I am very pleased to see that the _current_ administration came to their senses and listened to reason. However, this is a fight i am afraid we will always have to fight over and over again unless right to encryption is codified in EU constitution or a similar document.
Article 7 of the Charter of Fundamental Rights, which was adopted with the Lisbon treaty, reads (in its entirety):
"Everyone has the right to respect for his or her private and family life, home and communications."
On the short term a change to the treaties of the Union is not realistic, in my opinion. So I am afraid we might be stuck with having "to fight over and over again", using the above as a foundation. I guess I think of it as educating the politicians.
Fortunately the pro-privacy voices in the EU seem loud enough. For example, in this case the Belgian national privacy authority had already complained about the proposed law. And Germany seems to have adopted the right to encryption in its latest coalition agreement.
Yes, but this article of the Charter (and other laws) does not prevent lawful interception.
This is the crux of the issue: the so-called "pro-privacy" camp wants absolute privacy of communications.
Law enforcement and intelligence services are not against privacy, they are against systems that provide absolute privacy because these systems prevent even lawful interception.
Voice calls on your smartphone are private but may be lawfully intercepted. This is so because mobile networks are in the hands a few licensed and heavily policed operators. On the other hands, we've reached a point where it is simple to develop and publish software apps that allow anyone to communicate in a way that is impossible to intercept as far as we know.
This is not a simple issue. There is a valid concern but at the same time the potential ways to address it (e.g. backdoors, etc) are not very satisfactory.
The problem with "lawful"-whatever is that the lower the apparent impact on the target, the wider the net that is thrown. So the tool ends up having an outsized impact on the innocent rather than the guilty. Unlike the lawful use of a firearm by law enforcement officers, lawful decryption of data when an innocent person is targeted is a "safe", "victimless" abuse.
Imagine the uproar if a person being shot and killed during a court approved raid turns out to be completely innocent. Now imagine the silence when the same person just has their private chats or nude pics decrypted and seen by investigators.
There's no such thing as kind of private. Either you cannot decrypt private citizen communications or you can. And if you can for any reason you also can for no reason at all.
> Law enforcement and intelligence services are not against privacy
Name a LE or IS that hasn't repeatedly been caught doing surveillance for personal or political reasons and we'll talk.
In the US at least, they keep telling us that there are many cases that they thwart that they can't tell us about. However, we do see lots of "known wolf" attacks and shit-shows like Epstein.
It should be as hard as humanly possible for them to intercept anything. They cannot be trusted with that power. They should have to literally move mountains in order to do it.
> I guess I think of it as educating the politicians.
What about the other way around? What makes you think it's not police hackers who value privacy just like us, and who strive to protect us, who requested this to politicians? That seems more likely.
Encryption is necessary for the entire modern economy, but also worthless when keystrokes can be remote-sensed, faces and other biometrics generated by the same AI that scan for them, and displays can be Van Eck phreaked.
Our near-term future has both unbreakable encryption and omniscient surveillance in the hands of low-budget and non-technical people, and in a fight between the two, surveillance wins.
I don’t know where the world goes from here, but I’m confident the status quo won’t be for much longer.
Faces and biometrics are finding a formidable opponent in one of the positive externalities of COVID:
Masking.
Masking has effectively been normalized in the western world thanks to COVID. Masking is a huge win for a free society. Before COVID, it was actually illegal to hide your face in some US States and many countries [1]
Mask + sunglasses, and you should be effectively anonymous in public.
Yeah, I feel like people either overlook or underestimate the uniqueness of a person's gait. I feel the only issue with it is collecting the information on it, as it requires more than just a picture.
Sure, if you change the rocks daily, while wearing a mask, and having sunglasses on. However, the context was around how mask wearing and eye covering is fairly normalized at the moment, not about how people started enjoying putting rocks in their shoes.
Still a bit more difficult to implement than facial recognition, which is now trivial to set up with AWS Rekognition. Even Photoprism does a great job.
Facial recognition for bucketing photos is much easier than for biometric security. Both might still be easy these days (I wouldn’t know, I am not as in the loop for AI as I’d like to be), but the former was good enough at least a decade before people seriously used the latter.
Would something like gait be easy to fake - just being aware of how you walk... Putting a thumbtack in your right foot, or something along those lines?
It's interesting how the most apparently compelling arguments that were made against people wearing masks turn out to be false in practice. I can think of two categories:
1) the claim that the wearing of masks would impede law enforcement, including the passing of statues especially against masks on demonstrations
2) the claim that Muslim women wearing full religious head coverings could not be tolerated in public spaces because it was obvious that it would make it impossible to judge the mood or other psychologically important signals normally exchanged in public
None of this seems to have been true. Sure, there probably is some small validity to some aspects of those claims, but they seem to have been hugely exaggerated.
Finally someone brings this up. Here in Belgium the rules around Islamic headdress were addresses by a law that says nobody can cover their face in public except during carnival and when riding a motorbike (full face helmet), thereby avoiding any explicit references to religion (unlike in France where it caused a sh*tstorm)
I was waiting for the anti mask crowd to challenge mask wearing in court by citing this law.
No idea if it's been amended or not. But it definitely used to be illegal to cover one's face.
Indeed, you would need a rootkit in each target, logging and transmitting the keys. Something like a proprietary instant messaging client or keyboard application.
Remote sensing in this case is listening to the individual sound a key makes when pressed by the victim, and wear on the keys means that frequently used keys (such as 'e' or the space bar) would make a slightly different sound than the other keys, as does the hand/finger position used to press a key.
But you don't need that, you'd only get too much information you don't need. You need to intercept suspect network traffic only, otherwise you're most likely to fail to find anything useful at all.
Is Van Eck phreaking really a concern since moving from CRT? I know there is a paper showing it was possible for CRT but it seems impossible now. It would be easier to install a custom cable to wirelessly send the display currently.
The above applies to every single country in the planet. Time for all companies to stop providing online services anywhere period?
We need actual workable ideas, not empty statements. It is frustrating that this fight doesn't end. If you have real suggestions, I'd like to hear them.
Which country is that? You probably haven't dug deep. If you live anywhere in north america, the EEA, china, russia, india or australia, then I'm aware of such efforts and I don't exactly follow this closely. I just live in Belgium...
I'm Czech. I'm really not aware of any "efforts to ban encryption", and given our history with the StB (https://en.wikipedia.org/wiki/StB), local population really wouldn't react well to that. I just don't see any possible parliament composition willing to pass a law along any such lines.
