Comment on Florida’s New Social Media Bill Says the Quiet Part Out Loud and Demands an Encryption Backdoor
CosmicTurtle0@lemmy.dbzer0.com 6 days agoNot that I disagree with your point, but Florida law is only relevant within Florida and, to a limited extent, the United States. Admins of US-based instances could likely be subpoenaed and then held in contempt if they refused, assuming they don’t pull a PornHub and just block all of Florida.
That said, this is very worrying since subpoenas have a MUCH lower threshold of legal bearing than warrants. I suspect that Apple will likely challenge this in court or they stop selling iPhones there.
...Florida law is only relevant within Florida and, to a limited extent, the United States.
And even then only to the extent those with the power to do so choose to enforce it. It might matter if you or I break the law; it will not matter in any meaningful way if Meta does.
tal@lemmy.today 6 days ago
Oh, yeah, my concern isn’t really that Florida is planning to go after instance admins — I’m just being sardonic — so much as to point out that any practical enforceability of this is going to have a lot of issues.
I mean, do you mandate that Lemmy disallow third party clients? Try to force them to detect and block encrypted messages? What happens if I start dumping big PGP messages steganographically in images and simply send those? What happens if the image I’m sending is just a link to isn’t even uploaded to pict-rs on a Lemmy instance?
I don’t need to move a whole lot of bits to send messages, and it’s really hard to block people who can send any data at all from having software send data that cannot be read by intermediaries, use the existing social media channel to agree upon out-of-band communications channels that social media operators have no control over, and so forth. Like, okay. Say I am a child-molesting terrorist drug runner money launderer or whatever. I know someone who uses Facebook.
Let’s say that Facebook does a fantastic job of detecting and blocking any E2E communications.
Okay. Now let’s say that there is some other non-social-media system that uses OTR. I use Facebook to send someone my identity on that OTR system, as well as – which doesn’t need to be in any kind of standardized format — the shared secret OTR uses to boostrap trust between two parties. That shared secret becomes useless after the initial handshake completes. Is Florida going to figure out everything that I’m saying, manage to break into whatever other channel I’m using, and MITM the thing? Probably not, since even if they supoena Facebook and Facebook gives them that shared secret, it doesn’t let them later MITM the OTR communications.
That sounds complicated, but from a user standpoint it’s “Let’s talk on <program X>. I’m <user>, and here’s <string>.” The other person fires up their program, pastes string in, and unless Florida have already supeonaed and MITMed that channel, at that point, the deed is done – out-of-band E2E-encrypted communications are boostrapped, and Mark Zuckerberg can’t read them or let anyone else read them even if he wants to do so.