WEBVTT
00:00:00.000 --> 00:00:17.135
34C3 preroll music
00:00:17.135 --> 00:00:24.430
Herald Angel: Good. I have the pleasure
and the honor of introducing to you two
00:00:24.430 --> 00:00:34.699
persons here who are really working at
'La QuadratureDuNet'. So, this is really
00:00:34.699 --> 00:00:39.050
something in French! It's an
organization NGO, it's actually working
00:00:39.050 --> 00:00:45.979
really on the rights, on freedom of
citizens on the internet. I understood
00:00:45.979 --> 00:00:52.030
that Agnes is there responsible for the
coordination mainly about legal issues and
00:00:52.030 --> 00:00:58.500
that Okhin - I'll pronounce this well - is
more responsible at the technical side.
00:00:58.500 --> 00:01:04.518
He runs as well, I think, a bunch of
volunteers, or helping you around.
00:01:04.518 --> 00:01:08.370
Please give them a welcome applause.
Let the show start!
00:01:08.370 --> 00:01:16.870
applause
00:01:16.870 --> 00:01:20.479
Agnes: Hello, here is Okhin, but he has
00:01:20.479 --> 00:01:25.969
already been introduced, the third person
from 'La Quadrature du Net', and I am
00:01:25.969 --> 00:01:32.460
Agnes and I work on legal and political
issues at 'LaQuadrature' as well. So
00:01:32.460 --> 00:01:38.270
LaQuadrature is an organization that
fights for fundamental rights and freedoms
00:01:38.270 --> 00:01:44.090
in the digital area. We are here today to
talk about the danger lying above your
00:01:44.090 --> 00:01:50.200
jobs, especially if you're building or
maintaining cryptographic tools. We're
00:01:50.200 --> 00:01:55.579
here because we think it's important to
demonstrate that the worst authoritarian
00:01:55.579 --> 00:02:05.560
laws don't only come from far right
governments such as Hungary or Poland,
00:02:05.560 --> 00:02:09.759
but mostly from the "social democracy
compatible with market economy", to quote
00:02:09.759 --> 00:02:19.470
Angela Merkel. Along with Germany and the
United Kingdom (but with Brexit, exit the
00:02:19.470 --> 00:02:26.450
UK), France is one of the biggest forces
within the EU. And if France can rally at
00:02:26.450 --> 00:02:31.100
least one of the two others on board it
can obtain what it wants from its European
00:02:31.100 --> 00:02:40.200
partners. It works both ways, of course!
But it's important because the problem
00:02:40.200 --> 00:02:44.120
with that: France is not only exporting
its knowledge and practice of law
00:02:44.120 --> 00:02:51.300
enforcement and anti-riot gear to various
governments such as Tunisia or others.
00:02:51.300 --> 00:02:59.570
France is now also shining for its anti-
privacy lobbying as you will see later.
00:02:59.570 --> 00:03:12.460
sound issues on Okhin's microphone
00:03:12.460 --> 00:03:15.460
Okhin: What is interesting here is to
think about what we can do as technicians,
00:03:15.460 --> 00:03:20.760
developers, sysadmins, sysops,
or legal persons
00:03:20.760 --> 00:03:26.500
specialised in technology issues.
Because the threats come from legal,
00:03:26.500 --> 00:03:32.280
political and technical area and endanger
not only us but also sex workers, abused
00:03:32.280 --> 00:03:36.570
women and abused people, who
need to flee their home etc.
00:03:36.570 --> 00:03:39.570
We have to think about our role
and to find ways to act, to fight
00:03:39.570 --> 00:03:44.440
against the threats against encryption.
00:03:44.440 --> 00:03:50.960
We're going to start with a quick but
sadly non-exhaustive history of laws
00:03:50.960 --> 00:03:54.841
trying to weaken or circumvent
cryptography in France one way or another.