You're affected by EU-wide encryption-related laws and discussions. The EU is less insane than the US on that front, but issues like this still appear once in a while, and have to regularly be defeated…
As I said, the chances of anything like this being adopted on a national level are virtually zero. Good luck to any such directive coming from Brussels. Hell, I wonder if this couldn't trigger yet another constitutional amendment like the last one if it comes to that.
Even constitutions only offer very limited protection. There was a recent case in Germany where the government simply ignored the ruling of the supreme court (Federal Constitutional Court). And keep in mind that this is the government with leading influence on the EU. I don't know about everywhere else but at least in Europe rule of law isn't as strong as people assume.
The US constitution also offers limited protection - it's subject to interpretation by judges, and re-interpretation by a growing body of people who think that it "needs to be updated" and "is a living document" and "is not absolute". Your fight for your rights will never end, as evil people will always be elected to office. Just because your officials are not literally Hitler doesn't mean that they won't be trying to infringe upon your rights.
Since you (or realistically anyone) downvoted me rather than engaging, i feel like I should elaborate.
Our modern understanding of rights is not wholesale received from the time that the constitution was written. The concept itself has evolved over time into what you cherish now. 200 years ago, the constitutional protections one received were far more limited than they are now.
Agreed, I think we need to change the narrative to get the politicians to "get it". Instead of all the talk about protecting us from __________ (random evil), we need to highlight the consequence of these plans. We need journalists to ask politicians to hand over their unlocked phones with the "promise" that they won't share anything they learn. That is what these backdoors would enable. We need to make them understand the downside because all "save the kids" will always have public support.
I don't think encryption backdoors will ever be enforceable, even if it becomes a legal requirement. What's to stop someone from just doing it anyway if we use protocols that allow for plausible deniability?
Wouldn't a company such as WhatsApp (Facebook) drop the Belgian user base in a heartbeat if they would actually be confronted with a law like this? My guess is they would much rather lose a few million users than having to deal with the bad publicity and the intrusive technical challenges that come with a requirement such as this.
I totally agree that it's probably worthwhile to implement some country specific logic for a user base of that size and ad revenue per user. But specifically with regards to this, I really can't imagine they would agree to do this. Suppose they do, it's probably not a bad guess that they would lose more users globally due to the bad publicity it would generate than they would lose by cutting off Belgium.
On the technical front, your examples are good and valid, but they seem like features that are pretty straight forward to feature flag per country. Something like disabling end-to-end encryption looks a lot more intrusive to me (without being a subject matter, feel free to correct me). Whatever WhatsApp built, they built it to enable end-to-end encryption on a global scale, to enable anyone from around the globe to send an encrypted message around the globe. Poking a hole in that seems non-trivial.
As a Belgian I guesstimate that WhatsApp has more than 80% of IM market share here.
> it's probably not a bad guess that they would lose more users globally due to the bad publicity it would generate than they would lose by cutting off Belgium.
But this is what all the tech companies do in China.
I don't think its hard to "defend" complying with the Belgian government that faces a terrorist network and drug cartel problem bigger than any other 1st world country (in relative terms).
> Poking a hole in that seems non-trivial.
They operated without E2E for many years though. I doubt that non-encrypted chat is even revoked.
And even if they pulled, there's many alternatives available. It's not like Belgium is worried about Meta's revenue.
Meta doesn't operate in China though, for not wanting to comply with their requirements of state-controlled censorship. I could see them applying similar reasoning here on principle (my god, I just used 'Meta' and 'principle' in the same sentence, I must be high). Another tech company might jump in that hole of course.
With regards to E2E, I wonder how it would work when you want to chat with someone outside Belgium though. If I'm the person outside Belgium, I wouldn't want E2E to be disabled just like that. And if WhatsApp can only be used between Belgians, that's quite a hinderance.
Belgium doesn't care about Meta revenue and rightly so, but if a law would be the reason that Meta pulls the plug on Belgium, that seems like a cause for a possible serious political backlash.
I wouldn't give FB/Meta _too_ much credit. I'm pretty sure they would comply with China's regulations if they were able to. It seems much more likely that FB cannot effectively moderate the amount of content people post and cannot comply.
For your second point, to me that's the same kind of feature work GP was talking about: Just add a little UI that says "Hey, you're speaking with someone in a country that doesn't support encryption. Your messages are unencrypted".
Also agreeing with GP, screw Meta! As a Belgian I could care less about one company when it comes to the rights and laws of my country. They can definitely make suggestions like everyone else, but they also need to follow each country's laws like everyone else.
Meanwhile there's a high likelihood that there's a backdoor in the Intel processors (and maybe now also AMD ones ?) that was put there by the NSA... and hardy anyone seems to care ?
Those MINIX cores have been a subject of scrutiny for many years, just not by the people who you'd encounter in your day-to-day. There are definitely people who care, but they've basically started waving the white flag at this point. Pretty much every modern CPU (as well as the software running on it) has some degree of government oversight/intervention, trying to circumvent it is a hobbyist effort, and an often unsuccessful one at that.
"Hardly anyone cares because it is mostly schizo people who fall for these conspiracy theories."*
I can't appreciate the slur against people with schizophrenia. In addition to that, it feels like you would say the same about NSA spying before the Snowden revelations.
Although I do wonder, if there was a backdoor in intel processors for the law enforcement to access, would you support it?
I can't prove it. But Intel has gone on record stating there is no backdoor. People who have reverse engineered it have not stated there is a backdoor.
>* It was open source.
You could say the name thing about Windows. People and business have reasons why they want to restrict access to the source come.
>* It could be disabled.
The ME is required for your computer to properly boot. If it was disabled, then your computer wouldn't work.
>* NSA hadn't requested from intel for their own undocumented way to disable ME.
The government can be overly paranoid. Just look at the procedures they have had for disposing harddrives when simply zeroing the drive was enough.
>linked vulnerability
That vulnerability required someone to have physical access to your machine no they could attach a flasher to it. Once an attacker has physical access to your machine most people would consider this game over. That vulnerability was not remotely executable.
>In addition to that, it feels like you would say the same about NSA spying before the Snowden revelations.
I don't know enough about the Snowden revelations to answer this.
>if there was a backdoor in intel processors for the law enforcement to access, would you support it?
If access could be implemented in a secure way and it required a warrant then yes I would support it. It would be a better alternative than someone breaking down your door to physically take your computer leaving you without one for months or never being able to retrieve it.
