I have mentioned a few places now that I am working on a visual novel. It is titled “The Spell Collector”.

The Spell Collector is being created in RenPy. (Here is a link to my work-in-progress code).

The image from this post is a digital enhancement of a canvas I painted for a background.

You have an IndieWeb-ish blog. Great. Now what?

This post is my guide to connecting with readers in the IndieWeb way. I make no claims to completeness or dependableness but I think this is mostly right. Feel free to correct me with replies, mentions, or comments.

Why do I think I am qualified to talk about this?

I’ve been making wired stuff and putting it on the Internet for over 20 years. In that time, I picked up a few skills. Some of my things are blogs, others are too strange to categorise.

Am I an expert? Only in the sense that I have made a significant number of the mistakes on the theoretical list of all the possible mistakes. I don’t know everything but I do know a few things. Hopefully, I know enough to say something useful.

I may come back and edit this to clarify stuff based on questions and fix spelling and typing mistakes but the main gist of this post is unlikely to change.

Before you start

All of this is for nothing if you do not first have something worth looking at. Promoting your blog to others used to be known as “launching” the blog. Before you launch, be sure to have at least three solid posts so that there is more to read if visitors like the first thing they encounter.

If a vistor comes to your blog, likes what they read and then cannot find anything else, they may leave and not come back. Show readers why they should stick arround, add you to their feed reader or subscribe in some way by demonstrating that you have more than one great post in you. Take your time. There is no rush.

Never launch naked. Post are clothes. Put some clothes on before you go outside.

In case you missed it I will say it again – don’t promte your blog until it has content.

Step 0 (mostly for WordPress users)

I strongly suggest you install some or all of the following six plugins:

ActivityPub

ActivityPub is so Mastodon and other Fediverse people can follow you. It pairs well with the other plugins I will suggest.

ActivityPub is available for both self-hosted and dot com WordPress.

IndieWeb

This plugin requires WebMention which is just as well because I strongly recommend that too. In addition, I suggest you pick up Syndication Links as it supports a whole bunch of IndieWeb ideas.

Both of these can be added via the IndieWeb extensions page.

WebMention is an official standard ping-back-like system. I think all blogs should use WebMention. One strong selling point is that you can reply to others with a post on your own blog and have it appear as a comment on the other site.

Syndication Links is simply a nice way to do POSSE, PESOS, and reblogging.

There are others which might be useful depending on your individual use case.

WebFinger

This plugin makes your integrations a little smoother.

For more about the protocol visit webfinger.net.

The Friends plugin (personal/single-user blogs only)

At this stage, your blog is pretty much a social media node. Complete the process to enable following and subscribing too.

I have two examples of this my social node and I Am The DJ.

Step 1: Connect with others

Both early web and small web (or smolweb) ran/run on personal connections. There is no magic wand way to “go viral”. Instead, you build relationships over time.

What you are not going to get into one or more of these and immediately start blasting blog links at everyone. That’s just rude.

Here are my favourite ways to connect with others

Forums – making friends on forums is great. I run a forum for bookish people. Forums are a lot of work to set up and maintain so I strongly recommend joining an existing forum. That said, if you want to run a forum I will not stop you (but I may wish to join it). There is a lot of forum software out there to choose from. Find friends with blogs. Subscribe to those blogs.

Social Media – I strongly suggest you connect on Mastodon. When you find others who blog, go read their blogs. If you are reading this, you might like indieweb.social. I am the author of a guide to social media for authors that might help.

Mastodon – If you chose to include ActivityPub in your blog, then you are halfway there already. However, there is a gap to bridge. I will get to that gap later. For now, make an account and start making friends. You should find a steady stream of interesting people who blog – go check out their blogs. Here’s how to join Mastodon.

Comment on other blogs – Once you have found other blogs, leave interesting and value-adding comments. You know the kind – comments that show you read the content and wish to engage with the theme or topic. The kind of comment that makes the author happy to have written the post and overjoyed to see an engaged reader. Be genuine. This is not a game. Many blogs have a field for a link with the comment. Use that link box for your blog.

(Web) Mention other blogs – This is just the advice about comments but using WebMention. You don’t have to run WebMention software but that does make life easier as you do not need to manually ping the other blog. I’ll detail some example blogs that use WebMention later on.

Step 2: Seed your blog into the fediverse

Before your ActivityPub-powered blog will be seen by others it must first be seen by others. This section is my advice on how to overcome the gap keeping you out.

Have a regular Mastodon account

In step #1 I said join mastodon. If you did that already or have now done so, you have your initial subscriber -you.

I like to be clear that my blog and my account are two instances of me. I see no point in covering the fact that the blog is mine.

What you now have is federation to your first instance. You will appear in the local feed there. For more direct discovery, your account can boost your blog.

As your account matures (at a speed dictated by how friendly you are and how often you show up), it will provide more reach. There is no fast way to get readers. This is a slow burn process.

Optional – subscribe directly

If you are using the Friends plugin or have some other way to subscribe/follow with your blog, you can be direct by following interesting people. Each follow will show up as a notification (if everything works as it should).

Do not abuse this unless you want to get blocked or ignored. No one likes a spammer.

