0:00:00.000,0:00:17.135
34C3 preroll music
0:00:17.135,0:00:24.430
Herald Angel: Good. I have the pleasure[br]and the honor of introducing to you two
0:00:24.430,0:00:34.699
persons here who are really working at[br]'La Quadrature du Net'. So, this really is
0:00:34.699,0:00:39.050
something in French! It's an[br]organization NGO, it's actually working
0:00:39.050,0:00:45.979
really on the rights, on freedom of[br]citizens on the internet. I understood
0:00:45.979,0:00:52.030
that Agnes is there responsible for the[br]coordination mainly about legal issues and
0:00:52.030,0:00:58.500
that Okhin - I'll pronounce this well - is[br]more responsible at the technical side.
0:00:58.500,0:01:04.518
He runs as well, I think, a bunch of[br]volunteers, or helping you around.
0:01:04.518,0:01:08.370
Please give them a welcome applause.[br]Let the show start!
0:01:08.370,0:01:16.870
applause
0:01:16.870,0:01:20.479
Agnes: Hello, here is Okhin, but he has
0:01:20.479,0:01:25.969
already been introduced, the third person[br]from 'La Quadrature du Net', and I am
0:01:25.969,0:01:32.460
Agnes and I work on legal and political[br]issues at 'La Quadrature' as well. So
0:01:32.460,0:01:38.270
La Quadrature is an organization that[br]fights for fundamental rights and freedoms
0:01:38.270,0:01:44.090
in the digital area. We are here today to[br]talk about the danger lying above your
0:01:44.090,0:01:50.200
jobs, especially if you're building or[br]maintaining cryptographic tools. We're
0:01:50.200,0:01:55.579
here because we think it's important to[br]demonstrate that the worst authoritarian
0:01:55.579,0:02:05.560
laws don't only come from far right[br]governments such as Hungary or Poland,
0:02:05.560,0:02:09.759
but mostly from the "social democracy[br]compatible with market economy", to quote
0:02:09.759,0:02:19.470
Angela Merkel. Along with Germany and the[br]United Kingdom (but with Brexit, exit the
0:02:19.470,0:02:26.450
UK), France is one of the biggest forces[br]within the EU. And if France can rally at
0:02:26.450,0:02:31.100
least one of the two others on board it[br]can obtain what it wants from its European
0:02:31.100,0:02:40.200
partners. It works both ways, of course![br]But it's important because the problem
0:02:40.200,0:02:44.120
with that: France is not only exporting[br]its knowledge and practice of law
0:02:44.120,0:02:51.300
enforcement and anti-riot gear to various[br]governments such as Tunisia or others.
0:02:51.300,0:02:59.570
France is now also shining for its anti-[br]privacy lobbying as you will see later.
0:02:59.570,0:03:12.460
sound issues on Okhin's microphone
0:03:12.460,0:03:15.460
Okhin: What is interesting here is to[br]think about what we can do as technicians,
0:03:15.460,0:03:20.760
developers, sysadmins, sysops,[br]or legal persons
0:03:20.760,0:03:26.500
specialised in technology issues.[br]Because the threats come from legal,
0:03:26.500,0:03:32.280
political and technical area and endanger[br]not only us but also sex workers, abused
0:03:32.280,0:03:36.570
women and abused people, who[br]need to flee their home etc.
0:03:36.570,0:03:39.570
We have to think about our role[br]and to find ways to act, to fight
0:03:39.570,0:03:44.440
against the threats against encryption.
0:03:44.440,0:03:50.960
We're going to start with a quick but[br]sadly non-exhaustive history of laws
0:03:50.960,0:03:54.841
trying to weaken or circumvent[br]cryptography in France one way or another.
0:03:54.841,0:04:01.520
We are including here everything that[br]talks about spyware and keyloggers,
0:04:01.520,0:04:06.260
because they're a direct threat against[br]a lot of cryptographic tools.