I would suggest not using slurs and claim that people who think otherwise are schizophrenic then.
"But Intel has gone on record stating there is no backdoor"
It would not be much of a backdoor if they said otherwise.
"People who have reverse engineered it have not stated there is a backdoor."
I am curious about that. Got a link?
"The government can be overly paranoid."
No reason for civilians not to be as paranoid.
"People and business have reasons why they want to restrict access to the source come."
Obviously, one of them is hiding backdoors. Not saying that closed source software has to be backdoored, it just does not raise confidence.
"It would be a better alternative than someone breaking down your door"
Why not let the government have a master-key of every door then? Sounds like a solution in similar spirit.
"If access could be implemented in a secure way and it required a warrant"
Got any technical suggestion regarding its implementation? How would you make sure that a warrant would be required and that the private key would not leak?
>I would suggest not using slurs and claim that people who think otherwise are schizophrenic then.
I'm not sure what you expect from me. I similarly can't prove that almost every piece of hardware and software isn't backdoored, but it would be silly to think that it all is especially if you have experience designing hardware or software products.
At least the people who do talk to me about being afraid of the ME often are overly paranoid and don't have a good understanding of hardware / software. These people often think ARM's TrustZone is an equivalent to ME.
>It would not be much of a backdoor if they said otherwise.
Intel is kind of in an impossible situation then. They can't prove there is no backdoor because it wouldn't be much of a backdoor if they showed you. You have to trust Intel that they are developing a secure product. It is Intel's best interest to develop a secure product.
>I am curious about that. Got a link?
I can't link to something that doesn't exist, but there have been a few people / teams who have attempted reversing it which you can find by googling.
>No reason for civilians not to be as paranoid.
Sure people can be paranoid, but it can get in the way of them living their life.
>Why not let the government have a master-key of every door then?
This seems like a logistical nightmare, but something similar already exists for emergency purposes such as for fire fighters.
>Got any technical suggestion regarding its implementation?
People who sign warrants have a hardware device which holds their private key. If this device gets lost or stolen the key can be invalidated. The private key wouldn't leak because you can't access the key itself. The hardware device could potentially also have a rate limit like 100 machines per day to limit abuse.
They fought against a law and changed one article. "They fought" but there were many others in that fight. The article is very poorly worded, I guess they contributed to a change in the law but not repealed the law (like the title suggests) and they were not the major contributor. They need a better writer.
Well tutanota is a small company with around two handful employees afaik, I'd assume their budget for maintaining their blog is very limited. Obviously they use their own media channels to portrait themselves as positive as possible, nothing wrong with that in my eyes. It's not that they were spreading any lies or so
Not to downplay this result, after all this was achieved in Belgium, home of Brussels & EU institutions, which probably have great influence over local politics. However it's still sad that we have to celebrate such small victories and we're not fighting towards establishing law that promote positive rights towards protecting privacy both against private and public entities.
We're on the back foot here, and the general public is not even aware of this.I used to think this was about technological literacy but i don't think that's the case: most people don't know what's going on, they don't necessarily care how it happens, they just need to know the end "result", which they don't.Another issue is "law language" being hard to swallow, and politicians can always wrap this language as a candy and pretend it's to : protect the children, against terrorism, or some other minuscule reason that won't justify the abuse and also logistically can't be enforced in an online medium.
We see new technologies emerge that make our day jobs easier as they get more and more automated.
I understand the desire of people in gov agencies to have more access to backdoors than they currently have, but think for a moment the risks that such powers pose to the public when the government itself turns authoritarian.
Unthinkable in our current climate, maybe. To the left and right of you -- at the NSA or FBI -- everyone is a non-partisan patriot who wants a color blind utopia of freedom and democracy.
I would argue two points: (1) That an apparratus has already been built that is beyond the wildest dreams of prior authoritarian states. (2) Democracies are historically rare and notoriously short lived. They do not last.
With points (1) & (2), we can conclude thus that the powers of such government agencies WILL one day be used by an authoritarian regime. It is a question of when, not if. Let us not build the authoritarian tools so as to not tempt a future would-be tyrant.
The condition upon which God hath given liberty to man is eternal vigilance...
I disagree, I only master French democracy, and of that one I can say it is irreversible. As such, I disagree with your conclusion, even more so when it boils down to "let's leave some criminals running around just in case one day our democracy turns into an authoritarian regime like in scifi".
I am affected by the damage caused in the present reality, not by hypothetical damage in an highly unlikely reality, as such, I base my political opinion on facts that happen in the present, factual reality.
I admire your enthusiasm and conviction. I do not doubt that you and your pro-democracy patriotic brothers and sisters at what ever group are probably the right people for the job, currently.
In the United States presently, I am concerned about the health of democracy itself. I assume authoritarian forces from abroad (RU / NK / CN / Iran / others) are abusing our open social media networks to radicalize the public. The infection here is to a point where a very small minority of people even understand there is an infection -- most people don't look at problems from this sort of meta perspective, and they instead hail from either side of the divide, and are begging for a one-party takeover of the system.
I do not see the 1337 folks doing much to fix this. Going to hack some routers, spoof some DNS, send people firmware viruses, break their servers, collect information? That doesn't fix it. Authoritarian attacks on the American mind are mostly succeeding and this is blatantly evidenced by the radicalism that is becoming so popular in our politics.
If it can happen here, it can happen in France. I'm wondering if the only remedy is a government firewall of social media / comment sections / etc to keep conversations limited to real citizens, rather than foreign information warriors.
If a foreigner has an argument I believe we want to ear it, maybe we refutate it, maybe it improves our understanding.
It is happening here in France, the woke totalitarism has penetrated our universities, we're removing statues too, and soon will also be burning books just like on the other side of the Atlantic ... Unless next elections put a stop to that.
Western governments have not yet fully acknowledged the fact that the strategy of seducing totalitarian regimes like Russia and China with peaceful economic progress has failed. The awakening on this is extremely slow.
Our 1337 have been, on the whole, too arrogant to acknowledge that the status quo of how they operate to preserve democracy has failed in that it is not enough and Democracy is currently receding and morale is at an all-time low.
If the civilization we were born to love and defend is to survive, then it must adapt to the current threats and quickly. Our adversaries are back and more powerful than they ever were. It is time we end the drunken holiday of the 1990s and bring back the creativity of McCarthyism and such.
