> The Armed Forces, on the other hand, are negative and write in a letter to the government that the proposal cannot be realized "without introducing vulnerabilities and backdoors that can be exploited by third parties
First time I am seeing an organization against this. Kudos to them for standing up.
According to the original article (Swedish: https://www.svt.se/nyheter/inrikes/signal-lamnar-sverige-om-...), the reason for the armed forces to be against it is because they recently started advocating for its personnel to start using Signal to reduce eavesdropping, so backdooring Signal would decrease the armed forces security.
> Men Försvarsmakten är negativa och nyligen uppmanade försvaret sin personal att börja använda Signal för att minska risken för avlyssning.
In fact, they are negative because they say that this can't be done without opening up the service to vulnerabilities that could be used by others.
> I ett brev till regeringen skriver Försvarsmakten att lagförslaget inte kommer kunna förverkligas ”utan att införa sårbarheter och bakdörrar som kan komma att nyttjas av tredje part”.
> In a letter to the government, the Swedish Armed Forces writes that the legislative proposal will not be able to be implemented "without introducing vulnerabilities and backdoors that may be utilized by third parties."
Yes, but your deduction is incorrect. They're saying the SAF are negative _and_ they recommend their personell to use the service, not that they are negative _because_ they recommend it.
I don't see how you can know that "because" is incorrect. This seems like it could be possible to me:
(Possibly) SAF is negative because they use Signal, and don't want a law that would introduce vulnerabilities into Signal that could be utilized by third parties.
TOR was sort of famously contributed to by a dude in US Naval research early on, right?
They are militaries, not police or intelligence forces. The job is to be ready to do war, not nanny and snoop on civilians (Some of that might be a necessary side effect but it isn’t their reason for being).
The NRL originally developed onion routing and Tor. It was then open sourced, stewarded by the EFF for a few years, before becoming its own non-profit. The NRL still do a ton of work on Tor and its ecosystem, primarily through academic research and occasionally code, though the Tor Project is obviously now the biggest player in the space. The original motivation was to enable communicating with covert assets (intelligence services and the like) overseas, which requires lots of non-military cover traffic to be useful, hence the opening up. Its popularity as an anti-censorship tool has motivated a lot of the continued support from various US agencies, including the NRL. Really though, the NRL is a largely civilian institution, and while the people who work there do work for the military, they aren't typically enlisted, have limited security clearance if any, etc. It's sort of like the Navy's version of Microsoft Research, or Bell Labs.
Militaries need intelligence services to be their eyes and ears. That said, most people who are not in their country's armed forces, government, or intelligence service vastly overestimate how much another country's intelligence services actually care about them. Most people aren't that interesting and don't have any intelligence value for another country's government.
US Navy research labs developed onion routing and the core of Tor
arguably, one of the reasons it was released to the public was to get large amounts of traffic using onion routing. because if it's just 50 data steams that are entirely ONI or NSA then it's easy to hit them with timing attacks.
but 2+ million streams from all over makes it a lot easier to hide.
They're not using/advocating to use Signal for their military control/communication:
> This week, Brigadier General Mattias Hanson, the Swedish Armed Forces' CIO (Chief Information Officer), decided that calls and text messages that do not concern classified information should, as far as possible, be made using the Signal app. The decision aims to make it more difficult to intercept calls and messages sent via the telephone network.
Seems people were using SMS for those messages they are now advocating to use Signal for.
Also, seems they've done a review (obviously) but unclear if they had access to something internal from Signal to do the review, feels like they had to:
> The Signal application has been deemed by the Swedish Armed Forces to have sufficient security to make it difficult to intercept calls and messages.
Any decent military will be using multiple forms of communication systems.
I was a communications specialist for the Swedish Armed forces 10+ years ago, including a tour in Afghanistan and a tour in Kosovo.
We used radio links for internet that I can tell you, were more adversarial than friendly.
The Swedish military is highly capable when it comes to network communications. A small nation will have to think differently.
You could potentially use an instant messaging system in control by someone else, if you are willing and capable of sharing encryption keys with whomever you are going to communicate with beforehand.
>Because everything in Signal is end-to-end encrypted, we can rent server infrastructure from a variety of providers like Amazon AWS, Google Compute Engine, Microsoft Azure, and others while ensuring that your messages and calls remain private and secure.
Your source doesn't support your claim. The exact snippet you quoted, interpreted strictly, only means they have the option to host it across providers, not that they actually do so. It also doesn't say anything about where it's hosted. It can be hosted in AWS, GCP, and azure, but all in the US, for instance.
FYI the EU wide proposal to scan all your private messages using an AI agent on your devices also originated in Sweden by EU Commissioner Ylva Johansson in 2022.
> EU Commissioner Ylva Johansson has also been heavily criticised regarding the process in which the proposal was drafted and promoted. A transnational investigation by European media outlets revealed the close involvement of foreign technology and law enforcement lobbyists in the preparation of the proposal. This was also highlighted by digital rights organisations, which Johansson rejected to meet on three occasions. Commissioner Johansson was also criticised for the use of micro-targeting techniques to promote its controversial draft proposal, which violated the EU's data protection and privacy rules.
I don't think anything good ever came from Ylva Johansson. Mentions of her name on something should make one automatically treat that thing with suspicion.
European armed forces should know best, given that Signal has seen actual use by Ukrainian military personnel, with Russian forces trying their best to target those encrypted communications (right now mostly by getting those smartphones from dead bodies).
The fact that proposals like this get this far, without anyone checking with the defence department and actual experts is really weird. It's not just Sweden, this is clearly a problem in many other countries.
I'd really like to know why it's so hard for politicians and police forces to understand that backdoors are dangerous.
It will be waring factions within government (which is never unitary in any country) --- here these laws/proposals/etc. probably come from domestic spying agencies and police forces in most countries. I suspect that signals intelligence agencies and offensive forces have probably mostly moved to "encryption is good" stance given the number of foreign attacks upon domestic assets (gov, biz, etc.).
However, we shouldn't underestimate the desire for foreign intelligence agencies to bait one's own domestic agencies into "spying for them". So i imagine there's some pressure from, eg., the US sigint agencies to have the EU compromise EU citizens in ways that even those very agencies may today not wish to compromise their own.
At a complete guess, I wouldnt be supried if, eg., the NSA (, CIA, et al.) were goading EUROPOL which was demanding domestic anti-encryption laws.
As an empirical matter, encryption makes agencies like EUROPOL's jobs extremely difficult -- i imagine also because they probably struggle to get coop from domestic police forces, so cannot easily do "the physical police work necessary" to get device access.
In the end, I imagine we'll have china to thank for the end to this nonesense -- since any backdoor will immediately be a means of mass corp/gov espionage.
It's not the purpose of five eyes, it's a noted tactic.
But at the same time countries realise they are under attack economically and political from hostile cyber warefare... and so there's something self-defeating about this tactic now whereas perhaps 10-20 years ago there wasnt.
It's hard to imagine a US-China war (say by proxy in TW) or a EU-Russia war (eg., esp., by proxy in UA) "going well" under conditions of broken domestic encryption.
Eg., back when the UK mass surveillance law was passed in 2016, I imagine sigint agencies were more on-board... today I wonder if that law would now be "quietly opposed" on grounds of national defence
I think it's part ignorance, part exceptionalism. Backdoors sound simple, and if you're thinking about physical backdoors people are generally pretty good at protecting them. That this is largely because they have a lot of characteristics not shared by digital backdoors is easily lost on most people. These folks also tend to believe that THEY will be perfect stewards of backdoors, and anybody who loses control of them is just less competent.
That's not how Sweden remained "neutral" though, although I'm not sure I'd agree Sweden been neutral since 1814, wasn't exactly neutral before/during the second world war. https://en.wikipedia.org/wiki/Sweden_during_World_War_II
in your link there are numerous indications that Sweden keeps its military strong enough that it isn't worth fucking with, as in this quote
>Georg Homin, a captain on the General Staff, stated:
> Without a defensive force we cannot follow any policy of our own, our declarations become merely empty words and we leave the country's fate to chance, or to the decisions of others. With a defense as strong as Swedish conditions allow, we secure for ourselves the basis of a continued independent Swedish policy.
obviously strong enough that not worth fucking with is a relative thing, based on a calculation of what do you get for attacking, how much will you have to spend to get that?
Signal is headquartered in the US and presumably has no employees in Sweden (and perhaps the entire European Union).
There is utterly nothing the Swedish government can do to stop Signal except for pressuring app stores and/or ISP-level censorship. Preemptive surrender is extremely disappointing, especially for a non-profit - there isn’t even any revenue that can be ‘fined’ by the EU!
> There is utterly nothing the Swedish government can do to stop Signal except for pressuring app stores and/or ISP-level censorship
They can go after executives and employees of foreign companies, too. The charges may not mean much unless those employees travel through Sweden, but if the political winds change in the future then they may be able to convince other countries to enforce their charges against employees as well.
It’s reasonable for a company to avoid risking their employees becoming targets of detention for international travel.
It also more effectively highlights the political issue within Sweden if people there see the consequences of the laws of their elected officials rather than having those laws silently ignored by a company that takes the legal risk upon themselves.
What's funny is that it's other EU laws from totally different parts of government which are, at the same time, pushing to allow for side loading of apps and alternate app stores on iOS and Android.
The end result of which, if done at large scale, means that an EU government couldn't ban signal, short of forcing all its domestic ISPs to be downstream of a China type great firewall, or simply null route all the IP space where signal's servers are located.
All the alternative app stores can easily be subject to the same legal requirements as Apple.
Side-loading is harder to enforce any rules over, of course.
Blocking domains is well-established at this point, thanks to the copyright industry doing a 21.5-year whack-a-mole-waltz with The Pirate Bay. Of course, this also demonstrates the limited effectiveness of domain blocking.
> Of course, this also demonstrates the limited effectiveness of domain blocking.
Extremely limited effectiveness, when VPN operators like Mullvad are corporations based in Sweden and offer 5 euro a month service to bypass whatever local "mess with internet traffic" activity, whether government-caused or not, that someone's last mile ISP is up to...
There's also the game of whack a mole with taking ownership of domains at the registrar/ICANN level through court orders, such as with the various .com or similar things that get jacked and plastered with a "DOMAIN HAS BEEN SEIZED" notice by the US feds.
You mean because users don't know how to sideload? Maybe so far, as there's been no need. On Android it's just one pref and then you download the APK in the browser.
Since when is there a Signal web app? I don't think there is, but even if there were then presumably it'd work the same as the desktop app: "To use the Signal desktop app, Signal must first be installed on your phone."
Sweden is part of the expanded 5 eyes (now 14 eyes). As a workaround for restrictions on domestic spying, they subcontract their dirty work to each other. Hence, you can expect the US to assist in pressuring them (ostensibly on behalf of Sweden)
I keep seeing this idea that because a company is headquartered in some place, means they don't have to follow the laws of the countries where they operate.
Yes, Signal may be headquartered in the US, but that doesn't mean they can just ignore the laws of other countries, which is exactly what may happen here, depending on the outcome.
Sweden may propose a backdoor (a utterly shitty idea, I agree) which Signal may decline (which this submission is about). Then the next step is either Sweden giving up on the request, or placing fines on Signal until they comply or outright ban it, or Signal deciding it isn't worth it (prevent Swedish users from using Signal).
All within their capacities and rights, even though I again think it would very stupid approach.
There are only a few instances where institutional powers pass judgements that they cannot enforce. Generally doing so makes that institution look weak because it puts them in a position to have their rulings openly flouted. That's at the core of what jurisdiction means.
Sweden can fine Signal all they want but if they can't enforce the collection, they weaken their power and foster disrespect.
Singal is centralized? Can't they just block it at the border? I understand VPN or whatever, but if they're serious I hear there's a couple of countries with "pretty good" border firewalls.
Doing that would eliminate so many Swedes from Signal...
I haven't found a VPN solution for iPhone users in a couple of US states. It's like iphones are actively hostile to the very idea of a VPN. Or at least "self-hosted VPN", maybe the $20/month VPN work but that's... Sketchy.
You're making my point. Sweden would choose the most effective mechanism that they can actually enforce to deal with Signal's noncompliance. Blocking DNS or ISP access is much more accomplishable for Sweden than trying to levy fines.
Not familiar with Swedish law, but in most of the world the courts have a concept of jurisdiction. Otherwise a small country could just fine Apple $1T and solve its budget woes, and probably build a giant waterslide.
I would be surprised if Swedish law allowed for prosecuting a foreign company with not one bit of operations in the country.
> Otherwise a small country could just fine Apple $1T and solve its budget woes, and probably build a giant waterslide.
You're joining two things here which I think are important to keep separate--the demand and the enforcement.
The Province of Bumbinga can absolutely claim worldwide jurisdiction and fine Apple $1T. And they can fine them a further $1T for every day they're not paid and their waterslide is not built.
Hell, _I_ could send Apple a letter claiming they owe me a trillion dollars so I can build a waterslide.
But when Apple doesn't pay a trillion dollars... then what? Send them angry letters? Still doesn't get the waterslide built.
A legal system's power isn't the orders it's the enforcement mechanism behind it. With a local presence they have the option to seize local assets and bank accounts, forcefully close operations, arrest employees, etc.
When the company has no local presence, your only enforcement mechanism is gaining the cooperation of a foreign country, in which case the country they're headquartered in is very relevant. And they're only going to cooperate if your request aligns with their ideals and generally benefits them.
Except in the most extreme cases, it's generally not worth it to try and impose your rule outside your borders because you have no mechanism to make anyone comply. It's an empty threat. Jurisdiction in the international sense is descriptive not prescriptive. It's recognition of the limits of your authority. The outcome is the same with or without it.
Signal may have users in Sweden which Sweden sees as giving it jurisdiction. Sweden may see it being accessible at all as giving them jurisdiction. Sweden may say "screw it, we have jurisdiction over the whole world!". But their ability to enforce that more or less ends at requiring ISPs to block their traffic or asking the US government to enforce their orders within US borders, so it's kind of a moot point.
> a foreign company with not one bit of operations in the country.
Borrowing from how tax & law is usually applied for companies trading outside of their incorporated country, at least in many places including the EU: If you have users/customers in a certain country, even if your product is purely software, you can be considered to have operations in that country.
> even if your product is purely software, you can be considered to have operations in that country
Couldn't users in pretty much every internet-connected country use VPNs and other methods of cross-borders indirection to access even those US services which explicitly block non-US IP ranges?
If this is the case, then is it not the case under the quoted reasoning above that any internet company should be expected to have operations in every other internet-connected country?
It's the same reason Australia and now South Africa demand payment from Meta and Google for revenues related to links going to local news sites and the like.
> If you have users/customers in a certain country, even if your product is purely software, you can be considered to have operations in that country.
If no money is changing hands, good luck with that. (Or, rather, bad luck with that.)
(If money is changing hands, you might find your payments blocked by local payment providers, though even then that would take a while and might or might not happen.)
> I keep seeing this idea that because a company is headquartered in some place, means they don't have to follow the laws of the countries where they operate.
My friend's medium size regional ISP is headquartered in the US and as a hosting company certainly has customers who violate any number of censorship, blasphemy, etc laws in Iran, Russia, Myanmar, Pakistan, Bangladesh, just to name a few.
Signal doesn't "operate" in Sweden any more or any less than any other internet based service which has zero servers, offices, bank accounts or other physical presence in the country.
How are they operating? It might as well be viewed as citizens of Sweden interacting with a foreign service out of their own volition.
In general, laws are backed up by the threat of violence. To the extent that Sweden's police can't confiscate Signal's assets in the US, they do not have to comply with anything. The only leverage Sweden's government may have is ISP level censorship, which is likely to cause unintended disruptions. Signal is in turn free to attempt to circumvent the censorship.
While I don't personally agree with the law, I genuinely hope we witness a major corporation withdraw from a market just so we can finally observe the concrete impact of these types of threats. (Even though their position is understandable in this particular case.)
Google ultimately did that for China. The outcome in that case is that the domestic market filled in the gaps, while complying to all relevant authoritarian legislation. I do not believe that the same would happen for every market where these stunts are being pulled off, at least not to the same level of quality.