0:04:06.260,0:04:14.310
Agnes: Okay, so let's be clear here, we[br]are only to talk about very specific
0:04:14.310,0:04:20.149
aspects of the digital related law. Access[br]to the Internet, filtering, censorship can
0:04:20.149,0:04:25.180
probably be discussed in other talks with[br]the same quantity of laws hindering those
0:04:25.180,0:04:33.250
rights. But we will focus here on[br]cryptography only. Before 1998 use of
0:04:33.250,0:04:37.720
cryptographic tools for the public was[br]essentially forbidden. The key length was
0:04:37.720,0:04:46.560
limited to 128 bits for asymmetric[br]cryptography. There were authentication
0:04:46.560,0:04:56.181
of communication or for ensuring integrity[br]of the message a prior declaration
0:04:56.181,0:04:59.280
was necessary. For all[br]other uses, especially
0:04:59.280,0:05:02.280
for confidentiality, ex ante authorization[br]from Prime Minister was required as well.
0:05:02.280,0:05:10.660
Okhin: After lengthy negotiations with
0:05:10.660,0:05:15.530
intelligence services cryptography has[br]been freed in 1998. But it still
0:05:15.530,0:05:19.620
required that the system used respects one[br]of those three following limitations.
0:05:19.620,0:05:23.350
The cryptography system cannot be used[br]for confidentiality purposes without
0:05:23.350,0:05:27.120
authorisation. Or the cryptography system[br]is operated by a third party owning a
0:05:27.120,0:05:32.110
master key which the police may have[br]access to. Or the user does not need a
0:05:32.110,0:05:36.271
strong confidentiality and can use a[br]standard encryption solution with a key
0:05:36.271,0:05:37.271
lower than 40 bits.
0:05:37.271,0:05:38.271
bad sound, subtitles now[br]from author's transcript
0:05:38.271,0:05:39.271
Furthermore: people providing encryption[br]tools for confidentiality purposes were
0:05:39.271,0:05:40.271
required to give the code, decryption[br]devices or conventions when law required
0:05:40.271,0:05:41.271
by them. In 2001 the use of cryptography[br]is freed, but still requires that the
0:05:41.271,0:05:42.271
system used has been first registered at[br]the Interior Ministry's office. Now it's
0:05:42.271,0:05:43.271
one of the ANSSI missions, the French[br]National Cybersecurity Agency ANSSI that
0:05:43.271,0:05:44.271
reports to the Prime Minister. France's[br]doctrine toward cryptography has always
0:05:44.271,0:06:56.100
been dictated by intelligence services and[br]the army. They want to collect as much
0:06:56.100,0:07:53.350
data as possible, multiple times, and to[br]have the capability to decrypt every
0:07:53.350,0:07:54.350
conversation at any given time. This is at[br]this condition that they consented to give
0:07:54.350,0:07:55.350
free access to cryptography for the[br]general public. That's why, French law
0:07:55.350,0:07:56.350
obliges to declare to the ANSSI the supply[br]or importation of a cryptology tool.
0:07:56.350,0:07:57.350
This procedure is an obstacle for the[br]deployment of such services in France,
0:07:57.350,0:07:58.350
mostly because you have to face an[br]administrative system which refuses to
0:07:58.350,0:07:59.350
speak non-French. The delay for the[br]transportation (?) is at least one month.
0:07:59.350,0:08:00.350
For a long time, all administrative[br]documents were in French only, ANSSI
0:08:00.350,0:08:01.699
now provides the translation as[br]a courtesy, but you're still supposed
0:08:01.699,0:08:04.230
to fill the forms in French. You're[br]supposed to provide your source code, but
0:08:04.230,0:08:05.230
since you all develop open software, this[br]is fine, isn't it? And of course, you have
0:08:05.230,0:08:06.230
to send it by regular snail mail, there's[br]no electronic version of it, in triplicate,
0:08:06.230,0:08:07.230
which is much more expensive, especially[br]if you're not in France. Let's say that
0:08:07.230,0:08:08.230
administrative documents are sometimes[br]very complicated for French-speaking
0:08:08.230,0:08:09.230
people, who are supposed[br]to be used to them.
0:08:09.230,0:08:10.230
Agnes: So..[br]Okhin: How enabling foreign people - not
0:08:10.230,0:08:11.230
French speaking ones - to understand them[br]and to correctly fill them?
