In the meantime though, Signal specifically should not do something stupid like blocking the EU, which is basically surrender. They are a non-profit headquartered in the US, so there are zero business risks to non-compliance - nothing in the EU to fine or seize. And the EU has no jurisdiction over servers in the US, all they can do is build their own Great Firewall. (However, they might pressure AWS to deplatform Signal - hopefully the team is prepared for the possibility that self-hosting will be necessary soon.)
Very much. I also fear they coming for this, we already have instances of where using secure alternatives tags you as a criminal[0], so i don't doubt a future where non-approved applications will get you in trouble. With everything happening around Android locking itself down[1] and Windows being a spyware[2] anybody who wants privacy will be 'different', and can be tagged and excluded from parts of society for not using the same services.
[0]: https://x.com/GrapheneOS/status/1940440326830989549
Imagine all I ever posted was cat pics... unless I have your public key and then all of a sudden those pics are decoded into messages of dissent
Google is already working on closing the possibility to install apps from outside the app store, Apple has been like that since forever. The fact that a few technically savvy users with rooted phones will still be able to use Signal doesn't mean anything. It will be dead if the EU decides they don't want it.
https://en.wikipedia.org/wiki/National_security_letter
the government can compel entities to let them access their systems and keep it a secret.
Also, if Signal runs on AWS, that is another potential vector of surveillance.
These kind of responses is why it is hard to trust privacy advocates on HN. They are high on rhetorics, but half the time dont know what they are talking about.
I did saw it was an extension of the 1.0. To my understanding, "allows to scan" can also mean enabling a pipeline for accepting requests of scanning lawful content because, well, they can. In practice, it creates a mechanism to crawl people's information because when they feel like. While the law do make it explicit that this 'allowance' should not be used for anything else outside of the scope, i can't trust they won't. Once the mechanism is there, and that is valid for other countries, it might be used for stuff outside this scope since it's possible.
I work in the ISP field, and this happened in another context. First, a pipeline was built to block sites without a judge, because doing it only with court orders made it to difficult. After a few months of many ISPs complying the scope grew, now they can target piracy websites at will, and you must comply. Why stop there?
My fear is that this sets an example. I hope I'm wrong, but i don't trust them. There's a reason it was rejected before and it is being passed like that now.
Just a recap how it happened in Russia:
1. First, year ~2015 legal framework was created under disguise of banning pirated media(specifically torrents.ru)(legislative push). State-wide DNS ban introduced. Very easy to circumvent via quering 8.8.8.8
2. Then, having legal basis, govt included extra stuff in banned list(casinos, terrorist orgs, etc)(executive push). IP bans introduced, applied very carefully.
3. Legal expanded allowing govt to ban specific media on very vague criterias(legislative push). IP blocks tried on some large websites. DPI hardware mandated to be installed by ISPs to filter by HTTPS SNI(executive push).
4. At ~2019 Roskomnadzor(RKN) created, special govt entity which enforces bans without court orders(legislative push).
5. ~2021 sites become banned if they are not filtering content by Russian laws by request of RKN(executive push). VPN services were obligated to also DPI-filter traffic(legislative push).
6. ~2023 Crackdown on VPN started(executive push). Popular commercial services were IP-banned, OpenVPN and IPSec connections selectively degraded by DPI.
7. ~2025 Heavy VPN filtering(vless, wireguard, etc) introduced(executive push). Performance of certain sites were degraded(youtube, twitter, etc).
When you hear of "person arrested after NCMEC cyber tip" that's what this enables - people sharing or storing CSAM that was caught by this scanning, reported to NCMEC, and then sent to local authorities.
I have zero problems with Chat Control 1.0 as the existing derogation brought the EU into line with the rest of the world. Chat Control 2.0 is problematic however, but again, is not what's being voted on here.