Ask your good friends

If you took the time to build up online friendships, you could consider asking some of these friends if they would be willing to follow/subscribe to your blog via their Mastodon account(s).

Do not spam. Requests like this require an existing and firm relationship. This is not speed dating – take your time. I’ve not asked IRL friends to do this for me yet – I want to know my content is worthy of their attention first.

Step 3: Make full use of WebMention

To make the best use of WebMention, you need to find other blogs that use WebMention to interact with. This section is here to help you do that. These are all ideas for getting started with some conversation.

User made lists

My irregular list of all found blogs/sites that use WebMention – March 2024. I sometimes post my list of all found WebMention-enabled blogs. It is far from complete.

Bookmark any such lists that you stumble upon. They make a great starting place for content you might want to reply to (WebMention).

OpenMentions.com

Open Mentions is a pet project of mine that is powered by WebMention and ActivityPub along with some bridge technology – more on that later.

The idea of OpenMentions is to create a distributed directory of topics that you can mention. Thus, as different bloggers tag in on different topics, we are creating a self-updating listing of posts on topics that interest us.

I also try to post a Question of the Week for more narrowly defined topics for discussion. Despite the name, there is no time limit for replying via a mention (or via Mastodon).

Chat: Shall we talk

This is a book and writing-centric blog created as part of Author Buzz UK (the place with the forum that I mentioned). I’m involved in this one too. It is set up to be friendly to WebMention bloggers.

isBrill.com

This is another one of my projects. This site is set up around the ideas of fan pages, shrines, and general positivity. Most of the “brills” are set up expressly for ActivityPub and WebMention use. Topics include IndieWeb, dad jokes, tea, Doctor Who, steampunk, various bands, Sci-fi, Mastodon, and replying to things.

Step 4: Build a bridge (optional)

I’ve hinted at bridge building and no it is time to pay off that promise. I would like to introduce you to brid.gy.

If you have WebMentions installed brid.gy is a tool that will feed likes, boosts, and replies back to your blog as WebMentions. Brid.gy is free and I highly recommend it.

You may also like Brid.gy Fed to connect with BlueSky. If you are a WordPress user with all the toys I recommended installed, you can set up direct syndication to Bridgy Fed.

The most important: Step 5: Follow your passions

Have you ever heard the saying, “Content is king”? If not, let me say it now – content is king.

It does not matter how nicely decorated, how syndicated, how connected – if you never publish anything worth looking at, no one will come and look.

The most important thing you can do for your blog is to write content you care about for only those who also care about it. Yes, you can get readers and subscribers by following trends, algorithms, and fashion but all you will have is an audience with whom you have no common ground.

Therefore, be sincere, be passionate, and create stuff that you care about enough to share.

Be yourself. Everyone else is taken.

Step 6: Use hashtags and hashcats well

By now you should be building connections, engaging with others, and writing about your passions. Your content is propagating out there somewhere. No what?

Now it is time to use tags. Well, I say use tags. Use tags if your content is published via ActivityPub. I have set a custom ActivityPub template that adds my tags and categories as activityPub hashtags. We are going to talk about how to use these.

Hashtags not to use

The power of hashtags is in their specificity. While it might be tempting to tag all your work #Blogging #blogs #blog – that tells me nothing about your subject matters. I suggest you stay well away from generic tags.

Hashtags to use

I would love to give you a list but that list would never be the same from one person to the next. The best tags (hashtags) to use are tags that accurately describe the nature, theme, and subject(s) of the content.

For example, on I Am The DJ my tags are genres, instruments, and artists. That way the Electro Swing lovers and the Metalheads each know if my post is right for them. The same is true of all flavours of music fans.

Don’t chase the big hashtags and trending topics. Instead, use tags to describe in as few tags as possible who this post is for by describing the content and topic.

The best tags are the specific ones because – even if they get very little attention – the right readers for you care about them.

My preferred ActivityPub template

<strong>[ap_title]</strong>

[ap_content apply_filters="yes"]

<p>[ap_hashtags] [ap_hashcats]</p>

[ap_permalink type="html"]

Step 7: Master headlines

Before we start, I am not endorsing linkbait. That might work in the walled gardens but in the small web this is going to come off as fake and manipulative. I don’t want to see “24 things that do bluh (you wont believe number 9)” nor “Is your common thing slowly killing you?”

Instead, practice writing headlines that tell the people who love what you love that this post is for them. There is no magic formula for this. Time and practice are going to be your teachers here.

Here are three ideas I use a lot

1. I tend to go with descriptive titles but the right choice depends on you and your content.
2. Asking a question that your post will answer is another method I like.
3. Starting a conversation with a simple open ended question works too

Tell me about your headline writing in the comments, a reply, or via a mention.

Step 8: Experiment with stuff

If you want to indicate your indie blog into the Fediverse or as a comment via WebMention – try some stuff out. Ideally in a way that doesn’t spam up someone else’s blog or timeline.

It took me a long time before I could get I Am The DJ to look even remotely readable on Mastodon. What I learned was that while I could embed a YouTube video in a post, that did not translate too well in the Fediverse. I learned that I needed a regular link as well as the embed. My posts now often have the text YTL (for YouTube Link) which I link to the video. Then, on Mastodon, the video is shown as long as it is the first link.

