Tell the EU: Don't Break Encryption with "Chat Control"
mozillafoundation.org
The Mozilla Foundation is campaigning against the EU's proposed 'Chat Control' legislation that could break encryption, sparking a heated discussion on the implications of such a law on privacy and security.
Posted to Hacker News on Sep 22, 2025 at 6:01 AM EDT (story ID: 45331217).
https://blog.mozilla.org/en/mozilla/we-need-more-than-deplat... https://archive.ph/ia2z4
I see the link is now broken on their site so perhaps they have thought better. STFU and just make Firefox.
Still true that cool URLs shouldn't change, of course.
This article is simply about justifying political repression. Then the repression proved ineffective, the article became needless, and since justifying political repression is a rather toxic activity, the article was removed.
- Germany is currently not opposed to it (https://news.ycombinator.com/item?id=45273854).
- EU doesn't require all countries to support it on the council level (or parliament level). You just need at least 55% of countries (at least 15) that represent at least 65% of citizens. To block it you need at least 4 countries that represent at least 35% of citizens, we are at ≈22%.
"If you were able to break encryption only for criminals, it would increase the security of the people. Please try to break encryption only for criminals" is not completely unreasonable.
The problem, of course, is that it's not possible. But for those politicians, cryptography is pretty much magic. Why wouldn't it be possible?
Same thing happens for climate change: instead of understanding the problem and facing reality, politicians (and honestly most people) stop at "scientists just need to find a way to remove CO2 from the atmosphere efficiently". That's not how it works, but it doesn't prevent them from behaving as if it was possible. "It's magic, just do this one more spell".
For most of human history, war of aggression was a matter of a cost-benefit analysis which often had more benefit than cost. That has changed (relatively) recently because of how destructive it is that even the winner does not gain from it.
Point being, hierarchical authoritarian structures are very good at war (and other kinds of competition). That's why they exist. But they should no longer be needed.
They are entrenched and we need to evolve away from them.
Few, if any, politicians are nuclear physicists, and I'd argue nuclear physics is far more complex than cryptography, yet I haven't seen any of them ask the weapons industry to manufacture a nuke for just the bad guys.
Let's not attribute blatant malice to stupidity. People in these positions have the resources and advisors to know exactly what the consequences will be.
And yes, this is an attack on basic human freedoms and should be punished, not just prevented.
- They think it's easy to just ask engineers to magically make safe backdoors.
- You think it's always easy to know what is right and what is wrong. "We should just punish those who harm society". Sure, we should! And we should have safe backdoors!
We're not talking about "being able to do it" but "being able to understand what it can do". Nuclear weapons are a lot easier to grasp than cryptography in that sense: it is a thing that explodes. It is absolutely obvious to everybody that a bomb destroys whatever is in the vicinity.
> Let's not attribute blatant malice to stupidity. People in these positions [...]
It's not people in these positions: the vast majority of the population doesn't understand the limits of cryptography.
> have the resources and advisors to know exactly what the consequences will be.
Seems to me like you haven't been in contact with lobbies and expert advisors. Many times, politicians will have to ask experts from the industry. They would not contact an average engineer for advice, but rather the company itself. If there is money to be made, the CEO or some executive will give their advice. This advice is systematically beneficial for the company. It's not necessarily malice: a CEO has to believe in what they are doing, even if it is objectively bad for society.
It is very hard to find unbiased experts to help you forge policies.
And the engineers' response is "not our job, it's yours. Please invent and patent such thing yourself, then we MAY execute". As it stands, it is in fact completely unreasonable.
More substantial parts of discussion regarding Chat Control and similar regulations always had to do with philosophical, almost syntactic level feasibility of such implement, against which beyond fusion reactor level of unilateral skepticism had been constantly cast from engineers, combined with negativity coming from its generally unethical nature, rather than mostly about ethics or freedom.
You're saying it's reasonable that they want warp cores today for coming winter, and I'm rolling eyes, that's not directed personally at you.
> You're saying it's reasonable that they want warp cores today
I am not. If they asked for warp cores today, I would say they are idiots. But they are not.
Not so long ago, communications on the Internet were not end-to-end encrypted: WhatsApp put e2ee on the map by integrating the Signal protocol in 2016. That's less than a decade ago. Not long before that (a few years, really), I had a Firefox extension that could get the credentials of people connecting to their Facebook account over HTTP while on the same network. For decades, the police has been able to just tap phone lines.
Did all countries turn authoritarian because of that? Not at all. Now we're coming with better encryption, and some politicians see it as a degradation of security ("we can't do what we used to do to chase criminals"). And they are right!
Security is a tradeoff. You and I believe that in 2025 it's better to have strong encryption for the masses, even if it makes it harder to tap on criminal conversations. Because whoever gets access to all that data has a lot of power.
But now go to an average person and ask them how much they care about the privacy issues in today's Internet? They don't give a shit. They will let anyone collect their data if they get a discount for it. They "have nothing to hide". They just don't see the problem.
Politicians are normal people. They also don't see the problem with weakening encryption (to a state that, as far as they understand, is still better than what used to be not so long ago) in order to not weaken security.
Telling them that they are idiots is not the way to convince them that they may be wrong.
Have you ever had a really great mentor or teacher who was excellent at explaining things to you? Good news, you've now got a budget to hire several of them in full-time exclusively for yourself.
Unsure about something? Just ask and a huge apparatus of several departments, featuring dozens of expert panels with hundreds of domain specific experts each will sift through huge databases, many of them not available to anyone else but the government, of state-of-the-art research, current events, historic events, standards, whatever ..., they will analyze your problem from every possible perspective and make the result of these efforts available to you, together with several recommendations of actions according to the guidelines you provided.
I highly doubt that there are more than a hundred people on this planet who could be incompetent under these conditions. What we're observing is not incompetence, but a conflict of interests, between what they want and how often they need to throw you a little bone to keep you obedient.
No. Much of the legislation that gets introduced is provided as "model legislation" by political action groups (such as ALEC). This is why so many states seem to introduce the same legislation all at once.
The party whip tells them what to vote for. Sometimes, sensible people stop deranged legislation from getting out of committee (such as banning all mRNA vaccines (ID in 2024 & 2025, KY in 2025) or requiring blood banks to provide "pureblood" (from people who never had covid vaccines) at no additional cost to anyone requesting same (ID & KY in 2025)). Or the one from ID in 2024 that would have made providing blood from a person who had a covid vaccine a felony.
You can follow along with the state legislatures at: https://www.billtrack50.com/info/
And the feds at: https://www.congress.gov/
For example, HR 22 passed the House of Representatives along party lines. The Senate has not scheduled the bill for hearing/vote yet. This bill is only 2 pages long, but I would like you to read it and take a guess at who they are trying to ban from voting in Federal elections. It has never been legal for non-citizens to vote in federal elections.
https://www.congress.gov/bill/119th-congress/house-bill/22/t...
> A form of identification issued consistent with the requirements of the REAL ID Act of 2005 that indicates the applicant is a citizen of the United States.
This is called an Enhanced Driving License and only 5 states (MI, MN, NY, VT, and WA) issue these. From the front, they look just like the REAL ID compliant ID/DL from that state but with a cute little American flag on the front. The back has the funny OCR text like the page in your passport with your picture.
They are trying to ban the following from voting in Federal elections:
1. Transgender people.
2. Non-citizens.
3. Women who took their husband's name upon marriage.
4. People who changed their name.
5. People who can't afford the $200 for a US Passport (if you never had one before, or lost yours like I did, this is about what you have to pay, otherwise it runs $110).
6. All of the above.
7. Something else (please explain)
If this passes, just stop using anything inherently insecure. You may want to stop using WhatsApp, Instagram, Facebook, etc. for private conversations. I already do this.
There are alternatives that will not be affected by this, stick to these. I would give you a list, but I should better be quiet about it.
For how long?
In any case, Signal is not what I had in mind. Telegram is not what I had in mind either, and in fact, Telegram still has no E2EE on desktop so whatever.
EDIT: (I’m throttled and can’t reply to the child reply) - I said ANY phone number will work. You can get a number from any country, or a VoIP number, or a landline. It doesn’t need to be a sim card from the country you’re in. It doesn’t need to be a sim card at all. Any number will work.
If your country requires details to get a number, get a number from a different country. Unless you’re in China or Russia, we’re on the same internet with the same access to jmp.chat and others.
These attacks on freedom will continue until every computing device is mandated to have an ML system tracking your every input. And no communication method is safe from that.
Not even steganography would save you because more and more people would do it and they'd make it illegal too.
---
EDIT: Technology can give us tools to fight it but this has to be defeated at the political level, likely by enshrining privacy as a core human right.
Well, in that case yeah, that would suck. OTR, OMEMO, etc. would not help then. Collectively not buying new hardware and pushing against it collectively might.
Steganography to do key exchange on any compromised channel using DH, and then you just send normal encrypted messages - their magical idea is to do client side scanning.
This does require control over your device, but such regulations would just spring up a black market for such devices.
An app, in an official app store no less, is not going to be a solution for long. If you want an actual technical attempt at a solution you first need to regain ownership over your computing devices.
You can trust GNU/Linux phones though (Librem 5 and Pinephone).
By pure coincidence the walls are closing in from all sides.
EU ministers want to exempt themselves (https://european-pirateparty.eu/chatcontrol-eu-ministers-wan...)
But then it begs the question, why politicians feel the need to use public (>50MMAU) chat systems to conduct the protected (official) business?
It also begs the question why CSAM "distributors" would use those ;)
I think politicians should not be stupid and isolate their official business from the private one. (That would be ideal, anyway).
Selective pressure on the intelligence of criminals will cause them to become more intelligent.
You now need even more draconian legislation to disproportionally keep catching the intelligence-wise lowest quantile of criminals.
The locations where exempts are gathered, locations where there are high commerce traffic and/or verified sent-in data, but no sent-out data, or abnormally low traffic altogether, those are all high-value targets as well.
No matter how you slice it, they're creating a list of airstrike targets and means to aid literal foreign spies. If the affected locations and people are as obvious and well guarded as the US DoD headquarters and uniformed guys there, fine, otherwise, they're just creating doors in the wall exclusively open for "enemy" uses.
Of course they don't need to spy on themselves. The goal is to stop targeted attacks against politicians and any attempts to overthrow the government. The government is uniquely unlikely to overthrow itself.
I don't remember Democrats ever conducting a legal (fake elector scheme) or extralegal attempt (insurrection) to overthrow an election. I don't remember any leader ever saying the kinds of hateful things Trump does. Even Reagan and Bush 1 who peddled the whole "welfare queen" bullshit. I don't remember any admin prior to this one that removed research and published number wholesale from government website.
This is not normal and hasn't been for some time. I don't have a comprehensive list right now of all the ways this is batshit crazy because keeping track would be a full time job.
But sure, let's bookmark this thread and come back to it.
And of course if you do still consider further it only gets worse.
"All animals are equal, but some are more equal than others."
..and this was allegedly Orwell's allegory for the Soviet Union. Are we there yet?
Maybe when they see private conversations with their colleagues being leaked because someone stupidly used their personal account, they'll see the light.
This is dystopian. Who is behind this coordinated attack?
It affects everybody in the world messaging a person in EU.
What we should be advocating instead is the freedom of doing whatever we want with our computing devices, which includes rejecting the sort of crap companies and various governments like to impose on us.
The client-side scanning means that some amount of your communication will be uploaded in clear text to the government. And unless the government keeps it completely secure (spoiler: they won't) this will leak. Therefore it defeats the point of the encrypted channel.
So sure, it isn't as bad as just removing encryption from these apps. But it is very similar to giving the government a backdoor key to all messages. Maybe you see it as slightly better because only the messages flagged by the automated scanning are made vulnerable or maybe you see it as slightly worse because previously you would need both the backdoor key and access to the original messages and now all of the data you want is in a single location.
But the point is that this significantly weakens the security properties that these E2EE messengers provide if implemented.
Ever wondered why they position themselves like that? Because they repeated it so often that everyone believes it now.
I feel:
- The most danger in my life is from deranged people like some rando homeless person who decides to push me under the subway out of the blue. The second biggest danger is unemployed drug-using losers who might try to rob me in the street. The third danger is aggressive groups of teenagers (which happen to usually be a certain minority where I live) who might try to beat me up because somehow that is how they gain status among each other.
- If I was a woman, the fourth would probably be getting raped. Most probably by an immigrant, usually from a Muslim country. This might be incredibly controversial to US people but in the EU, we hear about these cases regularly. I am not saying every immigrant or Muslim is a rapist. I am not saying they rape at a much higher rate than the native population. This is why I prefaced everything with "I feel" because these 4 reasons are the narrative I see from the media. OTOH I would be surprised if there wasn't _some_ measurable correlation - I would love to see this quantified but at the same time it's the kind of thing where you get accused of being an -ist or -phobe no matter which result you get.
Anyway, taking away people's privacy does not help with any of these.
But that's not the point.
The most danger to a politician's life is from:
- Terrorists.[0]
- Non-deranged (sane) people who are so ideologically opposed to the politician's views and actions that they decide the only way to stop them is to attack them physically.
Taking away people's privacy helps with both of these. If performed by a group of people, there's the obvious need to communicate and organize. If performed by a single individual, then he still has to perform reconnaissance and acquire tools, both of which are likely to be done online to some degree.
---
So you see, it's not about people's safety. It's about politicians' safety.
[0]: Terrorism is by definition the intention to cause fear among the population. It was later redefined as trying to affect political change through violence, which is stupid but it serves the purpose of politicians using terrorists as a source of fear, despite the average person being incredibly unlikely to be hurt by one.
New Pact on Migration and Asylum (https://en.wikipedia.org/wiki/New_Pact_on_Migration_and_Asyl...)
