1
00:00:00,000 --> 00:00:17,135
34C3 preroll music
2
00:00:17,135 --> 00:00:24,430
Herald Angel: Good. I have the pleasure
and the honor of introducing to you two
3
00:00:24,430 --> 00:00:34,699
persons here who are really working at
'La Quadrature du Net'. So, that's really
4
00:00:34,699 --> 00:00:39,050
something in French! It's an
organization NGO, it's actually working
5
00:00:39,050 --> 00:00:45,979
really on the rights, on freedom of
citizens on the internet. I understood
6
00:00:45,979 --> 00:00:52,030
that Agnes is there responsible for the
coordination mainly about legal issues and
7
00:00:52,030 --> 00:00:58,500
that Okhin - I'll pronounce this well - is
more responsible at the technical side.
8
00:00:58,500 --> 00:01:04,518
He runs as well, I think, a bunch of
volunteers, or helping you around.
9
00:01:04,518 --> 00:01:08,370
Please give them a welcome applause.
Let the show start!
10
00:01:08,370 --> 00:01:16,870
applause
11
00:01:16,870 --> 00:01:20,479
Agnes: Hello, here is Okhin, but he has
12
00:01:20,479 --> 00:01:25,969
already been introduced, the third person
from 'La Quadrature du Net', and I am
13
00:01:25,969 --> 00:01:32,460
Agnes and I work on legal and political
issues at 'La Quadrature' as well. So
14
00:01:32,460 --> 00:01:38,270
La Quadrature is an organization that
fights for fundamental rights and freedoms
15
00:01:38,270 --> 00:01:44,090
in the digital area. We are here today to
talk about the danger lying above your
16
00:01:44,090 --> 00:01:50,200
jobs, especially if you're building or
maintaining cryptographic tools. We're
17
00:01:50,200 --> 00:01:55,579
here because we think it's important to
demonstrate that the worst authoritarian
18
00:01:55,579 --> 00:02:05,560
laws don't only come from far right
governments such as Hungary or Poland,
19
00:02:05,560 --> 00:02:09,759
but mostly from the "social democracy
compatible with market economy", to quote
20
00:02:09,759 --> 00:02:19,470
Angela Merkel. Along with Germany and the
United Kingdom (but with Brexit, exit the
21
00:02:19,470 --> 00:02:26,450
UK), France is one of the biggest forces
within the EU. And if France can rally at
22
00:02:26,450 --> 00:02:31,100
least one of the two others on board it
can obtain what it wants from its European
23
00:02:31,100 --> 00:02:40,200
partners. It works both ways, of course!
But it's important because the problem
24
00:02:40,200 --> 00:02:44,120
with that: France is not only exporting
its knowledge and practice of law
25
00:02:44,120 --> 00:02:51,300
enforcement and anti-riot gear to various
governments such as Tunisia or others.
26
00:02:51,300 --> 00:02:59,570
France is now also shining for its anti-
privacy lobbying as you will see later.
27
00:02:59,570 --> 00:03:12,460
sound issues on Okhin's microphone
28
00:03:12,460 --> 00:03:15,460
Okhin: What is interesting here is to
think about what we can do as technicians,
29
00:03:15,460 --> 00:03:20,760
developers, sysadmins, sysops,
or legal persons
30
00:03:20,760 --> 00:03:26,500
specialised in technology issues.
Because the threats come from legal,
31
00:03:26,500 --> 00:03:32,280
political and technical area and endanger
not only us but also sex workers, abused
32
00:03:32,280 --> 00:03:36,570
women and abused people, who
need to flee their home etc.
33
00:03:36,570 --> 00:03:39,570
We have to think about our role
and to find ways to act, to fight
34
00:03:39,570 --> 00:03:44,440
against the threats against encryption.
35
00:03:44,440 --> 00:03:50,960
We're going to start with a quick but
sadly non-exhaustive history of laws
36
00:03:50,960 --> 00:03:54,841
trying to weaken or circumvent
cryptography in France one way or another.
37
00:03:54,841 --> 00:04:01,520
We are including here everything that
talks about spyware and keyloggers,
38
00:04:01,520 --> 00:04:06,260
because they're a direct threat against
a lot of cryptographic tools.
39
00:04:06,260 --> 00:04:14,310
Agnes: Okay, so let's be clear here, we
are only to talk about very specific
40
00:04:14,310 --> 00:04:20,149
aspects of the digital related law. Access
to the Internet, filtering, censorship can
41
00:04:20,149 --> 00:04:25,180
probably be discussed in other talks with
the same quantity of laws hindering those
42
00:04:25,180 --> 00:04:33,250
rights. But we will focus here on
cryptography only. Before 1998 use of
43
00:04:33,250 --> 00:04:37,720
cryptographic tools for the public was
essentially forbidden. The key length was
44
00:04:37,720 --> 00:04:46,560
limited to 128 bits for asymmetric
cryptography. There were authentication
45
00:04:46,560 --> 00:04:56,181
of communication or for ensuring integrity
of the message a prior declaration
46
00:04:56,181 --> 00:04:59,280
was necessary. For all
other uses, especially
47
00:04:59,280 --> 00:05:02,280
for confidentiality, ex ante authorization
from Prime Minister was required as well.
48
00:05:02,280 --> 00:05:10,660
Okhin: After lengthy negotiations with
49
00:05:10,660 --> 00:05:15,530
intelligence services cryptography has
been freed in 1998. But it still
50
00:05:15,530 --> 00:05:19,620
required that the system used respects one
of those three following limitations.
51
00:05:19,620 --> 00:05:23,350
The cryptography system cannot be used
for confidentiality purposes without
52
00:05:23,350 --> 00:05:27,120
authorisation. Or the cryptography system
is operated by a third party owning a
53
00:05:27,120 --> 00:05:32,110
master key which the police may have
access to. Or the user does not need a
54
00:05:32,110 --> 00:05:36,271
strong confidentiality and can use a
standard encryption solution with a key
55
00:05:36,271 --> 00:05:37,271
lower than 40 bits.
56
00:05:37,271 --> 00:05:38,271
bad sound, subtitles now
from author's transcript
57
00:05:38,271 --> 00:05:39,271
Furthermore: people providing encryption
tools for confidentiality purposes were
58
00:05:39,271 --> 00:05:40,271
required to give the code, decryption
devices or conventions when law required
59
00:05:40,271 --> 00:05:41,271
by them. In 2001 the use of cryptography
is freed, but still requires that the
60
00:05:41,271 --> 00:05:42,271
system used has been first registered at
the Interior Ministry's office. Now it's
61
00:05:42,271 --> 00:05:43,271
one of the ANSSI mission, the French
National Cybersecurity Agency ANSSI that
62
00:05:43,271 --> 00:05:44,271
reports to the Prime Minister. France's
doctrine toward cryptography has always
63
00:05:44,271 --> 00:06:56,100
been dictated by intelligence services and
the army. They want to collect as much
64
00:06:56,100 --> 00:07:53,350
data as possible, multiple times, and to
have the capability to decrypt every
65
00:07:53,350 --> 00:07:54,350
conversation at any given time. This is at
this condition that they consented to give
66
00:07:54,350 --> 00:07:55,350
free access to cryptography for the
general public. That's why, French law
67
00:07:55,350 --> 00:07:56,350
oblige to declare to the ANSSI the supply
or importation of a cryptology tool.
68
00:07:56,350 --> 00:07:57,350
This procedure is an obstacle for the
deployment of such services in France,
69
00:07:57,350 --> 00:07:58,350
mostly because you have to face an
administrative system which refuses to
70
00:07:58,350 --> 00:07:59,350
speak non-French. The delay for the
transportation (?) is at least one month.
71
00:07:59,350 --> 00:08:00,350
For a long time, all administrative
documents were in French only, ANSSI
72
00:08:00,350 --> 00:08:01,699
now provides the translation as
a courtesy, but you're still supposed
73
00:08:01,699 --> 00:08:04,230
to fill the forms in French. You're
supposed to provide your source code, but
74
00:08:04,230 --> 00:08:05,230
since you all develop open software, this
is fine, isn't it? And of course, you have
75
00:08:05,230 --> 00:08:06,230
to send it by regular snail mail, there's
no electronic version of it, in triplicate,
76
00:08:06,230 --> 00:08:07,230
which is much more expensive, especially
if you're not in France. Let's say that
77
00:08:07,230 --> 00:08:08,230
administrative documents are sometimes
very complicated for French-speaking
78
00:08:08,230 --> 00:08:09,230
people, who are supposed
to be used to them.
79
00:08:09,230 --> 00:08:10,230
Agnes: So..
Okhin: How enabling foreign people - not
80
00:08:10,230 --> 00:08:11,230
French speaking ones - to understand them
and to correctly fill them?
81
00:08:11,230 --> 00:08:12,230
proper sound back again
Agnes: Since then cryptography legislation
82
00:08:12,230 --> 00:08:14,180
has not really evolved. However, one
national security or counter terrorism law
83
00:08:14,180 --> 00:08:20,990
after another - we had something like 30
of them in the last 15 years - the
84
00:08:20,990 --> 00:08:27,320
judiciary and repressive arsenal did grow.
