[leononame]

Not that I'm a fan of it, but in corps it's pretty standard praxis to have a custom root cert installed on all devices and enforce VPN connections on devices outside the network to be able to MITM all requests and do stuff like content filtering (e.g. NSFW, swearwords and obviously malware). It's the company's device and they give it to you for work specific purpose, you shouldn't use it for personal stuff. I don't think it compares to an app that shadily installs its own root cert on an end user's device to spy on them.

[RowanH]

It's not corporate level it was/is religious group level (of which this particular org I'm guessing largely employed staff from that religion). They are well known within our country to be quite insular.

It certainly seemed for all intents and purposes if you were a member of _____ group (wider than the company) you had the vpn on your device, and it was filtering content. I've found other reports in other countries of that happening with the same group.

So it's not corporate content filtering, it's personal content filtering and our app got caught up in it (and approved).

It certainly made my skin crawl for anyone in that religion. That means the central filtering service could be reading messages. Not sure if they're that sophisticated but certainly they didn't want people to see random images/videos.

[leononame]

Is it like required from their religious leadership to install this? That is incredible, and I only now understand your comment to its full extent. That is brutal.

[ndriscoll]

This is one reason I think ECH is probably on net a bad idea. Content filtering is a legitimate use-case for lots of users/networks, and if traffic is completely opaque to all networks, you end up needing things like root level processes or full MITM or laws requiring ID for websites instead of more privacy-preserving inspection of basic metadata (like SNI) at the network level.

You could imagine a standard for a network to signal to a client that it does not allow certain privacy features like ECH, and then clients can accept that or not. Instead I expect browsers will eventually mandate ECH, so people will have to MITM instead.

[FergusArgyll]

Yes, this exists. There's more than one company you can choose. It's not 'forced' but strongly recommended. Also, my love for hacking started with getting around it...

[felsokning]

From the inference of the commenter, I think they were referring to an app on a mobile device and not the device itself.

It also sounds like their issue was at the ISP provider level, as well, which takes the business out of the loop of being the data controller/owner (of the collected data) at that point.

Note: I'm not saying that your comment doesn't have merit, I just don't think that the points that you made apply - specifically - in this case?

[leononame]

After re-reasing the comment I think you're right. I had a hard time grokking it it seems. But since the issue was apparently a VPN app installed on the phone, I don't know whether this was the ISP or maybe their IT service provider that did content filtering on behalf of the company (like an outsourced IT department?)

[RowanH]

The VPN (much like Meta's) is doing some root cert trickery to filter content that is deemed inappropriate or potentially inappropriate. This appeared to be controlled by a Company A in another country that undoubtedly contracted to Y religion to be their central point of content filtering globally.

So, member of the church? you get this VPN on your phone, (not sure whether phone was supplied by the church, but certainly this VPN was on it) VPN is effectively content filtering and blocking content.

I had our app whitelisted by that central company (literally raised a ticket with them, next day magically fixed).