ETA: in short, about a month ago they did get the votes, at least in the EU, and it's now "allowed" for providers to scan all content. In a little while, they're going to have a vote to change "allowed" to "required", and we have no reason to think it'll go differently.
Bad news for the EU maybe, if that were to pass. That sort of thing never passed muster in the US. There is always a huge backlash because it infringes on the speech rights of both companies and individuals. You'd essentially be forcing banks to build in backdoors that criminals could use, and also making it so that only criminals can use true E2E encryption.
There is no sense making laws you can't enforce. It erodes trust and credibility.
If you think EU policy only impacts the EU, you didn't pay attention to what happened with GDPR. Some companies might scan only EU-to-EU communications, some might scan communications where only one end is in the EU, and some might just scan everything because why build two completely separate systems rather than just doing whatever is compliant everywhere you operate?
> They've tried to do this for decades and have failed.... Let's see how voters like it.
My "point" is that I thought the same way you did -- look what a mess Clipper Chip was, they always want backdoors but surely a voice of reason will show up, etc. -- but something has changed. Couple the vote in the EU with the way the major tech companies reacted to GDPR (you'd be surprised how many sites simply block all of Europe rather than comply) and it's a wake-up call. There is a real chance of the bad guys winning here.
My opinion here is that such policies are unenforceable and will therefore blow up in the faces of whoever implements them. Whoever does not will have the people's backing and will pave the way to the future. Of course, none of us can see the future, so we'll just have to wait and see. If I lived in the EU I would make my voice heard about that legislation.
Maybe I'm just too jaded but I don't think "making voices heard" matters -- in the link I posted upthread, the overwhelming majority of voters did not want the Chat Control measure to pass, but it did anyway, "for the children". (I can't even do that -- I'm an American living over here, I have no say in politics but am subject to a lot of their rules.)
Maybe we'll get lucky and the next vote will fail, or maybe if it passes there will be providers that refuse to comply. I think if it happens, it's far more likely that most will cave, and a few will just pull the plug and stop offering service.
Of course it matters. Politicians must listen to voters on topics of import or they're out. If you're arguing against democracy and for some imagined alternative, then I can't help you because that's a worse outcome.
It's true some policies do pass that a lot of people don't want. It's up to the voters to make an issue of that in the next election cycle. As an American living in the EU you can certainly use your voice. That may be as consequential as your vote if you are convincing. Since I do not live there I don't engage in those politics, despite the connectedness of the world. There's enough to deal with on our home turf.
I'm not arguing against democracy: it's the worst system except all the other ones. I didn't think much of Brexit, I think they really shafted themselves, but at the same time I get the strong impression that EU governance is hopelessly broken.
I don't have to bring a solution to notice that the system we have is not working. (That's not to say I don't wish I had one, I just don't.)
Apple's own transparency report, under FISA orders. Presumably it includes all subscriber data they can access for the specified accounts, so likely contacts, photos, and device backups (full iMessage chat history, or sync keys to decrypt same).
FISA orders are not warrants and do not require probable cause; the FISA Amendments Act Section 702 spying that goes on (aka PRISM internally to the IC) pulls data directly from cloud provider systems without a search warrant and was cited by Ed Snowden as one of the main reasons he came forward.
I posted more detail upthread but what I've found suggests that Apple does have a key to decrypt pictures but they claim to use it only to respond to a warrant. (They could of course be lying about that, but I don't believe they are.)
From everything that I've read, iCloud Photo Library is currently encrypted on the server, with a key that Apple only uses when presented with a warrant. If I ran the company (disclaimer: I do not) I'd implement this with an airgapped system in a vault somewhere, where a very small number of people have access to bring encrypted images in on a CD-R under two-person control.
That being said, one of two things is true. Either Apple does exactly what they say, in which case they are not able to perform server-side content / fingerprint scanning, or Apple is outright lying about only using their key on behalf of law enforcement. This latter case would open them to all sorts of legal liabilities, like a suit from shareholders for false reports. It would also require the silence of every Apple engineer who has ever been involved in at least their iCloud Photo program, and probably a bunch of server infrastructure as well. Additionally, they'd be legally obligated to report their scan results to the NCMEC but would have to do so in a way that doesn't give away that they're lying about how their systems work.
...if a human actually gets the file, figures out what type it is, and examines it for themselves, they'd be obligated to report it. With the number of Win10 devices in the world, how big would their security team have to be to hand-groom every automatically submitted "suspicious" sample? (For that matter, why would a vanilla JPG get flagged as "suspicious" in the first place?)