[izzydata]

I assume this is just a police state overreach rather than genuine intent to stop crime. They must know that anyone actually engaging in criminal activity is going to not be caught by this because they use other forms of encrypted communication.

[philipallstar]

Continent-wide police overreach.

[bccdee]

It'd be extremely easy to circumvent, too. Since the scanning runs client-side on images uploaded into the messenger, you just need an app to mangle and unmangle images. XOR the pixels in your payload with a picture of static, then do it again on the other side.

It does not need to be particularly secure—the messages are still E2E encrypted so long as nothing trips the client-side scanner.

[k7sune]

I suppose by XOR the payload the image size will multiply many times because no compression, whether lossy or lossless, will be possible.

[bccdee]

Or transform the bytes of the compressed image file into pixels and send that. That'll be incompressible, but the file size should be similar.

[myrmidon]

I'm not saying that this is NOT police state overreach, but the assumption that all (or even most) criminals practice good operational security still seems laughable to me.

I think you are letting your ideological alignment (against surveillance state) push you into irrational standpoints ("more surveillance would not catch additional criminals").

I'm 100% with you on opposing legislation like this, but it is very important to not delude oneself about its likely effects, and to pick the right hills to die on, figuratively speaking.

[p0w3n3d]

They meant, I assume, that it's the same as gun control laws. You have to prove your permission, you have to show your id, you gave to have a gun that is registered, however unidentified gangsters are running right now with unregistered guns and shooting people.

[potato3732842]

And then they go and catch the people who didn't do that stupid process and act as though they caught "real criminals" when they only really caught "fake criminals" that they just minted.

You see this all the time with all sorts of areas of law, not just guns. The real evil-doers are the enablers cheering it on. "Well they didn't have a permit so they deserved it" and the like.

[IncreasePosts]

I've always thought we're actually very lucky that terrorists tend to be idiots.

[shadowgovt]

I'm reminded of the story of the bombing attempt that failed because two cells miscommunicated on timezone.

The bomb was handed off across a political boundary and detonated at some arbitrary point on the way to its target, an hour earlier than expected.

(And then there was the one in France, where a cellphone-triggered bomb detonated prematurely and eliminated its builders because the mobile carrier they were using sent a "HAPPY NEW YEAR" SMS to every customer).

[shadowgovt]

We in infosec are often trained to imagine the ideal "adverse actor" who could do the most possible damage to our systems to test their vulnerability.

It's a good model for identifying and closing gaps (especially if one is not, oneself, prone to think like a criminal), but like all other human population groups, half of all criminals are below average.

[tolmasky]

I think the slightly more sophisticated position is that, regardless of the operational security that is currently employed, if you were to implement something like this, then criminals would quickly adapt to improve their operational security accordingly. Especially because "operational security" in this case is doing a lot of heavy lifting to obscure how easy it would be: just use a good E2E messenger.

This is not some wild hypothetical, the recent explosion in VPN use by every country that has implemented an age restriction law should be sufficient to display this effect in place. In a world without weird country restrictions (whether that be intellectual property restrictions or content restrictions), VPNs would be a niche technology for business. Instead unbelievably large amounts of the general population are now not only using it, but paying for it.

I think the assumption that criminals would not learn how to use one of the many free E2E encrypted messengers is the deluded and naive position.

[loeg]

Criminals aren't very smart and don't think about their actions or the consequences very much.

[bccdee]

That's not true. You're stereotyping criminals. People who commit assault, petty robbery, public indecency, etc. are probably on the whole not brilliant. But how about fraud, embezzlement, or parking infractions?

Given that we're talking about cybercrime here, what are the odds that the criminals in question are too dumb to Google "how can i get around whatsapp image scanning"?

[loeg]

It's a general statement; there is always individual variation. It is also generally true of fraudsters and cybercriminals.

[izzydata]

I hear this a lot, but I wonder if that is just because the only criminals you hear about are the not very smart ones doing crime on unencrypted monitored services. This sounds like a survivor bias situation. How can we know how many criminals there are if we only know about the ones we know about?

[IshKebab]

> you were to implement something like this, then criminals would quickly adapt to improve their operational security accordingly

This just isn't the case. Many criminals use non-encrypted phone calls, leave voice mails, etc. all the time. For example this recent theft of a gold toilet:

https://www.bbc.co.uk/news/articles/cgeg39vr3j3o

> A photograph found by police on his phone showed a carrier bag stuffed with cash, which was sent on WhatsApp with the message "520,000 ha ha ha".

The only reason that was E2E encrypted is because everyone in the UK uses WhatsApp and they enable E2E encryption by default.

> I think the assumption that criminals would not learn how to use one of the many free E2E encrypted messengers is the deluded and naive position.

It absolutely isn't. Some would, but the vast majority of criminals are not security experts.

It's still a dumb law. Also the criminals that it claims to target (paedophiles) are probably the least likely to get caught because they're already used to lots of electronic scanning things. Though even there it's not like they're all criminal masterminds. I can't find it now but there was recently a story about a someone who tried to hide child porn just in a deep folder structure like .../secret/do_not_open/i_warned_you/...

Dumb law, but lets use real reasons to argue that.