Ask HN: If client side scanning on devices becomes mandatory, what would you do?
7 points by rdm_blackhole on Oct 19, 2023 | hide | past | favorite | 18 comments
In light of the recent bills (EARN IT, Chat Control 2.0, Online Safety Bill) that are making their way through parliaments in different countries, we can assume that one of them will manage to get through.

The outcome would most likely result in an outright ban on encryption or will require app developers to start implementing CSS in every app used for communication (WhatsApp, Signal, Messenger, Telegram, iMessage).

Once that happens, it will only be a matter of time before it will be mandatory for CSS to happen at the OS level.

It could potentially be rolled out to MacOS and Windows as well.

What would you do then? Would that bother you or would you keep on using your devices as usual?

I know the question is very broad but I am interested in what other people think on these matters.



> It could potentially be rolled out to MacOS and Windows as well.

This is just my opinion and what I've always done but I'd keep 'em separated. By weird coincidence I've been following some PCI standards for my home gear before the PCI standard existed. Linux for daily driver. A throw-away Windows machine for watching streaming videos that come with my Amazon Prime and to make the governments and their corporate 3rd party buddies happy that they can see some things I do. Another Linux machine for protecting financial data. Another Linux machine for managing devices. All except Windows are configured to be in a hostile network. I leave the Windows machine leaking like it is expected to be.

> What would you do then?

If something required an app to be installed I would not use it. If something ever requires WEI [1] I would not use it. If a video game requires some anti-cheat daemon running with higher privs I get a refund and so on. Given the internet is entirely optional for me and everyone else too there is no way I could be required to install something.

My cell phone is used for texting neighbors, family and voice. It will soon be launched from a skeet launcher and replaced with an IP68 tough dumb phone that will be powered off most of the time. I do not trust centralized services for sensitive chat even if one of their founders used to be kind of cool. This stodgy cranky ol' troglodyte will use self hosted IRCD, SSH chat, uMurmur, open source tinc vpn meshes. They are higher friction and I love it. It keeps people with leaky pipes off my stuff. Maybe AI can help me make a song, "Crank up the friction!"

[1] - https://www.eff.org/deeplinks/2023/08/your-computer-should-s...


Doesn't your bank require a mobile app to do "2FA"?

If not, what would you do? Change bank?


I think these are policies that will only lead to ridicule for those that have proposed them.

Although the damage to trust these attempts alone should never be underestimated. Windows is already running in an enclave for me and I use it less and less. I don't like MacOS because I think Apple is not the way if you like open computing. Nice devices, but for a different target demographic.

Otherwise I can of course just disable any scanning, it isn't too hard to filter or even better make false reports. I don't use large messengers outside of a dry business account and I doubt any smaller software will comply.

Under no circumstance do I want to use a device where any third party can scan as it please, even if it is just file hashes or something similar. I would like to sabotage such attempts to the largest degree possible because I believe them to conflict with basic rights.


If you're technical this stuff is super easy to get around if you care enough. Realistically this will only be enforceable if the application has enough users and there's a company that owns the application which can be sued.

The answer is largely going to be to just use open source software which doesn't have CSS and continues to implement E2E. For work I don't care because it's not my privacy to protect so I'll probably just continue using whatever – Mac, Slack, etc. For most personal stuff I use Linux anyway so I don't really care.

Something I will warn people of in advance is that if you're in the EU/UK people have been arrested for terrorism simply for their book and memorabilia collections. If you're suspected of terrorism (at least in the UK) you do not have a right to silence and this extends to being legally required to hand over passwords/keys for your devices.

Once CSS is in place, if you have any edgy Alex Jones memes on your phone / computer or a digital copy of something like the anarchistic cookbook, don't be surprised if the government suspects you of being a terrorist or if you get put on a list.

CSS and breaking E2E gives governments everything they need to find out who all the wrong thinkers are in society so they can protect us. It would be irresponsible of them to pass up that opportunity. Keep your opinions to yourself, and ensure all jokes and memes viewed or stored on your device are safely within the Overton window.


> Realistically this will only be enforceable if the application has enough users and there's a company that owns the application which can be sued.

In terms of the Chat Control this would be mandatory for all messaging apps. There is no exclusion in the law regarding the number of users.

> Something I will warn people of in advance is that if you're in the EU/UK people have been arrested for terrorism simply for their book and memorabilia collections. If you're suspected of terrorism (at least in the UK) you do not have a right to silence and this extends to being legally required to hand over passwords/keys for your devices.

