
Culture War Roundup for the week of January 29, 2024

This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.

Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.

We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:

  • Shaming.

  • Attempting to 'build consensus' or enforce ideological conformity.

  • Making sweeping generalizations to vilify a group you dislike.

  • Recruiting for a cause.

  • Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.

In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:

  • Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.

  • Be as precise and charitable as you can. Don't paraphrase unflatteringly.

  • Don't imply that someone said something they did not say, even if you think it follows from what they said.

  • Write like everyone is reading and you want them to be included in the discussion.

On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.


I'm currently working as a cybersecurity engineer and I'm a former Google SRE. So, I request you do not kneejerk dismiss me as some kind of technical ignoramus if you think that's what my argument hinges on.

Whenever privacy warriors complain about privacy I find myself rolling my eyes and thinking okay boomer. Even though more people than boomers say this and I do believe privacy is important. To be clear I mean privacy in the abstract. "I don't use Facebook because [privacy]". "I am looking to adopt a GrapheneOS based phone with no Google apps because [privacy]".

Privacy is obviously important. I don't want some rando, or worse, some personal enemy to rifle through all of my digital data looking for ways to harm me. But the abstract privacy concern takes the form of a Motte and Bailey between the two. Google, Facebook and friends mostly act on your private data in the aggregate, but the privacy advocates generate worry that your intimate conversations or pictures are being personally viewed.

I also find privacy warrior claims rather, let's say, Joker-level anarchistic about rule of law. Everyone should have end-to-end encrypted messaging and the government should be locked out of private spaces no matter what. In no other domain do we accept a claim like "this dungeon in my house is off limits even to detectives with a court order because it is my private property" but apparently yes this digital cache of self-produced child pornography or evidence of a ticking time bomb terrorist plot[1] is something we can take to our graves regardless of any legitimate pursuit of justice. The level of hostility towards government here surpasses any of government's responsibility to protect its citizenry.

I'm not arguing against having digital security. It's very important for both organizations and individuals to have basic opsec lined up, especially because of how many automated and directed attacks there are trying to steal money and secrets. But in this battle companies like Google, who privacy advocates possibly fear only less than Facebook, are far closer to friend than foe because they provide a level of sophisticated and free security and direct privacy guarantee that almost nobody can achieve on their own.

The level of fear and worry privacy warriors generate rises to the level of conspiracy-adjacence. The word "qanon" pops into my head. Someone, Out There, is collecting all of your private information and you need to disconnect from the grid right now. Abandon all petty conveniences like being able to share photos with grandma, your life depends on it.

Ironically, the self-hosted Trust No One approach appears to make people even more vulnerable to attack. Even very technically sophisticated friends of mine who have hosted their own email have been hacked and their identities stolen (and used against them for extortion) in ways that would not have happened if they had stuck to GMail and used their FIDO2 two factor key for second factor.

I have another friend who decided to take his family's photos and files out of iCloud and Google Drive. He set up a home RAID array and was cruising along fine but neglected to monitor the drives. One failed and he didn't know, so when the second failed all of his data was gone. He didn't have backups, because why would you if you have RAID and snapshotting. He's not some noob either. He is also a sophisticated technology professional.

My argument against individual actions you can take on privacy is something like: you can do a few basic things to radically improve your personal opsec, and anything else is rapidly diminishing returns at increasingly greater inconvenience and, worse, may be a net increase in your vulnerability to attack or data loss.

My argument against regulatory action on this is, well: Europe leads the way on this. Does anyone think, say, GDPR has made Europeans much safer than Americans? At what regulatory and compliance cost? Mostly GDPR seems like a joke.

The fact that privacy fretting appears to primarily afflict men (with notable exceptions like Naomi Brockwell) suggests that there must be something autistic about it.

(Mostly, I can't shake the strange feeling that inside of all of this is a The Last Psychiatrist style phenomenon (made with impeccable erudition that I could never live up to) that privacy worries are a proxy for dealing with some... thing(?) that people would never allow themselves to acknowledge consciously)

In the end, excessively fretting about privacy mostly is costly (in time), increases inconvenience and annoyance, increases the nanny/regulatory state, puts you at greater risk, and just makes the ads being served to you dumber.

  1. I'm aware this argument is cited derisively by other security professionals, but that doesn't make them correct. Ticking time bomb plots are a real thing.

Ironically, if you are paranoid about privacy you are better off using a big tech platform, not a smaller site, forum, or service. Big tech platforms tend to be harder to hack and less inclined to cough up info unless pressed, while small services are happy to comply with minimal prodding (look how hard it is for the FBI to get Apple to unlock its phones). I have lost track of the number of times small web-hosters and forums have been hacked and data leaked.

Yes, this completely. Smaller platforms, including things you'd use for self-hosting, are very easy to fool with (e.g.) completely forged subpoenas.

and just makes the ads being served to you dumber.

Calling it, this dude is an alien or something. No human being would communicate this to another as if it were something anyone would ever give one iota of a shit about.

I was not holding it up as a loss in particular, just pointing out it's the only visible scar from all of that self-flagellation.

This comment was an antagonistic and low effort reply. Warning you not to do this.

As a former Facebooker I share this sentiment. Personalized ads are better than non-personalized. Sometimes I actually find something nice through personalized ads.

They don't butter my bread anymore and I still believe this.

Mostly, I can't shake the strange feeling that inside of all of this is a The Last Psychiatrist style phenomenon (made with impeccable erudition that I could never live up to) that privacy worries are a proxy for dealing with some... thing(?) that people would never allow themselves to acknowledge consciously.

One alternative suggestion that I haven't seen explored (but I'm sure isn't original) is that privacy concerns are often the result of human intuition about our evolved environment rather than about our modern one. Thinking of data collectors as just algorithmic and disinterested in you personally doesn't come intuitively to most people. If they're collecting your information and using your information for something that they profit from, surely they must have some specific interest in you, they must be taking something from you that is yours, and you don't want them to get that which belongs to you. When it comes to physical goods, proprietary knowledge, or genuinely clandestine information in a Dunbar-limited world, these concerns basically make sense. If you had information that you could sell to some other guy to make money, you'd be pretty pissed off that someone was ripping it off! Likewise, if someone collected something you thought was private, it would be quite reasonable to be concerned that they're trying to hurt you, or at least want leverage over you in the future.

Oh, actually, people also seem to drastically overvalue what their private data is worth.

Anecdotally: So, I don't have health insurance (I have wealth insurance instead, for catastrophes and it can't call itself insurance). So, I pay the retail rate for drugs. But it turns out there's a whole bizarro world economy where you can go to goodrx.com and get insane discounts off of the list price, like 90% or more and the drug ends up costing less than it would with an insurance copay.

Anyway, I have no idea how this works. I asked the pharmacist once why this free coupon knocked $10 off of this totally mundane drug that millions of people take. Her knee-jerk reaction was "because they sell your data". She really thought the fact that I take this med + my email address is worth $10 to someone. Not just that one time, but every time I refill it.

So, extrapolating "taking something that's yours" and "$10+ per take", I could see a recipe for widespread driving people crazy about privacy.

…what would feel like a good price?

I agree that $10 is way too high for any real value of that data. I could also believe that it’s where companies end up after factoring in all that bizarro-world. Maybe they sell the data for $1, but are also saving for bureaucratic reasons. Maybe it’s one of those loss-leader things where the cheap Xanax keeps people (or insurers?) in the program when they have to buy the long tail of exotic drugs. My personal guess would be that it has something to do with Medicaid pricing, because that derails literally everything.

I think it's probably worth a penny, at most?

Anyway, my research suggests these goodrx.com coupons are actually drug manufacturer rebates to the pharmacy off of their wholesale purchase. The manufacturer is effectively using this channel to quote much lower prices to uninsured poor people who would otherwise be forced to go without.

privacy concerns are often the result of human intuition about our evolved environment rather than about our modern one. Thinking of data collectors as just algorithmic and disinterested in you personally doesn't come intuitively to most people.

We're looking at more of an intuitive statistical gap in understanding small percentage chances. There is clearly a greater chance that if my private information is stored at police headquarters that some sequence of events will lead to someone at police headquarters using that information against me in some way, than if that information is not stored at police headquarters. Most people aren't capable of actually calculating the expected value of that probability, so they either round it up too high or too low.

Most people don't have the information to even estimate. If your GPS location pattern marks you as being high risk for being a drug courier and you keep getting pulled over for minor and imagined traffic violations as a result, how would you even know that's what's resulting in the harassment?

It's worse. I have to estimate it long before anything goes wrong.

And my modal case is something like coming into contact with a person of interest. Or it's personal, your former coworker with an axe to grind or your ex boyfriend or your new girlfriend's ex boyfriend with a grudge, happens to have access to that kind of thing in some way or another.

That probability is impossible to estimate in advance. When I went skeet shooting in 2017, I could not have known that multiple people I shot with would be indicted in federal court on "insurrection" charges. I've seen friends stalk romantic partners, prospective and current and former, all across the internet including misusing work tools to do so. I have no method of assessing the people I interact with for whether they materially increase that risk.

I think you are taking a bit different take here, but I haven't seen my argument considered by you or anyone else here. Why do people encrypt their personal notes, self-host their e-mail servers and use VPN with Tor? Because they can. Similarly, why do people climb Mount Everest? Because it's there. Himalayan mountaineering is one of the deadliest activities one can think of and yet, there is no shortage of people who want to give it a try.

As far as I observed, many people concerned with privacy usually do so on a superficial level, while their deeper motivation revolves around the temptation to do something single-handedly. Many programmers possess only a limited understanding of unix systems, operating systems architecture in general, cryptographic algorithms and other more obscure topics. They are usually happy using Windows with VS code. Do they miss something in their day-to-day life, do their actions lack utility? Not at all.

But I'm talking here about a different type of people: hackers, tweakers, geeks who just build complicated projects for their own joy, because it's in their nature to take the road less traveled. You are right that it takes a certain kind of person to take pleasure in tens of hours of setting and adjusting systems that have a high chance of being abandoned after a couple of uses, but isn't that what FOSS is all about? The famous: "Linux is free if your time is worth nothing" points to the fact, that exploring software consumes tons of hours. Is it useful? I don't know man, this is exploratory behavior, some people think that there is some utility in exploring and learning new things. Of course one should be able to find a difference between a hobby and mental issues.

I don't buy into falling prey to conspiracy theories. Maybe you know people who are so involved into distrustful political stances or are stuck in the views of the society taken out of the '80s and '90s movies like 12 Monkeys or Fight Club, but usually it's just an excuse for DIY. Here you have a link to a blog of a person who self-hosted her blog server as a unikernel. A cumbersome way of doing it to say the least! And she in fact mentions hacker attacks as a reason in her blog post, but it may as well have something to do with the fact that she has worked on MirageOS, a framework for creating unikernels. This is the pattern I find among the bloggers I follow: not the distrustful schizos, but rather hackers constantly experimenting with new tooling.

