• poVoq@slrpnk.net
    link
    fedilink
    arrow-up
    20
    ·
    6 months ago

    Its a slippery slope thing. Sure, technically it doesn’t break e2ee, but it basically forces app developers to integrate a trojan into their app that scans messages before they are encrypted and send. Right now it is “only” for images, but once this is in place and generally accepted, what is stopping lawmakers to extend it to scanning all messages?

    • toastal
      link
      fedilink
      English
      arrow-up
      7
      ·
      6 months ago

      I think the parent is distinguishing between messages & the attachments as they are stored differently & often in different places in many systems. But I agree with you in assuming that the goal would ultimately be to then start scanning messages too.

      Imagine governments used something like SHA1 that has conflicts & now you have collision potential–you could even fabricate attachments that could cause a collision to get someone throw in jail since all you have to rely on is the file hashes. If you can’t scan the actually content & you are just using hashes, then you also don’t prevent new content that those in power deem ‘bad’ from being flagged either which doesn’t really stop the proliferation of the ‘bad thing’ just specific known ‘bad things’. If I were implementing clients, I would start adding random bits to the metadata so the hashes always change.

      The only way this system even works is if there are centralized points the governments/corporations can control. Chalk this up as another point for supporting decentralization & lightweight self-hosting since it would be impossible to have oversight over such a system if anyone can spin up a personal server in their bedroom.

    • kbal@fedia.io
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      6 months ago

      technically it doesn’t break e2ee

      ** for some unorthodox definition of e2ee

      If the “endpoints” are defined as being somewhere outside the end users’ control, because for example the client software they have is designed to betray their secrets, then the system is no longer end-to-end encrypted in the way that both cryptographers and normal people would usually understand the concept.

    • eveninghere@beehaw.org
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      6 months ago

      Yes, I agree it is dangerous. I just wanted to assess the actual threat (current and future) before jumping onto the wagon.