Why are European countries trying to pull one off from the China playbook, while simultaneously being shocked that companies react to authoritarian moves in the exact same way as they have done in the past, is beyond me. Is the hubris so large that they honestly can't conceive their "requirements" as being "literally the same as China?"
Having to build local alternatives probably had a positive impact on China's software industry. We're at a point today that major Chinese software/tech companies are routinely talked about on nightly news.
India banning TikTok did not have the same effect on the Indian software market [1]. The local competitors that cropped up were mostly disappointing and didn't outcompete YT/Instagram.
Similarly, the benefits of Sweden banning Signal would most likely accrue to WhatsApp, not any indigenous software company.
China has a user base that could make any app insanely popular. In the single country. Not to mention that EU has less people, EU is also very diverse culturally and the gap keeps widen.
Well, only some claim to "remain committed to offering our users the highest level of security for their personal data" while turning off E2EE cloud storage for an entire country.
What other choice did Apple have? To ignore the law of a country where you operate just because you don't agree with the law is a terrible standard to set.
They could have done like Telegram in Russia and said that they will not care about that and work on ways to bypass any firewall that could setup the authority to block it.
As Signal are doing here, they could have refused to do business (at least, with iCloud) in that country. That's a far bigger pushback than simply capitulating to removing a relatively unknown feature.
To be clear, if they did this and the UK gov called their bluff, it'd affect me personally, but I'd rather that than swinging open the backdoors
If it's the board that makes that decision, it's the board that holds responsibility for it. Nobody said anything about a specific person at Apple doing anything, just Apple as a company.
Would they? Of course not, but the question was what else could they do, and this is something they could (and if their fundamental motive wasn't purely profit above all else, perhaps should) do.
I don't know... what else could Apple have done? Hard to determine what else they could have done besides turn off the feature in a thread on another company not just turning off a feature, but leaving a country entirely.
I think the only way to change the decision a person or entity makes is to first understand what they are asking that person to do, and the consequences of that action.
Being unwilling to do that simply has no impact on the real world. You scream into the void.
Once Signal is backdoored successfully (in this alternate timeline) you go after WhatsApp, RCS, whatever other encryption you can't bypass. Other countries follow suit because Sweden did it (like an infamous single study out of the Netherlands that affected global health policy.)
The goal is no privacy. Because terrorism. Or the children. Or espionage. Just pick one and speak against them directly and you'll find many arguments why the government needs access for any of those reasons. People love going to bat for giving up rights.
I forget who said it but you cannot have a civilization without secrets.
It seems like a lot of these proposals are coming out of Europe—assuming I’m not mistaken (and I may well be), why is Europe cracking down so much on privacy?
There is a huge section of the population who believes it's possible to strip the security of criminals using apps like Signal without it affecting everyone's security. Same in Sweden as the rest of the world.
The military of Sweden seems to get it at least, they "write in a letter to the government that the proposal cannot be realized "without introducing vulnerabilities and backdoors that can be exploited by third parties"". The military also recently advocated for more use of Signal, so clearly they've reviewed it and find the current security good enough.
It's not just privacy, Europe is cracking down on freedoms generally. Free speech, the right to silence, the presumption of innocence, etc.
Most of this is being done to address the increasing terrorism threat we now face on a daily basis. Freedoms really only work in societies where people broadly share the same values and cooperate, but European societies are fragmenting and increasingly becoming less safe and less tolerant. If we want to do something about this then restricting freedoms is probably going to be required to some extent.
Another theory I have is that this could just be a symptom of an older and more female voter base. As women become more politically active and as older generations make up a larger share of total voters if we assume these demographics are more safety orientated on average then perhaps we should assume that safety concerns will begin to trump the desire for freedom. It's just a theory though.
> Most of this is being done to address the increasing terrorism threat we now face on a daily basis. Freedoms really only work in societies where people broadly share the same values and cooperate, but European societies are fragmenting and increasingly becoming less safe and less tolerant. If we want to do something about this then restricting freedoms is probably going to be required to some extent.
Or you could undo the changes that have caused that decline in social cohesion. People don't share the same values because our governments have been non-stop importing people with radically different values. Values which see it as a positive to end the lives of those who don't agree.
> Another theory I have is that this could just be a symptom of an older and more female voter base.
That voter base does vote more for the established parties and their policies that have gotten us into this compared to the population at large, yes.
It's becoming clear that EU politicians are far too easy to manipulate by companies with products to sell.
> Since the revelation of ‘Chatcontrol-Gate,’ we know that the EU’s chat control proposal is ultimately a product of lobbying by an international surveillance-industrial complex. To ensure this never happens again, the surveillance lobbying swamp must be drained.”
Sweden has rapidly devolved from a high trust society to one where firearms and grenade attacks are a weekly occurence [1]. It is the perfect opportunity for law enforcement to demand more surveillance capabilities.
European bureaucrats generally have little understanding of the technology they get paid to regulate, as we've seen with the their previous attempts to regulate the industry. It's very much a "vibes-based" approach. They can simply keep proposing the same regulation with a new name until it's voted through.
> European bureaucrats generally have little understanding of the technology they get paid to regulate
I'd agree with you if you just put "bureaucrats" instead of European bureaucrats, what country isn't currently led by a bunch of bureaucrats who don't seem to understand even the basics of the technology they legislate about?
I've yet to seen a country to lead the way, no wonder the rest of the countries don't seem to know what to do and just throwing stuff at the wall.
While I generally agree, the bureaucrats in the US have been somewhat checked by nonprofits who will lobby against this kind of legislative overreach and sue if the legislation passes. Obviously we have all sorts of other problems, but mostly our bureaucrats and legislators aren’t making backdoors a policy as far as ai’m aware (who knows what the CIA and FBI and NSA are up to, though?).
I assume it’s just one of those things that Swedish society is having to grapple with abruptly and that they will adapt the appropriate institutions. I have more faith in Sweden than my own country lately.
> While I generally agree, the bureaucrats in the US have been somewhat checked by nonprofits
So does Sweden, and have had strong privacy advocates for a long time. Remember that The Pirate Bay came from Sweden? It spawned a political and ideological movement (Piratbyrån & Copyleft/Kopimi) that still has some presence in Sweden and EU although doesn't seem as strong as it used to be, except for Iceland I think.
> I have more faith in Sweden than my own country lately.
Not sure what your own country is, but assuming it's US, they're pretty much equal in many ways (but not all obviously) and Sweden basically copy-pastes US political policy for the last decades, for better or worse.
Yes, my country is the US. I'm very skeptical that Sweden and the US have similar policy in the general case or in the case of privacy in particular. With respect to privacy specifically, I don't think the US has passed any "no encryption" or "mandatory backdoor" policies (I'm happy to be corrected). In the broader case, I'm of the impression that Swedish policy differs dramatically from US policy with respect to regulation, social safety net, taxation, government-owned enterprises, etc.
The politicians voting on it might not fully understand but the people pushing the regulation absolutely do. They want a popultion that hears and sees only what they want to.
Sweden is having an epidemic of Crime as a Service, where minors are recruited online to do killings etc for cash. Secure messaging makes it very hard to find the leaders of these crimes.
Bullshit. Crime gangs had myriad of ways to hire youth before. There could be other ways to make sure there’s no huge pool of youth waiting to be hired. But that may be politically too hard.
Please do your research before throwing that term after me. I don't care if you think its markedly different for crime recruiting earlier. Point is contracts for killings are put online and planned through Signal. The Swedish police find it annoying as it makes it hard to find the money men. That's the reason for why Sweden want the back door. If it makes sense or not has no bearing on what I wrote.
The population in europe is finally (if slowly) waking up to the fact that their elected leaders do not act in their interest. This is the establishment's attempt of staying in control of the narrative so they can keep suppressing any real resistance to their rule.
I can not speak for Europe generally but Sweden has very serious problems with gang wars the last couple years, and people are really tired of them shooting each other and setting off explosives. That's the reason for this particular proposal (and many other questionable expansions of police power too).
Because European tradition is to have strong bureaucracies steering the „democratic“ processes. And encryption is a wrench hitting those mechanisms. Another one is the raise of all sorts of independent journalists/bloggers/etc.
Those themes keep recurring both on EU as well as national levels. Including nations that ain't EU members.
As a citizen of EU member, I’d love to change this discourse. But there seems to be very few options to vote for. And then such BS happens at levels that are practically out of reach of democratical process.
Bear with me here, but I think it comes down to believing in a "benign government", coupled with a misunderstanding of the technology.
Under a benign government (as arguably we have in most of Europe), we can have a reasonable assumption that the state will act in the interests of the population. The public sector workers who have chosen that line of work probably believe in what they're doing and want to do it well.
The government has always had the ability to steam letters open, and they will always need to, in order to fulfill their duties to the population.
Of course, requests such as adding a back door to end-to-end encryption are unnecessary when they could take control of one of the devices in some fashion...
On the surface it's mostly "think of the children" and "terrorists use encryption" type arguments.
I'm sure some of the politicians advocating for this have ulterior motives, but I hope we won't get in a position where we find out what those motives are.
In Russia Internet censorship went in ten years from "we need a legal framework to block websites with child porn on a court order, why are you against it, are you a pedophile" to blocking everything that doesn't speak complimentary of the government without leaving any paper trail at all.
The reasons mostly are "they are all owned by elites whose names you're not allowed to even know and who would like to keep the serfs docile and ignorant".
Because we’re cuckolds and a politically dead society. Also very old. After you’re passed the age of 40 you’re more interested from your pension is going to get paid for when the day will come, not in abstract things like “freedom” and what have you.
This made me immediately picture all of my 40 plus friends and colleagues and... Its completely accurate. Aging slippers-and-tea Brits in comfortable office jobs with very little mortgage stress and a lot of time to virtue signal on facebook are some of the most useless, autopilot zombies the human race has ever seen
Things would improve dramatically if everybody who lives off the state (including pensioners) couldn’t vote.
In some European countries public money has turned into a pretty transparent way of buying votes. These votes are used to make sure nothing ever changes.
Just in case you are counting, there's another proposal in France to force backdoors:
> At Tuta, we are deeply concerned about the proposed amendment to the so-called "Narcotrafic" law, which would force encrypted communication providers to implement backdoors for law enforcement. This would threaten everybody’s security and privacy and could be in conflict with European data protection legislation and Germany's IT Security Act. We urge the French National Assembly to reject this dangerous amendment. A backdoor for the good guys only is not possible.
> France is about to amend a bill against drug trafficking, the “Narcotrafic” law, which will force encrypted messaging apps like Signal and WhatsApp to backdoor the encryption for being able to hand over decrypted chat messages of suspected criminals within 72 hours of the request. In order to enforce it, the text provides for a “fine of EUR 1.5 million for natural persons and a fine of up to 2% of the annual world turnover for legal persons”. The amendment has already been passed by the Senate and is now moving fast to the National Assembly.
What is the state of peer to peer messengers with E2EE? Over ten years ago, Bittorrent Inc. (now Rainberry and Resilio) made a serverless chat client (Bleep IIRC). But I don't think there is anything new that is also user-friendly? (Drop-in replacement of WhatsApp, Signal, iMessage, etc.)
Peer to peer communications are difficult to combine with mobile phones (at least if you value battery life). There are various messengers out there, but they're incredibly niche and I doubt they'll ever get any decent user bases.
Tox is peer to peer and encrypted, but its UX will probably drive away anyone who wants the ease of use of Signal or WhatsApp.
I think Matrix experimented with the concept of running a server on-device, and that's one of the few alternative chat systems with decent UIs available, but AFAIK that never made it beyond the proof of concept stage.
Veilid Chat, developed by the Cult of the Dead Cow, promises to be an interesting option, but it's currently in beta and has been for a while.
It is incredibly dangerous to add this kind of functionality to anything. I also believe that this request is illegal with current European legislation.
> The Armed Forces, on the other hand, are negative and write in a letter to the government that the proposal cannot be realized "without introducing vulnerabilities and backdoors that can be exploited by third parties", reports SVT.
What is the meaning of this paragraph? Did someone from Sweden's own armed forces write to the government to dissuade them from the initiative?
I know this is a very unpopular take on HN, but coming fra Scandinavia id like the police to have a system to scan for child pornography etc. We trust our gov. Hard to believe I know.. I’m not sure if it would be technically possible to design a system where the backdoor could really only be used by the gov somehow
Apple did the right thing in the UK. This means that neither politicians nor the military will benefit from E2EE, while it's clear that they wished that just the plebes would be affected by this.
Maybe all IMs should then drop encryption altogether, bringing us back to the stone age of clear text messaging (email sent unencrypted between MTAs).
Because this "please let them use encryption, but let us peek around it" just doesn't feel right.
I wonder if there is some connection between the more-spying direction of policy to Sweden's recent entry into NATO ("after 200 years of non-alignment"):
I certainly hope they don’t install any kind of backdoor, because they will give unfettered access to the fbi, and they will likely use that to hunt down marginalized groups (trans women) to eliminate them.
There is a reason why Free Software (as in freedom) was invented: To ensure that those who create the software do not overpower those who use the software. The idea, that companies or politicians can force the user's machine to work against it's owner, is wrong. And it is wrong, because to be a human in the 21st century means in most cases, that your digital devices and your digital interactions are a core part of who you are as a private person. Invading the privacy of one's digital space is a violation that goes as deep as reading someone's diary when we look back and the time when life was more analog.
> The idea, that companies or politicians can force the user's machine to work against it's owner, is wrong.
You are hinting at something important here. Let me strengthen your point: to own an object means to subject it fully to your own will. If the object can act in a way that favors someone else's interests over yours, you do not own it. This is true of pretty much any device running proprietary software.
A litmus test: can you make your device lie to the manufacturer's servers? Regardless of the legality or morality of doing so.
However this article is really about something else: the vulnerability of centralized services in the face of government oppression. Signal only has the ability to log messages because it is a centralized service that controls both the client and the server. The benefits of E2EE is greatly reduced if the client and the server is controlled by the same entity (tomorrow Signal can push out an update that would send a plaintext backup to their servers, and you wouldn't know it until later). Moreover, the non-free distribution mechanisms on mobile phones (stores) limits a company's ability to resist.
Also only possible because we use Signal as compiled by themselves and not by trusted third parties from a source kept clean of any future client-side backdoors. The client is open source, right? https://github.com/signalapp
Yes, this is part of the problem. Application developers and the packagers should be distinct unrelated entities to reduce the chance of a malicious update being pushed to users if the developer sells out.
Without reproducible builds, this just means you have to trust the packager instead of the developer. Sometimes that's a good trade-off, but you still haven't really solved the problem, just moved it.
With reproducible builds, you don't have to trust the packager or the developer as long as you trust at least one person who reviewed the source code.
Packagers have proven to be more reliable. Sometimes they make mistakes but there's no case of a packager ever selling out (correct me if I'm wrong.) On the other hand, there are numerous cases of developers selling out.
Splitting the developer and the packager doesn't inherently reduce the chance of a malicious update any more than using a VPN reduces the chance of being snooped on by an ISP. All it accomplishes is change who you have to trust to not be malicious. You might have good reason to believe that you can trust one party better than you can trust another, but unless you're building the package yourself there's still no guarantee that the package that you install is built from the source code you can inspect.
It's all based in trust in the packager and only the packager—there are no checks and balances. The only reason why splitting up the responsibilities might help is if you find the F-Droid maintainers to be inherently more trustworthy than the Signal developers, not due to simply separating the concerns.
That does not solve the problem. A country can forbid F-Droid and Debian and anything else that is not in a short list of vetted app stores that comply with the law of that country to backdoor everything.
I have unpopular opinions about this, because Signal has been so hostile to anyone other than Signal themselves being involved.
But to be specific: "open source" claims go out the window when they're;
1. Not reproducible (before anyone links me to the "reproducible steps" please actually read them because they tell you directly that they will not create a reproducible output).
2. Able to hide development of mobilecoin (somehow) from us for nearly a year. To be clear: There were updates to the Signal app on iOS and Play, otherwise there would have been security bugs, but those patches did not make their way into the repositories.
Signal operates on a "trust us bro" mentality, and no matter how trustable they seem to be- something about that doesn't sit right with me and never has.
EDIT: I don't really care if bots or shills downvote me, can you really, with a straight face, say it's NOT "trust us bro" ideology that makes people use Signal?