You too may need to play about with some stuff until you get things working. Never assume that a jump from one platform to another is still readable. Check. Try stuff. Break things. Try more stuff. This is how we learn.

Step 9: Get feedback

I write stories. Perhaps to a level that could get an agent interested. Maybe. To get there though, I had help. That help came from a community of other writers. Writers who I meet in person most weeks.

When I started out, I had none of that. In fact, I struggled to find a writing group because I had no idea where to look (there were loads). My solution was to start a writing group. That’s not the important part of the story. The important part here is the lesson it taught me. The lesson was this – to get good, you need peer feedback.

Another lesson was to get my story as good as I could get it before asking for feedback. That way anything the other writers flagged up was not something I could have easily fixed if I had made more of an effort.

Those friends you made back in the earlier steps – a polite request for their thoughts on a blog post or two may yield insights you might not get on your own. Yes, you can ask chatGPT but I promise you real humans do it better. Just remember that these are people giving up their time to help you and treat them appropriatly.

Apply what you learn to the next post you write. Keep learning. Keep writing better posts. Do not stop.

Step 10: Maybe go easy on the stock images

While it is true that images with posts often get more attention, that’s not the full story. We humans are visual for the most part. Which is why using images with your post can get more eyeballs on it. Especially if the syndication via ActivityPub and WebMention are working well.

There’s a huge gotcha that no one will tell you about. Stock images.

You are a blogger (or want to be). I’m a blogger. Our readers have seen many blog posts before us. Which means that they have probably seen those stock images ten times before. How many potential readers have skipped past our posts because they are bored of seeing those images?

You know what images your possible readers have not seen before? The ones you take yourself. They don’t even need to be from a dedicated camera (although a good DSLR can take amazing images). Your phone has a good enough camera on it. Go outside. Take pictures. Use them at least sometimes instead of stock images.

If nothing else, you’ll have some unique image content for social media.

I’m practicing what I preach for this post. The image with this post was taken by me earlier this year.

Step 11: Don’t stop

Developing a community or a readership takes time. Yes, I know big walled-garden social media has led us to expect big numbers quickly but IndieWeb is all about quality over quantity.

Blogging is very much a marathon and not a sprint. To be much more accurate – blogging is like fishing. You drop out a line and see if you get a bite. Then you do it again.

If you write stuff people want to read and don’t stop, eventually those people will find you.

Step 12: Add value

You might have noticed that my posts on this blog are infrequent but long. I have found that posts that go deeper, take more research, and a greater investment of time attract the kind of readers that I would like to connect with.

That’s not the only way to do things. I also get nice interactions on my social node which is pure short form. There, I get reactions with photos I have taken and open-ended questions that start a discussion.

My best post (by comment count) on Matrix Dreams is a breakdown of a new spam/scam. The readers show up from search results because I’m the only one to have written about this scam.

What these all have in common is that the posts offer value to the people who find them. How they find them differs from blog to blog but it is the value that matters.

Value can be many things. In short, value is something that the visitor finds worthwhile. That can be useful information, niche content, howtos and guides, news, reviews, fun, laughter, cute animals, code samples, tutorials, a game, wildlife photography… So, yeah, value is hard to pin down but, generally, you know it when you see it.

Step 13: Forget about finding readers and unite communities

Having learned all that, I am now going to suggest you forget it and do this one neat thing – unite people.

The more you can draw people together rather than to you specifically the more value everyone gains as a result. The more people in the social network of friends and fellow fans of your specific niche and interests the greater the value to everyone inside the group. They call this the network effect. That’s what makes Facebook and Mastodon work. The more of us there are the better it is for everyone.

While, yes, you can do those other things maybe bringing people together is of more value. The chances are that you will need to do some or all of those things to build a community. I’m not going to lie, community building is harder. However, if you build a loyal readership you only have readers but if you aim to build a found family instead you have both readers and a village of folk who share your passions and interests.

And so this takes us back to the beginning where I suggested that connecting with people is the thing to do. Instead of promoting a blog, promote a virtual village in which your blog is but one house.

Conclusions and Further Reading

Getting readers (and comments) to your indie blog is 90% connecting with people and 10% making neat stuff. There are a few bumps and lumps to overcome so the network effect can kick in assuming that is even what you want.

A node of interacting WebMention blogs grows in value with each additional blogger that connects with the community. As I said, connecting with people is the secret such as it is.

Talking of WebMention, I wrote a post called 100 things you can do with WebMention. One of the things I did not add was subscribe to the #WebMention hashtag on Mastodon. People tend to post about setting it up. That’s your chance to go connect with another WebMention user.

If you liked this post, you may like my even longer post Let’s talk about making IndieWeb weirder and easier.

Here are some other blog posts not by me for further reading:

• How I am blogging the IndieWeb way by Elizabeth Tai
• Social readers, a new way of thinking about social web interactions on James’ Coffee Blog
• IndieWeb adventure: First steps by bacardi55
• Replacing comments with webmentions by eRambler
• Joining the IndieWeb with Webmentions and Microformats by Steve Woodson
• Grow the IndieWeb with Webmentions by Amber

Over to you

What are your tips for connecting with readers the IndieWeb way? Do you agree with all my points or do you have an alternative view – I’d love to hear from you either way.

