Realistically the EU only cares about protecting their citizens from private companies, and especially American ones. When it comes to government overreach they know virtually no bounds.
Then the US on the other hand does decently protect its citizens from the government itself (well, this recent year/administration notwithstanding), only because the US government knows full well they can just turn around and grab all the data they want from the private American companies they don't regulate at all.
I shared your comment with the author and we're going to reorder some of the sentences in a little bit to highlight the fact it's a backdoor earlier. We've talked about Chat Control so much over so many years (because it keeps reappearing) that it's easy to forget many haven't heard of it lol
I think one source of confusion is that many probably see "Chat Control", expecting it to be a reference to one specific proposal or legislation (a la "GDPR" or "DMA"), while it's an umbrella term you use to group different proposals pushing the same agenda and end-results. Readers look for one face to point at but it's a hydra and they just leave confused.
Clearly defining the term and its intended meaning would do well, I think.
Sure you can. For example, the UK will jail you if you refuse to disclose a cryptographic key for something encrypted that the court wants to see, so long as the judge is convinced that you know it. I could easily see that extending to steganography: "there's no rational justification for you to have this file, and statistical analysis patterns show that it likely has a steganographic payload".
"Sir, those are just internet memes I've been sharing with a friend of mine"
The whole point of this technique is that with sufficiently low information density the data is not recoverable unless you know what you're looking for, because it's indistinguishable from noise.
> "Sir, those are just internet memes I've been sharing with a friend of mine"
"I don't believe you, so now you're going to be in the locker for contempt of court until you provide law enforcement access to this critical evidence."
Of course, because I can bet on the fact that no one will find anything having just those images.
Again: the signal is below the noise floor. Unless you really know what to look for, you'll just find noise. Whoever seizes these files would have to at least know the specific method used, particularly if the content is also encrypted.
Take, for example, JPEG as a vessel for steganographic content: the image is divided into 8x8 pixel chunks. If you encode just one bit of entropy in each chunk, a 320x240 image will yield 1200 bits, so 150 ASCII characters. Mangle it with a one-time pad for good measure so that it actually looks like noise. How did that noise get there? Well, it's lossy compression, your honor.
There are so many ways to encode that one bit in such a large piece of information that authorities are better off drugging, bribing or torturing you or whoever was the recipient of that message than trying to decode it.
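The capacity arithmetic and one-time-pad masking from the comment above, as an added example that is not part of the thread. It assumes a constructed raw grayscale pixel array and uses the least-significant bit of one pixel per 8x8 block as a simplified stand-in for a JPEG carrier; all function names are hypothetical.

```python
BLOCK = 8  # JPEG works on 8x8 pixel blocks

def capacity_bits(width, height):
    """One payload bit per complete 8x8 block."""
    return (width // BLOCK) * (height // BLOCK)

def block_indices(width, height):
    """Row-major index of the top-left pixel of every complete block."""
    return [y * width + x
            for y in range(0, height - height % BLOCK, BLOCK)
            for x in range(0, width - width % BLOCK, BLOCK)]

def xor_pad(data, pad):
    """One-time pad: the pad must be at least as long as the data."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message")
    return bytes(d ^ p for d, p in zip(data, pad))

def embed(pixels, width, height, message, pad):
    """Copy of `pixels` carrying message XOR pad, one bit per block."""
    masked = xor_pad(message, pad)
    bits = [(byte >> (7 - i)) & 1 for byte in masked for i in range(8)]
    if len(bits) > capacity_bits(width, height):
        raise ValueError("message exceeds one bit per block")
    out = list(pixels)
    for bit, idx in zip(bits, block_indices(width, height)):
        out[idx] = (out[idx] & ~1) | bit  # simplified carrier: pixel LSB
    return out

def extract(pixels, width, height, n_bytes, pad):
    """Read n_bytes back; without the right pad the result is noise."""
    idxs = block_indices(width, height)[:n_bytes * 8]
    masked = bytearray()
    for i in range(0, len(idxs), 8):
        byte = 0
        for idx in idxs[i:i + 8]:
            byte = (byte << 1) | (pixels[idx] & 1)
        masked.append(byte)
    return xor_pad(bytes(masked), pad)

if __name__ == "__main__":
    import secrets
    w, h = 320, 240
    cover = [secrets.randbelow(256) for _ in range(w * h)]  # constructed image
    msg = b"memes".ljust(capacity_bits(w, h) // 8, b".")
    pad = secrets.token_bytes(len(msg))
    stego = embed(cover, w, h, msg, pad)
    print(capacity_bits(w, h), extract(stego, w, h, len(msg), pad) == msg)
```

Pixel-domain LSBs do not survive JPEG recompression, so this models the arithmetic and the masking only, not a carrier that would pass through a lossy encoder.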
I mean, not just the UK - it eventually changed in the US, but anything deemed too strong to crack was classified as a munition for a while in the 90s and 00s, and some things are still banned from being shipped to some places -
Totally. This is exactly the problem with things like Chat Control in the EU and KOSA in the US. They will just introduce the same bill over and over and over again until they get the desired result.
What we need is for legislatures to pass "NO Chat Control" and "NO KOSA" bills that specifically block this behavior, but unsurprisingly governments don't seem to be too keen about limiting their own rights, only those of their citizens.
True, and this is also the case in many other countries. Even if it is revocable by future legislation though, having pro-privacy laws on the books to prevent the current executive powers-that-be from abusing them would still be helpful.
A lot of these laws are now attempting to apply extra-territorially, e.g. to servers and companies in the US just because people in the UK are connected to the same internet, with punishments meted out if any part of that company does any business in the UK even if it's unrelated.
It might be interesting to go the other way: Get it put into the constitution of a major country that these kinds of backdoors are banned world-wide and you can't do business in that country if any part of your enterprise implements them anywhere else.
To begin with this would make it harder to pass laws like this in other places -- domestic companies with international operations would put up stronger opposition because it would compromise their ability to do business elsewhere, and legislators might actually be concerned about that. And then on top of that it would force the companies to choose which subset of the world they want to operate in, allowing people in oppressive countries to pick up uncompromised devices from the places where compromised devices are banned.
The US constitution already has a provision against unreasonable search properly enshrined, and well tested in courts. Things like KOSA can be rejected as clearly violating it.
The EU does not seem to have such a simple and ironclad norm.
Ah, that constitution must explain why we never see people being abducted in broad daylight by goon squads in the US, right? Because anything that clearly violates the constitution would obviously never happen there. Because you're the best country. The greatest.
I'm not sure if the 4th amendment applies to deportation of non-citizens, and secondly you would have to take it to the Supreme Court to find out.
In comparison to the US constitution, EU "norms" might as well be toilet paper. For example, they have some notion of "free expression" which sounds like free speech but is defined to be so weak as to be useless. The European public broadly does not seem to care, they certainly aren't willing to kill for their rights.
Other commenters already mentioned that the current situation in the US shows how fragile this "ironclad" norm is. Aside from that, though, the fourth amendment wouldn't necessarily prevent a law that requires companies to scan the data and creates certain liabilities if they don't. The weakness in the US's version of such "rights" is that none of them actually guarantee that any individual rights are to be protected against all comers; they restrict the government from doing certain things but allow private actors to do those same things.
I mean that'd certainly be nice, and it is also their only job, but even if they wanted to do it in regular legislation that'd be better than nothing.
Make a law that says companies have to protect the data of their citizens without the possibility of any intentional backdoor, perhaps. Make a law that says companies can't require people to dox themselves with ID scans simply to use a publicly available internet platform that provides no services in the physical world. Make a law that says OS developers can't create client-side scanning services that upload results off-device without revocable user consent.
No security is perfect, you can only create walls and speedbumps. It makes it harder. You're right, limit the power, but that doesn't mean you can't do both. The latter is much harder.
This post is 3 years old and mostly talking about a completely different website, because the poster didn’t know privacyguides.org moved to a new domain after the old one was hijacked.
Most are, most are affiliate link-farms in disguise as well, and privacyguides.org is written in response to such guides.
It is called privacy guides and not security guides for a reason, and many of our basic "recommendations" are geared towards a specific threat model that does not include, for example, being targeted by law enforcement or others with access to zero-day vulnerabilities or similarly targeted exploits. They are geared towards avoiding commercial-grade tracking, especially by corporations, and dragnet mass surveillance programs.
This is why we place so much of an emphasis on threat modeling before suggesting recommendations in the first place though, to make sure readers know exactly when the recommendations apply to them and when they instead need to seek additional resources. We have countless pages within our community forum detailing why and when Chromium is technically superior to Firefox.
This is also why we don't recommend Firefox on mobile devices at all, because while we do feel Firefox on desktop is adequately secure for many people, we don't feel that is the case on Android, unfortunately.
Anyways, thank you for your insight. I will look into making this more clear at a glance.
We don't have a deal with Brave. It was added almost 3 years ago, and nobody has even proposed removing it in the time since. Furthermore, it would be insane and likely illegal for a public charity to strike a deal to serve an undisclosed advertisement for a product from a private company.
I think our position on Brave is clear enough from the very first paragraph in the guide:
> We recommend Mullvad Browser if you are focused on strong privacy protections and anti-fingerprinting out of the box, Firefox for casual internet browsers looking for a good alternative to Google Chrome, and Brave if you need Chromium browser compatibility.
> We recommend Mullvad Browser if you are focused on strong privacy protections and anti-fingerprinting out of the box
Just want to put emphasis on “out of the box”. Changing any of the default settings will cause you to stand out. The fingerprinting protection is essentially to have a bunch of people all using the same browser with all of the mechanisms used for fingerprinting being either disabled or giving the same results on all installations; everyone has the same fingerprint.
We cover that too [0]. In addition, while I wouldn't blanket recommend a VPN usually, it's important to use a VPN in conjunction with Mullvad Browser (specifically). If you're not blending in with a crowd of similar browsers at the network level too, the fingerprinting protections are a bit pointless.
> Like Tor Browser, Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: Standard, Safer and Safest. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default security levels. Other modifications would make your fingerprint unique, defeating the purpose of using this browser.
> We recommend Mullvad Browser if you are focused on strong privacy protections and anti-fingerprinting out of the box, Firefox for casual internet browsers looking for a good alternative to Google Chrome, and Brave if you need Chromium browser compatibility.
What about a WebKit based browser?
"Orion comes with state-of-the-art ad and tracker blocking enabled by default, unlike any other browser in existence... Beyond blocking all ads and trackers by default, Orion is also a zero telemetry browser. It protects you from websites on the web, and the browser itself never leaks your private information anywhere."
> Then the US on the other hand does decently protect its citizens from the government itself (well, this recent year/administration notwithstanding), only because the US government knows full well they can just turn around and grab all the data they want from the private American companies they don't regulate at all.
Two approaches with the same outcome, absolutely.