I don't mean to condemn people who are doing it for fun. Or securitymaxxing as art. As a cybersec person I 100% appreciate the beauty of a blog tech stack that's pure OCaml all of the way down to the (virtual) metal and have fantasies that one day we will go further and synthesize bespoke hardware from the type graphs and there's nothing black-box between your code and the net. Holy shit, so good.

I'm specifically trying to grab and shake the person who, when setting up their new phone, sees the [x] use cloud backups/sharing for safety and convenience? option and unchecks it because they believe they're so subversive or outrageous that the state (or big corporations) are looking for them and they can't afford the risk of centralizing their photos and documents. And then they go further and get to work on their GrapheneOS game and turn off push notifications because of side channel attacks and really want to live in a world where they don't get your message until they take their phone out of a faraday sleeve, get on WiFi, open Signal and have it pull messages.

This is a type of person and they're afflicted with something and I'm surrounded by them and I don't fully understand what's going on. I understand liberals and conservatives and libertarians. I can change the sliders on my values and see how my thinking can have me end up in one tribe or another. But the amount of paranoia that I'd have to add to end up in privacymaxx zone seems untenable. Surely something else is going on.

Now I see your point better! I would suspect that many people nurture the grandiose thoughts of self-importance and would even dream of the government taking interest in their usual life. Though sometimes cloud services can suck and while iCloud is smooth, my institution uses Outlook and I'm stuck with OneDrive, which is sometimes so slow that I usually carry around an external HD to not get frustrated every couple hours or so.

Though I must admit, that I don't know many people of the type you're writing about, since in general I don't know that many people.

I don't use cloud saves for photos not because of privacy, but because I'm afraid that inevitably due to an error on either side an empty folder is going to get synced the wrong way and I'll lose five years' worth of photos. As for music, movies, and ebooks: lol lmao, as if I'm going to vendor-lock myself to a single storefront.

A few notes, but mostly marking to think and read more and maybe write more about later:

I have a feeling that like 70% of the privacy ultra-activist stuff is counter-productive in that it mostly serves to draw more attention onto you than would be paid if you acted more like a "perfectly ordinary sheep" type. Like the guy trying to be covert with the obvious trench coat just making sure everyone in the diner is staring at him versus nobody giving him a second glance if he was wearing business casual.

Google gets beat up a lot for non-responsiveness to user inquiries and supposed privacy violations. I actually agree with your point in that I continue to use Google for most things because I trust their security better than just about anyone else. Their Advanced Protection stuff is probably best of breed, and at least I can be sure that no hacker or activist will ever be able to socially engineer their way into my accounts. I accept that they might delete it someday because some wrongthink I posted somewhere gets caught in the wrong filter. And they might give everything they have to the Government some day, but meh, I doubt it's much safer anywhere else.

I do still use Google's location tracking, partly because it is sometimes convenient. I also have a feeling, or at least would not be surprised if it is some day revealed, that the phone UI checkboxes to turn it off actually only turn off the visibility to you, not the collection and storage. If they're gonna collect and store it either way, I might as well get some use from it too. If I ever need to really be covert, I guess I'll have to leave it at home. Though even that might not help much, since it's such an unusual and rare thing to do, if anybody was actually watching that closely, they'd probably have reason to think that, whatever I was actually doing then, I was up to no good.

And yeah, running your own servers and storage has its own risks as well. I doubt I'm a particularly great sysadmin, but as far as I know, I haven't lost any servers yet, so maybe it's not quite that hard, or maybe nobody cares that much about my stuff.

Are you aware of the third party doctrine?

Not specifically. I was aware of it on a "how to deal with the police" tactics based level: law enforcers looking at emails requires a warrant but documents you have sitting in Drive may not.

Just FWIW as someone engaged on academic work on these issues, I broadly agree with your take. That said, two quick points of disagreement -

(1) Even supposedly friendly personalisation can be dangerous. Really effective personalised advertising can boost consumption, but if you're anything like me, you should probably be consuming less. You're like a dieter walking through a buffet restaurant filled with dishes perfectly targeted to your palate. By controlling the data held on you by third parties, you can limit how appealing the menu they offer you is. Now, of course, sometimes it will be your cheat day and you can eat to your heart's content, and having an amazing menu offered to you is positively desirable. But most of the time, having this personalised menu is going to be bad for your ability to achieve your reflectively-endorsed goals. Data privacy is one way to protect yourself from having your own most voracious instincts exploited.

(2) Privacy concerns don't seem to me to be male-coded. If anything, more of my female students are very worried about it. More than anything else, I'd say it skews continental European; Germans above anyone else seem obsessed with it. Brits are radically unconcerned about it.

Just FWIW as someone engaged on academic work on these issues, I broadly agree with your take. That said, two quick points of disagreement -

Wow, okay, good timing. I was just about reserved to believe I was debating with 100 swords pointed at me until this falls below the fold (thanks everyone for engaging!)

What's the line of your academic work?

(1) Even supposedly friendly personalisation can be dangerous. Really effective personalised advertising can boost consumption, but if you're anything like me, you should probably be consuming less. You're like a dieter walking through a buffet restaurant filled with dishes perfectly targeted to your palate. By controlling the data held on you by third parties, you can limit how appealing the menu they offer you is. Now, of course, sometimes it will be your cheat day and you can eat to your heart's content, and having an amazing menu offered to you is positively desirable. But most of the time, having this personalised menu is going to be bad for your ability to achieve your reflectively-endorsed goals. Data privacy is one way to protect yourself from having your own most voracious instincts exploited.

Well, right from a healthy living perspective, ads that are very targeted and appealing might be a problem. But isn't it said (advocated) that "good ads" are in fact, "content"? If that premise holds, don't we already widely suffer from this problem?

(2) Privacy concerns don't seem to me to be male-coded. If anything, more of my female students are very worried about it. More than anything else, I'd say it skews continental European; Germans above anyone else seem obsessed with it. Brits are radically unconcerned about it.

I agree it makes more natural sense that women have higher privacy concerns because there's a lot of pervs trying to get inside of their digital devices to exfiltrate nudes (and be otherwise generally creepy). But the level of inconvenience and fringe-ness men take on in pursuit of privacy is more extreme than what women do, in my read.

I also find privacy warrior claims rather, let's say, Joker-level anarchistic about rule of law. Everyone should have end-to-end encrypted messaging and the government should be locked out of private spaces no matter what.

The steelman for this being "if technology is basically just telepathy, why should "because it's technically possible" ever be a valid argument for society to have any right to monitor the contents of the communication"? The strongest right is one you can guarantee personally, after all.

In no other domain do we accept a claim like "this dungeon in my house is off limits even to detectives with a court order because it is my private property"

We have at least 2; attorney-client, and religious priest-confessor.

this digital cache of self-produced child pornography is something we can take to our graves regardless of any legitimate pursuit of justice.

We throw, and threaten to throw, teenagers in jail all the time over this. It is probably good that they take steps to defend themselves if they're going to engage in this activity to avoid the current environment of societal overreaction; the entire point of "rights" is to limit the damage society can do when (not if) it overreacts (the flip side of the coin being "ticking time bomb plots", but I'm willing to trade the lives lost in those for the ones saved due to them not committing suicide any more over this).

The level of hostility towards government here surpasses any of government's responsibility to protect its citizenry.

The overwhelming majority of murders worldwide in the 20th century were perpetrated in an organized fashion by governments targeting their own citizens (organized mobs using simple demographic criteria make up most of the rest); the impulse to make one a harder target against those is only natural. Proponents of this approach can point to things like census records being burned to stop an angry invading force from determining which people were going to the concentration camps and which were not. The Germans are well-acquainted with this; being that they have committed the overwhelming majority of murder on the European continent in the last 100 years probably has something to do with that.

The fact that privacy fretting appears to primarily afflict men (with notable exceptions like Naomi Brockwell) suggests that there must be something autistic about it.

While there are a variety of reasons why this is true, men are murdered more often than women; I don't think it's more complex than that.

In no other domain do we accept a claim like "this dungeon in my house is off limits even to detectives with a court order because it is my private property"

We have at least 2; attorney-client, and religious priest-confessor.

Sure fine whatever. But even these are not absolute, and can be pierced if justified.

this digital cache of self-produced child pornography is something we can take to our graves regardless of any legitimate pursuit of justice.

We throw, and threaten to throw, teenagers in jail all the time over this. It is probably good that they take steps to defend themselves if they're going to engage in this activity to avoid the current environment of societal overreaction; the entire point of "rights" is to limit the damage society can do when (not if) it overreacts (the flip side of the coin being "ticking time bomb plots", but I'm willing to trade the lives lost in those for the ones saved due to them not committing suicide any more over this).

By "self-produced child pornography" I did not mean teenagers recording themselves over Snapshot. I meant something more like an adult recording a child that they have prisoner in their closet that they raped periodically before murdering and disappearing them. The child is now gone without a trace but authorities believe this crime was committed and would like to view all of their encrypted data.

The overwhelming majority of murders worldwide in the 20th century were perpetrated in an organized fashion by governments targeting their own citizens (organized mobs using simple demographic criteria make up most of the rest); the impulse to make one a harder target against those is only natural. Proponents of this approach can point to things like census records being burned to stop an angry invading force from determining which people were going to the concentration camps and which were not. The Germans are well-acquainted with this; being that they have committed the overwhelming majority of murder on the European continent in the last 100 years probably has something to do with that.

These atrocities were committed by dictatorships, yes?

When I say people with these worries are Qanon-adjacent, this is what I mean. Invocation of living in fascist Germany or the Khmer Rouge to describe the need to rigorously defend your privacy living in the United States in 2024. Yes, if you live in a totalitarian dictatorship, or one that's rapidly becoming one, sure fine privacy seems pretty important! To these privacy warriors in the US, I'm sure we seem a quick slide of the slippery slope away from being targeted for our Chud/Woke beliefs with no time to prepare before it's too late. IMO this is a persecution fear very distantly tethered to Earth.

I submit that privacy warriors are just another shade of culture warrior, and it's a kind of warfare with bipartisan appeal.


authorities believe this crime was committed and would like to view all of their encrypted data.

And how do you propose authorities do that if the device is turned off and the data has been securely encrypted at rest? Put back doors into every computing device to prevent this scenario from arising?

authorities believe this crime was committed and would like to view all of their encrypted data.

