The EU proposal to scan all your WhatsApp chats is back on the agenda (www.techradar.com)
from schizoidman@lemm.ee to technology@lemmy.world on 05 Dec 23:42
https://lemm.ee/post/49104338

cross-posted from: lemmy.world/post/22814154

#technology


Jackthelad@lemmy.world on 05 Dec 23:55

Is this a Brexit benefit?

UnderpantsWeevil@lemmy.world on 06 Dec 00:13

Not when the UK is already a member of Five Eyes.

Jackthelad@lemmy.world on 06 Dec 00:14

Isn’t that a burger restaurant?

UnderpantsWeevil@lemmy.world on 06 Dec 00:16

Not quite

en.wikipedia.org/wiki/Five_Eyes

An Anglosphere intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States. These countries are party to the multilateral UK-USA Agreement, a treaty for joint cooperation in signals intelligence.

ComradeMiao@lemmy.world on 06 Dec 00:19

Woosh

Morphit@feddit.uk on 06 Dec 01:20

Yeah, they’re a burgers & spies joint.

jagged_circle@feddit.nl on 06 Dec 14:09

Even the US lets us use encrypted messaging apps

UnderpantsWeevil@lemmy.world on 06 Dec 15:01

The PRISM leak demonstrated how much that’s worth

jagged_circle@feddit.nl on 06 Dec 15:08

Yes. Specifically the top secret slide that listed Signal and Tor as being “disastrous” to their dragnet surveillance systems

UnderpantsWeevil@lemmy.world on 06 Dec 15:30

And I’m sure in the intervening ten years they haven’t done anything about that

blog.dijit.sh/i-don-t-trust-signal/

Signal is not open source

Why would I say something so provably untrue? “Of course signal is open source, it’s on f-droid! (it’s not, actually); there are even sources on github!” … I can already hear it coming.

How is it then dear reader, that they developed MobileCoin integrations for over a year without anyone knowing?

That would be because, they stopped updating sources. We can be reasonably sure that private & unpublished code was in production, otherwise they left some security vulnerabilities unpatched for a long time. This throws into question the entire nature of what they consider “open source” to mean, they are clearly comfortable deploying non-public software.

It’s also vanishingly small amounts of people who will use the from-FOSS versions of the client, nearly everyone will be downloading it from Google Play or Apple’s App Store; and they have a long way to go when it comes to verified builds which seems to work when you google it and there’s a page; but in reality if you read the page you’d realise is not possible.

Which gives a false appearance in my opinion, and that is a large part of my issue honestly; that there is a surface level of “everything is by the book” but underlying it all is: nothing, really. Signal doesn’t give you any option to verify their claims

If I were in a situation to be signal, if there was a competing implementation that I could point my clients to (similar to how headscale is an implementation of tailscale’s control server); I’d certainly be a lot more comfortable, since then I could be in a situation where I can see all traffic to my server and jail/inspect all traffic coming from the binary distributed Signal client; thus it would allow for independent verification of the binary distributions delivered via Play or the iOS App Store.

As it stands the whole thing is built on trust and people believe that someone else will do the hard part of reverse engineering every version.

Which I don’t have to tell you is significantly more effort, requires much more advanced skills and might not even yield results even if there were concerning items yet to be discovered.

“Moxie says you can run your own server though!”; I’d like to see where I can change the endpoint in the signal app that’s distributed via Play or App Store; my claim is purely that I can’t verify those and that few enough people run the custom compiled versions to be meaningful. If I was to be smart and want to hide a back door I’d only need one side of every conversation. – please note though, I’m not saying they do this, I’m just saying that they could do this and the only thing that says they don’t is “trust me”.

laurelraven@lemmy.zip on 06 Dec 18:11

That sounds pretty bad, but 1) the article is 3 and a half years old (not that big of a deal really, but an update on the current status would be useful at this point), and 2) I see plenty of commits to all five of their public-facing repos.

I’m not saying they’re wrong…I’m not going to presume to understand it better than them… But I’m not seeing how that translates to them hiding things from public view, or if they were that they’re still doing so. If you’re aware of something I’m missing there, I’m very much interested in hearing about it.

But yes, trust should not be implicit, it should be verified.

ambitiousslab@lemmy.ml on 06 Dec 00:37

To answer seriously: unfortunately, the UK is one step ahead with the Online Safety Act. They’ve already given Ofcom the power to enforce client-side scanning. Ofcom themselves are deciding whether they want to use this power yet and this should happen sometime next year.

EngineerGaming@feddit.nl on 07 Dec 11:11

I wonder how in the world Ofcom could enforce that?

ambitiousslab@lemmy.ml on 08 Dec 20:14

I think (and hope!) it would likely only get applied to the biggest services, and would be enforced by removal from the app stores.

Then, the logical next step for the government when this doesn’t work would be to allow this requirement at the OS level.

EngineerGaming@feddit.nl on 08 Dec 21:34

That would only really work on mobile, though - and that’s assuming the OS isn’t custom.

Talaraine@fedia.io on 06 Dec 00:20

Literally on the heels of the revelation that China is spying on all chats and phone calls, these clowns still think back doors are safe in any way.

I swear, humanity is simply failing the IQ test here.

IDKWhatUsernametoPutHereLolol@lemmy.dbzer0.com on 06 Dec 00:31

Google “TSA-Approved Locks”

This is the same stupid thing, but digital.

IDKWhatUsernametoPutHereLolol@lemmy.dbzer0.com on 06 Dec 00:29

If y’all wanna know why is this stupid

Take a look at the so-called “TSA-Approved Locks”

The locks that let TSA have a “special key” to unlock your bags to search them without cutting them open.

The same “special key” is available to buy on amazon.

🤣

It’s even worse than no locks, since someone could plant drugs in your bag using the “special key”, and since there’s no evidence of tampering, and the bag is also locked, the blame falls on you.

sugar_in_your_tea@sh.itjust.works on 06 Dec 01:07

Do I seriously need to put always on cameras in my luggage?

IDKWhatUsernametoPutHereLolol@lemmy.dbzer0.com on 06 Dec 01:12

I mean, that’s why you don’t use TSA locks. Use a normal lock, and when it gets broken, now you have plausible deniability.

Adincar@discuss.tchncs.de on 06 Dec 05:50

I believe DeviantOllam recommends putting a gun in your bag (from memory a starter gun counts as a gun to TSA but doesn’t have the whole licence restrictions of an actual firearm). Because you have a gun you are allowed to lock it with an actual padlock and the TSA can’t just go through your stuff. If you put a padlock on otherwise they’ll just cut it off and you’re back to square one.

cmnybo@discuss.tchncs.de on 06 Dec 01:46

I just use a zip tie. It keeps the bag shut and it’s obvious if they open it. Of course they could potentially replace it with an identical zip tie. You can get security seals that are serial numbered if you want to protect against that.

sugar_in_your_tea@sh.itjust.works on 06 Dec 02:09

Good idea. And you could easily add a mark (maybe green permanent marker?) and they’re most likely not going to replicate it. Prep a few and carry the zip ties in your personal item or something.

That said, zip ties seem kind of annoying since you’ll need to cut them at the destination, without being able to bring a knife with you.

cmnybo@discuss.tchncs.de on 06 Dec 02:24

I put a cheap pair of wire cutters in the front pocket of the suitcase to cut the zip tie off with.

ayyy@sh.itjust.works on 06 Dec 06:46

You can undo and reuse a zip tie by just lifting up the flap with a small object.

kambusha@sh.itjust.works on 06 Dec 04:27

If your bag has an exposed zipper, then a malicious actor doesn’t need to pick your lock, they can just get through the zipper with a pen usually, and they can still zip it up after.

www.youtube.com/watch?v=wpIJVWXsBBI

sugar_in_your_tea@sh.itjust.works on 06 Dec 05:05

I guess it could be better to not lock it at all and use some other form of tamper detection?

Or I guess I could just travel with a pelican case so they have to defeat the lock to get in.

ayyy@sh.itjust.works on 06 Dec 06:45

Be sure to put a flare gun in it. Then you’re actually allowed/required to lock it.

IDKWhatUsernametoPutHereLolol@lemmy.dbzer0.com on 06 Dec 06:37

That kinda leaves evidence tho.

Like they can probably steal shit, but not plant drugs and frame you for it.

uranibaba@lemmy.world on 06 Dec 08:32

It’s in the video how he closes it again to remove the evidence. youtu.be/wpIJVWXsBBI?t=93

IDKWhatUsernametoPutHereLolol@lemmy.dbzer0.com on 06 Dec 08:40

Oh I didn’t watch the video at first and I was thinking of the ones where the locking mechanism is stationary and attached to the suitcase, not a separate lock that you use.

