Posted by gasull 1 day ago
But this is the ultimate "grant me dictatorial powers so I can do good" play.
Rather than narrow and specific - it's a broad based law that suddenly touches everyone even though offenders are a small percentage and should be able to be targeted more efficiently.
Back in the day when I was like 15 and DC++ was still a thing, I used to browse people's shared folders. One day I came across a file called "the paradox of false positive". It was a 1 pager that described how a machine which is 99.9% accurate at identifying terrorists would be completely useless due to this false positive base rate fallacy you're describing.
It really stuck with me throughout the years. It's kind o remarkable how even a 99.9% accurate heuristic is insufficient at scale.
Which begs the question: lets assume the intentions are pure (which we know they're not but lets be generous), what other options are there when 99.9% heuristic is not good enough? how do you design systems when they're guaranteed to fail as they scale up?
edit: and what do you know, I just saw this as I scrolled down on HN https://news.ycombinator.com/item?id=48816959
And there is a saying where I grew up: you need a village to raise a kid, I feel like we lost track of that and feel the issues of that now.
Btw, von der leyen is trying to get stuff like this written down as laws since 2009, it got her the nickname Zensursula.
And Germans and Europeans looked at that and thought the best place for her is leading the EU?!
Remind me again how she got elected in that position?
Because it seems like the entire EU population knew her being infamous for that, except for the few elites who appointed her there via "democratic process" to the head of the EU.
Also most of the EU population don’t know her for anything at all. I’d be surprised if more than 50% of Europeans could name her.
I am not against EU cooperation, mainly in external security and free market economy. But the system we have is not very democratic, and def not very representative of people. They act like demigods, elected by parliament with no real consequences of their actions.
I disagree. That's an executive power position for an entity that lacks sovereignty. Giving it the legitimacy of direct vote is highly problematic.
Start by giving more power to parliament.
And it fails miserably.
If anything I find GenZ a lot more focused on explicit consent than GenX.
No it doesn't. That's just needlessly reductionist doomerist take with no argumentation to back that up.
Define failure and success of the system in this context.
1. The cultural factor is rising expectations for children and their parents, costing both time and money;
2. The political/social factor is nanny states and academic institutions that the public expects to not only teach but raise their kids;
3. Technology. Especially the Internet, mobile devices, social media, and short form content. Technology distracts and isolates both kids and parents.
An example of the three factors at work is the all-too-common local news trope of ”Nosy neighbor calls CPS because the family next door lets their kids walk to school. Whole family traumatized as a result.”
That's a good way to put it
In fact that's why nothing ever gets done to improve things in the EU/west, because we expect perfect outcome in every new change and we want potential risks to be zero before something new is implemented, so it's easier for leaders to just never do anything, never change anything, just sit and maintain the status quo while we go through managed decline complaining things keep slowly getting worse.
Or is that where you want other people to end up while you peddle propagandist fairytales about failed parenting?
Suppose I invent a device that can detect whether there is a giant invisible dragon living in your house, and it has an accuracy of 99.999%
Now, I use it in your house and it tells me there is an invisible dragon… so what are the chances that there is a dragon in your house?
Based on your statement, it would be 99.999% likely that there is an invisible dragon in your house. However, we actually know that there is a 0% chance there is an invisible dragon, so even with the positive test result we still know there is a 0% chance a dragon is there.
Whereas if only 0.001% of your population are terrorists then 99 out of 100 alerts are false positives at which point the system is well on its way to being useless.
There is an important difference between scenarios where we care about the relative versus absolute frequency of errors.
> There is an important difference between scenarios where we care about the relative versus absolute frequency of errors.
The context is chat control without probable cause over the whole population of Europe with a low prevalence. My point, and presumably that of OP, is that even a small relative frequency of errors will yield an unsustainably high absolute frequncy of errors.
> This is merely information provided to a human agent.
It will be in theory. In practice the human agent will just forward the decision. A human agent is not sufficient; you need to test only with probable cause for the kind of scenario we're talking about. The exact opposite of "Chat Control 1.0 and 2.0".
P.S.: The comment I originally replied to choose a very convoluted way of saying that the false discovery rate of the test matters for a proper evaluation. Both you and they explain this by throwing numbers without context in combination with slightly inaccurate definitions. I got the definitions mixed up differently, which led to this follow-up.
