this post was submitted on 12 Apr 2025
496 points (98.6% liked)
Oh, yeah, my concern isn't really that Florida is planning to go after instance admins -- I'm just being sardonic -- so much as to point out that any practical enforceability of this is going to have a lot of issues.
I mean, do you mandate that Lemmy disallow third party clients? Try to force them to detect and block encrypted messages? What happens if I start dumping big PGP messages steganographically in images and simply send those? What happens if the image I'm sending is just a link to isn't even uploaded to pict-rs on a Lemmy instance?
I don't need to move a whole lot of bits to send messages, and it's really hard to block people who can send any data at all from having software send data that cannot be read by intermediaries, use the existing social media channel to agree upon out-of-band communications channels that social media operators have no control over, and so forth. Like, okay. Say I am a child-molesting terrorist drug running money launderer or whatever. I know someone who uses Facebook.
Let's even say that Facebook does a fantastic job of detecting and blocking any E2E-encrypted communications like PGP messages of the sort I mentioned in the above comment.
Okay. Now let's say that there is some other non-social-media system that uses OTR. I use Facebook to send someone my identity on that OTR system, as well as -- which doesn't need to be in any kind of standardized format -- the shared secret OTR uses to bootstrap trust between two parties. That shared secret becomes useless after the initial handshake completes. Is Florida going to figure out everything that I'm saying, manage to break into whatever other channel I'm using, and MITM the thing? Probably not, since even if they subpoena Facebook and Facebook gives them that shared secret, it doesn't let them later MITM the OTR communications.
That sounds complicated, but from a user standpoint it's "Let's talk on . I'm , and here's ." The other person fires up their program, pastes string in, and unless Florida have already subpoenaed and MITMed that channel, at that point, the deed is done -- out-of-band E2E-encrypted communications are bootstrapped, and Mark Zuckerberg can't read them or let anyone else read them even if he wants to do so.
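
The point made above, that the shared secret only authenticates the initial handshake and does not protect the traffic itself, shown as an added example that is not part of the original comment and is not OTR's actual protocol (OTR verifies a shared secret with the socialist millionaires' protocol): a toy Diffie-Hellman exchange whose ephemeral public values are MACed with the secret. The group parameters, function names and secrets are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption, illustration only): 2**127 - 1 is prime but far too
# small for real use; real systems use standardized 2048-bit+ groups or X25519.
P = 2**127 - 1
G = 3

def keypair():
    """Fresh ephemeral DH key pair, generated per handshake and then discarded."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def tag(secret: bytes, role: bytes, pub: int) -> bytes:
    """MAC binding an ephemeral public value to the out-of-band shared secret."""
    return hmac.new(secret, role + pub.to_bytes(16, "big"), hashlib.sha256).digest()

def session_key(secret, my_priv, peer_role, peer_pub, peer_tag) -> bytes:
    """Check the peer's public value against the secret, then derive the key."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate public value")
    if not hmac.compare_digest(tag(secret, peer_role, peer_pub), peer_tag):
        raise ValueError("handshake not authenticated")
    # The secret is NOT an input here: the key comes only from the ephemeral
    # private values, so learning the secret later does not reveal the key.
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def handshake(secret_a: bytes, secret_b: bytes):
    """Run both sides; each side uses the secret it believes is shared."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    k_a = session_key(secret_a, a_priv, b"B", b_pub, tag(secret_b, b"B", b_pub))
    k_b = session_key(secret_b, b_priv, b"A", a_pub, tag(secret_a, b"A", a_pub))
    return k_a, k_b

if __name__ == "__main__":
    s = b"constructed-secret"  # constructed sample value
    k_a, k_b = handshake(s, s)
    print("keys match:", k_a == k_b)
    try:
        handshake(s, b"wrong-guess")  # party without the secret at handshake time
    except ValueError as exc:
        print("rejected:", exc)
```

A party that does not hold the secret while the handshake runs is rejected, which is the window the comment describes; once the ephemeral private values are discarded, the secret alone yields nothing about the session key.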