People will complain that a technology can be used to oppress user freedom while contributing to free software that gets used in literal weapons of war
I do entirely understand the idea that functionality that can be used against users (even if it can also be used to enhance user security) is bad, I just don't understand why people will simultaneously make that argument and support the idea that a software license that says "You may not use this software to murder people" is incompatible with the ideals of free software
DRM is pretty obviously something that inherently removes user freedom without benefit, and decrying it is entirely reasonable. Hardware identity and state attestation *can* be used for DRM, but can also be used for other purposes that improve things for users (like Signal verifying that it's communicating with a genuine enclave before disclosing any sensitive data), and attacking the technology rather than the ways it's used seems short-sighted

@mjg59
I don't have the nuance of whomever you're replying to, so broadly:

(Approximately) no one complains about Yubikeys, datacenter HSMs, etc., because context matters. FIDO deployment wasn't going to lead to controlling what computers you can use the web with. But Google's ReCAPTCHA replacement has as a specific tactic to stop people operating outside the phone duopoly from using portions of the web.

And it probably won't even be good at their alleged goal: https://bsky.app/profile/retr0.id/post/3mljwh4k4k225

David Buchanan (@retr0.id)

anyway I guess this is proof that a full Play Integrity bypass is within "weekend project" territory. this approach does not exploit any bugs or rely on leaked key material, so it cannot be patched.

@mjg59 The thing is, I think you know all this better than I do based on what I've read from you, so I'm genuinely confused where you're coming from.
@headmold People are turning this into an argument about attestation in general, not the specific instance of it

@mjg59 Ah OK, yeah I can't go so far as to oppose all attestation yet. If you had to bring up "free software gets used in weapons, ya know", I can only imagine.

Where I sit right now: Yubikeys and secure elements are pretty good. Google Play Integrity is bad.

@headmold Yeah, but from a technology perspective there's basically no difference between Yubikey attestation (and some banks do insist on actual Yubikeys, not other valid WebAuthn tokens!) and what Google's doing here - which is why I think it's important to talk about the ways people use it, rather than the technology
@mjg59 @headmold I think there's a big difference between attestation tech that's tightly coupled with computer/phone hardware and vendor-provided OSes and doesn't work on LineageOS/PostmarketOS/etc, versus attestation done by a relatively cheap pluggable external device. Only the former is restricting the OS & software people can run on devices they own. OTOH Yubikeys and other pluggable/NFCable tokens can work with basically any OS.

@mjg59 Fair point. My brokerage restricted by key vendor too.

But certain implementations of attestation are going to bias more towards particular uses. Yubikeys are *mostly* (to me) good. I think Google Play Integrity, because it is flaky for security yet effective for control, is mostly bad. That's why I argue against this particular "technology" or at least implementation of it.

I can't tell if I'm arguing something you disagree with though :).

@mjg59 I don't know if you are subtooting this, but this thread broadly summarizes my experience:
https://grapheneos.social/@GrapheneOS/116550899908879585

As someone with an infosec background, I am of course highly intrigued by the tech and what it *theoretically* enables. But my experience with big tech so far has been: if a technology is widely deployed and has the potential to strengthen their monopoly, it will be used for that sooner rather than later.

GrapheneOS (@GrapheneOS@grapheneos.social)

Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.

@jfkimmes I agree! But this is true of a great deal of technology that we enthusiastically endorse, and in general we argue about the specific use rather than the technology that allows that, and I don't understand why we're fixating on the technology rather than the abusive use of it in this case

@mjg59 The fixation on this topic may come from the fact that there is no turning back on this one once hardware attestation is baked into everyone's personal devices.

I see a lot of advantages if I am the attesting party, instead of being the attested party (i.e. your Signal use case vs GrapheneOS's Google/Android issue). But again, Google started by letting users attest their own boot chain and is now continuously switching to a Google-only solution.

@mjg59 The Android problem is systemic though. Hardware attestation is probably just an accelerant to a full lock down of Android by Google.
@mjg59 this doesn't sound complicated. You may have a claim about whether this is good or bad but it's clearly not "free software" the way we use that term. Words mean what we want them to mean, trying to redefine them to equal whatever we think is good or bad just leaves them meaningless.
@mjg59 and without context I have to admit my first reaction is it wouldn't be very helpful to have hundreds of licenses that have various conflicting restrictions on which parties of which conflicts can use them. I suppose that's a slippery slope argument so maybe I regret it already.

