch, OP is literally saying that this is happening and that it is a bad thing.
Unfortunately, the philosophy of Free Software does not account for the scale at which software is being run now.
Having the source code to a printer driver available is a completely different thing than being dependent on a platform, because all your friends and relations are using it.
Personally, I'd only trust a governmental agency to provide such services, which makes the article we're discussing ironic at the least, or complicated.
A government run social anything would be the most milquetoast experience, wouldn't it?
I suppose if I needed to make sure there was a public immutable record of something it would be useful. Like "I made this thing no later than this post"
But who would use it?
> Personally, I'd only trust a governmental agency to provide such services,
I can't see why you'd say that.
Governments (and private corporations) are not operated to faithfully serve the public, certainly not the public as a set of individuals and small groups of people. It's not that "government services are bad", but rather, than governments, even democratically-elected ones, are practically certain to wiggle out of the straightjacket of strict protection of individual needs and interests for legitimate or illegitimate "greater good"; specifically, they will not resist the desire and the interest to spy on you. And the potential for government abuse of private information is quite high.
Bakunin put it best:
"There is only one essential difference between a monarchy and even the most democratic republic—in the former, bureaucrats oppress and plunder the people in the name of the monarch; in the latter, they do it in the name of the people's will." - Statism and Anarchy
The core problem isn’t the form of government, but the concentration of power itself.
"Personally, I'd only trust a governmental agency to provide such services" I understand where you're coming from, "the ultimate goal of a company is to profit and so we can not trust it to protect their users/consumers interests instead of their own" but... you know that it is always the government that will put you in prison, or send you to war right? That it is a blob of power, controlled by people right? This goverment = good that you see people believing these days is such a childish view of reality.
you know that it is always the government that will put you in prison, or send you to war
You're merely playing word games here. A person keeping another human being against their will is called slavery or abduction instead of prison. Similarly, it's only called war when it's a government doing it, otherwise it's called activism, terrorism, or gang warfare (note the overload of the term).
The main difference between a corporation and a real democratic government is that a government is accountable to all its citizens, instead of its shareholders. I understand that this is a difficult concept to grasp for US citizens, but the rest of us living in actual European democracies don't deserve your childish derision. No system is perfect, but don't make the mistake of thinking that the US government is the best (or even a good) example of democracy out there.
So much this! The internet does not have to be a monolith controlled by the mega-corp/govt flavor-of-the-month. It originally was (and still can be) a network of smaller federated ecosystems controlled by individuals or smaller groups.
Government and charity can be corrupted (and usually are, to at least a small degree). Private industry is corrupt bt default: to the extent possible, it will intentionally serve owners at the expense of other stakeholders.
This is not a knock against private industry in general. Capitalism's greatest strength is precisely that it harnesses corruption toward productive ends through private industry.
Nonetheless, it's unsurprising that people would take a chance at less-corrupt versions of key infrastructure. My preference would be to do this through charity, which worked pretty well for e.g. Mozilla for a while - but I wouldn't call other directions naive.
There are a lot of pragmatic pro-government people here, holding tightly to the "51% > 49%" core principle of democracy, which sadly turns into a mess at the scale of humanity, just like any other model we've invented so far. There isn't a real alternative for us collectively now but to submit to power – so any even slightly anarchistic views are not welcome here most of the time...
> This government = good that you see people believing these days is such > a childish view of reality.
There are plenty of immature ideas about running human affairs going around. History has shown that a social contract obtained by popular assent is the only viable choice, unless you relish war, insurrection, terrorism, and social collapse [0].
Government is good almost by definition because we grant its existence on that basis of benevolence. Indeed one should be ready to defend good government and lay down ones life to make it good, including overthrowing existing bad government.
This was well established 80 years ago and we seem to have forgotten.
I know there are some around here agitating for tyranny and dictatorship. That in my opinion is the "childish view", a result of too much screen-time and a lack of life experience.
Would you be willing to fight for good government? [1]
[0] https://en.wikipedia.org/wiki/Social_contract
[1] https://cybershow.uk/blog/posts/soe/
[dead]
[flagged]
> Or do they want us to believe 3-letter U.S. agencies don't have access to Signal right now? Is this some publicity stunt?
[Citation needed]
I believe the citation falls under "street smarts" as the WikiLeaks press release mentioned Signal explicitly. Whether this was a subtle outing the origin of the tool itself is left as an exercise for the reader.
Regardless, the threat vector is accessing the data before encryption anyway. And drawing attention to yourself by running certain apps and services in the first place.
There's a lot of mathematicians in maryland and those who studied the history often land on "if they want you, they got you."
I'm on the same page with you, mathematicians and the math itself. I'm not a complete stranger to whats and hows of the craft either.
I honestly wanted a source to investigate the claim further, not to stab the commenter.
OTOH, you have given a couple of leads, which I can follow deeper. Thanks!
[dead]
The US does not have a law requiring all messaging applications to store historical messages and provide access for law enforcement to decrypt and view all messages.
The US may (or may not) be capable of decrypting Signal messages themselves -- but that is a different issue. The US does not (currently... it HAS been discussed previously) ban the use of any particular encryption techniques because US agencies are incapable of breaking those techniques. And there ARE techniques that US agencies are incapable of decrypting.
There is no evidence or reason to believe that US intelligence agencies can access signal messages when used properly.
It would be much simpler for them to compromise the phones of targets vs break the signal protocol. This is generally true of secure communication systems, the flaws tend to be in usage and endpoint security, not in the protocol implementation.
Right. I have zero illusions about the presence of many critical security vulnerabilities in my smartphone. Just look at how many are fixed each month.
However, i have also reason to believe that the cryptography of my encrypted messaging app Signal is sound and there's no backdoor.
Indeed. One of the most important properties of a cryptosystem is its resistance to ordinary human screw-ups. And that's before you get to intentional co-operation.