I can only agree. If Qubes decides to implement privacy invading changes, there is no place for Edward Snowden on the homepage. He would be fully against this, which should be obvious. He is the reason I came to Qubes in the first place, because I am fully against mass surveillance, which could lead us into a dictatorship. If the project decides to go against what he said, I will leave.
I didn’t understand the hate for systemd, but now I do. Either we should fork systemd or get rid of it.
Finally, someone says that. We shouldn’t cooperate with mass surveillance and censorship laws just because some regime in the world wants that.
Ok, let us assume for the sake of discussion that this argument is acceptable, even though that may itself be disputed. For the limited scope of this post, I will work with that assumption. So under that framing, Qubes dom0 would not be called an operating system, but a meta operating system.
My question is: what follows from that when we look at the Templates that the Qubes Templates repository provides, such as Debian, Fedora, and Whonix?
Impact on Kicksecure for Qubes / Qubes-Whonix
Since Qubes OS may be the entity distributing Templates, the decision of what Templates can and should do will ultimately rest with the Qubes maintainers.
From my perspective, Qubes may be distributing Qubes-Whonix. I may contribute to Qubes-Whonix as a developer, but the hosting of the Template repository, and the final decision on whether Qubes-Whonix is available in Qubes, rest with the Qubes core developers.
The same question comes up for the Qubes Debian Template. Qubes is making editorial changes to Templates. For example, there can be discussions such as [1]: should a specific package be included or not? The decision whether the hypothetical package age-api-debian will be installed by default in the Qubes Debian Template would be made in the source code repository qubes-builder-debian and would ultimately rest with the Qubes core developers. Debian does not control that decision.
For that reason, I think it is fair to describe the Qubes Debian Template as a derivative of Debian. It is not the original Debian as downloadable from the official Debian website. So in practical terms, it seems more accurate to describe it as a derivative. [2] [3] [4]
I am not trying to make a legal determination here, and this is not legal advice. I am only describing the technical and editorial relationship as I currently understand it.
So from my perspective, calling Qubes dom0 a meta operating system may not resolve the underlying issue.
Could you please show comparable cases using the same criteria where the project had a better outcome?
Full disclosure:
I am documenting various pieces of information about age API-related legal issues and adding them to the Kicksecure age-api wiki page. That page might contain material that could be useful to point legal counsel to.
[2] Debian templates: get added to Derivatives Census · Issue #1834 · QubesOS/qubes-issues · GitHub
I don’t keep a list of cases. I was just trying to tell you that this direction of the discussion is not going to give you the solution you seem to be looking for.
Other than that, Snowden was never extradited to the USA to be sued and is protected. Not really a project, if you insist on that.
Even those cases are vastly different. A non-U.S. legal entity may still commit crimes in (or affecting) the US and therefore be judged to be under American jurisdiction. The procedures in civil (as is the case) and criminal cases are immensely different both in law and, perhaps more crucially, in practice. In criminal cases the US has been in the past willing to exert a lot of pressure on other countries. On small, low-stakes civil cases with small open source projects where there will surely be backlash, bad press, where litigation costs and workload will vastly outweigh potential gains (no assets in California or US), they are unlikely to even try; practicality matters too, not just law.
However, it is much beyond that: a non-U.S. incorporated legal entity may still operate commercially in California and profit from Californian users; this is another important criterion in assessing purposeful availment. This was another point I made. The Qubes project is not just an organization which is incorporated outside of California (and even the US); the Qubes project has no relevant presence in the US, much less California, it does not operate commercially there or profit from Californian users, it does not directly target Californian users and it is also not a criminal case. The cases you listed tend to go in the opposite direction. Like I said previously, the Qubes project is almost a textbook definition of global passive availability and therefore any cases won’t even be attempted on the lack of jurisdictional grounds, much less succeed.
“Operating commercially” really is one of the key concepts to have in mind (albeit not the only one) because it heavily impacts purposeful availment. How I define it or see it legally is of little relevance; it’s more important how the courts see it and use it in practice. One Supreme Court decision mentioned it as “a regular course of commercial conduct or a particular commercial transaction or act”. Examples of what this is are things like: buying and selling goods in the state, entering the state for commercial purposes, holding assets in the state, selling services to people of the state. A key example would be Red Hat selling specialised tech support for Fedora to Californian companies (example relevant for more than Red Hat…); this could place them under Californian jurisdiction if it showed a repeated pattern (one-off unlikely to be enough). This does not apply to Qubes.
The best analogous court decisions to our OS discussion are those that focused on websites: a website merely being available to Californian users does NOT constitute ‘forum directed activity’, as courts have called it. That’s passive availability. A website collecting data from California users and commercially exploiting it by selling that data to data brokers and ad companies will likely fall into Californian jurisdiction. There are multiple Ninth Circuit cases regarding jurisdiction that further confirm this. Even in a case about a commercial, ad-funded website, the Ninth Circuit said a “passive website alone” is not enough; there must be “something more—conduct directly targeting the forum.” Qubes’ case is even cleaner because it does not monetize Californian users nor does it serve them ads (or do these to anyone lol).
https://law.justia.com/cases/federal/appellate-courts/ca9/18-15051/18-15051-2020-08-17.html
This is an example, but there are more.