Archive formats are hard to make reproducible because there are lots of ways of making different yet equivalent archives.
So it’s not surprising to me that someone would fail at this hurdle and find it frustrating to resolve.
Nix defined their own format for this to avoid this exact problem.
It seems there are multiple reasons. For one, the apk files include a digital signature and you won't have Signal's and Google's private keys available to recreate their signatures.
Thank you for this nice response. Did you already know or did you look it up? please don't tell me you just copied and pasted my question into an input form somewhere and it gave a bunch of reasons...
Ah nice; they got rid of that explicit warning - instead though we have the entire section about "bundlePlayProdRelease" including an externally sourced binary blob.
I don't understand how the details of the build process matter if the resulting files can be checked to be bit by bit identical? I can only think of something like Signal and Google conspiring to backdoor the binaries during the build process via this external binary blob. But if Google is part of this, they could also do it within Android which is not fully open source.
If you don't like this, you use the non-Play Store build instead (which supposedly doesn't include any binary blobs, but I haven't checked).
> 2. Able to hide development of mobilecoin (somehow) from us for nearly a year. To be clear: There were updates to the Signal app on iOS and Play, otherwise there would have been security bugs, but those patches did not make their way into the repositories.
Signal operates on a "trust us bro" mentality, and no matter how trustable they seem to be- something about that doesn't sit right with me and never has.
The MobileCoin work and the source code not being published on the public repository for nearly a year was an extremely ill thought move. It soured my view of Signal as well.
> to own an object means to subject it fully to your own will
Not by a long shot. Just a few counterexamples from the top of my head: Destroying currency, altering passports, reproducing copyrighted images.
I'm not saying I'm a fan of even more exceptions of that kind, but I don't think there are any particular inherent rights arising from property ownership beyond from what society agrees on there are (e.g. the first sale doctrine for physical media). That's what makes it even more important to codify these rights.
> Just a few counterexamples from the top of my head: Destroying currency, altering passports, reproducing copyrighted images.
These aren't counterexamples, they prove the rule. A US passport literally has the text "this passport is the property of the United States" printed inside of it, and I imagine the same is true in most countries: you are the recipient of a passport, not the owner of one.
The same applies to copyrighted images— when you purchase a book you own the physical copy and can fully subject it to your own will, but you don't own the right to make additional copies of it. You own the copy, not the intellectual property.
As for currency, it may not legally be the property of the US government like a passport, but I would argue that the fact that you can't modify it does in fact mean that you don't own the bill, the bill is a representation of an abstraction of "money" that you do own.
Afaik currency (as in the physical banknote) is actually state property too. What you really own is a promise from the national/federal bank to pay you the value that is written.
Yeah, that has been my understanding, but I couldn't find a citation for that right away, so I didn't want to assert it confidently. But I've heard the same thing.
Note that I said "can", not "legally can". You can destroy currency, alter passport, reproduce copyrighted images if you want to. There may be legal consequences but you can. You can also stab a person with a knife you own, even if you will be punished for it. I'm not talking about rights, but capabilities.
You can't make your phone lie to an app developer about its location, rooted status, etc. You can't make your HP printer print with unsanctioned ink. Therefore, you do not own them.
I also can't make a pen and a sheet of paper contain a proof showing whether P is equal to NP. Does that mean I don't own them either?
Now you could of course say that the difference is somebody having intentionally designed an object in a way that makes it capable of withholding some functionality from me but not others, and I'd agree.
But all in all, I just don't think "property rights" is the right lens to think about computing devices.
You can do what you want with the bike, but your analogy falls flat because it implies that despite you owning the bike you get to drive through your neighbours living room: because your right to own a bike somehow trumps their right to own land and a home.
> Invading the privacy of one's digital space is a violation that goes as deep as reading someone's diary when we look back and the time when life was more analog.
There’s no warrant protection in this bill. They want to keep a copy of everyone’s data so they can look back at old stuff after the fact.
Even if there was warrant protection, I’d still be against it. People have traditionally had the right to speak to each other without giving a transcript to the police. I think it’s unreasonable to make that illegal.
Sure but I was responding to the point that a diary can't be searched. It can be. The key difference is that doing this for analog conversations was expensive for the police as it required them to devote finite human time. Digital is not the case.
Comparing to analog is I think flawed because even if it mapped 1-to-1 it does allow for a level of search that is problematic given the low cost of digital surveillance.
Yes but people can genuinely forget the exact words they spoke time ago, even one minute ago, or a whole conversation. Examples: Who did I talk to yesterday? Did I met that neighbor of mine yesterday or was it the day before? I don't know.
Unfortunately, when we switched from letters to emails, the legal privacy protections we enjoyed back then, were not carried over do the digital realm. We're still suffering and have to use encryption to protect ourselves from the lack of legal protection.
Legal protections are great and everything, but if I had to choose between abstract legal protections or concrete protections based on physical properties, I'll choose the later every time. Obviously both is ideal, but I'd use encryption for most of my correspondence regardless of my levels of legal protection.
It may be wrong, but it proves that technology can't beat politics and policy.
The issue with Apple caving to UK demands regarding encryption, and now Signal being in a similar situation, shows that you can't just focus on technology and ignore policy and politics.
And you'll find out that a ton of people here on HN will care, but most of the public won't.
People should take XKCD 538 really to heart (The 5$ wrench one). It's not the same point, but very similar.
https://xkcd.com/538/
>The issue with Apple caving to UK demands regarding encryption
Apple "caving" would've looked different; in fact, we probably never would have known, given the insidious nature of the underlying statute in the UK.
Apple is making noise about the fact that they pulled the product, and the tech press is making it clear WHY even though Apple itself is legally prohibited from giving any additional context.
I feel like that was probably the best move available to them given the cards dealt. Fighting in secret courts is unlikely to be fruitful.
Removing the advanced encryption option for new accounts is really 'caving' to the demands of the government in my view.
And in time, they will also remove the e2e encryption on existing accounts using the e2e feature to comply with UK demands.
They may have sounded the alarm, which I appreciate, but they still have to 'cave' and do as the UK government tells them or they have to cease operations in the UK.
What I'm really noting here is that Apple had no good options.
Capitulating would've meant giving the UK government the back door they wanted. They didn't do that. They complied in a loud and public way, which unmistakably shined a light on the insane request.
The only other options for them were withdrawal from the UK market entirely, or a secret court fight they'd probably lose.
To me, their actual response reads more like malicious compliance than "caving," which usually implies giving up completely.
> It may be wrong, but it proves that technology can't beat politics and policy.
It very much can. In a battle between human force and physics, physics win every time. If I send an encrypted email to you, you have the choice to not give up the key, even if you'll be in jail. With physical letters, you don't have this option. Technology gives you the ironclad ability to keep a secret, only limited by the fortitude of your character.
You clearly haven't felt a 5$ wrench on your body. Giving up your secrets under torture isn't a character flaw, it's what will happen to 99.99% of people under torture.
I can't help you if you don't believe that this is true.
And I hope you understand that 5$ wrench is a euphemism for what would 'really' happen.
All this to say that no, technology does not triumph over politics and policy.
Technology very much does. It's the flesh that has a hard time triumphing over force. To counteract this, you can also engineer a system that can resist it through e.g. split secrets on multiple people located in different jurisdictions.
If you split a secret over two people, first, we use the 5$ wrench on one of you to identify the other and the rest is easy.
If the second person is somewhere else in a different jurisdiction, how are you going to communicate with each other to get the two halves of the secret together to encrypt/decrypt messages? It's an unworkable situation.
As I see it, you create a fantasy situation that would not work if you just want to communicate with people in a secure way. No amount of technology or encryption is going to work, especially in the real practical world.
We technologists will probably be able to circumvent any Signal-ban. But we don't exist in a vacuum, we are a small part of a larger society. Who's at the other end of your conversation?
Most 'regular/normal' people won't and most importantly - don't want to - jump through the technical hoops to keep using Signal.
Although the downside of the official app stores is clear, the alternative might result in a swift return to the '90s and '00s where malware and viruses were rampant. Pick your poison.
I think malware and viruses are less common for many reasons, but I suspect increased awareness and security posture (including the architecture of modern OS) has more to do with this than "walled gardens." Malware does make it onto closed app stores, and many users (e.g. on Windows) still don't use app stores.
The answer you're looking for is probably to build more decentralized, FOSS software with better UX. Much easier said than done of course.
> It may be wrong, but it proves that technology can't beat politics and policy.
There's definitely a strain of thought which perceives almost everything in society as being outcroppings of the progress of technology (however you define that), and especially in the 1990s imagined/expected everything to fall over under the mantle of "information wants to be free" etc.
I think you're right that this is an intellectual dead-end. Many of us lived through the 90s hype wave and into now, and have watched things take a complete circle. The Internet didn't transform society into utopia, the real-world dystopia transformed the Internet into a high definition image of itself.
Not fully, but making transacting in Bitcoin outright illegal would probably go a long way to making it completely unattractive to 99% of all potential users.
And if Apple and Google were forced to remove all wallets from their app stores, it would largely be game over.
In addition, simply taking out the on/off ramps, such as Coinbase, would destroy the utility of cryptocurrency as well, since the grand majority of folks dealing in the stuff are only interested in flipping it for more cash money on the other end by finding the next sucker in the chain.
Very few people actually care about the principles of Bitcoin and the like. Maybe the core devs and some very early adopters?
I think a large part of the success of Bitcoin can be explained by the combination: It allows people to say (and even believe!) that they're in it for the ideology, while the real motivation is primarily that of capital gains.
Whether it's useful to the current "grand majority" or not / holds the value it does today is orthogonal to whether the technology can be stopped and whether it still provides value to those who continue to use it.
I did worry this example would be too political, hence including the BitTorrent example as well.
Much like how PGP was disseminated by Phil Zimmermann, and then the government decided to come down on him like the plague in the early 90s. What the US government didn't know was that it was too late and such technology was out in the zeitgeist. Bitcoin is in a similar situation.
The actual software and code? Good luck getting that genie back in the bottle now. But, you can certainly hamstring it in other ways, and frankly, that should be good enough. I say this as someone who is absolutely not a fan of the project and find the perverse incentives in PoW especially to be pure garbage, but I am also a realist.
When you have folks like Peter Zeihan declaring that Bitcoin *will* go to zero - that is, I think, the epitome of hubris. We don't know what will happen next, and with our current administration, I'm only seeing Bitcoin become more influential in the interim, much to my chagrin.
> The actual software and code? Good luck getting that genie back in the bottle now. But, you can certainly hamstring it in other ways, and frankly, that should be good enough.
This is my point - the technology is out of the bottle. You can't stop it. You can disincentivize its use in all sorts of social and legal manners, but to go all the way back to my original comment: you can stop Apple (Coinbase) from operating, you can penalize individuals for using encryption (or cryptocurrency in this case), but encryption (and blockchain) still exists and can be self-hosted, and individuals can continue to utilize those tools.
Again, look at torrents. Its primary use case is illegal. What.CD, Oink, even TPB (at various points) have all been taken down. Yet torrenting still enjoys widespread use across the globe.
I'm not a fan of cryptocurrency either, but I do want to note that "hamstringing" it at this point will likely have many negative downstream effects on the overall economy.
>I'm not a fan of cryptocurrency either, but I do want to note that "hamstringing" it at this point will likely have many negative downstream effects on the overall economy.
This part does terrify me. Too many hedge funds and more common investment vehicles have gotten exposure to this. If there ever is a huge rugpull, regular folks will get nailed. Sad times.
The antidote to XKCD 538 can be steganography. They won't beat you with a $5 wrench if they don't suspect you of doing anything at all. End-to-end encryption can become illegal, but as long as you can run arbitrary code on your machine, you can hide and decode messages with steganography. JavaScript can do the job, so even locked down mobile devices will work if you go to CodePen, JSFiddle, JSBin, etc.
Steganography isn't some magic shield to avoid surveillance though. If authorities are already monitoring you for some other reason, then they can burn a zero-day exploit and see anything you do on your device. And if your entire city is covered in cameras with facial recognition, well... you can have your secret messages but I don't know what kind of resistance you're going to be putting up. So to some degree you're right that you can't fully ignore policy and politics.
Not sure how to get most of the public to care though. I get most people have more immediate concerns in there lives, and crime is a legitimate issue, but even a cursory knowledge of history will show the hell life can be under authoritarian governments. I think far too many people think "it can't happen here", which seems insane considering how often it has occurred even in liberal democracies (Spain, Portugal, Germany, Italy, Argentina, Chile, and many more.) In less liberal and less stable democracies, it has happened even more times. I'm not sure why people have some unfounded faith that their government could never become authoritarian and oppressive.
I'm not saying take down every CC camera and get rid of intelligence agencies -- they are important tools for fighting crime. But there's a difference between a few traffic cameras and CC cameras in places people would presumably commit a crime, and burning targeted exploits for surveillance of truly notorious criminals, and just mass surveillance through banning end-to-end encryption. With zero-day exploits, the government is inherently limited in the surveillance they can do, so it's a limiting factor on their potential for abuse, as the more they use it, the more likely they are to be discovered and patched. But with no end-to-end encryption, the potential for abuse is limitless.
I think that this highlights exactly why we need decentralized, open source software.
Back when Moxie Marlinspike made a thoughtful critique of Web3 (the most thoughtful one I had read, actually), I put together a reply. It’s worth a read for anyone on HN who cares about user freedom and how society is structured:
A note to the younger HN crowd who may have grown up with locked-down devices: the “hacker ethos” used to mean the freedom to tinker and buuld your own. It wasn’t always the case. The Personal Computer and Apple came about through the Homebrew app. And before that, Steve Jobs and Wozniak were even building blue boxes for “phreakers”:
Before he became a corporate golden boy, Mark Zuckerberg built Synapse for regular users and open sourced it instead of selling it to Microsoft and wanted to build Wirehog, but Sean Parker proudly said he and Peter Thiel “put a bullet in that thing”
I don’t want to just be the “wake up sheeple” guy or some unkempt Stallman clone. But there is a real culture clash between the hackers and the corporations, and I feel like the HN denizens who knee-jerk downvote of anything decentralized today don’t get the point of open source decentralized hacker ethos and how the people who practice it produce the next big thing. Working for FAAMGA and “the cloud” ain’t it folks. Here’s why “the cloud sucks” by Steve Wozniak: https://gizmodo.com/why-the-cloud-sucks-5932161
In short — read my rejoinder to Moxie Marlinspike, in my first link. It is ironic because all these years later, I end up being right: it is exactly his company that’s getting hit with this, exactly because it is centralized.
And if you are Moxie or Durov and think your centralized company has somewhere to run… here is the bigger picture around the world — governments are coming for you and the war on user freedom is coming through you: https://community.qbix.com/t/the-global-war-on-end-to-end-en...
This principle seems out of touch with most people’s reality: products hardly ever do everything you want and often work against you. If someone has a device that doesn’t do what they want and there’s no setting to change its behavior, replacing it is usually the only practical option. (Or if it’s a problem with an app, they might be able to install a different app.)
If there is a free software license, it’s of no direct use to them. Only software developers care about such things. (There is an indirect effect on what software is available.)
> If there is a free software license, it’s of no direct use to them.
It's of indirect use; they could use a modified version of the software that does what they want, created by someone else. This is why you generally don't see user-hostile features in Free Software; someone would just fork the project and edit them out.
The problem is that some forks are malware [1], so switching to a fork by developers you don't know is risky. How do non-technical users learn which software developers to trust?
Worst-case, they could hire someone they trust to review the source code.
More realistically, you generally don't have to switch to a fork in the first place because the mere threat of a fork is enough to prevent the deployment of user-hostile features. And when a project does get forked it's often a highly publicized affair with a lot of community drama which produces no shortage of information about who's trustworthy and who's not.
This is only somewhat true for the software most popular with technical users - the sort of thing the average Hacker News reader might be familiar with.
There is a long tail of malware in app stores, despite the efforts of app vendors to police such things. Nobody would be bothering to fork them because most technical users don't care about them, but they still attract lots of victims.
Example: malicious Chrome extensions. Authors of Chrome extensions receive enticing offers to sell and sometimes they do.