And how do you propose authorities do that if the device is turned off and the data has been securely encrypted at rest? Put back doors into every computing device to prevent this scenario from arising?

  1. Torture warrants
  2. Require device and crypto backdoors

I'm aware 95% of security researchers think #2 is a nightmare and makes security worse, but I believe they are simply revealing their libertarian-anarchist ideology. We just got through a period where enormous sums were invested in web 3.0 crypto-systems with outlandish ultra complicated architectures for everything from micropayments to whole network states (etc) and it was all pursued with doe eyed zeal. It is absurd to claim a system where law enforcers have a backdoor is not a solvable problem.

I'm aware 95% of security researchers think #2 is a nightmare and makes security worse

They're both nightmares, only #1 is more honest about it.

It is absurd to claim a system where law enforcers have a backdoor is not a solvable problem.

Of course that's a solvable problem. But such a back door is destruction of security. And being universal, it's a rather less-than-controlled destruction of security.

The problem to be solved with law enforcement backdoors is not destruction of security by itself, it's law enforcement abusing the backdoor and not telling us. And you're not solving that problem.

I don't think @dr_analog thinks that's a problem.

I don't think @dr_analog thinks that's a problem.

To be clear, I think police abuses are bad. I consider that a problem. I don't think it's unsolvable or that it is destruction of security. At least not moreso than any other rights. I don't think someone would say the security around your property rights don't exist or are destructed because a police officer can theoretically steal your property and tell you to suck it.

By "We just got through a period where enormous sums were invested in web 3.0 crypto-systems with outlandish ultra complicated architectures for everything from micropayments to whole network states (etc) and it was all pursued with doe eyed zeal" I mean that it's absolutely possible to construct a system where law enforcement has keys to unlock crypto with some semblance of due process. The problem previously is that it's been done so secretively (since the community response is so outraged) that nothing with a sound design has been produced.

I can't stress this enough; the cypherpunk community warned us at length of how impossible it would be to prevent abuses if you give law enforcement a backdoor and then during web 3.0 cheerfully advanced pitch decks for protocol research labs for moving all social media to blockchain, tracking and enforcing all property rights either through blockchain or DAOs, doing anonymous voting, insurance, exchanges and a hundred other libertarian fantasy replacements for the state that balajis could generate.

Take their hysteria about police backdoors with a grain of salt.

To these privacy warriors in the US, I'm sure we seem a quick slide of the slippery slope away from being targeted for our Chud/Woke beliefs with no time to prepare before it's too late.

What do you think preparing looks like, if not fighting for civil liberties and maintaining our ability to coordinate politically without being targeted? To me it looks like you'd mock anyone fighting government overreach right up until it's too late.

Do you think those murdered by their governments in the 20th century had "time to prepare", but simply chose not to? Do you remember the borders being closed with no warning during covid?

Do you think those murdered by their governments in the 20th century had "time to prepare", but simply chose not to? Do you remember the borders being closed with no warning during covid?

So, what's the ground truth here? When you unbox a smartphone do you decline to log into a Google/Apple account so you can sync because you're worried that if you say yes there's a 1% chance that's how you end up in a gas chamber some day? If this isn't you, are you saying you sympathize with that view?

What do you mean by "ground truth"? I personally don't make many sacrifices for privacy or civil liberty's sake, but I'm grateful when others do.

Where I live I already don't have freedom of speech or association, and the government recently froze the bank accounts of protesters whom the state-run news agency had already demonized.

Again, how do you think anyone ends up in a gas chamber?

Where I live I already don't have freedom of speech or association, and the government recently froze the bank accounts of protesters whom the state-run news agency had already demonized.

Do you believe Canada is on the slippery slope towards gas chambers?

Again, how do you think anyone ends up in a gas chamber?

I've read about a couple of these situations and the best answer I can take away is: they live in a place that has gone insane.

I've read about a couple of these situations and the best answer I can take away is: they live in a place that has gone insane.

This is indeed the main anxiety of those who confound you, I suspect, and moreover, the main driver of our modern discourse.

I've read about a couple of these situations and the best answer I can take away is: they live in a place that has gone insane.

Yes, that's it. Sadly, places that have gone insane don't make it necessarily obvious that they have gone insane, because they attempt to gaslight the sane. And being nice prosocial apes those sane ones waste a lot of time they could be using to get away from insane place wondering if everyone around them seeming insane is not what insane people observe about the world.

Do you believe Canada is on the slippery slope towards gas chambers?

I wouldn't say quite that, but Canadian culture in particular is uniquely vulnerable to mass insanity and mass manipulation, being obsessed with getting along over anything else. So while it's not on the slope right now, you can be sure the Canadian slope is gonna be steep and well lubricated when we get on it.

Do you think those murdered by their governments in the 20th century had "time to prepare", but simply chose not to?

This very much depends on context, but in the case of murder by one's own government, usually yes.

German Jews had "time to prepare" in that it was obvious that a murderously anti-semitic political force was in the ascendant since 1930, and most of them did - the core fact about the Holocaust they don't teach you is that it was mostly a genocide of defeated enemy Jews because only 180,000 or so Jews were left in Germany proper to Holocaust.

The various groups that would be predictably disfavoured by the Soviets also had fair warning (the Soviet Union didn't actually enforce emigration restrictions until 1928, a decade after the revolution) and those who had the resources to get out, did so (more than 1% of the pre-revolution population emigrated). If you were a Ukrainian kulak, you had "time to prepare" but probably not the resources to do anything about it - with 21st century transport tech and refugee law, I think most would have got out. The people who got gulagged in the 1930's included actual political opponents of the regime, but also a significant number of people who were effectively swept up at random - that isn't something people manage to plan around.

I am less sure about precisely what happened in China, but the Great Leap Forward looks like a combination of "insane regime kills at random" and genuine incompetence in a country poor enough to have no margin for error, and the Cultural Revolution is the Trope Codifier for "insane regime kills at random". In any case, Communist rule in China follows a period of 30 years of pervasive political violence (warlordism, murderous military government under Chiang Kai-Shek, Japanese invasion, civil war)

The much more common case is "Lose war, get occupied, get genocided". Contrary to the usual spin, this covers the vast majority of Nazi victims. It also covers most of the post-1945 communist victims - if you became an ethnic minority in the USSR as a result of the Soviets conquering your country in WW2, things were unlikely to end well for you. (And, of course, all the colonial genocides). I

So in summary, "Emigrate if you find yourself ruled by people who hate you" seems to be a heuristic that people tend to put into practice if they have the resources, with the result that "Government genocides a disfavoured minority group in its own core territory" is a much less common threat model than people think it is. "Emigrate if you think your country might lose a war in the near future" and "Emigrate if your country might fall under communist rule in the near future." are similarly good heuristics, but ones which people seem to struggle with acting on.

To me it looks like you'd mock anyone fighting government overreach right up until it's too late.

From my view everyone who raged teary-eyed against government "overreach" like the PATRIOT act or FISA has been proven wrong to date. This stuff did not at all alter life in the US except for giving the government slightly more power to investigate crime.

I'll be really embarrassed if this all paved the way for a USA Patriot Points social credit system but I just don't see that taking off in the US. The notion sounds really far-fetched.

I agree that some people were overly certain about the consequences of the PATRIOT act. But I would still rage teary-eyed against government overreach even if I were merely worried it would lead to tyranny, because once the government is totalitarian it's very hard to come back from that.

Also, in that time there have been various counter-movements, such as Snowden's, that pushed back against mass surveillance. But that could have easily not happened, and plus the state has presumably hardened itself against the next Snowden since then.

This stuff did not at all alter life in the US except for giving the government slightly more power to investigate crime.

How are you going to know if the government investigated you secretly and then made some excuse about it? Look up parallel construction.

Touched on here: https://www.themotte.org/post/851/culture-war-roundup-for-the-week/183560?context=8#context

I'm not denying it doesn't happen, it obviously does sometimes. So, that said, what's the argument in response? Because parallel construction could happen (and sometimes does), that means the government therefore should not have access to these tools without a court order ahead of time and if it wrecks their ability to counter terrorist plots or organized crime or handle fast-moving cases, so be it?

I think part of the issue, for me anyway, is just how much of my data is out there and how useful it is. And it turns out to be not only nearly impossible to protect your data from leaking with or without a warrant, but absolutely impossible to remove information once it’s in the wild.

If I go into your house, warrant or not, I’m bound to only the things in that location to get information on your life. I might rifle through the papers on your desk, and maybe find out some things. But it’s limited in scope and it’s not going farther than those bits of data that are available in that house. Give me access to your data and I can know pretty much literally everything about you. I have your location, the websites you visit, the apps you use, your contact list — and that’s just from your internet service provider. Get your credit card information, and I know every purchase you’ve made. The scope is worlds apart.

The other thing is the permanent nature of the databases that the governments can build off the data. Once they have it, storage capacity is the only limit to the size and detail of the profile built. And this presents a problem that really needs addressing— if the cops get a warrant on me today, how far back can they dig and how far forward? How long can they keep this data? What can they do with these dossiers once they have them?

For most people, I think the danger is probably overblown. Most of us aren’t that interesting. But there are people who would absolutely be harmed by public databases being available. Back doors for cops can easily be weaponized by bad actors to track down escaping domestic abuse victims, for example. Governments can use these databases to track dissenters or in extreme cases to enable genocide. If the government decided in 2357 that it wanted to kill Hispanics, your phone and the data it collected and continues to collect would turn you in rather quickly. You had your phone in your pocket when you went to the Hispanic church up the road. You have a Spanish keyboard on your phone. You follow Hispanic topics on social media. It doesn’t take a lot of work to query a database with markers for membership in the wrong demographic group.

These databases already exist and have more than enough information to carry out any kind of genocide you'd like. Society couldn't possibly work without them. This was true 100 years ago and it's true today.

If the government wants to find and kill a group (or even an individual), it's not lack of information that's going to stop them, it hasn't been for a very long time.

I feel like much of the practical issues is with how these databases are accessed. People shouldn't have as wide access as they do and analysis should be done more by machines whose algorithms are centrally controlled (rather than having potentially millions of bad actors accessing the information and being security risks), that can then hand risks related to specific individuals to human analysts/administrators who only get access to that relevant information.

There were limits. Real time tracking wouldn’t have been possible in 1924. And given that most of the data available at the time were on paper that had to be physically stored, copied and sent to various places, it would have been much harder to pull off a targeted mass killing without missing people who wanted to hide. In fact there was at least one country (I believe it was Holland) that managed to save a substantial number of Jews from the Nazis by burning the census records. In that era, burning the single copy of the records in question makes them no longer exist. In the era of cloud computing, nothing short of destroying all the internet connected computers on earth would guarantee the data being gone.