McCarthyism was after people with an opinion, I don't believe that's a good thing and that it's going to happen again in western countries.
The current threat here is a rise of criminality, having more evidence would secure more people, this bill was actually a try to "adapt to the current threats".
It's like if you're asking "what would prevent us from burning heretics alive again" or "what would prevent us from going back into the middle age again", or even "what would prevent us from buying slaves again". I'm not an expert of McCarthyism, I'm not even American and as such have not studied it a lot (barely read a wikipedia article about it and a couple of movies), I'd be more confortable answering "what would prevent us from going back into nazism"? Because I could there build an answer based on the current state construct and history.
But, I wouldn't construct my answer about "one thing specifically", instead, on a whole context of things, such as: evolution, experience, education...
It's a vague but extremely interesting question, I'm sorry I'm too tired to disgress as much as I'd love to but I suppose my answer would boil down to "we've made a long road since McCarthyism, we've learned to appreciate confronting ideas", it would be constructed about exactly why it's important to study history, keep a memory, and keep debating so that every single argument can be studied and refutated by anyone.
Again, I'm not fearing hypothetical realities that look like scifi, but instead, I'm trying to solve problems we actually have right here in our shared present reality, such as criminality. It's fine if you don't want to help me, that doesn't make you a criminal, but it would be great if someone like you with your talent would like to help.
But are you really off-topic or are you actually much deeply in topic?
After all, why wouldn't it be the case here: making our own states weaker because "we the public will not negociate our privacy!" ? Is the public in question, strongly expressing their opinion here, really going to benefit from having a weaker state ? Is there no limit about how weak we want our state ? At what point does it starts benefiting forces which are hostile to our civilisation ? Has it even started already ? I think I figured your answer to that last one!
What makes our state weaker is not this public, it's whatever forces weaponizing this public against our states, and indeed I'm aware about them, but the public is in the middle, we must win with arguments, by talking about reality, I beleive that's how we can wake up and face reality and actually debate solutions instead of hiding behind distopian scifi scenarios like we are doing here.
You could start with explaining what exactly do you mean by "totalitarian", and how comes you don't consider totalitarian the country with world's highest incarceration rate, world's largest army, and world's largest civilian death toll.
I'm always truthful unless I'm saying something so stupid that I'm expecting nobody to take it seriously ... which is pretty french, irony is a bet you take on your audience's intelligence, that does not always go as planned as you might notice in a comment ...
Long live Canada! Or Quebec whatever side you're on xD
If the "forced companies to decrypt encrypted data upon request" required companies to store all encrypted transmissions and have some way to decrypt it, it's effectively the same thing as banning encryption. It's a forced backdoor. Though, I'm not familiar enough with this law to know if this was the intent.
All electronic communication means essentially any words going over the internet. All transmissions would have to be stored in a form where they could be decrypted by someone other than the end users. The law wasn’t saying “You have to be able to flip a switch on a person, and all things they send from that point on must be able to be decrypted”, it was saying “All communication must be able to be decrypted whenever the government asks you for it.” All information being stored in a way that is meant to be decrypted for government use means the encryption is inherently untrustworthy.
The law was maybe saying that, but that doesn't change what I'm saying. Which boils down to "I disagree with the response we have given, we should have been negociating rather than just saying no". Should I go ahead with a disclamer that says which open source encryption products used by governments that I'm involved into? Not sure, my point is: we have their attention, why use it to just say no when we could negociate and make outdoors security a feature in addition too online security.
You keep making this point across the thread about actual harm being invoked. The tools available to governments today should be sufficient to stop a number of crimes. Yet time and time again we see that increased surveillance doesn't really correlate to the elimination of crime.
Why not push this energy into making your government agencies more efficient with what resources they have? The UK has tons of CC TVs in public -- still seems to have a high issue with shoplifting, pickpocketing, and other crime in public places.
Doesn't it alarm you to keep giving an inefficient potentially malicious actor more tools it can abuse?
But that's fine because they are "defending our privacy" ?
Or, do you want to try to make another suggestion ?
Meanwhile, criminality is thriving and we are powerless against it. Maybe we should try planting more trees and developing more socio cultural activities ?
Anyway, shouldn't you be against CCTVs because "if the state can see them streams then it means a hacker can see them too" ? I mean, I think that's the whole point being made here against this bill.
The problem with banning encryption or e2e encryption is that it doesn’t solve anything. Criminals/terrorists will move to a chat app/service that offers e2e encryption no matter if it’s legal or not. It just means that the major players such as facebook, microsoft, google, apple etc can’t offer it so the only one left hanging is the law abiding masses.
A democratic state is elected by the majority, as such, the state should share the same definition as the majority. That's the deal we're taking when we decide to live in a democracy: that we will abide by the law of the majority. This doesn't mean we have to agree: it means we have to convince the majority if we want a change.
But a state that can't defend the majority because of an open letter signed by a hundred crypto anarchists seems pretty bad to have indeed!
"The majority" doesn't want exactly the same things, they agreed on some thing or two that was prioritary and deserved the vote."
I agree, so I presume that you retract the following?: "A democratic state is elected by the majority, as such, the state should share the same definition as the majority."
Often only a relative majority (higher than any other party but can still be <50%) is needed.
"That is simply not true, the majority just wants that puberty blockers don't be provided to children."
Are you claiming that 100 years ago (and even now in some countries) there wasn't/isn't a majority of people that desires this or other immoral things?
"Didn't understand your last point sorry (non native)"
No worries. I am saying that this law being removed benefits the majority as their communications will be safer.
I don't think I need to retract it because I don't think it's incompatible. I'm positive people won't vote for a party that makes them illegal unless they have decided to change.
Relative majority is still majority, >50% of casted votes gets you elected.
50 years ago, the left was all over the place advocating for pedophilia, and here they are today, advocating for privacy of pedophiles and other criminals because they are scared to compromise their own.
My communications will be safer but my streets won't, and I don't only live online.
> A democratic state is elected by the majority, as such, the state should share the same definition as the majority.
This is trivially falsifiable. Weed is still a federal felony, despite 60% support for recreational & medical use, and another 31% support for medical alone[0]. In fact opposition for legalization is now a trivial 8% of the population, which is basically nobody. There isn't even a party with majority support for keeping weed illegal anymore.
If democratically elected states were guaranteed to eventually share the same definition as the majority, weed would have been legalized years ago for medical use. And yet, here we are.
