undefined | Better HN

0 pointsZeroConcerns5mo ago0 comments

> A hot take: removing protections guaranteed by constitution

Lawful intercept laws exist in most, if not all, EU countries.

It's just that super-national overlay services like Signal don't entirely fall within the framework of those.

So, there is now a choice: expand interception powers indefinitely (a.k.a. ChatControl, which, to make things crystal-clear, I'm 100% against), or bring new services into the fold of existing legislation.

0 comments

LudwigNagasena5mo ago

No existing legislation requires proactive interception of mail, physical or electronic. Bringing new services into the fold of existing legislation would mean forbidding any proactive scanning by civilians and forbidding such scanning by authorities without a warrant or court order.

ZeroConcernsOP5mo ago

> proactive interception of mail, physical or electronic

Lawful interception is not proactive: it requires a judicial order to collect plaintext communications from/to specifically identified individuals (resident in the country demanding the interception), for a limited time and for a specific purpose.

ChatControl, which I strongly argue AGAINST would sort-of be what you describe. But: I. Am. Arguing. AGAINST. That.

Zak5mo ago

A piece of open source software running on Alice's computer exchanges keys with a piece of open source software running on Bob's computer. Later Alice and Bob exchange messages encrypted with those keys through Charlie's server.

Eve, a police officer has evidence that Alice and Bob are messaging each other about crimes and obtains a warrant to require Charlie to intercept their communication. Charlie has no ability to do so because it is encrypted with keys known only by Alice and Bob.

If you want a different result, someone has to proactively change part of this process. Which part should change?

One option is to mandate that any encrypted messaging software also give a key to the government or the government's designee, but someone using open source software can modify it so that it doesn't do that, which would be hard or impossible to detect without a forensic search of their device.

Another option is to mandate that a service provider like Charlie's only deliver messages after verifying that it can decrypt them. This, too is hard to enforce because users can layer additional encryption on top of the existing protocol. Signal's predecessor TextSecure did that over SMS.

Both of those options introduce a serious security vulnerability if the mechanism for accessing the mandatory escrowed keys were ever compromised. Would you like to suggest another mechanism?

1 more reply

j / k navigate · click thread line to collapse