Monthly Archives: May 2022

Article note: This is a small but unfortunate price bump. Not enough to make me want to move things, but unfortunate.

Article note: The implementation is ...frightening... (it's using regex rewrite rules on something that isn't a regular language), but sqlite should really be the default back-end for most web stuff, it's wildly simpler to deal with and scales further than most users need.

Article note: Holy shit. It's not the whole stack (eg. they're still using their own closed source GL/CL/Vulcan/etc. implementation in libraries), and only supports the newer models, but it's a huge and unexpected improvement.

Article note: We've been fighting this dumb bullshit for 30 fucking years now, can the authoritarians and pearl-clutchers please fuck off already? We're gonna have to have another PZ/PGP situation where someone builds a free distributed mechanism that allows individuals to bypass the bullshit, until it becomes clear what a bad idea it is.

Enlarge (credit: Getty Images | Yuichiro Chino)

A European Commission proposal could force tech companies to scan private messages for child sexual abuse material (CSAM) and evidence of grooming, even when those messages are supposed to be protected by end-to-end encryption.

Online services that receive "detection orders" under the pending European Union legislation would have "obligations concerning the detection, reporting, removal and blocking of known and new child sexual abuse material, as well as solicitation of children, regardless of the technology used in the online exchanges," the proposal says. The plan calls end-to-end encryption an important security tool but essentially orders companies to break that end-to-end encryption by whatever technological means necessary:

In order to ensure the effectiveness of those measures, allow for tailored solutions, remain technologically neutral, and avoid circumvention of the detection obligations, those measures should be taken regardless of the technologies used by the providers concerned in connection to the provision of their services. Therefore, this Regulation leaves to the provider concerned the choice of the technologies to be operated to comply effectively with detection orders and should not be understood as incentivising or disincentivising the use of any given technology, provided that the technologies and accompanying measures meet the requirements of this Regulation.

That includes the use of end-to-end encryption technology, which is an important tool to guarantee the security and confidentiality of the communications of users, including those of children. When executing the detection order, providers should take all available safeguard measures to ensure that the technologies employed by them cannot be used by them or their employees for purposes other than compliance with this Regulation, nor by third parties, and thus to avoid undermining the security and confidentiality of the communications of users.

A questions-and-answers document describing the plan emphasizes the importance of scanning end-to-end encrypted messages. "NCMEC [National Center for Missing and Exploited Children] estimates that more than half of its CyberTipline reports will vanish with end-to-end encryption, leaving abuse undetected, unless providers take measures to protect children and their privacy also on end-to-end encrypted services," it says.

Article note: I mean, he's a giant piece of shit and targeting Disney specifically (...for reasons other than their role in the ridiculous expansion of copyright) is inappropriate but... I'd be all for going back to 28+28 copyright.

Article note: This is ...exactly the opposite... of what I want out of an auth system. I don't want to delegate auth to a phone, I trust my computers WAY more than my appliances. I don't want to delegate my trust to google or apple as the only players who support the system, and especially not doing "log in with google" so I can get locked out of unrelated accounts if they get in a "your account is deactivated because fuck you" mood or I need to kill an account. Auth is pretty well a solved problem; you use a password manager with a well-documented on-disc format, and you sync your password DB to whichever devices you want to log in from. You don't share credentials to the greatest degree possible so problems with one place don't turn into problems with others. The largest threat to most users isn't their account getting hacked, it's one of the many places they have an account getting hacked or turning malicious.

Article note: Fine is less than profit from the behavior, without even getting in to externalizatities like their ongoing effort to keep the tax code incomprehensible, this is is a cost of doing business, not an effective deterrent.

Article note: It's a problem _everywhere_ (hello academic prestige games!), but the rumor has long been is that google is the worst. It really is an ugly problem, almost _any_ incentive structure eventually turns into a perverse game.