Privacy is obviously important. I don't want some rando, or worse, some personal enemy to rifle through all of my digital data looking for ways to harm me. But the abstract privacy concern takes the form of a Motte and Bailey between the two. Google, Facebook and friends mostly act on your private data in the aggregate, but the privacy advocates generate worry that your intimate conversations or pictures are being personally viewed.

There is a very thin line between "enemies" and "neutrals" when it comes to protecting your digital privacy, it's one irreversible data exchange away from belonging to both of them.

I generally don't take too many steps to protect my own privacy, because I consider it a lost cause. If some enemy wants to go after me I'm pretty sure I'm fucked. Because enough "neutral" parties have collected enough data on me that is only loosely protected. There is a certain point where tech savvy adults have this realization about their online activities. "Oh shit, all of this stuff in aggregate could totally be used against me and fuck me over." Plenty of them react by trying to lock down the data about them. I don't think I blame them for that reaction, even if I kind of agree with you that this is a pointless endeavor. It's a bit of a horror show to realize how quickly an unscrupulous asshole could fuck over your life.

I work in web-development and GDPR has been a huge annoyance. I think it's brought us closer to a Balkanization of the internet. Many large companies in the US were able to comply with the regulations, many small companies weren't. The obvious choice for the small companies was just to stop offering services to Europe. At some point the inter region disparities in law could force even the big companies to pull out. I'm not convinced this is a bad thing. Let each country or region have the internet it deserves based on the laws they impose on it. The sophisticated users will resort to using VPNs (at least until those get fully banned).

The sophisticated users will resort to using VPNs (at least until those get fully banned).

Perhaps by the services themselves, rather than any government. Once I turned my VPN on, Google blocked me from search even after I solved a few captchas.

go figure. shitty pooled IPs. same experience here with VPNs.

Google, Facebook and friends mostly act on your private data in the aggregate, but the privacy advocates generate worry that your intimate conversations or pictures are being personally viewed.

This isn't some hypothetical threat. Given you work in the industry I'm sure you're well aware of the number of times that employees at these companies have been caught spying on individual user's data or listening to them fuck via voice assistant recordings.

From the original Vice article:

The document says that Google terminated 36 employees in 2020 for security-related issues. Eighty-six percent of all security-related allegations against employees included mishandling of confidential information, such as the transfer of internal-only information to outside parties. Ten percent of all allegations in 2020 concerned misuse of systems, which can include accessing user or employee data in violation of Google's own policies, helping others to access that data, or modifying or deleting user or employee data, according to the document.

So, it's a bit hard to parse without the actual numbers, but it appears that of 36 security incidents, 31 (86%) were Google employees leaking confidential corporate information (ironically, including the document leaked to the Vice reporter). 4 of them were misuse of systems (which includes but is not limited to accessing user or employee data). This is actually pretty amazing, considering how many Google employees there are and the scale of data that Google collects. You might say "well, that's how many were caught," but it's very likely the majority of cases are caught (all major systems at Google have every user data access logged and audited, though I suppose some minor systems that no one uses might not have that set up).

If anything, working at Google actually made me a lot more confident about their PII protections. They take it extremely seriously and I'm actually surprised so many people were able to abuse it, though it's to be expected at their scale: Google has 175,000 employees and maintains billions of accounts.

To me, this is the exception that proves the rule: you're safer with Google.

Gin, mdb, rpcsp... Security there is taken very seriously. There're always potential holes in the system, but I trust Google much more to keep my data safe against realistic adversaries than anyone's homelab duct taped together with VLANs and reverse proxies. (And at least 90% of alternative non-Google third party hosts are honeypots, either out of incompetence or malice.)

The danger with Google is that Google co-operates with the authorities, either voluntarily, "voluntarily", or because they've been literally infiltrated.

It's absolutely fair to say that, if you're doing something the government places a high priority on detecting and punishing, Google is not the place to put digital evidence of that something. And that's a certainty.

The issue comes in when someone believes that there exist digital safes that no one but they can open. You're not going to build one in your spare time, and you're certainly not going to find one in other well-known third-party services (which are equally compromised by the government and less secure than Google) or in unknown fly-by-night services (half of which are government honeypots, and the other half are people waiting to do a rug pull to steal all your bitcoin and which are probably breached by the government anyway).

I agree, when I worked at Google I remember their security measures being extremely well-thought-out - so much better than the lax approach most tech companies take. However, I DON'T trust their ideological capture. They won't abuse people's information by accident, but I will not be surprised if they start doing it on purpose to their outgroup. And they have the tools to do it en masse.

Either for ideology or just to squeeze out a few more dollars. If Google's moats start falling, and their profits start falling with them, the first sign will just be that products start being less good. This is understandable and fine; they won't have as much funny money to blow on non-profit-centers that only add marginally, but that customers like. But if it gets really bad, well, there's always Baker's Law: "You never know how evil a technology can be until the engineers who created it fear for their jobs."

I've never heard of that (and DDG brings up nothing except stuff that looks more relevant to biology), what are some examples of tech-gone-bad like that?

The extremely low-level version of this is the classic example of a free, simple app. I heard the story of one recently that was just an app that let you change the brightness of the flashlight on some phones that didn't have that functionality built in. It started off just having basic ads. But as it became less and less profitable, crowded out by things like more phones having it just built-in, they saw the writing on the wall. Presumably, they just sold it to someone else, but I don't know in this particular case. In any event, either the original owner or someone who bought it added really obtrusive video ads... and then snuck in a $15/month subscription charge. Basically just banking on it already being installed in some number of phones, and some number of them not really noticing or accidentally clicking the wrong thing and not noticing and such. This is the really simple version.

I'd have to try to go back and see if I can find any real examples, but you can imagine that an app that collects a bunch of data on you, maybe biometric data and such, could end up on a downward spiral, profitwise. Who freaking knows how they'll sell it in order to make that last buck? Who knows what form of shady scaremongering they could do, "We see that you have this gene, and you're really in danger of [medical problem] (that is barely supportable by the scientific evidence), so you really ought to consult with [our shady partner who sells you some worthless shit and kicks us back money]."

Actually, just as I finished writing that, I thought of the example of virus protection software. That shit was constantly burying itself deeper and deeper into your system, until it had basically unfettered access to everything. Lots of people kept using it, mostly out of inertia. As it started getting squeezed out of the market, they started squeezing customers harder and causing all sorts of problems, not least of which is the tension between, "If our software has a vulnerability, attackers can use that to get deep access to your system, but you're probably oblivious to the details of how that works, so we're actually kind of okay with it, so long as it scares enough people to keep paying the subscription."

Jeez, never thought about it like that.

Will skip most of the points here since we already have great comments and I don't have a lot more to add, but I feel a very important aspect of it is often brushed off without much thought.

makes the ads being served to you dumber.

I don't know about you, but to me that alone sounds like an end in itself. I am not aware of any comprehensive study that dissects the impact of targeted ads on - at individual level - opinions, behavior, finances and mental health; and, by extension, at a societal level - social development, culture, economy and public health.

This ought to be better understood (recommendations for reading are welcome!), but given the gargantuan size of targeted publicity businesses (including Big Tech names) it seems like the impact of targeted advertisement can hardly be overstated. And I do not - and neither should you - trust that private corporations should hold that power.

Of course, privacy hacks can only do so much in terms of protecting you from big baddie tech, whatever that means, and people who do that are already very likely savvy enough to block ads anyway. But as a policy, I think GDPR and other initiatives are a great step forward, although not so effective yet.

A warrant lets specific authorities in to a specific place for a specific period of time. Unencrypted data doesn't know or care about the who or the when - it can be copied infinitely, in perpetuity. The risk profile is not the same. One single unscrupulous copy operation, or even a short residence on a machine that has a security hole and a curious onlooker, is all it takes for the genie to get out of the bottle.

I am probably less technical than you at this point but: Broadly, I agree that trying to roll your own security is less secure than trusting a convenient megacorp who employs professionals. For 99.5% of people, this is the case.

I also agree that the probability of being targeted because of your data is lower than many privacy-obsessed people mention.

I also am glad you're bringing arguably a fresh PoV to the discussion!

However, I think other folks have swung back on a number of items very well that I'm not even going to try to double up on. Random thoughts:

Not all privacy desires have their foundations in criminality and kiddy porn. Villainizing E2E encryption and truly private spaces as exclusively the domains of ne'er do wells is the exact same tactic people use against guns to win the culture war. Carrying a pistol doesn't make you a paranoid asshole; it means you're vastly more prepared for a rare occurrence than someone who doesn't. You can't even make the same off-color jokes in Discord that you could have made in a Facebook message 5 years ago without auto-bans, so the probability of unsecured communication having consequences isn't super low.

I want to be able to talk about the government without them listening. I want to be able to talk about psychotic leftists without them getting me fired, and I want to watch exotic pornography without psychotic rightists getting me fired. I don't trust any convenient megacorp to safeguard me from any of these actors or themselves.

Not all privacy desires have their foundations in criminality and kiddy porn. Villainizing E2E encryption and truly private spaces as exclusively the domains of ne'er do wells is the exact same tactic people use against guns to win the culture war. Carrying a pistol doesn't make you a paranoid asshole; it means you're vastly more prepared for a rare occurrence than someone who doesn't.

Just to be clear, as I mentioned elsewhere, I'm not villainizing people for using E2E encryption. Just pointing out that E2E encryption is an absolute gift to villains while everyone else using it LARPs as an enemy of the state.

As someone who has guns himself, my view is

  1. it would be best if society had no guns in it
  2. but our society has guns
  3. criminals exist and are incentivized to crime
  4. police cannot stop them from doing crime fast enough
  5. therefore, I should have guns myself

Perhaps if police response time in my town was 90 seconds and not 20 minutes the economics of crime would change, but it's not so I need a gun.

Anyway, I agree given the circumstances handgun ownership makes sense. Is the claim for E2E messaging even this solid?

I want to be able to talk about the government without them listening. I want to be able to talk about psychotic leftists without them getting me fired, and I want to watch exotic pornography without psychotic rightists getting me fired. I don't trust any convenient megacorp to safeguard me from any of these actors or themselves.

I don't quite follow. You want to be able to do this stuff under your real name without every adversary finding you? Or... you want to be able to do this via an anon handle without being easy to doxx?

I want to watch exotic pornography without psychotic rightists getting me fired

As a psychotic rightist, I can't say I'm thrilled about anyone watching exotic porn, but I don't want to know you watch it and whatever you do in the privacy of your own goon cave is your business, not mine.

