Mullvad argues that surveillance regimes are now benchmarking themselves against each other on coverage, retention, and the ability to compel access into encrypted systems. They frame this as a qualitative shift — governments no longer feel obliged to defend the practice, they advertise it as a capability.
The editorial argues the real signal isn't Mullvad's framing but the catalog: EU CSAR, UK OSA §121 notices, and similar proposals are convergent specifications for a single primitive — an undisableable backdoor into client- or provider-side content, matched against a state-approved hash list, with gag orders attached. Engineers tracking these as separate national stories miss that they're one architecture.
Citing the EU CSAR requirements for perceptual-hash matching, novel-CSAM classifiers, and grooming NLP, the editorial notes the proposal carefully avoids naming client-side scanning, but the math leaves no other coherent implementation point for E2E services. This is the same architecture Apple shipped and pulled in 2021–2022, now being legislated rather than chosen.
The post hit 202+ points on the HN front page, which the editorial characterizes as high for a VPN vendor policy essay but low relative to the actual stakes. The implicit community position is that this catalog of converging surveillance laws warrants engineer attention even when wrapped in vendor marketing.
Mullvad published a long-form essay arguing that nation-states have moved past justifying mass surveillance and are now openly competing on it — measuring themselves against each other on coverage, retention, and the ability to compel access into encrypted systems. The piece hit the Hacker News front page at 202 points, which is high for a VPN vendor's policy post and low for the actual stakes.
The essay's value isn't the framing — it's the catalog. Engineers tend to half-track these proposals as separate national stories. Lined up next to each other, they're convergent specifications for the same primitive: a backdoor into client-side or provider-side content that the user cannot disable, integrated against a state-approved hash list, with a gag order attached to the implementation contract.
EU CSAR ("Chat Control 2.0"), back on the Council agenda in 2026. The current text obliges "interpersonal communications services" to deploy "detection technologies" for known CSAM, new CSAM, and grooming. In practice that means three things engineers would have to wire up: (1) perceptual-hash matching (PhotoDNA or a NeuralHash-equivalent) against an EU Centre-managed hash database, (2) a classifier for novel imagery, and (3) an NLP classifier for grooming patterns on text. For E2E services, the only technically coherent place to run (1)–(3) is on-device, pre-encryption — the exact architecture Apple shipped and pulled in 2021–2022. The proposal does not name client-side scanning, but the math leaves nowhere else to put it.
UK Online Safety Act §121 notices. Ofcom has the statutory power to issue an "accredited technology" notice compelling a provider to use specified scanning technology on a private messaging service. The notices haven't been issued yet, but the accreditation regime, the appeals process, and the maximum fines (10% of global turnover) are all live law. The engineering contract here is brutally specific: integrate a named vendor's hash-matching SDK, accept their hash list as a binary blob you cannot audit, and don't tell your users. Signal and WhatsApp have both said publicly they would withdraw from the UK before complying; smaller providers don't have that option.
US EARN IT, reintroduced 2025. The mechanism is indirect — strip Section 230 immunity for any provider that doesn't follow "best practices" set by a federal commission — but the engineering output is the same: scan against NCMEC's hash database server-side, or accept unbounded liability for user-generated content. Section 702 reauthorization in April 2024 separately keeps the upstream collection regime intact, which is what actually determines whether your TLS-terminated traffic gets ingested at the IXP.
Australia's Assistance and Access Act (TOLA, 2018, still in force). The most mature of the lot, and the one engineers should study first because it's already been used. TCNs (Technical Capability Notices) can compel a provider to build a new capability — i.e., write code — to assist law enforcement, with criminal penalties for disclosure. There is no public count of how many have been issued.
France's Article 8ter and the SREN law. Browser-level blocklists enforced at the resolver, plus age-verification mandates that in practice require either government-ID handoff or third-party attestation services like France Identité Numérique.
For a decade, the threat-modeling default for messaging and storage products has been: trust the math, distrust the server, treat governments as adversaries whose budget is bounded by what they can do at the wire. That default is wrong now. The new default has to assume the operator of your service may be legally compelled to ship code that defeats the cryptographic guarantees the user is paying for, and forbidden from telling anyone it happened.
Apple's 2021 NeuralHash announcement and 2022 retreat is the canonical case study, but the more recent data points are quieter and more revealing. Meta rolled out default-on E2E for Messenger in late 2023 specifically to make CSAR-style on-device scanning harder to mandate without breaking the product. Signal's response to the UK OSA was a public withdrawal threat that Ofcom hasn't yet called. Apple's Advanced Data Protection for iCloud was pulled in the UK in February 2025 after a §121-adjacent capability notice — the first time a major US provider visibly degraded a security feature for a single jurisdiction.
That's the pattern to model against. The mandate doesn't arrive as a courtroom drama. It arrives as a feature-flag rollback, a regional binary, a quiet removal of a setting from the iOS Settings app in one country.
This is the part most surveillance-policy writeups skip. The concrete engineering decisions that determine whether you can comply, refuse, or honestly say "we can't do that":
- Key custody. If your server can decrypt user content at all — even briefly, even for search indexing, even for spam detection — you are in scope for a server-side scanning order. Designs where the server never sees plaintext (Signal Protocol, MLS, age-old PGP-style envelope encryption) are the only ones that let you truthfully respond "the capability does not exist." - Metadata retention. Section 702 and its EU analogues care more about who-talked-to-whom-when than about content. Default 30-day log retention with cryptographically-enforced deletion is a defensible posture. Indefinite retention "for debugging" is a subpoena magnet. - Jurisdiction of the prod database. Hosting in Ireland gets you GDPR and CSAR. Hosting in the UK gets you OSA §121. Hosting in the US gets you 702 and NSLs. There is no neutral option; pick deliberately. - Build-time vs. runtime updates. A signed binary that ships through app review is harder to compel a silent update against than a hot-loadable JS bundle or a remote-config flag. The compelled-update threat model is now real; design accordingly. - Warrant canaries and transparency reports. Legally fragile, but the only signal users have. Publish them, and decide in advance what your team does the day the canary doesn't get re-signed.
None of the three live proposals has fully landed. CSAR has been blocked at the Council level twice and may be again. The UK has §121 powers but hasn't used them publicly. EARN IT has died in committee three times. It is entirely possible that the political cost of forcing client-side scanning into WhatsApp turns out to be higher than any government wants to pay, and the next decade looks more like Australia's TOLA — quiet, targeted, deniable — than like a global mandate. That's still a worse threat model than the one most stacks are designed against. Plan for the quiet version.
Spoiler alert : Singapore won the race years ago. Cameras everywhere, and mostly : the singaporian civilian population is educated to surveil peers so that they don't commit incivilities. Here is an article about it : https://gcctvms.com/smart-city-surveillance-singapore-camera..
reddit started asking KYC yesterday.You (and me) can bitch all you want, but reddit has well prepared for us whining and being sad will change nothing.Mark my words: KYC will be required on HN in about two years. Not because dang will want it, but because that's the direction the world is going
VPNs are great and all but many that are well advertised here in North America are a huge source of attacks, abuse, etc. so it’s pretty desirable just to block them. They sometimes have agreements with residential ISPs to get around the bans.
Governments are casting a wide a net but it all seems aimed at a foreign influence and espionage Cold War going on. The thought of using this for crime in most countries is tertiary and the real reasons for implementing these systems are so embarrassing to their respective governments that they will
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
The internet, as it was before the one-way ratchet started to close, feels more and more like a lightning in a bottle that nobody in power wants repeating ever again. Everything in the past couple years has been going towards the centralization into a small number of services, walled wastelands that