Distros like Qubes are likely extremely safe. Hell, the vast majority of distros are likely to be very safe from this stupid law. Even the few that are less safe likely have little to worry about in practice, as the law was clearly intended to target 3 specific behemoth companies that comprise around 98% of the consumer OS market.
Again, I’m not a lawyer and this is not legal advice, but hopefully it will serve as some food for thought.
GrapheneOS is refusing to implement age verification.
I hope Qubes OS does the right thing and follows the steps.
I’m not sure the Snowden example is especially relevant here. If the suggestion is that a Polish developer should emigrate to a country that, at the time of writing, does not extradite to the USA, that seems like a very uncertain solution, particularly since such arrangements could change in the future, whether directly or as part of a broader, unrelated political deal.
Even setting aside the possibility that relocating there might create more problems than it solves, there are still major practical concerns. Foreigners are not automatically allowed to stay indefinitely in another country, and they are not automatically allowed to work there either. Not everyone has a source of income that can simply be moved across borders or that would satisfy the legal and practical requirements for migration.
On top of that, there are questions about the legality of the software in the destination country, the relative strength of the rule of law in the source and destination countries, internet freedom, payment processing, sanctions, family obligations, language barriers, quality of life, physical security, security conditions including the risk of war, and other complications that may not be immediately apparent.
[… 13 lines elided]
Selected case examples of the USA versus people outside of the U.S., not as direct equivalents, but as examples that cross-border enforcement is not unheard of:
Samourai Wallet devs, Keonne Rodriguez and William Lonergan Hill were
both US citizens. I don’t think their example counts as “cross-border
enforcement”. It wasn’t the case of US Govt. going after a “Polish
dev”.
[… 35 lines elided]
[… 3 lines elided]
a law without morality is nothing but a means of oppression.
[… 25 lines elided]
Might be offtopic, but I like this characterization. I will keep this
in mind.
For sample cases including non-U.S. citizens, refer to the Legal Jurisdiction Comparison Table:
- Megaupload: German-Finnish [1]
- 1Broker: Austrian [2]
- Tornado Cash: Russian [3]

- dual citizen of Finland and Germany (U.S. Department of Justice)
- Austria (CFTC)
- Russia (U.S. Department of Justice)
Totally! That is the stand we should hope to see in every privacy/security/anonymity focused open source software! I personally would refuse to use any that go in the opposite direction.
If the XY goal of your attempt to create a collection of cases is to justify a decision whether to comply or not, there is hardly any reply that will be able to do that.
You seem to be approaching this mathematically and orderly, which is understandable for a technical person. And that is exactly why I pointed out that the vagueness of this law cannot match the required precision a technician needs. It lacks the clarity we are used to reading in RFCs, so it all comes down to complying with nonsense out of fear. Or not.
In general, this is all about politics and international hegemony - a huge topic that we cannot discuss on this forum. People have only one tool against oppression and that is resistance - that is the law of all millennia. Everyone decides for oneself whether one wants to use it or not. Note, however, that it would be very hard to say “Donate!” if you don’t.
Based on the article, there’s a new site to prevent data brokers. Hopefully, there’s an app developed for using their API to submit forms in the phone whilst not compromising anything.
Fundamentally there are two choices, comply or resist.
Some people are suggesting to comply through loopholes or the minimum possible. But the problem is that it might not be possible. New York, for example, requires verification as well.
Resisting is what we should do, and what everyone here is saying.
But the problem is the devs are not anonymous. And there is not enough time to start making changes to the development infrastructure to make it possible for developers to be anonymous.
I think we must use this as a warning. A canary of the tyranny that is increasing.
We need to start building the infrastructure around Qubes OS to be censorship resistant. That means anonymity.
We need another forum technology which works with JS disabled.
Email addresses are outdated, not anonymous, and fundamentally insecure.
It is actually strange that Qubes OS developers, who are the best security researchers in the world, are using email.
Developers need to be able to contribute code without requiring an email address, without requiring enabling JS.
Create a censorship resistant infrastructure around Qubes OS, for the developers and community, then hopefully the anonymous developers will come.
And then we can give the finger to age verification laws.
The first thing EVER systemd “did right”.
I applaud the spirit your message displayed, however, for distros like Qubes, there is NO need to comply. A random country, much less a state within one, can’t simply rule or decide how projects all over the world operate lol.
It’s a matter of jurisdiction and California’s (or Brazil’s, which has enacted an even worse version) do not apply to Qubes. Qubes is neither Californian nor Brazilian; moreover, the Qubes project is almost a textbook version of global passive availability and there is a plethora of jurisprudence coming from the Ninth Circuit Court of Appeals (covers California) attesting to the fact that mere global passive availability does NOT convey states jurisdiction over a given individual or organization. There is no purposeful availment, nor “forum directed activity”.
I am not a lawyer nor is this legal advice.
Would you trust software created by completely anonymous people with unknown past and relations? How would you know it is not a state actor behind an anonymous identity?
Also how will they work together if they are anonymous? And I mean anonymous (disposable identifiers), not pseudonymous (persistent identifiers).
I wouldn’t regarding OS, that’s why I don’t use any that are mostly pseudonymous.
They do not need to be anonymous either. Firstly, there is the matter of jurisdiction I mentioned in several messages by now. Secondly, even if it did, devs could do what MidnightBSD did and update their terms to deny usage of the OS to people from affected regions.
The GrapheneOS project has stated it WON’T implement age verification BS, that’s already a huge win. Others should follow.
