XOT: On Privacy, Security, and... https://blog.xot.nl/ On privacy, security and (occasionally) other stuff. Last built Wed, 07 Feb 2024 08:44:41 +0000, en, updated daily.

Do fair design patterns exist? https://blog.xot.nl/2024/02/07/do-fair-design-patterns-exist/index.html https://blog.xot.nl/2024/02/07/do-fair-design-patterns-exist/index.html Wed, 07 Feb 2024 00:00:00 +0000 Last week I participated in a Lorentz workshop on Fair patterns for online interfaces, organised by Hanna Schraffenberger, Raphael Gellert, Colin Gray, Arianna Rossi and Cristiana Santos. The workshop was super interesting, and I would like to thank the organisers for the great work they did in preparing such a stellar event. (BTW: the Lorentz Center offers a great location and a great deal of support to organise your own workshop at no cost. They are always happy to receive workshop proposals!)

At the workshop dinner, Arianna asked me what I learned, and I provocatively quipped: “fair design patterns do not exist”. Of course the truth is much more nuanced, which I will try to unpack a bit in this blog post, to perhaps start a more in-depth discussion and study.

Analysing the proposal to regulate the digital euro https://blog.xot.nl/2023/12/04/analysing-the-proposal-to-regulate-the-digital-euro/index.html https://blog.xot.nl/2023/12/04/analysing-the-proposal-to-regulate-the-digital-euro/index.html Mon, 04 Dec 2023 00:00:00 +0000 Earlier this year the European Commission published a proposal for a regulation on the establishment of the digital euro. At the same time it also published another proposal for a regulation on the legal tender of euro banknotes and coins. See for more information this digital euro package.

A few months later, both the European Central Bank (ECB) and the EDPB/EDPS published their opinions on this proposal. I was asked to offer my views on these proposals to the Civil Liberties, Justice and Home Affairs (LIBE) committee of the European Parliament. This is what I submitted.

Some observations on the final text of the European Digital Identity framework (eIDAS). https://blog.xot.nl/2023/11/20/some-observations-on-the-final-text-of-the-european-digital-identity-framework-eidas/index.html https://blog.xot.nl/2023/11/20/some-observations-on-the-final-text-of-the-european-digital-identity-framework-eidas/index.html Mon, 20 Nov 2023 00:00:00 +0000 The final text of the update to the eIDAS regulation (establishing a framework for a European Digital Identity) has been agreed upon. In a last minute effort to improve the text, we wrote an open letter criticising the proposal on weakening the security of the web, and providing too few safeguards protecting users of the proposed European Identity Wallet. Were we successful?

Clearghost: Using the laws of nature to limit digital surveillance by law enforcement. https://blog.xot.nl/2023/10/24/clearghost-using-the-laws-of-nature-to-limit-digital-surveillance-by-law-enforcement/index.html https://blog.xot.nl/2023/10/24/clearghost-using-the-laws-of-nature-to-limit-digital-surveillance-by-law-enforcement/index.html Tue, 24 Oct 2023 00:00:00 +0000 Digitisation owes its disruptive power to the near zero marginal cost of digital products and services. Although the initial investment to create a product or service may be huge, creating a new digital copy, adding new users, or processing more work, costs next to nothing. As a result, these products and services can scale up very quickly without control, creating all kinds of societal problems. In this blog post I will focus on the particular problem of digital surveillance by law enforcement, and will study a speculative approach based on laws of nature to inherently limit their reach.

Tainting the CSAM client-side scanning database. https://blog.xot.nl/2023/10/11/tainting-the-csam-client-side-scanning-database/index.html https://blog.xot.nl/2023/10/11/tainting-the-csam-client-side-scanning-database/index.html Wed, 11 Oct 2023 00:00:00 +0000 The proposal of the European Commission for a regulation on preventing and combatting the sexual abuse and sexual exploitation of children is currently being discussed in Dutch parliament. I recently wrote about some concerns and the risk of a DDoS attack. It turns out it is also possible to taint the database of images of known child sexual abuse material (CSAM), allowing an adversary to trick the client-side scanning system into also triggering an alarm for other, non-CSAM, material. Client-side scanning could thus be vulnerable to undetectable function creep.

DDoS-ing client-side scanning https://blog.xot.nl/2023/10/04/ddos-ing-client-side-scanning/index.html https://blog.xot.nl/2023/10/04/ddos-ing-client-side-scanning/index.html Wed, 04 Oct 2023 00:00:00 +0000 The European Commission is proposing a regulation on preventing and combatting the sexual abuse and sexual exploitation of children. I recently wrote (in Dutch) about some concerns I have about the proposal, especially the requirement it creates for large messaging platforms to implement client-side scanning for child sexual abuse material (CSAM). Today I learned I forgot something: it appears to be possible to DDoS the system!

Account soon required for the Philips Hue app? https://blog.xot.nl/2023/09/17/straks-account-vereist-voor-philips-hue-app/index.html https://blog.xot.nl/2023/09/17/straks-account-vereist-voor-philips-hue-app/index.html Sun, 17 Sep 2023 00:00:00 +0000 It looks as if people who use the Philips Hue app to control their smart lights will soon be required to create an account. At least, that is what this notification in the app seems to suggest.

That really is a step too far.

End-to-end encryption and the risks of client-side scanning https://blog.xot.nl/2023/08/26/end-to-end-encryptie-en-risico-s-client-side-scanning/index.html https://blog.xot.nl/2023/08/26/end-to-end-encryptie-en-risico-s-client-side-scanning/index.html Sat, 26 Aug 2023 00:00:00 +0000 The European Commission wants to get serious about combating online child abuse. Last year the Commission submitted a legislative proposal for this purpose that obliges large online service providers to take the necessary measures. With this blog post I want to draw attention to a number of fundamental objections to the Commission's proposal.

Optimising Deft for Emacs https://blog.xot.nl/2023/08/01/optimising-deft-for-emacs/index.html https://blog.xot.nl/2023/08/01/optimising-deft-for-emacs/index.html Tue, 01 Aug 2023 00:00:00 +0000 Deft is an Emacs mode for quickly browsing, filtering, and editing directories of plain text notes, inspired by Notational Velocity. I started using it more, but as the number of notes increased it became slower and slower. Here is how I managed to make it snappy again, also for older Emacsen. (Updated with more general code).

From Postbox back to Thunderbird https://blog.xot.nl/2023/07/23/from-postbox-back-to-thunderbird/index.html https://blog.xot.nl/2023/07/23/from-postbox-back-to-thunderbird/index.html Sun, 23 Jul 2023 00:00:00 +0000 I am a long time email user. (Yes, I’ve even used Gnus to read my mail!) Seven years ago or so, when it looked like Thunderbird would no longer be maintained, I switched to Postbox to read my mail. I was happy with it, especially with its clear and modern UI and its support for tagging email. But now Postbox appears less well maintained: there are UI bugs, it has become slow and unresponsive, and updates are few. So I decided to return to Thunderbird, especially now that it properly supports a vertical, fully column based view that I liked in Postbox, using the new card view to summarise messages in the message list.