0:08:11.230,0:08:12.230
proper sound back again[br]Agnes: Since then cryptography legislation
0:08:12.230,0:08:14.180
has not really evolved. However, one[br]national security or counter terrorism law
0:08:14.180,0:08:20.990
after another - we had something like 30[br]of them in the last 15 years - the
0:08:20.990,0:08:27.320
judiciary and repressive arsenal did grow.[br]For example, police were authorized to
0:08:27.320,0:08:40.188
install keyloggers in the LOPPSI 2 law in[br]2011. Then police were authorized to force
0:08:40.188,0:08:50.990
any person or entity they think able[br]to decrypt or to analyze every kind of
0:08:50.990,0:08:58.300
encrypted content they get their hands on[br]in the counter-terrorism law of 2014, and
0:08:58.300,0:09:07.480
the army and intelligence agency of course[br]can help to do those crypto analysis
0:09:07.480,0:09:33.749
if needed.[br]bad sound, again from author transcript now
0:09:33.749,0:10:05.160
Okhin: And now the so-called "Black boxes"[br]entered the game in the Surveillance Law
0:10:05.160,0:10:07.649
of 2015. Those are algorithms collecting[br]and analysing metadata in order to catch
0:10:07.649,0:10:10.500
terrorists. We know they are made by[br]Palantir and we had the confirmation on
0:10:10.500,0:10:12.310
November of their deployment.[br]The fun fact: the internal intelligence
0:10:12.310,0:10:14.019
service signed the agreement with Palantir[br]but the military intelligence and foreign
0:10:14.019,0:10:16.649
intelligence services are quite concerned[br]about it, because they would rather maintain a
0:10:16.649,0:10:17.779
strategic autonomy.
0:10:17.779,0:10:18.909
In the same law, the use[br]of IMSI Catchers is granted to cops
0:10:18.909,0:10:20.040
and they can install spyware on your[br]terminal without prior validation of a
0:10:20.040,0:10:21.290
judge. IMSI Catchers and spywares may be[br]used to gather any information that may
0:10:21.290,0:10:23.970
help protect vague interests, such as the[br]"industrial and economic well being" of
0:10:23.970,0:10:29.670
France or the prevention of undeclared[br]protests. (recording audio back to quality)
0:10:29.670,0:10:33.089
Thanks to the state of emergency since[br]2015 and now made permanent in last
0:10:33.089,0:10:35.029
October, search warrants may now be[br]delivered on mere rumour and suspicions,
0:10:35.029,0:10:36.029
after the fact, without any investigations.[br]They allow for collection of any data found
0:10:36.029,0:10:37.029
on site. And data is kept during three[br]months, but if they are encrypted the judge
0:10:37.029,0:10:39.089
can decide to retain them indefinitely[br]until they decrypt them.
0:10:39.089,0:10:41.149
And without any investigative power.
0:10:41.149,0:10:43.209
Agnes: So to conclude this[br]depressive state of affairs
0:10:43.209,0:10:47.850
we need to add that cryptography[br]is an aggravating circumstance
0:10:47.850,0:10:56.749
in a long list of crimes[br]and felonies linked
0:10:56.749,0:11:02.309
primarily to organized crime and terrorism,[br]but also conveniently to aiding refugees
0:11:02.309,0:11:04.089
for example. So encrypting things makes[br]you even more suspect and more guilty.
0:11:04.089,0:11:07.089
Okhin: Oh and we almost forgot - if ever[br]you're operating a cryptographic system
0:11:07.089,0:11:10.820
for third parties you have an obligation[br]to provide either decryption key or plain
0:11:10.820,0:11:14.910
text to cops if they ask for it and[br]you have 72 hours to comply
0:11:14.910,0:11:20.389
- which means a lot of pressure[br]on you. It probably can
0:11:20.389,0:11:24.429
apply to yourself if you're being[br]investigated upon, but it might clash with
0:11:24.429,0:11:27.420
the right to remain silent and to not[br]self-incriminate we do not have a lot of
0:11:27.420,0:11:35.639
choice here. But we recently had cases[br]where cops.., where the law has been used
0:11:35.639,0:11:40.019
one of them was to coerce a teenager to[br]provide decryption key for an encrypted
0:11:40.019,0:11:44.399
chat with OTR he was operating and which[br]had been used by people who were making
0:11:44.399,0:11:55.089
fake bomb alert in schools. And for one we[br]know about, how many of them have gone
0:11:55.089,0:11:59.730
unnoticed, people choosing to keep living[br]their lives instead of risking jail time
0:11:59.730,0:12:04.300
and huge fines?[br]Agnes: So here it's important to note that
0:12:04.300,0:12:09.639
there's difference being made between[br]cryptography which enforces security
0:12:09.639,0:12:15.550
communication and cryptography which[br]enforces confidentiality. In this
0:12:15.550,0:12:19.649
presentation we're addressing the issue of[br]cryptography in the concept context of
0:12:19.649,0:12:26.639
confidentiality only. To illustrate that[br]this debate goes beyond the classic lines
0:12:26.639,0:12:32.689
of left/right politics we like to display[br]some quotes on the topic by various
0:12:32.689,0:12:39.769
ministers, candidates, elected[br]representatives and prominent political
0:12:39.769,0:12:47.009
speakers. For example, Éric Ciotti, he is[br]a member of parliament from the right-
0:12:47.009,0:12:56.740
wing. He wants to fine Apple 1.5 million[br]euro, if they refuse to give encryption
0:12:56.740,0:13:02.170
keys, among other outrageous things he[br]said, this is one taking hold.
