Hacker News

Tiktok has direct messages, they don't even call them private.

It's better that they're honest about this, nobody should believe for a second that WhatsApp or FB messages are truly E2EE.

DM on social media shouldn't be used for anything remotely private. It's a convenience feature, nothing more.

In my experience most forums have private messaging.

Additionally I think it is fine to say "we don't support e2ee". I prefer honesty to a bad (leaky) e2ee implementation, at least the user can make an informed choice.

Adding that private self hosted forums can permit uploads of encrypted files, encrypted with a pre-shared secret or a secret shared over a private self hosted Mumble voice chat server.

And yet virtually all consumer services with 1:1 messaging lacks e2e. This is a bit of a quixotic position to take.

The email protocols would like to have a chat with you.

“Will we ever end the MySpace monopoly?”

> MySpace is well on the way to becoming what economists call a "natural monopoly". Users have invested so much social capital in putting up data about themselves it is not worth their changing sites, especially since every new user that MySpace attracts adds to its value as a network of interacting people.

> "In social networking, there is a huge advantage to have scale. You can find almost anyone on MySpace and the more time that has been invested in the site, the more locked in people are".

https://www.theguardian.com/technology/2007/feb/08/business....

>Regulations are needed

Lolololol. No, not regulations. Regulators. With the people we currently have voted into office in the US the only regulations we are going to get are ones saying Sam and Peter must look at everything you do all the time.

Until we stop voting for more authoritarianism, expect ever increasing amounts of authoritarianism.

federation would never work. How would it work here? Either you are forcing tiktok to give pageviews to federations of spam, or you are letting tiktok decide which federations to work with, which essentially results in no federation.

Anyone who doubts the requirement for e2e messaging should not be considered a skeptic, they are fully buying into whatever narrative LEO would like you to believe.

Depends on your definition of "safe". Imagine an adult DMs a nude photo to a minor (or other kinds of predation).

If it's E2EE, no one except the sender and receiver know about this conversation. You want an MITM in this case to detect/block such things or at least keep record of what's going on for a subpoena.

I agree that every messaging platform in the world shouldn't be MITM'd, but every messaging platform doesn't need to be E2EE'd either.

It makes certain users less safe in certain situations.

E2E makes political activists and anti-chinese dissidents safer, at the cost of making children less safe. Whether this is a worthwhile tradeoff is a political, not technical decision, but if we claim that there are any absolutes here, we just make sure that we'll never be taken seriously by anybody who matters.

well having no e2e encryption is safer than having a half-baked e2e encryption that have backdoor and can be decrypted by the provider.

and for tiktok's stance, I think they just don't want to get involved with the Chinese government related with encryption (and give false sense of privacy to user)

Tesla doesn't have parking sensors. They're a safety feature. There's lots of safety features in cars that are optional, we've got an entire rating system for the safety of cars.

We're talking about an app that's controlled by the CCP, I do expect them to take a principled stance - stances like Taiwan is a part of China and you can't be openly critical of the leader of the party. They don't have the same principles as you. You can force them to put in E2EE, but you can't force them to be honest about it or competent about it. I would rather know what we're getting than to push them to lie.

This is the same thing as the OpenAI/Anthropic thing. You've got Anthropic taking a principled stance and getting pain for it, and you've got OpenAI claiming to take the same stance, but somehow agreeing to the terms of the DoW. Do you think it's more likely that Anthropic carelessly caused themselves massive trouble, or do you think OpenAI is claiming to have got the concessions that clearly won't work in practice. I think it's naive to think the former.

Would be a nightmare to implement and achieve the goal, but I have to say I think it’s more right than wrong. All of the data is very clear about the harms.

China has restrictions for social media and screen time for kids — how do they implement this?

The most important principle in the modern age is the freedom to prey on wallets. You can’t give parents tools to conveniently restrict what their children do. Impressionable minds ought to live in a lord of the flies state where they are bombarded with stuff to nag to their parents about and give them FOMO about what their friends have that they don’t have.

That’s why children must be free.

Parents are already allowed to restrict their children access to 'dangerous' things like open computers or knives.

At the same time, I remember growing up in the internet's wild west and bad encounters weren't an issue for me because of the golden rule I was taught from the start: you don't give your personal information and you don't interact with complete strangers. Learning to navigate the web instead of being in a walled garden was helpful in many ways.

The better question to ask ourselves is, does the capability to gather more information also lead to more power to act on this information? If the investigative resources are spread thin already it's not like they're gonna catch more criminals with investing more there. Repelling questionable individuals off the platform with lots transparancy -is- an effective way, but just a specific tool for a symptom.

I think a part of a better solution is to give parents and children better tools to manage their social graph themselves. Essentially the real problem is discovery and warding off of social outliers in a way that doesnt out all responsibility on opaque algos or corporations.