The freakin' ads and marketing and metrics and data scraping and the rest of it make it my business. Just shut up and let me browse in peace! The irony, of course, is that none of this stops the pornbots spamming me on social media sites, even when it's "we're a big professional company, trust us" (the Tumblr Female-Presenting Nipples Purge did nothing to stop the 'hi [username], I really like you and want to get to know your bank account' crap, and ironically Tumblr Live is now being mercy-killed since nobody used it except as an OnlyFans knockoff, and even that couldn't make money).

In the non digital world there are a lot more checks and balances. Getting a warrant to search a home is one thing, mass surveillance on millions of users is another. What is happening online is more like the police obtaining a search warrant for every building in a city and sending a robot with drug sniffing capacity into every room in the city. The police may follow a specific suspect around, while the state in many countries forces ISPs to keep a record of all visited websites for millions of people. Governments want to snoop mass amounts of data on cloud servers but don't have the right to routinely search hotel rooms or office spaces. Why should data on the cloud be less protected than a letter lying on a desk in a hotel? Why can't digital services be as private as a taxi service? If I rent an Uber the police can't set up a roadblock and search all documents in every car. So why can they do that for email?

As for GDPR it did make a big difference. In my career as a developer I hear the acronym GDPR on a regular basis, and it has forced companies to be far more careful in how they store and handle data. GDPR put a lot of pressure on companies to think before they acted and made the non-tech portion of companies much more interested in data security. Thanks to GDPR I have had non tech boomers with a business background send long emails asking about how we encrypt data, TLS, when data is deleted and other issues that they never thought about 10 years ago.

In the non digital world there are a lot more checks and balances. Getting a warrant to search a home is one thing, mass surveillance on millions of users is another. What is happening online is more like the police obtaining a search warrant for every building in a city and sending a robot with drug sniffing capacity into every room in the city. The police may follow a specific suspect around, while the state in many countries forces ISPs to keep a record of all visited websites for millions of people. Governments want to snoop mass amounts of data on cloud servers but don't have the right to routinely search hotel rooms or office spaces. Why should data on the cloud be less protected than a letter lying on a desk in a hotel? Why can't digital services be as private as a taxi service? If I rent an Uber the police can't set up a roadblock and search all documents in every car. So why can they do that for email?

In the olden days we used to argue that mass surveillance was actually useless because it generated far too much data and even detection systems with very low false positive rates still created an unworkably huge number of events that had to be manually reviewed.

I haven't seen anything that has changed the story on this, except in CSAM which is so radioactive that law enforcers have successfully pushed the burden onto companies to surveil and report them. There's been some criticism of the false positives here https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html but so far this doesn't seem like a huge problem. And again only something like CSAM appears to rise to this standard, for now.

To be clear, I still think police should have warrants to do stuff.

As for GDPR it did make a big difference. In my career as a developer I hear the acronym GDPR on a regular basis, and it has forced companies to be far more careful in how they store and handle data. GDPR put a lot of pressure on companies to think before they acted and made the non-tech portion of companies much more interested in data security. Thanks to GDPR I have had non tech boomers with a business background send long emails asking about how we encrypt data, TLS, when data is deleted and other issues that they never thought about 10 years ago.

I thought the Snowden leaks, specifically the revelation that the NSA was able to re-construct GMail inboxes without a warrant because they had tapped replication events on private lines between Google's datacenters, compelled an industry-wide effort to take security a lot more seriously, including TLS everywhere by default. Also it timed well with the fact that CPUs were now fast enough that encrypting by default didn't add an unacceptable burden. I'd be curious to see how the GDPR specifically made a difference here since it coincided with these two other events.

In the olden days we used to argue that mass surveillance was actually useless because it generated far too much data and even detection systems with very low false positive rates still created an unworkably huge number of events that had to be manually reviewed.

An issue that I think will no longer be a concern to the Big Other once AI gets good enough. Sure, ten humans today might not be able to find a dissident in the sea of data with four weeks of searching, but an AI drinking from the gigahertz of an RTX card might with only ten seconds.

Google, Facebook and friends mostly act on your private data in the aggregate, but the privacy advocates generate worry that your intimate conversations or pictures are being personally viewed.

If by "privacy advocates" you mean Ursula von der Leyen and all the other assorted EU / WEF / World Bank goons who want to have all the aggregated data for themselves, in order to turn society into a panopticon while pretending they care about "privacy", then yes.

"I don't use Facebook because [privacy]". "I am looking to adopt a GrapheneOS based phone with no Google apps because [privacy]".

It's incoherent to scoff at privacy advocates because actually all the data is aggregated, and at the same time laugh at their efforts to not be a part of the aggregated dataset. There are valid criticisms, like you can say it doesn't add up to a spit in the bucket, or that the only people using these alternatives are privacy freaks, so using one automatically marks you as the odd one out, but "it's still better than laying down and dying letting Big Tech have an absolute monopoly without a single alternative" seems like a valid counter-argument.

I also find privacy warrior claims rather, let's say, Joker-level anarchistic about rule of law. Everyone should have end-to-end encrypted messaging and the government should be locked out of private spaces no matter what.

Based. Bad faith actors are an absolute minority in society, and as you pointed out yourself most of the cyber-surveillance is aggregate level. If the cost of blinding the elites to society-wide trends is letting a few pedos get away with it, it seems worth it. Sure, you could posit some theoretically-existing good-guy elites, who only bypass encryption to catch the bad guys, and would never use Big Data to manipulate society, but that's not the elites we have, and not ones we are about to get any time soon.

I have another friend who decided to take his family's photos and files out of iCloud and Google Drive. He set up a home RAID array and was cruising along fine but neglected to monitor the drives. One failed and he didn't know, so when the second failed all of his data was gone. He didn't have backups, because why would you if you have RAID and snapshotting. He's not some noob either. He is also a sophisticated technology professional.

Your photo-album could perish in a fire if your house burns down, that's not an argument for leaving it in some centralized repository where every bureaucrat working there can skim through it, access to it can be denied at their whim, etc.

My argument against regulatory action on this is, well: Europe leads the way on this. Does anyone think, say, GDPR has made Europeans much safer than Americans?

Mostly no. GDPR has some good provisions, like giving you the option to force companies to delete all your personal data, or to send to you everything that they collected on you, but for the most part it's not even a joke. It's a measure to centralize data in the hands of a few big companies that are easier to pressure politically. I agree the solution is not regulatory but technological (like the aforementioned E2E encryption that nobody gets to bypass, or in the case of GDPR more trivial measures like blocking third party cookies).

Google, Facebook and friends mostly act on your private data in the aggregate, but the privacy advocates generate worry that your intimate conversations or pictures are being personally viewed.

If by "privacy advocates" you mean Ursula von der Leyen and all the other assorted EU / WEF / World Bank goons who want to have all the aggregated data for themselves, in order to turn society into a panopticon while pretending they care about "privacy", then yes.

Don't we live in the world where the maximum amount of information about you is widely available? Haven't we for 10+ years or so? The absolute worst that has happened from this is newspaper headline related freak events rather than stuff that happens to everyone. In terms of my personal life, it's telling that the only person I know who has suffered a catastrophic privacy breach is someone that was hell-bent on never trusting Google or Facebook and self-hosted the whole way.

This is a type of person.

It's incoherent to scoff at privacy advocates because actually all the data is aggregated, and at the same time laugh at their efforts to not be a part of the aggregated dataset.

I do scoff at them, independent of the avoiding aggregation claim, because in their efforts to protect their privacy because they're so paranoid about the ThE bIG tEcH ComPaniEs they leave themselves far more vulnerable. And effectively island themselves from social activities like, oh, sharing photos with friends.

Your photo-album could perish in a fire if your house burns down, that's not an argument for leaving it in some centralized repository where every bureaucrat working there can skim through it, access to it can be denied at their whim, etc.

I'm just here to say when someone tries to share a photo with me from their home nextcloud server and I wait 5 minutes for the account confirmation email to show up, and it never arrives, and I have to help them diagnose whether or not they fucked up their self-hosted mail configuration, it's hard not to judge them as being so conceited that they think a state bureaucrat gives a shit about their private life.

I suppose they could print their photos out and mail them to me. That would be a nice change of pace even. But could I convince them to put a printer inside of their home nowadays? Think of how much closed source firmware those things have which could be reporting every single thing you print to The Powers that Be.

The absolute worst that has happened from this is newspaper headline related freak events rather than stuff that happens to everyone.

Are you familiar with the existence of the nation of China? The actual "absolute worst" that has happened from a complete lack of digital privacy is government dissidents and people who report the official who sexually harassed them getting disappeared and their organs harvested. You're talking about how all these silly paranoid privacy people have concerns that could never be realistic, and all the while we can just go look at one of the largest nations on Earth and see what happens when you get your way.

You're talking about how all these silly paranoid privacy people have concerns that could never be realistic, and all the while we can just go look at one of the largest nations on Earth and see what happens when you get your way.

I did not say let's also become an authoritarian dictatorship at the same time. I am specifically criticizing privacy warriors in the US.

See also the bottom of this other comment: https://www.themotte.org/post/851/culture-war-roundup-for-the-week/183628?context=8#context

I did not say let's also become an authoritarian dictatorship at the same time.

This makes about as much sense as "come on, baby, just the tip", for all the derision you lob at privacy advocates this is insanely naive given what has already happened in the west, let alone their open drooling at China's social credit system.

I did not say let's also become an authoritarian dictatorship at the same time.

Do you think authoritarian dictatorships announce themselves as authoritarian dictatorships and democratically ask the people to vote on their takeover? The privacy warriors in the US are looking over at places like China, Russia and the UK and seeing almost exactly the things they were warning about being implemented, and you're calling them paranoid when they take umbrage at US politicians talking about how great those things are and wanting to bring them here! One of the major arguments made by the privacy warriors is that even if you give the government this power now because you trust it not to become an authoritarian dictatorship, it is impossible to tell when one of those is coming down the pipe. Yes, it sucks that the one pedophile who was capable of using encryption perfectly to hide his crimes got away, but that's utterly insignificant when compared to the danger posed by our current panopticon if it were to fall into the wrong hands, and there is no way of making sure that it does not fall into the wrong hands. Both sides of politics believe that their opposition will use this power corruptly, and I'm honestly not sure either of them are wrong.

Your argument is essentially saying that it is fine to not have seatbelts because you personally haven't crashed your car and don't think you're going to crash it in the near future (yeah sure other people get into car crashes but you're built different), and the people saying "hey you should wear a seatbelt" are just paranoid, low-status losers who shouldn't be listened to.

Don't we live in the world where the maximum amount of information about you is widely available? Haven't we for 10+ years or so?