Yes, malware does exist in app stores. I don't really see how that's related to Free Software though?
When I say user-hostile features I'm not talking about malware. Yes, I suppose theoretically you could fork a Free Software malware app and make it not-malware, but that's not what I'm talking about here. I'm talking about things like Samsung putting ads on your TV home screen[1], or BMW charging a monthly subscription to access your car's seat heaters[2], or Sweden trying to install a backdoor in Signal. With Free Software, users get the final say on whether those features are installed on their devices or not.
If malware isn’t user-hostile, I don’t know what is? It works both ways. A fork can fix something that’s user-hostile, but it can also introduce malware into an otherwise useful app that didn’t already have it, and many users won’t know which one to install. There’s no guarantee that any security researcher is watching. In practice we rely largely on reputation, and sometimes that’s the blind leading the blind.
Users don’t get final say in what their devices do unless a software developer is willing and able to help them. Most are actually pretty helpless on their own.
Yes, forks can do anything. That's the point: to make it possible to create software that behaves the way the user wants and not just the way it was originally programed.
There are lots of ways to figure out what version to install; which is a lot better than having literally no choice because there's only one option available: the one with homescreen ads/government backdoors/seat heater subscriptions.
Will some users make the wrong choice? Yes. Is that a valid justification for treating everyone like children unable to make decisions for themsleves? Absolutely not. Just as there are other ways to prevent real-world crime than by locking everyone in concentration camps, there are other ways to prevent cybercrime than by locking everyone in an inescapable walled garden.
I can speak for german law: If you buy something, it becomes your property, and you have full power of disposal ("Verfügungsgewalt") over it. If vendors deny you from exercising this right, they are violating their part of the purchase contract.
Rights are of limited use if there's no practical way to exercise them. Hiring a software developer to change an OS or an app is rarely a practical option for most consumers.
Correct. It's not practical because those apps usually aren't Free Software and because the hardware or firmware they're running on often aren't Free and include anti-features that prevent you from installing Free alternatives.
If they were Free, users wouldn't necessarily even need to hire a developer to change their app or OS; those changes would most likely already exist in some form somewhere and the user could simply purchase the modified version.
You can install Linuxor a custom ROM. And if the manufacturer has DRM like SecureBoot in place to prohibit that, you can file for damages and basically get the device for free.
Unfortunately, the philosophy of Free Software does not account for the scale at which software is being run now.
Having the source code to a printer driver available is a completely different thing than being dependent on a platform, because all your friends and relations are using it.
Personally, I'd only trust a governmental agency to provide such services, which makes the article we're discussing ironic at the least, or complicated.
> Personally, I'd only trust a governmental agency to provide such services,
I can't see why you'd say that.
Governments (and private corporations) are not operated to faithfully serve the public, certainly not the public as a set of individuals and small groups of people. It's not that "government services are bad", but rather, than governments, even democratically-elected ones, are practically certain to wiggle out of the straightjacket of strict protection of individual needs and interests for legitimate or illegitimate "greater good"; specifically, they will not resist the desire and the interest to spy on you. And the potential for government abuse of private information is quite high.
"There is only one essential difference between a monarchy and even the most democratic republic—in the former, bureaucrats oppress and plunder the people in the name of the monarch; in the latter, they do it in the name of the people's will." - Statism and Anarchy
The core problem isn’t the form of government, but the concentration of power itself.
A government run social anything would be the most milquetoast experience, wouldn't it?
I suppose if I needed to make sure there was a public immutable record of something it would be useful. Like "I made this thing no later than this post"
"Personally, I'd only trust a governmental agency to provide such services" I understand where you're coming from, "the ultimate goal of a company is to profit and so we can not trust it to protect their users/consumers interests instead of their own" but... you know that it is always the government that will put you in prison, or send you to war right? That it is a blob of power, controlled by people right? This goverment = good that you see people believing these days is such a childish view of reality.
> This government = good that you see people believing these days is such
> a childish view of reality.
There are plenty of immature ideas about running human affairs going
around. History has shown that a social contract obtained by popular
assent is the only viable choice, unless you relish war, insurrection,
terrorism, and social collapse [0].
Government is good almost by definition because we grant its existence
on that basis of benevolence. Indeed one should be ready to defend
good government and lay down ones life to make it good, including
overthrowing existing bad government.
This was well established 80 years ago and we seem to have forgotten.
I know there are some around here agitating for tyranny and
dictatorship. That in my opinion is the "childish view", a result of
too much screen-time and a lack of life experience.
Would you be willing to fight for good government? [1]
you know that it is always the government that will put you in prison, or send you to war
You're merely playing word games here. A person keeping another human being against their will is called slavery or abduction instead of prison. Similarly, it's only called war when it's a government doing it, otherwise it's called activism, terrorism, or gang warfare (note the overload of the term).
The main difference between a corporation and a real democratic government is that a government is accountable to all its citizens, instead of its shareholders. I understand that this is a difficult concept to grasp for US citizens, but the rest of us living in actual European democracies don't deserve your childish derision. No system is perfect, but don't make the mistake of thinking that the US government is the best (or even a good) example of democracy out there.
I'm brazilian. My complete and utter disdain for any trust whatsoever put on goverment (i.e. government officials, i.e. people) comes from hard earned experience. I would rather leave my life in the hands of an "evil" corporation than any bureaucrat.
So much this! The internet does not have to be a monolith controlled by the mega-corp/govt flavor-of-the-month. It originally was (and still can be) a network of smaller federated ecosystems controlled by individuals or smaller groups.
Government and charity can be corrupted (and usually are, to at least a small degree). Private industry is corrupt bt default: to the extent possible, it will intentionally serve owners at the expense of other stakeholders.
This is not a knock against private industry in general. Capitalism's greatest strength is precisely that it harnesses corruption toward productive ends through private industry.
Nonetheless, it's unsurprising that people would take a chance at less-corrupt versions of key infrastructure. My preference would be to do this through charity, which worked pretty well for e.g. Mozilla for a while - but I wouldn't call other directions naive.
There are a lot of pragmatic pro-government people here, holding tightly to the
"51% > 49%" core principle of democracy, which sadly turns into a mess at the scale of humanity, just like any other model we've invented so far. There isn't a real alternative for us collectively now but to submit to power – so any even slightly anarchistic views are not welcome here most of the time...
The solution to this conundrum is to decentralise these services, i.e. run your own XMPP server for your family and friends. Keep your own data where you can 'see' it, on 'the server under the stairs' with some distributed backups to 'devices under different stairs'.
This is no pie-in-the-sky statement, I've been running such a server for years and have installed several for others. System requirements and maintenance are minimal - you can run Prosody on a Raspberry Pi 1B if needed. Availability and reliability are high, it basically works as long as network connectivity and storage are available. The user experience largely depends on the client applications where Conversations on Android is probably the gold standard and in many ways comparable to Whatsapp.
When using OMEMO the server admin does not have access to cleartext communications so assuming clients are configured correctly there is not much to be gained from raiding the server. If some government entity wants to snoop on communications they'd have to gain access to at least one of the client devices since encryption is handled locally. Instead of backdooring centralised services run by Whatsapp or Signal or Telegram they'd have to get to a multitude of servers-under-stairs and client devices which makes it infeasible to use the 'dragnet approach' which is most likely the intended outcome of these backdoor laws.
Some decades ago at I heard Jello Biafra repeat his statement not to criticise the media but to become the media. This has happened, the (current incarnation of) legacy media is running on its last legs and has been overtaken by 'new' media. Here's a corollary to this statement:
Don't criticise the service providers, become the service provider
Use the internet as it was meant to be, a network of networks. Lots of networks, each running their own services with 'secure' communications between those services. I put secure in quotes because there might be a chance for some TLA or other organisation to break the encryption on one of those communication links. Even if they managed to do so they'd gain access to only a small fraction of the communications going on around the 'net.
But advocating for distributed communications only aids and abets criminals, won't you think of the children?
When guns are outlawed, only outlaws have guns. Criminals already use these services (and some of them have been broken/backdoored) so this is nothing new to them.
But you can't expect grandma to run her own server
No, I don't expect her to do so, she can use yours instead.
But but but but
You're starting to sound like a chicken.
Running this stuff is not hard. If you know how to do it, do so and help others to get started. While you're at it you can help them to secure their networks against intrusion by their service providers as well by making sure the ISP connection terminates at a router managed by the device owner, not the ISP. There is no reason to give the ISP access to your LAN since that only creates an incentive for those government entities to force the ISP to give them access to customer networks. The ISP should be used as IAP - internet access provider - and only be allowed to see whatever traffic you allow out of your network, not what goes on inside of it. That, though, is something for another post, another time.
I've been running services like this for decades, this works, it is not difficult and does not take that much time. It has only gotten easier over time, hardware has gotten cheaper and smaller, power use has gone down, performance has radically improved. This is not a pipe dream, it has been first my, then our reality for more than 30 years.
Don't criticise the service providers, become the service provider
> If the purpose is to stop the gang violence, why not remove the gangs from the country?
Because the stated purpose is only the sales pitch. The full list of uses will never be stated publicly, unless someone like Snowden leaks it at great personal peril.
I believe the citation falls under "street smarts" as the WikiLeaks press release mentioned Signal explicitly. Whether this was a subtle outing the origin of the tool itself is left as an exercise for the reader.
Regardless, the threat vector is accessing the data before encryption anyway. And drawing attention to yourself by running certain apps and services in the first place.
There's a lot of mathematicians in maryland and those who studied the history often land on "if they want you, they got you."
If there are even NDAs that forbid mentioning their existence - how would you cite them?
And here we're talking about 3-letter agencies in U.S.
Of course they have the access and of course you can't ever prove it. One could even argue that Julian Assange didn't leak anything and it's all lies and he can't prove it, lol.
The US does not have a law requiring all messaging applications to store historical messages and provide access for law enforcement to decrypt and view all messages.
The US may (or may not) be capable of decrypting Signal messages themselves -- but that is a different issue. The US does not (currently... it HAS been discussed previously) ban the use of any particular encryption techniques because US agencies are incapable of breaking those techniques. And there ARE techniques that US agencies are incapable of decrypting.
There is no evidence or reason to believe that US intelligence agencies can access signal messages when used properly.
It would be much simpler for them to compromise the phones of targets vs break the signal protocol. This is generally true of secure communication systems, the flaws tend to be in usage and endpoint security, not in the protocol implementation.
Right. I have zero illusions about the presence of many critical security vulnerabilities in my smartphone. Just look at how many are fixed each month.
However, i have also reason to believe that the cryptography of my encrypted messaging app Signal is sound and there's no backdoor.
Indeed. One of the most important properties of a cryptosystem is its resistance to ordinary human screw-ups. And that's before you get to intentional co-operation.
> The Armed Forces, on the other hand, are negative and write in a letter to the government that the proposal cannot be realized "without introducing vulnerabilities and backdoors that can be exploited by third parties
First time I am seeing an organization against this. Kudos to them for standing up.
According to the original article (Swedish: https://www.svt.se/nyheter/inrikes/signal-lamnar-sverige-om-...), the reason for the armed forces to be against it is because they recently started advocating for its personnel to start using Signal to reduce eavesdropping, so backdooring Signal would decrease the armed forces security.
> Men Försvarsmakten är negativa och nyligen uppmanade försvaret sin personal att börja använda Signal för att minska risken för avlyssning.
In fact, they are negative because they say that this can't be done without opening up the service to vulnerabilities that could be used by others.
> I ett brev till regeringen skriver Försvarsmakten att lagförslaget inte kommer kunna förverkligas ”utan att införa sårbarheter och bakdörrar som kan komma att nyttjas av tredje part”.
> In a letter to the government, the Swedish Armed Forces writes that the legislative proposal will not be able to be implemented "without introducing vulnerabilities and backdoors that may be utilized by third parties."
That specific quote is in the original comment of this thread :)
Yes, but your deduction is incorrect. They're saying the SAF are negative _and_ they recommend their personell to use the service, not that they are negative _because_ they recommend it.
I don't see how you can know that "because" is incorrect. This seems like it could be possible to me:
(Possibly) SAF is negative because they use Signal, and don't want a law that would introduce vulnerabilities into Signal that could be utilized by third parties.
This was already commented by the original comment in this thread and is not mutually exclusive to GP's comment. What is your point?
Makes sense, the entire point of Signal is no backdoors. If you add one, you might as well make the app illegal.
TOR was sort of famously contributed to by a dude in US Naval research early on, right?
They are militaries, not police or intelligence forces. The job is to be ready to do war, not nanny and snoop on civilians (Some of that might be a necessary side effect but it isn’t their reason for being).
The NRL originally developed onion routing and Tor. It was then open sourced, stewarded by the EFF for a few years, before becoming its own non-profit. The NRL still do a ton of work on Tor and its ecosystem, primarily through academic research and occasionally code, though the Tor Project is obviously now the biggest player in the space. The original motivation was to enable communicating with covert assets (intelligence services and the like) overseas, which requires lots of non-military cover traffic to be useful, hence the opening up. Its popularity as an anti-censorship tool has motivated a lot of the continued support from various US agencies, including the NRL. Really though, the NRL is a largely civilian institution, and while the people who work there do work for the military, they aren't typically enlisted, have limited security clearance if any, etc. It's sort of like the Navy's version of Microsoft Research, or Bell Labs.
Militaries need intelligence services to be their eyes and ears. That said, most people who are not in their country's armed forces, government, or intelligence service vastly overestimate how much another country's intelligence services actually care about them. Most people aren't that interesting and don't have any intelligence value for another country's government.
US Navy research labs developed onion routing and the core of Tor
arguably, one of the reasons it was released to the public was to get large amounts of traffic using onion routing. because if it's just 50 data steams that are entirely ONI or NSA then it's easy to hit them with timing attacks.
but 2+ million streams from all over makes it a lot easier to hide.
And SELinux was given to us by the NSA.
I question the use of an instant messaging service hosted in another country for your armed forces, is that a good idea, especially now?
As good as Signal is I mean, you will want something under your control.
They're not using/advocating to use Signal for their military control/communication:
> This week, Brigadier General Mattias Hanson, the Swedish Armed Forces' CIO (Chief Information Officer), decided that calls and text messages that do not concern classified information should, as far as possible, be made using the Signal app. The decision aims to make it more difficult to intercept calls and messages sent via the telephone network.
https://www.forsvarsmakten.se/sv/aktuellt/2025/02/forsvarsma...
Seems people were using SMS for those messages they are now advocating to use Signal for.
Also, seems they've done a review (obviously) but unclear if they had access to something internal from Signal to do the review, feels like they had to:
> The Signal application has been deemed by the Swedish Armed Forces to have sufficient security to make it difficult to intercept calls and messages.
Any decent military will be using multiple forms of communication systems.
I was a communications specialist for the Swedish Armed forces 10+ years ago, including a tour in Afghanistan and a tour in Kosovo.
We used radio links for internet that I can tell you, were more adversarial than friendly.
The Swedish military is highly capable when it comes to network communications. A small nation will have to think differently.
You could potentially use an instant messaging system in control by someone else, if you are willing and capable of sharing encryption keys with whomever you are going to communicate with beforehand.
Is Signal hosted in just 1 country?
Good question! I assumed it was US only but things have changed a while back after it becoming popular it seems. Going by https://signal.org/blog/signal-is-expensive/
>Because everything in Signal is end-to-end encrypted, we can rent server infrastructure from a variety of providers like Amazon AWS, Google Compute Engine, Microsoft Azure, and others while ensuring that your messages and calls remain private and secure.
Your source doesn't support your claim. The exact snippet you quoted, interpreted strictly, only means they have the option to host it across providers, not that they actually do so. It also doesn't say anything about where it's hosted. It can be hosted in AWS, GCP, and azure, but all in the US, for instance.
Apple took the same stance during the San Bernardino case!
FYI the EU wide proposal to scan all your private messages using an AI agent on your devices also originated in Sweden by EU Commissioner Ylva Johansson in 2022.
> EU Commissioner Ylva Johansson has also been heavily criticised regarding the process in which the proposal was drafted and promoted. A transnational investigation by European media outlets revealed the close involvement of foreign technology and law enforcement lobbyists in the preparation of the proposal. This was also highlighted by digital rights organisations, which Johansson rejected to meet on three occasions. Commissioner Johansson was also criticised for the use of micro-targeting techniques to promote its controversial draft proposal, which violated the EU's data protection and privacy rules.