0:13:02.170,0:13:07.529
Okhin: François Molins, Paris Prosecutor,[br]wrote about that in the New York Times
0:13:07.529,0:13:11.990
against cryptography. The title is quite[br]explicit it states: "When Phone Encryption
0:13:11.990,0:13:20.089
Blocks Justice" And he talks about the[br]importance of privacy rights of the
0:13:20.089,0:13:24.220
individual in the same paragraph of the[br]"marginal benefits of full disk
0:13:24.220,0:13:29.129
encryption". He signed this bullshit with[br]his colleague Cyrus Vance Jr, District
0:13:29.129,0:13:32.879
Attorney of Manhattan, Adrian Leppard,[br]commissioner of London City Police and
0:13:32.879,0:13:37.760
Javier Zaragoza, chief prosecutor of the[br]national court of Spain. I let you read
0:13:37.760,0:13:46.279
the full quote in all its splendor.[br]Agnes: So we have also Guillaume Poupard
0:13:46.279,0:13:53.420
from the ANSSI we talked about before. He[br]said just before the Bataclan attack in
0:13:53.420,0:13:59.970
2015 that backdoors and key sequestrations[br]is a bad idea and that he instead proposes
0:13:59.970,0:14:06.939
to work on "points of cleartext". Whatever[br]it means it probably stands for transport
0:14:06.939,0:14:10.410
security and against confidentiality of[br]communications.
0:14:10.410,0:14:15.259
Okhin: Emmanuel Valls, then Prime[br]Minister, used the term "legal
0:14:15.259,0:14:18.799
cryptography" in interviews where the[br]official discourse for the last 20 years
0:14:18.799,0:14:27.720
was that all cryptography was legal.[br]Agnes: Here the digital national council,
0:14:27.720,0:14:34.790
then chaired by Mounir Mahjoubi, who is[br]now Secretary of State for digital issues,
0:14:34.790,0:14:39.929
did oppose the ideas of backdoors and did[br]advocate for the use and development of
0:14:39.929,0:14:44.160
end-to-end encryption just before the[br]presidential electoral race - you'll see
0:14:44.160,0:14:47.879
later why it's important.[br]Okhin: Bernard Debré, another elected
0:14:47.879,0:14:54.220
representative from the right wing he[br]actually ordered drugs online, cocaine for
0:14:54.220,0:15:00.519
80 euros a gram on onion-services to prove[br]how dangerous it is. He also said you can
0:15:00.519,0:15:05.269
buy body parts and guns there and that[br]it's easier than ordering shoes online. He
0:15:05.269,0:15:09.699
also bought a lot of drugs from a non-[br]identified website in Netherlands, so
0:15:09.699,0:15:18.379
surely the encryption is at fault here.[br]Agnes: So Jean-Jacques Urvoas who was
0:15:18.379,0:15:25.399
Minister of Justice said he wants to[br]access computers, Skype communications and
0:15:25.399,0:15:34.790
so on and to put all suspects and their[br]entourage under permanent recording.