Well of course I'm engaged against shit countries like that, so obviously my answer is no: I do not want our companies to comply with them. But I want our companies to comply with us, and make, not only online security, but also outdoors security, a feature.
You seem to agree there is some moral underpinning of the law - that simply because the law exists does not make the law moral.
One of the hot topics currently is Anti-money laundering laws, AML. This is why large transactions are reported to government agencies, why you need proof of identity to do banking, etc.
The flip side is that this makes it hard for refugees to get bank accounts. It means large donations to activists are recorded by the government. It means the government knows in great detail how you spend your money and that data is shared widely.
Yet money laundering still persists. It is still a major problem. We have paid a great price and the problem is no better for it.
Should we continue giving up more? Should we surrender even more to try and stop it?
What if money laundering can't be solved? Money laundering has existed from ancient cultures to now. It has never been crushed. Some crimes are intractable - we can reduce but never prevent them.
We can't go whole hog on security. Nobody can make you safe. Danger is an innate part of life that can only be partially controlled.
For me there's a lot of contradiction within your own comment, but don't worry, I'll give you more than merely talk about its own contradictions.
> We can't go whole hog on security. Nobody can make you safe. Danger is an innate part of life that can only be partially controlled.
We can improve our security, the state has to make us safer, it is possible because danger can be partially controlled, which is exactly what you say.
You also that laundering has never been crushed, and can only be reduced. I also agree with that, and because we can reduce it: it is our moral duty to do what we can to reduce it, giving up "because we can't crush it" is not an option for a person of honor.
If this was just a quick trick to get me to tell my opinion about refugees in general, let me cut it short: https://news.ycombinator.com/item?id=29640944 And let me add to that: we can't keep on taking 400k a year in our little 67m inhabitants country, we already have enough troubble with those we have here (please don't ask me for solid evidence, or if you do, please do so in a dedicated comment)
Of course, I could just burry it by calling it a syllogism, "cheese has holes, holes are air and not cheese, as such, the more cheese you have the less cheese you have", but as you have figured, I'd rather face the game and risk myself than hide, in the worst case I will have learned something which is positive for my own development, more than whatever shame it can bring on me: it's a basic cost/benefit analysis.
As a matter of fact, I found your comment so interesting that I've been discussing it with left leaning friends I met back when I was into AML, who are still active in it, the discussion being over I'm back to reply (an hour ago, I'm proof reading myself for once).
First things first: AML's impact is transversal, it has a lot more impact than you might think. It's the basic tool we have against corruption. And because it prevents crimes, "I will not take this shady deal because it won't bring me useful money", it's impossible to prove that crimes would have happened without it. While you can still measure it's impact on corruption, you'll say it's very hard to measure corruption, fine, that's true.
Mind you, there's more I want to disagree on in your comment. You're saying it "makes it hard for refugees to get bank accounts", I don't see this, at least, not in France which takes 400k so-called "refugees" per year, which is the equivalent of a city like Paris every 5 years, which corresponds to the president mandate.
I will just quote the law here: "Every person living in France, without a bank account, has the right to the opening of such an account in the bank of his choice or in our service", this is article L.312-1 of the Monetary and financial code of law. Even they can't, indeed, open a "normal" bank account, because they have burnt their own papers, say, because they are wanted by the police and want to go incognito, they can still open a "Livret A" where the minimal deposit and withdrawal is 1.5€ https://www.ouest-france.fr/monde/migrants/demandeurs-d-asil...
I'd like to conclude by "sorry", I'm sorry that it's a problem for your friends making "large donations" to be inspected by the state, but that's how it's going to be because we know now for a fact that it does happen that "activists" turn out to actually be human traffickers, a traffik that is worth ~10 billion USD per year, well, not all of them of course, there are also true activists, but these are in bed with the traffickers who tell them exactly when a boat leaves the coast, who knows if they don't get their share ? https://www.cnews.fr/monde/2021-03-15/migrants-un-rapport-po...
And of course ... perdon my french! And thank you for the respectful discussion, always appreciated!
Would it also be acceptable for the state to dictate how we store our bananas at home (pedophiles eat them too), what font we use in our greetings cards (terrorists also send birthday cards), or with which hand you are to wipe your arse (even Ted Bundy pooped)?
Citizens should not be treated or approached as enemies of the state by default.
>Citizens should not be treated or approached as enemies of the state by default.
They aren't under these types of laws. Typically the government would need to get a warrant first before this is possible. You don't have to let them be able to read your messages by default.
That's a fair point. The nature of encryption complicates this slightly though.
If the purpose of encryption is to make data unreadable, but a back-door exists that allows anyone with access to it to bypass the encryption, can the data ever really be considered unreadable?
>but a back-door exists that allows anyone with access to it to bypass the encryption
The trick is you don't do that. Ideally you would only want people with a valid warrant would be able to also decrypt the message (bypass the encryption). So the problem is that you want to design a system where this is possible. Perhaps it takes the cooperation of someone from the government and someone from within the company to verify the warrant. Perhaps you have a list of people who need to cryptographically sign the warrant.
It must in no way be possible for any of these companies to ever run a non-verified decryption mechanism on any single server, computer, or other type of device.
There are so many moving parts to manage, infinite possibilities for abuse, and it would require an absolute massive amount of trust in companies with numerous convictions for abuse of precisely that.
If you're going to attempt a reductio ad absurdam, the end position actually needs to be absurd. For drugs, I would assume legalization is the median position in this forum. Guns are more complicated, but there are definitely a lot of posters that think they should be legal.
Just make sure that all your drug users do actually dismantle their guns before they take any! People are responsible as we all know, especially in our modern society where we value our own individuality above society, ie. "I can use drugs safely every once or twice a year, as such I want it easier for me to get some, and that's why I'm asking to make it legal for everybody, no matter the disaster we know drugs cause on a society". It's indeed exactly the same, "I want to hide my messages with my mom from my government so I will fight to prevent the government from being able to decrypt any message at all no matter the basis of the court order, no matter how many children have been raped or killed, I value my own freedom above security of society".
Basically, "the victims don't matter as long as I'm fine".
"Basically, "the victims don't matter as long as I'm fine"."
The victims here are these that get arrested for the victimless crime of taking drugs. A society is less secure if anyone who takes drugs runs the risk of being arrested.
Also loving the unrelated "think of the children" argument.
Why would you be arrested for taking drugs? Because you're driving on drugs perhaps?
