English subtitles

34C3 - WTFrance

Showing Revision 9 created 01/02/2018 by Schnapspraline.

34C3 preroll music

Herald Angel: Good. I have the pleasure and the honor of introducing to you two persons here who are really working at 'La Quadrature du Net'. Alors, c'est vraiment quelque chose en Français ! [i.e. "So, that's really something in French!"] It's an organization, an NGO, it's actually working really on the rights, on freedom of citizens on the internet. I understood that Agnes is there responsible for the coordination mainly about legal issues and that Okhin - I'll pronounce this well - is more responsible at the technical side. He runs as well, I think, a bunch of volunteers, or helping you around. Please give them a welcome applause. Let the show start!

applause
Agnes: Hello, here is Okhin, but he has already been introduced, the third person from 'La Quadrature du Net', and I am Agnes and I work on legal and political issues at 'La Quadrature' as well. So La Quadrature is an organization that fights for fundamental rights and freedoms in the digital area. We are here today to talk about the danger lying above your jobs, especially if you're building or maintaining cryptographic tools. We're here because we think it's important to demonstrate that the worst authoritarian laws don't only come from far right governments such as Hungary or Poland, but mostly from the "social democracy compatible with market economy", to quote Angela Merkel. Along with Germany and the United Kingdom (but with Brexit, exit the UK), France is one of the biggest forces within the EU. And if France can rally at least one of the two others on board it can obtain what it wants from its European partners. It works both ways, of course! But it's important because the problem with that: France is not only exporting its knowledge and practice of law enforcement and anti-riot gear to various governments such as Tunisia or others. France is now also shining for its anti-privacy lobbying as you will see later.

sound issues on Okhin's microphone
Okhin: What is interesting here is to think about what we can do as technicians, developers, sysadmins, sysops, or legal persons specialised in technology issues. Because the threats come from the legal, political and technical areas and endanger not only us but also sex workers, abused women and abused people, who need to flee their home etc. We have to think about our role and to find ways to act, to fight against the threats against encryption. We're going to start with a quick but sadly non-exhaustive history of laws trying to weaken or circumvent cryptography in France one way or another. We are including here everything that talks about spyware and keyloggers, because they're a direct threat against a lot of cryptographic tools.

Agnes: Okay, so let's be clear here, we are only going to talk about very specific aspects of the digital related law. Access to the Internet, filtering, censorship can probably be discussed in other talks with the same quantity of laws hindering those rights. But we will focus here on cryptography only. Before 1998 use of cryptographic tools for the public was essentially forbidden. The key length was limited to 128 bits for asymmetric cryptography. For authentication of communication or for ensuring integrity of the message a prior declaration was necessary. For all other uses, especially for confidentiality, ex ante authorization from the Prime Minister was required as well.
Okhin: After lengthy negotiations with intelligence services cryptography was freed in 1998. But it still required that the system used respects one of those three following limitations. The cryptography system cannot be used for confidentiality purposes without authorisation. Or the cryptography system is operated by a third party owning a master key which the police may have access to. Or the user does not need strong confidentiality and can use a standard encryption solution with a key lower than 40 bits.

bad sound, subtitles now from author's transcript

Furthermore: people providing encryption tools for confidentiality purposes were required to give the code, decryption devices or conventions when required by law. In 2001 the use of cryptography is freed, but still requires that the system used has been first registered at the Interior Ministry's office. Now it's one of the ANSSI's missions, the French National Cybersecurity Agency ANSSI that reports to the Prime Minister. France's doctrine toward cryptography has always been dictated by intelligence services and the army. They want to collect as much data as possible, multiple times, and to have the capability to decrypt every conversation at any given time. It is under this condition that they consented to give free access to cryptography for the general public. That's why French law obliges to declare to the ANSSI the supply or importation of a cryptology tool. This procedure is an obstacle for the deployment of such services in France, mostly because you have to face an administrative system which refuses to speak non-French. The delay for the transportation (?) is at least one month. For a long time, all administrative documents were in French only; ANSSI now provides the translation as a courtesy, but you're still supposed to fill the forms in French. You're supposed to provide your source code, but since you all develop open software, this is fine, isn't it? And of course, you have to send it by regular snail mail, there's no electronic version of it, in triplicate, which is much more expensive, especially if you're not in France. Let's say that administrative documents are sometimes very complicated for French-speaking people, who are supposed to be used to them.

Agnes: So..