0:15:34.790,0:15:40.809
Between the first and second turn of the[br]last presidential elections he broke the
0:15:40.809,0:15:46.579
professional secret and sent to Thierry[br]Solère who is a member of parliament from
0:15:46.579,0:15:53.480
the right wing the information that he was[br]investigated upon. He sent a message by
0:15:53.480,0:15:59.679
Telegram and the note was saved on Thierry[br]Solère's phone and found during a police
0:15:59.679,0:16:06.799
search at his house later on.[br]Okhin: In August 2016 there was a joint
0:16:06.799,0:16:11.209
declaration of Thomas de Maizière and[br]Bernard Cazeneuve, interior ministers of
0:16:11.209,0:16:16.519
Germany and France respectively about[br]European internal security and they stated
0:16:16.519,0:16:20.579
that: "At the European level, it will[br]require to force the non cooperatives
0:16:20.579,0:16:24.829
operators to remove illegal content or to[br]decrypt messages during investigation."
0:16:24.829,0:16:32.360
Agnes: However, so it was a joint[br]communication but French written version
0:16:32.360,0:16:38.649
of the joint declaration was different[br]than Germans. Only France kept the part
0:16:38.649,0:16:43.809
about how it would be so great to have[br]back doors or golden keys. So either
0:16:43.809,0:16:50.040
Germany did not want to publicly advocate[br]for backdoors or they had a different
0:16:50.040,0:16:56.480
strategy, but unfortunately very recently[br]the same de Maizière announced that he
0:16:56.480,0:17:01.480
wanted to force tech and car companies to[br]provide the security services with hidden
0:17:01.480,0:17:07.220
digital access to all devices and[br]machines. He probably did not know that if
0:17:07.220,0:17:11.159
you lowered the security of cars you[br]dramatically increase the risk of accident
0:17:11.159,0:17:15.470
among others.[br]Okhin: All this was before Macron was
0:17:15.470,0:17:22.579
elected last spring. It's like an actual[br]photo. It's not a Photoshop. During his
0:17:22.579,0:17:27.630
presidential campaign Emmanuel Macron said[br]that we should put an end to cryptography
0:17:27.630,0:17:31.610
by forcing the biggest companies to[br]provide encryption keys or to give access
0:17:31.610,0:17:38.269
to the complete content stating that "one[br]day they'll have to be responsible of
0:17:38.269,0:17:45.600
terror attacks complicity".[br]Agnes: So Mounir Mahjoubi again. He was
0:17:45.600,0:17:54.130
then counselling the candidate and he is[br]now internet minister. He has been forced
0:17:54.130,0:17:59.210
to backpedal and to explain that messing[br]with end-to-end cryptography was out of
0:17:59.210,0:18:03.630
question and that they'd rather force[br]companies to cooperate faster with police
0:18:03.630,0:18:09.639
forces. He specifically emphasized the[br]importance of cryptography by companies to
0:18:09.639,0:18:16.890
protect trade and industrial secrets and[br]since then Mounir Mahjoubi has become
0:18:16.890,0:18:24.680
totally silent on this topic. So it seems[br]that encryption for confidentiality is a
0:18:24.680,0:18:30.000
real problem for them. Would you be[br]surprised to know that to communicate with
0:18:30.000,0:18:34.590
his political party and representatives[br]Emmanuel Macron, now president, uses
0:18:34.590,0:18:41.090
Telegram? An application regularly[br]described by a lot of representatives as
0:18:41.090,0:18:48.460
an enabling terrorism tool and which[br]should be banned. Their words, not ours.
0:18:48.460,0:18:52.670
Animal Farm is back: We are all equal with[br]the use of cryptography, but some are more
0:18:52.670,0:18:58.630
equal than the others. Coupled with this[br]focus on protecting companies' secrets
0:18:58.630,0:19:03.220
this confirms that the Start Up Nation[br]doesn't care about protecting citizens but
0:19:03.220,0:19:08.610
only about business and powerful friends.[br]This becomes blatantly obvious when you
0:19:08.610,0:19:12.120
look at Macron's social and economy's[br]policies.
0:19:12.120,0:19:16.610
Okhin: Last but not least, successive[br]French government put pressure to add in
0:19:16.610,0:19:21.289
the law possibility for cops to ask you[br]for all of your online handles, including
0:19:21.289,0:19:25.960
that all Yahoo mailboxes, ICQ numbers,[br]your Twitter or Facebook account, all the
0:19:25.960,0:19:30.620
weird nicknames you use on IRC and stuff[br]like that. That's why mine is currently a
0:19:30.620,0:19:34.970
fork-bomb embedded into a shellshock, but[br]I think we can get more creative and find
0:19:34.970,0:19:39.179
a way to be more destructive for a system[br]when cops would have to enter it into
0:19:39.179,0:19:46.440
their systems. Two attempts have been made[br]already and rejected at some point. This
0:19:46.440,0:19:50.590
kind of registration already exist in the[br]UK in the US and we hope the government
0:19:50.590,0:19:54.480
won't succeed in France to put this kind[br]of limitation in law.