I don't think anything good ever came from Ylva Johansson. Mentions of her name on something should make one automatically treat that thing with suspicion.
is there some fascist movement in Sweden that I haven't heard about?
Yeah, the Social Democrats, whose member she is
You know it's a banger proposal when even the Swedish armed forces tells you "Please don't".
European armed forces should know best, given that Signal has seen actual use by Ukrainian military personnel, with Russian forces trying their best to target those encrypted communications (right now mostly by getting those smartphones from dead bodies).
They also have a social engineering attack using the Linked Devices features, which was on the front page of HN recently.
The fact that proposals like this get this far, without anyone checking with the defence department and actual experts is really weird. It's not just Sweden, this is clearly a problem in many other countries.
I'd really like to know why it's so hard for politicians and police forces to understand that backdoors are dangerous.
It will be waring factions within government (which is never unitary in any country) --- here these laws/proposals/etc. probably come from domestic spying agencies and police forces in most countries. I suspect that signals intelligence agencies and offensive forces have probably mostly moved to "encryption is good" stance given the number of foreign attacks upon domestic assets (gov, biz, etc.).
However, we shouldn't underestimate the desire for foreign intelligence agencies to bait one's own domestic agencies into "spying for them". So i imagine there's some pressure from, eg., the US sigint agencies to have the EU compromise EU citizens in ways that even those very agencies may today not wish to compromise their own.
At a complete guess, I wouldnt be supried if, eg., the NSA (, CIA, et al.) were goading EUROPOL which was demanding domestic anti-encryption laws.
As an empirical matter, encryption makes agencies like EUROPOL's jobs extremely difficult -- i imagine also because they probably struggle to get coop from domestic police forces, so cannot easily do "the physical police work necessary" to get device access.
In the end, I imagine we'll have china to thank for the end to this nonesense -- since any backdoor will immediately be a means of mass corp/gov espionage.
> At a complete guess, I wouldnt be supried if, eg., the NSA (, CIA, et al.) were goading EUROPOL which was demanding domestic anti-encryption laws.
The exact purpose of Five Eyes?
I'm shocked, shocked! there's gambling going in here!
It's not the purpose of five eyes, it's a noted tactic.
But at the same time countries realise they are under attack economically and political from hostile cyber warefare... and so there's something self-defeating about this tactic now whereas perhaps 10-20 years ago there wasnt.
It's hard to imagine a US-China war (say by proxy in TW) or a EU-Russia war (eg., esp., by proxy in UA) "going well" under conditions of broken domestic encryption.
Eg., back when the UK mass surveillance law was passed in 2016, I imagine sigint agencies were more on-board... today I wonder if that law would now be "quietly opposed" on grounds of national defence
I think it's part ignorance, part exceptionalism. Backdoors sound simple, and if you're thinking about physical backdoors people are generally pretty good at protecting them. That this is largely because they have a lot of characteristics not shared by digital backdoors is easily lost on most people. These folks also tend to believe that THEY will be perfect stewards of backdoors, and anybody who loses control of them is just less competent.
They haven’t been in a war since 1814, so they’ve had lots of time to develop other competences.
I hear they also make amazing sourdough and can discuss the Beatles catalog at depth.
as a general rule countries that succeed with a policy of neutrality do so by having their military strong enough that they're mot worth fucking with.
> having their military strong enough
That's not how Sweden remained "neutral" though, although I'm not sure I'd agree Sweden been neutral since 1814, wasn't exactly neutral before/during the second world war. https://en.wikipedia.org/wiki/Sweden_during_World_War_II
in your link there are numerous indications that Sweden keeps its military strong enough that it isn't worth fucking with, as in this quote
>Georg Homin, a captain on the General Staff, stated:
> Without a defensive force we cannot follow any policy of our own, our declarations become merely empty words and we leave the country's fate to chance, or to the decisions of others. With a defense as strong as Swedish conditions allow, we secure for ourselves the basis of a continued independent Swedish policy.
obviously strong enough that not worth fucking with is a relative thing, based on a calculation of what do you get for attacking, how much will you have to spend to get that?
Sweden is one of only 10 countries on the planet that has developed its own fighter jet (JAS 39 Gripen, plus retired predecessors).
(At least ChatGPT lists Sweden as one of 10 countries with indigenous fighter jet programs.)
GGGP:
> They haven’t been in a war since 1814
Geography plays a role too I'd think. In a way, located in an icy corner of the world (rather than f.ex. in central Europe)
Signal is headquartered in the US and presumably has no employees in Sweden (and perhaps the entire European Union).
There is utterly nothing the Swedish government can do to stop Signal except for pressuring app stores and/or ISP-level censorship. Preemptive surrender is extremely disappointing, especially for a non-profit - there isn’t even any revenue that can be ‘fined’ by the EU!
> There is utterly nothing the Swedish government can do to stop Signal except for pressuring app stores and/or ISP-level censorship
They can go after executives and employees of foreign companies, too. The charges may not mean much unless those employees travel through Sweden, but if the political winds change in the future then they may be able to convince other countries to enforce their charges against employees as well.
It’s reasonable for a company to avoid risking their employees becoming targets of detention for international travel.
It also more effectively highlights the political issue within Sweden if people there see the consequences of the laws of their elected officials rather than having those laws silently ignored by a company that takes the legal risk upon themselves.
The app stores are run by companies with a presence in the EU.
What's funny is that it's other EU laws from totally different parts of government which are, at the same time, pushing to allow for side loading of apps and alternate app stores on iOS and Android.
https://www.google.com/search?q=apple%20eu%20alternative%20a...
The end result of which, if done at large scale, means that an EU government couldn't ban signal, short of forcing all its domestic ISPs to be downstream of a China type great firewall, or simply null route all the IP space where signal's servers are located.
All the alternative app stores can easily be subject to the same legal requirements as Apple.
Side-loading is harder to enforce any rules over, of course.
Blocking domains is well-established at this point, thanks to the copyright industry doing a 21.5-year whack-a-mole-waltz with The Pirate Bay. Of course, this also demonstrates the limited effectiveness of domain blocking.
> Of course, this also demonstrates the limited effectiveness of domain blocking.
Extremely limited effectiveness, when VPN operators like Mullvad are corporations based in Sweden and offer 5 euro a month service to bypass whatever local "mess with internet traffic" activity, whether government-caused or not, that someone's last mile ISP is up to...
There's also the game of whack a mole with taking ownership of domains at the registrar/ICANN level through court orders, such as with the various .com or similar things that get jacked and plastered with a "DOMAIN HAS BEEN SEIZED" notice by the US feds.
You don't need to get Signal from an app store (unless you're on iOS I guess)
For 99% of people the effect is the same as blocking the app.
You mean because users don't know how to sideload? Maybe so far, as there's been no need. On Android it's just one pref and then you download the APK in the browser.
Yeah, most people don't leave the easy path. Most people don't use Signal. Adding more friction won't improve that.
Fortunately iOS is not 99% of the market.
I did not mean iOS.
In the EU, Apple must support side loading and other app stores.
But those are also vulnerable to these laws, no? App sideloading seems the only escape.
Even then the webapp should work
Since when is there a Signal web app? I don't think there is, but even if there were then presumably it'd work the same as the desktop app: "To use the Signal desktop app, Signal must first be installed on your phone."
Sweden is part of the expanded 5 eyes (now 14 eyes). As a workaround for restrictions on domestic spying, they subcontract their dirty work to each other. Hence, you can expect the US to assist in pressuring them (ostensibly on behalf of Sweden)
I keep seeing this idea that because a company is headquartered in some place, means they don't have to follow the laws of the countries where they operate.
Yes, Signal may be headquartered in the US, but that doesn't mean they can just ignore the laws of other countries, which is exactly what may happen here, depending on the outcome.
Sweden may propose a backdoor (a utterly shitty idea, I agree) which Signal may decline (which this submission is about). Then the next step is either Sweden giving up on the request, or placing fines on Signal until they comply or outright ban it, or Signal deciding it isn't worth it (prevent Swedish users from using Signal).
All within their capacities and rights, even though I again think it would very stupid approach.
There are only a few instances where institutional powers pass judgements that they cannot enforce. Generally doing so makes that institution look weak because it puts them in a position to have their rulings openly flouted. That's at the core of what jurisdiction means.
Sweden can fine Signal all they want but if they can't enforce the collection, they weaken their power and foster disrespect.
Singal is centralized? Can't they just block it at the border? I understand VPN or whatever, but if they're serious I hear there's a couple of countries with "pretty good" border firewalls.
Doing that would eliminate so many Swedes from Signal...
I haven't found a VPN solution for iPhone users in a couple of US states. It's like iphones are actively hostile to the very idea of a VPN. Or at least "self-hosted VPN", maybe the $20/month VPN work but that's... Sketchy.
You're making my point. Sweden would choose the most effective mechanism that they can actually enforce to deal with Signal's noncompliance. Blocking DNS or ISP access is much more accomplishable for Sweden than trying to levy fines.
Not familiar with Swedish law, but in most of the world the courts have a concept of jurisdiction. Otherwise a small country could just fine Apple $1T and solve its budget woes, and probably build a giant waterslide.
I would be surprised if Swedish law allowed for prosecuting a foreign company with not one bit of operations in the country.
> Otherwise a small country could just fine Apple $1T and solve its budget woes, and probably build a giant waterslide.
You're joining two things here which I think are important to keep separate--the demand and the enforcement.
The Province of Bumbinga can absolutely claim worldwide jurisdiction and fine Apple $1T. And they can fine them a further $1T for every day they're not paid and their waterslide is not built.
Hell, _I_ could send Apple a letter claiming they owe me a trillion dollars so I can build a waterslide.
But when Apple doesn't pay a trillion dollars... then what? Send them angry letters? Still doesn't get the waterslide built.
A legal system's power isn't the orders it's the enforcement mechanism behind it. With a local presence they have the option to seize local assets and bank accounts, forcefully close operations, arrest employees, etc.
When the company has no local presence, your only enforcement mechanism is gaining the cooperation of a foreign country, in which case the country they're headquartered in is very relevant. And they're only going to cooperate if your request aligns with their ideals and generally benefits them.
Except in the most extreme cases, it's generally not worth it to try and impose your rule outside your borders because you have no mechanism to make anyone comply. It's an empty threat. Jurisdiction in the international sense is descriptive not prescriptive. It's recognition of the limits of your authority. The outcome is the same with or without it.
Signal may have users in Sweden which Sweden sees as giving it jurisdiction. Sweden may see it being accessible at all as giving them jurisdiction. Sweden may say "screw it, we have jurisdiction over the whole world!". But their ability to enforce that more or less ends at requiring ISPs to block their traffic or asking the US government to enforce their orders within US borders, so it's kind of a moot point.
> a foreign company with not one bit of operations in the country.
Borrowing from how tax & law is usually applied for companies trading outside of their incorporated country, at least in many places including the EU: If you have users/customers in a certain country, even if your product is purely software, you can be considered to have operations in that country.
> even if your product is purely software, you can be considered to have operations in that country
Couldn't users in pretty much every internet-connected country use VPNs and other methods of cross-borders indirection to access even those US services which explicitly block non-US IP ranges?
If this is the case, then is it not the case under the quoted reasoning above that any internet company should be expected to have operations in every other internet-connected country?
I didn't say it was sensible policy. But yes.
It's the same reason Australia and now South Africa demand payment from Meta and Google for revenues related to links going to local news sites and the like.
> If you have users/customers in a certain country, even if your product is purely software, you can be considered to have operations in that country.
If no money is changing hands, good luck with that. (Or, rather, bad luck with that.)
(If money is changing hands, you might find your payments blocked by local payment providers, though even then that would take a while and might or might not happen.)
> I keep seeing this idea that because a company is headquartered in some place, means they don't have to follow the laws of the countries where they operate.
My friend's medium size regional ISP is headquartered in the US and as a hosting company certainly has customers who violate any number of censorship, blasphemy, etc laws in Iran, Russia, Myanmar, Pakistan, Bangladesh, just to name a few.
Signal doesn't "operate" in Sweden any more or any less than any other internet based service which has zero servers, offices, bank accounts or other physical presence in the country.
> they operate?
How are they operating? It might as well be viewed as citizens of Sweden interacting with a foreign service out of their own volition.
In general, laws are backed up by the threat of violence. To the extent that Sweden's police can't confiscate Signal's assets in the US, they do not have to comply with anything. The only leverage Sweden's government may have is ISP level censorship, which is likely to cause unintended disruptions. Signal is in turn free to attempt to circumvent the censorship.
While I don't personally agree with the law, I genuinely hope we witness a major corporation withdraw from a market just so we can finally observe the concrete impact of these types of threats. (Even though their position is understandable in this particular case.)
Google ultimately did that for China. The outcome in that case is that the domestic market filled in the gaps, while complying to all relevant authoritarian legislation. I do not believe that the same would happen for every market where these stunts are being pulled off, at least not to the same level of quality.
Why are European countries trying to pull one off from the China playbook, while simultaneously being shocked that companies react to authoritarian moves in the exact same way as they have done in the past, is beyond me. Is the hubris so large that they honestly can't conceive their "requirements" as being "literally the same as China?"
Having to build local alternatives probably had a positive impact on China's software industry. We're at a point today that major Chinese software/tech companies are routinely talked about on nightly news.
India banning TikTok did not have the same effect on the Indian software market [1]. The local competitors that cropped up were mostly disappointing and didn't outcompete YT/Instagram.
Similarly, the benefits of Sweden banning Signal would most likely accrue to WhatsApp, not any indigenous software company.
[1] https://restofworld.org/2022/tiktok-sized-hole-in-india/
China has a user base that could make any app insanely popular. In the single country. Not to mention that EU has less people, EU is also very diverse culturally and the gap keeps widen.
Would you want to be reliant on American companies right now?
Not wanting to be reliant on american companies because of the data and technological sovereignty is admirable.
Not wanting to be reliant on American companies because they don’t allow you to spy on your own citizens as much as you want through…
[dead]
Someone is always willing to bend towards what the market requires - including complying with whatever insanity gov wants
Let them. If you bend you reduce the options for people who do not want that.
Have you ever read the book The Corporation? It goes into some detail about why corporations can't do that. Not "won't" - can't.
i did not read the book but i did read the news when google gave up on serving censored search results in china
What would you say the difference is between Google in 2010 in China and Apple in 2025 in the UK?
Unlike a certain big tech giant who pretends to care about privacy until it cuts into their profits.
All of them?
Well, only some claim to "remain committed to offering our users the highest level of security for their personal data" while turning off E2EE cloud storage for an entire country.
What other choice did Apple have? To ignore the law of a country where you operate just because you don't agree with the law is a terrible standard to set.
> Signal to leave Sweden if backdoor law passes
Apple already did set that precedent during last year with their responses to the EU DMA.
In fact I find the difference in how they handle the two very telling.
Terrible yes, but given Musk-X-Brazil, at this point the Rubicon of "setting" such standards has already been crossed.
(Even if the result was Musk being humiliated).
What else could they have done?
They could have done like Telegram in Russia and said that they will not care about that and work on ways to bypass any firewall that could setup the authority to block it.
Are we talking about Apple? How can they operate in a country they are banned in? They are predominantly a hardware company.
As Signal are doing here, they could have refused to do business (at least, with iCloud) in that country. That's a far bigger pushback than simply capitulating to removing a relatively unknown feature.
To be clear, if they did this and the UK gov called their bluff, it'd affect me personally, but I'd rather that than swinging open the backdoors
You believe that the Apple Board of Directors would allow their CEO to do that? Who do you think would make that decision?
If it's the board that makes that decision, it's the board that holds responsibility for it. Nobody said anything about a specific person at Apple doing anything, just Apple as a company.
Would they? Of course not, but the question was what else could they do, and this is something they could (and if their fundamental motive wasn't purely profit above all else, perhaps should) do.
The board can't make a decision like that. They would be ousted by activist shareholders.
I'm trying to help people understand that there is no actor that can make these decisions they want them to.