Over to you – WebMention, Reply, or comment with your thoughts, ideas, tips, stories of failure, and all your other stories of blogging on the small web.

I am a huge fan of WebMention and a WordPress user. This is why I am so thrilled that Matthias Pfefferle created the fantastic WebMention plugin for WordPress. I think we should all use WebMention and in this post, I will explain why.

What is WebMention?

TL;DR: WebMention pings a page you link to to tell it about the link. The linked-to page can choose to display a list of the pages linking to it this way. Perhaps in the form of a comment.

WebMention is a set of groovy IndieWeb Internet rules (aka a protocol) that (among other things) allows us to reply in the form of a blog post (or any other page on the web). For a better overview, try the Wikipedia Webmention article.

All I have to do to reply from this blog is link to a WebMention-enabled page that I want to mention. My post will (maybe after a short delay) appear as a comment on the mentioned page in question.

Why is WebMention good?

This is a great idea because it allows small web things to knit together into a semblance of a community. Not to mention that it can increase the count of relevant comments. Pair with ActivityPub also by Matthias Pfefferle for maximum federated comments.

Getting comments, I think, validates the efforts we make to write interesting content. Also, it just feels nice.

Can WebMention really get me more readers?

Yes but also maybe.

By itself, WebMention does not do much. However, when you start interacting with others and reply to their content, you are likely to attract the attention of others. Some of those others might like your stuff and bookmark you or add you to a feed reader or something. They might not but they might. That rather depends on what content you make.

Does WebMention increase spam?

No.

I’ve never had a spam WebMention. Probably because the link to the page has to exist when the ping was sent or the mention gets rejected.

Is WebMention free?

Yes.

There are no ways for someone to charge you for it. The WordPress plugin is free too.

Conclusions

WebMention is fantastic IMHO. I want more people to find out about it and start mentioning to each other. If you are an indie blogger, WebMention is your friend.

In this post, I am going to share some Python stuff I have written for my visual novel written in Renpy. The novel is set in my Three Kingdoms setting (recently added to my pixel wall).

These may or may not be a good way to do what I am doing. Please feel free to comment or reply with corrections, suggestions, or insights. Then again, feel free to just say hello.

If you want to use my draft Python code, feel free to take it under the GNU GPL2 or CC BY-NC-SA 4.0.

Injectable flags

init 1 python:
    #skip some stuff
    
    class ChFlags:
        def __init__(self):
            self.name = 'flags'
            self.flags = dict()
        
        def set(self, flag, flag_bool=True):
            self.flags[flag]=flag_bool
            
        def has(self, flag):
            if flag in self.flags:
                return self.flags[flag]
            self.flags[flag] = False
            return False

The purpose of this class is that it can be injected into other classes – mostly character and faction classes. The setting self.name is what is used as the index to retrieve the class later.

Injectable classes (like characters) have a method like this:

        def add_feature(self,feature):
            self.feature[feature.name]=feature

I chose to go this way as not all characters need all the features. The player, for example, needs almost all, and the key characters also need many. Characters have a big enough list of data as it is. Adding more than needed did not seem smart.

Faction tracking

I use a similar approach to assigning characters to factions.

init 1 python:
    #skip some stuff
    class faction:
        def __init__(self, name):
            self.name = name
            self.chars = dict()
    
        #skip some stuff 
    
        def add(self,ch):
            self.chars[ch.name] = ch

In this class for faction tracking, you can see that I’ve not completed it (I skipped some bits that are not good enough to show off yet). I use that same name as the key method as characters all have unique names. Here, however, the faction itself is initialised with a unique name. That’s because the collection of all factions contains more than one faction. This way I can ask for a faction by name.

Spells and spell effects

I have used the same pattern for building up unique spells.

init 4 python:
    #skip some stuff

    class SpellEffect:
        def __init__(self):
            self.name = 'mistake'
            
        def single_target_effect(self, target, caster,spell):
            pass

    #skip some stuff

    class SpellEffectDamageDice(SpellEffect):
    
        def __init__(self):
            self.name = 'damagedice'
            self.n=1
            self.dice=4
            
        def define_dice(self,n,dice):
            self.n=n
            self.dice=dice
            
        def single_target_effect(self, target, caster,spell):
            damage = spell.modify_by_element(dice_roll(self.n,dice=self.dice))
            return target.take_hp(damage)

In this example, spell effects build off of the SpellEffect class. This is so I can change all spells at once (if I need to) by editing the base class and specifying different ways to implement spell effects.

The example here is SpellEffectDamageDice(SpellEffect) – a class that rolls a number (n) of arbitrary-sided dice. As the name variable is set only one dice roll of damage happens per spell. That said, all class attributes are public in Python as far as I can tell so, I guess, I can always rename one.

In case you were wondering about that last method (not fully tested), dice_roll is a function. IT is currently the only helper/tool not inside a class.

init -99 python:

    # common rpg feature
    def dice_roll(number=1, dice=6, plus=0):
        total = 0
        for x in range(1,number):
            total = total + renpy.random.randint(1, dice)
        total = total + plus
        return total

Conclusions

I have this peek at some of my code from a project in development was interesting. I’d love to hear your thoughts on my approach. Is it good, bad, or something else? I’m fairly new to Python so I won’t feel bad if you want to correct me on anything.

