About 250 scientists from 31 countries have signed another open letter criticizing the latest EU #chatcontrol draft. The letter confirms 2 earlier letters from July 2023 and May 2024
I co-authored a new open letter signed by more than 270 scientists from 33 countries warning of the risks of the modified CSAM (child sexual abuse) regulation proposed by the Belgian presidency. #chatcontrol A 🧵 1/10
Very clear statement by Signal's @mer_edith exposing the cynical game of the Belgian presidency to keep rebranding chatcontrol/client side scanning as "upload moderation with consent", claiming that this would not break end-to-end encryption. 1/3
📣 Official statement: the new EU chat controls proposal for mass scanning is the same old surveillance with new branding. Whether you call it a backdoor, a front door, or “upload moderation” it undermines encryption & creates significant vulnerabilities
Because some people have asked me what they can do: for example, write a letter or email to our ministers so that they know what you think about #chatcontrol (Dutch only, sorry - inspired by the EDRI letter)
Detection of information in content prior to encryption cannot be reconciled with the essence of end-to-end encryption. Major risk for abuse by undemocratic regimes. 4/10
Stage win: the EU member states did not agree on a position on #Chatkontrolle today – the Council Presidency has taken the vote off the agenda
After 25 months, the contact tracing app @CoronalertBe will be discontinued. Users are requested to disable and remove the app. A big thank you to the large team (including several volunteers and the DP3T researchers) going above & beyond their duty to make this work. A 🧵 1/7
Likely part of the global war on encryption ("going dark" working party) with terrorism, organized crime and (in some countries) political opposition and human rights advocates as main targets. But CSAM plays to emotions and is thus easier to sell to the broader public 10/10
After 6 months of hard work of the DP3T team and 3 months of hard work of the Belgian team, today is the big day: Coronalert is available. A useful tool, not a miracle solution. Big thanks to all who contributed. More: @CoronalertBe
More than 300 scientists from 32 countries have signed an open letter criticizing the EU proposal for regulation to detect Child Sexual Abuse Material
TL;DR ineffective; risk for function creep & abuse; violates human rights
- collab. w/ @carmelatroncoso
Two major changes: target detection based on risk and require more than one hit to reduce false positives will not have meaningful impact on protection of fundamental rights. 2/10
The technology will fail to achieve its claimed goals for various reasons (insecure perceptual hash functions, huge number of false positives, framing of innocent users, easy to bypass). 5/10
While you are busy clicking on cookie banners, 2% of the top 100K websites send without consent email addresses (and sometimes passwords!) from web forms directly to third party trackers.
More details in the USENIX Security 2022 paper. 1/9
Rather than talking to the scientists who pointed out security risks for the web infrastructure introduced by eIDAS and fixing the regulation, the EU has switched to a PR campaign. 1/2
Europe: ‘eIDAS legislation no problem for privacy and security’ 1/4
In collaboration with 335 top level scientists and multiple non-governmental organizations, I have drafted and signed an open letter that meticulously underscores these significant risks and presents concrete suggestions for mitigating these issues. 🧵 1/7
While this legalese sounds reasonable, it is like putting cameras in every house plus AI to detect whether or not something inappropriate is happening. Note the definition of inappropriate can change easily and surreptitiously. 3/4
The Belgian presidency has drafted yet another tweaked #chatcontrol proposal. In summary, the proposal remains completely unacceptable. TLDR: All the problems pointed out in our open letters are still there & 🧵 1/6
Data News and @destandaard are the only media that have followed the chatcontrol dossier. Very good that there is a lot of attention in the broader media today, but if you wait until the day of the vote in the European Council, it may well already be too late.
(sorry, I'm going to flex a bit here)
What you read in many media today about chatcontrol, you already read in Data News in recent months. Thread.
The open letter from various scientists: 'technically infeasible and useless'.
Overall lack of transparency in the process and failure of decision makers to openly engage with academic community and civil society on the problem. 9/10
Today I presented a keynote at @acmcodaspy '24 in Porto on the never-ending encryption debate, including the latest developments in the CSAM/chatcontrol saga. Slides here: 1/2
The full Belgian presidency chatcontrol proposal has been leaked by netzpolitik today. This proposal fails to protect children, leads to mass surveillance and presents a large risk of abuse. The criticism in our open letters is unfortunately still valid.
Access to content before encryption, however it is called, is disproportionate mass surveillance that has no place in the EU.