Not put absolute profit over principles? Or at least don't advertise they do?
No, what specific action would you have had them do?
> Signal to leave Sweden if backdoor law passes
I don't know... what else could Apple have done? Hard to determine what else they could have done besides turn off the feature in a thread on another company not just turning off a feature, but leaving a country entirely.
Who would make that decision? What would happen next after they did?
That's beside the point. The question was what else could they have done. My comment is 100% correct. For some reason, people dislike facts.
I think the only way to change the decision a person or entity makes is to first understand what they are asking that person to do, and the consequences of that action.
Being unwilling to do that simply has no impact on the real world. You scream into the void.
No, some of them don't even bother pretending they care about your privacy.
What would even be the point of Signal if there’s a backdoor? This isn’t just principled, it’s necessary for business.
Once Signal is backdoored successfully (in this alternate timeline) you go after WhatsApp, RCS, whatever other encryption you can't bypass. Other countries follow suit because Sweden did it (like an infamous single study out of the Netherlands that affected global health policy.)
The goal is no privacy. Because terrorism. Or the children. Or espionage. Just pick one and speak against them directly and you'll find many arguments why the government needs access for any of those reasons. People love going to bat for giving up rights.
I forget who said it but you cannot have a civilization without secrets.
It seems like a lot of these proposals are coming out of Europe—assuming I’m not mistaken (and I may well be), why is Europe cracking down so much on privacy?
There is a huge section of the population who believes it's possible to strip the security of criminals using apps like Signal without it affecting everyone's security. Same in Sweden as the rest of the world.
The military of Sweden seems to get it at least, they "write in a letter to the government that the proposal cannot be realized "without introducing vulnerabilities and backdoors that can be exploited by third parties"". The military also recently advocated for more use of Signal, so clearly they've reviewed it and find the current security good enough.
It's not just privacy, Europe is cracking down on freedoms generally. Free speech, the right to silence, the presumption of innocence, etc.
Most of this is being done to address the increasing terrorism threat we now face on a daily basis. Freedoms really only work in societies where people broadly share the same values and cooperate, but European societies are fragmenting and increasingly becoming less safe and less tolerant. If we want to do something about this then restricting freedoms is probably going to be required to some extent.
Another theory I have is that this could just be a symptom of an older and more female voter base. As women become more politically active and as older generations make up a larger share of total voters if we assume these demographics are more safety orientated on average then perhaps we should assume that safety concerns will begin to trump the desire for freedom. It's just a theory though.
> Most of this is being done to address the increasing terrorism threat we now face on a daily basis. Freedoms really only work in societies where people broadly share the same values and cooperate, but European societies are fragmenting and increasingly becoming less safe and less tolerant. If we want to do something about this then restricting freedoms is probably going to be required to some extent.
Or you could undo the changes that have caused that decline in social cohesion. People don't share the same values because our governments have been non-stop importing people with radically different values. Values which see it as a positive to end the lives of those who don't agree.
> Another theory I have is that this could just be a symptom of an older and more female voter base.
That voter base does vote more for the established parties and their policies that have gotten us into this compared to the population at large, yes.
Glaring example supporting the first hypothesis is that Denmark reinstated blasphemy laws in 2023. https://en.wikipedia.org/wiki/Blasphemy_law#Denmark
It's becoming clear that EU politicians are far too easy to manipulate by companies with products to sell.
> Since the revelation of ‘Chatcontrol-Gate,’ we know that the EU’s chat control proposal is ultimately a product of lobbying by an international surveillance-industrial complex. To ensure this never happens again, the surveillance lobbying swamp must be drained.”
https://news.ycombinator.com/item?id=43171861
Sweden has rapidly devolved from a high trust society to one where firearms and grenade attacks are a weekly occurence [1]. It is the perfect opportunity for law enforcement to demand more surveillance capabilities.
[1] https://la.stnight.in/Sweden/
Step 1: allow a million people from low trust societies to immigrate to a nation of 10 million in a short span of time.
Step 2: Sweden becomes the gun crime capital of Europe.
Step 3: Change your society to a low trust society, dismantling all the wonderful things social services and liberal institutions.
European bureaucrats generally have little understanding of the technology they get paid to regulate, as we've seen with the their previous attempts to regulate the industry. It's very much a "vibes-based" approach. They can simply keep proposing the same regulation with a new name until it's voted through.
> European bureaucrats generally have little understanding of the technology they get paid to regulate
I'd agree with you if you just put "bureaucrats" instead of European bureaucrats, what country isn't currently led by a bunch of bureaucrats who don't seem to understand even the basics of the technology they legislate about?
I've yet to seen a country to lead the way, no wonder the rest of the countries don't seem to know what to do and just throwing stuff at the wall.
While I generally agree, the bureaucrats in the US have been somewhat checked by nonprofits who will lobby against this kind of legislative overreach and sue if the legislation passes. Obviously we have all sorts of other problems, but mostly our bureaucrats and legislators aren’t making backdoors a policy as far as ai’m aware (who knows what the CIA and FBI and NSA are up to, though?).
I assume it’s just one of those things that Swedish society is having to grapple with abruptly and that they will adapt the appropriate institutions. I have more faith in Sweden than my own country lately.
> While I generally agree, the bureaucrats in the US have been somewhat checked by nonprofits
So does Sweden, and have had strong privacy advocates for a long time. Remember that The Pirate Bay came from Sweden? It spawned a political and ideological movement (Piratbyrån & Copyleft/Kopimi) that still has some presence in Sweden and EU although doesn't seem as strong as it used to be, except for Iceland I think.
> I have more faith in Sweden than my own country lately.
Not sure what your own country is, but assuming it's US, they're pretty much equal in many ways (but not all obviously) and Sweden basically copy-pastes US political policy for the last decades, for better or worse.
Yes, my country is the US. I'm very skeptical that Sweden and the US have similar policy in the general case or in the case of privacy in particular. With respect to privacy specifically, I don't think the US has passed any "no encryption" or "mandatory backdoor" policies (I'm happy to be corrected). In the broader case, I'm of the impression that Swedish policy differs dramatically from US policy with respect to regulation, social safety net, taxation, government-owned enterprises, etc.
The politicians voting on it might not fully understand but the people pushing the regulation absolutely do. They want a popultion that hears and sees only what they want to.
Sweden is having an epidemic of Crime as a Service, where minors are recruited online to do killings etc for cash. Secure messaging makes it very hard to find the leaders of these crimes.
Bullshit. Crime gangs had myriad of ways to hire youth before. There could be other ways to make sure there’s no huge pool of youth waiting to be hired. But that may be politically too hard.
Please do your research before throwing that term after me. I don't care if you think its markedly different for crime recruiting earlier. Point is contracts for killings are put online and planned through Signal. The Swedish police find it annoying as it makes it hard to find the money men. That's the reason for why Sweden want the back door. If it makes sense or not has no bearing on what I wrote.
I’m throwing that term at Swedish police, not at you.
Gangs would find another communication channel before the law is put into effect. Yet backdoor would be there forever.
The population in europe is finally (if slowly) waking up to the fact that their elected leaders do not act in their interest. This is the establishment's attempt of staying in control of the narrative so they can keep suppressing any real resistance to their rule.
I can not speak for Europe generally but Sweden has very serious problems with gang wars the last couple years, and people are really tired of them shooting each other and setting off explosives. That's the reason for this particular proposal (and many other questionable expansions of police power too).
Because European tradition is to have strong bureaucracies steering the „democratic“ processes. And encryption is a wrench hitting those mechanisms. Another one is the raise of all sorts of independent journalists/bloggers/etc.
Those themes keep recurring both on EU as well as national levels. Including nations that ain't EU members.
As a citizen of EU member, I’d love to change this discourse. But there seems to be very few options to vote for. And then such BS happens at levels that are practically out of reach of democratical process.
Bear with me here, but I think it comes down to believing in a "benign government", coupled with a misunderstanding of the technology.
Under a benign government (as arguably we have in most of Europe), we can have a reasonable assumption that the state will act in the interests of the population. The public sector workers who have chosen that line of work probably believe in what they're doing and want to do it well.
The government has always had the ability to steam letters open, and they will always need to, in order to fulfill their duties to the population.
Of course, requests such as adding a back door to end-to-end encryption are unnecessary when they could take control of one of the devices in some fashion...
On the surface it's mostly "think of the children" and "terrorists use encryption" type arguments.
I'm sure some of the politicians advocating for this have ulterior motives, but I hope we won't get in a position where we find out what those motives are.
In Russia Internet censorship went in ten years from "we need a legal framework to block websites with child porn on a court order, why are you against it, are you a pedophile" to blocking everything that doesn't speak complimentary of the government without leaving any paper trail at all.
The reasons mostly are "they are all owned by elites whose names you're not allowed to even know and who would like to keep the serfs docile and ignorant".
Because we’re cuckolds and a politically dead society. Also very old. After you’re passed the age of 40 you’re more interested from your pension is going to get paid for when the day will come, not in abstract things like “freedom” and what have you.
This made me immediately picture all of my 40 plus friends and colleagues and... Its completely accurate. Aging slippers-and-tea Brits in comfortable office jobs with very little mortgage stress and a lot of time to virtue signal on facebook are some of the most useless, autopilot zombies the human race has ever seen
Things would improve dramatically if everybody who lives off the state (including pensioners) couldn’t vote.
In some European countries public money has turned into a pretty transparent way of buying votes. These votes are used to make sure nothing ever changes.
As opposed to the US, where this spying is done illegally and no one gives a shit?
[dead]
[flagged]
Could you substantiate this comment in any way whatsoever? I don't need more pithy adverts for authoritarian politicians in my life.
Vance's speech at the MSC criticizes Europe cracking on freedom of speech for its citizens.
Just in case you are counting, there's another proposal in France to force backdoors:
> At Tuta, we are deeply concerned about the proposed amendment to the so-called "Narcotrafic" law, which would force encrypted communication providers to implement backdoors for law enforcement. This would threaten everybody’s security and privacy and could be in conflict with European data protection legislation and Germany's IT Security Act. We urge the French National Assembly to reject this dangerous amendment. A backdoor for the good guys only is not possible.
> France is about to amend a bill against drug trafficking, the “Narcotrafic” law, which will force encrypted messaging apps like Signal and WhatsApp to backdoor the encryption for being able to hand over decrypted chat messages of suspected criminals within 72 hours of the request. In order to enforce it, the text provides for a “fine of EUR 1.5 million for natural persons and a fine of up to 2% of the annual world turnover for legal persons”. The amendment has already been passed by the Senate and is now moving fast to the National Assembly.
https://tuta.com/blog/france-surveillance-nacrotrafic-law
Swedenherald and their 807 vendor buddies value your privacy.
Original article (in Swedish, but the interview with Whittaker is in English): https://www.svt.se/nyheter/inrikes/signal-lamnar-sverige-om-...
the english interview is actually in the video banner above the page btw
What is the state of peer to peer messengers with E2EE? Over ten years ago, Bittorrent Inc. (now Rainberry and Resilio) made a serverless chat client (Bleep IIRC). But I don't think there is anything new that is also user-friendly? (Drop-in replacement of WhatsApp, Signal, iMessage, etc.)
Peer to peer communications are difficult to combine with mobile phones (at least if you value battery life). There are various messengers out there, but they're incredibly niche and I doubt they'll ever get any decent user bases.
Tox is peer to peer and encrypted, but its UX will probably drive away anyone who wants the ease of use of Signal or WhatsApp.
I think Matrix experimented with the concept of running a server on-device, and that's one of the few alternative chat systems with decent UIs available, but AFAIK that never made it beyond the proof of concept stage.
Veilid Chat, developed by the Cult of the Dead Cow, promises to be an interesting option, but it's currently in beta and has been for a while.
> Matrix experimented with the concept of running a server on-device
https://arewep2pyet.com/
On the Matrix side we still want to get back to working on this; it's just needs dedicated funding.
Jami is supposed to be encrypted, distributed, opensource, and cross platform, though I haven't personally used it:
https://jami.net/
Session, SimpleX, Jami, Briar are a few.
Some background: Lots of stories in the media in Sweden recently about how murders are now ordered via chat apps. Today in fact, there was one about a Snapchat murder. https://www.aftonbladet.se/nyheter/a/8qL3A1/uppgifter-missta...
It is incredibly dangerous to add this kind of functionality to anything. I also believe that this request is illegal with current European legislation.
> The Armed Forces, on the other hand, are negative and write in a letter to the government that the proposal cannot be realized "without introducing vulnerabilities and backdoors that can be exploited by third parties", reports SVT.
What is the meaning of this paragraph? Did someone from Sweden's own armed forces write to the government to dissuade them from the initiative?
I know this is a very unpopular take on HN, but coming fra Scandinavia id like the police to have a system to scan for child pornography etc. We trust our gov. Hard to believe I know.. I’m not sure if it would be technically possible to design a system where the backdoor could really only be used by the gov somehow
Apple did the right thing in the UK. This means that neither politicians nor the military will benefit from E2EE, while it's clear that they wished that just the plebes would be affected by this.
Maybe all IMs should then drop encryption altogether, bringing us back to the stone age of clear text messaging (email sent unencrypted between MTAs).
Because this "please let them use encryption, but let us peek around it" just doesn't feel right.
> Because this "please let them use encryption, but let us peek around it" just doesn't feel right.
Most of gov regulation works like that. You can have guns but only registered ones. Machines guns illegal unless it’s military etc
But it is not encryption if it can be broken. It's like guns, but they can remotely disable them with devices planted in each.
And people say the US is authoritarian. You can't burn books in Denmark without going to jail and now Sweden wants to spy on all your messages.
I wonder if there is some connection between the more-spying direction of policy to Sweden's recent entry into NATO ("after 200 years of non-alignment"):
https://www.nato.int/cps/en/natohq/news_223446.htm
Sweden has been sharing info with its neighbours and the US for a long time. See SIGINT Seniors Europe for example
I certainly hope they don’t install any kind of backdoor, because they will give unfettered access to the fbi, and they will likely use that to hunt down marginalized groups (trans women) to eliminate them.
Interesting that the Swedish military agrees it's a bad idea.
Which bill are they talking about? Chat control?
How are these politicians so clueless?
They aren't. They know very well what they are doing.
Actually, they are totally clueless many of them.
There is a reason why Free Software (as in freedom) was invented: To ensure that those who create the software do not overpower those who use the software. The idea, that companies or politicians can force the user's machine to work against it's owner, is wrong. And it is wrong, because to be a human in the 21st century means in most cases, that your digital devices and your digital interactions are a core part of who you are as a private person. Invading the privacy of one's digital space is a violation that goes as deep as reading someone's diary when we look back and the time when life was more analog.
> The idea, that companies or politicians can force the user's machine to work against it's owner, is wrong.
You are hinting at something important here. Let me strengthen your point: to own an object means to subject it fully to your own will. If the object can act in a way that favors someone else's interests over yours, you do not own it. This is true of pretty much any device running proprietary software.
A litmus test: can you make your device lie to the manufacturer's servers? Regardless of the legality or morality of doing so.
However this article is really about something else: the vulnerability of centralized services in the face of government oppression. Signal only has the ability to log messages because it is a centralized service that controls both the client and the server. The benefits of E2EE is greatly reduced if the client and the server is controlled by the same entity (tomorrow Signal can push out an update that would send a plaintext backup to their servers, and you wouldn't know it until later). Moreover, the non-free distribution mechanisms on mobile phones (stores) limits a company's ability to resist.
Also only possible because we use Signal as compiled by themselves and not by trusted third parties from a source kept clean of any future client-side backdoors. The client is open source, right? https://github.com/signalapp
(Reproducible builds is a cool technique.)
Yes, this is part of the problem. Application developers and the packagers should be distinct unrelated entities to reduce the chance of a malicious update being pushed to users if the developer sells out.
F-Droid and Debian/etc show how this is done.
Without reproducible builds, this just means you have to trust the packager instead of the developer. Sometimes that's a good trade-off, but you still haven't really solved the problem, just moved it.
With reproducible builds, you don't have to trust the packager or the developer as long as you trust at least one person who reviewed the source code.
Packagers have proven to be more reliable. Sometimes they make mistakes but there's no case of a packager ever selling out (correct me if I'm wrong.) On the other hand, there are numerous cases of developers selling out.