00:03:54.841 --> 00:04:01.520
We are including here everything that
talks about spyware and keyloggers,
00:04:01.520 --> 00:04:06.260
because they're a direct threat against
a lot of cryptographic tools.
00:04:06.260 --> 00:04:14.310
Agnes: Okay, so let's be clear here, we
are only to talk about very specific
00:04:14.310 --> 00:04:20.149
aspects of the digital related law. Access
to the Internet, filtering, censorship can
00:04:20.149 --> 00:04:25.180
probably be discussed in other talks with
the same quantity of laws hindering those
00:04:25.180 --> 00:04:33.250
rights. But we will focus here on
cryptography only. Before 1998 use of
00:04:33.250 --> 00:04:37.720
cryptographic tools for the public was
essentially forbidden. The key length was
00:04:37.720 --> 00:04:46.560
limited to 128 bits for asymmetric
cryptography. There were authentication
00:04:46.560 --> 00:04:56.181
of communication or for ensuring integrity
of the message a prior declaration
00:04:56.181 --> 00:04:59.280
was necessary. For all
other uses, especially
00:04:59.280 --> 00:05:02.280
for confidentiality, ex ante authorization
from Prime Minister was required as well.
00:05:02.280 --> 00:05:10.660
Okhin: After lengthy negotiations with
00:05:10.660 --> 00:05:15.530
intelligence services cryptography has
been freed in 1998. But it still
00:05:15.530 --> 00:05:19.620
required that the system used respects one
of those three following limitations.
00:05:19.620 --> 00:05:23.350
The cryptography system cannot be used
for confidentiality purposes without
00:05:23.350 --> 00:05:27.120
authorisation. Or the cryptography system
is operated by a third party owning a
00:05:27.120 --> 00:05:32.110
master key which the police may have
access to. Or the user does not need a
00:05:32.110 --> 00:05:36.271
strong confidentiality and can use a
standard encryption solution with a key
00:05:36.271 --> 00:05:37.271
lower than 40 bits.
00:05:37.271 --> 00:05:38.271
bad sound, subtitles now
from author's transcript
00:05:38.271 --> 00:05:39.271
Furthermore: people providing encryption
tools for confidentiality purposes were
00:05:39.271 --> 00:05:40.271
required to give the code, decryption
devices or conventions when law required
00:05:40.271 --> 00:05:41.271
by them. In 2001 the use of cryptography
is freed, but still requires that the
00:05:41.271 --> 00:05:42.271
system used has been first registered at
the Interior Ministry's office. Now it's
00:05:42.271 --> 00:05:43.271
one of the ANSSI mission, the French
National Cybersecurity Agency ANSSI that
00:05:43.271 --> 00:05:44.271
reports to the Prime Minister. France's
doctrine toward cryptography has always
00:05:44.271 --> 00:06:56.100
been dictated by intelligence services and
the army. They want to collect as much
00:06:56.100 --> 00:07:53.350
data as possible, multiple times, and to
have the capability to decrypt every
00:07:53.350 --> 00:07:54.350
conversation at any given time. This is at
this condition that they consented to give
00:07:54.350 --> 00:07:55.350
free access to cryptography for the
general public. That's why, French law
00:07:55.350 --> 00:07:56.350
oblige to declare to the ANSSI the supply
or importation of a cryptology tool.
00:07:56.350 --> 00:07:57.350
This procedure is an obstacle for the
deployment of such services in France,
00:07:57.350 --> 00:07:58.350
mostly because you have to face an
administrative system which refuses to
00:07:58.350 --> 00:07:59.350
speak non-French. The delay for the
transportation (?) is at least one month.