0:19:54.480,0:20:00.740
Agnes: So, as demonstrated France is one[br]of the very active power against
0:20:00.740,0:20:05.190
cryptography within the EU. Even if some[br]of other member states did express some
0:20:05.190,0:20:13.120
concerns namely Poland, Croatia, Hungary,[br]Italy, Latvia, and other countries, those
0:20:13.120,0:20:18.210
concerns have been prompted by other[br]member states and probably France. Each
0:20:18.210,0:20:23.679
new bill is a risk to reduce the use of[br]cryptography especially with the criminal,
0:20:23.679,0:20:30.580
digital or judiciary laws that are coming[br]soon. For instance France is pushing hard
0:20:30.580,0:20:37.550
for avoiding any obligation on end-to-end[br]encryption in the ePrivacy regulation.
0:20:37.550,0:20:45.220
They explicitly ask to gain access to any[br]communication or metadata, which is what
0:20:45.220,0:20:51.460
is written here in French. Sorry, we[br]didn't translate it. The government also
0:20:51.460,0:20:57.539
pushes to obtain EU legislation on[br]encryption which would limit end to end
0:20:57.539,0:21:04.500
encryption, of course. The government[br]intends then to use this EU legislation
0:21:04.500,0:21:11.919
for justifying its position while it did[br]create this proposal at the first place.
0:21:11.919,0:21:20.519
In the next month the discussions[br]eEvidence will start at the EU level. There
0:21:20.519,0:21:26.570
will probably be a lot of talks about[br]cryptography in the next "counter-
0:21:26.570,0:21:32.230
terrorist package" expected in 2018.[br]Counterterrorism is always a good way for
0:21:32.230,0:21:37.580
the governments to make some provisions to[br]enhance security and to lower the rights
0:21:37.580,0:21:43.220
and freedoms. They threaten the Parliament[br]to be responsible of the next attacks and
0:21:43.220,0:21:48.409
the members of parliament thus vote[br]anything just because they don't want to
0:21:48.409,0:21:54.200
be responsible.[br]Okhin: So as technician, what can we do?
0:21:54.200,0:21:58.590
From a technical perspective we think we[br]should operate communication
0:21:58.590,0:22:03.600
infrastructure and systems in an illegal[br]and clandestine way. It is important to
0:22:03.600,0:22:07.139
build undetectable and encrypted[br]communication systems that break the link
0:22:07.139,0:22:11.440
between your online communications and[br]yourself. Making those tools available to
0:22:11.440,0:22:15.899
the general public and mass adopted by[br]them is a critical and non trivial issue
0:22:15.899,0:22:19.980
to address. Especially as French legal[br]registration system might block access to
0:22:19.980,0:22:25.210
high-quality privacy preserving encryption[br]tools. For instance, Apple requires you to
0:22:25.210,0:22:29.380
fill the ANSSI form and obtain a[br]certificate from them to put your software
0:22:29.380,0:22:34.639
on the Apple App Store already.[br]Moreover it is paramount to think wider,
0:22:34.639,0:22:38.870
because if your encrypted communication[br]relies on centralized infrastructure at a
0:22:38.870,0:22:44.809
highly identifying piece of information[br]such as for instance a phone number, then
0:22:44.809,0:22:49.630
a passive listener such as an IMSI catcher[br]can get your phone number from a protest
0:22:49.630,0:22:54.669
you were at for instance and then guess[br]what your account is and then, they got
0:22:54.669,0:22:59.240
your phone number, so they can ask to[br]deploy key loggers and spyware on your
0:22:59.240,0:23:08.750
phones. And this defeating all the[br]security based on your phone number. At a
0:23:08.750,0:23:11.730
time where more and more governments want[br]to hinder encryption and secret of
0:23:11.730,0:23:15.799
communications, it is critical to have[br]access to communication systems that are
0:23:15.799,0:23:19.250
free, pseudonymous, decentralised and[br]distributed to the widest audience
0:23:19.250,0:23:24.200
possible, meaning user-friendly, yes, and[br]to think about way to push those tools
0:23:24.200,0:23:30.850
everywhere. It is also important to lead[br]political battles. We need all available
0:23:30.850,0:23:34.809
help to slow down this attack at the[br]national and European levels. We need to
0:23:34.809,0:23:39.509
get out of the security discourses and to[br]break the link between encryption and
0:23:39.509,0:23:44.779
security for the state and to control the[br]argument that only people committing
0:23:44.779,0:23:49.100
crimes and felonies do use cryptography.[br]We need a positive discourse about
0:23:49.100,0:23:53.250
cryptography: how it helps people with[br]their daily lives, how it improves
0:23:53.250,0:23:57.059
social structures, how it protects[br]the identity of queers, how it helps
0:23:57.059,0:24:01.200
abused women to seek help and to escape[br]their home, how it enables a positive
0:24:01.200,0:24:05.659
change in the society, as main change[br]often comes from activities not approved
0:24:05.659,0:24:11.410
by the society. If you want more concrete[br]steps and ways to help we're currently
0:24:11.410,0:24:15.750
running a support campaign so you can help[br]us there at support.laquadrature.net.