I’m sharing this mostly for the comments and interactions – so please reply, mention, or comment. I want to know your thoughts.

I’ve been reflecting on the EU “Upload Moderation” law – better known as Chat Control – and why it will not work as intended.

What is Chat Control?

Upload Moderation is an EU proposal designed to identify child sexual abuse material (CSAM). This is a valid and laudable aim. The law proposes legal obligations for chat and email providers to scan every message for CSAM, even if the data is encrypted.

The scanning proposal would create “detection orders” that allow for messages, files, and photos from hundreds of millions of users around the world to be compared to government databases of child abuse images. At some points during the debate, EU officials even suggested using AI to scan text conversations and predict who would engage in child abuse. That’s one of the reasons why some opponents have labeled the proposal “chat control.”

Now The EU Council Should Finally Understand: No One Wants “Chat Control”, Electronic Frontier Foundation

Why is (Upload Moderation) Chat Control bad?

Chat Control is terrible for so many reasons. Here are some of those reasons which can be summarised as cost, effectiveness, and detrimental effects. But mostly Chat Control is a square-peg solution for a round-hole problem.

1. Chat Control could fatally undermine encryption.

The proposal, which is aimed at preventing child sexual abuse material, would essentially break encryption.

EU chat control law proposes scanning your messages — even encrypted ones, theverge.com

If you leave the backdoor open so your mum can pop in any time she likes, criminals and local wildlife could also pop in when they want to. On a technical level, the only way Chat Control could be implemented would be to essentially install spyware on phones and computers or compromise encryption. Do you want a digital back door that never closes?

Spyware is not smart, it will report to whoever figures out how to ask it to report. No matter how much the EU plans to protect the spyware access, sooner or later cyber criminals will figure out how to use it too. At that point, we are all in for a world of hurt.

A hole in a defensive wall is a hole that both sides can use. If you poke a hole in encryption, everything the encryption protects is open to whoever wants to look at it. That would include passwords. Any chat or email system with that sort of security problem is no longer worth using.

Either way, the EU does not understand the technology being legislated about. The UK tried something similar and was shot down because what they were asking for would have given criminals unrivalled access to Internet banking via compromised encryption.

For two years, Member States have been unable to agree on a common position for the CSA Regulation. It is time to withdraw the current proposal and consider a new approach for making online platforms safer for children that does not lead to generalised monitoring or breaks encryption.

Joint statement on the future of the CSA Regulation

2. Chat Control treats us all like criminals

We are alarmed and fear that the EU Council’s current proposal would simply undermine the confidentiality of private communications.

Warnung vor Chatkontrolle (Warning against chat control) – translation via tuta.com

There is no practical difference between reading all emails/chats and any of these things:

• Opening every letter sent in the mail just in case
• Recording every telephone conversation
• Planting a bug in every home

They are all the same level of privacy invasion.

No good thing ever came from the assumption of guilt until proven innocent. I’m confident no one needs me to explain this one.

I also assume you noticed that once set up, it would be trivial for EU countries to quietly expand the scope of Chat Control and spy on people for other reasons.

3. Preditors would not be slowed by Chat Control

Evildoers determined not to be caught doing evil are highly motivated to find ways to remain undetected. In this case, said preditors have a whole load of options not least of which include chat and email systems operated outside of the EU. Chuck into the mix TOR, VPNs, proxies, and other privacy tools and the vast majority will remain undetected.

Back in the early days of the web, we all communicated in forums. These forums had filters to block topics that the moderators did not want. They never worked. They failed because as fast as the filters updated, users found new and fun ways to say things such that the filters were none the wiser.

“Sex” could become s*x, zex, se><, $ex, se)(, sox*(o=e), and so on.

“Porn” could become, pron, p@rn, p*rn, prn, p()rn,pr()n, p()r|\|, and so on.

Those are just the ones I remember seeing. You cannot update the filters faster than people can find ways around those filters. Word scan moderation never solved the problem on forums so why does anyone believe that Upload Moderation will work this time?

Not to mention that common phrases often got truncated into acronyms. Comment “I feel old” to anyone who remembers ASL being a banned topic and/or still knows what it means and why it worried the admins. FYI, this problem was solved with more moderators and better user reporting tools. Forums were made into safe places not through technical solutions but through community cooperation.

4. Just look at China – they had to ban Winnie-the-Pooh

China has near-total surveillance of everything its population does online. Nevertheless, the Chinese population still talks about illegal topics. They do so by adaptively switching to new euphemisms.

China ended up banning Whinny the Pooh because that became a way to “innocently” mention a high-ranking party member.

Beginning in July 2017, the government of China has been censoring imagery of the anthropomorphic teddy bear Winnie-the-Pooh, particularly Disney’s version of the character. The censorship is believed to be a result of General Secretary of the Chinese Communist Party Xi Jinping being compared to the character in internet memes, which the Chinese government perceived as a disrespectful mockery of Xi.

