• tal@lemmy.today
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    The law restricts providing a commercial service in the EU that provides end-to-end encryption without monitoring of the content of communications, not using end-to-end encryption. Unless you’re planning to run some kind of underground messaging service, you probably won’t be the one violating the law.

    • RedPandaRaider@feddit.de
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      What is to stop a company from offering their services in the EU though? As long as they don’t legally cooperate with the EU it should be fine. Like Telegram operating from Russia (if they weren’t collaborators already).

      • tal@lemmy.today
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        1 year ago

        Well, depends on the jurisdiction where they are operating from.

        In the US, if you’re intentionally offering commercial services in the EU (and while the US and EU definition of that may differ, I don’t think that the difference is broad enough to matter much from the standpoint of services that are being affected), my understanding is that the US will honor EU jurisdiction, and will enforce rulings against companies. Now, you have to actually be doing business under the US standard of doing business in the EU for this to apply – like, this can’t just be some random non-commercial server that you set up and then let anyone on the Internet use, as the US doesn’t consider that doing business in the EU. A US-based lemmy/kbin server isn’t going to be considered by the US to be doing business in the EU, but if its operator, for example, says “hey Europeans, donate money here and avoid restrictions”, then that’s targeted advertising to the area and the US will consider that to be doing business in Europe. Someone like Whatsapp definitely can’t just say “oh, my servers are in the US, ergo EU law doesn’t count, and I’m going to go right on selling ads and services and such in the EU and whatever else I do”.

        For somewhere like, oh, Russia, Russia may not care about enforcing EU law. However, that isn’t a blank check.

        First, it may be a pain for the EU to act against Telegram itself, but if money is involved, so are payments. It’s not hard for the EU to act against payment processors – banks, Visa, stuff like that. If a service is getting payment either directly from people in the EU or from advertisers in the EU, the EU can tell the payment processor to cut them off. The payment processor isn’t going to fight the EU on that; this sort of thing happens regularly.

        Second, if you’re using an illegal service, the EU might wind up having EU ISPs block it. Russia has been running around requiring ISPs to ban certain sites. The EU hasn’t done that yet, but it could. I am not at all convinced that in the long term, it won’t be the norm for countries to have a list of “banned” services that they require their ISPs to block. I am pretty sure that there are a number of parties who would like piracy sites to be blacklisted, for example.

        https://en.wikipedia.org/wiki/List_of_websites_blocked_in_Russia

        Third, from an individual standpoint, that means that someone in the EU is not going to be getting any EU legal protection, in the privacy sphere or elsewhere. Now, maybe the technical benefits of having end-to-end encryption outweigh that for the user, but stuff like traffic analysis on messages and the security of the client may be up for question.

        Specifically for Telegram, I haven’t used Telegram, so I don’t know how it handles key distribution, which you need to do for end-to-end encryption – OTR, for example, needs some pre-existing shared secret or secure sideband channel to bootstrap trust between two users. It looks like Telegram provides source, but for that to be useful, one needs to believe that someone trustworthy has validated the source, that the binary for the client is a legitimate build from that source, and that you have properly distributed keys with the other user using that client. Those can all be done with a lack of legality, but my guess is that a lack of legality likely makes it harder.