0:24:15.750,0:24:21.570
After the Q&A, because we have some time[br]left, you can come drink some tea at the
0:24:21.570,0:24:28.490
teahouse in the CCL building and have some[br]tea and chat with us. Thank you all for
0:24:28.490,0:24:34.270
listening and if you have any question I[br]think we have some time.
0:24:34.270,0:24:40.799
applause[br]Herald Angel: Alright we have 5 minutes
0:24:40.799,0:24:50.299
for questions. Are there people out there,[br]maybe on the internet? No, are there some
0:24:50.299,0:24:55.830
people here who have questions for this[br]lovely organization? Well I have a
0:24:55.830,0:25:01.669
question actually: So you gave us some[br]advice regarding using avatars, alter
0:25:01.669,0:25:08.780
egos. You know what, I'm teaching as well[br]and my colleagues teachers even in that
0:25:08.780,0:25:13.090
kind of digital age that we live in are[br]always wondering why I am using several
0:25:13.090,0:25:20.880
avatars, several devices. It seems like[br]it's not accepted actually because they're
0:25:20.880,0:25:27.039
looking at you like "Are you a criminal or[br]what? What did you do wrong?" Don't you
0:25:27.039,0:25:29.149
get that kind of questions as well from[br]your audience?
0:25:29.149,0:25:34.879
Okhin: Yes, we got that a lot. The thing[br]is, a lot of people commit crimes using
0:25:34.879,0:25:39.559
their real name and IDs and stuff like[br]that. Most of the people are asking people
0:25:39.559,0:25:42.610
online, for instance, to not use a[br]pseudonymous account or something like
0:25:42.610,0:25:47.429
that, they want to be known as our same[br]people and stuff like that. So it's like
0:25:47.429,0:25:50.540
we need to get out of this kind of[br]discourse and say: "I can do whatever I
0:25:50.540,0:25:55.210
want with my online identities. It's not[br]your business. And if I'm doing something
0:25:55.210,0:25:59.550
wrong, you have to prove it, like with due[br]process of law and stuff like that."
0:25:59.550,0:26:04.690
Herald: Ok, I see there's a question[br]raised in here. Microphone number two.
0:26:04.690,0:26:10.110
Mic2: What counts in practice as import[br]and export of cryptography. I mean, if I'm
0:26:10.110,0:26:16.409
in France and I download OpenSSL, do I[br]have to fill out the ANSSI form?
0:26:16.409,0:26:25.850
Okhin: Not for OpenSSL, because it's not[br]protocol that have a goal to provide
0:26:25.850,0:26:28.970
confidentiality of communication which is[br]end-to-end encryption.
0:26:28.970,0:26:34.760
Mic2: So GPG?[br]Okhin: Yeah, GPG is supposed to have an
0:26:34.760,0:26:37.399
important certificate and I think they[br]have it.
0:26:37.399,0:26:39.889
Mic2: For individuals or for[br]organizations?
0:26:39.889,0:26:44.059
Okhin: For the organization which provides[br]you the access to the tool. Like Google is
0:26:44.059,0:26:51.299
supposed to provide that, Apple,[br]Microsoft, Debian. Debian I think filled
0:26:51.299,0:27:00.370
the paperwork. Each Linux distribution[br]should do it.