The "think of the children" argument is based on personal experience, mind you, I sincerely hope for you that you will never understand the relation, ever.
"The "think of the children" argument is based on personal experience, mind you, I sincerely hope for you that you will never understand the relation, ever."
1: I doubt it
2: You too, I hope that you (or your children!) will never be prosecuted for a victimless crime.
If you take drugs at your home and don't cause any incident, there is absolutely 0 chance that you get arrested. The idea is not to have a camera in everyone's home to send the police every time someone takes a drug, the idea is to punish people who get caught taking drugs because they are causing incidents, such as car accidents, or highly risking to, such as driving after consuming drugs.
Same with this law: if you're not seriously suspected of any felony then the state will not be able to request decryption of your data.
I'm sorry to say my children and myself have suffered from a criminal that took years to catch, I hope we will fully recover one day but sincerely doubt it, but I'm glad this makes you laugh at least that makes two people laughing about it.
"The idea is not to have a camera in everyone's home"
The funny thing is that this is basically what this and any other anti-e2ee regulation is about.
"If you take drugs at your home and don't cause any incident, there is absolutely 0 chance that you get arrested."
Yet it is still illegal and people are still being arrested for ordering drugs and producing their own, how curious.
"my children and myself have suffered from a criminal that took years to catch"
Did that criminal use drugs or end-to-end-encryption?
Responding to your edit:
"Same with this law: if you're not seriously suspected of any felony then the state will not be able to request decryption of your data."
We both know that this is simply not true.
"but I'm glad this makes you laugh at least that makes two people laughing about it."
Not laughting, and if it is true I hope that you recover. I am just (hopefully understandably) a sceptic when it comes to anecdotes in this sort of arguments.
> The funny thing is that this is basically what this and any other anti-e2ee regulation is about.
Because you refuse to understand that we only want suspect communications, not all of them, and also that we don't want to break encryption to acheive that because the person might as well be innocent.
> Yet it is still illegal and people are still being arrested for ordering drugs and producing their own, how curious.
You won't until there is a problem that alerts the authority.
> Did that criminal use drugs or end-to-end-encryption?
Yes and yes, add much more.
> We both know that this is simply not true.
I disagree.
Anyway, I've been prosecuted on wrong basis myself, and got out winner, I'm not affraid this is going to change. I trust my state, my police, my judges, who are independent and who will have to issue a mandate based on serious suspicious before they read my communications.
"Because you refuse to understand that we only want suspect communications, not all of them"
Yet you are endangering all of the communications, not only the suspect ones. Kinda like having a mandatory camera in every home and promising to access it only when you claim that the person living in the house is a suspect. (Yet always having the ability to access it)
"You won't until there is a problem that alerts the authority."
In that case
* Why is it still illegal then?
* How are you so sure? I remember various cases from the US where they jail someone (usually an african-american) just for having some hashish on them.
* "a problem that alerts the authority" such as your neighbour noticing that you are growing some and calling the police on you, or just ordering some online.
"Yes and yes, add much more."
Kinda hard to believe this anecdote but oh well.
"I've been prosecuted on wrong basis myself, and got out winner, I'm not affraid this is going to change. I trust my state, my police, my judges, who are independent and who will have to issue a mandate based on serious suspicious before they read my communications."
If this is true then I am glad that you are fine, it must have been a very stressful, expensive, and tiresome process. Sadly a lot of people (espesially these living in authoritarian countries or these with a judical system biased towards the prosecutor or the police and against poor people and racial minorities) did not have the same luck.
"that's how present reality works."
No offense but it sounds like propaganda to me. Anyone who has been monitoring the news (or who just check HN once in a while) knows that this is not the case.
It's illegal because we don't want to increase consumption because it's not good for society.
Because here we're talking about a european country, where we have very different problems from USA.
Don't grow in front of your neighbours. The police here will not search you if they can't justify a suspicion.
You don't believe then do you want the links to my private youtube video? You will see a guy that looks like a nazi without any teeth that he lost consuming crack saying he's the real father of my son, that I shouldn't be trans, and that he's going to fuck me up in front of the police. Is this something you want to see to believe it? Because you believe we're in a world of good guys maybe?
It wasn't stressful, my lawyer wiped the floor with them. What are you talking about, we're talking about Belgium and France, there are all ethnicities in the police and the justice and all, there is no racism there like there is (apparently) in the USA.
This article is propaganda making our states weaker which does not benefit any of us. Quit thinking we have the same problems as the US because that's not the case.
Earlier I was against legalizing drugs but I have come to my senses there too, but the last 80 or so years has proven that there is only one group that benefits from drugs being illegal in the long run: the criminals.
As for guns, yes just like with insurance we pay, but compared to the alternative it is a small cost.
Actually, they kind of are. I mean, if you have a gun and use it to shoot cans in your backyard, or that you take drugs and stay home, or go out but don't drive, don't attract attention on you, don't cause any problem, are you even going to be arrested? You have no idea how busy the police is with actual criminals.
I'm not saying we shouldn't do illegal things that don't harm others, I'm saying we should catch criminals who actually do harm.
> End-to-end encryption is a system of communication where the only people who can read the messages are the people communicating.
That is not a technical explanation.
We can still have encryption on both ends of a communication, and at the same time have suspects using two keys instead of one to encrypt. We can encrypt a message for multiple users with GPG, why couldn't we here? As far as I understand E2EE still works, except that users suspected of a felony would also have the state key in their encryption, that doesn't mean removing other keys!! Which we should definitely not do because we do not want to compromise the privacy of innocent people!!
Technical or not it does not matter. It is clear and specific. If you encrypt the messages for someone else too (or if you leak the keys) it is not end-to-end encrypted.
"and at the same time have suspects using two keys instead of one to encrypt"
And regular citizens.
"except that users suspected of a felony would also have the state key in their encryption"
And regular citizens :)
Anyway, in that case it is not end-to-end encrypted because the state is not one of the people communicating.
Except that shooting sports have been in the Olympics longer than just about any other sport.
It is a great form of meditation; for an analogy I refer the curious to "Zen and the Art of Archery"
And many of my friends are hunters. This is a nice way to put food on the table. Esp with deer populations not having much other control on them since we got rid of most of the other large predators.
"""The main criticism was that it is simply impossible to rule out that a backdoor - once it is built - is abused by criminals or undemocratic regimes. A lowering of the security level would immediately affect all users - and not just those who are the subject of a judicial investigation."""