> even a small relative frequency of errors will yield an unsustainably high absolute frequncy of errors.
That depends entirely on the rate of true positives in the general population and the rate at which the test successfully catches them. If the success rate is reasonably high and the rate of true positives is within one base ten order of magnitude of the rate of false positives then regardless of volume the stream of reports would be expected to prove quite useful.
To put this in concrete terms, if 1 billion messages are scanned, there are 100 violations, 99 of those violations are successfully detected, and there are an additional 1000 false positives reported, then you've got about a 10% hit rate when examining reports. That would provide a genuinely useful starting point.
But it's not at all clear that we can expect numbers like that. Both because the scanners are likely much worse but also because criminals can't reasonably be expected to stick around on conforming platforms in the event that such measures are enacted.
Even if the reports were 100% accurate I'd still be opposed to it on ideological grounds. I don't think pervasive surveillance of that nature is compatible in the long term with a free and democratic system of government.
> Both you and they explain this by throwing numbers without context in combination with slightly inaccurate definitions.
It was my intent to provide reasoning for all the numbers I put forward. They were meant as examples.
As to definitions I wasn't going by anything formal. I tried to spell out exactly what I meant by each term. Apologies if I wasn't entirely clear about that. Regardless, the precise definitions of the terms aren't what matters here. It's the practical end result - what percentage of the alerts are false?
https://en.wikipedia.org/wiki/Positive_and_negative_predicti...
[1]: https://www.covid2020.icu/false-positive-false-negative-simu...
You typically use the Bonferroni correction when making general statements about a statistical relationship. You wouldn't use it for checking if a particular image shows illegal content. If you kept testing with your image classifier, your significance threshold would need to be continuously lowered and you would asymptotically reach zero.
Relevant XKCD: 882
https://www.koffellaw.com/blog/google-ai-technology-flags-da...
The corporate liability of such content being found on their cloud is so insanely nuclear, that they're not gonna wait and ask you "hey are those nudes your own kids or are you a pedo?" before they wipe the account with all pics off their servers.
If the scanner is 99.99% accurate, then most classifications will be correct.
So a quota of 0.1% or even less material being detectably criminal sounds realistic (probably not much less, though).
outlier cases aside, there is also just a large amount of processing power that will go into this, the service can only be worse off for it. Privacy is not just about being able to hide things, it is also about being in control of how you present to the world. not because that control is maniupulative but because we all exist within our own microcosms of uniqueness, using words slightly differently than each other, and having certain balances of intention and meaning with those we send messages to that cannot be fully presumed from a 3rd party. even in images.
Are they really saying "if you want to send private messages then go make your own network" ?
No, because with the way things work, they'll make that illegal next.
Unironically, we should all move to using TOR.
Anyone setup a .onion mirror for HN yet? I'd assume usual HN-mirror-rules, no login or posting but free to view...
https://www.thatprivacyguy.com/blog/chat-control-the-415-who...
The irony is, you don't actually need Tor on my site because there is no logging, no third parties, no adtech etc. it is just static HTML files - so whereas I would normally recommend Tor I designed the site specifically to be privacy first.
I will try to figure out what is going on though because obviously I am fully supportive of people protecting their privacy with Tor.
I will investigate.
"The urge to save humanity is almost always a false front for the urge to rule."
H.L. Mencken
> The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all.
> For every problem, there is a solution that is simple, neat, and wrong.
> Freedom of press is limited to those who own one.
By the parents. Install parental controls that only allow to message you and closest relatives. Problem solved.
They should give precise numbers of how many such crimes are detected via such means or are expected to be detected per year, and how many of those are not possible to catch through regular investigative work. It just seems ridiculously out of proportion especially that with all this flurry around the topic, the criminals surely aren't using WhatsApp for this any more, but especially won't be once the law is adopted. Sure, many are likely stupid but if they are so stupid, won't they fall into other honeypots?
Why are chat apps the best leverage for uncovering this? They'd have to justify this with some sort of data and numbers.
Because later they can just come back and say, well unfortunately they are now all using other means, so now we need to break https,we need to ban e2e, we need to ban vpns, tor and foss operating systems etc etc.
Anyways, once that implemented noone will report to you and there will be no means of pushing against it because all your online efforts to coordinate will be compromised.
Because narrow law is easier to avoid or find the loophole and a single case is enough to induce panic and anger.