A part of their e2e keys could be shared using an intentionally obtuse way like mailing an item or a physical "friend code". That way parents and vetted friends can have their privacy. You don't need to tie an id to someone's person to get positive confirmation on someone's poor behaviour. If someone crossed the line then parents can see it and escalate. In additon, what would happen to a child with abusive parents who can then arbitrarily restrict and deny a childs freedom to communicate? I did not have this myself, but without free access to other minds and information I would have been duller. Does a large information dragnet really serve our collective interests or are more precise tools needed?

Locking down children’s devices doesn’t stop adults sharing illegal content with other adults though, so there would still be pressure to monitor communications between adults.

Indeed way past time. Though no CEO would admin publicly what the addiction to attention/social media, gaming, and general screen use, causes to children. Of course this should've been regulated similarly to Alcohol, but billions would dry and it's much easier to witch-hunt marijuana, and illegal raves, right?

> Instead children would own special devices that are locked down and tagged with a "underage" flag when interacting with online services, while adults could continue as normal.

California is mandating OSes provide ages to app stores, and HN lost their mind because it's a ban on Linux.

This honestly sounds like the best proposed solution I have heard.

> while adults could continue as normal.

After providing their identities to prove they are adults, and having all their activities tracked wherever they go and whatever they do.

The first 18 years aren't freedom either, just the system prepping you for what's ahead.

> We should have banned children

I see you Mr Quaker Oats

apple SDK already can return underage/adult

I can't tell if this is sarcasm or not

The California law works this way, and it doesn't even have to require the browser can't be modified

Then adults could lie about their age and benefit from the data protection laws only granted to children for some reason.

It matters because if it works and people continue using the platform then other providers will follow and the only remaining E2EE providers will be niche.

Switch to what exactly?

I suppose they mean that apps should brand their non e2ee chat features as private or personal, which is what users take as the default assumption when interacting in one to one chat.

In a bar you're not speaking directly into a microphone that is permanently saving everything you say for later instant access by every government and advertising agency that wants to prosecute you or invade your privacy to sell you something

Isn't that something we asked for? We keep asking for parents to parent their children instead of getting age verification laws, and that is what that looks like.

Fundamentally actual E2EE is complicated problem. And probably not very user friendly. It is full of technical trade-offs. And mistakes are very common. Or they lead to situations that people do not want. Like if you lost your phone or it break how do you get history back... What if you also forgot password? Or it was stored in local manager...

It is phrase that sounds good. But actually doing it effectively in way that average user understand and can use system with it with minimal effort is very hard.

no you couldn't. that wouldn't be considered end-to-end encrypted in any modern sense

> Where are these mythical people who aren’t concerned with both?

People don't care about "what companies serve them". They only care if the children see sexual content (or things considered deviant). Once sexual and deviant content is filtered, they're happy to give away their children's development to the company's algos.

In effect, the people don't want to concern themselves with what their children consume, unless they're outraged by things normally taboo in their age group. Besides, if everyone is in it "it's not that wrong". They seek reactive entertainment rather than proactive engagement in their children's development.

> Where are these mythical people who aren’t concerned with both?

They're called politicians.

> Monitoring children's DMs is the responsibility of the parents, not megacorps

Absolutely. But what responsibilities do megacorps have? Right now, everyone seems to avoid this question, and make do with megacorps not being responsible. This means: "we'll allow megacorps to be as they are and not take any responsibilities for the effects they cause to society". Instead of them taking responsibilities, we're collecting everyone's data and calling it a day by banning children from social networks... and this is because there are many interests involved (not related to child development and safety).

The simplest way that can work is for the child account to be linked to a parent account, and the parent account can see the child account's DMs.

I also think children do/should have a right to privacy and their parents do not have to know everything.

Kids should be able to write a journal or talk to friends with total trust that this information will not reach their parents.

> Monitoring children's DMs is the responsibility of the parents, not megacorps.

Yup, but the tools provided make that easy or hard.

But putting that emotive bit to one side, Megacorps have a vested interest in not being responsible to children. They need children's eye balls to drive advertising revenue. If that means sending them corrosive shit, then so be it.

Its a bigger issue than encryption, its editorial choice.

Mega corps should be compelled to and rewarded for allowing parents to monitor their children’s dms.

> maybe an employer on a work-provided device.

The children yearn for the mines(?).

I'm all for helping parents to do this. Any site requiring age verification should indicate this as a http header or whatever, and the browser I allow my child to use should respect that and the parental controls should be easy for me to engage with

Many parental controls are massive pains to get working. Apple does fairly well (although I don't get a parental pin number to unlock the phone, which is normally fine as my child will tell me, but in some circumstances it wouldn't be), but does require the parent to be on the apple ecosystem too.

EA and Microsoft however are terrible, especially as it's likely the child will be playing fortnite/minecraft and the parent won't have ever touched it. I think with minecraft we had to make something like 5 or 6 accounts across three different sites to allow online minecraft play from a nintendo switch.