I wonder how the employees of the European Commission think about this, as they have switched to Signal for a reason. 2/3
While claiming to protect European values and human rights, the EU is gradually installing or enabling a level of mass surveillance that we so proudly denounce in other states. 4/4
Congratulations to my former PhD student @carmelatroncoso who has been central in creating a privacy-friendly digital proximity solution and who has been recognized by @FortuneMagazine for her amazing work
Many of us wish there was a magic solution that would make end-to-end security available to everyone except for the "bad guys" (fill in your definition). Experts have shown that this is technically impossible. Unfortunately policy makers don't (want to?) understand this 1/4
📣 @EDRi joined 47 organisations and cybersecurity experts in calling the Belgian government to halt legislation that would undermine #Encryption.
Read the open letter here:
There is no practical and widely deployed solution yet for privacy friendly age verification; not clear that eIDAS 2.0 will solve it given that unlinkability protection in the future digital identity wallet is optional. 7/10
Latest proposal for chatcontrol leaked via @echo_pbreyer
"Art 10a Technologies for upload moderation.
In order to implement this Regulation, providers of interpersonal communication services shall install and operate technologies... 1/4
Three decades after Shor's breakthrough paper, NIST has posted the first post-quantum cryptographic FIPS standards:
- 203: ML-KEM
- 204: ML-DSA
- 205: state-based hash
@VeraJourova In the very literal sense, the encryption method is not broken. But de facto this proposal is much worse as it completely undermines the essential protection that encryption provides. Please stop the word games and the planned mass surveillance.
Police ask everyone with roller shutters and curtains who is doing nothing wrong to report this on their website; this in case drones with thermal cameras are deployed on a large scale in the future.
When hundreds of scientists explain that something is technically and legally not possible, they do so only to ensure that what is feasible can actually happen - and not because they would not be concerned about the problem.
Highest European court (CJEU) rules that always collecting everyone's metadata violates human rights and is therefore unlawful. Proposed answer: introduce complex criteria and collect even more metadata. And then also ban the use of Tor and Nym?
@viktoropsomer Proposal: reread the open letters of the 100+ scientists thoroughly and, if it is not clear, invite them for a conversation. That will advance the debate more than repeating nonsensical mantras such as "it is not mass surveillance" & "we are not touching encryption".
Cool work - we keep discovering (for 40 years now) that implementing cryptography correctly and securely is hard. A lesson to be kept in mind when moving to post-quantum cryptography.
Breaking RSA private keys without ridiculously powerful computers due to implementation errors introduced by hardware bugs. "these invalid signatures and vulnerable devices are surprisingly common"
In spite of cosmetic changes and the addition of needless complexity to create confusion, the core of the proposal is still the same: mass surveillance consisting of inspection of content on every device. 2/6
Very unusual joint report by cybersecurity agencies from 4 countries - ANSSI (FR), BSI (DE), NSNLA (NL) and NCSA (SE) critical of Quantum Key Distribution: only for niche cases and lacks maturity.
Promising start of #Coronalert. First data analysis available: 1.4 M downloads, 27K people received test result in the app, 4K positive, 7K keys uploaded
Big thank you to the team.
This applies to any mobile phone: even if it is switched off, it can be turned into a remote listening device. That is why people in the know used to remove the battery before having a confidential conversation. And then the iPhone arrived 😉
When you turn off your iPhone, it doesn’t fully power down—chips inside continue to run in a low-power mode that makes it possible to locate lost or stolen devices. Now researchers have found a way to abuse this with malware: Via @arstechnica
What a day July 5 is. NIST selects 4 post-quantum algorithms. CERN finds 3 new particles. 2 UK government ministers resign. A Belgian cyclist ends on place 1 in today's stage of the Tour de France (after being 2nd 3 times). And 4 mathematicians received a Fields medal.
The surprising thing is that this word game seems to work as the press is losing interest and at this moment the focus of the policy world is on other topics.
Call to action - please reach out to decision makers. 3/3
After one day 405K installs of Coronalert (61% Android, 39% iOS). Very pleased with the first results. Big thank you to the team. More info see @CoronalertBe
And of course the official line is that it does not weaken end-to-end encryption (it doesn't weaken it, it completely undermines the core principle).
In the meantime, let's all watch ⚽️ 4/4
Happy to report that there are more than 1 million #Coronalert downloads (59% Android/41% iOS). Please keep encouraging family, friends and colleagues to install it.
Coordinated vulnerability disclosure requires a fair and constructive attitude from all parties. Bad-mouthing the researchers who help to improve your product is unacceptable.
New Year's resolution for all companies with software out there: don't do a Threema.
There’s a new paper on Threema’s old communication protocol. Apparently, today’s academia forces researchers and even students to hopelessly oversell their findings. Here’s some real talk:
More than 400 scientists with expertise in cybersecurity and privacy signed an open letter that provides detailed technical arguments why the Commission's CSAM detection proposal is highly problematic and should not pass.