For example, police were authorized to
85
00:08:27,320 --> 00:08:40,188
install keyloggers in the LOPPSI 2 law in
2011. Then police were authorized to force
86
00:08:40,188 --> 00:08:50,990
any person or entity they think able
to decrypt or to analyze every kind of
87
00:08:50,990 --> 00:08:58,300
encrypted content they get their hands on
in the counter-terrorism law of 2014, and
88
00:08:58,300 --> 00:09:07,480
the army and intelligence agency of course
can help to do those crypto analysis
89
00:09:07,480 --> 00:09:33,749
if needed.
bad sound, again from author transcript now
90
00:09:33,749 --> 00:10:05,160
Okhin: And now the so-called "Black boxes"
entered the game in the Surveillance Law
91
00:10:05,160 --> 00:10:07,649
of 2015. Those are algorithms collecting
and analysing metadata in order to catch
92
00:10:07,649 --> 00:10:10,500
terrorists. We know they are made by
Palantir and we had the confirmation on
93
00:10:10,500 --> 00:10:12,310
November of their deployment.
The fun fact: the internal intelligence
94
00:10:12,310 --> 00:10:14,019
service signed the agreement with Palantir
but the military intelligence and foreign
95
00:10:14,019 --> 00:10:16,649
intelligence services are quite concerned
about it, because they would rather maintain a
96
00:10:16,649 --> 00:10:17,779
strategic autonomy.
97
00:10:17,779 --> 00:10:18,909
In the same law, the use
of IMSI Catchers is granted to cops
98
00:10:18,909 --> 00:10:20,040
and they can install spyware on your
terminal without prior validation of a
99
00:10:20,040 --> 00:10:21,290
judge. IMSI Catchers and spywares may be
used to gather any information that may
100
00:10:21,290 --> 00:10:23,970
help protect vague interests, such as the
"industrial and economic well being" of
101
00:10:23,970 --> 00:10:29,670
France or the prevention of undeclared
protests. recording audio back to quality
102
00:10:29,670 --> 00:10:33,089
Thanks to the state of emergency since
2015 and now made permanent in last
103
00:10:33,089 --> 00:10:35,029
October, search warrants may now be
delivered on mere rumour and suspicions,
104
00:10:35,029 --> 00:10:36,029
after the fact, without any investigations.
They allow for collection of any data found
105
00:10:36,029 --> 00:10:37,029
on site. And data is kept during three
months, but if they are encrypted the judge
106
00:10:37,029 --> 00:10:39,089
can decide to retain them indefinitely
until they decrypt them.
107
00:10:39,089 --> 00:10:41,149
And without any investigative power.
108
00:10:41,149 --> 00:10:43,209
Agnes: So to conclude this
depressive state of affairs
109
00:10:43,209 --> 00:10:47,850
we need to add that cryptography
is an aggravating circumstance
110
00:10:47,850 --> 00:10:56,749
in a long list of crimes
and felonies linked
111
00:10:56,749 --> 00:11:02,309
primarily to organized crime and terrorism,
but also conveniently to aiding refugees
112
00:11:02,309 --> 00:11:04,089
for example. So encrypting things makes
you even more suspect and more guilty.
113
00:11:04,089 --> 00:11:07,089
Okhin: Oh and we almost forgot - if ever
you're operating a cryptographic system
114
00:11:07,089 --> 00:11:10,820
for third parties you have an obligation
to provide either decryption key or plain
115
00:11:10,820 --> 00:11:14,910
text to cops if they ask for it and
you have 72 hours to comply
116
00:11:14,910 --> 00:11:20,389
- which means a lot of pressure
on you. It probably can
117
00:11:20,389 --> 00:11:24,429
apply to yourself if you're being
investigated upon, but it might clash with
118
00:11:24,429 --> 00:11:27,420
the right to remain silent and to not
self-incriminate we do not have a lot of
119
00:11:27,420 --> 00:11:35,639
choice here. But we recently had cases
where cops.., where the law has been used
120
00:11:35,639 --> 00:11:40,019
one of them was to coerce a teenager to
provide decryption key for an encrypted
121
00:11:40,019 --> 00:11:44,399
chat with OTR he was operating and which
had been used by people who were making
122
00:11:44,399 --> 00:11:55,089
fake bomb alert in schools. And for one we
know about, how many of them have gone
123
00:11:55,089 --> 00:11:59,730
unnoticed, people choosing to keep living
their lives instead of risking jail time
124
00:11:59,730 --> 00:12:04,300
and huge fines?