'Women Are No Longer Safe': Critics Blame Surge in Migrant Crime Across Europe (https://www.ibtimes.co.uk/women-are-no-longer-safe-critics-b...)
While crime has gone up significantly in Britain in the last 10 years, many other dramatic events have also occurred, including voting itself out of the largest regional trading bloc and losing out on financial markets to the Middle East.
We are at a point where we shouldn't have to justify opposition to it. Just hold legislators of the EU accountable. If that isn't possible, hold the whole EU accountable and if that isn't possible, the EU has no legitimacy for such laws in the first place. Back to those responsible on a national level and repeat.
I have no idea what this means.
You probably don't like the comparison because you want to be an alarmist who is acting like this is new. All the fears you have, have literally been proven to be...
Also, Signal was released not because of end-to-end encryption but because the founder sold WhatsApp and wasn't happy with the direction.
Nobody I know heard about it before Snowden. You need to provide some statistics to demonstrate it was a common knowledge.
It was referenced in popular media for decades... So people knew about it and it was public knowledge. The reason no one cared is that the outcome of it wasn't the horror story being repeated constantly.
The funny thing is, if you think this law would affect you, it will probably reduce the amount of data they get. Why? Because they still spy on you with end-to-end encryption, it's just more work and they hack the shit out of you.
What are you talking about?
> and they hack the shit out of you
Good luck. I'm using Qubes OS btw.
You kind of own your home – if someone places a camera in your property, you can just remove it / obstruct vision / sound etc. If doing that will send you to jail then the level of dystopia around is so big it's irrelevant anyway – you're a slave with no rights and you will do what the shocking stick tells you to do.
Phones are different - you kind of don't own them by default because the bootloader is locked so you are not free to execute the code you want on the device, and an app store exists which tells you what you can install and what you cannot install. The only leverage they have is to make Apple/Google remove certain apps from the EU stores.
If we really want to stop chat control and all the other proposals that will inevitably come after, we should really work hard to try to reverse this. I think asking "don't break encryption, please" is really the wrong way to go about it.
We are now kind of at the crossroad. Either we expand the SaaS model to everything, or we enforce the until-now rules of ownership of the law.
1. Have you ever texted someone from EU? You are now chat controlled too.
2. EU is pumping billions to foreign countries to promote EU values. How long until they condition this "help" with chat control?
Obviously, some groups are more right than others. If you are into cryptography, you know about the risks coming from Chat Control. But politicians are not part of your group. And what they see, from their point of view, is what I said above: whatever they try to do, there will be a vocal group of people who will genuinely believe that it is completely unreasonable.
That, to me, explains why it keeps coming back: because really, if we could break cryptography only for the bad guys, it would help a lot. "Okay, those people say that it is stupid, just like for everything else we try to do. What makes this group of people more right than the others?"
The lack of financial interests?
For whatever it's worth, as a European, I will emphasize this as one of the most frustrating facts and the largest barrier to me having any serious form of respect for the EU. I have no doubt there's honest and good people there, but in my country it's well known that fuckups just get to "retire" and get out of the spotlight by shifting to EU positions. Not only does this devalue the EU, but also the original country itself, since politicians have less fear of career-ending consequences. It's a lose-lose situation for the collective.
I can only hope that experiences in my country do not reflect Europe as a whole.
What it really does is push "regular" people back into surveillance by default. Most already assume their chats might be scanned or their phone might be listening, so they self-censor anyway. The law just bakes that into the mainstream tools, while the rest of us will keep using the same workarounds we always have.
It's not on their website list, not in their socials
Encrypted messaging not sent through one of these third party "platforms", i.e., "social media", would arguably be outside the scope of EU "Chat Control"
In other words, this proposed legislation does not require monitoring any internet user engaging in encrypted chats with any other internet user(s) as long as they avoid using a third party "platform" like the one run by Meta that is subject to the "Chat Control"
If a person believes that such encrypted chat is impossible/infeasible without the involvement of a third party such as Meta, then IMHO, this person has a more serious impediment to private conversation over the internet than EU proposed "Chat Control". But I would not trust any internet forum comment demonising the EU when what the EU is doing is regulating Big Tech
This proposed legislation may be detrimental to Meta's bottom line and so one can expect the usual public disinformation campaign where the problem is portrayed as "government surveillance" when in reality
(a) the problem is using third parties such as Meta to communicate, creating an easy partner/target for any government that wants surveillance data
and
(b) Meta, not the government, is actually doing all the surveillance
and the EU keeps fining them for it. Big Tech companies like Meta need to ignore privacy norms in order to make money. That is the "business model". Surveillance. I cannot think of a worse choice of a third party through which to route private conversation
The EU knows this.
They’ll always include “CSAM” as a validation, but the true underlying desire is surveillance.