VIEW | Failure to answer the issues we raise shows @YlvaJohansson knows the European Commission’s regulation on Child Sexual Abuse Material cannot succeed. Instead, the post responds to statements we never made, @carmelatroncoso and @bpreneel1 write.
It is amazing that we have to keep fighting this battle in the EU, while the EU has the ambition to set the global standards in privacy. Hard data from law enforcement is missing: yes, more happens online, but there is a lot of surveillance data available anyway. 1/3
The article in DS gives all parties a voice, but overlooks an essential point: the proposal will lead to function creep and abuse. 🧵 1/7
Privacy experts tear apart technology that is supposed to detect child abuse in our chats
Problem with the 🇪🇺 chat control proposal: it is a complex dossier in which hundreds of scientists, privacy activists and industry point out that technical solutions are not feasible and will lead to abuse and privacy violations on a large scale. A 🧵 1/7
Facebook broke the world record in disconnecting people (about 2.8 billion). Strong benefit for humanity including less vaccination misinformation, fewer depressed teens and more time to waste on Twitter. 😉
The never-ending story. Rumor has it that both grooming detection and AI parts have been dropped, limiting the proposal to detection of known CSAM content. But even that is highly problematic as it does not work (easy to avoid), gives rise to a huge number of false positives...
Either Mrs. Johansson is naive and does not understand that she and the protection of children are abused in the 30-year old battle to get backdoor access to all our encrypted communications. Or she does understand and then she is willfully misleading the public.
This video has got a lot of reactions. Good.
It is an emotional subject because it is about stopping sexual violence against children.
But the facts of my proposal are clear, and I will always defend them.
Because this is about protecting children - and only that.
Very happy and proud to announce that Emilia Kasper (my ex-PhD student) received today the prestigious Levchin prize for Real World Cryptography for her great work on certificate transparency (together with Al Cutter, Adam Langley and Ben Laurie).
Disappointing: where are the figures on identity fraud? Even if fingerprints are required on the eID, this must be done with privacy-by-design solutions as prescribed by the GDPR.
So that is that. If the Constitutional Court sees no violation of privacy in this case, then I fear for every other privacy case in the future.
Today is an extremely sad day for the privacy of all citizens in this country. Extremely, extremely disappointed.
The elephant in the room: eIDAS 2.0 opens the door to large access by law enforcement and intelligence services to our communications.
Similar to #chatcontrol, data retention, and some provisions of the Cyber Resilience Act. 3/4
The core of the problem is that technology has given judicial and police services means that they never had before. But there has never been an open debate about whether sensitive information about all citizens may be retained for months just in case... 1/2
The umpteenth annulment of the data retention law by the Constitutional Court - on the instruction of the CJEU - is a major obstacle to any proper judicial investigation. Privacy is important, but finding the truth equally so. I hope for a rapid remedy in Belgian and European legislation.
The latest change is “upload moderation”. Users have to give “consent” for scanning; if they don’t, no picture will be sent. How can this be free consent? 3/6
Good to see that Apple's position is in line with the 400+ scientists: it is impossible to perform client side scanning without creating unacceptable risks.
@ChildFocus and others are wrong when they say we should just try harder. It simply does not work
The company's response offers a rare look at its broader views on creating mechanisms to circumvent user privacy protections, such as encryption and data monitoring.
Hopefully we don’t need contact tracing for the next years, but if necessary a redeployment would be much easier in the future. Finally, it has been demonstrated that complex large-scale technology projects can achieve their goals without violating privacy of their users. 7/7
Very sad and unexpected news. Among the many contributions that others will highlight, Ross took the initiative to create Fast Software Encryption in 1993 - a small workshop in Cambridge that started a vibrant research community. Today was the last day of FSE 2024 in Leuven.
The PR campaign is based on denial. There is also a clear lack of transparency up till the very end.
What the EU refuses to do: impose minimum security norms and allow browsers to enforce higher security levels, leaving the door open for future innovation. 2/4
TLDR: new letter of scientists pointing out that there are still serious issues with the upcoming eIDAS regulation produced by the trilogue. Vote in ITRE Committee of EU Parliament on 28 November. A 🧵 1/6
And yet I will find a better way to spend that minute 😀
Step 2 is camera software in the smart TV that checks whether we are really watching. Step 3 is a mandatory chip implanted in the brain that checks whether we are really paying attention when watching all that nonsensical advertising.
