This law is unenforceable for people who self-host XMPP for their friends and family.



It's clear they won't stop here, next they'll also scan messages for "terrorist content".

@jcbrand How so? A simple "legal" solution to this approach seems to simply consider everyone who does this kind of hosting a "telecommunication provider" bound by the usual laws, like it happens with other similar laws too. How much demand of paperwork will it take for people to give up on that kind of self-hosting at all...?


@z428 @echo_pbreyer

You can't stop users from using E2EE on your instance

@jcbrand No, but you can force instances to track all the communication that is not encrypted (like metadata), and possibly again you could add legal penalties, for example making the use of E2EE illegal altogether.


@z428 @echo_pbreyer

How are they even going to know that you use a private XMPP server in order to force you to do anything?

This is like the war on drugs, or the attempt in the 90s to ban encryption algorithms.

@z428 @echo_pbreyer

The best thing technologists can do to fight surveillance and oppression like this is to make it unenforceable.

I'm happy there are pirates like @echo_pbreyer fighting the political fight, but that's not for me, since I'm an immigrant and can't even vote.

@jcbrand Agreed, this works for an XMPP server for a closed user group that doesn't federate with any other system. As soon as you actually want to communicate with other users, your system will become more or less publicly visible. And I think in general, something like the "war on encryption" can, these days, easily be "won" (at least for a majority) by making these tools illegal and persecuting their uses with draconian means - similar to how the music industry dealt with ...


@jcbrand ... users of "illegal" file sharing in the early 2000s. Take a few John Does that are fined with horrendous amounts of money (or even sentenced to stay in prison) for using encryption apps, and you for sure will see acceptance of these tools fade. 😟


@z428 @echo_pbreyer

Those tactics were largely ineffectual and didn't stop piracy.

I know because I was there, pirated myself and had lots of friends who pirated.

BTW, you can still use Usenet to pirate to your heart's content with basically no way of getting caught.

Cheap enough streaming services have played a much bigger role in reducing piracy.

@jcbrand Yes, but few people use Usenet. These tactics are efficient because they keep out a large majority of people from using these things - people that aren't skilled enough from a technical point of view, people who don't want to risk things by trying it (after all it's still illegal), or people who simply don't know. It will drive these tools out of the mainstream while (in terms of surveillance) leaving the vast majority of people without better options.


@z428 @echo_pbreyer

Yes, this is the new digital divide and it's been like this for a long time already.

People with technical skills will be able to maintain a higher level of privacy and autonomy than the rest.

@jcbrand Yes, that's my very problem, and I see a lot of approaches especially from a legal point of view happening at the moment that are enforcing this digital divide while on the other side at least the tech crowd doesn't do much to compensate for that. Example: Threema and (to some degree) Signal by now seem much better a tool to fight this kind of "surveillance" than XMPP or Matrix because having little or no communication stored on the server reduces the amount of ...


@z428 @echo_pbreyer

Threema and Signal being centralized means that they can be corrupted and subverted to start collecting data and you won't even know it.

I use Signal, but don't be fooled into thinking that a centralized black box can actually guarantee your privacy and safety.

Oh, and the fact that their code is open source doesn't help because you have no guarantee that the server itself is actually using that code unmodified.

@jcbrand ... data subject to being monitored or handed over. There still is a problem of having a legal entity (company or organisation operating this service) that could be considered a "provider" though. Maybe a real P2P, server-less solution would be the only way to circumvent this at some point for a large crowd of people. But for that we need to not just agree on trying to pursue openness but also on trying to reduce this digital divide (by embracing the fact that a ...


@jcbrand ... majority of users has no access to technical skills and even if they had, something federated, yet server-bound like Matrix, XMPP or encrypted e-mail always will come with a high hurdle). Then, you would only need something like plausible deniability to keep people out of legal focus.


@z428 @echo_pbreyer

XMPP OMEMO has plausible deniability.

In any case, you can either sit on an ash heap and cry about all the people left behind, or you can work on solutions for yourself and your family and friends, which incidentally other people can also use.

@jcbrand That's why I am at the moment trying to throw money at solutions like tox or briar while primarily using Threema (yes, I think for operating such infrastructure it needs a company that at least doesn't _depend_ upon collecting money by selling user data). I have no real hope for XMPP (again, server-bound, plaintext metadata) or the non-P2P variant of Matrix (servers) here. 😐


@z428 @echo_pbreyer

If P2P messengers take off, then I'm happy. The more solutions the better.

If you self-host XMPP then you don't have to worry about metadata or that it's "server-bound".

Also, the metadata is about which JIDs communicate with which other JIDs. No personally identifying information is required for XMPP to work.

Not ideal perhaps, but not a huge problem either IMO.

Self-hosting can be as simple as starting a docker instance and setting DNS records.

@jcbrand @z428 @echo_pbreyer
Technically you don't even need E2EE for self-hosted XMPP as long as you don't care about messaging with external accounts (e.g. family only), since you own the server and hence the encryption keys of both legs of communication. You then only need to protect data at rest (e.g. host it at home).

@jcbrand @z428 @echo_pbreyer Current XMPP e2e is fairly trivial to block at a server level, do we need an e2e that is hard to detect/block? I have some thoughts. :)

@moparisthebest @echo_pbreyer @z428

Yes, I was more thinking in terms of a cat and mouse game that would result and that eventually you wouldn't be able to stop it server side.

Are your thoughts written down somewhere?

@jcbrand @echo_pbreyer @z428 You'd have to scrap all the nice negotiation, but keep the real cryptography and run it through something like instead of base64 (think bip32 mnemonic but arbitrary length and wordlist) so you only exchange real words in your language.

Depending on the govt they could still rubber hose you for sending nonsense but hard to detect/block anyway.

@moparisthebest @echo_pbreyer @z428@social.tchncs.d

Interesting. Alternatively, if you were worried about the server rejecting base64 encoded ciphertext in the message body, you could also put it in a XEP-231 "data" element. 🙂

Could be a fun, silly hack to work on during a hackathon.