0:27:00.370,0:27:03.639
Herald: Question here, microphone number[br]one?
0:27:03.639,0:27:07.649
Mic1: Okay, thanks so much for the talk.[br]I'd really love to hear a little bit more
0:27:07.649,0:27:13.960
about the very crunchy in-depth bits about[br]encryption policy in France. Now might not
0:27:13.960,0:27:20.870
be the right time, but building off of the[br]last question: What kinds of laws or
0:27:20.870,0:27:25.340
policy are around taking encryption[br]technology outside of France, like across
0:27:25.340,0:27:30.120
a border?[br]Agnes: Well for exporting to closed
0:27:30.120,0:27:36.970
encryption technology there is the[br]Wassenaar Arrangement signed by several
0:27:36.970,0:27:55.889
countries, so I don't know by heart[br]everything in there, but for example a
0:27:55.889,0:28:07.710
system that can use for war and for other[br]use. Then you have it's forbidden or you
0:28:07.710,0:28:12.440
have to declare that you're exporting such[br]tools etc. So for exporting you have this
0:28:12.440,0:28:23.850
Wassenaar agreement and I think there is[br]nothing else if it's not a double use
0:28:23.850,0:28:25.710
system.[br]Mic2: Thank you!
0:28:25.710,0:28:29.740
Herald: Okay, one last question, please[br]there, mister three.
0:28:29.740,0:28:35.009
Mic3: It seems to me that all of these[br]laws are mostly falling under national
0:28:35.009,0:28:39.881
security. Are there any laws way to[br]challenge any of this in the European
0:28:39.881,0:28:44.059
level? So on the European level there's[br]wonderful direct data protection
0:28:44.059,0:28:47.789
directives and all the stuff. But my[br]understanding is that all of these
0:28:47.789,0:28:53.820
directives any state can kind of opt out[br]of them for national security reasons. So
0:28:53.820,0:28:59.090
is there anything that can be done on any[br]level without invoking a national security
0:28:59.090,0:29:04.620
exception?[br]Agnes: Yeah well all data protection
0:29:04.620,0:29:11.100
regulation policies at the EU level and[br]especially the GDPR, general data
0:29:11.100,0:29:19.450
protection regulation, has a specific[br]provision that enable member states to
0:29:19.450,0:29:28.420
say: okay, it doesn't apply because it's a[br]national security issue. What I said, what
0:29:28.420,0:29:35.120
I showed here, is that in the ePrivacy[br]regulation, which is currently under
0:29:35.120,0:29:45.389
negotiation at the EU level, the EU[br]Parliament has already adopted a position
0:29:45.389,0:29:51.719
which promotes encryption as soon as it's[br]possible to have end-to-end encryption.
0:29:51.719,0:29:57.269
And that's why the French government is[br]trying to push it away, there will be
0:29:57.269,0:30:03.270
negotiation between the Council, the[br]European Parliament and the European
0:30:03.270,0:30:07.009
Commission. The Council represents all[br]member states, so there will be a
0:30:07.009,0:30:13.049
negotiation with all the institutions,[br]beginning this summer probably. Or just
0:30:13.049,0:30:20.269
after the summer, but maybe a little bit[br]before. And then the French government is
0:30:20.269,0:30:30.710
going to try to push it away. As we saw[br]in the document which we showed in
0:30:30.710,0:30:38.659
French, the government is trying to get to[br]gain access to all communications and
0:30:38.659,0:30:43.330
data. It's very clear in the French[br]communication we showed.
0:30:43.330,0:30:48.310
Herald: May I make a suggestion?[br]They have a fantastic tea house.
0:30:48.310,0:30:52.210
You have to continue this discussion[br]later on there with a cup of tea,
0:30:52.210,0:30:56.849
and some massage maybe. I have[br]one last call for you both, you know,
0:30:56.849,0:30:59.999
and the audience: « Indignez-vous ! »[br][i.e. “Time for Outrage!”]
0:30:59.999,0:31:04.979
Ca, c'est! That's why we wanna hear you! (?)[br]Indignez-vous !
0:31:04.979,0:31:09.689
applause
0:31:09.689,0:31:23.199
postroll music
0:31:23.199,0:31:30.781
Subtitles created by c3subtitles.de[br]in the year 2018