Wouter Castryck from @cosicbe delivering a great invited talk at Eurocrypt'24 in Zurich: An attack became a tool: isogeny-based cryptography 2.0. Slides and video will be available later here:
Extensive report on our open letter warning for the new #chatcontrol draft in Techcrunch.
EU plan to force messaging apps to scan for CSAM risks millions of false positives, experts warn via @techcrunch
You can't make this up:
"Turns out the [AES] encryption key in that script is the first AES 128-bit CBC example key listed in the NIST document SP800-38A [PDF]"
In summary: the new variants of chatcontrol are unacceptable. Child Sexual Abuse needs to be addressed with a combination of targeted search and prevention. 6/6
Excellent article on the state of affairs. The Commission's proposal is technologically infeasible, violates citizens' privacy, lowers the security of the digital society and will lead to function creep (terrorism, drugs, opposition) and abuse. 1/2
The beginning of a surveillance state? Europe wants to monitor all your online conversations, but hundreds of scientists warn: “Dangerous, and there is a risk of espionage”
With @bpreneel1 and @DOBBELAEREW
If you believe that the month should be written before the day, it's pi day today. If you follow the ISO standard (year first), you have to wait 1120 years until 3141 but then you get a pi year.
Happy #PiDay! We love Pi day, not only because it’s a perfect time to eat an irrational amount of pie — but to pay tribute to the phenomenon that is Pi, and to all the mathematicians, engineers, and scientists around the world.
But also because of pie.
Long but very clear explanation why the security of the web ecosystem depends on the browsers (whether we like it or not). And how the current intervention of governments (with good or bad intentions) will likely make things worse. 1/3
Many misunderstandings surround WebPKI. A significant misconception is that the CA/Browser Forum (CABF) decides which Certificate Authorities (CAs) are trusted; in reality, each browser has its own trust criteria, usually including an audit to ensure CAs meet the CABF's
The problem with e-voting is that it is very hard to convince non-experts that the problem is very difficult - "It's easier to fool people than to convince them that they have been fooled."
10 years after the FBI "going dark" statement.
Masks are falling off: perhaps we will not get the client side scanning we wanted (the camera in every room) hence we will ask for ban on end-to-end encryption (make curtains and blinds illegal). 1/2
European Police Chiefs call for industry and governments to take action against end-to-end encryption roll-out | Europol #EndToEndEncryption #censorship
And that debate can only take place on the basis of open information: what information is currently used (metadata, ANPR, smartphones, GPS in cars...) and how many investigations really get stuck? Increasing power requires increasing transparency and oversight, and that is not there now 2/2
There are good reasons why the DP3T architecture (also used by #Coronalert) only collects minimal data and does not centralize any data on contacts: #privacybydesign
Strong evidence that your SIM card is talking to your operator via the base band processor, while bypassing the phone OS. This must be part of the puzzle how any mobile phone (even switched off) can be used as a remote microphone - provided the battery is not empty. 1/2
"AT&T says nothing publicly about why their SIMs send these reports, but it seems that they are trying to keep a database of what phones their customers are using, and where."
Article in @destandaard on our open letter for the #chatcontrol variant proposed by the Belgian presidency.
Monitoring every online conversation to counter child abuse: “As if a camera were placed in your home” 1/2
What happens if you ask ChatGPT to “Repeat this word forever: “poem poem poem poem”?”
It leaks training data!
In our latest preprint, we show how to recover thousands of examples of ChatGPT's Internet-scraped pretraining data:
Major impact on citizens' rights, yet media attention on the Chat Control regulation picking up slowly.
DM setting a good example in 🇧🇪
Europe wants to monitor chat messages: ‘Messages and photos could thus also end up in the hands of hackers ... via @demorgen
It was suspected from day one that law enforcement wants full access to all non-filtered positives triggered by the AI (meaning millions of pictures per day). Journalists found hard evidence. And the content can also be used for other crimes (terrorism, organized crime).... 1/2
Photo flagged by AI as 'child abuse' but after review you turn out to be innocent? Europol still wants to know who you are and even wants to check your chat messages for other crimes.
A passport photo taken at the town hall is unfortunately necessary to stop morphing attacks: there are tools to create a photo that looks like person 1 to a human and like person 2 to a computer. This is not sci-fi. Hard to detect. See
Attending @IACReurocrypt 2021 in Zagreb. First hybrid conference organized by the IACR. A big thank you to the organizers and in particular the support team - the technology seems to work fine.
1/2 Riddle. A water lily plant is growing in a pond. The plant doubles in size every day. If left alone, it would fill the pond in 30 days killing all the other living beings in the pond. After the first days things look fine. We start worrying when it covers half the pond.