Oppose the EARN IT anti-encryption act. It's back!
Closed, Wontfix (Public)

Description

The EARN IT anti-encryption act is back and has already passed the Judiciary Committee; the only chance to stop it now is overwhelming public pushback...

If it passes, that'll be it for KDE's mission to "empower users with freedom and privacy" and build a "privacy-respecting, open source and secure phone ecosystem".

End-to-end encryption is simply not compatible with the type of surveillance that states will demand, and that the bill’s sponsors have explicitly suggested.

Because unremovable backdoors (like the ones Apple wants to introduce) are the only real way to stop end-to-end encryption, we'll most likely be seeing just that. Digital privacy will become a thing of the past.

And since a lot of key tech companies are US-based, this bill will likely kill privacy worldwide, not just in the USA...

The time to ring the apocalypse bells is NOW!

Blog posts, SOPA-style website banners, especially Krita's (just to reach outside the tech nerd bubble, that's critically important), possibly even nag bars in actual software, anything goes, just PLEASE try to make sure to show them only to US users, and be careful not to trigger further privacy restrictions in undemocratic countries (I live in one)...

lordhelpus triaged this task as Unbreak Now! priority.
paulb removed a subscriber: KDE Promo. Feb 11 2022, 2:22 PM
lordhelpus added a subscriber: ngraham.
jriddell closed this task as Wontfix. Feb 11 2022, 5:21 PM
jriddell claimed this task.
jriddell added a subscriber: jriddell.

This isn't currently within the scope of KDE

lordhelpus reopened this task as Open. Edited Feb 11 2022, 5:48 PM

This isn't currently within the scope of KDE

Look, I fully understand that KDE isn't a privacy advocacy organization like EFF, but this is truly dire... If the bill passes, that's it for digital privacy.

I bet backdoors will even be backported to existing computers via Intel ME and AMD PSP (and soon Microsoft Pluton)...

KDE will no longer be able to empower users with freedom and privacy ever again...

ngraham closed this task as Wontfix. Feb 12 2022, 2:53 PM

This isn't the right way to communicate your point. You're damaging your own cause by coming off as a paranoid lunatic who always thinks the sky is falling. Please just stop it.

lordhelpus added a comment. Edited Feb 12 2022, 4:48 PM

who always thinks the sky is falling

@ngraham then please explain clearly why this isn't the case. How hard can it be?

I've asked you several times before, only to get back accusations and non-explanations.

Look, there's next to no trustworthy hardware left without Intel ME, AMD PSP, etc.

The US law is the only line of defense we have.

We're always one bad bill away from near total worldwide loss of digital privacy.

It looks like a US political campaign. Perhaps you should invest your time reaching a target group big enough to change US politics. KDE developers are far away from the 0.001% of the US population. It's not worth it.


Sure, but KDE developers are in a good position to reach out to Linux users, who are generally among the most worried about their privacy and the most ready to share information; the problem is that one might not even find out about this bill until it's already too late, robust encryption begins to be phased out, and backdoors start being introduced everywhere... Even sources such as FSF and LWN aren't covering this! And those that do don't even pin it to their front pages...

What we really need is an all-out SOPA-style protest, complete with a Wikipedia blackout. Instead, we're left with a deafening silence...

Look, there's next to no trustworthy hardware left without Intel ME, AMD PSP, etc.

You are right. For pretty much every computer or phone user of the world there are already backdoors in their devices which means privacy through encryption might not even be possible currently because there is already direct access to the devices themselves.

The US law is the only line of defense we have.

The US law is the opposite of a line of defense. From what I can tell the backdoors are implemented because companies are encouraged to do so by government agencies.

We're always one bad bill away from near total worldwide loss of digital privacy.

From what I can tell, we already have a worldwide loss of digital privacy. Most people use operating systems controlled by Google, Microsoft or Apple. All of them are actively working against people's privacy.

What we really need is an all-out SOPA-style protest, complete with a Wikipedia blackout. Instead, we're left with a deafening silence...