00:07:59.350 --> 00:08:00.350
For a long time, all administrative
documents were in French only, ANSSI
00:08:00.350 --> 00:08:01.699
now provides the translation as
a courtesy, but you're still supposed
00:08:01.699 --> 00:08:04.230
to fill the forms in French. You're
supposed to provide your source code, but
00:08:04.230 --> 00:08:05.230
since you all develop open software, this
is fine, isn't it? And of course, you have
00:08:05.230 --> 00:08:06.230
to send it by regular snail mail, there's
no electronic version of it, in triplicate,
00:08:06.230 --> 00:08:07.230
which is much more expensive, especially
if you're not in France. Let's say that
00:08:07.230 --> 00:08:08.230
administrative documents are sometimes
very complicated for French-speaking
00:08:08.230 --> 00:08:09.230
people, who are supposed
to be used to them.
00:08:09.230 --> 00:08:10.230
Agnes: So..
Okhin: How enabling foreign people - not
00:08:10.230 --> 00:08:11.230
French speaking ones - to understand them
and to correctly fill them?
00:08:11.230 --> 00:08:12.230
proper sound back again
Agnes: Since then cryptography legislation
00:08:12.230 --> 00:08:14.180
has not really evolved. However, one
national security or counter terrorism law
00:08:14.180 --> 00:08:20.990
after another - we had something like 30
of them in the last 15 years - the
00:08:20.990 --> 00:08:27.320
judiciary and repressive arsenal did grow.
For example, police were authorized to
00:08:27.320 --> 00:08:40.188
install keyloggers in the LOPPSI 2 law in
2011. Then police were authorized to force
00:08:40.188 --> 00:08:50.990
any person or entity they think able
to decrypt or to analyze every kind of
00:08:50.990 --> 00:08:58.300
encrypted content they get their hands on
in the counter-terrorism law of 2014, and
00:08:58.300 --> 00:09:07.480
the army and intelligence agency of course
can help to do those crypto analysis
00:09:07.480 --> 00:09:33.749
if needed.
bad sound, again from author transcript now
00:09:33.749 --> 00:10:05.160
Okhin: And now the so-called "Black boxes"
entered the game in the Surveillance Law
00:10:05.160 --> 00:10:07.649
of 2015. Those are algorithms collecting
and analysing metadata in order to catch
00:10:07.649 --> 00:10:10.500
terrorists. We know they are made by
Palantir and we had the confirmation on
00:10:10.500 --> 00:10:12.310
November of their deployment.
The fun fact: the internal intelligence
00:10:12.310 --> 00:10:14.019
service signed the agreement with Palantir
but the military intelligence and foreign
00:10:14.019 --> 00:10:16.649
intelligence services are quite concerned
about it, because they would rather maintain a
00:10:16.649 --> 00:10:17.779
strategic autonomy.
00:10:17.779 --> 00:10:18.909
In the same law, the use
of IMSI Catchers is granted to cops
00:10:18.909 --> 00:10:20.040
and they can install spyware on your
terminal without prior validation of a
00:10:20.040 --> 00:10:21.290
judge. IMSI Catchers and spywares may be
used to gather any information that may
00:10:21.290 --> 00:10:23.970
help protect vague interests, such as the
"industrial and economic well being" of
00:10:23.970 --> 00:10:29.670
France or the prevention of undeclared
protests.
recording audio back to quality
00:10:29.670 --> 00:10:33.089
Thanks to the state of emergency since
2015 and now made permanent in last
00:10:33.089 --> 00:10:35.029
October, search warrants may now be
delivered on mere rumour and suspicions,
00:10:35.029 --> 00:10:36.029
after the fact, without any investigations.
They allow for collection of any data found
00:10:36.029 --> 00:10:37.029
on site. And data is kept during three
months, but if they are encrypted the judge
00:10:37.029 --> 00:10:39.089
can decide to retain them indefinitely
until they decrypt them.
00:10:39.089 --> 00:10:41.149
And without any investigative power.