Censorship of Winnie-the-Pooh in China, Wikipedia

China may have frightened the masses into being very careful about what they say online but they have yet to stop people from talking about or expressing opposition to legally protected ideas.

Unless the EU is prepared to be as ever-present as the Great Firewall of China, Chat Control will fail to help even if it passes. Moreover, the EU is not a territory with restricted speech laws so the same type of oppressive overreach will be less effective in the EU than in China.

5. Preditors are motivated to stay hidden

If you scan files of people who are trying to stay secret, do you think they are not going to find ways to hide those files from the scan? They are already trying to hide from the police and often from their own families.

To identify images of the unmentionable evil variety requires either an unsustainable workforce or automation. The workforce is too expensive and automation has some big risks attached.

You could look for files called this-is-criminal-abuse.jpg but nothing is stopping them from calling the file roses-on-a-sunny-morning-in-june.jpg. So, obviously, this is out. This is why the legislation points to AI matching criminal images to sample images via AI identification. And we all know that AI never spits out nonsense apart from those times when it does. This means that innocent people may be heavily investigated because the AI couldn’t tell the difference between someone’s holiday photos and something vile.

Meanwhile, the preditors will be (1) not sending images as scalable as that and probably encrypting them inside archive files with, say, VeraCrypt, (2) use coded language that only other predators understand that changes over time, and (3) selling to each other on the dark web where everyone ignores the law anyway. Chat Control solves none of these problems as most criminals are already doing these things.

Furthermore, AI can be tricked into misidentifying images with very little effort. I cover this in more detail further down the page.

Preditors are actively attempting to avoid being noticed. The ones that were not caught early in their active evil behaviour will have already mastered looking innocent under inspection. Some well-known British entertainers spent their entire lives beloved of the public while doing unspeakable things. The spot light does not frighten them.

6. There are a lot of ways to ignore the Chat Control law

If you knew that your whole house was bugged, you would be careful about what you said at home. For important conversation, you would go out for coffee, visit a park, or sit on the beach. Likewise, Chat Control can easily be avoided too.

The most obvious method of avoiding Chat Control I mentioned earlier – TOR. A technology that is pretty much what people mean when they say “The Dark Web”. TOR cannot be indexed, resists user identification, and is heavily encrypted over and over again (in layers like an onion).

If TOR is not your cup of tea, there are guides out there that allow you to jailbreak your phone. Once that is done, you can determine what does and does not run. And you can sideload chat apps that are not in the EU and thus not filled with legally mandated spyware.

If there is enough demand, another criminal enterprise will arise with a solution. Like the one that sold specially built and encrypted smartphones running on a dedicated dark (and criminal network) for criminals.

Chat Control is an attempt at a technical solution to a human problem. The thing is, technical solutions only work for technical problems. Chat Control would just set itself up as a technical problem to be solved. For human problems, you need human solutions.

7. Compliance enforcement will only hurt the economy

What if Chat Control passes and all the technology companies just said no? What if the companies that understand the technology respond that the Chat Control laws are unrealistic and/or technically impossible? What if companies oppose them on moral grounds (at least for PR reasons)?

Let’s say I am a tiny start-up in the chat world with a staff of just me. I can’t afford expansive AI. Do I go bust or do I tell a white lie? What I can afford is to write a tiny script which says that I did the scans and found nothing. After all, there is no difference between finding nothing and saying you found nothing – they look the same. The fake version is affordable and takes an afternoon.

Companies like Apple, Microsoft, and Google have deep pockets and teams of people just for handling legal challenges by governments. The EU would have to raise a big old budget to take on all the technology firms. Even if they win, the technology companies can just walk away from the EU. There’s no rule that says they have to stay.

An international technology company with its headquarters in France would have little problem becoming a technology company with its headquarters in the UK, America, or some other non-EU location. No criminals have been caught and you just cost your country a whole load of jobs and tax revenue while making the EU less relevant in the technology marketplace.

Sure some companies may comply. Others will fight you to the bitter end.

Of those companies that comply, how many will survive the rapid departure of the technologically literate to other companies that don’t spy on you?

At that stage all Chat Control has done is create a financial incentive for companies to (1) say they comply but don’t, (2) refuse to comply, and/or (3) move their HQ somewhere that values them.

For years, experts, civil rights groups, and chat service providers have warned about the potential impact on privacy and security. Chat services like Threema and Signal have stated they would leave the EU if such controls were implemented.

Chat Control to be back on the European political agenda in October, stackdiary.com

8. Chat Control is an invitation to protest using technology

Some time ago, it was revealed that an American agency was secretly reading citizen’s emails. People did not like that much and so protested in the funniest way possible. They started sending vast quantities of emails laden with junk text containing keywords that whatever three-letter group it was looking for. (My memory suggests it was the NSA but I don’t fully recall). Thus for no cost to the protesters, the government agency had to pay more to sort through the increased volume of noise (false positives).

It would be trivial to send billions of emails a minute as noise the EU states and ISPs would have to work through. Spammers already do this so the tools are mature and robust. The recipients don’t even need to exist so long as the sending is what the Chat Control spyware logs. If you have an unlimited data plan, that automation can run 24/7.