We don't get anything by ringing the doom bells every other day. The Linux users we reach are already aware that they can't expect privacy from these companies. Many non-Linux people are aware of it too but didn't switch for various reasons. We should be working on these various reasons so more than the 1% which are currently using Linux have the privilege to choose an operating system that cares about their privacy at all. KDE developers can't do that if they/we use their/our limited time and leverage for politics all the time.

Also keep in mind that free software is generally immune to national law because anyone from any other country can fork the software, remove any backdoors and stuff and then allow other people to download it. This is also true about the compromising of Firefox you are warning about in another thread.

The US law is the opposite of a line of defense.

It could be a lot worse! For now, American citizens can at least protect their privacy to the extent that they can. Why do you think they want to pass laws against end-to-end encryption so badly? They want to drive anti-surveillance software underground, nip initiatives to develop freedom-respecting hardware in the bud, and finally, begin using their hardware backdoors much more frequently and openly.

The Linux users we reach are already aware that they can't expect privacy from these companies.

Indeed, however not all know that they're attempting to bar us from even attempting to safeguard ourselves.

anyone from any other country can fork the software, remove any backdoors and stuff

Hardware backdoors are not removable. Until we can manufacture our own CPUs at home, all we can do is protest. But we don't.

This is also true about the compromising of Firefox you are warning about in another thread.

It is possible to remove the government's mandatory certificate. However, you will not be able to access any websites, since the government will screen all HTTPS traffic and then re-encrypt it with the certificate you removed.

Censored users will be left behind in the cold. In order to circumvent censorship, a secure protocol that can conceal normally blocked traffic is essential. Without such a protocol, the censored will have no place to hide.

The US law is the opposite of a line of defense.

It could be a lot worse!

Could it be? We know since Snowden that every US citizen is spied on and except the most techy of people, hardly anyone even chooses Linux because of it. The way bigger offender are smartphones anyway. https://edwardsnowden.substack.com/p/all-seeing-i?utm_source=url

anyone from any other country can fork the software, remove any backdoors and stuff

Hardware backdoors are not removable. Until we can manufacture our own CPUs at home, all we can do is protest. But we don't.

Right, but the hardware backdoors are already there. This ship has already sailed.

For now, American citizens can at least protect their privacy to the extent that they can.

But it is questionable if this is effective at all because this is assuming that all the backdoors are known and it is known how to circumvent it.

It is possible to remove the government's mandatory certificate. However, you will not be able to access any websites, since the government will screen all HTTPS traffic and then re-encrypt it with the certificate you removed.

Maybe you know something that I don't. You make it sound like the law (if it passes) is forcing browsers to exclusively use government CAs. This isn't the case AFAIK.

Censored users will be left behind in the cold. In order to circumvent censorship, a secure protocol that can conceal normally blocked traffic is essential. Without such a protocol, the censored will have no place to hide.

Also I am not sure if you are aware, but an EU fund has recently even paid for KDE contributors to implement end-to-end encryption in KMail and NeoChat. The situation is definitely not as dire in the EU as you make it out to be.

Why do you think they want to pass laws against end-to-end encryption so badly? They want to drive anti-surveillance software underground, nip initiatives to develop freedom-respecting hardware in the bud, and finally, begin using their hardware backdoors much more frequently and openly.

I hope I am not coming across like this isn't a problem. I think this is quite terrible for everyone's security but also keep in mind that some countries already have such laws and that privacy-infringing behaviour is happening everywhere all the time currently and the world hasn't ended yet. It is also very much something that people from non-US countries have very limited control over and the KDE contributors from the US are only a handful within KDE.

We don't really have the possibilities to be outraged every time a country removes privacy. If we want to be able to do stuff like this we need contributors for this. A group of people that really only wants to do political stuff within KDE and most importantly developers that would implement whatever might be necessary to only bug the people about it which would be affected. This is already a technical problem in itself.