Those stationary ones, you cannot rezip.

uranibaba@lemmy.world on 06 Dec 18:12

Yeah, okay. That makes sense. It would be difficult to hide the intrusion if you can’t move the zippers.

0x0@programming.dev on 06 Dec 09:22

Ink bombs like some ATMs have.

sugar_in_your_tea@sh.itjust.works on 06 Dec 12:59

I’m sure the TSA would love that…

wurstgulasch3000@lemmy.world on 06 Dec 01:36

Oh no you don’t understand, with this legislation bad actors and foreign intelligence would not be allowed to use these back doors. So they can’t do it because it’s illegal. That’s why it’s 100% safe. I mean don’t you trust the IT competence of 60+ year old law makers?

OK I will stop now

Mr_Blott@feddit.uk on 06 Dec 05:22

Where I am, we have “Post Office approved” locks, cam locks for your post box that can be opened with your key plus a special key that the postie has, in case they have a parcel that won’t go in the slot.

Yes, you can get one of the special keys if you know where to look

No, it isn’t a problem because we’re not a bunch of fucking savages 😂

IDKWhatUsernametoPutHereLolol@lemmy.dbzer0.com on 06 Dec 06:36

Yea, a mailbox near your house all the time is not the same as a luggage that goes through MILLIONS of people in a busy airport. Only takes one scum out of a million to ruin it.

Fun fact: I never actually had a porch pirate. Well other than a neighbor’s kid being a dipshit (or maybe mistaken it to be their package, who knows), but that eventually got returned, and one time, the delivery driver kinda stole it before it ever arrived on the porch, so it was not technically porch theft. Reported that one and got refunded.

Like never a random dude (or gal) that just walked up and grabbed a package. Like never!

Valmond@lemmy.world on 06 Dec 09:05

This metaphor is so bad. You expect people on the internet to act like good neighbours?

daggermoon@lemmy.world on 06 Dec 07:34

For anyone else who’s curious about the history I actually went and looked this up. Photos of the keys were accidentally leaked on the Travel Sentry website. This made it very easy to copy. The website says “Sensitive Information – do not post, copy or disseminate”. Clearly someone elected to do the opposite.

DacoTaco@lemmy.world on 06 Dec 10:04

Even worse btw, you can 3D print the TSA master keys. I have them printed, and confirmed them working.

TSA knows about this, and they have publicly said they don’t care

reksas@sopuli.xyz on 06 Dec 11:55

wow, a lock that decreases your security

CosmoNova@lemmy.world on 06 Dec 01:04

What we need are laws to prevent this kind of court trolling because courts all over Europe are wasting time and money on these repeated proposals. Politicians should be held accountable for wasting everyone’s time.

Scrollone@feddit.it on 06 Dec 07:23

In the US somebody recently found a way to account powerful people.

daddy32@lemmy.world on 06 Dec 07:48

But it didn’t work, ended up just with bruises.

Free_Opinions@feddit.uk on 06 Dec 09:19

Yay murder.

Scrollone@feddit.it on 07 Dec 10:39

Yes, murder. That’s what his company did to many families.

rottingleaf@lemmy.world on 08 Dec 06:16

I thought a lot about fair government and such when I was 16-17.

And it came down to any such action being individual, thus having an initiator, who is the responsible person, or a group of such.

And such laws, when not passing through courts, should require a huge payment (should be tied to total GDP, I think), equally split among members of that group (so a group does not become an entity).

No person from among them can initiate anything such until having paid the previous.

It seems logical, I mean. If something IRL is being overloaded, it should just be a paid service. Same here.

Should be expensive enough so to not be an acceptable cost of doing business for a corrupt politician.

Also the cost should depend on which tier of laws this is - suppose regulation of milk products is lower tier than total fscking surveillance.

Also the court should be able to determine whether a rejected initiative is a repetition, in which case the cost will be, say, order x 12 x “last year’s GDP” x coefficient x tier.

It’s ridiculous that lawmaking is free, with the amount of value it redistributes.

iii@mander.xyz on 06 Dec 03:02

Context: en.wikipedia.org/…/Regulation_to_Prevent_and_Comb…

How your representatives in EU parliament voted: mepwatch.eu/9/vote.html?v=134463&country=fr|de

Looks like it’s mostly German representatives that block it. They remember the Stasi.

