> Can we really victim-blame someone for falling for an attack
The victims may well be those who are potentially endangered by the leakage of information caused by the decision maker. Regardless of that hypothetical, the person responsible for the leak is not the victim.
If you deal with highly confidential information in your day-to-day work, you should be held accountable for keeping it confidential. This is nothing new in the corporate world, so I don't see why public officials should be held to different standards.
Remember: It was apparently a phishing attack. Someone literally asked her for her credentials. It is within the capabilities of an adult to refrain from handing out important information when asked in a no-trust environment. If that's truly beyond their capabilities, they should consider another profession.
I'm not arguing for a witch-hunt or anything against this specific person. Learnings should be constructive and this could have happened to many other public officials. Just, maybe... if you or I breach protocol, let's not call us the victims.
I was surprised by the superficiality of the Plus benefits as well, which led me to submit the article to HN at all. (That is maybe why there is still no official WhatsApp blog post about it.)
I expected something that would increase lock-in. Maybe a more capable version of their AI feature. I'm not sure. There is also AFAIK no success story for monetizing messaging yet, beyond what Telegram is doing.
> E2E is illegal in the UAE, and Meta has only advertised E2E in countries where it can operate E2E freely.
From my experience, the no-advertisement claim is untrue. I've used WhatsApp with several users in the UAE. The end-to-end encryption notice appeared on my side (as always in user-to-user communication).
> All chat apps that operate in the UAE need to store data locally with full access given to the UAE's Telecom and Interior Ministries.
Do you have a source for that claim?
Compromised endpoints, monitoring accounts or unencrypted cloud backups are far more likely to be the source than hidden deals or large conspiracies where many people need to keep a secret.
The UAE's Personal Data Protection Law (PDPL) passed in 2021.
Any internet service that is used by UAE residents has to store data domestically within UAE borders.
Assuming zero days are being used to enable mass surveillance is much more conspiratorially minded - once a zero day is used, it's often detected within days and patched.
But wait, you sourced the trivial part of your claim (a law exists), but not that WhatsApp breaks E2E. The encryption part is the important part, right?
I'm no expert in the UAE's data protection law, but I did not immediately find any reference for a mandate for government backdoor access to encrypted content.
Also: compromising endpoints obviously does not require zero-day exploits. Otherwise, I'd assume, the services of the surveillance industry (Pegasus, Cellebrite, etc.) would be far more expensive.
There is probably no large conspiracy where Meta breaks E2E for a government and nobody involved ever leaks it. The more traditional threat is probably service blocking where users get pushed to less secure alternatives that the government can more easily monitor, like Russia's new government messenger.
Murder is a universal concept. There are also varying criminal laws that are called murder, but just because these exist, one must not be thrown off track: the moral, pre-legal concept of an act known as murder remains unaffected.
'Extrajudicial killing' is just an apologetic euphemism. An indirect term, since murder is usually considered to be a bad thing.
> [...] why would I trust some VPN provider any more than my ISP [...]
Of course, whether or not to use a VPN always depends on the specifics (threat model, circumstances, VPN provider, etc.).
I am with the biggest telecoms provider in Germany, and I trust them about as far as I can throw them.
They are known for censoring their DNS servers, being opaque about government requests, and creating artificial bottlenecks to extort money from companies in order to avoid throttling.
Ironically, just like many software users, the EU Parliament is not given the option to say "no", only "ask me later".
Anyone who’s ever been unable to dismiss a nag and forced to defer via "Ask me later" knows the feeling of powerlessness and disenfranchisement deliberately planted by those making UX decisions... or the EU constitutional framework.
If shipping a specific device configuration to the US is illegal, Motorola should not ship this specific device configuration to the US.
I do not think our parent is suggesting otherwise.
AFAIK Motorola and GrapheneOS are not merging, they are getting into a partnership. They do not have to think or do exactly the same.
Apple can comply with both CCP and US demands at the same time without a problem. I am sure Motorola can adjust their services to the markets they are working in, as well.
They are not building a product that cannot be sold in their primary market. They are not designing GrapheneOS devices, they are improving existing devices to meet GOS requirements. There will still be an OEM OS for those devices. Preinstalled GOS devices can simply not be sold there.
Your arguments show a lack of the least imagination, let alone simple reasoning.
There are countless ways to satisfy any regulation while still doing whatever you actually want to do.
The very most obvious is to simply sell the device, in the affected areas, with any sort of OS that meets the letter of the law in that area.
If it's also easy for the user to install something else once it becomes their property, well, that's the new owner's business at that point, Motorola did their part and complied with everything required.
No one needs to demand a company violate anything. That is just a silly argument to even try to make. Calling people insane for things they never said nor even implied is what's insane.
In regulated industries, like finance and taxation, regulators deliberately assign responsibility to individuals, so misconduct doesn’t get lost inside the company or within its corporate stakeholder network. That removes a lot of friction once you want to hold someone liable.
I've read our parent's comment as an implicit proposal to establish similar structures in tech.
Media education would be a great start.