The comment says:
> I'm glad you're keeping safe dealers, pedophiles, and other criminals as well as their lawyers.
This does not look like a solid point to me; it looks like rhetoric.
> This draft included a passage that would have forced companies such as WhatsApp and Signal to decrypt their encrypted chats upon request by the authorities for criminal investigation.
> Belgian intellectuals like Professor Bart Preneel said that "by putting a backdoor into Whatsapp, you would make it less safe for everyone".
This does not look like a solid point to me; it looks like rhetoric. Anyway:
> a backdoor - once it is built - is abused by criminals or undemocratic regimes.
If they can get their hands on a governmental private key, which is unlikely.
The NSA leaked its own hacking tools to the internet. Oops.
The US government gave… gave, not leaked, not accidental, deliberately outright gave.. the identities and other personal information of people
who had worked with the US in Afghanistan to none other than the Taliban. Because the Taliban pinkie promised not to slaughter them. Too bad, the Taliban didn’t keep its word.
Let’s not be naïve about the government’s ability or interest in keeping things private.
> If they can get their hands on a governmental private key, which is unlikely.
But those private keys aren't going to be created by the government. They will be created by Facebook, Signal, Telegram etc., who will then hand over one of them to my government, one to yours, and one to each and every government that makes a similar law, from Argentina to Zimbabwe. And they could just as easily hand over another to <insert billionaire or other non-governmental figure you dislike here>.
Just by virtue of providing the possibility of keys to the "Proverbial kingdom" and centralizing location of those keys gives far greater incentive for hackers or state actors to find new ways to gain access to these tools for decryption.
What economic damage can be done in the interval between a private key being accessed by a criminal and the key being revoked?
Depends on the systems connected to the private key of course, but billions per incident are certainly possible in some cases.
Even if this is just private chat on messenger platforms rather than 2FA or HTTPS, imagine how blackmailers would respond to getting all the nudes, the drunk confessions, the adultery, from 30 minutes access to all of the 10th most popular chat app in your country.
Then perhaps you can explain why so much stuff leaks from, say, the USA government?
Not just the stuff from government employees or contractors like Snowden and Manning who appear to be motivated by whistleblowing, but also the actual double agents working for the Soviets in the Cold War, and the apparently accidental leaks of NSA spyware: https://en.wikipedia.org/wiki/EternalBlue
Great, that just leaves the possibility that the system to install keys will itself be compromised, perhaps something like happened a few years ago with a downgrade attack to the old USA “export grade encryption” back when crypto was counted as a munition. The use of e2e encryption started to become a general standard in chat apps precisely because centralised keys proved to be a weak point after Snowden.
What makes you think that exactly? I believe these people cause damage, often irreversible, and that crypto protects them. A proper cost/benefit study has not been taken here IMHO!
Encryption protects everyone. Banning encryption is futile, make it illegal and the next day I'll transmit messages using steganography and other tricks. It would be about as effective as the war on drugs - the only winners would be the criminals making money from it.
I'm amazed that people always seem to link restriction on encryption and guns.
Encryption has a legitimate use in normal society, guns (apart from sport) are a tool applicable to a specific subset of society, easy to misuse or accidently use with extreme consequences.
I know (personally) of a number of cases where people have been killed accidently by guns, and more where anger/emotion has caused things to get out of control. This is not something that happens with encryption.
Simply said, they are not the same thing, stop trying to confound the issue.
A backdoor is a secret way to gain access to a system. I propose that we explicitly design our system to give them access. It wouldn't be a secret that they could get access to the information they needed under certain circumstances.
This has been discussed in many ways before but I'd like to try to phrase it my own way.
When police get a warrant to search your home, after they are done you can get a new lock and recover anything taken as evidence eventually.
When an investigation gets permission to surveil you, it's a temporary affair and records can be stripped of irrelevant personal data before any sort of release or duplication.
Even in the best case scenario, encryption is used in cases where incidental damage cannot be recovered from like above. Encryption is an attempt to restrict an easily accessible, indefinite lifetime, and infinitely duplicatable piece of information to only be meaningful to intended owners.
Let's imagine a very generous scenario, a chat program has encrypted chat such that every message can be unlocked with either the participants' keys or a unique key per message stored and kept safe by the service owner. Law enforcement can request chat logs and the service can return them the keys needed to read the requested logs from the interval specified.
Similar to the second scenario above it is possible after the investigation to cleanse the records law enforcement has, but in this case they are not the primary or secondary source of that information and cannot ensure that all records are permanently safe from outside parties. Anyone can easily get copies of the encrypted versions of communication done over the internet with minimal effort, this means someone can hold on to encrypted information in massive dumps and await inevitable breaches in company security that retroactively reveal all previous communication.
This is the best case scenario, it completely ignores things such as how any investigation is one day inevitably going to be a malicious actor. I don't mean whatever group of people are in charge right now going bad, I mean how all countries/groups inevitably change over time for better or worse. If a bad actor is in a position of power for even a moment, they can retroactively spy on you at all points in the past you use a weakened encryption. Imagine an extreme vegan political group making eating meat a crime punishable by death even if in the past. Your chat logs about going for burgers are easily accessible. Or similarly a retroactive law against abortion.
In the case of well encrypted chat, only the participants have control over the keys and if you want to be sure something is gone you can discard the key. This is no longer the case for encryption with a backdoor.
>Anyone can easily get copies of the encrypted versions of communication done over the internet with minimal effort, this means someone can hold on to encrypted information in massive dumps
How, if you aren't the person I'm chatting with, then you will never see my encrypted messages. How would anyone magically get all of the messages?
>Imagine an extreme vegan political group making eating meat a crime punishable by death even if in the past. Your chat logs about going for burgers are easily accessible. Or similarly a retroactive law against abortion.
Ignoring how common law does not allow for retroactive laws, you are arguing for people to be able to hide the evidence of the crimes they have committed. I imagine how you can see how governments would not be a fan of this. You are just being an example of a person who has something to hide. Killing your citizens on such a large scale is really not in your interest as a government and would not go over well in the global community.
>This is no longer the case for encryption with a backdoor.
I never said to add a backdoor. I said that the cryptosystem should be designed such that law enforcement with a valid warrant will also be able to decrypt the message.
Having a cryptosystem where only the participants or someone with a warrant can read messages is still an upgrade over unencrypted messages where a MITM can store, read, and modify your guys' messages.
