Before I say anything else, I should mention that this is nothing ground-breaking, neither is it terribly difficult to implement. This is simply how I envision a simple solution.
Basically, the EU and the UK want the secret keys to your encrypted media/messages. Which essentially breaks encryption completely, ending E2EE usage.
The alternative is, then, for the user to utilise their own form of E2EE. How though? The answer, in my opinion, is personal exchange of keys utilising asymmetrical encryption. Exchanging public keys in plaintext is fine as long as they don’t have your private key. Which means unencrypted services like SMS could also be secured using this method (for example, have the public key of a user in their profile). I believe QKSMS employed encryption for SMSes for as long as it lasted, but no idea about the kind of encryption).
Technically, if everyone started to use p2p messengers with asymmetrical encryption, the EU would have very little they could do without compromising every mobile in the region and preventing people from downloading APKs somehow (sorry iOS users but you’re never going to have privacy anyway).
However, this is only possible with a FOSS project, because a company would have to fork over the keys anyway to stay alive. A FOSS project can simply be forked once the OG maintainer stops working on it due to government pressure. That is where the problem comes, since FOSS projects can’t really run their own servers to store media, making p2p the only viable option. But with some people behind CG-NAT, that becomes harder for non-technical users.
I don’t have a way to solve this other than the general population becoming tech-savvy enough to give a damn.
Tl:dr; FOSS projects are best suited for implementing personal E2EE between users, but that makes p2p the only viable option without a back-end, which makes it difficult for people behind CG-NAT.
Cheers
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
- Don’t promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
- 0 users online
- 57 users / day
- 383 users / week
- 1.5K users / month
- 5.7K users / 6 months
- 1 subscriber
- 2.42K Posts
- 56.9K Comments
- Modlog
EU is forcing apple to allow sideloading. not sure when the deadline was, i think next year?
Wow, that’s amazing!
The government can join any P2P network and collect IP addresses to start arresting people with. You would need some kind of anonymisation layer at the very least, something like Tor or Veilid. Or they could just collect a liet of IP addresses when they try to access the bootstrapping servers for peer discovery systems.
Unfortunately, those can be banned just like E2EE can be banned.
Your solution to “what if they make encryption illegal” seems to be “we do it anyway, they can’t arrest us all”. If your fancy pants app can get you arrested and labeled a terrorist paedophile, most people will shy away from you.
It’s trivial to detect encrypted contents over plaintext channels (basic entropy calculations should be enough) so E2EE over SMS or RCS will easily flag you as a “baddy” the moment the government looks into your texts.
There is no solution to a ban that doesn’t involve lifting the ban, overthrowing the government, or hiding from the law. That’s why these bans are such bad news.
You are right. I didn’t think about it like so before. I could point at I2P and TOR but I don’t think that’s foolproof either, neither do I know enough to be able to comment. Is there no way out?
Vote, contact your representatives, supoort lawsuits. The problem is a legal and political one, so there is no technical solution that doesn’t put yourself at risk of imprisonment or fines or what have you.
It’s possible to find holes in the wording of anti encryption law but that will only work until someone fails to get convicted and politicians fix their law.
A interesting thing to note is that encryption that can’t be broken was actually considered military technology, or at least dual use technology, that can’t be spread or used willy-nilly. The general public has had access to good encryption for about 25 years or so (depending on the country you live in) and policitians have tried to ban it ever since.
So far, this has failed, and several EU countries have put out statements against banning the practice in its entirety, so the hard work of the EFF and all similar organisations has not been for nothing. In fact, the EU has come out in favour of secure encryption for its citizens.
Despite the shitty politicians’ best attempts, we still have privacy, and as long as we keep voting for sensible people, we will keep it so.
Wait, if the EU is in favour of secure encryption, then who is opposing it in the EU? I haven’t heard of encryption being broken in America
The EU is made up of many countries. Some are firmly against banning E2EE, others are in favour. Based on this list by one of Chat Control’s most influential opposers, the following countries are in favour of banning real E2EE:
I would be wary of any of those countries’ governments and the laws they propose within their national jurisdiction.
Thr UK’s attempt to ban E2EE messaging has been weakened under pressure. It still requires scanning for CSAM before transmitting messages, but it’s not as bad as it could’ve been.
It was getting dangerously close to passing, though, and like the scary American internet laws from a few years back, I’m sure there will be renewed attempts to ban E2EE in a few years after the next big pedo/terrorist scandal. These proposed laws come in waves, and with the news saturated about this stuff, sometimes one makes it through.
