• ಠ_ಠ@infosec.pub · ↑ 54 · 5 months ago

    They start with CSAM, move to copyright infringement, and end at censorship of those with opposing views.

    Once such laws and mechanisms are in place all it takes is the right wrong leadership to take it all away to keep us safe.

    • geissi@feddit.de · ↑ 2 · 5 months ago

      Once this has been implemented, something worse can be implemented.

      I don’t like these slippery slope arguments. You might as well reduce it to any legislation.
      Once people are allowed to make laws, bad people can make bad laws.
      Which is why we must continue to vote in the right people, not abandon the concept of laws.

      In this case, I don’t doubt that copyright infringement and general censorship are on some people’s agenda.
      But this current proposal is bad enough itself and should be opposed because of that and not because someone might make other, even worse proposals in the future.

  • eveninghere@beehaw.org · ↑ 4 · ↓ 14 · edited · 5 months ago

    Article 10a, which contains the upload moderation plan, states that these technologies would be expected “to detect, prior to transmission, the dissemination of known child sexual abuse material or of new child sexual abuse material.”

    This is what I guessed the other day when a post here didn’t clarify what the censorship meant.

    While I’m not a fan of this stupid regulation, it doesn’t sound like the armageddon that turns e2ee into ashes.

    (Given that Signal doesn’t like it, I might be wrong though.)

    As long as we trust, say, Signal, it will possibly be able to do the scan without sending a good chunk of the image data that the user is sending. URLs can be hashed before sending them to the scanner.

    The remaining piece for privacy is to use open source and to guarantee that the binaries are free of modification from the original. This problem always existed on the Apple ecosystem btw.

    • BrikoX · ↑ 35 · 5 months ago

      How about the false positives? You want your name permanently associated with child porn because someone fucked up and ruined your life? https://www.eff.org/deeplinks/2022/08/googles-scans-private-photos-led-false-accusations-child-abuse

      The whole system is so flawed that it has like a 20-25% success rate.

      Or how about this system being adopted for anything else? Guns? Abortion? LGBT related issues? Once something gets implemented, it’s there forever and expansion is inevitable. And each subsequent government will use it for their personal agenda.

      • eveninghere@beehaw.org · ↑ 1 · ↓ 5 · 5 months ago

        They say the images are merely matched to pre-determined images found on the web. You’re talking about a different scenario where AI detects inappropriate contents in an image.

        • vrighter@discuss.tchncs.de · ↑ 5 · 5 months ago

          Change one pixel and suddenly it doesn’t match. Do the comparison based on similarity instead and now you’re back to false positives.

          • eveninghere@beehaw.org · ↑ 1 · ↓ 3 · edited · 5 months ago

            My guess was that this law was going to permit something as simple as pixel matching. Honestly I don’t imagine they can codify in the law something more sophisticated. Companies don’t want false positives either, at the very least due to profits.

            • Inductor@feddit.de · ↑ 4 · 5 months ago

              Unfortunately, I couldn’t find a source stating it would be required. AFAIK it’s been assumed that they would use perceptual hashes, since that’s what various companies have been suggesting/presenting. Like Apple’s NeuralHash, which was reverse engineered. It’s also the only somewhat practical solution, since exact matches would easily be circumvented by changing one pixel or mirroring the image.

              Patrick Breyer’s page on Chat Control has a lot of general information about the EU’s proposal.
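The trade-off argued over in the comments above (exact matching stops matching after a one-pixel change, similarity matching brings back false positives), as an added example that is not part of the thread. A toy average hash stands in for production perceptual hashes such as NeuralHash; the function names, the 8x8 sample images and the thresholds are constructed for illustration.

```python
import hashlib

def exact_hash(img):
    """SHA-256 over the raw pixel bytes: any changed byte gives a new digest."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()

def average_hash(img):
    """Toy perceptual hash: one bit per pixel, set when brighter than the mean."""
    flat = [v for row in img for v in row]
    mean = sum(flat) / len(flat)
    return sum(1 << i for i, v in enumerate(flat) if v > mean)

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def compare(known, candidate, threshold):
    """Return (exact match?, perceptual distance, perceptual match?)."""
    dist = hamming(average_hash(known), average_hash(candidate))
    return exact_hash(known) == exact_hash(candidate), dist, dist <= threshold

# Constructed 8x8 grayscale samples (values 0..255), not real image data.
# KNOWN: a smooth dark-to-bright gradient standing in for a listed image.
KNOWN = [[(r * 8 + c) * 4 for c in range(8)] for r in range(8)]

# TWEAKED: the same image with a single pixel changed by one brightness step.
TWEAKED = [row[:] for row in KNOWN]
TWEAKED[0][0] = 1

# UNRELATED: different content that happens to share the coarse layout
# (dark top half, bright bottom half, three bright specks).
UNRELATED = [[30] * 8 if r < 4 else [220] * 8 for r in range(8)]
UNRELATED[0][0] = UNRELATED[1][5] = UNRELATED[2][3] = 255

if __name__ == "__main__":
    # One changed pixel: the exact hash differs, the perceptual hash is identical.
    print("tweaked,   threshold 0:", compare(KNOWN, TWEAKED, 0))
    # Strict threshold: the unrelated image is correctly rejected.
    print("unrelated, threshold 0:", compare(KNOWN, UNRELATED, 0))
    # Looser threshold (needed to survive recompression or resizing):
    # the unrelated image is now flagged, i.e. a false positive.
    print("unrelated, threshold 5:", compare(KNOWN, UNRELATED, 5))
```

The threshold is the whole policy question in miniature: at 0 the matcher only tolerates changes that leave every bit of the hash intact, and every step above 0 widens the set of unrelated images that end up in front of a human reviewer.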

              • eveninghere@beehaw.org · ↑ 2 · edited · 5 months ago

                Stupid regulation, honestly. Exact matches are implementable but further than that… Aren’t they basically banning e2ee at this point?

                Now I see why Signal will close in the EU.

    • poVoq@slrpnk.net · ↑ 20 · 5 months ago

      It’s a slippery slope thing. Sure, technically it doesn’t break e2ee, but it basically forces app developers to integrate a trojan into their app that scans messages before they are encrypted and sent. Right now it is “only” for images, but once this is in place and generally accepted, what is stopping lawmakers from extending it to scanning all messages?

      • toastal@lemmy.ml · ↑ 7 · 5 months ago

        I think the parent is distinguishing between messages & the attachments as they are stored differently & often in different places in many systems. But I agree with you in assuming that the goal would ultimately be to then start scanning messages too.

        Imagine governments used something like SHA1 that has conflicts & now you have collision potential–you could even fabricate attachments that could cause a collision to get someone thrown in jail since all you have to rely on is the file hashes. If you can’t scan the actual content & you are just using hashes, then you also don’t prevent new content that those in power deem ‘bad’ from being flagged either which doesn’t really stop the proliferation of the ‘bad thing’ just specific known ‘bad things’. If I were implementing clients, I would start adding random bits to the metadata so the hashes always change.

        The only way this system even works is if there are centralized points the governments/corporations can control. Chalk this up as another point for supporting decentralization & lightweight self-hosting since it would be impossible to have oversight over such a system if anyone can spin up a personal server in their bedroom.

      • kbal@fedia.io · ↑ 3 · edited · 5 months ago

        technically it doesn’t break e2ee

        ** for some unorthodox definition of e2ee

        If the “endpoints” are defined as being somewhere outside the end users’ control, because for example the client software they have is designed to betray their secrets, then the system is no longer end-to-end encrypted in the way that both cryptographers and normal people would usually understand the concept.

      • eveninghere@beehaw.org · ↑ 2 · edited · 5 months ago

        Yes, I agree it is dangerous. I just wanted to assess the actual threat (current and future) before jumping onto the wagon.

    • Grippler@feddit.dk · ↑ 8 · 5 months ago

      The images that are flagged by such scanning, local or server side, will have to be manually verified to avoid false persecution. Someone will have to look at the private images you’ve sent that might get flagged.

      These systems have huge margins of error and are incredibly inaccurate, so there will be a significant task in manually verifying everything. And do you trust some random government employee (or just the department’s general IT practices or ability to not be hacked) with not leaking your nudes or personal images? I sure as hell don’t.

      And even if this is handled perfectly and all government employees are super super honorable standup citizens that never do anything slightly wrong ever…There are still malicious governments that persecute minorities, I doubt they will handle these backdoors in digital privacy very well.

      • mihor@lemmy.ml · ↑ 8 · 5 months ago

        So if I send a photo of our kids playing naked in a baby pool to my wife through signal, some slimy-ass eurocrat in some IT center will be able to ‘manually verify’ the photo of my naked kids?? Are you mentally sound??

        I hate pedos just as much as every other sane parent, perhaps even more so (I’d love to wear a “Why, Garry, why?!” t-shirt all day every day). But to hell with this stupid idea that some slimy scumbags will be able to browse my own photos of my own kids. Hell, even any random photo I take, it’s my business and nobody else’s! Go catch pedos the proper way instead, work a little, we don’t need Gestapo or Stasi to hover over everything we do or photograph.

      • eveninghere@beehaw.org · ↑ 1 · ↓ 1 · 5 months ago

        They say the images are merely matched to pre-determined images found on the web. You’re talking about a different scenario where AI detects inappropriate contents in an image.

        • Grippler@feddit.dk · ↑ 2 · edited · 5 months ago

          It will detect known images and potential new images…how do you think it will detect the potential new and unknown images?

            • Grippler@feddit.dk · ↑ 2 · edited · 5 months ago

              Literally the article linked in the OP…

              Article 10a, which contains the upload moderation plan, states that these technologies would be expected “to detect, prior to transmission, the dissemination of known child sexual abuse material or of new child sexual abuse material.”

              • eveninghere@beehaw.org · ↑ 1 · 5 months ago

                My bad. But that phrasing is super stupid, honestly. What company would want to promise to detect new child sex abuse material? Impossible to avoid false negatives.

    • Natanael@slrpnk.net · ↑ 2 · 5 months ago

      But you can’t detect such things without either server side scanning (kills E2EE dead) or client side scanning (will always be limited in what it can detect, and it’s easy to patch out of clients, AND there’s still the risk of govs maliciously pushing detection of banned media)

  • mihor@lemmy.ml · ↑ 6 · ↓ 43 · 5 months ago

    EU lawmakers are utter rubbish. Cookie consent spam?? Paper straws and ear sticks?? Non-removable bottle caps?? Invasive KYC laws?? Banning ‘foreign propaganda’ through DNS blacklist?? Propping up failed projects like the ukromaidan regime?? What. The. Hell. They just spam our countries with the worst stupidity they can come up with, all the while infringing upon our rights and wellbeing.

    I voted against joining the EU 20 years ago. I guess I was right about that, unfortunately…