Maximum? Last I checked we still have not reached the elite's wet dream of all our activities being done through a uniquely identifying digital identity.

The absolute worst that has happened from this is newspaper headline related freak events rather than stuff that happens to everyone.

This is again incoherent in the light of your "it's all aggregated" criticism. These will never be things that happen to everybody, because manipulating society by manipulating each individual is the most inefficient way to go about it that I can think of. That doesn't change the fact that the measures they already took to monitor and control the flow of information already justify burning everything down and salting the earth.

independent of the avoiding aggregation claim

You don't get to do that. People avoiding Big Tech aren't doing so for fear of being super-haxxored, they do so to avoid centralizing power. You especially don't get to do that after claiming they ignore the aggregated nature of surveillance.

it's hard not to judge them as being so conceited that they think a state bureaucrat gives a shit about their private life.

We already had Google removing documents with wrongthink that got too popular. That I am personally not important to them is not relevant to my argument.

I also find privacy warrior claims rather, let's say, Joker-level anarchistic about rule of law. Everyone should have end-to-end messaging and the government should be locked out of private spaces no matter what. In no other domain do we accept a claim like "this dungeon in my house is off limits even to detectives with a court order because it is my private property" but apparently yes this digital cache of self-produced child pornography or evidence of a ticking time bomb terrorist plot[1] is something we can take to our graves regardless of any legitimate pursuit of justice. The level of hostility towards government here surpasses any of government's responsibility to protect its citizenry.

This is implicitly misrepresenting the actual situation. Searching your home dungeon takes a warrant; searching your digital assets (held by third parties) for self-produced child-pornography or other state-disapproved things requires a subpoena at best and may simply be blanket done on everything by some sort of automated system.

This is implicitly misrepresenting the actual situation. Searching your home dungeon takes a warrant; searching your digital assets (held by third parties) for self-produced child-pornography or other state-disapproved things requires a subpoena at best and may simply be blanket done on everything by some sort of automated system.

Oh, sorry, I meant to say end-to-end encrypted messaging up there. Fixed. That's private to only the sender and recipient and even a warrant can't compel discovery if both sides destroy their copies.

This is it, yes.

If there was a widespread invasion of privacy by our governments in the physical realm, as in once every year when you're out of the home a team of detectives (or to make the analogy more 1:1, a sophisticated automated drone) breaks in and inspects your home for evidence of crimes without warrants, we would very likely have at least some evidence that they did. If they did it in the digital realm, we would have... Exactly the evidence we have right now: no clear admission that it is so but also courts allowing "de-anonymising" of people of interest, implying they actually do intercept data without any kind of warrants, whistleblowers like Snowden, etc...

OP can dismiss it as "QAnon" stuff if he wants, but there's a heightened general distrust of our governments nowadays from both the left and the right. The red tribe today has reason to believe that the legal system, including police and the judiciary are weaponized against them, there's a discussion about such here today. You can disagree, but even if you do I think it's unfair to call it unreasonable to believe. And the blue tribe loudly frets about scenarios where if the red tribe gains power again they will weaponize government against them. So concerns about surveillance being in the interest of legitimate police interventions are convincing no one.

I'll reply to what I think is your central claim which is that "my private sex dungeon isn't off limits to cops so why should my hard drive be off limits".

The difference is scale.

For example, my house is not very secure. I lock my doors, but anyone with a crowbar could pretty easily break in and steal my stuff when I'm gone. I live in Seattle, so there's also zero chance they would be caught or go to jail. Why am I okay with this state of affairs? Why haven't I put iron bars on all the windows? The answer: there simply aren't enough people willing to commit a home invasion to worry about it.

On the other hand, let's say I had cryptocurrency on my computer. (I don't, by the way). I would take extreme measures to keep this secure because everyone in the whole world could potentially steal my coins.

The number of people that local cops can harass is limited by the resources of the local police department. Salaries aren't cheap.

The number of people that government spy agencies can harass is much more scalable. The Canadian truckers had their bank accounts frozen less than 2 years ago! We need digital privacy so that a government bureaucrat can't change a 1 to a 0 and lock a million dissidents from their bank accounts.

Scale matters.

I brought up the wholesale surveillance concern here https://www.themotte.org/post/851/culture-war-roundup-for-the-week/183482?context=8#context

It's not a complete response to your comment though.

The number of people that government spy agencies can harass is much more scalable. The Canadian truckers had their bank accounts frozen less than 2 years ago! We need digital privacy so that a government bureaucrat can't change a 1 to a 0 and lock a million dissidents from their bank accounts.

Scalable harassment is worrying, though I don't see how this is a function of privacy really? Like how would you solve the de-banking problem? Is the problem that it was too easy for the government to figure out who all of the protestors were and then work backwards to find their financial accounts and lock them down?

On the other hand, let's say I had cryptocurrency on my computer. (I don't, by the way). I would take extreme measures to keep this secure because everyone in the whole world could potentially steal my coins.

Irony of ironies, the extremely technically competent anarchist friend who had his self-hosted personal email hacked was because the attacker was an organized criminal who knew he had millions of dollars worth of cryptocurrency. The level of sophistication deployed by the attacker was astounding, which included producing faked search warrants. The attacker also already somehow had copies of his driver's license and we have no idea how he got it. They were not successful in stealing his Bitcoin but they came very close and this criminal continues to pop up in his life from time to time using information he gathered.

See also that a Bitcoin core developer was hacked recently https://www.theblock.co/post/198688/bitcoin-developer-pgp-exploit

I was really hoping there would be more of an argument here than "umm yikes, smells like Qanon" but you just completely ignored the whole issue. There's also some impressive irony in flipping between "qanon conspiracy theory" accusations and insinuations of "people worried about privacy look a lot like they have child sex slave dungeons, isn't that suspicious?"

This is the exact sort of dismissive "if you have nothing to hide, you have nothing to fear" attitude people in the 00s were worried would become common once universal surveillance was normalized.

I was really hoping there would be more of an argument here than "umm yikes, smells like Qanon" but you just completely ignored the whole issue. There's also some impressive irony in flipping between "qanon conspiracy theory" accusations and insinuations of "people worried about privacy look a lot like they have child sex slave dungeons, isn't that suspicious?"

I am not saying this. I think the grand majority of people who use (e.g.) Signal are unremarkable and having completely mundane conversations. The reason more people aren't burned by Signal is that it's not too inconvenient. If your phone dies you lose all of your chat history with everyone (since no cloud backups). People survive that okay, it turns out. But the flip-side of the normalization of Signal is that there are also bad people using it for crime and law enforcement is 100% powerless to do anything about it.

The Qanon-adjacent part is believing your mundane unremarkable life is so important that you must use Signal and that this meaningfully protects you from The Powers Whom are Unspecified, which is Important.

This is the exact sort of dismissive "if you have nothing to hide, you have nothing to fear" attitude people in the 00s were worried would become common once universal surveillance was normalized.

What additional argument is needed here? The no privacy status quo has existed for decades for billions of people and the only people that are for the worse for it are stupid criminals who send CSAM over Facebook in the clear and have been busted for it, and also a few freak headlines where normies are also swept up in abuses?

I'm a Signal user, and definitely one of those people who are too mundane to be noticed most of the time. While I do use regular SMS for most convos, there are particularly spicy chats with trusted friends and family that I use Signal for because I don't trust the alternatives. Perhaps this is paranoid of me, but a few things triggered its adoption:

  1. A blast from my edgy teenage past (about 15 years old at the time of the incident) popped up out of the blue with potential professional consequences for not only me, but an old friend as well. I was shocked that a JPG uploaded to the middle of nowhere on a webzone stuck in early 00s design and infrastructure managed to turn up in a company's background check for him. I was lucky to get a response and takedown from the current owner after spamming his email for a week.

  2. There's this phenomenon where people caught in freak, chaotic situations who make a bad move have their text histories pored over. This is to be expected, I imagine. But... Did you express violent displeasure at the 2019 protestors to a confidant? Maybe use some colorful language? Were you so bold and colorful to suggest that maybe a certain kind of protestor should have the ambulances they're obstructing drive right through them? Hope you didn't write that down. If you end up in a situation where somebody gets hurt or killed, you're a premeditated murderer! Let's say that I would be fucked beyond measure if one of MY antisocial morning-before-coffee shitposts got dug up after a protestor died after attacking my dad, for instance.

And during these moments, I'm noticing that the open, mind-your-own-business, permissive tech culture of old has been largely inverted by men and women who sound like you. I don't trust that change, and I don't trust you or your fellow travelers to never take it too far. Sure, I'm too boring today - unless an aggrieved party forces my publicity. But I can certainly imagine an evolved, V2 future wokescold developing the interest once they've exhausted every other one of Al Capone's vaults in their quest to find racism and intolerance as an explanation for why the world sucks. When you can no longer find any mechanism for systemic racism in the processes or the data, but you don't yet have mindreaders, why not go for the next best thing like their lifelong chat history? And who wouldn't be tempted to ctrl-f the word 'nigger' to see what comes up in a paper trail of that size?

Part of the concern is that today's mundane can quickly become tomorrow's problematic. That transgressing popular orthodoxies is not as ruinous or catastrophic as it could be by historical standards doesn't assuage my fears, because I honestly don't know if and when such curiosity regarding wrongthink and badspeak will be sated. I think I need to cement here that I did not have 'privacy concerns' as a foremost thing in my mind until I felt like the culture and people I'm surrounded by got bizarrely tilted and bloodthirsty.

I recognize that my small, amateurish attempts to guard against this are probably futile and incomplete, and possibly laughable by your vantage. But the impulse to escape your sight lines will continue to be very real. Dangling a hypothetical pedo bunker over the scale doesn't move me. A world without privacy and encryption looks more like the Trump investigations stretching into infinity than a parade of young girls rescued from Josef Fritzl. Even the latter would require real work and resources, so I expect more resume-padding and activity among DEI hires in the Department of Bad Texts than anything else.

If I have to submit to your preferred apparatus, it would only be in the 'nice until meanness is coordinated' sense. Secretly I'll keep hoping it's destroyed by implosion or external force.

Let me present you an alternate vision of dystopia.

https://www.themotte.org/post/479/calling-all-lurkers-share-your-dreams/94878?context=8#context

We've been pretty fortunate that everyone that has built darknet markets (DNMs) so far are not competent or visionary enough to produce something high quality. The potential black market has not come anywhere close to being fully actualized.

The maximally dystopian horror example case is: onlyfans for live streamed child rape / snuff films with tens of thousands of men watching from behind Guy Fawkes masks beating off and tipping tens of thousands of dollars an hour. Everyone involved, the viewers and performers, completely anonymous and untraceable.