Agnes: So here it's important to note that
125
00:12:04,300 --> 00:12:09,639
there's difference being made between
cryptography which enforces security
126
00:12:09,639 --> 00:12:15,550
communication and cryptography which
enforces confidentiality. In this
127
00:12:15,550 --> 00:12:19,649
presentation we're addressing the issue of
cryptography in the concept context of
128
00:12:19,649 --> 00:12:26,639
confidentiality only. To illustrate that
this debate goes beyond the classic lines
129
00:12:26,639 --> 00:12:32,689
of left/right politics we like to display
some quotes on the topic by various
130
00:12:32,689 --> 00:12:39,769
ministers, candidates, elected
representatives and prominent political
131
00:12:39,769 --> 00:12:47,009
speakers. For example, Éric Ciotti, he is
a member of parliament from the right-
132
00:12:47,009 --> 00:12:56,740
wing. He wants to fine Apple 1.5 million
euro, if they refuse to give encryption
133
00:12:56,740 --> 00:13:02,170
keys, among other outrageous things he
said, this is one taking hold.
134
00:13:02,170 --> 00:13:07,529
Okhin: François Molins, Paris Prosecutor,
wrote about that in the New York Times
135
00:13:07,529 --> 00:13:11,990
against cryptography. The title is quite
explicit it states: "When Phone Encryption
136
00:13:11,990 --> 00:13:20,089
Blocks Justice" And he talks about the
importance of privacy rights of the
137
00:13:20,089 --> 00:13:24,220
individual in the same paragraph of the
"marginal benefits of full disk
138
00:13:24,220 --> 00:13:29,129
encryption". He signed this bullshit with
his colleague Cyrus Vance Jr, District
139
00:13:29,129 --> 00:13:32,879
Attorney of Manhattan, Adrian Leppard,
commissioner of London City Police and
140
00:13:32,879 --> 00:13:37,760
Javier Zaragoza, chief prosecutor of the
national court of Spain. I let you read
141
00:13:37,760 --> 00:13:46,279
the full quote in all its splendor.
Agnes: So we have also Guillaume Poupard
142
00:13:46,279 --> 00:13:53,420
from the ANSSI we talked about before. He
said just before the Bataclan attack in
143
00:13:53,420 --> 00:13:59,970
2015 that backdoors and key sequestrations
is a bad idea and that he instead proposes
144
00:13:59,970 --> 00:14:06,939
to work on "points of cleartext". Whatever
it means it probably stands for transport
145
00:14:06,939 --> 00:14:10,410
security and against confidentiality of
communications.
146
00:14:10,410 --> 00:14:15,259
Okhin: Emmanuel Valls, then Prime
Minister, used the term "legal
147
00:14:15,259 --> 00:14:18,799
cryptography" in interviews where the
official discourse for the last 20 years
148
00:14:18,799 --> 00:14:27,720
was that all cryptography was legal.
Agnes: Here the digital national council,
149
00:14:27,720 --> 00:14:34,790
then chaired by Mounir Mahjoubi, who is
now Secretary of State for digital issues,
150
00:14:34,790 --> 00:14:39,929
did oppose the ideas of backdoors and did
advocate for the use and development of
151
00:14:39,929 --> 00:14:44,160
end-to-end encryption just before the
presidential electoral race - you'll see
152
00:14:44,160 --> 00:14:47,879
later why it's important.
Okhin: Bernard Debré, another elected
153
00:14:47,879 --> 00:14:54,220
representative from the right wing he
actually ordered drugs online, cocaine for
154
00:14:54,220 --> 00:15:00,519
80 euros a gram on onion-services to prove
how dangerous it is. He also said you can
155
00:15:00,519 --> 00:15:05,269
buy body parts and guns there and that
it's easier than ordering shoes online. He
156
00:15:05,269 --> 00:15:09,699
also bought a lot of drugs from a non-
identified website in Netherlands, so
157
00:15:09,699 --> 00:15:18,379
surely the encryption is at fault here.
Agnes: So Jean-Jacques Urvoas who was
158
00:15:18,379 --> 00:15:25,399
Minister of Justice said he wants to
access computers, Skype communications and
159
00:15:25,399 --> 00:15:34,790
so on and to put all suspects and their
entourage under permanent recording.
160
00:15:34,790 --> 00:15:40,809
Between the first and second turn of the
last presidential elections he broke the
161
00:15:40,809 --> 00:15:46,579
professional secret and sent to Thierry
Solère who is a member of parliament from
162
00:15:46,579 --> 00:15:53,480
the right wing the information that he was
investigated upon. He sent a message by
163
00:15:53,480 --> 00:15:59,679
Telegram and the note was saved on Thierry
Solère's phone and found during a police
164
00:15:59,679 --> 00:16:06,799
search at his house later on.
