Most everyone would love to see more work on stopping child sexual abuse.
But this is the ultimate "grant me dictatorial powers so I can do good" play.
Rather than narrow and specific - it's a broad based law that suddenly touches everyone even though offenders are a small percentage and should be able to be targeted more efficiently.
Yep, and this is a perfect example of a base rate fallacy situation... even if the scanner is 99.99% accurate, because an even higher percentage of photos are innocent, most matches the scanner will find will be false positives.
Funny you bring this up.
Back in the day when I was like 15 and DC++ was still a thing, I used to browse people's shared folders. One day I came across a file called "the paradox of false positive". It was a 1 pager that described how a machine which is 99.9% accurate at identifying terrorists would be completely useless due to this false positive base rate fallacy you're describing.
It really stuck with me throughout the years. It's kind o remarkable how even a 99.9% accurate heuristic is insufficient at scale.
Which begs the question: lets assume the intentions are pure (which we know they're not but lets be generous), what other options are there when 99.9% heuristic is not good enough? how do you design systems when they're guaranteed to fail as they scale up?
edit: and what do you know, I just saw this as I scrolled down on HN https://news.ycombinator.com/item?id=48816959
The system we got for this is called parenting.
And there is a saying where I grew up: you need a village to raise a kid, I feel like we lost track of that and feel the issues of that now.
Btw, von der leyen is trying to get stuff like this written down as laws since 2009, it got her the nickname Zensursula.
>Btw, von der leyen is trying to get stuff like this written down as laws since 2009, it got her the nickname Zensursula.
And Germans and Europeans looked at that and thought the best place for her is leading the EU?!
Remind me again how she got elected in that position?
Because it seems like the entire EU population knew her being infamous for that, except for the few elites who appointed her there via "democratic process" to the head of the EU.
The president of the European Commission is “elected” through a thin pretence of democracy that the people of Europe have effectively no control over, and mostly pay no attention to. If you think she’s there because the greater public decided she’s the best person for the job then you don’t know how the EU works.
Also most of the EU population don’t know her for anything at all. I’d be surprised if more than 50% of Europeans could name her.
Not a single person that is not attached to EU voted for he. She is second hand vote. These roles should all be result of direct vote. This way you only get votes by people who are sucking the money of Eu parliament or. The only position people vote for is EP. And that % is so small, that if they ask the people who didn't vote if they want it, they would have to tear it down.
I am not against EU cooperation, mainly in external security and free market economy. But the system we have is not very democratic, and def not very representative of people. They act like demigods, elected by parliament with no real consequences of their actions.
These roles should all be result of direct vote.
I disagree. That's an executive power position for an entity that lacks sovereignty. Giving it the legitimacy of direct vote is highly problematic.
Start by giving more power to parliament.
I think you'll find it's the EU member countries that lack sovereignty, not the EU. EU law overrides member state law, not the other way around.
You have to reconsider what "elected" means when it comes to the EU. Certainly not acts of "Germans and Europeans".
> The system we got for this is called parenting
And it fails miserably.
Not really. Yes most kids will see porn before they're 18 but it doesn't damage them or give them the wrong idea about consensual behaviour.
If anything I find GenZ a lot more focused on explicit consent than GenX.
>And it fails miserably.
No it doesn't. That's just needlessly reductionist doomerist take with no argumentation to back that up.
Define failure and success of the system in this context.
It's been working for tens of thousands of years. What changed in the last few decades wasn't parenting or technology. It was the rise of the nanny state where the parents gave up the parenting of their kids and entrusted that to educational institutions instead.
I genuinely think it’s all three:
1. The cultural factor is rising expectations for children and their parents, costing both time and money;
2. The political/social factor is nanny states and academic institutions that the public expects to not only teach but raise their kids;
3. Technology. Especially the Internet, mobile devices, social media, and short form content. Technology distracts and isolates both kids and parents.
An example of the three factors at work is the all-too-common local news trope of ”Nosy neighbor calls CPS because the family next door lets their kids walk to school. Whole family traumatized as a result.”
>It's been working for tens of thousands of years.
I mean, I'll gladly send you 10k years back and have you tell me how it goes.
It both works and fails, like many other things. But if you hold the goal that it must never fail in sufficiently high esteem, you invariably end up with a system like the one we have now.
>the goal that it must never fail
That's a good way to put it
If the goal of a system is to never fail, then the bureaucrats in charge of running that system will just game the metrics and cover up all the issue, while it fails first very slowly then very suddenly.
In fact that's why nothing ever gets done to improve things in the EU/west, because we expect perfect outcome in every new change and we want potential risks to be zero before something new is implemented, so it's easier for leaders to just never do anything, never change anything, just sit and maintain the status quo while we go through managed decline complaining things keep slowly getting worse.
Do you realize you'll end up in fascist dystopia where your children belong to the state, with this line of thinking?
Or is that where you want other people to end up while you peddle propagandist fairytales about failed parenting?
The intuition I've built is that you can't talk about a false positive rate being high or low on its own - it's always relative to the actual occurrence rate of positives in the tested population. E.g. if there's a 1 in 10000 risk of a false positive, but real positives also are only 1 out of 10000 tested cases, then a positive case will have a 50/50 chance of being a false positive (because for every 10000 tests, you'll have on average one false positive and one real positive). So a false positive rate can only be said to be low if it's significantly lower than the real occurrence rate of positives.
The mentioned accuracy in the comment you are replying to already encapsulates the relation of true positives to false positives.
No I don't believe it does. I interpret 99.9% accurate to mean 1 in 1000 false positives. If 0.1% of your population are terrorists that means each alert has a 50% chance of being correct. That's nowhere near good enough to fully automate things but it is quite reasonable assuming this is merely information provided to a human agent.
Whereas if only 0.001% of your population are terrorists then 99 out of 100 alerts are false positives at which point the system is well on its way to being useless.
There is an important difference between scenarios where we care about the relative versus absolute frequency of errors.
You're right it doesn't. At least not completely. I was thinking about precision (i.e.: if the test is positive, what are the odds that its prediction is true). It turns out, that accuracy is not defined as "true positive / (true pos. + true neg.)", but "correct predictions / all predictions". The whole point of OP's statement: "It's kind o remarkable how even a 99.9% accurate heuristic is insufficient at scale.", which you actually support with your example.
> There is an important difference between scenarios where we care about the relative versus absolute frequency of errors.
The context is chat control without probable cause over the whole population of Europe with a low prevalence. My point, and presumably that of OP, is that even a small relative frequency of errors will yield an unsustainably high absolute frequncy of errors.
> This is merely information provided to a human agent.
It will be in theory. In practice the human agent will just forward the decision. A human agent is not sufficient; you need to test only with probable cause for the kind of scenario we're talking about. The exact opposite of "Chat Control 1.0 and 2.0".
P.S.: The comment I originally replied to choose a very convoluted way of saying that the false discovery rate of the test matters for a proper evaluation. Both you and they explain this by throwing numbers without context in combination with slightly inaccurate definitions. I got the definitions mixed up differently, which led to this follow-up.
I think we largely agree about being opposed to chat control however we seem to disagree somewhat about the underlying reasoning leading us to that conclusion.
> even a small relative frequency of errors will yield an unsustainably high absolute frequncy of errors.
That depends entirely on the rate of true positives in the general population and the rate at which the test successfully catches them. If the success rate is reasonably high and the rate of true positives is within one base ten order of magnitude of the rate of false positives then regardless of volume the stream of reports would be expected to prove quite useful.
To put this in concrete terms, if 1 billion messages are scanned, there are 100 violations, 99 of those violations are successfully detected, and there are an additional 1000 false positives reported, then you've got about a 10% hit rate when examining reports. That would provide a genuinely useful starting point.
But it's not at all clear that we can expect numbers like that. Both because the scanners are likely much worse but also because criminals can't reasonably be expected to stick around on conforming platforms in the event that such measures are enacted.
Even if the reports were 100% accurate I'd still be opposed to it on ideological grounds. I don't think pervasive surveillance of that nature is compatible in the long term with a free and democratic system of government.
> Both you and they explain this by throwing numbers without context in combination with slightly inaccurate definitions.
It was my intent to provide reasoning for all the numbers I put forward. They were meant as examples.
As to definitions I wasn't going by anything formal. I tried to spell out exactly what I meant by each term. Apologies if I wasn't entirely clear about that. Regardless, the precise definitions of the terms aren't what matters here. It's the practical end result - what percentage of the alerts are false?