Okhin: How enabling foreign people - not French speaking ones - to understand them and to correctly fill them?

proper sound back again
Agnes: Since then cryptography legislation has not really evolved. However, one national security or counter terrorism law after another - we had something like 30 of them in the last 15 years - the judiciary and repressive arsenal did grow. For example, police were authorized to install keyloggers in the LOPPSI 2 law in 2011. Then police were authorized to force any person or entity they think able to decrypt or to analyze every kind of encrypted content they get their hands on in the counter-terrorism law of 2014, and the army and intelligence agency of course can help to do that cryptanalysis if needed.

bad sound, again from author transcript now

Okhin: And now the so-called "Black boxes" entered the game in the Surveillance Law of 2015. Those are algorithms collecting and analysing metadata in order to catch terrorists. We know they are made by Palantir and we had the confirmation in November of their deployment. The fun fact: the internal intelligence service signed the agreement with Palantir but the military intelligence and foreign intelligence services are quite concerned about it, because they would rather maintain a strategic autonomy. In the same law, the use of IMSI catchers is granted to cops and they can install spyware on your terminal without prior validation of a judge. IMSI catchers and spyware may be used to gather any information that may help protect vague interests, such as the "industrial and economic well being" of France or the prevention of undeclared protests.

recording audio back to quality

Thanks to the state of emergency since 2015 and now made permanent last October, search warrants may now be delivered on mere rumour and suspicions, after the fact, without any investigations. They allow for collection of any data found on site. And data is kept for three months, but if it is encrypted the judge can decide to retain it indefinitely until they decrypt it. And without any investigative power.
Agnes: So to conclude this depressive state of affairs we need to add that cryptography is an aggravating circumstance in a long list of crimes and felonies linked primarily to organized crime and terrorism, but also conveniently to aiding refugees for example. So encrypting things makes you even more suspect and more guilty.

Okhin: Oh and we almost forgot - if ever you're operating a cryptographic system for third parties you have an obligation to provide either the decryption key or the plain text to cops if they ask for it and you have 72 hours to comply - which means a lot of pressure on you. It probably can apply to yourself if you're being investigated upon, but it might clash with the right to remain silent and to not self-incriminate; we do not have a lot of choice here. But we recently had cases where cops.., where the law has been used; one of them was to coerce a teenager to provide the decryption key for an encrypted chat with OTR he was operating and which had been used by people who were making fake bomb alerts in schools. And for the one we know about, how many of them have gone unnoticed, people choosing to keep living their lives instead of risking jail time and huge fines?
Agnes: So here it's important to note that there's a difference being made between cryptography which enforces security of communication and cryptography which enforces confidentiality. In this presentation we're addressing the issue of cryptography in the context of confidentiality only. To illustrate that this debate goes beyond the classic lines of left/right politics we'd like to display some quotes on the topic by various ministers, candidates, elected representatives and prominent political speakers. For example, Éric Ciotti, he is a member of parliament from the right wing. He wants to fine Apple 1.5 million euro if they refuse to give encryption keys, among other outrageous things he said, this is one taking hold.

Okhin: François Molins, Paris Prosecutor, wrote about that in the New York Times against cryptography. The title is quite explicit, it states: "When Phone Encryption Blocks Justice". And he talks about the importance of privacy rights of the individual in the same paragraph as the "marginal benefits of full disk encryption". He signed this bullshit with his colleague Cyrus Vance Jr, District Attorney of Manhattan, Adrian Leppard, commissioner of London City Police and Javier Zaragoza, chief prosecutor of the national court of Spain. I let you read the full quote in all its splendor.

Agnes: So we have also Guillaume Poupard from the ANSSI we talked about before. He said just before the Bataclan attack in 2015 that backdoors and key sequestrations are a bad idea and that he instead proposes to work on "points of cleartext". Whatever it means it probably stands for transport security and against confidentiality of

Okhin: Emmanuel Valls, then Prime Minister, used the term "legal cryptography" in interviews where the official discourse for the last 20 years was that all cryptography was legal.

Agnes: Here the digital national council, then chaired by Mounir Mahjoubi, who is now Secretary of State for digital issues, did oppose the ideas of backdoors and did advocate for the use and development of end-to-end encryption just before the presidential electoral race - you'll see later why it's important.
Okhin: Bernard Debré, another elected representative from the right wing, he actually ordered drugs online, cocaine for 80 euros a gram on onion services to prove how dangerous it is. He also said you can buy body parts and guns there and that it's easier than ordering shoes online. He also bought a lot of drugs from a non-identified website in the Netherlands, so surely the encryption is at fault here.

Agnes: So Jean-Jacques Urvoas who was Minister of Justice said he wants to access computers, Skype communications and so on and to put all suspects and their entourage under permanent recording. Between the first and second round of the last presidential elections he broke professional secrecy and sent to Thierry Solère, who is a member of parliament from the right wing, the information that he was being investigated. He sent a message by Telegram and the note was saved on Thierry Solère's phone and found during a police search at his house later on.