Splitting the developer and the packager doesn't inherently reduce the chance of a malicious update any more than using a VPN reduces the chance of being snooped on by an ISP. All it accomplishes is change who you have to trust to not be malicious. You might have good reason to believe that you can trust one party better than you can trust another, but unless you're building the package yourself there's still no guarantee that the package that you install is built from the source code you can inspect.
It's all based in trust in the packager and only the packager—there are no checks and balances. The only reason why splitting up the responsibilities might help is if you find the F-Droid maintainers to be inherently more trustworthy than the Signal developers, not due to simply separating the concerns.
That does not solve the problem. A country can forbid F-Droid and Debian and anything else that is not in a short list of vetted app stores that comply with the law of that country to backdoor everything.
A sovereign country creating and enforcing domestic laws is not a problem that can be overcome with software.
I have unpopular opinions about this, because Signal has been so hostile to anyone other than Signal themselves being involved.
But to be specific: "open source" claims go out the window when they're;
1. Not reproducible (before anyone links me to the "reproducible steps" please actually read them because they tell you directly that they will not create a reproducible output).
2. Able to hide development of mobilecoin (somehow) from us for nearly a year. To be clear: There were updates to the Signal app on iOS and Play, otherwise there would have been security bugs, but those patches did not make their way into the repositories.
Signal operates on a "trust us bro" mentality, and no matter how trustable they seem to be- something about that doesn't sit right with me and never has.
EDIT: I don't really care if bots or shills downvote me, can you really, with a straight face, say it's NOT "trust us bro" ideology that makes people use Signal?
https://molly.im for a more FOSS and safer fork of Signal
Can you point out where it says it won't be a reproducible output?
https://github.com/signalapp/Signal-Android/blob/main/reprod...
I skimmed and didn't see that but the "apkdiff" script extracting the apk because "diff doesn't work well on zips" made my gut twitch.
Why can't I sha256sum the two apk?
Archive formats are hard to make reproducible because there are lots of ways of making different yet equivalent archives. So it’s not surprising to me that someone would fail at this hurdle and find it frustrating to resolve. Nix defined their own format for this to avoid this exact problem.
It seems there are multiple reasons. For one, the apk files include a digital signature and you won't have Signal's and Google's private keys available to recreate their signatures.
Thank you for this nice response. Did you already know or did you look it up? please don't tell me you just copied and pasted my question into an input form somewhere and it gave a bunch of reasons...
i should have done that.
I was interested in this so I had a look at the tools.
Now that I asked ChatGPT, it didn't include this reason - perhaps it's too obvious and no-one has written it down before.
Ah nice; they got rid of that explicit warning - instead though we have the entire section about "bundlePlayProdRelease" including an externally sourced binary blob.
A significant improvement.
/s
I don't understand how the details of the build process matter if the resulting files can be checked to be bit by bit identical? I can only think of something like Signal and Google conspiring to backdoor the binaries during the build process via this external binary blob. But if Google is part of this, they could also do it within Android which is not fully open source.
If you don't like this, you use the non-Play Store build instead (which supposedly doesn't include any binary blobs, but I haven't checked).
I’m throwing a +1 your way. Hiding development for a year to launch a get-rich-quick coin isn’t the way a trustworthy FOSS organization should behave.
As someone who got their whole network to switch to Signal before that happened, it was absolutely disgusting watching that all play out.
> 2. Able to hide development of mobilecoin (somehow) from us for nearly a year. To be clear: There were updates to the Signal app on iOS and Play, otherwise there would have been security bugs, but those patches did not make their way into the repositories. Signal operates on a "trust us bro" mentality, and no matter how trustable they seem to be- something about that doesn't sit right with me and never has.
The MobileCoin work and the source code not being published on the public repository for nearly a year was an extremely ill thought move. It soured my view of Signal as well.
> to own an object means to subject it fully to your own will
Not by a long shot. Just a few counterexamples from the top of my head: Destroying currency, altering passports, reproducing copyrighted images.
I'm not saying I'm a fan of even more exceptions of that kind, but I don't think there are any particular inherent rights arising from property ownership beyond from what society agrees on there are (e.g. the first sale doctrine for physical media). That's what makes it even more important to codify these rights.
> Just a few counterexamples from the top of my head: Destroying currency, altering passports, reproducing copyrighted images.
These aren't counterexamples, they prove the rule. A US passport literally has the text "this passport is the property of the United States" printed inside of it, and I imagine the same is true in most countries: you are the recipient of a passport, not the owner of one.
The same applies to copyrighted images— when you purchase a book you own the physical copy and can fully subject it to your own will, but you don't own the right to make additional copies of it. You own the copy, not the intellectual property.
As for currency, it may not legally be the property of the US government like a passport, but I would argue that the fact that you can't modify it does in fact mean that you don't own the bill, the bill is a representation of an abstraction of "money" that you do own.
Afaik currency (as in the physical banknote) is actually state property too. What you really own is a promise from the national/federal bank to pay you the value that is written.
Yeah, that has been my understanding, but I couldn't find a citation for that right away, so I didn't want to assert it confidently. But I've heard the same thing.
Note that I said "can", not "legally can". You can destroy currency, alter passport, reproduce copyrighted images if you want to. There may be legal consequences but you can. You can also stab a person with a knife you own, even if you will be punished for it. I'm not talking about rights, but capabilities.
You can't make your phone lie to an app developer about its location, rooted status, etc. You can't make your HP printer print with unsanctioned ink. Therefore, you do not own them.
I also can't make a pen and a sheet of paper contain a proof showing whether P is equal to NP. Does that mean I don't own them either?
Now you could of course say that the difference is somebody having intentionally designed an object in a way that makes it capable of withholding some functionality from me but not others, and I'd agree.
But all in all, I just don't think "property rights" is the right lens to think about computing devices.
You can also not use a service. I think anonymity is a better measure than the ability to lie for co-operative systems.
You don't need to run the server to backdoor the client. You just need access to push updates to the client. It doesn't matter who runs the server.
> You are hinting at something important here. Let me strengthen your point: to own an object means to subject it fully to your own will.
Let’s explore that.
If the law says I can’t ride my motorcycle the wrong way down the street, does that mean I don’t own it?
What about if we add traffic cameras that absolutely guarantee I will be prosecuted?
What about it if we add a black box that reports transgressions automatically to the authorities?
What about if the black box automatically cuts power to the engine?
I don’t think ownership is a binary using your criterion, or perhaps it’s simply that different people will put the dividing line in different places.
You don't own the streets.
You can do what you want with the bike, but your analogy falls flat because it implies that despite you owning the bike you get to drive through your neighbours living room: because your right to own a bike somehow trumps their right to own land and a home.
> Invading the privacy of one's digital space is a violation that goes as deep as reading someone's diary when we look back and the time when life was more analog.
Which police with a warrant can very much do.
There’s no warrant protection in this bill. They want to keep a copy of everyone’s data so they can look back at old stuff after the fact.
Even if there was warrant protection, I’d still be against it. People have traditionally had the right to speak to each other without giving a transcript to the police. I think it’s unreasonable to make that illegal.
Sure but I was responding to the point that a diary can't be searched. It can be. The key difference is that doing this for analog conversations was expensive for the police as it required them to devote finite human time. Digital is not the case.
Comparing to analog is I think flawed because even if it mapped 1-to-1 it does allow for a level of search that is problematic given the low cost of digital surveillance.
Testimony under oath can be compelled
In theory. In reality, no. "I don't remember/I don't recall" is a famous dodge.
Yes but people can genuinely forget the exact words they spoke time ago, even one minute ago, or a whole conversation. Examples: Who did I talk to yesterday? Did I met that neighbor of mine yesterday or was it the day before? I don't know.
I think generalizing forgetting information ignores that certain conversations would likely have a better chance to be remembered
They are not the same thing.
That is a significant hurdle. They have to do it for each individual target, show up in person and each case can be contested in court.
Scalable surveillance is different, just as scalable weapons are different.
It’s a good thing we have FISA then to protects us from the scalable surveillance. /s
Or, for that matter, analog correspondence or notes can absolutely be subpoened in many sorts of court proceedings, including civil.
Unfortunately, when we switched from letters to emails, the legal privacy protections we enjoyed back then, were not carried over do the digital realm. We're still suffering and have to use encryption to protect ourselves from the lack of legal protection.
Legal protections are great and everything, but if I had to choose between abstract legal protections or concrete protections based on physical properties, I'll choose the later every time. Obviously both is ideal, but I'd use encryption for most of my correspondence regardless of my levels of legal protection.
It may be wrong, but it proves that technology can't beat politics and policy.
The issue with Apple caving to UK demands regarding encryption, and now Signal being in a similar situation, shows that you can't just focus on technology and ignore policy and politics.
And you'll find out that a ton of people here on HN will care, but most of the public won't.
People should take XKCD 538 really to heart (The 5$ wrench one). It's not the same point, but very similar. https://xkcd.com/538/
>The issue with Apple caving to UK demands regarding encryption
Apple "caving" would've looked different; in fact, we probably never would have known, given the insidious nature of the underlying statute in the UK.
Apple is making noise about the fact that they pulled the product, and the tech press is making it clear WHY even though Apple itself is legally prohibited from giving any additional context.
I feel like that was probably the best move available to them given the cards dealt. Fighting in secret courts is unlikely to be fruitful.
Removing the advanced encryption option for new accounts is really 'caving' to the demands of the government in my view.
And in time, they will also remove the e2e encryption on existing accounts using the e2e feature to comply with UK demands.
They may have sounded the alarm, which I appreciate, but they still have to 'cave' and do as the UK government tells them or they have to cease operations in the UK.
What I'm really noting here is that Apple had no good options.
Capitulating would've meant giving the UK government the back door they wanted. They didn't do that. They complied in a loud and public way, which unmistakably shined a light on the insane request.
The only other options for them were withdrawal from the UK market entirely, or a secret court fight they'd probably lose.
To me, their actual response reads more like malicious compliance than "caving," which usually implies giving up completely.
> It may be wrong, but it proves that technology can't beat politics and policy.
It very much can. In a battle between human force and physics, physics win every time. If I send an encrypted email to you, you have the choice to not give up the key, even if you'll be in jail. With physical letters, you don't have this option. Technology gives you the ironclad ability to keep a secret, only limited by the fortitude of your character.
You can always burn a physical letter or delete a file.
This bill is akin to making it illegal to destroy your own correspondence.
You clearly haven't felt a 5$ wrench on your body. Giving up your secrets under torture isn't a character flaw, it's what will happen to 99.99% of people under torture. I can't help you if you don't believe that this is true.
And I hope you understand that 5$ wrench is a euphemism for what would 'really' happen.
All this to say that no, technology does not triumph over politics and policy.
Technology very much does. It's the flesh that has a hard time triumphing over force. To counteract this, you can also engineer a system that can resist it through e.g. split secrets on multiple people located in different jurisdictions.
If you split a secret over two people, first, we use the 5$ wrench on one of you to identify the other and the rest is easy.
If the second person is somewhere else in a different jurisdiction, how are you going to communicate with each other to get the two halves of the secret together to encrypt/decrypt messages? It's an unworkable situation.
As I see it, you create a fantasy situation that would not work if you just want to communicate with people in a secure way. No amount of technology or encryption is going to work, especially in the real practical world.
> technology can't beat politics and policy.
It often only can't in a world of mandatory centralized app stores. That's not the only possible world.
We technologists will probably be able to circumvent any Signal-ban. But we don't exist in a vacuum, we are a small part of a larger society. Who's at the other end of your conversation?
Most 'regular/normal' people won't and most importantly - don't want to - jump through the technical hoops to keep using Signal.
Although the downside of the official app stores is clear, the alternative might result in a swift return to the '90s and '00s where malware and viruses were rampant. Pick your poison.
I think malware and viruses are less common for many reasons, but I suspect increased awareness and security posture (including the architecture of modern OS) has more to do with this than "walled gardens." Malware does make it onto closed app stores, and many users (e.g. on Windows) still don't use app stores.
The answer you're looking for is probably to build more decentralized, FOSS software with better UX. Much easier said than done of course.
> It may be wrong, but it proves that technology can't beat politics and policy.
There's definitely a strain of thought which perceives almost everything in society as being outcroppings of the progress of technology (however you define that), and especially in the 1990s imagined/expected everything to fall over under the mantle of "information wants to be free" etc.
I think you're right that this is an intellectual dead-end. Many of us lived through the 90s hype wave and into now, and have watched things take a complete circle. The Internet didn't transform society into utopia, the real-world dystopia transformed the Internet into a high definition image of itself.
Did Apple cave to UK's demands? I thought instead they removed their product from the market, like Signal.
We're talking about companies though, not technology. Something like Bitcoin or BitTorrent can be regulated, but not stopped.
Not fully, but making transacting in Bitcoin outright illegal would probably go a long way to making it completely unattractive to 99% of all potential users.
And if Apple and Google were forced to remove all wallets from their app stores, it would largely be game over.
Transacting in Bitcoin is already unattractive to 99%+ of potential users.
In addition, simply taking out the on/off ramps, such as Coinbase, would destroy the utility of cryptocurrency as well, since the grand majority of folks dealing in the stuff are only interested in flipping it for more cash money on the other end by finding the next sucker in the chain.
Very few people actually care about the principles of Bitcoin and the like. Maybe the core devs and some very early adopters?
I think a large part of the success of Bitcoin can be explained by the combination: It allows people to say (and even believe!) that they're in it for the ideology, while the real motivation is primarily that of capital gains.
Whether it's useful to the current "grand majority" or not / holds the value it does today is orthogonal to whether the technology can be stopped and whether it still provides value to those who continue to use it.
I did worry this example would be too political, hence including the BitTorrent example as well.
Much like how PGP was disseminated by Phil Zimmermann, and then the government decided to come down on him like the plague in the early 90s. What the US government didn't know was that it was too late and such technology was out in the zeitgeist. Bitcoin is in a similar situation.
The actual software and code? Good luck getting that genie back in the bottle now. But, you can certainly hamstring it in other ways, and frankly, that should be good enough. I say this as someone who is absolutely not a fan of the project and find the perverse incentives in PoW especially to be pure garbage, but I am also a realist.
When you have folks like Peter Zeihan declaring that Bitcoin *will* go to zero - that is, I think, the epitome of hubris. We don't know what will happen next, and with our current administration, I'm only seeing Bitcoin become more influential in the interim, much to my chagrin.
I think we're in agreement.
> The actual software and code? Good luck getting that genie back in the bottle now. But, you can certainly hamstring it in other ways, and frankly, that should be good enough.
This is my point - the technology is out of the bottle. You can't stop it. You can disincentivize its use in all sorts of social and legal manners, but to go all the way back to my original comment: you can stop Apple (Coinbase) from operating, you can penalize individuals for using encryption (or cryptocurrency in this case), but encryption (and blockchain) still exists and can be self-hosted, and individuals can continue to utilize those tools.
Again, look at torrents. Its primary use case is illegal. What.CD, Oink, even TPB (at various points) have all been taken down. Yet torrenting still enjoys widespread use across the globe.
I'm not a fan of cryptocurrency either, but I do want to note that "hamstringing" it at this point will likely have many negative downstream effects on the overall economy.
>I'm not a fan of cryptocurrency either, but I do want to note that "hamstringing" it at this point will likely have many negative downstream effects on the overall economy.
This part does terrify me. Too many hedge funds and more common investment vehicles have gotten exposure to this. If there ever is a huge rugpull, regular folks will get nailed. Sad times.
The antidote to XKCD 538 can be steganography. They won't beat you with a $5 wrench if they don't suspect you of doing anything at all. End-to-end encryption can become illegal, but as long as you can run arbitrary code on your machine, you can hide and decode messages with steganography. JavaScript can do the job, so even locked down mobile devices will work if you go to CodePen, JSFiddle, JSBin, etc.
Steganography isn't some magic shield to avoid surveillance though. If authorities are already monitoring you for some other reason, then they can burn a zero-day exploit and see anything you do on your device. And if your entire city is covered in cameras with facial recognition, well... you can have your secret messages but I don't know what kind of resistance you're going to be putting up. So to some degree you're right that you can't fully ignore policy and politics.