Okhin: In August 2016 there was a joint
165
00:16:06,799 --> 00:16:11,209
declaration of Thomas de Maizière and
Bernard Cazeneuve, interior ministers of
166
00:16:11,209 --> 00:16:16,519
Germany and France respectively about
European internal security and they stated
167
00:16:16,519 --> 00:16:20,579
that: "At the European level, it will
require to force the non cooperatives
168
00:16:20,579 --> 00:16:24,829
operators to remove illegal content or to
decrypt messages during investigation."
169
00:16:24,829 --> 00:16:32,360
Agnes: However, so it was a joint
communication but French written version
170
00:16:32,360 --> 00:16:38,649
of the joint declaration was different
than Germans. Only France kept the part
171
00:16:38,649 --> 00:16:43,809
about how it would be so great to have
back doors or golden keys. So either
172
00:16:43,809 --> 00:16:50,040
Germany did not want to publicly advocate
for backdoors or they had a different
173
00:16:50,040 --> 00:16:56,480
strategy, but unfortunately very recently
the same de Maizière announced that he
174
00:16:56,480 --> 00:17:01,480
wanted to force tech and car companies to
provide the security services with hidden
175
00:17:01,480 --> 00:17:07,220
digital access to all devices and
machines. He probably did not know that if
176
00:17:07,220 --> 00:17:11,159
you lowered the security of cars you
dramatically increase the risk of accident
177
00:17:11,159 --> 00:17:15,470
among others.
Okhin: All this was before Macron was
178
00:17:15,470 --> 00:17:22,579
elected last spring. It's like an actual
photo. It's not a Photoshop. During his
179
00:17:22,579 --> 00:17:27,630
presidential campaign Emmanuel Macron said
that we should put an end to cryptography
180
00:17:27,630 --> 00:17:31,610
by forcing the biggest companies to
provide encryption keys or to give access
181
00:17:31,610 --> 00:17:38,269
to the complete content stating that "one
day they'll have to be responsible of
182
00:17:38,269 --> 00:17:45,600
terror attacks complicity".
Agnes: So Mounir Mahjoubi again. He was
183
00:17:45,600 --> 00:17:54,130
then counselling the candidate and he is
now internet minister. He has been forced
184
00:17:54,130 --> 00:17:59,210
to backpedal and to explain that messing
with end-to-end cryptography was out of
185
00:17:59,210 --> 00:18:03,630
question and that they'd rather force
companies to cooperate faster with police
186
00:18:03,630 --> 00:18:09,639
forces. He specifically emphasized the
importance of cryptography by companies to
187
00:18:09,639 --> 00:18:16,890
protect trade and industrial secrets and
since then Mounir Mahjoubi has become
188
00:18:16,890 --> 00:18:24,680
totally silent on this topic. So it seems
that encryption for confidentiality is a
189
00:18:24,680 --> 00:18:30,000
real problem for them. Would you be
surprised to know that to communicate with
190
00:18:30,000 --> 00:18:34,590
his political party and representatives
Emmanuel Macron, now president, uses
191
00:18:34,590 --> 00:18:41,090
Telegram? An application regularly
described by a lot of representatives as
192
00:18:41,090 --> 00:18:48,460
an enabling terrorism tool and which
should be banned. Their words, not ours.
193
00:18:48,460 --> 00:18:52,670
Animal Farm is back: We are all equal with
the use of cryptography, but some are more
194
00:18:52,670 --> 00:18:58,630
equal than the others. Coupled with this
focus on protecting companies' secrets
195
00:18:58,630 --> 00:19:03,220
this confirms that the Start Up Nation
doesn't care about protecting citizens but
196
00:19:03,220 --> 00:19:08,610
only about business and powerful friends.
This becomes blatantly obvious when you
197
00:19:08,610 --> 00:19:12,120
look at Macron's social and economy's
policies.
198
00:19:12,120 --> 00:19:16,610
Okhin: Last but not least, successive
French government put pressure to add in
199
00:19:16,610 --> 00:19:21,289
the law possibility for cops to ask you
for all of your online handles, including
200
00:19:21,289 --> 00:19:25,960
that all Yahoo mailboxes, ICQ numbers,
your Twitter or Facebook account, all the
201
00:19:25,960 --> 00:19:30,620
weird nicknames you use on IRC and stuff
like that. That's why mine is currently a
202
00:19:30,620 --> 00:19:34,970
fork-bomb embedded into a shellshock, but
I think we can get more creative and find
203
00:19:34,970 --> 00:19:39,179
a way to be more destructive for a system
when cops would have to enter it into
204
00:19:39,179 --> 00:19:46,440
their systems. Two attempts have been made
already and rejected at some point. This
205
00:19:46,440 --> 00:19:50,590
kind of registration already exist in the
UK in the US and we hope the government
206
00:19:50,590 --> 00:19:54,480
won't succeed in France to put this kind
of limitation in law.
207
00:19:54,480 --> 00:20:00,740
Agnes: So, as demonstrated France is one
of the very active power against
208
00:20:00,740 --> 00:20:05,190
cryptography within the EU. Even if some
of other member states did express some
209
00:20:05,190 --> 00:20:13,120
concerns namely Poland, Croatia, Hungary,
Italy, Latvia, and other countries, those
210
00:20:13,120 --> 00:20:18,210
concerns have been prompted by other
member states and probably France. Each
211
00:20:18,210 --> 00:20:23,679
new bill is a risk to reduce the use of
cryptography especially with the criminal,
212
00:20:23,679 --> 00:20:30,580
digital or judiciary laws that are coming
soon. For instance France is pushing hard
213
00:20:30,580 --> 00:20:37,550
for avoiding any obligation on end-to-end
encryption in the ePrivacy regulation.
214
00:20:37,550 --> 00:20:45,220
They explicitly ask to gain access to any
communication or metadata, which is what
215
00:20:45,220 --> 00:20:51,460
is written here in French. Sorry, we
didn't translate it. The government also
216
00:20:51,460 --> 00:20:57,539
pushes to obtain EU legislation on
encryption which would limit end to end
217
00:20:57,539 --> 00:21:04,500
encryption, of course. The government
intends then to use this EU legislation
218
00:21:04,500 --> 00:21:11,919
for justifying its position while it did
create this proposal at the first place.
219
00:21:11,919 --> 00:21:20,519
In the next month the discussions
eEvidence will start at the EU level. They
220
00:21:20,519 --> 00:21:26,570
will probably be a lot of talks about
cryptography in the next "counter-
221
00:21:26,570 --> 00:21:32,230
terrorist package" expected in 2018.
Counterterrorism is always a good way for
222
00:21:32,230 --> 00:21:37,580
the governments to make some provisions to
enhance security and to lower the rights
223
00:21:37,580 --> 00:21:43,220
and freedoms. They threaten the Parliament
to be responsible of the next attacks and
224
00:21:43,220 --> 00:21:48,409
the members of parliament thus vote
anything just because they don't want to
225
00:21:48,409 --> 00:21:54,200
be responsible.
Okhin: So as technician, what can we do?
226
00:21:54,200 --> 00:21:58,590
From a technical perspective we think we
should operate communication
227
00:21:58,590 --> 00:22:03,600
infrastructure and systems in an illegal
and clandestine way. It is important to
228
00:22:03,600 --> 00:22:07,139
build undetectable and encrypted
communication systems that break the link
229
00:22:07,139 --> 00:22:11,440
between your online communications and
yourself. Making those tools available to
230
00:22:11,440 --> 00:22:15,899
the general public and mass adopted by
them is a critical and non trivial issue
231
00:22:15,899 --> 00:22:19,980
to address. Especially as French legal
registration system might block access to
232
00:22:19,980 --> 00:22:25,210
high-quality privacy preserving encryption
tools. For instance, Apple requires you to
233
00:22:25,210 --> 00:22:29,380
fill the ANSSI form and obtain a
certificate from them to put your software
234
00:22:29,380 --> 00:22:34,639
on the Apple App Store already.
Moreover it is paramount to think wider,
235
00:22:34,639 --> 00:22:38,870
because if your encrypted communication
relies on centralized infrastructure at a
236
00:22:38,870 --> 00:22:44,809
highly identifying piece of information
such as for instance a phone number, then
237
00:22:44,809 --> 00:22:49,630
a passive listener such as an IMSI catcher
can get your phone number from a protest
238
00:22:49,630 --> 00:22:54,669
you were at for instance and then guess
what your account is and then, they got
239
00:22:54,669 --> 00:22:59,240
your phone number, so they can ask to
deploy key loggers and spyware on your
240
00:22:59,240 --> 00:23:08,750
phones. And this defeating all the
security based on your phone number. At a
241
00:23:08,750 --> 00:23:11,730
time where more and more governments want
to hinder encryption and secret of
242
00:23:11,730 --> 00:23:15,799
communications, it is critical to have
access to communication systems that are
243
00:23:15,799 --> 00:23:19,250
free, pseudonymous, decentralised and
distributed to the widest audience
244
00:23:19,250 --> 00:23:24,200
possible, meaning user-friendly, yes, and
to think about way to push those tools
245
00:23:24,200 --> 00:23:30,850
everywhere. It is also important to lead
political battles. We need all available
246
00:23:30,850 --> 00:23:34,809
help to slow down this attack at the
national and European levels. We need to
247
00:23:34,809 --> 00:23:39,509
get out of the security discourses and to
break the link between encryption and
248
00:23:39,509 --> 00:23:44,779
security for the state and to control the
argument that only people committing
249
00:23:44,779 --> 00:23:49,100
crimes and felonies do use cryptography.
We need a positive discourse about
250
00:23:49,100 --> 00:23:53,250
cryptography: how it helps people with
their daily lives, how it
251
00:23:53,250 --> 00:23:57,059
improves social structures, how it protects
the identity of queers, how it helps
252
00:23:57,059 --> 00:24:01,200
abused women to seek help and to escape
their home, how it enables a positive
253
00:24:01,200 --> 00:24:05,659
change in the society, as main change
often comes from activities not approved
254
00:24:05,659 --> 00:24:11,410
by the society. If you want more concrete
steps and ways to help we're currently
255
00:24:11,410 --> 00:24:15,750
running a support campaign so you can help
us there at support.laquadrature.net.
256
00:24:15,750 --> 00:24:21,570
After the Q&A, because we have some time
left, you can come drink some tea at the
257
00:24:21,570 --> 00:24:28,490
teahouse in the CCL building and have some
tea and chat with us. Thank you all for
258
00:24:28,490 --> 00:24:34,270
listening and if you have any question I
think we have some time.
259
00:24:34,270 --> 00:24:40,799
applause
Herald Angel: Alright we have 5 minutes
260
00:24:40,799 --> 00:24:50,299
for questions. Are there people out there,
maybe on the internet? No, are there some
261
00:24:50,299 --> 00:24:55,830
people here who have questions for this
lovely organization? Well I have a
262
00:24:55,830 --> 00:25:01,669
question actually: So you gave us some
advice regarding using avatars, alter
263
00:25:01,669 --> 00:25:08,780
egos. You know what, I'm teaching as well
and my colleagues teachers even in that
264
00:25:08,780 --> 00:25:13,090
kind of digital age that we live in are
always wondering why I am using several
265
00:25:13,090 --> 00:25:20,880
avatars, several devices. It seems like
it's not accepted actually because they're
266
00:25:20,880 --> 00:25:27,039
looking at you like "Are you a criminal or
what? What did you do wrong?" Don't you
267
00:25:27,039 --> 00:25:29,149
get that kind of questions as well from
your audience?
268
00:25:29,149 --> 00:25:34,879
Okhin: Yes, we got that a lot. The thing
is, a lot of people commit crimes using
269
00:25:34,879 --> 00:25:39,559
their real name and IDs and stuff like
that. Most of the people are asking people
270
00:25:39,559 --> 00:25:42,610
online, for instance, to not use a
pseudonymous account or something like
271
00:25:42,610 --> 00:25:47,429
that, they want to be known as our same
people and stuff like that. So it's like
272
00:25:47,429 --> 00:25:50,540
we need to get out of this kind of
discourse and say: "I can do whatever I
273
00:25:50,540 --> 00:25:55,210
want with my online identities. It's not
your business. And if I'm doing something
274
00:25:55,210 --> 00:25:59,550
wrong, you have to prove it, like with due
process of law and stuff like that."
275
00:25:59,550 --> 00:26:04,690
Herald: Ok, I see there's a question
raised in here. Microphone number two.
276
00:26:04,690 --> 00:26:10,110
Mic2: What counts in practice as import
and export of cryptography. I mean, if I'm
277
00:26:10,110 --> 00:26:16,409
in France and I download OpenSSL, do I
have to fill out the ANSSI form?
278
00:26:16,409 --> 00:26:25,850
Okhin: Not for OpenSSL, because it's not
protocol that have a goal to provide
279
00:26:25,850 --> 00:26:28,970
confidentiality of communication which is
end-to-end encryption.
280
00:26:28,970 --> 00:26:34,760
Mic2: So GPG?
Okhin: Yeah, GPG is supposed to have an
281
00:26:34,760 --> 00:26:37,399
important certificate and I think they
have it.
282
00:26:37,399 --> 00:26:39,889
Mic2: For individuals or for
organizations?
283
00:26:39,889 --> 00:26:44,059
Okhin: For the organization which provides
you the access to the tool. Like Google is
284
00:26:44,059 --> 00:26:51,299
supposed to provide that, Apple,
Microsoft, Debian. Debian I think filled
285
00:26:51,299 --> 00:27:00,370
the paperwork. Each Linux distribution
should do it.
286
00:27:00,370 --> 00:27:03,639
Herald: Question here, microphone number
one?
287
00:27:03,639 --> 00:27:07,649
Mic1: Okay, thanks so much for the talk.
I'd really love to hear a little bit more
288
00:27:07,649 --> 00:27:13,960
about the very crunchy in-depth bits about
encryption policy in France. Now might not
289
00:27:13,960 --> 00:27:20,870
be the right time, but building off of the
last question: What kinds of laws or
290
00:27:20,870 --> 00:27:25,340
policy are around taking encryption
technology outside of France, like across
291
00:27:25,340 --> 00:27:30,120
a border?
Agnes: Well for exporting to closed
292
00:27:30,120 --> 00:27:36,970
encryption technology there is the
Wassenaar Arrangement signed by several
293
00:27:36,970 --> 00:27:55,889
countries, so I don't know by heart
everything in there, but for example a
294
00:27:55,889 --> 00:28:07,710
system that can use for war and for other
use. Then you have it's forbidden or you
295
00:28:07,710 --> 00:28:12,440
have to declare that you're exporting such
tools etc. So for exporting you have this
296
00:28:12,440 --> 00:28:23,850
Wassenaar agreement and I think there is
nothing else if it's not a double use
297
00:28:23,850 --> 00:28:25,710
system.
Mic2: Thank you!
298
00:28:25,710 --> 00:28:29,740
Herald: Okay, one last question, please
there, mister three.
299
00:28:29,740 --> 00:28:35,009
Mic3: It seems to me that all of these
laws are mostly falling under national
300
00:28:35,009 --> 00:28:39,881
security. Are there any laws way to
challenge any of this in the European
301
00:28:39,881 --> 00:28:44,059
level? So on the European level there's
wonderful direct data protection
302
00:28:44,059 --> 00:28:47,789
directives and all the stuff. But my
understanding is that all of these
303
00:28:47,789 --> 00:28:53,820
directives any state can kind of opt out
of them for national security reasons. So
304
00:28:53,820 --> 00:28:59,090
is there anything that can be done on any
level without invoking a national security
305
00:28:59,090 --> 00:29:04,620
exception?
Agnes: Yeah well all data protection
306
00:29:04,620 --> 00:29:11,100
regulation policies at the EU level and
especially the GDPR, general data
307
00:29:11,100 --> 00:29:19,450
protection regulation, has a specific
provision that enable member states to
308
00:29:19,450 --> 00:29:28,420
say: okay, it doesn't apply because it's a
national security issue. What I said, what
309
00:29:28,420 --> 00:29:35,120
I showed here, is that in the ePrivacy
regulation, which is currently under
310
00:29:35,120 --> 00:29:45,389
negotiation at the EU level, the EU
Parliament has already adopted a position
311
00:29:45,389 --> 00:29:51,719
which promotes encryption as soon as it's
possible to have end-to-end encryption.
312
00:29:51,719 --> 00:29:57,269
And that's why the French government is
trying to push it away, there will be
313
00:29:57,269 --> 00:30:03,270
negotiation between the Council, the
European Parliament and the European
314
00:30:03,270 --> 00:30:07,009
Commission. The Council represents all
member states, so there will be a
315
00:30:07,009 --> 00:30:13,049
negotiation with all the institutions,
beginning this summer probably. Or just
316
00:30:13,049 --> 00:30:20,269
after the summer, but maybe a little bit
before. And then the French government is
317
00:30:20,269 --> 00:30:30,710
going to try to push it away. As we saw
in the document which we showed in
318
00:30:30,710 --> 00:30:38,659
French, the government is trying to get to
gain access to all communications and
319
00:30:38,659 --> 00:30:43,330
data. It's very clear in the French
communication we showed.
320
00:30:43,330 --> 00:30:48,310
Herald: May I make a suggestion?
They have a fantastic tea house.
321
00:30:48,310 --> 00:30:52,210
You have to continue this discussion
later on there with a cup of tea,
322
00:30:52,210 --> 00:30:56,849
and some massage maybe. I have
one last call for you both, you know,
323
00:30:56,849 --> 00:30:59,999
and the audience: « Indignez-vous ! »
[i.e.“Time for Outrage!”]
324
00:30:59,999 --> 00:31:04,979
Ca, c'est! That's why we wanna hear you! (?)
Indignez-vous !
325
00:31:04,979 --> 00:31:09,689
applause
326
00:31:09,689 --> 00:31:23,199
postroll music
327
00:31:23,199 --> 00:31:30,781
Subtitles created by c3subtitles.de
in the year 2018