00:10:41.149 --> 00:10:43.209
Agnes: So to conclude this
depressive state of affairs
00:10:43.209 --> 00:10:47.850
we need to add that cryptography
is an aggravating circumstance
00:10:47.850 --> 00:10:56.749
in a long list of crimes
and felonies linked
00:10:56.749 --> 00:11:02.309
primarily to organized crime and terrorism,
but also conveniently to aiding refugees
00:11:02.309 --> 00:11:04.089
for example. So encrypting things makes
you even more suspect and more guilty.
00:11:04.089 --> 00:11:07.089
Okhin: Oh and we almost forgot - if ever
you're operating a cryptographic system
00:11:07.089 --> 00:11:10.820
for third parties you have an obligation
to provide either decryption key or plain
00:11:10.820 --> 00:11:14.910
text to cops if they ask for it and
you have 72 hours to comply
00:11:14.910 --> 00:11:20.389
- which means a lot of pressure
on you. It probably can
00:11:20.389 --> 00:11:24.429
apply to yourself if you're being
investigated upon, but it might clash with
00:11:24.429 --> 00:11:27.420
the right to remain silent and to not
self-incriminate we do not have a lot of
00:11:27.420 --> 00:11:35.639
choice here. But we recently had cases
where cops.., where the law has been used
00:11:35.639 --> 00:11:40.019
one of them was to coerce a teenager to
provide decryption key for an encrypted
00:11:40.019 --> 00:11:44.399
chat with OTR he was operating and which
had been used by people who were making
00:11:44.399 --> 00:11:55.089
fake bomb alert in schools. And for one we
know about, how many of them have gone
00:11:55.089 --> 00:11:59.730
unnoticed, people choosing to keep living
their lives instead of risking jails time
00:11:59.730 --> 00:12:04.300
and huge fines ?
Agnes: So here it's important to note that
00:12:04.300 --> 00:12:09.639
there's difference being made between
cryptography which enforces security
00:12:09.639 --> 00:12:15.550
communication and cryptography which
enforces confidentiality. In this
00:12:15.550 --> 00:12:19.649
presentation we're addressing the issue of
cryptography in the concept context of
00:12:19.649 --> 00:12:26.639
confidentiality only. To illustrate that
this debate goes beyond the classic lines
00:12:26.639 --> 00:12:32.689
of left/right politics we like to display
some quotes on the topic by various
00:12:32.689 --> 00:12:39.769
ministers, candidates, elected
representatives and prominent political
00:12:39.769 --> 00:12:47.009
speakers. For example, Éric Ciotti, he is
a member of parliament from the right-
00:12:47.009 --> 00:12:56.740
wing. He wants to fine Apple 1.5 million
euro, if they refuse to give encryption
00:12:56.740 --> 00:13:02.170
keys, among other outrageous things he
said, this is one taking hold.
00:13:02.170 --> 00:13:07.529
Okhin: François Molins, Paris Prosecutor,
wrote about that in the New York Times
00:13:07.529 --> 00:13:11.990
against cryptography. The title is quite
explicit it states: "When Phone Encryption
00:13:11.990 --> 00:13:20.089
Blocks Justice". And he talks about the
importance of privacy rights of the
00:13:20.089 --> 00:13:24.220
individual in the same paragraph of the
"marginal benefits of full disk
00:13:24.220 --> 00:13:29.129
encryption". He signed this bullshit with
his colleague Cyrus Vance Jr, District
00:13:29.129 --> 00:13:32.879
Attorney of Manhattan, Adrian Leppard,
commissioner of London City Police and
00:13:32.879 --> 00:13:37.760
Javier Zaragoza, chief prosecutor of the
national court of Spain. I let you read
00:13:37.760 --> 00:13:46.279
the full quote in all its splendor.
Agnes: So we have also Guillaume Poupard
00:13:46.279 --> 00:13:53.420
from the ANSSI we talked about before. He
said just before the Bataclan attack in
00:13:53.420 --> 00:13:59.970
2015 that backdoors and key sequestrations
is a bad idea and that he instead proposes
00:13:59.970 --> 00:14:06.939
to work on "points of cleartext". Whatever
it means it probably stands for transport
00:14:06.939 --> 00:14:10.410
security and against confidentiality of
communications.