Parents shouldn't give their child access to a device that allows DMs.

That said, these platforms are making it impossible for parents to monitor anything. They're literally designed to profit off addiction in children.

You can make it a nice round 2000 these days.

Age verification obliviates anonymity on the internet. If everything you do, _can_ be tracked by the government, it _will_ be.

Allowing for more effective propaganda, electrol control, and lights a fire on the concept of a government _representing_ anyone.

The problem with this discussion is that this is a wonk solution for wonkish times. You're trying to thread the needle between various reasonable compromises. Ironically due to social media, that is simply not how politics and lawmaking works any more. Instead it's an emotionally driven fight between various different sorts of moral panic, and the only option is to get people more mad about surveillance than "think of the children".

You might be able to get somewhere by getting a tech company on your side, but they generally also hate adult content and don't mind banning it entirely.

(people are not going to get age verification _banned_ any time soon! That's simply not going to happen!)

It's a slippery slope.

This is the next two steps into 1984.

Once you start mandating this, there's no going back.

The next generation will start associating wrongthink with government IDs. (Wait, we already do that, right?)

Particularly true as oligarchs co-opt gov

Please provide proof for these claims.

Same, my default MO is assuming 'e2ee' is broken and unsafe by default. Anything that I truly don't want sent over the wire would be in person, in the dark, in a root cellar, underwater. Not that I've ever been in the position to relay juicy info like that. Hyperbole I know, but my trust begins at zero.

> you just have intact brain

Fixed a bit.

Hopefully

Exactly.

Thankfully

>never going to be the case.

And in a perfect world essentially shouldn’t have to be, at least inside expensive walled garden app stores.

They might understand e2ee but not care.

> Both executives mention the danger end-to-end encryption poses to children when attached to a social media graph

So the fact that we welded a messaging platform onto a global-child-discovery-service is bad? Sure. Not encrypting that messaging platform is sort of closing the barn door after the horse has gone walkabout

Good to see this called out. The HN echo chamber has this really terrible habit of attributing any disagreement with the prevailing opinion here to big, shadowy forces with evil motives (billionaires, corporations, three letter agencies, politicians, etc) instead of facing the reality that sometimes well meaning people just have different values and priorities than us. Very rarely does that narrative get challenged directly.

The difference is: in web based cryptography, you get the cipher text and the code to decrypt it from the same source. Hijacking OS updates is arguably much harder than hijacking one particular web server, and there is pretty much no effective defense against malicious OS updates.

> with E2EE the company db is useless to an external attacker.

Depends on who is defined as the other end, it may be that the company db is the other end.

> It is worth noting that this law also applies to non-web applications where the service provider supposedly being secured against is also the client software distributor; thus, the “end-to-end encryption” offered by Whatsapp and Signal, amongst other proprietary services, is equally bogus. (Both Whatsapp and Signal ban use of third party clients, and enforce this policy.)

the specificity of between web apps that is highlighted by the article is that you receive a bundled code of software every time you open or use the app, as opposed to say, the operating system or desktop apps, which are less frequently updated. (Native) mobile apps are like web apps in that they release updates almost every day.

The thing is, it _is_ controversial. At least amongst the general public.

Obviously not in somewhere like Hacker News where there’s a clear consensus, but if you asked a random sample of the UK population “should law enforcement be allowed to compel tech companies to hand over all DMs of confirmed paedophiles?”, I’d bet very good money the majority would say “yes”.

The notion that “Big Tech” can absolve themselves of the responsibility to help law enforcement find child abusers by saying “it’s all encrypted, not my problem”, does not sit well with a large sector of the population.

Whether it’s good or bad is an ultimately political question, and both sides of the debate tend to talk past each other on this topic, but it’s undeniably a controversial point within the broader population.

Not just the TikTok client, anything made by Oracle is risky.

Neither Instagram/Facebook's Messenger/WhatsApp.

Came here to post this.

If you run (say) a restaurant, you get big spikes in business from TikTok videos in ways you don't get from Facebook or Instagram or others.

TikTok is the platform everyone is one right now.

Signal is open source

Pretty sure that for Meta the impossibility to moderate E2EE was the point. It’s cheaper to shrug than pay content moderators.

What were the other reasons for stopping?

For older generations Facebook has the same problem. "On Facebook it said [propaganda item bla bla]" is something I hear with those generations.

Yes. China gives a shit that user rdiddly, at 36 minutes before 00:55 UTC on March 4, 2026, said that China is spyihg to the point that they are going to be abducted for it.

> It carries negative connotations

Interesting I'm not a native English speaker but in news articles I have always interpreted "controversial" as meaning "under discussion" (perhaps even around a 50/50 divide) hence why they are writing an article about it.

I feel it is the news outlet trying to justify why the topic is important to read about since most people reading it will interpret the issue at hand as having a "common" stance. Usually it is used in topics that are very binary, for or against.