2026-03-21 04:41:04
Perfect commentary on nerds following authoritarianism because it is an interesting intellectual challenge:
2026-03-21 04:21:26
Apparently RollOnFriday is kind of “Slashdot meets HackerNews” for the UK legal community, and they are covering that Ofcom is being hamstered by 4chan.
Public ridicule amongst the legal community may actually be quite impactful, plus the article has some genuinely interesting background information which does not get much airtime.
https://www.rollonfriday.com/news-content/lawyer-mocks-ofcoms-big-fine-bigger-hamster
2026-03-20 17:07:53
1/ obtain a hash of abuse material that’s both known & banned; if pervasive as claimed this shouldn’t be hard
2/ use algorithms from this paper to create a cat meme with the same hash
3/ send the cat meme to all MPs & Civil Servants via SMS, E-Mail, WhatsApp (bonus if it goes viral)
4/ watch as MPs are locked out & banned by platforms for possessing abusive material, preventing government
Also: there is no mitigation by saying “all of these cases should be appealed” because by the time enough resources have been deployed to resolve the appeal claims, government will have been offline for 12 hours or more.
Of course one could propose mitigations: the government could ex-ante inform all platform providers which accounts needed to be prevented from ever being blocked – to be given special treatment – however:
Also, there will be claims of “two-tier surveillance” and so forth.
White-Box Attacks on PhotoDNA Perceptual Hash Function
https://eprint.iacr.org/2026/486
[*] note: strictly, it is not necessary to obtain the material, merely the hash; therefore a leak of the existing database of hashes – several million in size – would be catastrophic by providing material for an infinite sequence of attacks like this.
2026-03-20 10:35:28
“Meta ends End-to-End Encryption for Instagram DMs!”
“Meta lobbies for Age Verification in App Stores!”
“Moxie Marlinspike partners with Meta to build E2EE for AI Chats!”
The first story is a cause for mild disappointment & reflection, not outrage. The second is common sense for anyone who cares about privacy. The third should be celebrated. Here’s why:
Who am I? I’m a full time stay at home dad who has no axe to grind any more, but here are my relevant bona fides:
In 2013-16 I worked for Facebook and amongst other projects I led the team which delivered the first version of end-to-end encryption (E2EE) for Facebook Messenger.
I subsequently quit the company because of exhaustion and attempts to please the Chinese Government and enter China.
In 2019 Meta announced that they were intending to E2EE absolutely all of their messenger backends by default, which immediately led to digital rights civil society declaring this to be an evil ploy to reinforce monopoly power and to prevent Instagram being divested from Facebook via the FTC.
For some reason digital rights civil society has a tendency to be a turkey always voting for Christmas, because the announcement at the time was literally what we (including myself) had spent the previous 25 years screaming for everyone to do.
Now, Meta have controversially given up on some of that, and (worse) rather than manage the narrative properly they just posted about it on their support page.
Facts are starting to leak out:
At this point I cannot do better than to roughly quote myself from a recent chat-group conversation:
This is a very long thread by Jon Millican who was my #2 engineer on Messenger E2EE back in 2015 and subsequently guided building the full product and shipped it. I trust him absolutely:
https://bsky.app/profile/jonmillican.bsky.social/post/3mgycdhiqt22t
Long story short: WhatsApp and Messenger are Messenger apps, Instagram is for sharing your breakfast. They have a shitload of features which are not compatible with having private conversations due to various forms of enrichment and dynamism amongst the product development team, so it’s very hard to justify continuing E2EE development for Instagram when the direct-messenger aspects are only 10% of the product’s value.
In some ways it’s the same problem as public groups on Facebook: beyond a certain point centralisation and cleartext makes way more sense for feature value, than does the implicit decentralisation of content visibility [caused by e2ee] with the concomitant wrangling that engineers have to do to try and blind themselves to what the fuck the users are [otherwise quite obviously] actually doing.
Especially when there is a cost/benefit battle [of product velocity versus doing privacy “properly” in spite of users making it virtually impossible] to be fought.
I would still like to see more E2E as a default proposition for communications and to minimise the amount of plain text visibility / plain text availability for shit like legal subpoenas, but pragmatism does dictate that at some point you just give up unless you are starting from a wholly decentralised architecture in which case you have the converse problem of avoiding building a side-channel attack.
If my partner and I are typical we are using Instagram DM wholly to send links of pictures to each other which we both subsequently click and which both have engagement tracking IDs on them, which means that the messages are effectively in their entirety available to Instagram as-is in the E2EE flow. There is barely any benefit to E2EE in such user circumstances. It is just theatrics.
So I am not worried about Instagram losing E2EE Direct Messages. It would still be nice, but in a platform not wholly dedicated to messaging it’s really hard and trying to “get it back” is just going to waste effort which could be better-placed elsewhere.
The way that civil society has reacted to this lobbying “story” — which as far as I can tell is sourced from a random person who anonymously posted a bunch of inference to a previously non-existent Github account and then boosted it on Reddit, created a website and is now apparently begging cryptocurrency for doing all this — the way that civil society has reacted to this “story” is entirely wrongheaded.
GUYS, THIS IS ACTUALLY WHAT YOU WANT META TO BE DOING. AGE VERIFICATION SUCKS, BUT THIS SUCKS LESS.
There are a few tweets from people who actually understand beyond the “ZOMG META DID SOMETHING WE MUST NOW GO HATE ON THE ZUCKS” aspects, but for a really brief summary:
Privacy Wonks will hate it, but Mark Zuckerberg is correct that [a] proper place for prescriptive Age Verification is in the App Store of a mobile device; yes, that means Google and Apple will “find out more about you” but that can be minimised if they choose to implement a privacy-preserving protocol à la what happened over COVID tracking.
The reason people are angry about this is that they don’t understand that the App-Store-and-Google/Apple-Account approach to AV is a degenerate form of what we should have been doing all along: age attestation, not age verification.
The user should be signed up with their own preferred provider of private age-attestation services which they can enmesh into whatever transactions they require an age test for; this puts the user in control of provider choice and information protection, and the reliant parties — vendors, porn sites, forums, whatever — should be obliged to accept attestation tokens.
But we don’t do that, probably because (a) it makes less money for the industry and (b) because Governments get more ID tracking metadata with the age verification approach.
App Stores are basically “Age Attestation v1.0” — either you get the app, or you don’t. The app developers have no need to learn anything about how old you are nor ever see sight of your face, nor your documents, and their costs and business risks are commensurately lower.
Linking App-Stores to Websites with Age Attestation tokens would be the next step.
Again: THIS IS THE GENERAL MODEL OF WHAT WE SHOULD BE DOING. IT SHOULD NOT BE INCUMBENT UPON EVERY WEBSITE ONLINE TO IMPLEMENT DIGITAL-IDENTITY “KnowYourCustomer” ON THE OFF-CHANCE THAT THEY MIGHT SEE BOOBS.
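The attestation model sketched above (the user's chosen provider issues a token saying "meets the threshold", the relying party accepts it and learns nothing else) is illustrated here as an added example in Go. It is not from the original post and follows no real standard: the provider, the relying party, the claim layout, the names and the key handling are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claim is the entire payload a relying party ever sees: a threshold the
// provider vouches the holder meets, the relying party it was minted for,
// a nonce the relying party chose, and an expiry. No name, no birth date,
// no document reference. (Hypothetical layout, not a real standard.)
type Claim struct {
	OverAge  int    `json:"over"`
	Audience string `json:"aud"`
	Nonce    string `json:"nonce"`
	Expires  int64  `json:"exp"`
}

// Token is the claim bytes plus the provider's signature over exactly those bytes.
type Token struct {
	Claim     []byte
	Signature []byte
}

// Provider stands in for the user's chosen attestation service (assumed).
type Provider struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewProvider() (*Provider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Provider{priv: priv, Pub: pub}, nil
}

// Attest issues a token for one relying party and one nonce. How the provider
// satisfied itself of the user's age is its own business and never leaves it.
func (p *Provider) Attest(threshold int, audience, nonce string, now time.Time, ttl time.Duration) (Token, error) {
	body, err := json.Marshal(Claim{
		OverAge:  threshold,
		Audience: audience,
		Nonce:    nonce,
		Expires:  now.Add(ttl).Unix(),
	})
	if err != nil {
		return Token{}, err
	}
	return Token{Claim: body, Signature: ed25519.Sign(p.priv, body)}, nil
}

// Verify is the relying party's side. It needs only the provider's public key,
// the threshold it requires, its own identifier and the nonce it handed out.
// Binding audience and nonce stops a token being replayed to another site.
func Verify(pub ed25519.PublicKey, tok Token, threshold int, audience, nonce string, now time.Time) error {
	if !ed25519.Verify(pub, tok.Claim, tok.Signature) {
		return errors.New("bad signature")
	}
	var c Claim
	if err := json.Unmarshal(tok.Claim, &c); err != nil {
		return err
	}
	switch {
	case c.Audience != audience:
		return errors.New("token minted for a different relying party")
	case c.Nonce != nonce:
		return errors.New("nonce mismatch: stale or replayed token")
	case now.Unix() >= c.Expires:
		return errors.New("token expired")
	case c.OverAge < threshold:
		return fmt.Errorf("attested threshold %d below required %d", c.OverAge, threshold)
	}
	return nil
}

func main() {
	p, err := NewProvider()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// The relying party (a forum, say) picks a nonce; the user fetches a token
	// from their provider for that nonce and hands it to the forum.
	tok, _ := p.Attest(18, "forum.example", "nonce-7f3a", now, 5*time.Minute)
	fmt.Println("accepted:", Verify(p.Pub, tok, 18, "forum.example", "nonce-7f3a", now) == nil)
	fmt.Println("replayed elsewhere:", Verify(p.Pub, tok, 18, "shop.example", "nonce-7f3a", now))
	fmt.Println("everything the forum sees:", string(tok.Claim))
}
```

The point of the design is what the relying party does not get: it holds a public key per provider it trusts, a threshold, and a nonce it issued itself, and the only fact it learns is that some provider it trusts vouches for that threshold. The App Store variant in the post is the degenerate case where the "token" is simply whether the install is allowed.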
Of course: to a first approximation everyone hates Meta, so the following statements are also true:
So with this understanding, how could they be doing anything else?
Which brings us to story 3:
If you haven’t been paying attention you may be wondering “…what the hell is Moxie doing, announcing something of this magnitude rather than it coming from Meta?”
My suspicion: it gets the story out without triggering a major newspaper event and cycle of criticism. It’s a tactic I have used, myself. I suspect also that Meta are leaning on the Marlinspike “stamp of approval” to lend credibility to their ongoing work, especially compared to previous efforts.
[aside: surprise, the white paper just got updated!]
Some people in civil society hate AI even more than they hate Meta, so the newspaper coverage of this story is only ever going to be resolutely negative — just as when Instagram announced E2EE in 2019.
Not to mention the child safety (and adjacent activist) community are going to go absolutely nuts when they work out what this actually means.
So if you’re an E2EE Integrity and Privacy Activist like me:
2026-03-19 22:11:08
Regulate the Britons, not the foreign websites:
“4Chan responds to £520,000 Ofcom fine with AI picture of hamster”
“Companies – wherever they’re based – are not allowed to sell unsafe toys to children in the UK. And society has long protected youngsters from things like alcohol, smoking and gambling. The digital world should be no different,” she said.