00:14:10.410 --> 00:14:15.259
Okhin: Emmanuel Valls, then Prime
Minister, used the term "legal
00:14:15.259 --> 00:14:18.799
cryptography" in interviews where the
official discourse for the last 20 years
00:14:18.799 --> 00:14:27.720
was that all cryptography was legal.
Agnes: Here the digital national council,
00:14:27.720 --> 00:14:34.790
then chaired by Mounir Mahjoubi, who is
now Secretary of State for digital issues,
00:14:34.790 --> 00:14:39.929
did oppose the ideas of backdoors and did
advocate for the use and development of
00:14:39.929 --> 00:14:44.160
end-to-end encryption just before the
presidential electoral race - you'll see
00:14:44.160 --> 00:14:47.879
later why it's important.
Okhin: Bernard Debré, another elected
00:14:47.879 --> 00:14:54.220
representative from the right wing he
actually ordered drugs online, cocaine for
00:14:54.220 --> 00:15:00.519
80 euros a gram on onion-services to prove
how dangerous it is. He also said you can
00:15:00.519 --> 00:15:05.269
buy body parts and guns there and that
it's easier than ordering shoes online. He
00:15:05.269 --> 00:15:09.699
also bought a lot of drugs from a non-
identified website in Netherlands, so
00:15:09.699 --> 00:15:18.379
surely the encryption is at fault here.
Agnes: So Jean-Jacques Urvoas who was
00:15:18.379 --> 00:15:25.399
Minister of Justice said he wants to
access computers, Skype communications and
00:15:25.399 --> 00:15:34.790
so on and to put all suspects and their
entourage under permanent recording.
00:15:34.790 --> 00:15:40.809
Between the first and second turn of the
last presidential elections he broke the
00:15:40.809 --> 00:15:46.579
professional secret and sent to Thierry
Solère who is a member of parliament from
00:15:46.579 --> 00:15:53.480
the right wing the information that he was
investigated upon. He sent a message by
00:15:53.480 --> 00:15:59.679
Telegram and the note was saved on Thierry
Solère's phone and found during a police
00:15:59.679 --> 00:16:06.799
search at his house later on.
Okhin: In August 2016 there was a joint
00:16:06.799 --> 00:16:11.209
declaration of Thomas de Maizière and
Bernard Cazeneuve, interior ministers of
00:16:11.209 --> 00:16:16.519
Germany and France respectively about
European internal security and they stated
00:16:16.519 --> 00:16:20.579
that: "At the European level, it will
require to force the non cooperatives
00:16:20.579 --> 00:16:24.829
operators to remove illegal content or to
decrypt messages during investigation."
00:16:24.829 --> 00:16:32.360
Agnes: However, so it was a joint
communication but French written version
00:16:32.360 --> 00:16:38.649
of the joint declaration was different
than Germans. Only France kept the part
00:16:38.649 --> 00:16:43.809
about how it would be so great to have
back doors or golden keys. So either
00:16:43.809 --> 00:16:50.040
Germany did not want to publicly advocate
for backdoors or they had a different
00:16:50.040 --> 00:16:56.480
strategy, but unfortunately very recently
the same de Maizière announced that he
00:16:56.480 --> 00:17:01.480
wanted to force tech and car companies to
provide the security services with hidden
00:17:01.480 --> 00:17:07.220
digital access to all devices and
machines. He probably did not know that if
00:17:07.220 --> 00:17:11.159
you lowered the security of cars you
dramatically increase the risk of accident
00:17:11.159 --> 00:17:15.470
among others.