Okhin: In August 2016 there was a joint declaration of Thomas de Maizière and Bernard Cazeneuve, interior ministers of Germany and France respectively, about European internal security and they stated that: "At the European level, it will require to force the non-cooperative operators to remove illegal content or to decrypt messages during investigation."

Agnes: However, so it was a joint communication but the French written version of the joint declaration was different than the Germans'. Only France kept the part about how it would be so great to have back doors or golden keys. So either Germany did not want to publicly advocate for backdoors or they had a different strategy, but unfortunately very recently the same de Maizière announced that he wanted to force tech and car companies to provide the security services with hidden digital access to all devices and machines. He probably did not know that if you lower the security of cars you dramatically increase the risk of accidents among others.
Okhin: All this was before Macron was elected last spring. It's like an actual photo. It's not a Photoshop. During his presidential campaign Emmanuel Macron said that we should put an end to cryptography by forcing the biggest companies to provide encryption keys or to give access to the complete content, stating that "one day they'll have to be responsible of terror attacks complicity".

Agnes: So Mounir Mahjoubi again. He was then counselling the candidate and he is now internet minister. He has been forced to backpedal and to explain that messing with end-to-end cryptography was out of the question and that they'd rather force companies to cooperate faster with police forces. He specifically emphasized the importance of cryptography for companies to protect trade and industrial secrets and since then Mounir Mahjoubi has become totally silent on this topic. So it seems that encryption for confidentiality is a real problem for them. Would you be surprised to know that to communicate with his political party and representatives Emmanuel Macron, now president, uses Telegram? An application regularly described by a lot of representatives as a terrorism-enabling tool which should be banned. Their words, not ours. Animal Farm is back: We are all equal with the use of cryptography, but some are more equal than the others. Coupled with this focus on protecting companies' secrets this confirms that the Start Up Nation doesn't care about protecting citizens but only about business and powerful friends. This becomes blatantly obvious when you look at Macron's social and economy's

Okhin: Last but not least, successive French governments put pressure to add in the law the possibility for cops to ask you for all of your online handles, including all your Yahoo mailboxes, ICQ numbers, your Twitter or Facebook account, all the weird nicknames you use on IRC and stuff like that. That's why mine is currently a fork-bomb embedded into a shellshock, but I think we can get more creative and find a way to be more destructive for a system when cops would have to enter it into their systems. Two attempts have been made already and rejected at some point. This kind of registration already exists in the UK and the US and we hope the government won't succeed in France to put this kind of limitation in law.
Agnes: So, as demonstrated, France is one of the very active powers against cryptography within the EU. Even if some other member states did express some concerns, namely Poland, Croatia, Hungary, Italy, Latvia, and other countries, those concerns have been prompted by other member states and probably France. Each new bill is a risk to reduce the use of cryptography, especially with the criminal, digital or judiciary laws that are coming soon. For instance France is pushing hard for avoiding any obligation on end-to-end encryption in the ePrivacy regulation. They explicitly ask to gain access to any communication or metadata, which is what is written here in French. Sorry, we didn't translate it. The government also pushes to obtain EU legislation on encryption which would limit end-to-end encryption, of course. The government intends then to use this EU legislation for justifying its position while it did create this proposal in the first place. In the next month the discussions on eEvidence will start at the EU level. There will probably be a lot of talks about cryptography in the next "counter-terrorist package" expected in 2018. Counterterrorism is always a good way for the governments to make some provisions to enhance security and to lower the rights and freedoms. They threaten the Parliament to be responsible of the next attacks and the members of parliament thus vote anything just because they don't want to be responsible.
Okhin: So as technicians, what can we do? From a technical perspective we think we should operate communication infrastructure and systems in an illegal and clandestine way. It is important to build undetectable and encrypted communication systems that break the link between your online communications and yourself. Making those tools available to the general public and mass adopted by them is a critical and non-trivial issue to address. Especially as the French legal registration system might block access to high-quality privacy preserving encryption tools. For instance, Apple requires you to fill the ANSSI form and obtain a certificate from them to put your software on the Apple App Store already. Moreover it is paramount to think wider, because if your encrypted communication relies on centralized infrastructure and a highly identifying piece of information such as for instance a phone number, then a passive listener such as an IMSI catcher can get your phone number from a protest you were at for instance and then guess what your account is and then, they got your phone number, so they can ask to deploy keyloggers and spyware on your phones. And this is defeating all the security based on your phone number. At a time where more and more governments want to hinder encryption and secrecy of communications, it is critical to have access to communication systems that are free, pseudonymous, decentralised and distributed to the widest audience possible, meaning user-friendly, yes, and to think about ways to push those tools everywhere. It is also important to lead political battles. We need all available help to slow down this attack at the national and European levels. We need to get out of the security discourses and to break the link between encryption and security for the state and to control the argument that only people committing crimes and felonies do use cryptography. We need a positive discourse about cryptography: how it helps people with their daily lives, how it improves social structures, how it protects the identity of queers, how it helps abused women to seek help and to escape their home, how it enables a positive change in the society, as main change often comes from activities not approved by the society. If you want more concrete steps and ways to help we're currently running a support campaign so you can help us there at