@stark @mjg59 it's very difficult to determine if someone is breaking the GPL when they use (my) free software unless they are actively boasting about it. It would be even harder to enforce a no kill license, most of the military users of my software would claim they were using it defensively and it would be impossible for me to check, even with friendly nations like Germany, Finland and the UK. With hostile nations like North Korea I don't think I'll ever find out how they use it.

1/n

@stark @mjg59 I wrote up my thoughts about this a while back

https://blog.ianturton.com/foss/2022/03/11/open-source.html

Basically, it boils down to there's nothing I can do about it, my software is dual use and mapping has been a function of the military and/or state enforcement of taxation since the beginning.

Open Source and Sanctions

@stark I'm not saying that free software should be redefined, I'm saying that if someone is unconcerned about how free software is used then why are they concerned about how any other technology is used
@mjg59 that does raise the question: is it possible to implement attestation in such a way that it can't be used for DRM (or worse, surveillance tech), while still keeping it useful for apps like Signal? Since if that isn't possible there is an argument to be made that DRM/surveillance tech is such a big threat to our freedoms (not just software!) that the other more user beneficial use cases for attestation aren't worth it. That said I'm pretty sure you have considered this already and have a plan (or at least an idea) on how this could work?
@deetwenty The technology as a whole? Not really, since it's just an application of cryptography - all it's fundamentally saying is that you have a chain of trust back to a private key, and that key can be used to sign specific material. What that material is is an implementation detail, and if someone wants to implement it for evil, they can
@mjg59 Yes, which is why if it is possible to make an attestation system/standard that is both privacy preserving and keeps the control of the device (mostly) in the user's hands we should be the ones to build that and not let Google/Apple/Palantir decide how such a system should or shouldn't work.
@deetwenty Cool, so let's do that instead of arguing that it's intrinsically evil?
@mjg59 Agreed! (provided it is actually possible to make it both privacy preserving and in the user's control of course)
@mjg59 @deetwenty when even freedom advocates confuse the abstract crypto and some of its usage, imagine what will happen when they ask technology-illiterate lawmakers to regulate it. The latter would as usual let lobbies guide their hand which would hilariously backfire! Careful what you wish for 🙂
@mjg59 The problem is the interpretation: "We are not killing people, we are eliminating terrorists!", "We are executing a death penalty lawfully declared by a jury", and so on. The interpretation becomes even more troublesome if you replace that sentence with "You may not use this software to oppress people".
@mardy The one I've considered here is something like "You may not use this software in any way that would impair any other individual's inability to exercise the freedoms granted by the license", on the basis that if you kill them that's a pretty clear impairment of those freedoms
@mjg59 Putting people in jail without access to a PC can also be considered a breach of such a license, and this would make the software incompatible with the judiciary system.
@mjg59 real telling that people who call slop generator binaries 'open source' are taken more seriously than people advocating for licenses that disallow use for/by evil
@mjg59 I think this is a product of the Libertarian skew that a lot of Free Software zealots have. There's a belief that even hinting at restrictions is the same as a government legislating restrictions on people or tech companies limiting our technologies arbitrarily. It lacks analysis of power and how enforceable something like a software license is. We've seen it with LLM scraping; we KNOW these models were trained scraping code that uses open source licenses that should not allow the LLM models to be used willy-nilly, or would require more transparency from them. But the companies behind the models have more money and political influence than OSS maintainers. There are arguments to be made about how "opening the door to restrictions" should be something we think about carefully, just as how the authoritarian power grab by the USA presidency in the George W Bush era has led us to here, or how the lack of action against NSA spying and failure to teach people about data safety and not allowing social media sites to collect and sell our information should have been a major concern from day 1. But again, there needs to be an analysis of power dynamics and social and cultural tendencies, which very few people seem to want to do these days (e.g., equating disabled people asking folks to use alt text in images being equated with cop behavior as if disabled people hold the same power as police departments).
@mjg59 I don't think that the people who make weapons of war would care about license compliance.

@alwayscurious @mjg59

A no war license would perhaps deter my friends, but it would hardly deter their enemies.

@mjg59 we crowd funded VR so Palmer Luckey could build war machines.