Okhin: All this was before Macron was
00:17:15.470 --> 00:17:22.579
elected last spring. It's like an actual
photo. It's not a Photoshop. During his
00:17:22.579 --> 00:17:27.630
presidential campaign Emmanuel Macron said
that we should put an end to cryptography
00:17:27.630 --> 00:17:31.610
by forcing the biggest companies to
provide encryption keys or to give access
00:17:31.610 --> 00:17:38.269
to the complete content stating that "one
day they'll have to be responsible of
00:17:38.269 --> 00:17:45.600
terror attacks complicity".
Agnes: So Mounir Mahjoubi again. He was
00:17:45.600 --> 00:17:54.130
then counseling the candidate and he is
now internet minister. He has been forced
00:17:54.130 --> 00:17:59.210
to backpedal and to explain that messing
with end-to-end cryptography was out of
00:17:59.210 --> 00:18:03.630
question and that they'd rather force
companies to cooperate faster with police
00:18:03.630 --> 00:18:09.639
forces. He specifically emphasized the
importance of cryptography by companies to
00:18:09.639 --> 00:18:16.890
protect trade and industrial secrets and
since then Mounir Mahjoubi has become
00:18:16.890 --> 00:18:24.680
totally silent on this topic. So it seems
that encryption for confidentiality is a
00:18:24.680 --> 00:18:30.000
real problem for them. Would you be
surprised to know that to communicate with
00:18:30.000 --> 00:18:34.590
his political party and representatives
Emmanuel Macron, now president, uses
00:18:34.590 --> 00:18:41.090
Telegram? An application regularly
described by a lot of representatives as
00:18:41.090 --> 00:18:48.460
an enabling terrorism tool and which
should be banned. Their words, not ours.
00:18:48.460 --> 00:18:52.670
Animal Farm is back: We are all equal with
the use of cryptography, but some are more
00:18:52.670 --> 00:18:58.630
equal than the others. Coupled with this
focus on protecting companies' secrets
00:18:58.630 --> 00:19:03.220
this confirms that the Start Up Nation
doesn't care about protecting citizens but
00:19:03.220 --> 00:19:08.610
only about business and powerful friends.
This becomes blatantly obvious when you
00:19:08.610 --> 00:19:12.120
look at Macron's social and economy's
policies.
00:19:12.120 --> 00:19:16.610
Okhin: Last but not least, successive
French government put pressure to add in
00:19:16.610 --> 00:19:21.289
the law possibility for cops to ask you
for all of your online handles, including
00:19:21.289 --> 00:19:25.960
that all Yahoo mailboxes, ICQ numbers,
your Twitter or Facebook account, all the
00:19:25.960 --> 00:19:30.620
weird nicknames you use on IRC and stuff
like that. That's why mine is currently a
00:19:30.620 --> 00:19:34.970
fork-bomb embedded into a shellshock, but
I think we can get more creative and find
00:19:34.970 --> 00:19:39.179
a way to be more destructive for a system
when cops would have to enter it into
00:19:39.179 --> 00:19:46.440
their systems. Two attempts have been made
already and rejected at some point. This
00:19:46.440 --> 00:19:50.590
kind of registration already exist in the
UK in the US and we hope the government
00:19:50.590 --> 00:19:54.480
won't succeed in France to put this kind
of limitation in law.
00:19:54.480 --> 00:20:00.740
Agnes: So, as demonstrated France is one
of the very active power against
00:20:00.740 --> 00:20:05.190
cryptography within the EU. Even if some
of other member states did express some
00:20:05.190 --> 00:20:13.120
concerns namely Poland, Croatia, Hungary,
Italy, Latvia, and other countries, those
00:20:13.120 --> 00:20:18.210
concerns have been prompted by other
member states and probably France. Each
00:20:18.210 --> 00:20:23.679
new bill is a risk to reduce the use of
cryptography especially with the criminal,
00:20:23.679 --> 00:20:30.580
digital or judiciary laws that are coming
soon. For instance France is pushing hard
00:20:30.580 --> 00:20:37.550
for avoiding any obligation on end-to-end
encryption in the ePrivacy regulation.