Wrufieotnak@feddit.org on 06 Dec 06:56

It was the one good thing the German liberal party FDP was good for, but they aimed to destroy the coalition from the inside (literally! they made plans and discussion meetings when the best time to destroy it would be). And now they are out and we have the SPD and the Greens left. So one party who really has a hard on for surveillance and the other one who is undecided.

kokesh@lemmy.world on 06 Dec 07:06

Here we go again. Good old child abuse.

Valmond@lemmy.world on 06 Dec 08:59
daggermoon@lemmy.world on 06 Dec 07:25

You shouldn’t be using whatsapp anyway.

Valmond@lemmy.world on 06 Dec 09:00

First they came for whatsapp. I didn’t say anything because I don’t use whatsapp.

Free_Opinions@feddit.uk on 06 Dec 09:14

And instead use what? Signal? And then chat with the zero other people who use it?

Telling Europeans to not use whatsapp is like telling people not to use the power grid. It’s more popular here than iMessages are in the US.

daggermoon@lemmy.world on 06 Dec 09:44

Why do you assume I’m American? I am, but you would have no way of knowing that. I could be Croatian for all you know.

HC4L@lemmy.world on 06 Dec 09:52

Nobody assumed that, but you still haven’t answered the question…

Free_Opinions@feddit.uk on 06 Dec 10:33

I haven’t made any assumptions about where you’re from. I’m only arguing against the blanket statement of telling everyone to stop using whatsapp.

daggermoon@lemmy.world on 06 Dec 17:38

Sorry but if you want private messaging Signal is your only option. I’m sorry you all have to deal with it but now is a good time to bully friends and family into switching to Signal.

0x0@infosec.pub on 06 Dec 10:10

I don’t know a single European that is using WhatsApp, and I’m European… I mostly encounter Asian people that use it.

woelkchen@lemmy.world on 06 Dec 11:13

Then you’re in a weird bubble. Nearly everyone uses it. I do. I hate it, I think its usability is bad, why can I only link four devices, etc.

Brumefey@sh.itjust.works on 06 Dec 12:34

WhatsApp is everywhere. Even at school it’s used for parents discussions. I have Signal but not using it since nobody has it…

Lazycog@sopuli.xyz on 06 Dec 10:17

I’m European using signal, I frequent in two countries very often (not neighbouring countries) and for the past two years I’ve noticed more and more people using signal.

Ditched whatsapp half a year ago and haven’t had problems. Some friends use both signal and whatsapp.

Not saying many in whole Europe use signal but it certainly is not only popular in US.

Edit: but not saying using signal will change anything if this bill passes. No matter what popular app we use we are going to have no privacy at all if this thing passes…

woelkchen@lemmy.world on 06 Dec 11:11

WhatsApp uses the same encryption as Signal and chat screening won’t be exclusive to WhatsApp anyway, so whatever WhatsApp will need to implement to comply, Signal will have to follow.

Lazycog@sopuli.xyz on 06 Dec 12:14

Very true. It won’t matter what pops up in the appstore after either.

jagged_circle@feddit.nl on 06 Dec 14:07

Only if they do business in the EU…

Zetta@mander.xyz on 06 Dec 14:58

Signal is open source, so no it will always be available without chat control. github.com/signalapp

woelkchen@lemmy.world on 06 Dec 20:39

Good luck setting up your own server and convincing everybody else to use that.

Signal is not federated. It relies on a central server, meaning for all intents and purposes Signal controls the entire chain.

Zetta@mander.xyz on 06 Dec 21:14

End to end encrypted, I think chat control is all about client-side scanning so the app being open source is a big deal and would prevent client-side scanning because even if they build in client-side scanning, it’s open source and people can remove it.

woelkchen@lemmy.world on 07 Dec 08:54

Just have the server link a hidden device, boom, all chats decrypted.

EngineerGaming@feddit.nl on 07 Dec 11:03

Signal is pretty control freak-y, so would not be surprised if they can somehow prohibit third-party modifications entirely. That would be out-of-character for them, though, so doubt they would actually go through with this.

Still, if that went through, I’d discount all the centralized solutions.

Petter1@lemm.ee on 06 Dec 11:35

It would concern all messaging apps, which is beyond stupid. Lol, even NATO uses the Matrix protocol.

jagged_circle@feddit.nl on 06 Dec 14:06

No, this would only affect the ones run by corporations with a presence in the EU

Petter1@lemm.ee on 06 Dec 17:24

Oh, I thought that was clear by context…

I definitely would sideload the secure versions, if I was affected, which got more easy thanks to EU, lol

jagged_circle@feddit.nl on 06 Dec 17:31

Again, no sideloading needed. You’re misunderstanding the executive.

They enforce this by freezing bank accounts and issuing fines to corporations, not by internet censorship.

So any company that doesn’t have money flowing through the EU is unaffected. And any company that does have money flowing through the EU has a choice to either pull out of the EU or to fuck over their users.

Petter1@lemm.ee on 06 Dec 17:37

I’m sure that they would ask Apple and Google to remove all messaging apps from organisations with no EU money flow?

Or do you not think so too?

jagged_circle@feddit.nl on 06 Dec 18:14

I don’t think that would be legal, no.

EngineerGaming@feddit.nl on 07 Dec 11:00

I don’t see how this would be a problem either except on Apple. Blocking the sites offering the apk/deb/exe/etc - good luck, doubt their censorship skills are that good given that they’re unlikely to want a ton of collateral damage like more authoritarian places.

randombullet@programming.dev on 06 Dec 16:52

Lots of defense uses XMPP as well

latenightnoir@lemmy.world on 06 Dec 08:41

<img alt="1000010988" src="https://lemmy.world/pictrs/image/9bd97f48-9ba2-4b85-93e5-4af58c937e9c.jpeg">

In all seriousness, the EU has become beyond frustrating in so many ways… Kudos for fighting against corporate monoliths, but… c’moon!

themurphy@lemmy.ml on 06 Dec 11:31

I don’t think you get the EU. It’s a democracy and everyone can submit proposals.

This is a proposal from pro-Russian Orban from Hungary, and not EU’s opinion.

latenightnoir@lemmy.world on 06 Dec 11:52

I see your point, although I still can’t shake the impression that the entire EU’s shifting away from its potential of being the best example. Sure, it’s down to individual people with individual views, but we’re still to see if it’s greater than the sum of its parts, to be honest…

Don’t get me wrong, I’d still rather we have the EU than not have it, but I’d wish to see a lot more reasonable and rational minds on the council and have it be felt throughout its policies.

rottingleaf@lemmy.world on 06 Dec 13:08

It’s a democracy where the European Commission (which is actually the main governing body of the EU and not EP) is comprised of people put there by bureaucracies.

I don’t think you get the EU. It’s a failed attempt at powerful democratic version of USSR, that has been retconned into a successful confederacy, only it’s not that too.

eleitl@lemm.ee on 07 Dec 14:31

The EU is cosplaying a democracy.

themurphy@lemmy.ml on 08 Dec 01:32

*USA

MonkderVierte@lemmy.ml on 06 Dec 09:01

Look, it was discussed for years already and we have a consensus; it’s technically and legally not possible without giving you the keys (metaphorically and literally) and we can’t give you the keys because that would quickly lead to you abusing the power given to you.

muntedcrocodile@lemm.ee on 06 Dec 09:22

And it’s fucking back again

sunbeam60@lemmy.one on 06 Dec 11:48

I actually don’t really understand how they would do this. Isn’t WhatsApp end to end by protocol? They’d have to share messages at the client side. What a mess.

x00z@lemmy.world on 06 Dec 12:47

They want to force WhatsApp to scan your private messages on your device.

rimjob_rainer@discuss.tchncs.de on 06 Dec 16:28

End-to-end encryption is worthless when it’s done by a company like Meta in a closed source project.

sunbeam60@lemmy.one on 06 Dec 17:24

If you own the client, you own the message, agreed.

randombullet@programming.dev on 06 Dec 16:50

End to end encrypted with keys stored on Meta’s servers.

Just kidding but I’m sure there’s a backdoor somewhere.

Teknikal@eviltoast.org on 06 Dec 15:51

I use Signal but I always kind of wanted to switch people to Threema but in reality it’s hard enough getting them to install Signal.

MaggiWuerze@feddit.org on 06 Dec 15:55

Threema really doesn’t do a good job of making it easy to switch. For the regular user there is too much that can go wrong and it’s too easy to lose your chats when migrating to a new phone