Literally making it possible to delete people from registries and locking them out of their identity makes it trivual to commit #ForcedDisappearance and illegally #deport and #denaturalize citizens into being #stateless.
@quincy@kkarhan@glynmoody I suspect the solution is to replace the existing CA system altogether, with something that takes into account everything the cryptography community has learned from SSL/TLS.
That would leave them with an empty victory, and us with better security.
Ideally (IMO) that would involve displacing the existing hierarchical system in favour of a more decentralised web-of-trust thing, but... how many PGP keysigning parties have you been to in the last five years?
@kkarhan@quincy@glynmoody@torproject And that's part of the challenge: coming up with something that they can't outlaw without also hurting measures like this.
@glynmoody@quincy@kkarhan I am not sure that I understand the issue: Does the use of one certificate make the issuer able to see everything that I do when not using that certificate?
@thomasjorgensen@quincy@kkarhan a government - or rather its intelligence agency - could use a certificate claiming falsely to be any entity, allowing them to intercept traffic to that entity, then pass it on (man in the middle attack). even though the browser maker knew this was false, they would be forbidden from revoking the cert...
the thing is, they're trying to mandate what runs on the user's system. that's a no-no, and no amount of procedure can fix this fundamental breach of security and basic rights.
trust can't be mandated and attempts to do so make one intrinsically unworthy of trust.
@quincy@glynmoody@kkarhan OK, but I also drive on the right side of the road. Sorry for being the devil's advocate here, but I am sincerely trying to understand
@thomasjorgensen@quincy@kkarhan the key issue is that EU governments will be able to carry out surveillance on any encrypted Web traffic, invisibly, and impossible to stop
It's basically a #Govware#Backdoor mandated into basically everything because in the end everything uses #SSL / #TLS (with fewer and fewer exceptions like @torproject#Tor )...
And since that would be mandatory, it would be trivial to plant false evidence under people.
@kkarhan@glynmoody@quincy@torproject so yes, the issuer of these certificates would be able to see everything - also on sites that do not use these certificates, or no?
@thomasjorgensen The issuer could very well (be pressured or tampered with to) issue rogue certificates for any site it would like, to intercept or even help modify the traffic, since it's a root CA.
@lobingera@kkarhan@quincy@glynmoody I have more questions: if this is not mandatory, could Google (that has both a wallet and a browser) not deny certificates from public wallets and force Chrome users to go to the Google Wallet and make it the de-facto universal wallet?
Let's not forget #Google - like all #GAFAMs - was a #PRISM collaborator, is subject to #CliudAct and #ITAR and thus not only capable but able and willing beyond the legally mandated minimums to do so.
Just like with #eCall + banning #anonymous#Prepaid#SIM cards basically making a #GSM#tracker mandatory in #cars under the dalse claim to do "roadside assistance and distress calls" when other options would've offered the same at far less cost, better privacy and better coverage...
@thomasjorgensen@quincy@kkarhan you wouldn't know about it if carried out by intelligence agency; and they are allowed to do it because of ridiculously broad exemptions for national security
@glynmoody@quincy@kkarhan I would not know if my phone is tapped, but the police/intelligence services would still need a warrant. Is this a technical issue or an issue of trusting the checks and balances within our political systems?
@thomasjorgensen@quincy@kkarhan both: this breaks the trust system underlying encrypted Web transmissions; it also means there that by default EU intelligence services/police can eavesdrop on encrypted streams. it's the death of online privacy, and it's illegal to undo it. there are lots of other political issues to do with - say - Hungary issuing certificates that must be respected, which means that nice Mr Orban gets to read anything he wants to. might be useful for that nice Mr Putin...
@glynmoody@quincy@kkarhan In any case, if you want to do something political I would spin it like this: If you want this to work for example for banking, travelling or education, you need to ensure that citizens trust the system. This requires solid privacy guarantees, and then you say how to concretely solve the problem in the regulation.
If they had any warrant or legitimate interest, they'd have sufficient intel to kick in doors...
If not then we should question for an "intelligence agency" to exist as beinf fundamentally incompatible with freedom and human rights necessary for any decent democracy.
@thomasjorgensen@glynmoody@quincy In fact, they don't and you'd be surprised how easy it is to get Telcos to hand over data when the alternative is getting their HQ searched by police and staff held at gunpoint to do so.
@glynmoody@thomasjorgensen@quincy@kkarhan ...but that in itself is not something new, a government intelligence being able to intercept my traffic, for me more important are the safeguards and legal framework around it ? 🤔
And everyone who believes a centralized messenger like @signalapp or a privider like @protonmail will save their ass is either completely ignorant of cases besides #EncroChat & #ANØM or prefers to lie to oneself over the cold reality.
