Hacker News: FabCH's comments

Interesting way to frame the fact that the members of the European Parliament voted 311 to 218 yesterday to reject the companies' right to spy on you.

I'm the first person to admit the EU has a democratic deficit, but MEPs are directly elected by EU citizens and they chose this in a democratic process. The companies are certainly making a choice with this blogpost.


I dunno, man. If tech companies responded to a failure to extend interim guidance by terminating their CSAM detection programs, and claimed when challenged that the EU made them do it, I'm pretty confident there would be much more outrage about "malicious compliance". If the EU wants companies to stop detecting CSAM until the final guidance arrives, they should say so directly.

They did.

EU Commission reported that the false positive rate was 13-20%.

German police reported that 50% of all reports were wrong.

The system is rubbish and the EU MEPs were quite open about wanting it to go away.


What is the false negative rate and total rates? Without those we are missing too much. If the false negative rate (saying fine but it isn't) then the whole thing is useless. If the total cases are a few hundred (either CSAM isn't a problem or those doing it use other platforms because they know they will be caught on these) I don't care much that some are false positives - odds are it didn't get me.

You cannot know the false negative rate without investigating 100% of all photos. You are asking for the impossible.

Sure you can, random sampling should work. Don't just go making things up.

Of course actually carrying out that experiment would be absurd since I don't think anyone expects an appreciable percentage of clearnet material to be CSAM. The working assumption is that the goal is to find a needle in a haystack so GP's objection about needing to know the false negative rate is misguided.


I expect the equivalent of the FBI is investigating this using other sources and so has plenty of data without needing to randomly sample any non-suspect conversation. CSAM has been a problem since before computers.

if you want perfection. But the EU should be doing investigation that they can use statistics to create a good estimate.

The report you're referring to by the European Commission [1] shows that the mass surveillance of Chat Control 1.0 is probably not very proportional. They even note themselves that "The available data are insufficient to provide a definitive answer to this question".

However, the "13-20%" that you're quoting is a dishonest propaganda number itself. It's the false positive rate that a single small company (Yubo) reported. The reported false positive rates of other companies are between 0.32% and 1.5%, which is still a high error rate in absolute numbers.

Just to be clear: the report itself is full of uncertainty, convenient half-truths and false causality. They for example completely rely on Big Tech platforms themselves to count false positives when a moderation decision was reversed. Microsoft apparently even claims that no user ever appealed against a decision ("No appeals reported"). There is no independent investigation into the effectiveness of the regulation at all, while it is in direct conflict with fundamental rights and required to be proportional to its goals.

The section about "children identified" is also a complete mess where most countries can't even report the most basic data, and it isn't clear if mass surveillance contributed anything to new cases at all. But somehow they still conclude "voluntary reporting in line with this Regulation appears to make a significant contribution to the protection of a large number of children", which seems extremely baseless.

[1] https://www.europarl.europa.eu/RegData/docs_autres_instituti...


I'm sure a lot of HN commenters would agree that a CSAM detection system with a 13-20% false positive rate should be terminated, but we're not EU regulators. And you've got a sibling comment saying this would be malicious compliance, so even on HN it's not unanimous. Is there an example of a specific EU official, MEP, etc. explicitly stating that tech companies should not perform hash-based CSAM detection or should not perform CSAM detection at all?

Yes? The Pirate Party has MEPs, it’s not exactly difficult to find their quotes. 3 seconds of searching was enough to find the following quote from MEP Markéta Gregorová:

„We can now finally say with certainty that Chat Control 1.0 will end on April 3 without replacement. The European Parliament has sent a clear signal: it is time to put an end to this ineffective and disproportionate derogation from privacy rules. Under the pretext of protecting children, millions of private messages from innocent citizens were being scanned for years without delivering adequate results. This system simply did not work and had no place in a democratic society.“

It doesn’t have to be unanimous on HN. It wasn’t even unanimous in the EUP.

But what it was is legal and democratic. And the discussion in the parliament explicitly included the fact that the companies will either have to stop, or find a different legal grounding.

The companies in this blog post are effectively admitting they are making a choice to go against the law.


> I'm pretty confident there would be much more outrage about "malicious compliance".

As there should be.

The big tech companies have done that every time the EU passes some consumer protections, and have been spanked in court several times for the disingenuousness.


Spanked? Hardly ever are there fines

A) actually being paid in the end, and

B) high enough to be of any concern to the concern.


> voted ... to reject the companies right to spy on you.

Yes, that's what they call "European Union inaction".


You are technically correct but seem to be applying common law standards to civil law countries.

Unlike the common law judiciary, the civil law judiciary in and of itself has investigatory powers, and judges don’t just hear arguments but can order their own investigations and are significantly more independent than in common law.

This can cut both ways: yes, in theory the judge can accept evidence the prosecution obtained illegally, but the judges can also call the prosecution's bluff and call their own witnesses or order an independent expert to provide their own opinion, even if the defense is unable to.


You forgot about the Nordic countries.


Scandinavian law is commonly considered to be a subcategory of civil law. Judges in Scandinavia have investigative powers and can judge the truth of the matter.


>Scandinavian law is commonly considered to be a subcategory of civil law

Their judiciaries are very different from how you describe civil law systems.

>Judges in Scandinavia have investigative powers and can judge the truth of the matter.

This is, at best, technically correct. While judges in Nordic countries tend to technically have some limited investigative powers, it is extraordinarily unusual for them to be used in any meaningful capacity.

In reality the investigative powers wielded by judges in Nordic countries tend to be the same as in common law countries: asking a question here and there during the hearing to make sure they're keeping up.

These countries are certainly not at all like France or Spain, where you might have examining magistrates; criminal investigations are run by the police and prosecutors.


Note that the original discussion was discussing extraordinarily unusual circumstances already.

This isn’t your average „my neighbor built a fence and damaged my tree“ case.

In such cases, the technical differences between fully adversarial common law systems and mixed-but-still-some-inquisitive-powers systems like the Nordic law matter.

And of course it is not exactly like Napoleonic law countries.

Also, the police still run investigations, even in France. It’s just that the judges can choose to not believe the police. Famously, even if you sign a confession they can say they don’t believe it.


People in the comments asking for harsher punishment should note that we don’t know how many people selected the „I have no strong preference“ option and got assigned to group A randomly.

It’s a bit harder to make the argument that those people _explicitly_ agreed to not use LLMs.

And given how the desk-rejection logic relies on an ethical integrity argument, actual explicit intent is important.


They agreed that policy A is fine for them. Then they got assigned policy A and they were notified about this.


Police show up and arrest you. Could be with reason, could be by accident. Maybe you did something wrong, maybe you didn’t. They also physically seize your servers, and in doing so they unplug the system.

If you have disk encryption, your data now requires the police to force you to produce a password, which may or may not be within their powers, depending on the jurisdiction.

It’s strictly better to have full disk encryption and remote unlocking than no disk encryption at all, because it prevents such „system was switched off by accident“ attacks.


>and in doing so they unplug the system.

They have kits that allow them to unplug the server from the wall without interrupting power supply, specifically so they don't lose the decryption keys.


Sure, but in reality I'm more interested in not letting any low-paid tech dude in the DC have access to my data just because he can pull a drive. Or someone who buys the server from the provider.


More reason to use encrypted memory like with AMD TSME and a dead man's switch.


Except they are more sophisticated than this in the real world. They have kits to clone drives and keep power running without interrupting it.


In the real real world, not all police have that or use it in every raid. We got visited once as a group of people some ten years ago, coordinated to happen at the same time at different locations across multiple states, and at none of the locations did they bring any such equipment or expert, even though both the accused crime revolved around computing and the warrant specifically was for computer equipment. They asked nicely for passphrases and since we didn’t provide any they got nowhere. They even allowed us to power down some machines for them, haha.


The article was written by „Aaron Francis, Marketing Engineer“.

I’m not a language purist, but are we really calling people who work in marketing „marketing _engineers_“ nowadays?

That seems like going a bit too far with the meaning of engineering…


Some fields of engineering have long had roles with names like that.

Want to do something with motors, but don’t know how to calculate the right combination of motor, gearbox, brake, encoder and controller? Maxon’s sales engineers will happily walk you through the calculations.


I'm a software developer who was, at the time, working in a marketing role. Happy to answer questions.


I feel it’s an evolution of the term “Devrel” which still feels tacky.

Nor would you want someone who built most of their career as an actual engineer to suddenly drop that term and become a generic someone in “marketing”. They’re more than that for sure.

I quite like the terminology the more I think about it.

https://github.com/aarondfrancis


Totally. An engineer who (at the time) works in marketing! Makes sense to me :D


Well, the "software" folks started it. I met a full stack engineer the other day; that word used to have some meaning as well.


"Full stack" grinds my gears, too. Do they really work from sand to human factors?


I hate sand


If you don't need global access, I have found that geoblocking is the best first step. Especially if you are in a small country with a small footprint and you can get away with blocking the rest of the world. But even if you live in the US, excluding Russia, India, Iran and a few others will cut your traffic by a double-digit percentage.

In the article, quite a few listed sources of traffic would simply be completely unable to access the server if the author could get away with a geoblock.


This makes me a little sad. There's an ideal built into the Internet, that it has no borders, that individuals around the world can connect directly. Blocking an entire geographic region because of a few bad actors kills that. I see why it's done, but it's unfortunate.


You can't make the argument that it's a small group of bad actors. It's quite a massive group of unrelentingly malicious actors


I read it as small compared to total population affected by the block


But that’s not the case either. A large attack or scrape generates far more traffic than legitimate users.


Massive in terms of money and power, small in terms of souls


It's not because of a few bad actors, it's because of a hostile or incompetent government.

Every country has (at the very least) a few bad actors, it's a small handful of countries that actively protect their bad actors from any sort of accountability or identification.


To be fair most of my bad traffic is from the US.


I mean if that's the case, the conversation obviously changes.


I know what you mean.

But the numbers don't lie. In my case, I locked down to a fairly small group of European countries and the server went from about 1500 bot scans per day down to 0.

The tradeoff is just too big to ignore.


Reminds me of when 4chan banned Russia entirely to stop DDoSes. I can't find it but there was a funny post from Hiro saying something like "couldn't figure out how to stop the ddos. Banned Russia. Ddos ended. So Russia is banned. /Shrug"


Similarly, for my e-mail server, I manually add spammers into my exim local_sender_blacklist a single domain at a time. About a month into doing this, I just gave up and added `*@*.ru` and that instantly cut out around 80% of the spam e-mail.

It's funny observing their tactics though. On the whole, spammers have moved from bare domain to various prefixes like @outreach.domain, @msg.domain, @chat.domain, @mail.domain, @contact.domain and most recently @email.domain.

It's also interesting watching the common parts before the @. Most recently I've seen a lot of marketing@, before that chat@ and about a month after I blocked that chat1@. I mostly block *@domain though, so I'm less aware of these trends.
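The sender-pattern blocking described in the comment above, as an added example that is not the commenter's own configuration: a simplified Python matcher for exim-style sender patterns, showing why a bare `*@domain` entry misses the `@outreach.domain` style senders the comment mentions while `*@*.domain` catches them. The sample list and addresses are constructed, and the matching rules are an approximation of exim's address lists, not exim's code.

```python
import fnmatch
from email.utils import parseaddr

# Constructed sample blocklist in the spirit of an exim address list:
# one pattern per line, "#" comments, "*" wildcards. The entries are
# made up for this example; the matcher below is a simplified
# re-implementation, not exim's own address-list code.
SENDER_BLOCKLIST = """
# a whole TLD
*@*.ru
# one bare domain: does NOT cover sub-domains such as outreach.spam.example
*@spam.example
# bare domain plus every sub-domain under it
*@*.bulk.example
*@bulk.example
# a local part seen across many domains
chat1@*
"""


def parse_blocklist(text):
    """Return the non-empty, non-comment patterns, lower-cased."""
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            patterns.append(line)
    return patterns


def normalise_sender(header_value):
    """Extract the bare, lower-cased address from a From/envelope value.

    Handles display names ('Sales <x@y.example>') and the empty sender '<>',
    which parseaddr() turns into an empty string.
    """
    _, addr = parseaddr(header_value)
    return addr.strip().lower()


def matching_pattern(sender, patterns):
    """Return the first blocklist pattern that matches sender, or None.

    Pattern and sender are each split at their last '@'; local part and
    domain are matched separately with shell-style wildcards, so a '*' in
    the local part can never swallow the '@' and the domain.
    """
    if "@" not in sender:
        return None
    s_local, s_domain = sender.rsplit("@", 1)
    for pat in patterns:
        if "@" not in pat:
            continue
        p_local, p_domain = pat.rsplit("@", 1)
        if fnmatch.fnmatchcase(s_local, p_local) and fnmatch.fnmatchcase(s_domain, p_domain):
            return pat
    return None
```

With the list above, `bob@spam.example` is caught by `*@spam.example` but `bob@outreach.spam.example` is not, whereas `bob@outreach.bulk.example` is caught by `*@*.bulk.example`.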


We've had a similar discussion at my work. E-commerce that only ships to North America. So blocking anyone outside of that is an option.

Or I might try and put up Anubis only for them.


Be slightly careful with commerce websites, because GeoIP databases are not perfect in my experience.

I got accidentally locked out from my server when I connected over Starlink that IP-maps to the US even though I was physically in Greece.

As practical advice, I would use a blocklist for commerce websites, and an allowlist for infra/personal.


There is a small OTC medical device that is about $60 in the US, quadruple the price in my country. I tried to order one to be sent to a US family member's house, who was coming the following month to visit. However I could not order because I was not in the US.

In the end I found another online store, paid $74, and got the device. So the better store lost the sale due to blocking non-US orders.

I don't know how much of a corner case this is.


That's a good point! I'll probably start with a blocklist.


Just keep in mind, that could block legit users who are outside the country. One case being someone traveling and wanting to buy something to deliver home. Another case being a non-resident wanting to buy something to send to family in the service zone.

I'm not saying don't block, just saying be aware of the unintended blocks and weigh them.


Also consider tourists outside of their home country. If, e.g., I'm in Indonesia when Black Friday hits and I'm trying to buy things back home and the site is blocked; shit. I mean, personally I can just use my house as a VPN exit node thanks to Tailscale, but most people aren't technical enough to do that.


Great comment - thank you.


Laws are not enforced by machines, but by humans.

The answer to all of those is "yes", and they will not bother to find them; they will ask you to list them. Omitting information or providing false information on your visa application is a felony.

It's the same logic as behind the "Are you a terrorist?" question. Lying is itself a crime, and can be used to prosecute you in the future.


I think the point of many of those questions/requirements is to ensure absolutely everyone can be prosecuted or deported, because it's basically impossible to complete the immigration process or just about any other complicated government process without doing something that could possibly be construed in the most uncharitable way as being answered incorrectly.


"You failed to tell us that you made a single post on an obscure forum 4.5 years ago that questioned if capitalism was truly a good system, have fun being deported to a random country, you communist"


I've quoted Marx on HN on more than one occasion. I'm not sure they'd like my social media profile, despite having also been consistent in arguing for liberal freedoms that the US used to like to claim to favour.

I've visited the US many times, but I have no intention of going back under the current regime.

I transited through China earlier this year, and I frankly felt less concerned doing that - despite having criticised the Chinese government online many times over the years - than I would feel about entering the US at this point.


Since when was any of this arbitrary stuff "law"? It's just rules the executive branch is making up.


You used to be asked "Are you a gunrunner?", we all had to lie about that.


Seems to be down...


It's a one-man search engine developed and hosted in the EU.

If you read his about page, it is basically an anti-centralization anti-ad anti-spyware attempt at websearch. It is also "The project is independent in that it has no loans, no investors looking for a payday, no strings attached anywhere to pressure it into doing anything than providing as much and as good internet search as it is capable of."

It not indexing NYT seems precisely on brand.


It does index bits of NYT, but coverage is pretty spotty outside of their archives. They put a lot of crawler countermeasures up on their main site (which I guess is fair, they have a business to run), but author biographies are generally accessible, including Ezra's[1].

Though since the search engine doesn't really apply much in terms of domain authority, this doesn't rank very highly, the websites that talk about Ezra Klein rank higher.

[1] https://marginalia-search.com/search?query=site%3Anytimes.co...


There is a middle ground there. I self-host, was not at all affected today, nor would I be if Google, MS, Cloudflare or any of the big ones go down. But I cannot easily access my server because it is locked in a datacenter 1000 km away.

But it is a bare metal server from Hetzner auction that I got for cheap and it now hosts an entire family&friends cloud for 10-ish people.