Reminder that none of this has any evidence that it helps CSA, but nobody cares about the actual children.
This is like trying to prevent burglary by working with the factory that manufactures pry bars.
> suddenly touches everyone
..............I see what you did there.
Voluntary for whom? The service provider? Can I opt out of getting scanned?
> Does it touch encrypted messages? - No. End-to-end encrypted communications were never scanned but providers could deploy client-side scanning under this law.
So it circumvents e2e encryption?
---
How would these laws prevent me from just side loading my own open source client?
They do not.
Non of these laws stop you from opting out of surveillance, but altogether it gets so hard that at some point you get more suspicious and tracked if you do all this than if you don't do any of these.
1. allow MITM decryption by a privileged authority
2. require all devices doing E2EE have a non-user-modifiable piece of functionality to scan on-device
The second is the Apple style on-device CSAM scanner? I have to say that I do sometimes think about it while taking a photo of my baby playing in the bathtub - photos like my parents have of me which have been kind of nice to see later. It would be a pity if I had to have a separate analog camera just for baby photos because then I'd need to learn the whole developing film stuff.
Polaroid coming back in business! I would not complain at all if we started reverting some of our lifestyle behaviors back to analog.
IIRC weren't there some thoughts that they'd switch iCloud to E2E but add local scanning on upload (compare to what it currently when Apple, Google, etc. freely scan all your cloud photos anyway). That didn't seem like a terrible deal on paper.
Does this mean every parent has to now make sure not to take pictures of their children playing in bath for instance, in order not to trip these scans for false positives?
They CLAIM they scan for CSAM, so watch out your documents and pictures with something that govt also wants to track.
Even with e2ee enabled for iCloud Photos/files (which NOBODY uses, and furthermore is entirely disabled in the UK), it sends identifying hashes of plaintext file content to the server without e2ee.
This is exactly what has been proposed. E.g. WhatsApp has a piece of code that scans images and texts before sending. After that, they are "encrypted".
Unlike governments, generally, the companies may use control over communications for any purpose. For example, a surveillance-based advertising services is one purpose that we know about. The companies can collaborate with any party; it may be another another company, it may be a government. The company can utilise surveillance data collected and/or its ability to throttle and censor communications to further any purpose. The parties with whom the company collaborates may potentially use the data for any purpose
Unfortunately for users, the company is not required to disclose with whom it collaborates nor the terms of such collaborations. Hence users have no way to verfiy. Users of these "free services", have few, if any, rights against the company
This situation is preventable. What enables it to exist is user "consent" to ceding control over their private communications ("chat control") to so-called "tech" companies
1. This is accomplished through granting the company total control over the client software, e.g., "automatic updates'. The company effectvely (a) blocks chat participants from using their own client software and (b) forces chat participants to use client software controlled by the so-called 'tech" company. This software is provided for free and primarily serves the company, not the user, advancing the company's commercial interests, e.g., surveillance-based advertising services, at the expense of the user's privacy and security interests
This fact was summarised in a submission that reached the HN front page yesterday: https://news.ycombinator.com/item?id=48792203
Meanwhile, Governments can take away your freedom, block your right to speech, ruin your entire life, seize your private assets/wealth, take away your children, deport you, etc...all depending on how the cultural wind is blowing on a particular day. And they are legally entitled to hold a gun to your head or kill you if you don't comply.
These are not the same level of risk. Yet more hysterical attention is paid to the former instead of the latter. This is dumb.
Be more worried about governments. Read more history.
A reminder that governments can buy from private companies. A company like Palantir can buy data from private companies then incorporate it into the software it sells to governments.
Governments can do a lot of things that hurt you, this is a consequence of having power. Giant Corporations can also hurt you because they also have power.
In general I would agree that say, walmart, is mostly interested in encouraging you to shop at their stores more frequently with the information they gather, it's also true that other corporations are currently selling the information they gather to the government.
And, of course, if I dislike what e.g. the department of labour is doing with information it's collecting, I can vote for various representatives up and down the hierarchy of power, in the USA this would include things like state governors / attorneys, federal legislators, presidents, etc, all of whom have some level of influence over my information being collected and used.
If I dislike what walmart is doing, my options are considerably more limited. I can lobby for a law to be passed against it or I can essentially wish for it to go out of business.
False dichotomy, they are the same Lernaean Hydra.
