Just found out that the EU commission proposal I wrote about last May is still underway.
Their desire to monitor 100% of all communication is understandable, it’s for a good cause, but the only way to do that technically is if they are the admin user on every single computer (because otherwise people can still chat over OMEMO, PGP, Matrix, or SSH+talk).
So no more passwords, SSL certs, bank login, no more free operating systems, no more Jitsi or SSH or HTTPS. This law literally breaks all computing and the entire Internet. If that’s what they really intend to do, they should just say so explicitly: the EU anti–all-computers-ever law. I can kind of see the appeal, but I doubt business & politicians would, if they really understood that those are the ramifications.
The only way to prevent FOSS e2ee like Matrix or PGP or OMEMO is to own everyone’s uid zero.
Owning everyone’s uid zero is not OK for a hundred ripple effects. Passwords, finance, love letters, computational resources…
This is different from apps that are already external services, like Signal or iMessage or iCloud, apps which are like hiring someone to come over to your house to fix your broken sink. Any given plumbing company can introduce and advertise an idea like their plumbers wearing a body cam to prevent assault, for example, and such cameras can be regulated or even mandated by the EU.
That’d be a draconian future, and I don’t advocate for it, but it’s at least possible. Please differentiate between actively advocating for it (which I’m not) vs not being super eager to die on a hill against it (when there are other things I care a lot more about, like climate).
But trying to also curb FOSS e2ee like OMEMO is different. It’s like installing a permanent camera over the sink in every home so that no-one tries to fix their own sink. And then needing to watch the camera itself so no-one tampers with it, and then needing to watch that mechanism so no-one tampers with it, all the way up to having permanent and exclusive control over the house keys, probably better known as uid zero, a.k.a. root. In other words, the ripple effects from the infrastructure needed to set up a camera in every house are not OK.
A friend wrote in, saying:
The proposal probably only applies to messaging services for the public, not things like the internal chat of organizations. For example, see the Data Retention Directive, which had similar wording for email logs.
On the other hand, there is a very real risk that messaging apps that don’t have client-side scanning get banned from the App Store and Google Play. That’s, in my view, the big problem with this.