Thanks, I understand your arguments and have held them for ~15 years, I have changed my mind: I don't believe "any investigation is one day inevitably going to be a malicious actor", that could happen with any kind of evidence anyway, encrypted evidence is no exception, I also don't believe about retroactive laws like that, and I do want something to be done about the thriving criminality, because I don't want protection from what could happen if reality became scifi, I want protection from the threats we are actually facing in the present reality. That said, your comment reflects an above standard kindness which I deeply appreciate.
> systems which allow for governments to be conditionally able to decrypt messages
Make a backdoor for the government and all organized crime will also have a backdoor and it'll turn any encryption into a security-by-obscurity model. It would be just like those TSA locks which now anyone can open because all the universal keys are public. And such powers will be abused by the government & police as well. It's inevitable, that's very clear from what already happens with current surveillance laws.
>Make a backdoor for the government and all organized crime will also have a backdoor
I never said to add a back door. I said we should add a front door. The cryptographic protocol should take into account the needs of the government too. To prevent abuse from organized crime it should be made difficult to fake warrants.
You compromise liberties of non-criminals. We have taken a while to understand that it is better to let someone guilty unpunished than it is to punish an innocent. I don't want to reiterate the reasoning behind this here.
It would be two or three steps back if we just ignore this awareness here additionally to all the constitutions that forbid surveillance in the first place.
Aside from the chilling effects from surveillance and state abuse, there are just no real arguments for surveillance. Sexual crime happens mostly in the circle of the victims, mass surveillance is a completely incompetent approach to the problem space.
> it is better to let someone guilty unpunished than it is to punish an innocent
Which is exactly what the law was for: to make it easier for enforcement to get more evidence.
This has nothing to do with mass surveillance:
> This draft included a passage that would have forced companies such as WhatsApp and Signal to decrypt their encrypted chats upon request by the authorities for criminal investigation.
As such, I don't understand your point at all, sorry.
Police can't even catch terrorists before an attack despite getting warnings from foreign countries and having the suspects on a list. What makes you think that they'll gain anything from an encryption ban when law enforcement is already complaining today about their inability to make sense of the surveillance data they're basically drowning in.
Secure E2E encryption makes companies unable to decrypt encrypted data upon request.
Therefore, a law forcing them to decrypt encrypted data upon request necessarily makes it illegal to implement secure E2E encryption. QED.
(If the law only allowed them to share with the government data that was already decryptable by third parties, that would be a different matter. That's what happened to Tutanota in Germany: the tribunal ruled that they had to allow the police to access messages sent as cleartext, but they could not be required to put a backdoor in their E2E clients.)
Semantics. E2E is necessary against a wide array of threat models and is a fundamental part of what can be considered 'pretty good privacy' by 2021 standards (pun intended).
If a government, possessing a working set of quantum computers, chose to ban post-quantum crypto algos only, by the same semantics it could be argued that it would not be a general "encryption ban" either.
I think it's clear we're talking about effective, secure encryption, and that means E2E. Faulty implementations are technically an exception, but I don't think you can argue with that in good faith.
> a passage that would have forced companies such as WhatsApp and Signal to decrypt their encrypted chats upon request by the authorities for criminal investigation.
And you'd rather have criminals that we can't catch because evidence is encrypted running around in the same streets as your children? Nobody's saying this law was a silver bullet.
For one, the kind of psychotic violent criminals that might assault random children in the streets are unlikely to get caught thanks specifically to cyber-surveillance.
I am perfectly comfortable with having my children run around in the same streets as people selling drugs or stolen credit card numbers online.
But to address your point less literally - "it might make it easier to catch criminals" is an extraordinarily weak justification for compromising the privacy of BILLIONS of citizens (WhatsApp, sadly, runs most of the personal communications in vast swathes of the world).
You are overestimating the capabilities of the average criminal. If you changed the protocol so law enforcement with warrants could decrypt messages from people on WhatsApp. Most criminals on WhatsApp would not leave the platform. They would just continuing using it regardless.
Having right to an attorney also makes it harder to convict criminals, but the trade-off is still worth it.
A world without strong crypto is a world where all kinds of records and communications are mercilessly exploited by entire armies of bad actors, some of which may sit ten timezones away from you. It is like having your home or business open to the entire 8 billion people out there.
I think you need some data to support your argument here. How many criminals go unpunished because information can't be decrypted? What is the real cost to society because of lack of backdoors?
you're assuming people working at the NSA would rather catch criminals than look at people's nudes. That assumption, unfortunately has been proven incorrect.
I wish we would just come up with a strong, transparant legal decryption framework already.
We moved our lives completely digital before e2e encryption came around, claiming that we cannot go without e2ee is false.
The "new law" is actually an update of an existing law and it would've forced "apps" (e.g. WhatsApp) to provide the same kind of text logs on request like the telcos have been doing for call log/SMS/location.
It took governments a while to catch up, and now they have. In the arms race between privacy and surveillance, E2E is the next shield against the weapon of mass surveillance.
Governments have always had warrant requirements, until they decided they didn't need them. If you want my data, get a warrant.
The US had it's own top secret database breached.. because they used a discount contractor. I choose to keep my data in higher regard.
Bulk SMS/location is also a horrible failure of justice and it harms innocent people so that a few criminals may be caught. This is backwards.
It is better that a criminal go unpunished than for a single innocent person to be harmed wrongfully by the government.
Tomorrow, we decide to re-instate the death penalty for people who commit murder.
Our very well trained seers (who are always right) tell us that this will reduce murder by 90%.. but 1/20 people we execute will be innocent of the crime.
That's a really interesting ethical question. It's what the right wight asks: most immigrants are fine, but 1/20 will be radicalized, even commit terrorism acts such as mass murder, do we take the bargain? French president Francois Hollande testified in court that he knew and took the bargain, then, we had Bataclan, Samuel Paty, and so on (please don't make me do the exhaustive list).
Now the question is, what would make one decide to apply whatever answer they give here, but not there? Definitely food for thought!
Reducing 193 murder victims (Belgium 2017) to 19.3 victims.
Assuming there's a 1:1 victim/killer ratio, that would mean ~20 executed killers of which 1 is innocent.
So, "accidentally" killing 1 person to save 173 lives.
I am very pleased to see that the _current_ administration came to their senses and listened to reason. However, this is a fight i am afraid we will always have to fight over and over again unless right to encryption is codified in EU constitution or a similar document.