After the Q&A, because we have some time left, you can come drink some tea at the teahouse in the CCL building and have some tea and chat with us. Thank you all for listening and if you have any question I think we have some time.
applause

Herald Angel: Alright we have 5 minutes for questions. Are there people out there, maybe on the internet? No, are there some people here who have questions for this lovely organization? Well I have a question actually: So you gave us some advice regarding using avatars, alter egos. You know what, I'm teaching as well and my colleague teachers even in that kind of digital age that we live in are always wondering why I am using several avatars, several devices. It seems like it's not accepted actually because they're looking at you like "Are you a criminal or what? What did you do wrong?" Don't you get that kind of questions as well from your audience?

Okhin: Yes, we got that a lot. The thing is, a lot of people commit crimes using their real name and IDs and stuff like that. Most of the people are asking people online, for instance, to not use a pseudonymous account or something like that, they want to be known as our same people and stuff like that. So it's like we need to get out of this kind of discourse and say: "I can do whatever I want with my online identities. It's not your business. And if I'm doing something wrong, you have to prove it, like with due process of law and stuff like that."
Herald: Ok, I see there's a question raised in here. Microphone number two.

Mic2: What counts in practice as import and export of cryptography? I mean, if I'm in France and I download OpenSSL, do I have to fill out the ANSSI form?

Okhin: Not for OpenSSL, because it's not a protocol that has the goal to provide confidentiality of communication, which is end-to-end encryption.

Mic2: So GPG?

Okhin: Yeah, GPG is supposed to have an import certificate and I think they have it.

Mic2: For individuals or for

Okhin: For the organization which provides you the access to the tool. Like Google is supposed to provide that, Apple, Microsoft, Debian. Debian I think filled the paperwork. Each Linux distribution should do it.

Herald: Question here, microphone number

Mic1: Okay, thanks so much for the talk. I'd really love to hear a little bit more about the very crunchy in-depth bits about encryption policy in France. Now might not be the right time, but building off of the last question: What kinds of laws or policy are around taking encryption technology outside of France, like across a border?

Agnes: Well for exporting closed encryption technology there is the Wassenaar Arrangement signed by several countries, so I don't know by heart everything in there, but for example a system that can be used for war and for other use. Then you have it's forbidden or you have to declare that you're exporting such tools etc. So for exporting you have this Wassenaar agreement and I think there is nothing else if it's not a double use system.

Mic2: Thank you!

Herald: Okay, one last question, please there, mister three.

Mic3: It seems to me that all of these laws are mostly falling under national security. Are there any laws, any way to challenge any of this at the European level? So on the European level there are wonderful direct data protection directives and all the stuff. But my understanding is that with all of these directives any state can kind of opt out of them for national security reasons. So is there anything that can be done on any level without invoking a national security exception?
Agnes: Yeah well all data protection regulation policies at the EU level and especially the GDPR, General Data Protection Regulation, have a specific provision that enables member states to say: okay, it doesn't apply because it's a national security issue. What I said, what I showed here, is that in the ePrivacy regulation, which is currently under negotiation at the EU level, the EU Parliament has already adopted a position which promotes encryption as soon as it's possible to have end-to-end encryption. And that's why the French government is trying to push it away; there will be negotiation between the Council, the European Parliament and the European Commission. The Council represents all member states, so there will be a negotiation with all the institutions, beginning this summer probably. Or just after the summer, but maybe a little bit before. And then the French government is going to try to push it away. As we saw in the document which we showed in French, the government is trying to gain access to all communications and data. It's very clear in the French communication we showed.

Herald: May I make a suggestion? They have a fantastic tea house. You have to continue this discussion later on there with a cup of tea, and some massage maybe. I have one last call for you both, you know, and the audience: « Indignez-vous ! » [i.e. "Time for Outrage!"] Ça, c'est ! That's why we wanna hear you! (?) Indignez-vous !

applause

postroll music

Subtitles created by
in the year 2018