00:20:37.550 --> 00:20:45.220
They explicitly ask to gain access to any
communication or metadata, which is what
00:20:45.220 --> 00:20:51.460
is written here in French. Sorry, we
didn't translate it. The government also
00:20:51.460 --> 00:20:57.539
pushes to obtain EU legislation on
encryption which would limit end to end
00:20:57.539 --> 00:21:04.500
encryption, of course. The government
intends then to use this EU legislation
00:21:04.500 --> 00:21:11.919
for justifying its position while it did
create this proposal at the first place.
00:21:11.919 --> 00:21:20.519
In the next month the discussions
eEvidence will start at the EU level. They
00:21:20.519 --> 00:21:26.570
will probably be a lot of talks about
cryptography in the next "counter-
00:21:26.570 --> 00:21:32.230
terrorist package" expected in 2018.
Counterterrorism is always a good way for
00:21:32.230 --> 00:21:37.580
the governments to make some provisions to
enhance security and to lower the rights
00:21:37.580 --> 00:21:43.220
and freedoms. They threaten the Parliament
to be responsible of the next attacks and
00:21:43.220 --> 00:21:48.409
the members of parliament thus vote
anything just because they don't want to
00:21:48.409 --> 00:21:54.200
be responsible.
Okhin: So as technician, what can we do?
00:21:54.200 --> 00:21:58.590
From a technical perspective we think we
should operate communication
00:21:58.590 --> 00:22:03.600
infrastructure and systems in an illegal
and clandestine way. It is important to
00:22:03.600 --> 00:22:07.139
build undetectable and encrypted
communication systems that break the link
00:22:07.139 --> 00:22:11.440
between your online communications and
yourself. Making those tools available to
00:22:11.440 --> 00:22:15.899
the general public and mass adopted by
them is a critical and non trivial issue
00:22:15.899 --> 00:22:19.980
to address. Especially as French legal
registration system might block access to
00:22:19.980 --> 00:22:25.210
high-quality privacy preserving encryption
tools. For instance, Apple requires you to
00:22:25.210 --> 00:22:29.380
fill the ANSSI form and obtain a
certificate from them to put your software
00:22:29.380 --> 00:22:34.639
on the Apple App Store already.
Moreover it is paramount to think wider,
00:22:34.639 --> 00:22:38.870
because if your encrypted communication
relies on centralized infrastructure at a
00:22:38.870 --> 00:22:44.809
highly identifying piece of information
such as for instance a phone number, then
00:22:44.809 --> 00:22:49.630
a passive listener such as an IMSI catcher
can get your phone number from a protest
00:22:49.630 --> 00:22:54.669
you were at for instance and then guess
what your account is and then, they got
00:22:54.669 --> 00:22:59.240
your phone number, so they can ask to
deploy key loggers and spyware on your
00:22:59.240 --> 00:23:08.750
phones. And this defeating all the
security based on your phone number. At a
00:23:08.750 --> 00:23:11.730
time where more and more governments want
to hinder encryption and secret of
00:23:11.730 --> 00:23:15.799
communications, it is critical to have
access to communication systems that are
00:23:15.799 --> 00:23:19.250
free, pseudonymous, decentralised and
distributed to the widest audience
00:23:19.250 --> 00:23:24.200
possible, meaning user-friendly, yes, and
to think about way to push those tools
00:23:24.200 --> 00:23:30.850
everywhere. It is also important to lead
political battles. We need all available
00:23:30.850 --> 00:23:34.809
help to slow down this attack at the
national and European levels. We need to
00:23:34.809 --> 00:23:39.509
get out of the security discourses and to
break the link between encryption and
00:23:39.509 --> 00:23:44.779
security for the state and to control the
argument that only people committing
00:23:44.779 --> 00:23:49.100
crimes and felonies do use cryptography.