And it's not like I am the only one who works against #Cyberfacism...
@quincy@glynmoody@thomasjorgensen@kkarhan ...ofcourse there must be checks& balances, legal framework, reporting (ex-post) etc, but some kind of surveillance in specific circumstances, controlled by law, must be possible, also in democratic societies. Not saying the EU proposal is without faults, i have not analysed it thoroughly...
@ErikJonker you obviously have more faith in legal frameworks; the point is it should not be possible in the first place without legal safeguards, these backdoors are mandated by default - too easy to abuse @thomasjorgensen@quincy@kkarhan
Or to put it simpler:
This is more irresponsible than giving a 9yr old an Uzi set to full auto and waiting for disaster to happen, because it would not just be a single 9yr old with a single mag but giant orgs with hundreds of thousands of people.
And like will all "National Security" bs, this will get extended until someone can be searched for a parking ticket or alleged littering...
Off the top of my head, I'd put it down to a long-term, carefully-thought out campaign by a well-funded bunch of fascists who are very bitter about having lost in the past.
@kkarhan@KatS@quincy@ErikJonker@glynmoody where I am beginning to understand is that making government certificates mandatory is a way to rein in big tech, but there would need the same kind of legal safeguards that prevent phone tapping and the police kicking in my door. I think that as a citizen, this would work for me
In Spain, it already takes several weeks to get a new ID card printed. It's an obvious move to steadily increase that lead-time, so that people increasingly just give up on even trying.
Inwieweit und vor allem wie lange bleibt diese Wallet freiwillig, wäre hier die Frage. Die #ePa war auch erst freiwillig. Jetzt kommt der nächste Schritt zu OptOut, dann mit Sicherheit verpflichtend.
Vertrau nicht Deinem Staat in dem Du lebst. Er will nur Dein Bestes, - Deine Daten und volle Kontrolle - über Dich ! *
@kravietz@quincy@KatS@thomasjorgensen@ErikJonker@glynmoody Also even before it was mandatory it was incentivized and i.e. Refugees who registered with the Adress of their correct legal adress in the form of Central Housing got their cards randomly blocked for no good reason and forced to ID...
Abusing marginalized people and discriminating against them doen the line, knowing those can't get any postpaid SIM due to lack of credit rating or income to get any good standing with creditors...
Not sure if I understand correctly, but in #eIDAS there's literally zero "forcing people" to do anything — the regulation is about making GAFAM corporations to recognize the QCA certificates. You, as a citizen, are not forced to use eIDAS or anything — the regulation is targeted at Google, Mozilla, Apple, Microsoft. Exactly in the same way as GDPR did not force citizens to do anything, but it forced corporations to seek your consent bofore employing behavioral tracking against you.
And personally it only radicalizes me into demanding not just the reinstation of all rights that got axed but also demand interest on top in retaliation...
I second that demand. Right now, too often there isn't even an independent (or any) evaluation of "necessary measures" say 5 years after to see if they were really "necessary"
They have to make it crystal clear that the law cannot be abused against makers of browsers.
But it doesn't do that. On the contrary.
Please have another look at Article 45 and tell me how you read anything into it but unreasonable demands on what "web browsers" (or sometimes "web-browsers" (sic)) can and cannot do.
So AFAICS there's no reason not to raise the alarm.
The problem is, that nobody can trust the EU in the area of civil rights (I think you could never because it was since beginning only focused to business but never to democratic principles beside the Sunday speeches for the public)
About this is the typical salamislicing tactic observable in the past to trick the EU citicens. Wire taping is a good example or the Internet variation of that like Pegasus and other survailance tools.
All this raised questions about the hidden agenda behind that. I'm very sure that a lot of shady organizations are behind that like we just observing with the "chatcontrol" case.
So yes, I expect that forcing people is at the end.
And ... even if I had good reasons to trust the authorities (based on their spotless track record and foolproof checks and balances, in some parallel universe), they still wouldn't belong in my computer.
Trust cannot be mandated. It has to be guaranteed.
@thomasjorgensen@kkarhan@quincy@ErikJonker@glynmoody It does nothing to rein in big tech at all. What it does is enable governments to systematically tap interactions with them, equally as with any other smaller tech.
If I actually believed that due process was required, and public accountability would be genuinely applied, I'd be less worried.
However, one of the provisions is that under "exceptional circumstances" the agencies can go ahead and JFDI, then notify the court some time in the following 48 hours.
Historical precedent says that "exceptional circumstances" will turn out to be remarkably common, that there will be no effective punishment for either misusing these powers, or even for "forgetting" to report their use.
Add comment