One assumes that there would have to be some API for those remaining compliant companies to send their data to the EU. There is nothing stopping protesters from buying of-the-self DDoS software and just hitting the API with more than it can handle.

Smarter hackers could register themselves as chat/email company and then just start fining bogus claims about politicians or rivals they don’t like.

I can assure you that when Chat Control becomes a vector for protest, no amount of AI will protect the EU from the eyewatering computer infrastructure and personal costs. I confidently predict that maintaining Chat Control will be expensive. If only because it only takes a few discontented and technically able people to cause a massive headache for whoever maintains a computer-based system.

If you want useful data from that, someone is going to have to wade through the bottomless depths of false positives, and spammed noise. EU, stop hitting yourself.

9. There are cheaper and more effective ways to stop vile evil scum who hurt children

There are cheaper and more effective ways to stop vile evil scum who hurt children than Chat Control.

An open letter from EDRi and 48* digital rights, human rights and children’s rights/protection organisations demanded that the EU instead:

i. Work with children’s rights groups, child protection advocates, digital human rights groups, cybersecurity experts and other technologists to develop new technical and nontechnical solutions which are lawful, targeted, and technically-feasible, where these are necessary;
ii. Focus on the implementation of the Digital Services Act (DSA) to ensure that illegal content is tackled swiftly and proportionately;

Joint statement on the future of the CSA Regulation

Who would have thought that the best solution is to work with the experts to build solutions that are both lawful and technically feasible? What a shocker.

10 Chat Control is a data breach waiting to happen

Privacy advocates aren’t the only ones raising alarm bells about the proposal. This week, dozens of Parliament members wrote to the EU Council to express their opposition to the proposal. Patrick Breyer, a German member of the European Parliament, has also spoken out about the bill, saying that “indiscriminate searches and error-prone leaks of private chats and intimate photos destroy our fundamental right to private correspondence.”

EU chat control law proposes scanning your messages — even encrypted ones, theverge.com

If you strip away the privacy and security protection necessary for Chat Control to be fully implemented, you make data breaches easier. This is not me being alarmist – if you remove the things that are there to stop data breaches, you get data breaches. This isn’t rocket science.

Chat Control is an ill-informed order to make mobile phones less secure. That’s bad for users, but amazing for criminals. The EU will have done the hard work for the underworld. You can bet there are criminals ready to try using this the minute it goes live.

11. Chat Control is undemocratic and a perfect tool for oppression

There has never been a time or place where mass surveillance was not used to oppress the population. It is a rare security law that has not suffered from scope creep over time. Today it is sex traffickers and child abusers they are looking for. Who or what will be added to that search tomorrow or the days after tomorrow?

Commission President Von der Leyen’s planned chat control is a Big Brother agency that would monitor EU citizens’ private communications. We must prevent this massive state surveillance.

Moritz Körner, Member of the European Parliament

It would be easy for a government to oppress some groups it does not like by adding “just a few more parameters for the search” but very hard for the public to even find out about it. Do you trust your government?

In the UK we have had scandal after scandal involving lies to the public, the Queen, and parliament; cash handouts to Tory supporters, and all sorts of corruption. I very much doubt that such things will not happen again. Sooner or later a minister will abuse their power to enrich themselves or abuse a group they hate. It is not a question of if but of when.

12. Chat Control will not protect children

Client-side scanning is a highly controversial technology, with critics claiming that it erodes user security and privacy, while failing to protect children.

Tech Firms Warn Against EU Chat Control, Forbes

The reason this proposal fails so hard is that it fails to understand the problem it is trying to solve. Abuse of children is a retched and evil thing that humans do. What the law proposal misses is any evidence that the huge mass of user data will stop even one criminal. It assumes that because these evil ****s use phones that the solution is to search all phones.

Child abusers use cars too. Should we have checkpoints every fifty miles for a full stop and search of all cars? Of course not, that would be a massive overreach and disproportionate to the problem. Chat Control is the same amount of overreach for no good reason.

You would be much better off empowering children to speak up when an adult is harming them. It would be better to work with existing agencies that understand the problem and help them to be more effective. It would be cheaper to train police officers than it would to look at every photo ever sent by anyone ever again.

13. AI is not fit to do this job

You might be tempted to think that AI can handle the so-called “Upload Moderation” of Chat Control. The truth is, though, that current AI does little more than statistically guided guessing. AI does not understand what it is looking at. Furthermore, AI is so very easy to trick.

There is a tool called Nightshade designed to poison generative AI models by misleading the AI about what it sees. Nightshade changes the pixels of images in subtle ways that are invisible to human perception. These changes manipulate machine-learning models so that they interpret the image as something different to what it actually is.

All a criminal would have to do is use Nightshade so that humans see, “a child being harmed by an adult” whereas the AI sees, “a dog jumping for a ball”. Now, how much use is your privacy invasion scan worth?

One of my hobbies is getting generative AI to do weird and amusing things. Trust me, it is trivial to get AI to behave in ways it was not designed to be used.

AI will not help Chat Control be effective. Instead, it will give you false positives and false negatives. I have doubts that such an undertaking would reliably produce actionable intel. On the other hand, investing in schools so that children feel safe enough to talk to an adult will produce actionable intel at a fraction of the cost.

