
> SecureBoot in itself also does not in any sense stop general purpose computing of unsigned code.

It's true that SecureBoot isn't enough, but its current lack of ubiquity is the only thing holding back such a law. A government couldn't demand that a large proportion of voters throw away their PCs / phones, but requiring people to use an "approved" app store is as simple as writing a law and making a couple of calls to Microsoft, Apple, and Google. (See the end of this comment.) Just look at how quickly voters accepted having to carry around a Covid Pass app.

> and you've just kneecapped your software industry ... The EU has a long history of crazy demand like this

Indeed, and this is what people said about the GDPR, and it's what people said about Apple's on-device content scanning, and yet both of those got implemented (to some extent). The regulations I'm imagining are actually quite modest, and basically all software industry groups would support them. They just have to publish a public key on their website, perhaps in some .well-known location, and that would be enough to connect their submissions to app stores with their official company registration details.

Germany, for example, already requires that companies include Impressum information on their websites[0], and the EU is apparently trying to take this idea to its logical extreme with its controversial QWAC certificates[1]. In reality, it is businesses who decide what is reasonable or practical for a jurisdiction to mandate, and Apple is already making people pay an annual developer's tax to them to prove their identity, so no politician is going to say that an "online software development licence" is some sort of impossibility or gross infringement of people's freedoms. (Indeed, a law that makes things slightly more inconvenient for small developers/companies will only be more supported by the lobbyists of big companies, which is further grounds to suspect this will happen.)

> If a channel can transfer language, it can transfer data.

You're right, it is possible to generate files that hide encrypted data within them, while also deniably hiding the fact that the encrypted data is there at all, and to do so in a way that is robust against the digital-analog-digital round trip (twice, since both the sender and receiver have to transfer the message between a locked-down and a jail-broken device). And of course the software to do this will have to be sent carefully from person to person, on USB sticks, since any computer that's allowed online will treat it as malware. And people will have to preserve old, unapproved devices to run this code on, which will become increasingly hard to find (with the sale, and then possession, of them being made illegal).

> But we're talking a regime more oppressive than China for this to even be relevant.

It's not more oppressive than China, at least not at the beginning. The first steps are already in place, and no one complained. If a jurisdiction can mandate multiple app stores, then it can mandate only "approved" app stores, and 50% of the population (the Apple fans) will cheer for such regulations, saying that side-loading is dangerous and only the most trusted gatekeepers should be allowed to decide what runs on people's devices.

If you're still not convinced, imagine that the law initially applies just to companies, and is pushed to prevent piracy and to protect cybersecurity of the economy. Would companies really reject such a rule (if it was phased in over a long enough timeframe that all their computers already supported SecureBoot by default)? Perhaps there would be an exemption for software companies to start with, if you think that's a sticking point. Also, imagine these laws being introduced in the aftermath of a cyberattack on energy infrastructure which causes massive prolonged blackouts. I'm not saying this would be a false flag... I'm just saying that one way or another, such a law will pass, even in a liberal democracy.

[0] https://www.ionos.com/digitalguide/websites/digital-law/a-ca...

[1] https://en.wikipedia.org/wiki/Qualified_website_authenticati...


