ChatControl and VPS in the EU
I just heard that unfortunately ChatControl is moving forward in the EU. I've also heard about some recent shenanigans by the French government trying to compel GrapheneOS to create a backdoor.
I bought some VPSes in the current Black Friday/Cyber Monday sales that are located in one of the member states that supported ChatControl.
Will we have to worry about backdoors or loss of privacy in EU VPS in the future?

Comments
Time to deploy https://chatmail.at/ to escape ChatControl
For well over a decade (at least) the writing's been on the wall.
In most major cities (and soon after even in the countryside) everything we do will be 100% recorded.
Expect to go to prison before you commit any crime based on algorithm's 99.9999% prediction (with the "if one child can be saved" and similar rhetoric that no one can really oppose without sounding as paranoid as I'm sounding now LOL).
Without getting into politics, the answer is: yes, to both.
I would avoid Email entirely, if privacy is a huge concern.
Lots of metadata, even if body of the message is encrypted.
Possibly the first real Brexit benefit lol
Not that the UK is doing any better on crap laws
Chatmail is the server for Deltachat[1] = end-to-end encryption (E2EE) by default for all messages (metadata too)
[1] https://blog.feld.me/posts/2025/03/deltachat-is-actually-good-though/
All legislation in this context targets platform operators, not hosting providers. There's no immediate need to migrate your EU infrastructure.
That said, given the current political climate, both in the EU and globally, it may be worth considering alternative locations as part of a long-term strategy (3-5 years out). The challenge is that few countries maintain both a strong pro-privacy stance and a stable political outlook for the foreseeable future.
Iceland would come to my mind, but as an EEA member, it's unclear how insulated it would be from EU regulatory changes.
Not to mention that it would probably come under a lot of political pressure if it becomes the location to evade international regulations.
The best way to go is probably to ensure that your services implement proper E2EE. So you don't need to worry too much regardless of how regional legislation evolves.
100%.
Personal VPSes and small orgs are small fish that nobody cares about. And the regulations will not hit the hosting providers, they will hit the orgs themselves, who are then required to comply (install backdoors) with their own labor. Why? Well:
Personal ISP connections, for example, are trivial to monitor en masse by installing a MITM box in the upstream. So the legislation hit the ISPs to force that change.
The web hosting environment is too complex to implement mass-surveillance on the infrastructure-level like that. So the legislation will go after each org individually instead, and demand a case-specific backdoor into each service of interest.
In short: The usual precautions apply. Encrypt your disks, E2E all network connections, don't collaborate with the cops.
No
That's from a hollywood movie.
The resistance will never die. Historically, people have always resisted even in much worse circumstances. If you surrender your optimism and hope for a better future, you are forgetting history and doing their propaganda for them.
It's bad, and getting worse. But let's keep our eye on the real oppressions and not allow each other to get lost in cynicism.
All my personal devices are encrypted but I am skeptical of the benefit of having an encrypted volume or drive on a VPS. I did it once on a dedicated server using a guide and it was a pain to set up. My understanding is that if the VPS is continually powered on then the encryption key is in memory and thus could be accessed by someone with access to the physical hardware if they really wanted to anyway. The only protection I would have is if the VPS was powered down. But maybe I'm misunderstanding this.
Thanks for the Chatmail recommendation, I hadn't heard of this. It looks like a great alternative to Signal if that becomes targeted. The WebXDC apps were very cool and I tested playing chess with a friend!
I am still looking for a Discord alternative as I don't trust Matrix (https://hackea.org/notas/matrix.html). If someone could add a channel like style to Chatmail that would be ideal.
It looks like there isn't much benefit to hosting your own Chatmail server though, due to the nature of the protocol, other than perhaps having control of the domain and not losing access to the email address. However, since it's not like the data is really stored on the server for long periods, as long as you'd notify people of the change of address it would be fine.
If you don't want to host Chatmail yourself, you can test ArcaneChat[1]
[1] https://arcanechat.me/
Who are your opponents? Some hypothetical James Bond Hackerman, or some real state organization with budgets, bureaucracy and burnout to contend with?
The benefit is that:
1) It is much, MUCH more difficult and expensive to extract data from an encrypted server
2) This expense means that state opponents are more likely to avoid doing it
3) Unless you're running something extremely massive, you are probably not the main target. So your extra security will be overlooked and not considered a priority.
4) Historically we can see that the standard procedure of state opponents is to seize servers, power them off, and THEN do forensics.
So encrypting your VPS is actually very effective in real life. Don't let theoretical exploits blind you to the real security benefits. Remember, security is never perfect and always iterative - the only secure computer is one that's turned off, under 6 feet of dirt. Every useful computer has some compromises.
Extracting the LUKS encryption key from VPS RAM isn't a particularly hard task unless memory encryption is used (AMD SEV). With unencrypted RAM, the attack is pretty practical.
However, I do agree here.
I would still recommend using a dedicated server and implementing LUKS there; the security guarantees are significantly higher. Though it depends on what kind of data you are processing. For most use cases it's too big an expense to justify.
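The two claims in the comment above (the LUKS volume key sits in guest RAM while the volume is open, and only memory encryption such as AMD SEV keeps a host-side RAM dump from revealing it) can be checked from inside a VPS. The script below is an added example, not code from the thread or from cryptsetup: it classifies what the guest kernel reports about SEV from dmesg, and inspects a `dmsetup table --showkeys` line to show whether the dm-crypt key is printed in hex, held only as a kernel-keyring reference (the LUKS2 default), or masked. The SAMPLE_* values are constructed inputs so it runs offline; `live_report` runs the real `dmesg` and `dmsetup` commands and needs root.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks a VPS tenant can run to see
# how exposed an open LUKS volume's key is, plus a live wrapper that needs root.
# The SAMPLE_* values below are constructed inputs for offline use.

# Classify what the guest kernel reports about AMD SEV.
# Usage: mem_encryption_state "<dmesg text>"   -> sev-snp | sev-es | sev | none
# Without SEV, anyone who can dump guest RAM from the host reads the dm-crypt
# key in the clear; SEV-ES/SEV-SNP additionally protect register state and integrity.
mem_encryption_state() {
  # Two wordings occur in real kernels:
  #   "AMD Memory Encryption Features active: SEV"                (older, 5.x)
  #   "Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP" (6.x)
  line=$(printf '%s\n' "$1" | grep -i 'Memory Encryption Features active' | head -n 1)
  case "$line" in
    *SEV-SNP*) echo sev-snp ;;
    *SEV-ES*)  echo sev-es ;;
    *SEV*)     echo sev ;;
    *)         echo none ;;
  esac
}

# Inspect one table line from `dmsetup table --showkeys` (without the "name:" prefix).
# Usage: dmcrypt_key_exposure "<table line>"
#   -> hex-in-userspace  : volume key printed in hex; root in the guest can read it
#      keyring-reference : LUKS2 default, key held only in the kernel keyring
#      hidden            : all-zero placeholder, i.e. run without --showkeys
#      not-crypt         : not a dm-crypt target
# In every case the key is resident in guest kernel memory while the volume is open.
dmcrypt_key_exposure() {
  # dm-crypt table format: start length crypt cipher key iv_offset device offset [opts]
  set -- $1
  [ "$3" = "crypt" ] || { echo not-crypt; return 0; }
  case "$5" in
    :*:logon:*|:*:user:*) echo keyring-reference ;;
    *[!0]*)               echo hex-in-userspace ;;
    *)                    echo hidden ;;
  esac
}

# Live report on the current machine (needs root; not used by the samples below).
live_report() {
  printf 'memory encryption: %s\n' "$(mem_encryption_state "$(dmesg 2>/dev/null)")"
  # Without a device argument dmsetup prints "<name>: <table line>" per mapping.
  dmsetup table --showkeys 2>/dev/null | while IFS= read -r entry; do
    case "$entry" in *': '*) ;; *) continue ;; esac
    name=${entry%%:*}
    printf '%s: %s\n' "$name" "$(dmcrypt_key_exposure "${entry#*: }")"
  done
}

# Constructed samples (not captured from a real system).
SAMPLE_DMESG_SNP='[    0.000000] Linux version 6.8.0 (constructed sample)
[    0.412345] Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP'
SAMPLE_DMESG_PLAIN='[    0.000000] Linux version 6.8.0 (constructed sample)
[    1.234567] KVM: Hypervisor detected'
SAMPLE_TABLE_HEX='0 20971520 crypt aes-xts-plain64 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff 0 254:1 32768 1 allow_discards'
SAMPLE_TABLE_KEYRING='0 20971520 crypt aes-xts-plain64 :64:logon:cryptsetup:2d3f8a51-7c1e-4b2a-9d3f-a1b2c3d4e5f6-d0 0 254:1 32768'
SAMPLE_TABLE_ZERO='0 20971520 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 254:1 32768'
SAMPLE_TABLE_LINEAR='0 20971520 linear 254:0 2048'

# Demonstration on the samples; call live_report instead on a real box.
printf 'SNP guest : %s\n' "$(mem_encryption_state "$SAMPLE_DMESG_SNP")"
printf 'plain KVM : %s\n' "$(mem_encryption_state "$SAMPLE_DMESG_PLAIN")"
for t in "$SAMPLE_TABLE_HEX" "$SAMPLE_TABLE_KEYRING" "$SAMPLE_TABLE_ZERO" "$SAMPLE_TABLE_LINEAR"; do
  printf 'table     : %s\n' "$(dmcrypt_key_exposure "$t")"
done
```

Two caveats when reading the output. A keyring-reference result only means userspace in the guest cannot print the key; a RAM dump taken from the host still contains it unless SEV is active. And the dmesg line is what the guest kernel believes: a hostile hypervisor controls everything the guest sees at boot, so the only evidence that SEV-SNP really protects your memory is an attestation report obtained through the guest's /dev/sev-guest interface and verified against AMD's certificate chain, not a log line.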
Out of the game for over a decade now. I can't confirm or deny this.
You mentioned dedi only, would implementing LUKS on a shared VPS be useless?
Sure but - is it done routinely, to every seized server?
If not - how would the tech know the disk is encrypted before powering off the server?
I would argue that encrypting your server is extra valuable if you're small fish, and you're not seen as likely to be extremely secure. Because it's less likely that an opponent will take the precaution to inspect your server closely before powering off.
No, LUKS is always better to use than not. But a dedicated server is more secure because it is not vulnerable to hypervisor exploits.
Sorry if I wasn't clear. There is still trust in whatever provider is operating the hypervisor node hosting your VPS. You are trusting them to refuse to dump guests' RAM, thus leaving the feds with the only option of seizing physical machines.
Oh yeah, you're right - I forgot we were talking about VPSes only here. Then yeah, it's much more practical to just dump disk + RAM as standard practice, since the process can be completely automated.