14. “Upload Moderation” AKA Chat Control does not understand the technology

Any criminal who knows what they are doing will not feel threatened by this EU law. This is because the law fundamentally fails to understand the technology it is trying to address. Most of all because it assumes that no one knows how to hide files inside other files whereas criminals are very good at hiding. Hiding is in the job description for evildoers.

For a moment I am going to imagine that we live in an oppressive surveillance state with remarkably effective AI monitoring everything I send. I, in this imagination, am an activist working towards a return to free and fair democracy. If I am caught, I will be killed. I need to send a series of photographs I took inside the secret police headquarters. The government will see everything I send.

Part 1 – simple Op Sec

Today, I shall be paranoid. I will start but using a virtual PC running without access to my hard drive (you can use RAM as a temporary HDD). When I shut it down, all traces will be gone.

I boot my virtual PC and download TOR. The government AI saw me do that. The clock is ticking for me. Using TOR, I down an illegal-to-own copy of Nightshade from the darknet. Then I download a copy of VeraCrypt the same way.

I pull my photos from the memory card and then erase the memory card, smash it up, and burn it. I use Nightshade to corrupt my photos with false AI data. I strip all metadata from the images. Then I hide the photos inside the metadata of some cat photos. A method known as Steganography.

That was all stuff anyone with an internet connection could do for real, right now without the darknet. and unknown to anyone

Part 2 – getting my file ready

Now I boot VeraCrypt and create a volume twice as large as I need. This will make a file that is filled with random noise indistinguishable from encrypted content. I add some copies of underground newsletters that might get me a few years in prison onto the drive. Then I make an invisible VeraCrypt drive inside the first one. Even if they force me to give them a password for the file later, they will only unlock the newsletters.

I add the images to the second VeraCrypt volume. I save the file as financial-report-Q3-private.xls. I use TOR to connect to a disposable email address with which I send out the file with the subject “Help! This report is due and the file has corrupted”. I attach the VeraCrypt file.

I shut down the virtual machine leaving no trace on my actual PC.

Anyone could learn to do this in less than a day.

Part 3 – can’t touch this

The oppressive surveillance state saw me send that file to fellow dissidents. The secret police have a backdoor with my ISP and TOR (yes this is a dark timeline). They have the file I sent. Even so, I know they have nothing I did not want them to have.

They bring me in and “integrate me”. I yield under “enhanced questioning” and give them the first password. They see I have been reading banned writing. I confess to reading the newsletter.

Meanwhile, they search the VeraCrypt file but cannot determine if there is anything else inside it. They also search my computer which is totally clean.

They give the VeraCypt file to the AI. It breaks the second password (this is fantasy after all). It finds the hidden files (definitely a fantasy). It finds no images to worry about because I added the Nightshade corruption. It reports, “No crime detected”.

I get a couple of beatings and two years in re-education for passing about banned newsletters. The pro-democracy underground has my photos and the campaign continues without me.

In real life: AI is not that good, encryption is nearly impossible to break, pulling files from a noise-based encrypted virtual volume has never been done, finding hidden files requires trained professionals, and the police do not (officially) get to beat people until they confess.

Imagine this is a criminal in a democracy now

You can learn to do all of those things with a few searches. If a criminal did this – even if the criminal’s entire internet connection was monitored and scanned by both AI and people – the authorities would have nothing to base charges on.

Now imagine that the criminal was not a total newbie at this sort of thing like I am. How much better would they be at hiding evil images? No amount of privacy invasion will help the police.

Making sure the child being abused has safe adults to talk to will help. Making it easier for children to tell adults that they are being hurt will stop criminals sooner.

No amount of technical Op Sec will save a criminal if their victims speak up. In the fantasy version of this method, all it would take would be one person from the secret police inside my team, and my fictional activist self would forfeit their life. The sort of crime Chat Control wants to fix is a people thing, not a technology thing.

What I am saying is that this proposed law is not fit for purpose

If a child harming evil **** sends their illegal images in the clear, they have probably messed up in so many other ways that Chat Control is not needed and if not then Chat Control cannot help.

These are not secret techniques for hiding content. They are well-known tools. Some of the methods the criminals can use pre-date the Internet. Detecting these crimes was never a technology problem.

This little story is not a guide to evading capture as a vile human being but an object lesson in how the technology went passed the point of legislating to give you an inside view years ago. If you don’t think the criminals are using these and more advanced techniques, I have a bridge to sell you.

Just like as a fictional activist, I could hide my activities while in full view of the authorities, criminals can likewise hide what they do. Just like fictional me, the weakness is not technology but people. Fund the people parts of crime detection and prevention if you want to catch more evil criminals who harm children.

Conclusions

I waffled on for long enough already. I have shown you 14 reasons why Chat Control will never work even if it passes. The simple truth is that it is not an effective tool. For real change, you need human solutions to human problems. AI is not the answer.

The EU “Upload Moderation” law – better known as Chat Control – is silly and shows a profound lack of understanding about how technology works and how it is used.

What are your thoughts on Chat Control and other government attempts to fruitlessly break encryption? Do you disagree with me? Have I missed a good reason why it won’t work and should never be passed? Would you like to add something?

Let’s talk. Leave me a comment or a social reply.