ToTok, an Emirati messaging app, is the latest escalation of a digital arms race (nytimes.com)
165 points by JumpCrisscross on Dec 23, 2019 | 140 comments


> ToTok amounts to the latest escalation in a digital arms race among wealthy authoritarian governments, interviews with current and former American foreign officials and a forensic investigation showed. The governments are pursuing more effective and convenient methods to spy on foreign adversaries, criminal and terrorist networks, journalists and critics — efforts that have ensnared people all over the world in their surveillance nets.

So... um... how does the fact that the NSA monitors everything we do square with this? Is it only an arms race when other governments try to do it, too?

(A more low effort response would be "Me trying to uninstall apps that the US government monitors" and a GIF link to that scene in The Devil Wears Prada where she throws her cell phone into the fountain.)


> Is it only an arms race when other governments try to do it, too?

Yes, that's literally what defines an "arms race".


I guess my question is whether or not the New York Times considers the US to be a wealthy authoritarian government.


Wealthy, yes. If the US is considered authoritarian then the word starts to lose any useful meaning.


How could a country with the largest prison population in the world not fall into at least some definition of authoritarian?


>How could a country with the largest prison population in the world not fall into at least some definition of authoritarian?

Because the prison population isn't comprised of political prisoners at the will of the federal government.

The vast majority of prisoners are there as a result of violating state level crimes by State prosecutors...having nothing to do with political opinions.

Is there an actual reason you define the country with the largest prison population as necessarily authoritarian?


How does one define a 'political prisoner'?

For example, if drug laws were pushed to target certain demographics who generally voted a certain way, even though there are two orders of correlation removed, could they still be considered a political prisoner? What about the act where a non-political law (ignoring for the moment how to decide such a label is justified) is passed and enforced, but the enforcement is based on political grounds. In that case, the people in prison are there for breaking the non-political law, but at the same time I think that they should be counted as political prisoners.

>Is there an actual reason you define the country with the largest prison population as necessarily authoritarian?

If we assume that lawbreaking is spread throughout the entire population, the places with higher prisoner populations are places with some combination of more laws and more enforcement of laws. Would those two factors not be justified as ranking a country as more authoritarian than a country which has less of those two factors?


> If we assume that lawbreaking is spread throughout the entire population

I think you are saying how people act is evenly distributed across the population but different areas have different laws about that action.

That is an assumption to further a point, I see no reason for that to be true because different states and suburbs are not homogeneous.

If your assumption is correct we would have similar crime rates across suburbs within a state.

Different suburbs do not have the same crime rates for, say, armed robbery, and in a country different states would have different rates (where the laws are the same). Sometimes the rates are similar because of their lack of statistical significance, I don't know, say suicide by toaster in the bathtub.


>That is an assumption to further a point, I see no reason for that to be true because different states and suburbs are not homogeneous.

I think it does hold true when you average on the national level and look at a global scale. Not every nation is equal, but there should be many nations which are close enough. The idea is that behavior that is often viewed as criminal in the US isn't significantly higher than at least one other country such as Germany, France, UK, or Netherlands yet the rate of prisoners is.

That different areas within a country might have different crime rates doesn't matter as what we are concerned with is the national average.


You're wrong, all drug offenders are political prisoners. The violent ones were just more willing to defend their human rights. How do you square treatment of Sackler vs Guzman?


So prisoners in prison for breaking laws passed and continuously supported by a democratically elected government are now "political prisoners"? That makes every prisoner a political prisoner.


>You're wrong, all drug offenders are political prisoners.

Without any support for that statement, it comes off as...pretty authoritarian. As in you are right and everyone else is wrong.

It also doesn't explain why the country with the most prisons is by definition authoritarian...especially when its supported with an unrelated statement about drug offenders, which is applicable to every other country in the World. It seems you just want to call nations of laws, authoritarian governments, because you know...they have laws.


“The Nixon campaign in 1968, and the Nixon White House after that, had two enemies: the antiwar left and black people. You understand what I’m saying? We knew we couldn’t make it illegal to be either against the war or black, but by getting the public to associate the hippies with marijuana and blacks with heroin, and then criminalizing both heavily, we could disrupt those communities. We could arrest their leaders, raid their homes, break up their meetings, and vilify them night after night on the evening news. Did we know we were lying about the drugs? Of course we did.”

- John Ehrlichman, domestic advisor to President Nixon

https://harpers.org/archive/2016/04/legalize-it-all/


>You understand what I’m saying? We knew we couldn’t make it illegal to be either against the war or black, but by getting the public to associate the hippies with marijuana and blacks with heroin, and then criminalizing both heavily, we could disrupt those communities.

You do know that drug crimes existed pre-Nixon right? Were drug offenders before Nixon not political prisoners too and only after Nixon were drug offenders political prisoners? Since Nixon's administration admitted to using drug laws to break up specific groups from organizing...does that mean only blacks and hippies were political prisoners of the drug laws and all non-blacks and non-hippies just regular criminals or were they political prisoners too even though the Administration had no issue with their politics?


It pains me to no end to find both of you correct on some level. How does one reconcile one with the other in policy moving forward?


When the US gets hold of Assange, would he be a political prisoner?


The government is elected by the people, it doesn't fit that definition.

An authoritarian type of government is a government that is in power by force.

Democracy and slavery existed together. Having a prison population 1 in 125 people doesn't matter because the people decided to elect someone to make that decision.


You had me thinking about the difference between dictatorship and authoritarian as you are implying authoritarian is dictatorial. I went to Wikipedia and for what it’s worth the entry [1] claims “Authoritarianism and democracy are not fundamentally opposed to one another, as it is possible for democracies to possess authoritarian elements”

[1]https://en.m.wikipedia.org/wiki/Authoritarianism

Though I don’t think broadly speaking experts view the states as authoritarian, 3 presidents impeached and all that!


Citizens don't really elect people, they try to elect the least incredible promises and the least harmful policies


> The government is elected by the people, it doesn't fit that definition.

Is it though? First rebuttal that comes to mind is that, in the US, one can legally be elected without having the majority of the counted, valid votes.

Another one would be that one can be elected without the approval of the majority of the people who could vote.


>Is it though? First rebuttal that comes to mind is that, in the US, one can legally be elected without having the majority of the counted, valid votes.

Yes, spend a couple of moments reading up on the EC. The rules haven't changed in a long time. Even if you don't like it, that's only how the president is elected. Federal representatives for the state are elected by getting the most votes in a district.

>Another one would be that one can be elected without the approval of the majority of the people who could vote.

Every election system that allows more than two candidates or allows people to skip voting has this flaw.


>Every election system that allows more than two candidates or allows people to skip voting has this flaw.

This is completely false, there are plenty of voting systems out there that allow for more than 2 people to run, yet still require a majority to vote for you. Here's a playlist explaining several: https://www.youtube.com/playlist?list=PLNCHVwtpeBY4mybPkHEnR...


> Yes, spend a couple of moments reading up on the EC. The rules haven't changed in a long time. Even if you don't like it, that's only how the president is elected. Federal representatives for the state are elected by getting the most votes in a district.

So... it makes what the gp is saying true? It means the government is indeed by the people? I don't follow.

> Every election system that allows more than two candidates or allows people to skip voting has this flaw.

Again, how is that supposed to make gp's statement true?

GP's statement:

> The government is elected by the people [...]


> Every election system that allows more than two candidates or allows people to skip voting has this flaw.

It's not even necessarily a flaw. It's good because it allows the minority a chance to not have certain views crammed on to them by the majority.

Just because a larger amount of people agree to a certain set of ideas, doesn't mean everyone does or has to. Densely populated areas have an advantage and likely different views to rural areas. What's best for one group might not be best for the other.


The problem is not really the EC, the problem is that states are winner-takes-all with their EVs. And that was only really true starting in 1824. https://www.fairvote.org/how-the-electoral-college-became-wi...

Proportionally allocating state electors would solve most of the actual problems people have with the EC, like the emphasis on swing voters.


In many countries most are elected without ever having the majority. The system is called first past the post. The person with the most votes wins. In the US two parties get most of the votes but if a third or fourth party existed with support a president would never get 50%.

Not everyone chooses to vote or is legally able to. The winner is chosen from the available votes that have been cast.


That's not what the problem in America is, we don't actually have first past the post voting for president. You need a majority in the electoral college to win. The issue is that people are given disproportionally more power based on where they live. People in California are worth far less by vote than people from say, Rhode Island.


>Another one would be that one can be elected without the approval of the majority of the people who could vote.

That's simply handled by saying that they should vote.

>one can legally be elected without having the majority of the counted, valid votes

How so? If you are referring to the President, did he not win the majority of the valid votes in the population allowed to vote? You could say there is an issue with only allowing a subset of the population to vote, but most people I've seen making such claims still believe their own limits as for who can vote are valid and have not offered me a reason as to why one method is more valid than the other.


> That's simply handled by saying that they should vote.

So people should vote for somebody, anybody, even though they'd rather not vote for any of the offered options?

Pick the ones the less indifferent to them? Pick the ones they don't believe in the least? Pick the ones they believe to be the less corrupt? Pick the ones the least likely to cause them the most harm?

I don't know the origin of most of these people's motivation not to vote, or their lack of motivation to vote, but it is quite telling that they won't take a few hours every few years to pick who they believe should have what is supposed to be the most important and impactful job in their country.

And that, in itself, is a choice. A worrying one. A disheartening one. One that says "None of this, and none of these people, are worth even a couple hours of my life".

A choice made by many, too many, that some discard saying "That's simply handled by saying that they should vote", when they already did.


>So people should vote for somebody, anybody, even though they'd rather not vote for any of the offered options?

The offered options are numerous. That most people who do vote only want two of the group and thus no one else even has a chance is part of democracy in action, and perhaps a view as to what is wrong with such a system. For long term gains, people who don't vote can try to push for the most popular third party candidate to shake up the system. If enough win, they may support voting reform that will change how votes are counted.

There are also other options. For example, convincing other people to not vote. I honestly do not see why this is viewed as bad. If my argument can't convince someone to vote for the one I think will do a good job but can convince them to not vote for one of the ones I think will do a bad job, why not use that argument?

>And that, in itself, is a choice. A worrying one. A disheartening one.

Is it much different than people who skip out on jury duty instead of getting to make sure the 'facts' align with their own view of reality? People are overall too complacent, which may just be an indictment that things are still going well enough.


Just as a friendly reminder, I am replying to someone who stated

> The government is elected by the people [...]

And ok, yes. Phrased my answer wrong.

He was elected by the majority of the valid votes (those of the electoral college).

He also was elected by the people chosen by a minority of the total people who bothered voting in a valid fashion.

So no, the government isn't elected by the people. It is elected by some people, and it can be indirectly elected by a minority of the people who bother to vote in a valid fashion.

Although it is more accurate, it does seem much less readable.


>It is elected by some people,

What do you think of requirements to vote? Like being 18. Being a citizen. Do you think everyone should get a say, or only some people?


I’m not sure this is just being written in bad faith, but in the 2016 presidential election, the winner had over 3 million less votes (over 2% of votes tallied). The electoral college system of the US values certain voters more than others in terms of assigning points to the contestants.


I'm aware of the 2016 situation. What I'm saying is that the 'popular vote' is not actually a vote. The vote for president is based on 538 people who are eligible to vote, and in that vote Trump won.

Now, I know some people have issues with that only a very select group of people are allowed to vote for such a powerful position. But my counter point to that is where is the real difference compared to rules that say you have to be 18 to vote or you have certain legal status to vote. All of these laws can have an attempted justification made under the same argument of 'that's the way we've done it', 'it is how the Constitution says it should be done' or even 'if enough people wanted to, the Constitution can be modified to change it'.

>in terms of assigning points to the contestants

Is it actually assigning points? I thought it worked by states picking the 538 voters who will vote for president. In 2016 there was some debate on if those 538 people actually had to vote the way they said they would when they were picked, but from my memory the conclusion is that they do not. That's why I think it should be counted as the actual vote for president and not an assignment of points.


But the system (regardless of if you call it "points" or "an actual vote") means that one candidate could get 78% of the popular vote and still lose as discussed in https://www.youtube.com/watch?v=7wC42HgLA4k (it talks about how it's possible to win the electoral college with only 22% of the popular vote).

I don't think that can be called a fair "actual vote".


Can you give me the criteria for being 'fair'?

To me, the vote seems fair because it was the conditions to form the USA, and the USA has had centuries to change it but has chosen not to. At least, it is as fair as a vote that requires 'citizenship' to count, given that lack of citizenship doesn't stop one from being directly impacted by the decisions of the President.


With gerrymandering and removing people off of voter rolls, I think you can argue that some political groups are acting in an authoritarian manner.


> The government is elected by the people, it doesn't fit that definition.

At the risk of invoking Godwin's law, the Führer was elected by the people. It's a disservice to society at large to so casually brush off judgements about whether a Government is "authoritarian," especially when the question deserves a nuanced answer.

I would say the United States can be quite authoritarian, when it's given the leeway to. The militarization of the police comes to mind. Overpolicing of certain communities, the ongoing struggle for many marginalized groups to attain the same rights and freedoms as the majority, the way the United States swings its foreign influence and military around worldwide to get what it wants, etc.

I mean our current President was elected on a platform of building a wall on our southern border to solve a completely imaginary problem, and the Government is now trying to seize privately owned property to make that happen.

Is that authoritarianism on the level of China or North Korea? No, not even close. Is it authoritarian? I would say yes, it absolutely is, and that should be a warning to future generations so it never has the opportunity to become authoritarian like China.


The US is the third-largest nation by population. It stands to reason its prison population should be in the top three.

China executes many of its prisoners.

India lacks infrastructure.

Most US prisoners are imprisoned at state jails -- not federal facilities. In fact the rate of incarceration at the state and local level combined is about 10x the federal incarceration rate. If you think it's too high, you've got to lobby your state government. The federal prison rate is actually much lower than that of other developed nations such as Switzerland, Germany, and France.


> The US is the third-largest nation by population. It stands to reason its prison population should be in the top three.

The US has the highest incarceration rate in the world (that's prisoner:population ratio.) And there's a big gap between the US and #2, and a bigger gap between #2 and #3.

> China executes many of its prisoners.

Not really, maybe around a tenth of a percent annually. It has no significant effect on the statistics (leaving out political prisoners from the count does, but even correcting for that China wouldn't be anywhere close to the US.)


China has 1.7m prisoners and executes single-digit thousands each year. With those numbers, the fact that it "executes many of its prisoners" is immaterial for its incarceration rate vs the US (maybe those China #s aren't accurate, I can't be sure).


China also has "re-education camps". The numbers are unknown but the Xinjiang re-education camps alone are estimated to hold 1.5 million. [1] So I doubt the 1.7 million number -- or, if accurate, it must discount China's various "re-education" camps and other involuntary political holding facilities.

https://en.wikipedia.org/wiki/Xinjiang_re-education_camps


Sure. I'm not defending China or taking these numbers at face value.

But even if the 1.5m in Xinjiang is true, China is still significantly below the US in terms of incarceration rate. And it's sad that that's the comparison we're making.


I wouldn't trust the China stats either, but looking at stats like these: https://en.wikipedia.org/wiki/List_of_countries_by_incarcera... I think it's still clear that USA is an outlier and that this is a problem.


> How could a country with the largest prison population in the world not fall into at least some definition of authoritarian?

Because authoritarianism has nothing to do with prison population.


Could it be that there are more opportunities in the US for criminals to make money, hence a higher prison population? The US has the third largest population and highest GDP.


Well, what if there was a country with fifty quintillion people and a hundred million prisoners?


Because USA doesn't execute prisoners at the rate China or Russia does


Russia doesn't execute prisoners?

Source: https://lenta.ru/news/2009/11/19/death/


Those prisoners are being deprived of their lives - and I'd guess in many times wrongly since the US incarcerates twice as many people per capita than Russia or China.


Do you believe the figures Russia and China publish?

Alternatively, if a country had a high rate of executions and/or "disappearing" people, what would happen to that country's incarceration rate?

Alternatively, is the term "incarceration" only applied to people convicted of a crime? Would re-education camps count towards the incarceration rate?


Sorry I missed including my source, here it is: https://en.wikipedia.org/wiki/List_of_countries_by_incarcera...

(and yes, it's probably got a quite high inaccuracy, but there aren't other easy to ingest sources I found)


US has basically modernized slavery with the for-profit prison system:

https://www.youtube.com/watch?v=sHz2Hmq7soo


I see this a lot. I am conflicted.

On one hand, guards, staff, etc. need to be paid. Someone being a criminal should not put extra burden on the rest of us, and our social services. Many for-profit prisons are incentivized to better serve than state-run institutions.

On the other hand, many prisons, private and otherwise, seem to play dirty rent-seeking bs with insanely low compensation for work done, exorbitant fees for calling, visiting, or even emailing family, and systematic mismanagement.

Clearly there is a way to optimize this system, and both profit, and improve lives. Maybe someone here has a vision.


> Someone being a criminal should not put extra burden on the rest of us, and our social services,

I disagree with this, criminals shouldn't place extreme burden on society, but it's our job to deal with rehabilitating them - it's a societal choice, some societies over time have forced capital punishments on any law breakers and our modern society tries to rehabilitate them.


>and I'd guess in many times wrongly since the US incarcerates twice as many people per capita than Russia or China.

That's a very interesting theory.

How is it you conclude the US vs Russia/China prison population is indicative of the US wrongly incarcerating "many people?" The current estimates say US wrongful conviction sits around 2-10% with an 85% conviction rate overall, meanwhile Russia has 99%+ conviction rate overall (suggesting far more corruption and wrongful convictions) and China it is estimated 90% of crimes go unreported due to general mistrust of the system.

Based on US crime rates, the majority of violent and property crimes go unsolved...hell I think murder cases are around 60% unsolved...so how exactly is it: 1) US many times wrongly imprison people; and 2) Russia/China prison population have any connection to this conclusion?


I would guess that the rate of criminal activity in the world is relatively flat until you start introducing factors like political instability. My optimism would say that the US is probably on par with China in terms of providing a stable society, and both of them are miles ahead of Russia. The US may not be as stable as some of the European countries but the Netherlands has an incarceration rate of 61/100,000 while the US has 655/100,000; this is all according to the rough numbers up on Wikipedia: https://en.wikipedia.org/wiki/List_of_countries_by_incarcera...


How is comparing incarceration rate relevant to this discussion when countries have differing laws? People aren't wrongly imprisoned if they've broken agreed upon laws, especially in a democratic society where popularly elected officials pass the laws.

If society Z passed a law with a minimum three year prison sentence for jaywalking (pedestrian crossing a street without the right of way provided by a traffic signal), the incarceration rate may rise, but no one is wrongly imprisoned.

(replace with the war on drugs in the US, of course).


This may be particularly relevant as I chose the Netherlands and it has a relaxed attitude toward substance abuse - so grabbing a better example country... The UK has a rate of 140/100,000 vs. the US's 655/100,000. That said, laws honestly don't differ extremely from country to country, most humans are in agreement about what is good and what is ill and in countries that have more extreme punishment (getting decades in prison for stealing bread) those punishments are viewed as unjust and enforcement of those penalties tends to be spotty since corruption will be more socially acceptable and people will have more moral allowance to ignore the unjust laws - a prison guard might just let someone otherwise blameless escape from jail for the penalty of stealing bread after a few days.

Honestly, while oftentimes human beings are terrible, humans are pretty decent otherwise... That all said, I think you'd find that laws really don't vary as much from country to country and that, outside of weird ones (like MJ illegality in the US) people will mostly adhere to laws out of convenience.


The US population is nearly 5x of the UK, has a much larger area and perimeter, and is more wealthy (7.8x total GDP, 1.3x per capita). This no doubt makes drug trafficking not only easier, but also much more profitable in the US vs UK.

It would also appear illicit drug use in US is more prevalent than in nearly every other country.

Edit: I'm not sure how relevant this is to what you posted, but figured I'd bring it up because I think it's an important thing to note in the general conversation.


The figures above were scaled to population, the actual US population (according to the wiki source) was 2,121,600 vs. UK with 83,014 - the GDP is honestly pretty even per capita though the US probably suffers from worse wealth inequality[1] although the CIA factbook says that both countries have ~15% population below the poverty line - so maybe that's not really a factor.

1. https://www.cia.gov/library/publications/the-world-factbook/...


The difference between 99 and 85 is only 14%, so what - the 14% with the most expensive lawyers get off and everyone else gets forced into a plea deal. That's not less corrupt, just corruption organized differently. Also quantitatively, considering the difference between the total convictions 14% makes no difference. The US is still way ahead.

60% is meaningless in this context, it just shows that LEA focuses on the wrong types of crime. How many murders are unsolved? Whatever the number it is small compared to people who are arrested for whatever happens to be most convenient and profitable.


Does that make democracy a throttled authoritarian government?


Do you have numbers to back that up?


Well, yeah, historically and now "authoritarian government" is pretty redundant. The only meaning it might have is to draw an arbitrary line and consider only the governments on one side of the line to be "authoritarian," but when people do that they seldom bother to articulate where they're drawing that line and why. So I completely agree that the word in practice does not usually have much useful meaning.


What is the useful meaning it's supposed to have?


authoritarian, adjective

favoring or enforcing strict obedience to authority, especially that of the government, at the expense of personal freedom

–New Oxford American Dictionary

In the US, Stephen Colbert can use public airwaves to make fun of the president every night, without going to jail.


Many heavily authoritarian regimes in the past have defended comedians as bastions of free-speech promoting those that do little harm to the system while spurning those that spread truly subversive messages.

I think we also need to acknowledge the fact that the president is hardly the government - America is a gigantic bureaucracy and our government is primarily composed of civil servants who keep the lights on. If Stephen Colbert (similar to his better know a district series on the old show) started to tear down agencies within departments, going after Animal and Plant Health Inspection Service, National Nuclear Security Administration or Foreign Claims Settlement Commission[1] - then he'd actually be subverting the government. The executive branch is both structurally minor and, IMO, partially exists to be the target of blame and praise so that the rest of the government can get on with their business.

1. Random agencies pulled from agencies under the departments listed here https://www.usa.gov/federal-agencies/d


Can you give two or three examples of the comedians + authoritarian regimes? I can't think of any.


You should check out Last Week Tonight. It's a comedy show that makes fun of various departments and it is still on air.


> If Stephen Colbert (similar to his better know a district series on the old show) started to tear down agencies within departments, going after Animal and Plant Health Inspection Service, National Nuclear Security Administration or Foreign Claims Settlement Commission[1] - then he'd actually be subverting the government. The executive branch is both structurally minor and, IMO, partially exists to be the target of blame and praise so that the rest of the government can get on with their business.

Well, if Colbert started running those types of investigations, do you think his show would get pulled off the air? I'm pretty confident it would not. John Oliver's Last Week Tonight, while not a broadcast show, might serve as a better example in that respect. They've run a lot of pieces which are critical of a wide variety of government agencies. And they don't just crack jokes, they get into the weeds.

And then there's outlets explicitly dedicated to investigative journalism, like ProPublica, and many of the major newspapers. None of this could exist in the UAE, or China, or Russia, etc.


That should be a hint that the government he makes fun of does not feel threatened by his comedy, which probably means that the government's position of power is so strong that being mocked and even derided for its negative qualities does not constitute a threat. Whether that's a good thing is, I suppose, a matter of perspective.


Nope, it just means that the US has free speech and there is nothing the government can do about it without massive public backlash.


Is there evidence to suggest that the US government will not suppress speech that they deem to be a threat to their power? There was rampant blatant suppression of supposedly communist-friendly speech in the 1950s and 1960s. Does anyone think this has significantly changed? For a more recent example, see how the US government handled the leaking of its diplomatic cables, something which (unlike late night comedy) actually threatens the reputation of the US government.


OTOH, one party can effectively conspire with the President to subvert the constitutional limits to that power (SCOTUS in Bush v. Gore; McConnell refusing to try an impeached president.)


The US is in very dangerous territory at the moment, I will not argue that point. We should all be very concerned.

But—at least right now—there's a very clear difference between the US and the UAE.


A charitable reading could be "governments that uphold high liberty regimes as a nation, such as the US". Parts of that assertion are reasonable to question. A less charitable reading could be "governments that engage in the same global atrocities as my own, but which are on the other side." This reading is also a reasonable questioning.


Just as how a traditional dictator does not dwell on the autocratic authoritarianism of their country, the New York Times does not ponder the democratic authoritarianism of the US.


I would guess unless someone actually agrees to help the NSA they cannot do much to defeat real E2E encryption schemes used in things like Wire/Telegram/Signal/Matrix/Tox - and with some of them that are open source such schemes to help the NSA will be very difficult. I don't think this is quite the same as what UAE allegedly did with ToTok.


Or a law is passed / directive issued. See the cryptography restriction in the 90s and the recent Lotus Notes backdoor story here. Even the old stories about the BlackBerry messaging keys requirements in various countries.


   So instead of paying hackers to gain
   access to a target’s phone — the going
   rate is up to $2.5 million for a hacking
   tool that can remotely access Android
   phones, according to recent price lists
    — ToTok gave the Emirati government a
   way to persuade millions of users to hand
   over their most personal information for
   free.
Yup.


I wonder why HN can't implement proper css for quotes that doesn't have scrollbars.


There's really not much in this, is there? Have we not concluded that

A) Modern governments will do anything they possibly can to infiltrate and track not just their own citizens but those of foreign states

and

B) The modern average consumer will place convenience above just about everything else in their lives, but especially any concerns about how their data is handled or its effect on their personal privacy

That the government in question in A, in this case, accomplished so much simply via marketing is a testament to B.

There's some chatter in the article pointing to the nationalities of those working in Dark Matter and Pax (Americans, Europeans, Asians and some Emirates), as though it too is consequential. How much of a step is it to make to work for the NSA as a contractor writing code to monitor people, or a US tech giant writing tracking and psycho-analysis tech via ads and other patterns, to doing the same for a company elsewhere for presumably a higher paycheck?

You could argue that some in the NSA are doing so out of patriotism and their new behaviour constitutes betrayal, but the same can't be said for former workers of Google or similar, and especially not Palantir.

I'm not sure what I'm expected to be outraged about here? The lack of something blatant points to why a clickbait headline may have been chosen for publishing.


[removed, wasn't actually relevant to article]


> The Chinese government, in general

...has nothing to do with the app from this article made by "Breej Holding" "most likely a front company affiliated with DarkMatter, an Abu Dhabi-based cyberintelligence and hacking firm where Emirati intelligence officials, former National Security Agency employees and former Israeli military intelligence operatives work."


You're right, I got confused about where I was and what I read! Previous comment over-written.


I don't think he is arguing that it's desirable; he is arguing that it would be surprising if this wouldn't be happening.


Did they hijack TikTok searches by calling it ToTok? Not a bad strategy to piggyback on another app's popularity...


My theory has always been, Chinese will start behaving like Americans in protecting their IP once they reach a similar level of reach and sophistication with their products. It's starting...

Then the shoe will be on the other foot. Not that a couple hundred years ago it wasn't the same.


I doubt this will happen unless there is motivation from the central government to crack down on it. There are many cultural reasons shameless copying is less stigmatized in China than in the west (not necessarily a negative thing).


Britain used industrial espionage to gather the technology to reach their industrial revolution. The USA did it in turn. (It used to be a death sentence for skilled technologists to emigrate.)

https://www.allaboutlean.com/industrial-espionage-and-revolu...

https://www.history.com/news/industrial-revolution-spies-eur...


Thanks for pointing that out. I read the whole article with my brain filling in "TikTok" in place of "ToTok".


Not only that, but it’s likely the same reason this story is getting airtime at outlets like Fox News. People skim the headlines, see “ToTok,” and associate it with TikTok.

Even this NYT article doesn’t clarify the difference until near the end. That seems irresponsible to me. Many readers would be unfamiliar with both, but recognize the general sound of the name as “TikTok.” The author should have included the clarification in the first paragraph.


I think the main strategy was to simply ban all alternative apps:

> The government blocks specific functions of apps like WhatsApp and Skype, a reality that has made ToTok particularly appealing in the country.


All types of VoIP are banned in the UAE by the Telecom Regulatory Authority (TRA). Think of it as the equivalent of the FCC.

The kicker is that VoIP over VPN is also illegal. This simply leaves people with no alternative, which is why this is dangerous.


Is there a term for the kind of phrasing used in this headline? It seems to be becoming more and more common.


Others have suggested "click-bait", which is probably the most likely term for a headline specifically. It does assume the reasoning though, that it's being done to drive views at the direction of marketing. Which granted is not an unreasonable assumption, even media with very strong editorial policies that will push back against most interference may consider "mere headlines" to be a place they can sacrifice to marketing, it's not uncommon these days in many places to actually have a few different headlines created, served up at random to a sample of initial browsers, and then have whichever one gets the most clicks selected as the one that is displayed generally.

However if you want a more general term one might be "purple prose", which can apply not just to headlines but to any text in an article. It's a subjective judgement, but the idea is when there is text that is so excessively ornate, emotional, extravagant, etc that it actually breaks the flow of your attention and reading of the content itself. Basically, prose that stops serving to convey the content and starts drawing attention to itself for the sake of itself. It comes from a passage in one of the poetic works of Horace (Quintus Horatius Flaccus, from Rome).

Again, it is subjective, because sometimes content really does deserve heavy levels of verbiage and different people have different tolerances. But when flowery prose gets in the way of comprehension rather than enhancing it it's a good candidate.


So it's settled. It's purple clickbait.


'Clickbait' if you're nice, 'trash-tier journalism' if you're not


Remember journalists don't get to write their own headlines, headlines frequently vary between print and digital, and as another comment pointed out even gets A/B'd in digital, so please don't blame the journalism.

Don't get me wrong, I hate the phenomenon as much as anyone, and it's fine to judge a product by its sum total, but as things stand today it's a bit like saying "The new MBP sucks. Just look at all the gratuitous parallax on the product webpage!". Doesn't compute.


That is a fair comment, I may have been a bit too broad in my usage of the term journalism.

I mean the industry rather than the individual journalists - which would include whoever came up with the headline - but I appreciate I may have used the wrong term to do so.


Come to think of it, it sounds like the catchphrases you hear when watching TV news. "At first she thought she was safe. Then Florida man showed up" or whatever, followed by "find out more tonight at 11." Maybe it's psychological clickbait?


It's clickbait, plain and simple.


It's certainly the latest form of clickbaity, but there's some quality that differentiates it from other clickbaity titles like "You wouldn't believe what <celeb>'s <object> is!", etc. It's an odd sort of setup and punchline.


"The New York Times used to be a respectable source. Of journalism. Then THIS happened. Here's why. You won't BELIEVE what they did NEXT. "



Interesting, looks like it's removed from the Play Store if I try to visit the link:

https://play.google.com/store/apps/details?id=ai.totok.chat&...

Here's the WebCache:

https://webcache.googleusercontent.com/search?q=cache:9_TRm1...


It was removed when the articles about this first surfaced, by both Apple and Google. Thursday for Google, Friday for Apple.


As per the article

>On Thursday, Google removed the app from its Play store after determining ToTok violated unspecified policies.


I didn't imply it wasn't did I? I was just pushing the cached version for those curious like me about the app itself and how popular it was (knowing first hand is better than he said she said). On the other hand, I wish Google and Apple would just disable downloading instead of getting rid of the whole darn page.


>ToTok amounts to the latest escalation in a digital arms race among wealthy authoritarian governments

Why wealthy? You don't need much wealth to create a chat app.


You need the majority of your citizens to have enough money to buy smartphones to install your app. You need to care about making it look like there is a velvet glove on your surveillance.


Or you can just straight up arrest a citizen and ask why they spoke ill about the police on WeChat: https://twitter.com/Snowden/status/1208469511051075585


Don't some European countries do the same with tweets? (eg https://www.theverge.com/2016/3/24/11297128/matthew-doyle-ar...)

They're both laws covering disturbing public order, which doesn't make them that different from China (because deciding what "disturbs" the public is a slippery slope)


I assume the infrastructure and man power to store and analyse all the text, video and images doesn't come cheap


How predictable, an expose of an Emirates spy tool and all of the top comments are "what about the US tho".


Comments on all platforms are easily ambushed from groups trying to push a specific point of view. Unfortunately, this place also suffers from this on political news.


Hypothetically, if people just got off their devices, wouldn't this entire digital arms race disappear? No phones. Not even computers except the bare necessity use.


> But the service, ToTok, is actually a spying tool, according to American officials familiar with a classified intelligence assessment [...] It is used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.

Only way to fight against terrorists and pedophiles I hear... [/sarcasm]


Here's my problem:

Let's suppose that I, or anyone else that reads Hacker News (like many of the YCombinator companies) creates an app (as many of them have), and this app becomes very popular in foreign countries, and goes on to get tons of users in those foreign countries...

OK, now let's suppose that a foreign newspaper, like the New York Times, but a foreign version of that -- all of a sudden prints an article like this one, alleging, but not showing a comprehensive proof (like the ones in mathematics or logic) that there are all kinds of things unspeakably wrong with the app...

Well... maybe all of those things are true, but maybe they aren't...

How would I, as the end-user of such an app -- know for sure?

If the article isn't true... think of the gigantic swath of economic damage that would be caused by an article like this...

And if the article is true... well, it could be argued that you've done a great thing, and saved countless users' privacy rights...

That's quite the dichotomy of potential outcomes, based on what the truth of the matter actually is...

So here's my question to the NYT: In this era of Fake News (which you are no doubt aware of!), how do I prove to myself (as someone who is 50/50, that is, a skeptic who is willing to believe, if the proper set of facts is presented to them) that what you're saying is true?

?

Here are two things for the NYT to think about:

"Semper necessitas probandi incumbit ei qui agit"

The burden of proof lays on he who makes the claim

and

"Extraordinary claims require extraordinary evidence" -Carl Sagan

https://en.wikipedia.org/wiki/Sagan_standard

Saying that this stuff is true because the Intelligence Community says that it's true -- is not unlike making an "Argument to/from Authority":

https://en.wikipedia.org/wiki/Argument_from_authority

I don't know who the Intelligence Community is (much like I don't know who other abstract entities are like "China" or even the "U.S." are) I don't know who that is!

I do know who a guy named "John Smith" is, and I do know that if John Smith raises his right hand in a court of law and under oath promises to "tell the truth, the whole truth, and nothing but the truth, under penalty of perjury", then John Smith's claim, when he makes it under those circumstances, carries a whole lot more weight (to me) than the claims of any nameless, faceless, unaccountable organization -- by whatever name they go by...

Due Process (enshrined in our Constitution, which the media does not seem to give these days to all parties, despite the Constitution giving them their right of Free Speech) presumes innocence until proven guilty, in a court of law!

Now, all of that being said... I am willing to believe this article -- but I require a higher standard of proof...


You sue in a case like this and win the pr battle until the settlement gag order.


> How would I, as the end-user of such an app -- know for sure?

Monitor network traffic, or maybe even decompile the binary. What information is getting sent out of the app? Does it seem reasonable? If not, you have cause for concern.

Unfortunately, modern platforms like iOS make this very difficult, frequently in the name of protecting security and privacy, ironically. This is a very big problem.


I agree.

But to broaden your point, it could be argued that this problem affects every single application that uses the network... How do I know that Chrome, Firefox, IE, or any other U.S. made piece of software -- doesn't leak private information, one way or another? Intentionally or unintentionally?

I've thought about this long and hard (as someone who wanted to publish an app), and the only two things I can come up with are:

1) Open the source code; that is, make it open source, and subject to peer review.

2) Inform users that due to the complexity inherent in computers and software/hardware/firmware stacks in this day and age, there cannot be a guarantee that your private information will stay private; thus, the simplest solution is don't put any private information on the app / don't assume that it will stay private.


Investigate each layer one at a time.

Not every end user will be able to independently verify every piece of software on their machine—going fully open source wouldn't do that either. But these types of investigations should be open to the general public so that peer review can take place.


Security is about verifiability. If you can't verify it's secure, it's not trustworthy. I've been looking into secure communication stuff for almost ten years now, and there's a low bar that makes it easy to inspect whether the app developers are even trying.

You want security for two things: Metadata and content.

Content privacy is done with end-to-end encryption. You ask yourself

1) Can I find public key fingerprints from the app? If this is not available, the app is not end-to-end encrypted properly, and you should immediately abandon it.

2) If the app is end-to-end encrypted, can I inspect the source code to verify end-to-end encryption is implemented properly? If you can't do that, i.e. if the source code is not available, there's no way to trust the app. If you lack skills needed to do that, you can pitch into an audit by a third party.

3) If the source is open, can I verify I'm using binary compiled from said source? I.e., does the client have reproducible builds?

If all these three are true, then you can be sure it offers quite strong protection for your content.

This is true for e.g. Signal.

Regarding your Sagan Standard, the extraordinary claim is not

"It has a backdoor because we can't check."

The extraordinary claim is

"It doesn't have a backdoor, it's secure, but no, you can't check that for yourself."

At that point you need to have extraordinary proof that can verify the security. There's no pro-security argument in keeping an app proprietary, only monetary.

---

Next, metadata:

You ask yourself

1) Can I register the service anonymously, i.e. without giving any of my details?

2) Can I connect (both register and use the app) via Tor? If not, your IP reveals your identity.

3) Who's hosting the service? Does a third party learn how often UID #4346455432 sends messages to other parties? I.e. is the app peer-to-peer? If the app is not peer-to-peer, your peers' bad OPSEC might deanonymize you if server-side data is cross-compared with another social graph.

4) Can I misconfigure the system and lose anonymity (i.e. is the system Tor-routed by design or can you accidentally connect without Tor), and can you accidentally turn off end-to-end encryption and say something that might deanonymize you to the server?

ToTok is not open source, it doesn't have public key fingerprints, and judging by the completely novice, non-technical name-dropping of a few primitives in their PR statement (https://totok.ai/news):

"Furthermore, we equipped ToTok with such high-security standards as AES256, TLS/SSL, RSA and SHA256, to diligently protect the user data. We also implemented a privacy framework that complies with the local and international legal requirements to safeguard our users at all times."

It's trivial to implement a backdoored system with said primitives: TLS is encryption that uses AES256, RSA, and SHA256, and it's only encryption between user and server, so the server has access to plaintext data which can be given to the secret police etc. Even if they say they don't comply they might a) lie or b) be hacked.

The only way to protect from that is to always use E2EE, something ToTok does not do. So no, there's no reason to trust them. They haven't even attempted to deploy E2EE or anonymity for their system. Even if they're not intentionally being evil, they're being ignorant about security and thus, ignorant about the human lives affected.
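The fingerprint check from question 1 of the comment above, as an added example that is not part of the original comment or of any app's code: two clients fetch each other's public key from a key directory and compare fingerprints out of band, which is what exposes a directory that hands out its own key. Assumptions: the class and function names are hypothetical, and the Diffie-Hellman group is a toy chosen so the block runs on the standard library alone.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption for illustration only; this is not a
# vetted group. Real messengers use X25519 or similar).
P = 2**255 - 19
G = 2


def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2  # private exponent in [2, P-2]
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short human-comparable digest of a public key (8 groups of 4 hex chars)."""
    digest = hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


def session_key(my_priv, their_pub):
    """Derive a symmetric key from the DH shared secret."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


class Client:
    def __init__(self, name):
        self.name = name
        self.priv, self.pub = keypair()
        self.peer_pub = None  # filled in from the directory

    def own_fingerprint(self):
        return fingerprint(self.pub)

    def peer_fingerprint(self):
        return fingerprint(self.peer_pub)

    def key(self):
        return session_key(self.priv, self.peer_pub)


class HonestDirectory:
    """Key server that returns the key each user actually published."""

    def __init__(self):
        self.keys = {}

    def publish(self, name, pub):
        self.keys[name] = pub

    def lookup(self, name):
        return self.keys[name]


class SubstitutingDirectory(HonestDirectory):
    """Key server that answers every lookup with its own public key."""

    def __init__(self):
        super().__init__()
        self.priv, self.pub = keypair()

    def lookup(self, name):
        return self.pub


def connect(directory):
    """Register two constructed users and exchange keys via the directory."""
    alice, bob = Client("alice"), Client("bob")
    directory.publish(alice.name, alice.pub)
    directory.publish(bob.name, bob.pub)
    alice.peer_pub = directory.lookup(bob.name)
    bob.peer_pub = directory.lookup(alice.name)
    return alice, bob


def verified(alice, bob):
    """Out-of-band comparison: what I see for you must equal what you see for yourself."""
    return (alice.peer_fingerprint() == bob.own_fingerprint()
            and bob.peer_fingerprint() == alice.own_fingerprint())


if __name__ == "__main__":
    a, b = connect(HonestDirectory())
    print("honest directory, fingerprints match:", verified(a, b))

    rogue = SubstitutingDirectory()
    a, b = connect(rogue)
    print("substituting directory, fingerprints match:", verified(a, b))
    # The directory can derive the same key Alice uses, so it can read her traffic.
    print("directory shares Alice's key:",
          session_key(rogue.priv, a.pub) == a.key())
```

Without a fingerprint the user can read and compare, both runs look identical from inside the app, which is why the comment treats a missing fingerprint screen as disqualifying.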


First off a few things: I appreciate your nuanced and well-written, well-thought out comments. You are a very smart person, and you are an excellent writer. I agree with what you said about 98%. We could stop here, and we could shake hands, or I could go on to describe the 2% of what you've written that I don't exactly agree with. With your permission, I'm going to discuss that 2%. Please understand that I mean you no personal offense in the following discussion.

First understand that I in no way support ToTok, I don't use it, I have never used it, and don't really care to potentially use it. I have no financial or interest in the company. I didn't even know it existed until I read the NYT article.

I do, on the other hand, have a very deep interest in Online Communities, Apps, Users, Users' rights, including but not limited to privacy, and Company's rights, including, but not limited to not being destroyed (financially and/or reputationally) by media smear campaigns, intentional or unintentional, explicit or implied.

Now you say: "Regarding your Sagan Standard, the extraordinary claim is not "It has a backdoor because we can't check." The extraordinary claim is "It doesn't have a backdoor, it's secure, but no, you can't check that for yourself."

No, the extraordinary claim is the title of the NYT article: "It Seemed Like a Popular Chat App. It’s Secretly a Spy Tool."

Now... here's the thing (and this is where things get really subtle, so follow along closely!).

That title, and all that the article alleges, might be 100% true!

So what's the problem then?

The potential problem looks something like this:

Let's suppose that an app developer in the U.S. does all of the things you say to do, for the sake of security/privacy.

OK, and now let's suppose that a Nation State Attacker -- our guys, their guys, whoever -- somehow subverts the security of the app (Browser/OS/Hardware/Network/? hacks) and gathers the apps' data.

Now... let's suppose that some foreign newspaper, the foreign equivalent of the NYT -- prints a story that our friend, the U.S. app developer -- who did nothing wrong, and tried to do everything right -- is actually gathering data for the Nation State Attacker (foreign or domestic), and thus is a "Spy" tool.

Well guess what! Under those conditions, the story is absolutely, absolutely CORRECT!

Except that there's a teensy little problem...

Call it a lie; call it an error of omission...

The problem is as follows:

The problem is that this newspaper article's author/authors, being ignorant of the fact that there was NO INTENT of the app developer to have their app used as a "Spy Tool" -- yet that was the end effect, caused by circumstances and actors outside of the control of the app company!

That's scenario #1.

Scenario #2: The law/legal system of the country in question is used to force the intentional engineering of hidden backdoors for the Nation State Attacker, under penalty of a very long prison sentence...

Either way, the paper's story is "correct" -- but it causes a crapload of harm to the application developer, who only wanted to make a dollar by providing an equal-and-opposite value, and never intended for these things to happen!

Of course, if the ToTok developers intentionally engineered security holes while not being coerced to do so (and the NYT could present proof of this), THEN this article is clean, ethical journalism... otherwise the NYT should not have presented it until it had, and was willing to show to the world this proof...

Would you want a story like this to break in some other part of the world, some part where you do business, but some part where you might lack the language/cultural/legal skills to defend you and your company, when you and your company are acting with the best intentions in mind?

I'm not a Christian, but... remember that "Do Unto Others" quote...

That's why we have Due Process, The Right Of An Accuser to Face The Accused (Cross Examination), and the Presumption of Innocence -- in our U.S. system of Law...

That's why in this day and age, I never assume that 100% of what the media says is true, 100% of the time.

I am sorry, but even if ToTok has betrayed its user trust (and I'm not saying they did or didn't) -- then certainly the U.S. media has, more often than not, betrayed mine...

I reiterate that the burden of proof -- is on the NYT.


"Either way, the paper's story is "correct" -- but it causes a crapload of harm to the application developer, who only wanted to make a dollar by providing an equal-and-opposite value, and never intended for these things to happen!"

They themselves took the risk when creating an insecure product. There are two ways companies can botch up security.

1) Introduce a bug that can be exploited by intelligence agencies. These happen sometimes and they're just a fact of life.

2) Design a crappy protocol. If you want to lock yourself out from your users' contacts you must by definition implement strong, authenticated end-to-end encryption, and open source client with reproducible builds. That's the only way.

Once you've done that, any vulnerability will be a bug, and those are okay, they can be fixed when found.

The problem here is ToTok developers didn't do that. They didn't even try.

Now, as for metadata, VoIP capability makes Tor-routing by default impossible, thus we have need for two secure messaging apps on networked TCBs: Signal for E2EE VoIP, Briar for anonymous messaging.

Networked TCBs can not be made unhackable, thus you can't expect privacy from remote endpoint compromise, but that's again, OK, because it scales less, and is a fundamental limitation.

So no I do not agree with you because they could've done a LOT more but chose not to.

So here's what we know:

ToTok is not E2EE, thus we know for a fact their server has access to user data. The only way for NYT to independently verify the company is handing out data from the server, is to either obtain documents (which might never happen) or hack ToTok server to see such processes taking place. Which is illegal.

So I agree I'd rather see some whistleblower reveal documents, but we can't hope for that to happen if Signal etc. are blocked in UAE. If this leads to unblocking of more secure messaging apps, perhaps we'll see the evidence you need one day.


Your claim that "They themselves took the risk when creating an insecure product" is based on the idea that you know how to create a secure product. Your idea that you know how to create a secure product is based on the use of E2EE being secure. E2EE's security is based on the use of encryption and secret keys, which must remain secret.

Well... if you read enough articles on HN, you'll see that there are a variety of ways that secret keys could potentially be compromised, for example, malware, spyware, what-have-you.

Most of these attacks are out-of-band. That is, there is no way that an application developer could possibly be responsible for them, should they occur to their app...

"They themselves took the risk when creating an insecure product" "So no I do not agree with you because they could've done a LOT more but chose not to."

Yes, but the jury is still out on those...

I have no arguments with you personally.

My skepticism is directed solely towards the New York Times.

All I know is that if I ever created an app and ran a company and acted with the best intentions for my users, I'd never want an article like this to appear about my app or my company in some foreign press...

That is why I give ToTok the benefit of the doubt until stronger more compelling evidence (which includes intentionality) is revealed.


I apologize for the delay, I don't come here all the time.

"E2EE's security is based on the use of encryption and secret keys, which must remain secret -- there are a variety of ways that secret keys could potentially be compromised,"

The argument can not be "anything can be compromised with sufficient resources, _therefore it does not matter if you don't follow best practices within limitations of the architecture_".

"Most of these attacks are out-of-band."

Agreed, but you also can't argue "the rest of the entire software stack isn't perfect, therefore I don't have to follow best practices". If E2EE fails because of vulnerability in OS, you aren't responsible. If it fails because of vulnerability in your app, then you are responsible. The same way, messaging app vendor is responsible for not using E2EE protocol which eliminates a huge gaping hole: e.g. the entire crypto community has criticized Telegram cloud chats that leave plaintext copies of messages on the server. Not knowing this is the same as not doing your job.

It's also the case you can design your software around more secure architecture to protect against remote key exfiltration, see my work on TFC for example: https://github.com/maqp/tfc

"All I know is that if I ever created an app and ran a company and acted with the best intentions for my users"

The question is, with E2EE becoming almost ubiquitous, would you really think not implementing a modern encryption protocol is the same as acting with best intentions?

"That is why I give ToTok the benefit of the doubt"

I can see where you're coming from but having worked with secure messaging so long, to me it's the same as surgeon not verifying they were using industry standard materials for medical screws they use. Were they really acting in best interest of client? You can't excuse not verifying (industry best practice) just because you're "trying your best to minimize other complications".

You're working with sensitive data. You have industry checklists available. If you choose the business, there will be obligations. You don't get benefit of the doubt as a participation award when it's effin obvious you did not use the checklist.


I’m still mad that I got shadow banned. All I did was post ukulele videos.


This seems rather random, am I missing a reference? I'm not sure you're shadowbanned, unless shadowbanning has become less obvious.


Okay, wait, I got it. He confused totok (the app this article discusses) with tiktok, and he's mad that he got shadowbanned on tiktok for posting ukulele videos.


That, that makes more sense, I kept wondering if he was talking about being shadow banned from here or ToTok, but forgot it sounds like Tiktok.


Unless I'm shadowbanned with you I can assure you that you're not.


The only way to read guys who are shadowbanned is to enable "showdead" in your profile. You won't automatically read their comments even if you are shadowbanned yourself if you don't enable the showdead option.


I have showdead on, but swiley's post doesn't display as dead for me.


I was talking about tiktok (apparently totok wasn’t a typo,) you can’t post ukulele videos here haha.


I'm glad there isn't another UAE based app that stores billions of messages on its servers, effectively in plaintext, including all group chats, all desktop client chats, and overwhelming majority of one-on-one chats that aren't opt-in secret chats. /s

"BuT TelEGram HasnT beEn ComPRomIsED iN tHe wILd haS it???"


You're making a valid point, but you could probably reword it without the sarcasm.


You're right. I apologize. I'm just absolutely terrified about the inevitable hack -- when intelligence establishment gets their hands on everyone's private messages on Telegram servers, or when some hacker leaks them.