It really doesn’t, and it is easy to demonstrate by using an extreme example.
Suppose I invent a device that can detect whether there is a giant invisible dragon living in your house, and it has an accuracy of 99.999%
Now, I use it in your house and it tells me there is an invisible dragon… so what are the chances that there is a dragon in your house?
Based on your statement, it would be 99.999% likely that there is an invisible dragon in your house. However, we actually know that there is a 0% chance there is an invisible dragon, so even with the positive test result we still know there is a 0% chance a dragon is there.
False result rate is a property of the test. They're describing predictive value, derived from that rate and population statistics.
https://en.wikipedia.org/wiki/Positive_and_negative_predicti...
Because no one around me understood how to calculate false positive/false negative probabilities, I put together this calculator[1] in 2020.
[1]: https://www.covid2020.icu/false-positive-false-negative-simu...
I thought this was known as Bonferonni'a principle? Or am I getting mixed up?
Bonferonni correction is relevant when you calculate multiple p-values. Most statistical tests are used with a p-value threshold of 5% to reject the null-hypothesis. But because you are repeatedly testing, the probability for false positives increases and that is why you need to decrease the threshold and make it harder, to obtain a p-value below that threshold to declare a significant result.
You typically use the Bonferroni correction when making general statements about a statistical relationship. You wouldn't use it for checking if a particular image shows illegal content. If you kept testing with your image classifier, your significance threshold would need to be continuously lowered and you would asymptotically reach zero.
Relevant XKCD: 882
Google have already caused significant hardship to a father for such kinds of photos. What's particularly galling is how they've continued to maintain they were in the right, despite the police saying no crime had been committed.
https://www.koffellaw.com/blog/google-ai-technology-flags-da...
Of course google and every other big-tech platform is gonna insta-wipe every account containing detected nudes of children, regardless if you're the parent.
The corporate liability of such content being found on their cloud is so insanely nuclear, that they're not gonna wait and ask you "hey are those nudes your own kids or are you a pedo?" before they wipe the account with all pics off their servers.
And yet the will badger you endlessly to the point their photos app is near unusable to turn on auto sync which slurps up every photo and makes it very awkward to then delete them after. To me, this makes Google a liable party even if real CSAM is stored.
> even if the scanner is 99.99% accurate, because an even higher percentage of photos are innocent, most matches the scanner will find will be false positives.
If the scanner is 99.99% accurate, then most classifications will be correct.
If you scan 1,000,000 pictures (with let's say 10 CSAM), you'll have 100 false positives and 10 true positives, giving you like only 10% correct results
Ah, sorry, I misread what the OP meant by "matches" - thought they were referring to all classifier outputs, while they specifically meant the positives. I changed my original comment to better reflect what I meant, even though that makes it a bit of a non-sequitur now.
https://en.wikipedia.org/wiki/Base_rate_fallacy
How many child abusers do you think there are out there?
Even if 10% of population were actively criminal pedos (which is waaaay too high), its pretty safe to assume that the majority of even their online footprint would be ordinary images/messages.
So a quota of 0.1% or even less material being detectably criminal sounds realistic (probably not much less, though).
I’ve shared this before, I really like this quote:
"The urge to save humanity is almost always a false front for the urge to rule."
H.L. Mencken
Mencken just has the best quotes. Here's a few of my favorites:
> The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all.
> For every problem, there is a solution that is simple, neat, and wrong.
> Freedom of press is limited to those who own one.
its also just disastrous for signal to noise ratios. scanning everything means any sort of error rate is going to cause massive amounts of incorrect labelling. this means innocent things getting flagged and put into a system where people are treated like offenders when they arent until they can get an actual human with authority to review their circumstances (not guaranteed to happen at all btw), or some actual offenders get away with more bc they passed a scan
outlier cases aside, there is also just a large amount of processing power that will go into this, the service can only be worse off for it. Privacy is not just about being able to hide things, it is also about being in control of how you present to the world. not because that control is maniupulative but because we all exist within our own microcosms of uniqueness, using words slightly differently than each other, and having certain balances of intention and meaning with those we send messages to that cannot be fully presumed from a 3rd party. even in images.