If CSS is in place, I don't think the US will sit idle on this; they will want the same capabilities, so this issue with the content will be relevant whether you live in the EU/UK/US or Australia.


First they want access to the EU citizen's data.


It's the first step but they won't stop there IMHO.


> In terms of the Chat Control this would be mandatory for all messaging apps.

GDPR is mandatory too, but realistically it's only something that the largest companies need to worry about. If some small news site doesn't implement a cookie banner correctly they're not likely to be sued.

My point is that there will always be alternatives that fly under the radar, or are merely open source projects for which there is no individual or organisation to mandate.

> If CSS is in place, I don't think the US will sit idle on this; they will want the same capabilities, so this issue with the content will be relevant whether you live in the EU/UK/US or Australia.

I suspect it would be different in the US because as far as I know it's not an offence to say and think the wrong things. In Germany it's literally a crime to be a Nazi and here in the UK you can be arrested for telling an offensive joke.

Just as an example of what I'm talking about here, my girlfriend is a historian and she studied WWII. When we first started dating I'd often send her silly Hitler memes to make her laugh. A lot of our old chat history has references to Hitler, Nazis and Hitler memes in them. She's also dragged me to a lot of Nazi sites over the years and we have thousands of photos from those visits. I am in the process of deleting those messages and backing up our photos onto external drives at the moment because I don't want the state questioning why we're so interested in the Nazis. I might know they were just memes and it may be true that we're just genuinely interested in WWII and Nazi Germany, but I'd rather not have to prove that in court.

If these on-device content scanners are implemented and the government really wants to know who has an interest in the Nazis, it's quite possible we could be flagged as suspicious. But thankfully I don't hold offensive views so I never say offensive stuff in private. I don't need to worry about any explicitly racist things I might have said 2 years ago on WhatsApp. But a lot of people do say and believe things in private which could be considered hateful, and those people should take precautions if they don't want the government to know their views. As an example here, just a few weeks ago the private WhatsApp chats from a group of retired police officers were obtained by the media and because those retirees said some racist things about Meghan Markle they have now been charged with hate crimes. Lots of people will likely find themselves in the same boat going forward.


> Once that happens, it will only be a matter of time before it will be mandatory for CSS to happen at the OS level.

Yes, but this may in fact take much longer than it may look at first glance. Think decades, not years.

Do not overestimate churn. Compare to how long it took / is still taking for virus scanners to become an integral part of Windows. Similarly, at some point it will become empirically clear that CSS (like virus scanners) isn't the end-all blessing it promised to be.

There will be accidents in the meantime. Obviously: false positives, misuse by oppressive regimes. But also: malware, DoS, exploits and other mischief we've already seen in the wild with virus scanners, spam filters, intrusion detection systems, DRM, corporate firewalls.

I'm confident that at some point, legislation will be loosened to aim for more realistic goals. Especially once legislators realize it fails to meaningfully "protect the children and fight terrorism".


I understand your point but what about in the meantime? If this gets rolled out then you can kiss goodbye to your private conversations and private images.

So even if the various governments end up understanding that this was a bad law, then we still have to live with this 3rd party algorithm watching your every move until it is overturned.



The kind of freedom we lived under in the last 300 years or so is an anomaly in human history, and I believe it's coming to an end.

So, I kinda accepted that things will change mostly for the worse. When the real thing against encryption comes out, I will adapt to the specific case. Not much to do outside a political battle (which requires real power).


I wouldn't want to use such a device. For desktop, Linux would suffice or removing/blocking the CSS malware. For mobile, I'd either use a Linux phone or some patched version of Android, or a ROM without CSS.


Thanks for your response. The issue wouldn't go away by using Linux or a custom version of Android though.

The CSS would be implemented at the OS level but also at the app level, so even if you avoid the OS detection, when you use any messaging platforms, your content would be scanned unless I am mistaken.

I mean it would be pretty stupid to remove CSS at the app level otherwise like you said you could swap your OS and not have to worry about it which is clearly not the goal of the laws in question.


I think I would choose to use open source apps then or make my own. Matrix, or maybe a forked version of Mattermost


Great, so if you have GrapheneOS on your mobile, you'd be a terrorist. My install corrupted recently, and I'm seriously wondering if it's worth fixing or just drinking the kool-aid at this point... this is extremely disheartening :/


Someone needs to write an open-source client-side scanning daemon for Linux, and sharpish.


GnuObey
