As end-to-end encryption becomes more popular (yay! :rainbowdance:),
Celebrate yes,
But also remain skeptical about how this word is used and if this claim warrants your trust.
Do not trust blindly.
End-to-end encryption is a wonderful protection when well implemented. But not all apps that use end-to-end encryption are equals.
Verify that:
The provider is trustworthy :blobcatthinkingglare:
Trustworthy third-parties have verified and confirmed the provider's claims 🔍
Metadata is also encrypted and/or that, ideally, its collection is minimized :blobcatpeekaboo:
Solid security measures protect the data as well (For example, if your data is end-to-end encrypted from your password but your password is vulnerable then your data is vulnerable as well) 🛡️
Encryption is truly end-to-end, meaning only the sender and the receiver can access the data and nobody else :ablobcatpeek:
Finally keep in mind that even if a service uses minimal encryption (for example one that still collects a lot of unencrypted metadata) it is still better than the same service using no content encryption at all,
BUT there are almost always much better services that offer truly complete and well implemented end-to-end encryption for their services.
Read the fine print (when possible)... Any sufficiently large tech company has had to, by necessity, build in the means of complying with various nation states' laws. And if it's a means in one country, its a means available elsewhere (if even non-retroactively), so pay attention to the 'policy' updates - the situation can change overnight. :-/
@Em0nM4stodon Encryption itself is a thing that specific to virtual space. A way of mitigating some of effects of existing problems. But it does not solve the IRL or political or other offline problems per se.
@Em0nM4stodon@team I am ordering these just kinda wish I had a way to play around with placement on my macbook. I am having to buy a ton of new stickers for my macbook anyway. Might mess around in Krita and see what I can do.
@aut@Em0nM4stodon my response to that one is "Do you close the door to a public bathroom stall? Are you doing something 'wrong' behind a closed door? Or is privacy just a valid, human need?'
Financial problems, illnesses, ridiculed hobbies, sexual preferences, the extent of their nicotine habit… and most importantly: other people's secrets.
It's not just about protecting your or my communications, it's that my emails give insight into the lives of my family, my partners, my friends, into my work, etc etc.
John Doe don't just have to consider whether he wants his private life protected, he also has to consider Aunt Mary's marital problems, Uncle Jack's alcoholism, Cousin Peter's erectal dysfunction, Grandma Anne's cancer, Cousin Jenny's dates, and his employer's internal crises.
He has to protect all that not only against overeager cops with no regard for civil rights, but also against data leaks and hackers.
How anyone who isn't a cop can attack encryption in good faith is beyond me.
@TCatInReality@patrizia@Em0nM4stodon You cannot simply have an 'only breaks for baddies' toggle for encryption. That is fundamentally not how things work. Once you break encryption to target criminals, we all become criminals.
Let's talk about the various client-side-based encryption backdoor proposals that are coming out (ChatControl, the EU CSAM proposals). Say one of these laws pass. If it's client-side (on your device), there is no way for Apple/Google/Samsung to only install the scanning tech on baddies phones (at least not preemptively, which is what the law requires). Alternatively, there's no meaningful and legal way for sites like Signal, WA, Threema to opt out. The opt-out is either a) break the law, or b) stop making the product available.
So the end result is, this affects everybody.
Client-side scanning works by alerting when something 'bad' is detected. The problem is, as we've seen from various other ML/AI ventures, detecting 'bad things' is actually really hard. For instance, how do you tell if two teenagers are just sexting one another via WA, versus a 26-year-old man grooming a 13-year-old boy? You can't. Both get flagged, and innocent lives are ruined. Even if nobody goes to jail (and they probably won't because cops and LE will absolutely be flooded with false positives), if I'm a mobile provider or Apple or Google, I'm gonna just kick those folks off my network because better safe than sorry.
Similarly, for awful stuff like CSAM, it's not as if devices will have all the awful photographs to check against stored on people's devices. Instead, they will store a hash, generated as part of a larger list of millions and millions of hashes. Except hashes can be for anything. Any photo, video or file can have a hash. And hash collissions are a very real thing. Again, lots of lives will be ruined not to get criminals, but because a machine got it wrong.
And let's not forget: Once you build in the technology and break encryption, it becomes a trivial thing to just create new lists. If you're President Xi in China, those hash lists include all the various images of Winnie the Pooh or the Tianemen Square photo. If you're Vladimir Putin, it's every image positively portraying Ukraine, or negatively portraying Russia. If you're Rick DeSantis, it's pictures of the rainbow flag, prominent gay people, or Disney.
@TCatInReality@privacat@patrizia@Em0nM4stodon Encryption models have been cracked in the sense that if you throw enough power at it, you can crack a message or group of messages between two people.
That’s very different than having a back door where if that’s cracked or leaked, you can read all the messages every sent in the system by everyone.
The NSA tried to do what you suggest. They recommended a new encryption model for people to use, and researchers discovered that they had fine tuned it so that they could use a method they had discovered to crack it more easily. Once that info was out, anyone could use that method.
It’s math. You can’t hide something in an equation that only some people can use. You can’t make 2+2=5
The other option is to build a system where only law enforcement has access to a special key and trust that they’ll not misuse it and not lose it. But whose law enforcement? US?
China? North Korea? This has been tried too. It was called the Clipper chip. Nobody would buy or use it. Just like no other country would use encrypted systems if the US built back doors into them. They wouldn’t allow those systems to be used.
It’s not that nobody wants to do this. Cryptographers have spent their careers working on these things. There literally isn’t a way to do it securely. If the good guys can break the encryption, so can the bad: