May we then continue discussing E2EE in this thread?
Personally I donāt think there are cons to E2EE in the product unless itās negatively impacts the user experience or makes the product impossible to implement.
In my opinion the only reason not to implement it in a chat app (like but not limited to sphere) would be if you where planning on using the user generated content (another way of saying this would be āreading peopleās messagesā) or because you had the intention of complying with governement censorship.
1 Like
Of course. Indeed, I was talking about it up-thread:
There are some tough questions for us as a society, with no easy answers.
2 Likes
So in response to your question number 1ā¦
Under the āsnoopers charterā / Investigatory Powers Act 2016, ISPs are now required to store what websites were visited by an individual for one year, and the police/gov now have the power to request this data in bulk without any need to suspect of criminal wrongdoing, and have fairly wide-ranging powers allowing them to hack phones and computers, again without need for suspicion of criminality.
The collection of internet history appears to only be coming into force now, with many of the big ISPs involved.
I have been urging all my friends to install VPNs and obscure their browsing as much as possible so as to resist such mass surveillance without cause and avoid having a single profile drawn up and clearly linked to yourself.
So while I note your premise of appropriate oversight, such a reality is quickly disappearing, and therefore I think it is appropriate and in fact important that we have spaces which arenāt accessible at all.
Without a drastic shift in government policy, I believe things like this will only get worse. Itās much harder to restore a freedom that been lost.
I think thatās my answer to Q2 as well really. I donāt think we should ever make ourselves less secure.
The thing is, though, that Iām not particularly concerned about the gov doing itās thing.
I donāt like it either, but I can accept it, as long as there is oversight.
Companies doing the same is something that I am far more critical of, as they do it almost always for financial reason (even if they say they do it for security, most companies are only concerned about āsecurityā where it affects - directly or indirectly - their bottom line).
So, bottom line: Current government surveillance bothers me far less than surveillance by a commercial chat provider.
1 Like
So, my point is that there is very little oversight of the above-mentioned new powers.
And this gov appears to increasingly be doing things for financial gain too. Whoās gonna get the contract for sifting through all this surveillance data? Itās gonna be Palantir or their like, not civil servants on gov salaries.
So while Iām worried for very different reasons, I donāt quite see that reasoning standing up in the current climate.
You make a few really good points, but discussing government surveillance seems very off topic for this thread, so to avoid being told off again, Iāll shut up now.
This isnāt entirely true. Iām not totally clued into the laws here, but my isp do not do this. Itās primarily why I chose them.
https://www.aa.net.uk/broadband/real-internet/
We do not log which websites you visit (though the website administrator may). We donāt run any sort of transparent proxies or other systems to covertly log what you do on the internet, and do not sell data to anyone. We have no, so called, black boxes which monitor traffic for the government, or anyone else.
AFAIK this is just nonsense spouted by the VPN industry to scare people into subscribing, blissfully unaware that they too are defined as ISPs, and would need to comply in order to provide their service here. The law may allow the government to force ISPs to log this stuff, but as of yet, they donāt.
I know their are some court decisions that target specifically the big ISPs though, but I donāt recall them being related to logging data.
This has been an intense game with the government for about a decade now. The same proposed laws keep resurfacing under new names and we again push back. So far, theyāve been unsuccessful. Encryption is the only line of defence should they ever succeed.
This depends. A centralised surveillance tool will be a prime target for threat actors. I donāt trust our government to have the skills necessary to protect against them. Proper oversight is only half the battle.
Iām of the opinion that whatever compromises we make to security protocols, and in turn, privacy, the only people they will impact are us ordinary law abiding citizens. Weāll have less freedom. Criminals wonāt mind the extra little work to evade surveillance. And as long as mathematics is a thing, that will always be possible, regardless of any laws, and the criminals will use it no matter how illegal it is.
The proposed compromises always seem to be founded on the false dichotomy that criminals will cease to be criminals and follow the laws. They wonāt.
As such, I think itās unfair to assign accountability to the software engineers that build these tools to protect our privacy. Itās not their fault if a terrorist uses to plot an attack in secret. Without the tool, theyād have found another way, whilst the rest of us have zero privacy.
On the contrary, it ties very much into E2EE, and privacy in general. You canāt really discuss either in general terms without also discussing the potential threats surrounding their existence, or removal.
For as long as Sphere donāt have E2EE, theyāre very much a target for governments to go after for their data. And because itās not encrypted in a way where they donāt have the keys, they have no excuse not to hand it over.