Thanks for the list. I live in the US but I’ll keep this in mind
Basically P2P. The government can’t do shit about them.
This is the government we’re talking about. Wiretapping is done every day of the week, and detecting encrypted communications is trivial. If you’re using something packaged into an easy to use app things will probably become even easier because the app you use is irrelevant when you don’t do the opsec required to safely send messages on adversarial networks.
An E2EE ban can just as easily be followed by a Tor ban, or a foreign VPN ban. Volunteer run mesh networks that exist outside of the internet are harder to detect, but they too can be banned. P2P will make it harder for the government to catch everyone, but people will still get arrested for breaking the law.
Hell, the government could just not enforce the law, let everyone except for a few token cases use secure messengers, and then arrest anyone they don’t like for their illegal behavior.
There’s just no good solution for E2EE bans.
And then we move to steganography with cat pictures
The government being an abusive piece of shit isn’t a good enough reason to stop trying to protect yourself
Well, then you just get the hell out of that country.
If that’s an easy option, E2EE bans aren’t really a problem that needs solving either.
I doubt that the majority would want to leave their country just for e2e though.
Totally agree with you; a p2p network is resilient and unstoppable. Every user acts as a node within the p2p network, and as long as people are actively online, it can survive. This means it cannot be banned by any country or government.
Plus, since a P2P network is a decentralized network, there is no central server to store user data such as chat histories or contact lists**. From a data privacy perspective, nothing can compare with a p2p network.
I know people are quite familiar with Signal and Whatsapp due to their E2EE services. However, they are managed by tech companies and utilize a centralized network (central server = another computer). All your chat histories and data are kept in their giant computer/server. Even though it is encrypted, who in the world knows if they have memorized your private key (I think they do, by the way, because governments need these things to monitor suspicious activities or potential criminal incidents).
So, start using applications that operate on a decentralized P2P network; it is the safest way to safeguard your privacy rights.
Have you heard of this one? They said it’s a secure messenger based on P2P network, also with end-to-end encryption technology.
Why are you promoting WireMin
… why post a png?
Link to the service
Sounds like what you’re looking for is PGP/GPG. Been around for a while, but does the job well.
Also, I doubt most projects built outside of the UK (or Europe as the EU seems to be moving in a similar direction) will actually comply and backdoor their own software. As long as you have internet they’ll always be actually secure software to download.
Well, yes, GnuPG is certainly an option. I don’t care how it’s implemented though, but I do care about the fact that clients/client apps take encryption into their own hands instead of relying on middleware.
Clients taking it into their own hands reminds me of delta chat. Basically the same thing but the client handles encryption and uses a generic email server as the chat server.
But any good client will handle encryption themselves (heck even “bad” clients will do that). As long as they’re not UK based and don’t neuter the clients for their UK users they’ll still retain proper encryption completely client side (outside of public key infrastructure which is a whole different topic).
From what I understand of PKI and the way the Internet is right now, trust in identity would be very hard to build if clients engage in PKI.
But taking encryption into one’s hands basically brings back control into one’s hands. You do not specifically need an encrypted connection in such a case, just a tamper-proof connection.
Longest shower though I’ve seen for a while. While you seem somewhat clueless in what you talk about you manage to fit in many cool words. That’s a plus.
I highly doubt that it’ll ever happen, but if, I’ll just host my own matrix server and I’m good to go.
It’s not exactly hard to find Matrix servers on the internet, if the government actuslly cared they could just arrest you for running the server. They could even go back to this comment and use it as proof that you host the illegal server to circumvent the law.
And of course this sort of thing happens every day in authoritarian countries.
This is not a technical problem at all, it’s a political and cultural one.
Why not just use an existing one? It requires a good bit of skill in server administration and security in order to run a matrix server, and I’m not sure what the benefit trade off is.
*In case the EU manages to force all providers to backdoor the services
I don’t think that’ll happen anyway. But you are right, the server doesn’t matter too much in the csse of e2e. The client is more important.
Whatever works really. I don’t care which app/system does it as long as the government doesn’t have private key
Sounds a lot like your proposed solution to tools getting banned is… Using different tools. Why not just stick to the original set of tools (Signal, SimpleX, and/or whatever people use to struggle through encrypting email)?
We need to use some tool. If the government doesn’t have your private key, they can’t decrypt your messages. I don’t care how that is implemented, but companies like Signal will either fight to the death or bow out