How has that been going? Did you manage to elect someone, who made a positive change? Let's be charitable - you can pick an example from your life that goes back up to 50 years.
No. My point is you should fear centralized power in general, and in exact proportion to the scope of the power being centralized. All power gets abused.
Governments are centralized power on a scale that makes the most powerful corporation on earth look like an ant. Historically AND currently, the worst atrocities come from governments, not companies.
Yet, internet discourse (and new legislation) over the past 10 years has pretended like the biggest threat to us re: data collection is private companies. They are indeed a threat. But they are NOWHERE near the scale of the threat that data collection by governments represents.
This blind spot is part of the reason mass surveillance legislation is being rolled out (largely successfully) everywhere right now.
For example, we've created such a boogieman out of facebook/social media (which, ironically, doesn't even exist anymore as people remember it) that it has manufactured consent among the public for governments building the infrastructure for 1984. A far greater threat to us than micro-targeted face cream ads ever were.
Both large gov't and large corpo are horrible and both should be equally avoided.
You don't seem able to hold two ideas in your head.
Yes, companies can abuse their power. Yes, governments can abuse their power.
However, the power wielded by governments is on a whole different scale, so the capacity for abuse and atrocity is exponentially larger (governments have killed millions and can literally destroy the entire world with firepower 100X over).
You say that govt is holding a gun to citizen's head, but govt also holding a gun at private company's head.
By that logic, you should fear companies at least as much as their governments when handing them your data.
But companies have additional goals: to increase profit. Which can be achieved by selling more toilet bowl cleaner. But also by externalising harm/pollution/costs, monopolising, reducing taxes, etc. All of which harm you, personally.
So, sure, worry about governments. But worry more about (big) companies. Read more history.
This fact alone makes the comparison you’re trying to make pretty silly. You have far, far more to fear from the country from which you’re a citizen than the company for which you’re a customer.
Read more history.
Also, governments consists of a large amount of human each acting for their own benefit. Assuming they can easily collectively united as a single force to use violence to harm all citizen (on the topic of privacy, it really is the case) suddenly is wild.
On the contrary, for a limited government, it very likely will result in using the monopoly of violence to provide extreme capitalism style IP and private property protection which results in dominating power of large companies. On the other hand, every bit of history demonstrated you can never maintain monopoly of violence if you are really against people.
Monopoly on economic is strong because it can be guarded by violence, while violence cannot be easily guarded by itself within a country (unless AI overlord really comes).
Read more history.
You fundamentally are unable to judge risk correctly due to your political bias.
You're even admitting the risk of companies harvesting data is that it may fall in the hands of governments.
Yet you still think a private company lobbying to reduce taxes is a greater threat than your government wielding enough firepower to kill millions of people and destroy the entire world.
Companies can use it to determine voting patters and sell that to interested political parties. Government are made from political parties and can steer money to those parties, thus the data can now be sold indirectly to the government.
Companies can use it to indirectly target competitors through their customers. Creating a monopoly is much more profitable than just selling more products. Gaining favors with political parties in the above strategy can also help here.
Companies can sell data to governments of other countries. Just because your own government has laws that forbids it, it doesn't mean other countries has the same laws or will treat the citizens of your country as their own. Trade like this can also occur in multiple steps. Company sell data to country A, and country A shares/sells it to your own government. Your own government might finds this preferable to buy it directly as laws may not apply to data shared/bought, even if that data is about their own citizens.
Selling personal data to the government is profitable, but there are also other interested parties. People in legal disputes may want information about the other side, or the juries, or even the judge. Companies that want to do industry espionage would want to buy information about other companies employees. Criminal organizations very much like to buy information about vulnerable people like the elderly. Again, the data doesn't need to be sold directly but can go through many hands until it finally reach the most scummy buyers, and the money will slowly trickle upwards to the seller.
As long as someone collects the data and is willing to sell it to someone, sooner or later it will be sold/leaked to someone who shouldn't have it. That is the fundamental issue with companies collecting personal information.
I keep trying to explain to people that any data companies harvest, for whatever purpose, can then be accessed by the government, and that trying to draw distinctions in what is a big massive ouroboros is irrelevant.
Even if you trust the company AND trust the government, the data exists forever, and no one can trust all future governments and all future corporations.
If the government weren't legally able to use the toilet bowl cleaner companies data against you, it wouldn't matter.