Yes, I am very familiar with the usual cypherpunk arguments for why crypto is an important tool for protecting people's security/privacy from criminals, and that also you can't trust police to protect backdoors in crypto systems and to also not abuse them. I'm not convinced the endgame world of maximally "useful" DNMs that could be produced wouldn't be a net worse world overall.

Seems like cryptocurrency is waning a bit so this future may be delayed for now.

Perhaps my view on this is informed by being very close to the production of the tools that could create this dystopia, but the creation of a completely lawless criminal state that law enforcement is permanently locked out of meeting technocapitalist incentives is a possibility that is too casually dismissed.

There's still a lot of room for an underworld Jeff Bezos to pick up a trillion dollars.

We have only to look at the Chinese surveillance system, especially as implemented in Xinjiang to track Uyghurs, to see that it is entirely feasible to have technology tracking every individual citizen all the time: where they go, who they are in contact with, and what they say.

We can also see from the COVID lockdowns how quickly “of course we could do that, but we never would” turns into “we will use every tool at our disposal to keep you safe” when a real or perceived crisis arises.

I am enough of a heretic to know that I will be discriminated against if the UK ever implements Chinese-style social credit. I was already subject to a considerable amount of abuse for voicing moderate right-wing opinions at the university I was in. I therefore want to maximise the number of controversial steps that have to be made, and red lines that have to be publicly overrun, before such a social credit system becomes popular.

It is vital that using e2e, local storage, blockers and privacy settings is done by ordinary citizens as well as witches. Otherwise it is very easy to make attempting to avoid surveillance effective proof of wrongthink.

I did not say let's also become an authoritarian dictatorship at the same time. I am specifically criticizing privacy warriors in the US.

See also the bottom of this other comment: https://www.themotte.org/post/851/culture-war-roundup-for-the-week/183628?context=8#context

You will not agree, I think, but from where I’m standing both America and the UK became authoritarian dictatorships in 2019 2020 when they locked the entire population in involuntary house arrest. I get why, but I was raised to believe that there were certain things we would never do, and seeing how quickly we stomped all over them has soured me on “let’s go 50% of the way there but obviously not 100%, who would do that?”. The fact that we managed to pull most of the way back again doesn’t really reassure me.

The privacy weirdos provide an immense service to society by keeping privacy somewhat non-partisan and acting as meat shields for witches.

Can discuss more later but got to go.

It's not substantive and I agree with your point but it is really astonishing to me that anyone could get the year in which the world reacted to COVID wrong. I feel like "2020" will never look the same as any other number to me again.

Ha. I think it’s because they first discovered it in 2019, so I got used to thinking of it as Covid 2019-2022. Thanks for the correction.

In the end, excessively fretting about privacy mostly is costly (in time), increases inconvenience and annoyance, increases the nanny/regulatory state, puts you at greater risk, and just makes the ads being served to you dumber.

Halle-freakin'-lujah!

I don't want smart ads. I don't want tailored ads. I don't want "we've been snooping on what sites you browse for the past six months so we think we can sell you this particular crap".

If I want a good or service, I'll look it up. I don't buy unsolicited rubbish, and I haven't the money for the stuff they want me to buy, anyway, so I'm a bad fit for their "if this bozo spends thousands, we'll get a cut" commission.

You tell me that kicking up about this shit means it will be hobbled? Sign me up to put the hobnails on and start the kicking!

There are a lot of half arguments here.

Like, you scoff at impenetrable end to end encryption. But the realities of the internet are that any back-door or security flaw that allows end to end encryption to be penetrated exposes literally everything to literally everyone. There is no limiting principle as is the case of say, a door to a kiddy porn dungeon. Presumably there would be a warrant. Or maybe in the case of your valuables being in the sort of safe The Lockpicking Lawyer could open in under 1 second with a toothpick, some hopefully limited number of criminals will ever actually get a crack at it. Not so with anything on the internet. Either it's impenetrable, even to legitimate law enforcement (but especially illegitimate law enforcement), or virtually every criminal on Earth already has access to it. There is very little in between.

Then you decide to stan for cloud computers. Because a friend of yours is an idiot and didn't fix his NAS when it had a problem. But the fact of the matter is, the cloud is still only someone else's computer. And they can revoke access to your data just as capriciously as a RAID array might fail.

And then to smear everyone concerned as QAnon, as though fears of data collection and spying haven't been validated time and time and time again. Did Snowden happen before you were born? Has it been that long?

And then to smear everyone concerned as QAnon, as though fears of data collection and spying haven't been validated time and time and time again. Did Snowden happen before you were born? Has it been that long?

The vein here is that the most unremarkable people seem to believe that far-away powers that be care about looking at their private data because they're such a threat to the state because they're so edgy and subversive when the truth is the powers that be just don't care about them. Probably not even in the aggregate.

The powers that be seem intent on making examples of very average people these days. We've seen extreme prosecution of actions that "reasonable people" would believe would not draw nearly that much individual attention from the government (trucker protest in Canada, J6). And the other side is worried about the idea that, for instance, a right-wing government could use private collected information to identify and deport immigrants. "If you haven't done anything wrong (or big) you have nothing to fear" is not convincing to anyone.

We've seen extreme prosecution of actions that "reasonable people" would believe would not draw nearly that much individual attention from the government (trucker protest in Canada, J6).

It was very predictable that the governments involved would be highly interested in going after the people involved in these two things, though.

Maybe after the fact. But prior, I'm sure a lot of people still clung to the belief that we lived in a free country.

Yes, nobody thought that the trucking protest was going to work, but anyone who expected that a ‘stop the steal’ rally busting into Capitol Hill during the electoral count would be treated proportionately had not been paying attention.

Seeing that over a summer it was free game to take over neighborhoods, torch police stations, do nightly assaults on federal courtrooms, attempting to blind police officers, and in the previous years interrupt official proceedings (supreme court nominations), some people could have been given a wrong impression, yes. Not so much that the government wouldn't be interested in it, but that the judiciary branch would be so captured as to do what looks at least to one side like enforcing laws on blatantly political lines.

These are average people in extremely man-bites-dog circumstances though. Contra-evidence: ~2 billion lifelong users of Google and Apple have uneventful things to report.

True, but more than ever we're at an inflection point nowadays where the ability to process this information and abuse it meets a distrust of its handlers. It's barely been one year where the public has seen the ability for computers to read and seemingly really "understand" human speech and its intents. All that collected data that we thought was too much to be processed, it could now be fed to NLP algos and to LLMs to read through and flag, on all sorts of criteria. Take a small fast LLM like Phi-2, tell it to read all personal conversations on Facebook Messenger or whatnot, flag all those that seem to indicate political extremism (as defined by politicians the public distrusts), forward them to a smarter LLM (GPT-4) to review, if it agrees, forward to a human for further review.

And the other side is worried about the idea that, for instance, a right-wing government could use private collected information to identify and deport immigrants.

If anything, a number of privacy advocates are attacking the problem from an abortion rights angle, from what I've seen, so there's already a good amount of left-coded concern.

Like, you scoff at impenetrable end to end encryption. But the realities of the internet are that any back-door or security flaw that allows end to end encryption to be penetrated exposes literally everything to literally everyone.

[...]

Not so with anything on the internet. Either it's impenetrable, even to legitimate law enforcement (but especially illegitimate law enforcement), or virtually every criminal on Earth already has access to it. There is very little in between.

This is grandiose. On Facebook without E2E encryption (but with TLS), your messages are only exposed to Facebook and whoever hacks them, which is a very remote possibility. Adding E2E encrypted messaging with a law enforcement decryption key that can only be used with a warrant does not increase the risk further than the non-E2E case, even if that key is ultimately compromised.

Then you decide to stan for cloud computers. Because a friend of yours is an idiot and didn't fix his NAS when it had a problem. But the fact of the matter is, the cloud is still only someone else's computer. And they can revoke access to your data just as capriciously as a RAID array might fail.

Somehow it never occurs to people making this argument that it's trivial to make off-site backups from cloud providers, if you're that worried about them revoking access.

Adding E2E encrypted messaging with a law enforcement decryption key that can only be used with a warrant does not increase the risk further than the non-E2E case, even if that key is ultimately compromised.

...

law enforcement decryption key that can only be used with a warrant

How exactly are you enforcing this? Magic? This is, technologically, an explicitly unsolvable problem. You may as well propose a defence system that relies on a diviner performing tarot readings to determine when missiles are incoming.

This is a common talking point, but it's never really made sense. People go down the route of saying, "Well, you can't have a mathematically provable way of verifying the validity of warrants," but that's not really relevant to the typical digital threat vectors that are normally relevant (i.e., a 400lb guy in a bed in Russia attacking your device over the internet thousands of times in the middle of the night). You can pretty easily have FB keep a private key in an HSM locked in a vault somewhere, not connected to the internet, and after their legal department has fully vetted the warrant request, they could take the encrypted blob of messages into the vault and use the purpose-built hardware to decrypt it. Sure, add some qualifier about, "..can only be used with a warrant, up to the accuracy with which FB's legal team can determine the validity of said warrant," but then your only objection fades away.

Of course, this method would also be subject to the possibility of abuse by the small number of FB insiders who are tasked with this warrant service, but that, by the terms of the argument made above, "does not increase the risk further than the non-E2E case," because in the non-E2E case, FB can also trivially abuse their access to your messages. The question here is to what extent you think FB is, itself, a threat actor, but I think the terms of the argument above stipulated that they weren't. The appropriate criticism (seen elsewhere here) is that they are.

I will actually grant that I'm not sure making an actual secret backdoor key in those lines is technologically impossible - I thought it was, but I'll freely grant that I may have been wrong there.

You can pretty easily have FB keep a private key in an HSM locked in a vault somewhere, not connected to the internet, and after their legal department has fully vetted the warrant request, they could take the encrypted blob of messages into the vault and use the purpose-built hardware to decrypt it. Sure, add some qualifier about, "..can only be used with a warrant, up to the accuracy with which FB's legal team can determine the validity of said warrant," but then your only objection fades away.

But you depart from reality here.

Think about how many law enforcement requests for this kind of data are made all over the world, every single day. Every single time a person in the UK makes a problematic tweet, that vault is getting opened. Every single minor crime or drug dealer that the police go after? That vault is getting opened. This kind of law enforcement key/bypass would have to be so easily accessible that the idea it wouldn't be leaked is just not viable.