Generally I think the way more terrible tech-induced problems are happening out in the open already: User tracking, manipulation, tech-waste production, exploitation, … Freedom is at stake not only in the technical world either. See the recent war as an example.

https://www.eff.org/deeplinks/2021/08/if-you-build-it-they-will-come-apple-has-opened-backdoor-increased-surveillance

But many times potent pressure to access encrypted data also comes from democratic countries that strive to uphold the rule of law, at least at first. If companies fail to hold the line in such countries, the changes made to undermine encryption can easily be replicated by countries with weaker democratic institutions and poor human rights records—often using similar legal language, but with different ideas about public order and state security, as well as what constitutes impermissible content, from obscenity to indecency to political speech. [...] They will contend that if Apple is providing access to any nation-state under that state’s local laws, Apple must also provide access to other countries, at least, under the same terms.

Clearly, the EFF believes that they have yet to build up the necessary pretenses for using their worst backdoors whenever they want, and we are still some way from reaching the level of 1984. I assume they did their due diligence here, and their claim of hope is not false. But if we don't fight to preserve it, it may disappear forever.

You make it sound like the law (if it passes) is forcing browsers to exclusively use government CAs. This isn't the case AFAIK.

You're right, but again, the EFF is less concerned about the EU, and more concerned about what countries with less than democratic outlooks might do if they're granted an excuse to mess with HTTPS security.

We don't really have the possibilities to be outraged every time a country removes privacy.

But the US isn't just "a country"; it's the leader of the (supposedly) Free World, and home to some of the most influential tech companies, such as AMD, Amazon, Apple, Google, Intel, Microsoft, and so on... Its influence extends far beyond its borders. Attacks on end-to-end encryption in the US will have global consequences if they succeed...

It is also very much something that people from non-US countries have very limited control over and the KDE contributors from the US are only a handful within KDE.

  1. My proposal is to target users instead of developers via the websites of popular applications such as Krita and Kdenlive; maybe even include pop-ups in the apps themselves.
  2. My apologies for not clarifying, but I also hope that once KDE breaks the silence, other open-source projects will follow its lead.

And the silence truly is unsettling... Many people and organizations who normally are deeply concerned about privacy and often discuss it, like the FSF, LWN, Tor, and Matrix, did not cover the reintroduction of the EARN IT Act at all (even though some did cover it when it first came up)...

It's almost as if the NSA is blackmailing key FOSS figures... Hope that's not what's happening and there's just a lack of awareness...

Clearly, the EFF believes that they have yet to build up the necessary pretenses for using their worst backdoors whenever they want, and we are still some way from reaching the level of 1984. I assume they did their due diligence here, and their claim of hope is not false. But if we don't fight to preserve it, it may disappear forever.

Not meaning to discourage you but maybe check out this article by Amnesty International about the Pegasus Project: https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/ Journalists already get killed in some countries even before they publicise their articles.

We don't really have the possibilities to be outraged every time a country removes privacy.

But the US isn't just "a country"; it's the leader of the (supposedly) Free World

I disagree with this but I don't want to debate it. Keep in mind that KDE is an international community with people that do value their own countries.

Attacks on end-to-end encryption in the US will have global consequences if they succeed...

Only if other countries don't enforce their own law in which case US companies are already free to do whatever they want there currently.

It's almost as if the NSA is blackmailing key FOSS figures... Hope that's not what's happening and there's just a lack of awareness...

We don't even have anyone regularly working on KDE's webpages currently. Some webpages haven't been touched in a decade. Only one of the people doing promotion for KDE is paid. At least when it comes to KDE I am pretty sure nothing sinister is the cause of the silence you are talking about.

My proposal is to target users instead of developers via the websites

If you make a merge request for showing a banner against that anti-encryption act for US people only, I believe there is a relatively good chance that it will be merged and shown to users.

If you don't, it is like I said: "we need contributors for this"

websites of popular applications such as Krita and Kdenlive;

You'll have to ask the contributors of these applications. It is for a big part their decision because it is their product.

maybe even include pop-ups in the apps themselves.

For the applications that I have some control over I would be opposed to this, but that is mainly because I wouldn't know where to place this without immensely annoying users. Aside from that, it is also a bit of a privacy challenge. We don't want to show this to non-US people, but we also don't want software to track the location of users.