The problem is us giving governments the right to use this data against us (passports to access the internet, messages being under constant surveillance, etc.)
In Europe we're happily handing over our rights every day so that governments have more power over us (supposedly to "protect" us from the big bad evil American tech companies).
Except, Google just wants to make $100/yr off me instead of $50/yr by me voluntarily choosing to use them.
Meanwhile, EU governments want to literally control what I think and feel and do, and take out $100,000 in debt on the backs of each of my children (we're at 115% debt-to-GDP in France) to fund this nightmare surveillance state.
Plenty of companies collecting data are operated by people who want to control what you think, feel, and do both for profit and based on their owners personal beliefs.
Look trying to separate them is foolhardy. Corporations exist due the limitation of corporate liability provided by government. There's no scenario where you have a corporation without government. A corporation will sell you out wholesale to continue having the right to make 100 bucks a year off of people.
And to steal tips [1], lower your salary [2,3], charge you more [3,4], and limit how you may use "your" property [5]. I'm sure there are many I've missed.
Oh and how could I forget - to smear you if you stand in their way [6].
[1] https://en.wikipedia.org/wiki/DoorDash#Withholding_of_tips_a... (try doing that when tips are in cash)
[2] https://www.morningstar.com/news/marketwatch/20260401139/emp...
[3] https://towardsjustice.org/wp-content/uploads/2025/02/Real-S...
[4] https://en.wikipedia.org/wiki/Price_discrimination
[5] https://www.cnbc.com/2017/12/27/nvidia-limits-data-center-us...
[6] https://www.theguardian.com/business/2019/aug/07/monsanto-fu...
Meanwhile governments wield enough power to destroy the entire world 100X over, and are currently shoveling young boys into the meat grinder of war to be slaughtered by the thousands every day.
As a left-leaning forum, HN has a giant blind spot re: government power vs. corporate power. I'm trying to point this out.
Yes, companies can abuse their power. But their power pales in comparison to government power.
Even if true it's almost entirely orthogonal.
The "right" is usually only against government control, intervention and surveillance until they get into power. Then they double down on them. Also right wing parties/groups are generally better at controlling and silencing internal opposition (since they are lot better shutting up and falling in line when push comes to shove regardless of their personal beliefs). So they are usually a lot more effective at imposing these things.
But of course Europe just ignored that warning. Like it anyways has.
They've outsourced nearly every critical component of a large sustainable society to the rest of the world: Russia, USA, China, India.
But at the same time, their politicians can't do anything because the minute they suggest that they might have to start cutting pensions and public welfare, and all of these different things in order to start supporting national industry and defense, they lose support immediately.
Also, EU countries in Eastern Europe do already have a high military spending, and even Western European countries are improving.
The situation is less than ideal but not hopeless.
I would really challenge that idea that increasing military spending will create a solid and useful military force.
Most of the money you inject within the military industrial complex is wasted and stolen. At some point it can become counterproductive, we can see it with the US military where recently Iran’s $30k shahed drone destroys $300M US radars.
Note that today's politician never state goals in practical military terms but rather in billions and trillions spent. So they are always victorious. I do not remember Alexander the Great, Hannibal, Julius Caesar, Napoleon Bonaparte or Genghis Khan stating their objectives in terms of money spent.
Germany is the EU proof of that. It outpends France at defense spending but its military is massively smaller and less capable, and also non-nuclear to boot. So they're getting a very poor bang for their buck. Mostly because of bureaucracy and corruption are eating most of their money before it gets spent on the troops.
>Most of the money you inject within the military industrial complex is wasted and stolen.
That's why I'm not holding my breath at the whole "German rearmament" propaganda. Most of the money will go to boost the stock of Rheinmetall and friends, not boost the troops.
The EU is about twice as industrialized as the US is, In the town of Unterlüß of four thousand people Germany produces about half as many artillery shells as the entire US does (and nationally alone now produces more) and Ukraine and Europe have, for the last 18 months, defended Ukraine without about any support from anyone else. Where do you get your information about Europe, on twitter?
Go demand that the original poster provides value.
They just want total control.
Last year it was about having to scan your face to verify your age to access porn (to protect the children). They said: It's not about control, it's about protecting children.
Last month the same government announced they will use the same technology to prevent access to Youtube and Twitter without giving over your ID and confirming who you are... Still under the 'protecting the children' banner.