2 Likes
Sorry, you are right that wasnāt totally correct. They can be required to do so for a period of 12 months at any time.
My second para did state that this appears to only be starting now, per the Wired story which broke today stating that a number of major ISPs ARE now being forced to do exactly this. And my view (and the view of Liberty, a major legal/human rights charity) is that this will only be the start, so while it may not be the case for yours today, it could be one day.
Re the VPN industry being treated the same, my understanding is that the Act requires local companies to break their encryption, but not foreign ones. So if your VPN provider was based outside the UK and stored their stuff appropriately, that would protect you.
And secondly, if you use a provider which doesnāt keep logs, then youāre safe anyway, as they canāt hand over what doesnāt exist. The power is to force ISPs (or CSPs as it is in the legislation) to retain and hand over data, so if you donāt have anything to retain, that saves you from having to hand over.
Completely agree with the entirety of the rest of your post.
1 Like
Since you are all discussing off topic stuff - lets see if Iāll get away with it this time:
3 Likes
Been catching up on some ISP related news over the past week, and one troubling article I stumbled across reminded me of this.
Troubling news. And if the government is hellbent on continuing to pursue this, then encryption is more important now than ever.
Edit: just realised the article @dwarf posted above this essentially discusses the same thing! Not sure how I missed that! 
1 Like
Been using VPNās since the snoopers charter has been a thing.
Sad reality about the current state of the UK, I honestly feel like tor is the future of the internet in the UK. Another why you can scupper the logging is to use DNS crypt, you can turn this on in both Firefox and Chrome. Donāt turn this on if you are a VPN user as it can cause IP address leaks.
Hopefully windows, linux and Mac OS start supporting this as system level and turn it on by default.
Why do you think every youtuber is sponsered by Nord VPN, I personally use PIA as they are the only VPN service to date to testify in court that they do not log user activity in court.
May ditch them due to their new british ownership by Kape.
After the way Nord handled the data breach, Iāll never trust them. I always found them Shady to begin with though. In fact most are shady, and itās a shame theyāre more trustworthy than most ISPs thanks to our government.
For now, I still feel safe enough with my current ISP. They care about this stuff deeply, and I trust them with my data. They also offer a free encrypted DNS service intended for their own customers, but anyone can use it. Platform support is limited though. Firefox support encrypted DNS though, and Apple are working on it.
Iāve only used two VPNs in my lifetime. Encrypt.me (formerly getcloak) was built by a few friends of mine, so naturally, I trusted it. The company has been bought and sold a few times since, so thatās no longer the case. VyprVPN is another Iāve used, namely because I just liked the old app and the fact they own all their hardware so they can better ensure integrity. Theyāre audited as a no logs VPN too. But draw your own conclusion from that.
TOR is an entirely different story. Great for anonymity. Bad for privacy, unless you can trust the exit node, but if you can trust the node, that may diminish the extent of your anonymity. TOR is a necessary tool though, but itās not designed to solve the problem people think it does.
Encryption is the most crucial tool when it comes to combatting this level of intrusion. The data is of no use if they canāt read it. This means we need to start encrypting the metadata too.
Edit: fixed a few typos
2 Likes
TOR is good for browsing news websites and things you donāt login to or browsing itās hidden services.
I wouldnāt use TOR for anything else due to the exit node problem. DNS over HTTPS being a option in browsers is a good start but should be enabled by default. (The UK goverment whined about this)
Iām not voting for these people again, whats worse labour is no better when it comes to online privacy.
1 Like
When it comes to the issue of privacy, thereās very little real choice for us in political affiliations. The two big parties have very clearly demonstrated that theyāre both in favour of censorship and surveillance.
Itās an issue Iāll never compromise on though, and it matters a great deal more to me than other political issues. I either vote green (they seem to oppose laws like the snoopers charter and I align with many of their other values) or abstain, to the fury of some of my friends at the last election because I *didnāt vote tactically and at least labour would have been better!*
I liked Jeremy Corbyn, but besides him, theyāre no different than the conservatives when it comes to issues that matter to me. Iāll digress though, I donāt like political discussions, and I donāt much care for politics.
I tactically voted for the conservative party due to my love of cars and nothing else. (disaster rural policies such as fuel duty increases and my employment being in online retail I canāt vote for a pro high street party)
Iām probally going to either spoil my ballot or vote for a independent as I refuse to vote labour.
I have labour voting parents who are super not happy I voted for the tories.
1 Like