Re: [arch-d] IAB Statement on Encryption and Mandatory Client-side Scanning of Content

On Mon, Dec 18, 2023 at 1:22 AM Vittorio Bertola <vittorio.bertola=
40open-xchange.com@dmarc.ietf.org> wrote:

>
>
> > Il 16/12/2023 23:41 CET Brian E Carpenter <brian.e.carpenter@gmail.com>
> ha scritto:
> >
> > > I am at a loss on how mandatory use of client-side scanning could
> > > restrict the use of open-source software as the statement does not
> > > explain that.
> >
> > That seems fairly clear to me. If open-source software does not allow,
> > or actively prevents, mandatory scanning it would be illegal to use it.
>
> Well, yes, much like software that would be designed to break any other
> law. But (as an employee of a European open source software maker) I do not
> see how this is a problem for open source, especially once it is clear that
> any modification applied to the code by third parties for the purpose of
> circumventing a law is not the responsibility of the original author of the
> software. It's life in a democracy, you just make your software comply with
> any applicable law, like it or not, and that's it.
>

I think this misunderstands the issue around open source and client side
scanning, which is not about the author of the software, but about
enforcement by the service.

In general, if you want to build a service which has a client and server
component (as messaging services do), and you want some behavior to happen,
you can either have it happen on the client or happen on the server. If
that behavior is something the user wants, then it often doesn't matter
where it happens, but if it's something that the user doesn't want (e.g.,
advertising), then you are counting on the client to behave the way you
intend even though you don't directly control it. In a system where either
the client is open source or the protocols between the client and the
server are open source, then it is possible to create an interoperable
client which behaves differently than the service provider expects, in this
case by not scanning the content.

The main approach to requiring specific client side behaviors in an open
system is attestation of the client side software [0], but this also has a
negative impact on open source.

-Ekr

[0] For more on this topic see:
https://educatedguesswork.org/posts/wei/
https://www.iab.org/documents/correspondence-reports-documents/2023-2/iab-statement-on-the-risks-of-attestation-of-software-and-hardware-on-the-open-internet/

(Anyway, the European proposal has very little chances to be approved.
> There's just too much opposition, including that from Germany, and they
> only have a couple of months before the term ends and the Parliament is
> dissolved for new elections.)
>
> --
> Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
> vittorio.bertola@open-xchange.com
> Office @ Via Treviso 12, 10144 Torino, Italy
>
> _______________________________________________
> Architecture-discuss mailing list
> Architecture-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/architecture-discuss
>