How would it be leaked? It's buried in an HSM that is not connected to the internet and housed in an access-controlled vault. Just assuming a breakage of the first of those conditions (extracting a key from an HSM) utterly breaks all device security guarantees you have for all the devices you own. If step one of your plan to "leak" this key is to be able to break all device security guarantees for all devices everywhere, then we can probably conclude that this thing doesn't constitute a meaningful additional risk over the status quo. Like, mayyyyybe an epsilon increase, maybe. But that epsilon is sooooo small that it would be dwarfed by a literal billion other security improvements we could make in every other aspect of our digital computing.

How would it be leaked? It's buried in an HSM that is not connected to the internet and housed in an access-controlled vault. Just assuming a breakage of the first of those conditions (extracting a key from an HSM) utterly breaks all device security guarantees you have for all the devices you own.

This just isn't true. Microsoft can keep the signing keys for some important elements of the OS private, and those keys are only accessed extremely rarely and in specific circumstances. But the threat that I'm talking about is from actors who have legitimate access to the vault.

This super skeleton key that unlocks all encryption and allows you to bypass all security on financial transactions, privacy, government documents, military assets... not only is this going to be the most valuable key in the world with thousands of motivated parties trying to get access to it, there are going to be law enforcement and government requests for it on a constant basis. Think about how many warrants are served in the USA and then remember that every single one of them is going to involve someone getting access to this key. Then remember that this key is also in use everywhere else in the world - it has to be the same otherwise you've completely broken the internet and global economy by making encrypted communication between different nations impossible (it'd be illegal to have communications that don't allow access via this master key after all). So that means that every single time a Chinese, Russian, Brazilian or South African cop wants access to some communications, that vault is getting opened right back up again.

THAT is what makes it so likely to leak - this key is going to have to be accessed by millions of law enforcement officers and government officials every single day, and it is the most valuable key in the world given that it can defeat all encryption used in financial transactions and would make fraud and financial crime as easy as pie, let alone privacy invasion and surveillance. If you think that the Chinese (or American for that matter) government is going to use this access responsibly (or just not keep their word when they say they're not making copies of the key), lmao.

This conversation is about E2EE of Facebook messages, not bank transactions. Law enforcement/government can just subpoena your bank to get your bank transactions.

this key is going to have to be accessed by millions of law enforcement officers and government officials

Also BZZZZT. As I said, the only people that ever access this key are a small number of approved Facebook insiders. Law enforcement/government make requests (with warrants) to Facebook, but they never even touch the handle to the door of the vault that contains the computer with the HSM with the key.

But the threat that I'm talking about is from actors who have legitimate access to the vault.

This is why I had said:

Of course, this method would also be subject to the possibility of abuse by the small number of FB insiders who are tasked with this warrant service, but that, by the terms of the argument made above, "does not increase the risk further than the non-E2E case," because in the non-E2E case, FB can also trivially abuse their access to your messages. The question here is to what extent you think FB is, itself, a threat actor, but I think the terms of the argument above stipulated that they weren't. The appropriate criticism (seen elsewhere here) is that they are.


On Facebook without E2E encryption (but with TLS), your messages are only exposed to Facebook and whoever hacks them, which is a very remote possibility.

You obviously haven't heard of the third party doctrine.

If Facebook has your messages, and you haven't encrypted them E2E, the government can look at them any time they want without a warrant. Your statement that they can only be seen by Facebook and by hackers is false; the current legal environment makes them open to the government, no warrant needed.

You're also ignoring that for the government to look in your basement takes some effort. Looking at millions of people's data is trivial.

I responded to this third party doctrine concern you raised on a different comment here: https://www.themotte.org/post/851/culture-war-roundup-for-the-week/183485?context=8#context

But to recap

If Facebook has your messages, and you haven't encrypted them E2E, the government can look at them any time they want without a warrant.

This isn't exactly true. Things that neatly fall into the category of "communication" are protected, like 1:1 messages. Metadata and other content (like documents) are not.

You're also ignoring that for the government to look in your basement takes some effort. Looking at millions of people's data is trivial.

A different commenter also raised this. Addressed here: https://www.themotte.org/post/851/culture-war-roundup-for-the-week/183482?context=8#context

Wholesale surveillance has been criticized as fairly useless to law enforcement by security experts for a long time.

Wholesale surveillance has been criticized as fairly useless to law enforcement by security experts for a long time.

  1. It might be useless for legitimate law enforcement purposes but fine and dandy for not-so-legitimate ones.

  2. I would argue that machine learning classifiers have made wholesale surveillance quite a bit more useful, by making it a lot easier. You want to find crimetalk, train a classifier with crimetalk and run everything through it; no need for humans to do all that work.

Fair enough. Eliot Spitzer got brought down because his bank transfers to a brothel were red flagged, they investigated, and they just happened to nail the governor of NY. Obviously what really happened is they brought up all of Eliot Spitzer's records, went over it with a magnifying glass, pieced together the brothel thing, and also noticed it had been red flagged (like a billion other transactions that are never looked at), and worked backwards from there to construct a story where they had cause.

So that's an extreme case. How often does this happen in practice though? Also, even in my extreme case, it doesn't seem actually wrong for this information to have come out about Eliot Spitzer?

So that's an extreme case. How often does this happen in practice though?

The magic of parallel construction -- where law enforcement obtains information from an illegitimate source, fabricates a chain of evidence back to a legitimate source, and then presents the fabricated chain to the court -- says we'll never know.

A different commenter also raised this. Addressed here: https://www.themotte.org/post/851/culture-war-roundup-for-the-week/183482?context=8#context

Wholesale surveillance has been criticized as fairly useless to law enforcement by security experts for a long time.

Useless at preventing crime. Fantastic as "Show me the person, and I'll show you the crime." I routinely see the government producing private non-serious conversations they've harvested through whatever means to defame the character of people they are politically persecuting.

and whoever hacks them, which is a very remote possibility

Would you consider Microsoft making a configuration mistake giving read access to every Office 365 account to a test account that was then trivially hacked more or less likely than Facebook making a similar mistake? I work in IT too, and I would have considered Microsoft more serious than Facebook regarding security. Maybe I'm wrong and Microsoft is just unserious about security while Facebook is serious. Maybe. But personally I still adjusted my estimation of the likelihood of this kind of serious breach from all of FAANG(O)/big tech upwards.

My bias is Microsoft is a lot more incompetent at security than Facebook and they regularly prove it. They're getting better, but still have a long way to go. https://srslyriskybiz.substack.com/p/microsofts-security-culture-just

Ilhan Omar speaks to her own people, in her own language, and she is getting blasted for it.

The video itself, from what I think is the most original source I could find.

The headlines I've collected:

Ilhan Omar Deportation Calls Grow From Republicans

'Squad' member grilled for remarks about allegiance: 'Somalians first, Muslims second'

Rep. Ilhan Omar Faces Backlash on Social Media Following Viral Speech on Somalia

From her own, preferred, translation:

We Somalis are people who love each other. It is possible that some of us are rough with each other, but when the going gets tough, we are people who have each other’s backs. We are sisters and brothers, supporting each other, people who know they are Somalis and Muslims, coming to each other’s aid and aiding their brothers and sisters.

And the other day, when we heard that some Somalis, or those who say they are Somalis, entered an MoU with Ethiopia, many people called me and said, “Ilhan, you should talk to the US government; what is the US government going to do about this?”

My response was: the US government will do what we ask it to do. We should have this confidence in ourselves as Somalis. We live in this country. We are taxpayers in this country. This country is one where one of your daughters sits in Congress. While I am in Congress, no one will take Somalia’s sea. The United States will not back others to rob us. So, do not lose sleep over that, O Minnesotans. The lady you sent to Congress is on this, and she is as cognizant of this interest as you are.

I would like to tell President Hassan Sheikh that we are impressed with the great work you have done. You have made it known to those living in Somalia and other places that, in spite of the many challenges we face as Somalis, we are nonetheless competent people. People who believe in their country and will not allow it to be endangered.

Thus, I want to congratulate the Somalis in Minnesota and everywhere on how united you are. How you all stood by our president, because he needs our solidarity. Somalia belongs to all Somalis. Somalia is one. We are brothers and sisters, and our land will not be balkanized. Our lands were taken from us before, and God willing, we may one day seek them, but what we have now will not be balkanized.

I thank you all for how you always welcome me and honor me; may the Lord honor you. Peace and blessings of God be with you.

Nothing here is news to me. I also think Omar should be expelled from Congress and deported, but that's because she's committed immigration fraud to bring her brother into the US by posing as his wife. It's always been obvious to me that she's simply not American, will never be American, and can never be American. She's Somali, and here, in her native tongue, talking to her coethnics, she admits as much. Look at her preferred translation again, and consider who she lumps herself with.

We Somalis are people who love each other.

We are sisters and brothers, supporting each other, people who know they are Somalis and Muslims, coming to each other’s aid and aiding their brothers and sisters.

This is the part that has been translated into Somalis first, Muslims second, and Americans not at all (emphasis mine). She does, eventually, say Minnesotans:

So, do not lose sleep over that, O Minnesotans. The lady you sent to Congress is on this, and she is as cognizant of this interest as you are.

The video subtitles do not translate Minnesota, but it's clearly recognizable (sounds like "rare minnesoto" at ~1:38).

You have made it known to those living in Somalia and other places that, in spite of the many challenges we face as Somalis, we are nonetheless competent people.

Somalia belongs to all Somalis. Somalia is one. We are brothers and sisters, and our land will not be balkanized. Our lands were taken from us before, and God willing, we may one day seek them, but what we have now will not be balkanized.

The "brothers and sisters" refers to Somali muslims, not the Scandinavian or German ethnics who have been in Minnesota for generations, those who are being replaced by Omar and her ilk. Not the yankees who moved west from New York and Pennsylvania. Solidarity is for blacks and muslims, not whites, not Americans.

I'm not trying to hide my biases here. I've long thought it obvious that this woman was a foreign agent, representing foreigners in the US congress at the expense of Americans. That offends me deeply. I can't even call her disloyal, because she's very clearly loyal to who she considers her own. I'm glad more people are noticing, and I hope that she is punished for her misdeeds eventually. I simply wish I could say, America for the Americans, our lands will not be taken from us, but unfortunately that sentiment is only available for foreigners.

Hopefully Tlaib is next.

If the US military stayed within its own borders except when genuinely attacked in an unprovoked way, I would be more willing to grant that US nativists have a worthy moral argument. But as long as the US constantly attempts to exert its will on the world using force, I see no moral argument for why people from the rest of the world should refrain from trying to influence US politics for the benefit of their own countries or ethnic groups or why they should refrain from moving to the US and enjoying the benefits of living there while having absolutely no loyalty to it and instead just exploiting it for their own purposes.

To be fair, many US nativists are actually in favor of a less interventionist US foreign policy.