This is possibly the most important and long-awaited tweet that I've ever composed.
On behalf of @Twitter, I am delighted to announce their new @TorProject onion service, at:
IN CASE YOU MISSED IT:
All of Apple, WhatsApp & Signal will be pulling their products out of the UK market because of proposed Government surveillance obligations.
Yes, really.
WOW:
- No Signal
- No WhatsApp
- No iMessage
- No Facetime
@jamesrbuk called it #internexit; the UK will be extraordinarily isolated from the rest of the internet.
IN CASE YOU MISSED IT:
The EU — in private — amended draft digital identity regulation to create a legally-mandated surveillance backdoor in HTTPS.
Over 300 academics & tech experts TODAY publish an open letter calling on the EU to fix this + follow web standards instead:
Hot on the heels of #ChatControl and in the name of “identity” and “consumer choice” the EU seeks the ability to undetectably spy on HTTPS communication; 300+ experts say “no” to #Article45 of #eIDAS #QWAC
"Oh, you're 'into crypto'? Cool! So am I, I got into crypto in 1991. DES optimisation through S-box inlining. Record-breaking stuff, and a slight frisson of illegality. Wait… what? What do you mean, 'investment'?"
@KatiePrice Katie, this proposal will cause grief & harm to innocent people who need anonymity to learn & communicate, whilst also driving abusers to just use VPNs to bypass restrictions, "show off" & abuse more. This won't fix the problem; it'll make matters worse.
@KatiePrice But Katie, this won't work — for instance #Facebook doesn't permit anonymity and yet there's plenty of bullying and abuse on there.
It turns out that some people are just horrid, and removing anonymity just means that people who need it (LGBTQ teens?) will lose it.
@profgalloway Hi! I am a former Facebook engineer who has worked on security, privacy safety and compliance issues for 30+ years.
Inhibiting anonymity / obligating use of real names, does little to inhibit abuse, but it DOES boost disenfranchisement & censorship of the poor & less able.
THIS is the most important thing I've read about #onlinesafety today: 99% of racist-abusive Twitter users were found to be identifiable, not "anonymous", trolls.
That anonymity is a "driver" is incorrect; we have a societal problem that people are content to be overtly racist.
Our data suggests that ID verification would have been unlikely to prevent the abuse from happening - as of the permanently suspended accounts, 99% of account owners were identifiable.
@KatiePrice Katie, your proposal is at 126k signatures, and you're talking about a real, social issue; but your proposal to "card everyone" will isolate teens, closeted LGBTQ people, & those without paperwork.
Surely you don't want that?
Plus: VPNs will defeat it. It won't stop abuse.
Cross-referencing @mjranum's recent post about using Google Maps to identify CIA "Black" sites in Djibouti, with the #Strava heat-map, appears to offer corroboration
PASSWORD SECURITY IS COUNTERINTUITIVE:
"Your password must be 8 characters & contain upper, lower, digit & punctuation characters" => "Your password is now 2.14x easier to guess via brute force."
Oh, this is glorious: pysaml2 library uses an `assert` statement to check & reject users who use the wrong password; however when running with the optimiser enabled, all assert statements are stripped…
so: anyone can log into anything with any password.
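The failure mode described in the tweet above, shown as an added example (not part of the original post, and not pysaml2's code): a constructed login check is compiled once normally and once at the optimisation level that `python -O` uses, with an explicit conditional alongside for comparison. All names and the sample password are assumptions made for illustration.

```python
# Constructed example: one login check written two ways. Not pysaml2's code.
SOURCE = '''
import hmac

STORED_PASSWORD = "correct horse"   # constructed sample credential

def login_with_assert(supplied):
    # The only gate is an assert; if it is stripped, control falls through.
    assert supplied == STORED_PASSWORD, "bad password"
    return True

def login_explicit(supplied):
    # An ordinary conditional survives every optimisation level.
    if not hmac.compare_digest(supplied.encode(), STORED_PASSWORD.encode()):
        raise PermissionError("bad password")
    return True
'''

def load(optimize):
    """Compile SOURCE the way the interpreter would at the given -O level."""
    namespace = {}
    code = compile(SOURCE, "<login_demo>", "exec", optimize=optimize)
    exec(code, namespace)
    return namespace

def attempt(func, password):
    """Return True if the login succeeded, False if it was rejected."""
    try:
        return func(password)
    except (AssertionError, PermissionError):
        return False

def run_demo():
    """Try a wrong password against both checks at both levels."""
    results = {}
    for level in (0, 1):          # 0 = plain `python`, 1 = `python -O`
        ns = load(level)
        results[level] = {
            "assert": attempt(ns["login_with_assert"], "wrong"),
            "explicit": attempt(ns["login_explicit"], "wrong"),
        }
    return results

if __name__ == "__main__":
    for level, outcome in run_demo().items():
        print(f"optimize={level}: wrong password accepted? {outcome}")
```
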
Regards #Article13, I wrote up a little command-line false-positive emulator; it tests 10 million events with a test (for copyrighted material, abusive material, whatever) that is 99.5% accurate, with a rate of 1-in-10,000 items actually being bad.
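The arithmetic behind the figures in the tweet above, as an added example (this is not the author's emulator): it computes the exact expected confusion matrix and checks it with a small seeded simulation. It assumes "99.5% accurate" applies equally to bad and good items; the function names are hypothetical.

```python
import random
from fractions import Fraction

def expected_counts(events, prevalence, accuracy):
    """Exact expected confusion matrix for a test that is right `accuracy`
    of the time on both bad and good items (an assumption of this example)."""
    bad = events * prevalence
    good = events - bad
    tp = bad * accuracy            # bad items correctly flagged
    fn = bad - tp                  # bad items missed
    fp = good * (1 - accuracy)     # good items wrongly flagged
    tn = good - fp
    return {"tp": tp, "fn": fn, "fp": fp, "tn": tn,
            "precision": tp / (tp + fp)}

def simulate(events, prevalence, accuracy, seed=0):
    """Monte Carlo version: draw each event, then draw the test's verdict."""
    rng = random.Random(seed)
    p_bad, p_right = float(prevalence), float(accuracy)
    tp = fp = fn = tn = 0
    for _ in range(events):
        is_bad = rng.random() < p_bad
        correct = rng.random() < p_right
        flagged = is_bad if correct else not is_bad
        if flagged and is_bad:
            tp += 1
        elif flagged:
            fp += 1
        elif is_bad:
            fn += 1
        else:
            tn += 1
    return {"tp": tp, "fn": fn, "fp": fp, "tn": tn,
            "precision": tp / (tp + fp) if tp + fp else 0.0}

# Figures quoted in the tweet: 10 million events, 1-in-10,000 bad, 99.5% accurate.
TWEET = dict(events=10_000_000, prevalence=Fraction(1, 10_000),
             accuracy=Fraction(995, 1000))

if __name__ == "__main__":
    exact = expected_counts(**TWEET)
    print({name: float(value) for name, value in exact.items()})
    print(simulate(200_000, TWEET["prevalence"], TWEET["accuracy"]))
```

Under that assumption, fewer than 2% of flagged items are actually bad, because the 49,995 expected false positives swamp the 995 true ones.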
@neerajarora Hey Neeraj! I don't know what planet you were orbiting around in 2014, but speaking as a Facebook engineer at that time, the notion that FB didn't then have a hugely bad "civil society" reputation back then is ludicrous.
Tech companies need to admit when they have done wrong.
Nobody knew in the beginning that Facebook would become a Frankenstein monster that devoured user data and spat out dirty money.
We didn’t either.
@OneNerdyOpinion This is an excellent short-term hack but you will need to get kitten food soon because cats need taurine because they can't synthesise it (a bit like us with vitamin c) and dog food does not necessarily contain it.
@CaseyNewton I deleted my previous tweet so that I can be more plain: this is a mind numbingly foolish, privacy-destroying, encryption-busting, innovation-killing proposal, dressed up in clothes of anti-monopoly.
If you want federation go use a federated protocol.
So it's 28 years after I published the "Crack" password cracker, and people are still trying to make the argument that "Access To 'Offensive' Security Tools Can And Should Be Restricted"
People: Stop it.
/cc @GossiTheDog @QW5kcmV3 @riskybusiness
"Tech companies should implement features that will give us control over our children's internet usage" — this won't work because children are advanced, persistent threats who are resident within the physical security perimeter.
They are hackers: #5rights
So the Information Commissioner's Office @ICOnews just slapped the Home Office @ukhomeoffice in the face, and all of the charities that the HO had co-opted, too, regarding #NoPlaceToHide:
I think I'll have a piece of cake with morning coffee.
@KatiePrice If some kid does not understand the world but wants to engage or ask questions without consequences, they need anonymity.
If someone wants to report abuse or whistleblow safely, they need anonymity.
Anonymity is not the problem. People are.
@profgalloway Also: the real reason (i.e. not the one that you cite) for anonymity and self-declared identity being so popular on social media sites, is that ANONYMITY IS THE DEFAULT ON THE INTERNET.
Summary
- PGP is not broken (except in architectural ways we already understand)
- nor is GPG
- install the inevitable software updates when they arrive
- try to stop using Email so much (because PGP is the only way to secure it)
- ignore the hype
- move on
#efail is hype
I am also honoured that they've chosen to adopt EOTK (the Enterprise Onion Toolkit) to power their onion platform, albeit with considerable though reasonable modification to meet their extraordinary production requirements:
The Twitter and Facebook Onion Sites, as well as others such as the New York Times, BBC, Deutsche Welle, Radio Free Europe and others, are documented on the #RealWorldOnionSites page at:
Britain as a nation state does not have leverage to tell the rest of the world how to write code, not for any excuse.
And, frankly, that is a net good for humanity, excuse the pun.
1/ THE MOST IMPORTANT information security discussion of the day will be about the publication of #BugsInOurPockets, a paper by the biggest names in encryption, regarding #ClientSideScanning and the likes of the @Apple #CSAM-detection proposal:
ICYMI: absolutely the most important story that broke overnight is that Apple apparently intend to launch a feature enabling image detection & government surveillance on everyone's iPhones in the name of child protection.
Apple are walking back privacy to enable 1984.
Whether they turn out to be right or wrong on that point hardly matters. This will break the dam — governments will demand it from everyone.
And by the time we find out it was a mistake, it will be way too late.
So why am I first(-ish?) to tweet about it?
From past experience with the Facebook and BBC Onion sites, any sufficiently large announcement leads to a load-spike, and given that @TwitterSafety has 3.6 million followers it would not be wise in a time of global crisis.
IN CASE YOU MISSED IT:
The EU — in private — amended draft digital identity regulation to create a legally-mandated surveillance backdoor in HTTPS.
Over 300 academics & tech experts YESTERDAY published an open letter calling on the EU to fix this + follow web standards instead:
BREAKING NEWS: Nate Cardozo, lawyer for @EFF, is joining @Facebook as "Privacy Policy Manager for WhatsApp" — awesome potential future for secure messaging and end-to-end encryption!
If you have not read the EU Council Legal Service opinion on the EU's #ChatControl proposal — their version of the #OnlineSafetyBill spyware clauses — you really should.
It is *damning* about EU/UK state anti-encryption proposals:
Extracts below; src:
When Signal and WhatsApp have fled the surveillance of the #OnlineSafetyBill, what app will still be around for politicians, journalists, and actual normal people to use, securely.
The answer might be this:
Oh, and "long-awaited"?
In 2014 I led the team which launched the @Facebook onion; there have been occasional conversations re: "an onion for Twitter" ever since. This is the result of many people's efforts, over years, and I'd like to thank them all for their perseverance.
This one is weird because it has perimeter security, but almost nobody goes into it wearing a fitbit / carrying a phone; perhaps _this_ is the CIA site?
Everyone should screenshot and archive this tweet — detailing government supporting the pervasive use of VPNs for liberty and good — because it will need to be rolled out as a counter argument in a few months when VPNs are used by teenagers to circumvent the #OnlineSafetyBill.
Latest Defence Intelligence update on the situation in Ukraine - 10 August 2023.
Find out more about Defence Intelligence's use of language:
🇺🇦 #StandWithUkraine 🇺🇦
@jamesrbuk Again, for emphasis, all of the people who are saying that WhatsApp (etc) must be terribly profitable don't realise that the messaging services are largely loss-leaders.
Abandoning the UK will save them money.
@OwsWills @BBCLeeds This is awesome, but I cannot help thinking that it would have been great to have this level of questioning and pursuit of accountability, for the whole period from early 2016 to the present day.
Backplot: my "goodbye" posting to Facebook was in significant part in response to this work by @boztank, and subsequently garnered considerable support from Facebook's under-represented Engineering community, who genuinely do care about user privacy:
THIS ARTICLE BY @emptywheel IS THE NEXT BIG BATTLEGROUND
It's what ALL governments fear: legal opinion that if a platform does not have access to message plaintext, it cannot be coerced to provide it.
In this case though, it's #Section702 & the USA
@tim As Paul notes: this is not a victory, this is merely hope; and in a sense we will have to defend Apple who will doubtless be criticised from some quarters, for their taking extra time to consider the consequences of their original plan.
This is deeply bizarre of @FrancesHaugen - she is arguing that if Facebook willingly surrenders its ability to spy on user content — including on behalf of, say, the Chinese Government — then it cannot protect those users *FROM* the Chinese Government.
Oh god, here we go again:
- no user serviceable parts inside
- you don't ever need to edit URLs
- no, really, we have the numbers
- well, you're not normal
- trust us, the web is too complex
- trust us to tell you that you're safe
- trust google
URLs aren't usable, but people are forced to rely on them for so much -- browsing, security, sharing. Expect to see changes to how Chrome displays identity in the coming year.
@emschec @estark37
@neerajarora By that time the criticism had been sedimented for several years, so much so that it was considered more amazing when the company did anything "good"; but all this seems part of getting people to read Deepa's article about your startup, I guess?
Here’s my story about @halloapp, a startup cofounded ex WhatsApp execs including @neerajarora, and how the service represents a new way of thinking about social media: smaller, fewer features, & a lot more friction.
@KatiePrice I remember the bullies at school who were up close and personal - I knew exactly who they were, and it did not stop it.
We must not ban anonymity, it is the wrong solution for the problem, doing so would achieve nothing and leave politicians complacent that the matter is sorted.
Major props to @wcathcart and @whatsapp.
Journalists covering this should take time and steps to explain that "weakening security" includes (e.g.) leaving the encryption unchanged and instead adding content-scanning software to the app.
@mikko Google annual revenue* = $110bn
Userbase =~ 2.1bn (same as Facebook, no quick source to hand)
Your data is worth $52.38/year / about $1 per week, to Google.
*
DEAR PEOPLE WHO HAVE BRED: on a scale of 1..10, how good are your kids at bypassing parental controls and age restrictions on internet services / apps / websites?
I'll be blunt: I love @ProPublica, they have some great people, do some great reporting, they have an Onion Site even…
But this article by them is egregious, insinuating clickbait which harms the cause of end-to-end encryption, and it even admits it: