34C3 preroll music
Herald Angel: Good. I have the pleasure and the honor of introducing to you two persons here who are really working at 'La Quadrature du Net'. Well, that's really something in French! It's an NGO; it's actually working on the rights, on the freedom of citizens on the internet. I understood that Agnes is responsible there for the coordination, mainly about legal issues, and that Okhin - I'll pronounce this well - is more responsible for the technical side. He runs as well, I think, a bunch of volunteers, or they help you around. Please give them a welcoming applause. Let the show start!
applause
Agnes: Hello, here is Okhin, but he has already been introduced, the third person from 'La Quadrature du Net', and I am Agnes, and I work on legal and political issues at 'La Quadrature' as well. So La Quadrature is an organization that fights for fundamental rights and freedoms in the digital area. We are here today to talk about the danger hanging over your jobs, especially if you're building or maintaining cryptographic tools. We're here because we think it's important to demonstrate that the worst authoritarian laws don't only come from far-right governments such as Hungary or Poland, but mostly from the "social democracy compatible with market economy", to quote Angela Merkel. Along with Germany and the United Kingdom (but with Brexit, exit the UK), France is one of the biggest forces within the EU. And if France can get at least one of the two others on board, it can obtain what it wants from its European partners. It works both ways, of course! But it's important because the problem with that is: France is not only exporting its knowledge and practice of law enforcement and anti-riot gear to various governments such as Tunisia or others. France is now also shining for its anti-privacy lobbying, as you will see later.
sound issues on Okhin's microphone
Okhin: What is interesting here is to think about what we can do as technicians, developers, sysadmins, sysops, or legal persons specialised in technology issues. Because the threats come from the legal, political and technical areas and endanger not only us but also sex workers, abused women and abused people who need to flee their homes, etc. We have to think about our role and to find ways to act, to fight against the threats against encryption. We're going to start with a quick but sadly non-exhaustive history of laws trying to weaken or circumvent cryptography in France one way or another. We are including here everything that talks about spyware and keyloggers, because they're a direct threat against a lot of cryptographic tools.
Agnes: Okay, so let's be clear here: we are only going to talk about very specific aspects of digital-related law. Access to the Internet, filtering, censorship can probably be discussed in other talks with the same quantity of laws hindering those rights. But we will focus here on cryptography only. Before 1998, the use of cryptographic tools by the public was essentially forbidden. The key length was limited to 128 bits for asymmetric cryptography. For the authentication of communication or for ensuring the integrity of a message, a prior declaration was necessary. For all other uses, especially for confidentiality, ex ante authorization from the Prime Minister was required as well.
Okhin: After lengthy negotiations with the intelligence services, cryptography was freed in 1998. But it still required that the system used respect one of the three following limitations: the cryptography system cannot be used for confidentiality purposes without authorisation; or the cryptography system is operated by a third party owning a master key which the police may have access to; or the user does not need strong confidentiality and can use a standard encryption solution with a key shorter than 40 bits.
bad sound, subtitles now from author's transcript
Furthermore, people providing encryption tools for confidentiality purposes were required to give the code, decryption devices or conventions when required by law. In 2001, the use of cryptography was freed, but it still requires that the system used has first been registered at the Interior Ministry's office. Now it's one of the missions of ANSSI, the French National Cybersecurity Agency, which reports to the Prime Minister. France's doctrine toward cryptography has always been dictated by the intelligence services and the army. They want to collect as much data as possible, multiple times, and to have the capability to decrypt every conversation at any given time. It is on this condition that they consented to give free access to cryptography to the general public. That's why French law obliges you to declare to ANSSI the supply or importation of a cryptology tool. This procedure is an obstacle to the deployment of such services in France, mostly because you have to face an administrative system which refuses to speak anything but French. The delay for the transportation (?) is at least one month. For a long time, all administrative documents were in French only; ANSSI now provides translations as a courtesy, but you're still supposed to fill in the forms in French. You're supposed to provide your source code, but since you all develop open software, this is fine, isn't it? And of course, you have to send it by regular snail mail, there's no electronic version of it, in triplicate, which is much more expensive, especially if you're not in France. Let's say that administrative documents are sometimes very complicated for French-speaking people, who are supposed to be used to them.
Agnes: So..
Okhin: How to enable foreign people - not French-speaking ones - to understand them and to correctly fill them in?
proper sound back again
Agnes: Since then, cryptography legislation has not really evolved.
However, one national security or counter-terrorism law after another - we had something like 30 of them in the last 15 years - the judiciary and repressive arsenal did grow. For example, police were authorized to install keyloggers in the LOPPSI 2 law in 2011. Then police were authorized to force any person or entity they think able to decrypt or to analyze every kind of encrypted content they get their hands on, in the counter-terrorism law of 2014, and the army and the intelligence agencies of course can help to do this cryptanalysis if needed.
bad sound, again from author's transcript now
Okhin: And now the so-called "black boxes" entered the game in the Surveillance Law of 2015. Those are algorithms collecting and analysing metadata in order to catch terrorists. We know they are made by Palantir and we had the confirmation in November of their deployment. The fun fact: the internal intelligence service signed the agreement with Palantir, but the military intelligence and foreign intelligence services are quite concerned about it, because they would rather maintain a strategic autonomy. In the same law, the use of IMSI catchers is granted to cops and they can install spyware on your terminal without prior validation by a judge. IMSI catchers and spyware may be used to gather any information that may help protect vague interests, such as the "industrial and economic well-being" of France or the prevention of undeclared protests.
recording audio back to quality
Thanks to the state of emergency since 2015, now made permanent last October, search warrants may now be delivered on mere rumour and suspicion, after the fact, without any investigation. They allow for the collection of any data found on site. And data is kept for three months, but if it is encrypted the judge can decide to retain it indefinitely until they decrypt it. And without any investigative power.
Agnes: So to conclude this depressing state of affairs, we need to add that cryptography is an aggravating circumstance in a long list of crimes and felonies linked primarily to organized crime and terrorism, but also, conveniently, to aiding refugees for example. So encrypting things makes you even more suspect and more guilty.
Okhin: Oh, and we almost forgot: if ever you're operating a cryptographic system for third parties, you have an obligation to provide either the decryption key or the plaintext to cops if they ask for it, and you have 72 hours to comply, which means a lot of pressure on you. It probably can apply to yourself if you're being investigated, but it might clash with the right to remain silent and to not self-incriminate; we do not have a lot of choice here. But we recently had cases where cops.., where the law has been used; one of them was to coerce a teenager to provide the decryption key for an encrypted chat with OTR he was operating and which had been used by people who were making fake bomb alerts in schools. And for the one we know about, how many of them have gone unnoticed, people choosing to keep living their lives instead of risking jail time and huge fines?
Agnes: So here it's important to note that there's a difference being made between cryptography which enforces the security of communication and cryptography which enforces confidentiality. In this presentation we're addressing the issue of cryptography in the context of confidentiality only. To illustrate that this debate goes beyond the classic lines of left/right politics, we'd like to display some quotes on the topic by various ministers, candidates, elected representatives and prominent political speakers. For example, Éric Ciotti: he is a member of parliament from the right wing. He wants to fine Apple 1.5 million euros if they refuse to give encryption keys; among other outrageous things he said, this is one taking hold.
Okhin: François Molins, Paris Prosecutor, wrote about that in the New York Times against cryptography. The title is quite explicit; it states: "When Phone Encryption Blocks Justice". And he talks about the importance of the privacy rights of the individual in the same paragraph as the "marginal benefits of full disk encryption". He signed this bullshit with his colleagues Cyrus Vance Jr., District Attorney of Manhattan, Adrian Leppard, Commissioner of the City of London Police, and Javier Zaragoza, chief prosecutor of the national court of Spain. I'll let you read the full quote in all its splendor.
Agnes: So we also have Guillaume Poupard from ANSSI, which we talked about before. He said just before the Bataclan attack in 2015 that backdoors and key escrow are a bad idea and that he instead proposes to work on "points of cleartext". Whatever it means, it probably stands for transport security and against confidentiality of communications.
Okhin: Manuel Valls, then Prime Minister, used the term "legal cryptography" in interviews, whereas the official discourse for the last 20 years was that all cryptography was legal.
Agnes: Here, the digital national council, then chaired by Mounir Mahjoubi, who is now Secretary of State for digital issues, did oppose the idea of backdoors and did advocate for the use and development of end-to-end encryption just before the presidential electoral race - you'll see later why it's important.
Okhin: Bernard Debré, another elected representative from the right wing, actually ordered drugs online, cocaine for 80 euros a gram, on onion services, to prove how dangerous it is. He also said you can buy body parts and guns there and that it's easier than ordering shoes online. He also bought a lot of drugs from a non-identified website in the Netherlands, so surely encryption is at fault here.
Agnes: So Jean-Jacques Urvoas, who was Minister of Justice, said he wants to access computers, Skype communications and so on, and to put all suspects and their entourage under permanent recording. Between the first and second rounds of the last presidential election, he broke professional secrecy and sent Thierry Solère, who is a member of parliament from the right wing, the information that he was under investigation. He sent a message by Telegram, and the note was saved on Thierry Solère's phone and found during a police search at his house later on.
Okhin: In August 2016 there was a joint declaration by Thomas de Maizière and Bernard Cazeneuve, interior ministers of Germany and France respectively, about European internal security, and they stated that: "At the European level, it will require forcing non-cooperative operators to remove illegal content or to decrypt messages during investigations."
Agnes: However, so it was a joint communication, but the French-language version of the joint declaration was different from the German one. Only France kept the part about how great it would be to have backdoors or golden keys. So either Germany did not want to publicly advocate for backdoors or they had a different strategy, but unfortunately very recently the same de Maizière announced that he wanted to force tech and car companies to provide the security services with hidden digital access to all devices and machines. He probably did not know that if you lower the security of cars you dramatically increase the risk of accidents, among other things.
Okhin: All this was before Macron was elected last spring. It's like an actual photo. It's not a Photoshop. During his presidential campaign, Emmanuel Macron said that we should put an end to cryptography by forcing the biggest companies to provide encryption keys or to give access to the complete content, stating that "one day they'll have to be responsible for complicity in terror attacks".
Agnes: So, Mounir Mahjoubi again.
He was then counselling the candidate and he is now internet minister. He has been forced to backpedal and to explain that messing with end-to-end cryptography was out of the question and that they'd rather force companies to cooperate faster with police forces. He specifically emphasized the importance of cryptography for companies to protect trade and industrial secrets, and since then Mounir Mahjoubi has become totally silent on this topic. So it seems that encryption for confidentiality is a real problem for them. Would you be surprised to know that, to communicate with his political party and representatives, Emmanuel Macron, now president, uses Telegram? An application regularly described by a lot of representatives as a tool enabling terrorism and which should be banned. Their words, not ours. Animal Farm is back: we are all equal in the use of cryptography, but some are more equal than others. Coupled with this focus on protecting companies' secrets, this confirms that the Start-Up Nation doesn't care about protecting citizens but only about business and powerful friends. This becomes blatantly obvious when you look at Macron's social and economic policies.
Okhin: Last but not least, successive French governments have put pressure to add into the law the possibility for cops to ask you for all of your online handles, including all your Yahoo mailboxes, ICQ numbers, your Twitter or Facebook accounts, all the weird nicknames you use on IRC and stuff like that. That's why mine is currently a fork bomb embedded into a Shellshock, but I think we can get more creative and find a way to be more destructive for a system when cops would have to enter it into their systems. Two attempts have been made already and rejected at some point. This kind of registration already exists in the UK and in the US, and we hope the government won't succeed in putting this kind of limitation into law in France.
Agnes: So, as demonstrated, France is one of the very active powers against cryptography within the EU. Even if some other member states did express some concerns, namely Poland, Croatia, Hungary, Italy, Latvia and other countries, those concerns have been prompted by other member states, and probably France. Each new bill is a risk of reducing the use of cryptography, especially with the criminal, digital or judiciary laws that are coming soon. For instance, France is pushing hard to avoid any obligation on end-to-end encryption in the ePrivacy regulation. They explicitly ask to gain access to any communication or metadata, which is what is written here in French. Sorry, we didn't translate it. The government also pushes to obtain EU legislation on encryption which would limit end-to-end encryption, of course. The government then intends to use this EU legislation to justify its position, while it created this proposal in the first place. In the next months, the discussions on e-Evidence will start at the EU level. There will probably be a lot of talk about cryptography in the next "counter-terrorist package" expected in 2018. Counterterrorism is always a good way for governments to make some provisions to enhance security and to lower rights and freedoms. They threaten the Parliament with being responsible for the next attacks, and the members of parliament thus vote for anything just because they don't want to be responsible.
Okhin: So as technicians, what can we do? From a technical perspective, we think we should operate communication infrastructure and systems in an illegal and clandestine way. It is important to build undetectable and encrypted communication systems that break the link between your online communications and yourself. Making those tools available to the general public and mass-adopted by them is a critical and non-trivial issue to address.
Especially as the French legal registration system might block access to high-quality privacy-preserving encryption tools. For instance, Apple already requires you to fill in the ANSSI form and obtain a certificate from them to put your software on the Apple App Store. Moreover, it is paramount to think wider, because if your encrypted communication relies on centralized infrastructure and on a highly identifying piece of information such as, for instance, a phone number, then a passive listener such as an IMSI catcher can get your phone number from a protest you were at, for instance, and then guess what your account is, and then, they've got your phone number, so they can ask to deploy keyloggers and spyware on your phone. And this defeats all the security based on your phone number. At a time when more and more governments want to hinder encryption and the secrecy of communications, it is critical to have access to communication systems that are free, pseudonymous, decentralised and distributed, to the widest audience possible, meaning user-friendly, yes, and to think about ways to push those tools everywhere. It is also important to lead political battles. We need all available help to slow down this attack at the national and European levels. We need to get out of the security discourse and to break the link between encryption and security for the state, and to counter the argument that only people committing crimes and felonies use cryptography. We need a positive discourse about cryptography: how it helps people with their daily lives, how it improves social structures, how it protects the identity of queers, how it helps abused women to seek help and to escape their homes, how it enables positive change in society, as major change often comes from activities not approved by society. If you want more concrete steps and ways to help, we're currently running a support campaign, so you can help us there at support.laquadrature.net.
After the Q&A, because we have some time left, you can come drink some tea at the teahouse in the CCL building and chat with us. Thank you all for listening, and if you have any questions I think we have some time.
applause
Herald Angel: Alright, we have 5 minutes for questions. Are there people out there, maybe on the internet? No. Are there some people here who have questions for this lovely organization? Well, I have a question actually: so you gave us some advice regarding using avatars, alter egos. You know what, I'm teaching as well, and my colleague teachers, even in this kind of digital age that we live in, are always wondering why I am using several avatars, several devices. It seems like it's not accepted actually, because they're looking at you like "Are you a criminal or what? What did you do wrong?" Don't you get that kind of question as well from your audience?
Okhin: Yes, we get that a lot. The thing is, a lot of people commit crimes using their real names and IDs and stuff like that. Most of the people are asking people online, for instance, to not use a pseudonymous account or something like that; they want to be known as the same people and stuff like that. So it's like we need to get out of this kind of discourse and say: "I can do whatever I want with my online identities. It's not your business. And if I'm doing something wrong, you have to prove it, with due process of law and stuff like that."
Herald: Ok, I see there's a question raised in here. Microphone number two.
Mic2: What counts in practice as import and export of cryptography? I mean, if I'm in France and I download OpenSSL, do I have to fill out the ANSSI form?
Okhin: Not for OpenSSL, because it's not a protocol that has the goal of providing confidentiality of communication, which is end-to-end encryption.
Mic2: So GPG?
Okhin: Yeah, GPG is supposed to have an import certificate, and I think they have it.
Mic2: For individuals or for organizations?
Okhin: For the organization which provides you access to the tool. Like Google is supposed to provide that, Apple, Microsoft, Debian. Debian, I think, filled in the paperwork. Each Linux distribution should do it.
Herald: Question here, microphone number one?
Mic1: Okay, thanks so much for the talk. I'd really love to hear a little bit more about the very crunchy, in-depth bits of encryption policy in France. Now might not be the right time, but building off the last question: what kinds of laws or policies are there around taking encryption technology outside of France, like across a border?
Agnes: Well, for exporting closed encryption technology there is the Wassenaar Arrangement, signed by several countries, so I don't know everything in there by heart, but for example a system that can be used for war and for other uses. Then either it's forbidden or you have to declare that you're exporting such tools, etc. So for exporting you have this Wassenaar Arrangement, and I think there is nothing else if it's not a dual-use system.
Mic2: Thank you!
Herald: Okay, one last question, please there, microphone three.
Mic3: It seems to me that all of these laws are mostly falling under national security. Is there any way to challenge any of this at the European level? So at the European level there are wonderful data protection directives and all that stuff. But my understanding is that any state can kind of opt out of all of these directives for national security reasons. So is there anything that can be done at any level without invoking a national security exception?
Agnes: Yeah, well, all data protection regulation policies at the EU level, and especially the GDPR, the General Data Protection Regulation, have a specific provision that enables member states to say: okay, it doesn't apply because it's a national security issue.
What I said, what I showed here, is that in the ePrivacy regulation, which is currently under negotiation at the EU level, the EU Parliament has already adopted a position which promotes encryption as soon as it's possible to have end-to-end encryption. And that's why the French government is trying to push it away; there will be negotiations between the Council, the European Parliament and the European Commission. The Council represents all member states, so there will be a negotiation between all the institutions, beginning this summer probably. Or just after the summer, but maybe a little bit before. And then the French government is going to try to push it away. As we saw in the document which we showed in French, the government is trying to gain access to all communications and data. It's very clear in the French communication we showed.
Herald: May I make a suggestion? They have a fantastic tea house. You have to continue this discussion later on there with a cup of tea, and some massage maybe. I have one last call for you both, you know, and the audience: « Indignez-vous ! » [i.e. "Time for Outrage!"] That's it! That's why we want to hear you! (?) Indignez-vous !
applause
postroll music
Subtitles created by c3subtitles.de in the year 2018