Not sure how to get most of the public to care though. I get most people have more immediate concerns in there lives, and crime is a legitimate issue, but even a cursory knowledge of history will show the hell life can be under authoritarian governments. I think far too many people think "it can't happen here", which seems insane considering how often it has occurred even in liberal democracies (Spain, Portugal, Germany, Italy, Argentina, Chile, and many more.) In less liberal and less stable democracies, it has happened even more times. I'm not sure why people have some unfounded faith that their government could never become authoritarian and oppressive.
I'm not saying take down every CC camera and get rid of intelligence agencies -- they are important tools for fighting crime. But there's a difference between a few traffic cameras and CC cameras in places people would presumably commit a crime, and burning targeted exploits for surveillance of truly notorious criminals, and just mass surveillance through banning end-to-end encryption. With zero-day exploits, the government is inherently limited in the surveillance they can do, so it's a limiting factor on their potential for abuse, as the more they use it, the more likely they are to be discovered and patched. But with no end-to-end encryption, the potential for abuse is limitless.
I think that this highlights exactly why we need decentralized, open source software.
Back when Moxie Marlinspike made a thoughtful critique of Web3 (the most thoughtful one I had read, actually), I put together a reply. It’s worth a read for anyone on HN who cares about user freedom and how society is structured:
https://community.intercoin.app/t/web3-moxie-signal-telegram...
A note to the younger HN crowd who may have grown up with locked-down devices: the “hacker ethos” used to mean the freedom to tinker and buuld your own. It wasn’t always the case. The Personal Computer and Apple came about through the Homebrew app. And before that, Steve Jobs and Wozniak were even building blue boxes for “phreakers”:
https://www.youtube.com/watch?v=HFURM8O-oYI
Before he became a corporate golden boy, Mark Zuckerberg built Synapse for regular users and open sourced it instead of selling it to Microsoft and wanted to build Wirehog, but Sean Parker proudly said he and Peter Thiel “put a bullet in that thing”
https://techcrunch.com/2010/05/26/wirehog/
I don’t want to just be the “wake up sheeple” guy or some unkempt Stallman clone. But there is a real culture clash between the hackers and the corporations, and I feel like the HN denizens who knee-jerk downvote of anything decentralized today don’t get the point of open source decentralized hacker ethos and how the people who practice it produce the next big thing. Working for FAAMGA and “the cloud” ain’t it folks. Here’s why “the cloud sucks” by Steve Wozniak: https://gizmodo.com/why-the-cloud-sucks-5932161
In short — read my rejoinder to Moxie Marlinspike, in my first link. It is ironic because all these years later, I end up being right: it is exactly his company that’s getting hit with this, exactly because it is centralized.
And if you are Moxie or Durov and think your centralized company has somewhere to run… here is the bigger picture around the world — governments are coming for you and the war on user freedom is coming through you: https://community.qbix.com/t/the-global-war-on-end-to-end-en...
This principle seems out of touch with most people’s reality: products hardly ever do everything you want and often work against you. If someone has a device that doesn’t do what they want and there’s no setting to change its behavior, replacing it is usually the only practical option. (Or if it’s a problem with an app, they might be able to install a different app.)
If there is a free software license, it’s of no direct use to them. Only software developers care about such things. (There is an indirect effect on what software is available.)
Yes, because we largely don't have Free Software.
> If there is a free software license, it’s of no direct use to them.
It's of indirect use; they could use a modified version of the software that does what they want, created by someone else. This is why you generally don't see user-hostile features in Free Software; someone would just fork the project and edit them out.
The problem is that some forks are malware [1], so switching to a fork by developers you don't know is risky. How do non-technical users learn which software developers to trust?
[1] https://www.securityweek.com/malware-delivered-via-malicious...
Worst-case, they could hire someone they trust to review the source code.
More realistically, you generally don't have to switch to a fork in the first place because the mere threat of a fork is enough to prevent the deployment of user-hostile features. And when a project does get forked it's often a highly publicized affair with a lot of community drama which produces no shortage of information about who's trustworthy and who's not.
This is only somewhat true for the software most popular with technical users - the sort of thing the average Hacker News reader might be familiar with.
There is a long tail of malware in app stores, despite the efforts of app vendors to police such things. Nobody would be bothering to fork them because most technical users don't care about them, but they still attract lots of victims.
Example: malicious Chrome extensions. Authors of Chrome extensions receive enticing offers to sell and sometimes they do.
Yes, malware does exist in app stores. I don't really see how that's related to Free Software though?
When I say user-hostile features I'm not talking about malware. Yes, I suppose theoretically you could fork a Free Software malware app and make it not-malware, but that's not what I'm talking about here. I'm talking about things like Samsung putting ads on your TV home screen[1], or BMW charging a monthly subscription to access your car's seat heaters[2], or Sweden trying to install a backdoor in Signal. With Free Software, users get the final say on whether those features are installed on their devices or not.
[1]: https://www.reddit.com/r/samsung/comments/184a1j6/why_do_i_h...
[2]: https://www.bbc.com/news/technology-62142208
If malware isn’t user-hostile, I don’t know what is? It works both ways. A fork can fix something that’s user-hostile, but it can also introduce malware into an otherwise useful app that didn’t already have it, and many users won’t know which one to install. There’s no guarantee that any security researcher is watching. In practice we rely largely on reputation, and sometimes that’s the blind leading the blind.
Users don’t get final say in what their devices do unless a software developer is willing and able to help them. Most are actually pretty helpless on their own.
Yes, forks can do anything. That's the point: to make it possible to create software that behaves the way the user wants and not just the way it was originally programed.
There are lots of ways to figure out what version to install; which is a lot better than having literally no choice because there's only one option available: the one with homescreen ads/government backdoors/seat heater subscriptions.
Will some users make the wrong choice? Yes. Is that a valid justification for treating everyone like children unable to make decisions for themsleves? Absolutely not. Just as there are other ways to prevent real-world crime than by locking everyone in concentration camps, there are other ways to prevent cybercrime than by locking everyone in an inescapable walled garden.
I can speak for german law: If you buy something, it becomes your property, and you have full power of disposal ("Verfügungsgewalt") over it. If vendors deny you from exercising this right, they are violating their part of the purchase contract.
Rights are of limited use if there's no practical way to exercise them. Hiring a software developer to change an OS or an app is rarely a practical option for most consumers.
Correct. It's not practical because those apps usually aren't Free Software and because the hardware or firmware they're running on often aren't Free and include anti-features that prevent you from installing Free alternatives.
If they were Free, users wouldn't necessarily even need to hire a developer to change their app or OS; those changes would most likely already exist in some form somewhere and the user could simply purchase the modified version.
You can install Linuxor a custom ROM. And if the manufacturer has DRM like SecureBoot in place to prohibit that, you can file for damages and basically get the device for free.
OP is not out of touch, OP is literally saying that this is happening and that it is a bad thing.
Unfortunately, the philosophy of Free Software does not account for the scale at which software is being run now.
Having the source code to a printer driver available is a completely different thing than being dependent on a platform, because all your friends and relations are using it.
Personally, I'd only trust a governmental agency to provide such services, which makes the article we're discussing ironic at the least, or complicated.
> Personally, I'd only trust a governmental agency to provide such services,
I can't see why you'd say that.
Governments (and private corporations) are not operated to faithfully serve the public, certainly not the public as a set of individuals and small groups of people. It's not that "government services are bad", but rather, than governments, even democratically-elected ones, are practically certain to wiggle out of the straightjacket of strict protection of individual needs and interests for legitimate or illegitimate "greater good"; specifically, they will not resist the desire and the interest to spy on you. And the potential for government abuse of private information is quite high.
Bakunin put it best:
"There is only one essential difference between a monarchy and even the most democratic republic—in the former, bureaucrats oppress and plunder the people in the name of the monarch; in the latter, they do it in the name of the people's will." - Statism and Anarchy
The core problem isn’t the form of government, but the concentration of power itself.
A government run social anything would be the most milquetoast experience, wouldn't it?
I suppose if I needed to make sure there was a public immutable record of something it would be useful. Like "I made this thing no later than this post"
But who would use it?
"Personally, I'd only trust a governmental agency to provide such services" I understand where you're coming from, "the ultimate goal of a company is to profit and so we can not trust it to protect their users/consumers interests instead of their own" but... you know that it is always the government that will put you in prison, or send you to war right? That it is a blob of power, controlled by people right? This goverment = good that you see people believing these days is such a childish view of reality.
> This government = good that you see people believing these days is such > a childish view of reality.
There are plenty of immature ideas about running human affairs going around. History has shown that a social contract obtained by popular assent is the only viable choice, unless you relish war, insurrection, terrorism, and social collapse [0].
Government is good almost by definition because we grant its existence on that basis of benevolence. Indeed one should be ready to defend good government and lay down ones life to make it good, including overthrowing existing bad government.
This was well established 80 years ago and we seem to have forgotten.
I know there are some around here agitating for tyranny and dictatorship. That in my opinion is the "childish view", a result of too much screen-time and a lack of life experience.
Would you be willing to fight for good government? [1]
[0] https://en.wikipedia.org/wiki/Social_contract
[1] https://cybershow.uk/blog/posts/soe/
you know that it is always the government that will put you in prison, or send you to war
You're merely playing word games here. A person keeping another human being against their will is called slavery or abduction instead of prison. Similarly, it's only called war when it's a government doing it, otherwise it's called activism, terrorism, or gang warfare (note the overload of the term).
The main difference between a corporation and a real democratic government is that a government is accountable to all its citizens, instead of its shareholders. I understand that this is a difficult concept to grasp for US citizens, but the rest of us living in actual European democracies don't deserve your childish derision. No system is perfect, but don't make the mistake of thinking that the US government is the best (or even a good) example of democracy out there.
Why do you presupose I am a US citizen?
Because you're repeating the typical US defeatist trope that government is other people. That attitude is how democracy dies. FSM help us all.
I'm brazilian. My complete and utter disdain for any trust whatsoever put on goverment (i.e. government officials, i.e. people) comes from hard earned experience. I would rather leave my life in the hands of an "evil" corporation than any bureaucrat.
It seems you have already accepted your subjugation. So it shall be, then.
So much this! The internet does not have to be a monolith controlled by the mega-corp/govt flavor-of-the-month. It originally was (and still can be) a network of smaller federated ecosystems controlled by individuals or smaller groups.
Government and charity can be corrupted (and usually are, to at least a small degree). Private industry is corrupt bt default: to the extent possible, it will intentionally serve owners at the expense of other stakeholders.
This is not a knock against private industry in general. Capitalism's greatest strength is precisely that it harnesses corruption toward productive ends through private industry.
Nonetheless, it's unsurprising that people would take a chance at less-corrupt versions of key infrastructure. My preference would be to do this through charity, which worked pretty well for e.g. Mozilla for a while - but I wouldn't call other directions naive.
There are a lot of pragmatic pro-government people here, holding tightly to the "51% > 49%" core principle of democracy, which sadly turns into a mess at the scale of humanity, just like any other model we've invented so far. There isn't a real alternative for us collectively now but to submit to power – so any even slightly anarchistic views are not welcome here most of the time...
The solution to this conundrum is to decentralise these services, i.e. run your own XMPP server for your family and friends. Keep your own data where you can 'see' it, on 'the server under the stairs' with some distributed backups to 'devices under different stairs'.
This is no pie-in-the-sky statement, I've been running such a server for years and have installed several for others. System requirements and maintenance are minimal - you can run Prosody on a Raspberry Pi 1B if needed. Availability and reliability are high, it basically works as long as network connectivity and storage are available. The user experience largely depends on the client applications where Conversations on Android is probably the gold standard and in many ways comparable to Whatsapp.
When using OMEMO the server admin does not have access to cleartext communications so assuming clients are configured correctly there is not much to be gained from raiding the server. If some government entity wants to snoop on communications they'd have to gain access to at least one of the client devices since encryption is handled locally. Instead of backdooring centralised services run by Whatsapp or Signal or Telegram they'd have to get to a multitude of servers-under-stairs and client devices which makes it infeasible to use the 'dragnet approach' which is most likely the intended outcome of these backdoor laws.
Some decades ago at I heard Jello Biafra repeat his statement not to criticise the media but to become the media. This has happened, the (current incarnation of) legacy media is running on its last legs and has been overtaken by 'new' media. Here's a corollary to this statement:
Don't criticise the service providers, become the service provider
Use the internet as it was meant to be, a network of networks. Lots of networks, each running their own services with 'secure' communications between those services. I put secure in quotes because there might be a chance for some TLA or other organisation to break the encryption on one of those communication links. Even if they managed to do so they'd gain access to only a small fraction of the communications going on around the 'net.
But advocating for distributed communications only aids and abets criminals, won't you think of the children?
When guns are outlawed, only outlaws have guns. Criminals already use these services (and some of them have been broken/backdoored) so this is nothing new to them.
But you can't expect grandma to run her own server
No, I don't expect her to do so, she can use yours instead.
But but but but
You're starting to sound like a chicken.
Running this stuff is not hard. If you know how to do it, do so and help others to get started. While you're at it you can help them to secure their networks against intrusion by their service providers as well by making sure the ISP connection terminates at a router managed by the device owner, not the ISP. There is no reason to give the ISP access to your LAN since that only creates an incentive for those government entities to force the ISP to give them access to customer networks. The ISP should be used as IAP - internet access provider - and only be allowed to see whatever traffic you allow out of your network, not what goes on inside of it. That, though, is something for another post, another time.
I've been running services like this for decades, this works, it is not difficult and does not take that much time. It has only gotten easier over time, hardware has gotten cheaper and smaller, power use has gone down, performance has radically improved. This is not a pipe dream, it has been first my, then our reality for more than 30 years.
Don't criticise the service providers, become the service provider
[dead]
[flagged]
> If the purpose is to stop the gang violence, why not remove the gangs from the country?
Because the stated purpose is only the sales pitch. The full list of uses will never be stated publicly, unless someone like Snowden leaks it at great personal peril.
That's a huge challenge isn't it? Unless you do it like in El Salvador.
How would that be?
[flagged]
> Or do they want us to believe 3-letter U.S. agencies don't have access to Signal right now? Is this some publicity stunt?
[Citation needed]
I believe the citation falls under "street smarts" as the WikiLeaks press release mentioned Signal explicitly. Whether this was a subtle outing the origin of the tool itself is left as an exercise for the reader.
Regardless, the threat vector is accessing the data before encryption anyway. And drawing attention to yourself by running certain apps and services in the first place.
There's a lot of mathematicians in maryland and those who studied the history often land on "if they want you, they got you."
I'm on the same page with you, mathematicians and the math itself. I'm not a complete stranger to whats and hows of the craft either.
I honestly wanted a source to investigate the claim further, not to stab the commenter.
OTOH, you have given a couple of leads, which I can follow deeper. Thanks!
You have to think from time to time.
If there are even NDAs that forbid mentioning their existence - how would you cite them?
And here we're talking about 3-letter agencies in U.S.
Of course they have the access and of course you can't ever prove it. One could even argue that Julian Assange didn't leak anything and it's all lies and he can't prove it, lol.
[dead]
The US does not have a law requiring all messaging applications to store historical messages and provide access for law enforcement to decrypt and view all messages.
The US may (or may not) be capable of decrypting Signal messages themselves -- but that is a different issue. The US does not (currently... it HAS been discussed previously) ban the use of any particular encryption techniques because US agencies are incapable of breaking those techniques. And there ARE techniques that US agencies are incapable of decrypting.
The law? Not even US president cares about the law, then why would 3 letter agencies do?
There is no evidence or reason to believe that US intelligence agencies can access signal messages when used properly.
It would be much simpler for them to compromise the phones of targets vs break the signal protocol. This is generally true of secure communication systems, the flaws tend to be in usage and endpoint security, not in the protocol implementation.
Right. I have zero illusions about the presence of many critical security vulnerabilities in my smartphone. Just look at how many are fixed each month.
However, i have also reason to believe that the cryptography of my encrypted messaging app Signal is sound and there's no backdoor.
Indeed. One of the most important properties of a cryptosystem is its resistance to ordinary human screw-ups. And that's before you get to intentional co-operation.
[flagged]