Are they really saying "if you want to send private messages then go make your own network" ?
>"if you want to send private messages then go make your own network"
Unironically, we should all move to using TOR.
Anyone setup a .onion mirror for HN yet? I'd assume usual HN-mirror-rules, no login or posting but free to view...
Tor is full of honeypots, its good for getting around 3rd party snooping but useless for government level privacy
>Are they really saying "if you want to send private messages then go make your own network
No, because with the way things work, they'll make that illegal next.
there's no need to make it illegal, as it's not even remotely achievable
I have put up a list of all the MEPs who voted for the urgency procedure yesterday (in breach of EU rules) as well as their voting history on fundamental rights issues and who has been lobbying them:
https://www.thatprivacyguy.com/blog/chat-control-the-415-who...
Thank you!
Thanks. Please note that your link doesn't work with the tor browser.
OK it should be fixed now - there was a rate limit which doesn't normally land but due to multiple Tor users coming through the same exit node, it was triggering the limit.
Nothing to do with the certs just told me a cert error because it never finished the handshake.
I tested through Tor on multiple machines now and multiple circuits and is working clean - thanks for the heads up.
I cannot see what is causing the issue, the certificate's full chain is sent, the clock is synced, the cert is showing zero errors in OpenSSL - so this is very confusing.
The irony is, you don't actually need Tor on my site because there is no logging, no third parties, no adtech etc. it is just static HTML files - so whereas I would normally recommend Tor I designed the site specifically to be privacy first.
I will try to figure out what is going on though because obviously I am fully supportive of people protecting their privacy with Tor.
Not sure why, it is working fine everywhere else - I see in Tor it gives an invalid certificate error, but the Lets Encrypt certificate is working fine in other browsers, so seems to be a Tor thing specifically.
I will investigate.
In the list of people that are worried about children.... the government is at the very end.
The bad consequences are diffuse, abstract and distant (conspiracy-looking, tinfoil-like), while it's very easy to viscerally understand that "even if they just save one child, it's already worth it".
They should give precise numbers of how many such crimes are detected via such means or are expected to be detected per year, and how many of those are not possible to catch through regular investigative work. It just seems ridiculously out of proportion especially that with all this flurry around the topic, the criminals surely aren't using WhatsApp for this any more, but especially won't be once the law is adopted. Sure, many are likely stupid but if they are so stupid, won't they fall into other honeypots?
Why are chat apps the best leverage for uncovering this? They'd have to justify this with some sort of data and numbers.
Because later they can just come back and say, well unfortunately they are now all using other means, so now we need to break https,we need to ban e2e, we need to ban vpns, tor and foss operating systems etc etc.
Yeah, and also how many such crimes are actually prosecuted because you know, there is certain island with certain high-ranked people.
Anyways, once that implemented noone will report to you and there will be no means of pushing against it because all your online efforts to coordinate will be compromised.
They should add to those metrics: hours and funds wasted investigating false positives, reputations ruined from false accusations and investigations, decline in public trust, etc.
> Most everyone would love to see more work on stopping child sexual abuse.
By the parents. Install parental controls that only allow to message you and closest relatives. Problem solved.
CSA makes ppl lose all logic, so is used to justify illogical things.
Reminder that none of this has any evidence that it helps CSA, but nobody cares about the actual children.
I feel like the world cares more about stopping the spread of CSAM than it does the actual abusive actions against children.
We can look to certain world "leaders" for confirmation of that.
It's not the world that's the problem it's the small group of individuals trying to create stasi 2.0, hiding behind the children.
> Rather than narrow and specific - it's a broad based law
Because narrow law is easier to avoid or find the loophole and a single case is enough to induce panic and anger.
At some point we just have to accept the kids as collateral.
What, like with guns? Never!
so much for the principle of least privilege..
especially that the guard applying to protect the henhouse seems to have a suspiciously furry tail...
Technology is, furthermore, the wrong place to address child abuse of any kind, sexual or otherwise.
This is like trying to prevent burglary by working with the factory that manufactures pry bars.
> stopping child sexual abuse
> suddenly touches everyone
..............I see what you did there.
[flagged]
Hot take !== unsubstantiated, xenophobic take
That's not a hot take, it's just boring old racism.