We need a positive discourse about
00:23:49.100 --> 00:23:53.250
cryptography: how it helps people with
their daily lives, how it
00:23:53.250 --> 00:23:57.059
improves social structures, how it protects
the identity of queers, how it helps
00:23:57.059 --> 00:24:01.200
abused women to seek help and to escape
their home, how it enables a positive
00:24:01.200 --> 00:24:05.659
change in the society, as main change
often comes from activities not approved
00:24:05.659 --> 00:24:11.410
by the society. If you want more concrete
steps and ways to help we're currently
00:24:11.410 --> 00:24:15.750
running a support campaign so you can help
us there at support.laquadrature.net.
00:24:15.750 --> 00:24:21.570
After the Q&A, because we have some time
left, you can come drink some tea at the
00:24:21.570 --> 00:24:28.490
teahouse in the CCL building and have some
tea and chat with us. Thank you all for
00:24:28.490 --> 00:24:34.270
listening and if you have any question I
think we have some time.
00:24:34.270 --> 00:24:40.799
applause
Herald Angel: Alright we have 5 minutes
00:24:40.799 --> 00:24:50.299
for questions. Are there people out there,
maybe on the internet? No, are there some
00:24:50.299 --> 00:24:55.830
people here who have questions for this
lovely organization? Well I have a
00:24:55.830 --> 00:25:01.669
question actually: So you gave us some
advice regarding using avatars, alter
00:25:01.669 --> 00:25:08.780
egos. You know what, I'm teaching as well
and my colleagues teachers even in that
00:25:08.780 --> 00:25:13.090
kind of digital age that we live in are
always wondering why I am using several
00:25:13.090 --> 00:25:20.880
avatars, several devices. It seems like
it's not accepted actually because they're
00:25:20.880 --> 00:25:27.039
looking at you like "Are you a criminal or
what? What did you do wrong?" Don't you
00:25:27.039 --> 00:25:29.149
get that kind of questions as well from
your audience?
00:25:29.149 --> 00:25:34.879
Okhin: Yes, we got that a lot. The thing
is, a lot of people commit crimes using
00:25:34.879 --> 00:25:39.559
their real name and IDs and stuff like
that. Most of the people are asking people
00:25:39.559 --> 00:25:42.610
online, for instance, to not use a
pseudonymous account or something like
00:25:42.610 --> 00:25:47.429
that, they want to be known as our same
people and stuff like that. So it's like
00:25:47.429 --> 00:25:50.540
we need to get out of this kind of
discourse and say: "I can do whatever I
00:25:50.540 --> 00:25:55.210
want with my online identities. It's not
your business. And if I'm doing something
00:25:55.210 --> 00:25:59.550
wrong, you have to prove it, like with due
process of law and stuff like that."
00:25:59.550 --> 00:26:04.690
Herald: Ok, I see there's a question
raised in here. Microphone number two.
00:26:04.690 --> 00:26:10.110
Mic2: What counts in practice as import
and export of cryptography? I mean, if I'm
00:26:10.110 --> 00:26:16.409
in France and I download OpenSSL, do I
have to fill out the ANSSI form?
00:26:16.409 --> 00:26:25.850
Okhin: Not for OpenSSL, because it's not
protocol that have a goal to provide
00:26:25.850 --> 00:26:28.970
confidentiality of communication which is
end-to-end encryption.
00:26:28.970 --> 00:26:34.760
Mic2: So GPG?
Okhin: Yeah, GPG is supposed to have an
00:26:34.760 --> 00:26:37.399
important certificate and I think they
have it.
00:26:37.399 --> 00:26:39.889
Mic2: For individuals or for
organizations?
00:26:39.889 --> 00:26:44.059
Okhin: For the organization which provides
you the access to the tool. Like Google is
00:26:44.059 --> 00:26:51.299
supposed to provide that, Apple,
Microsoft, Debian. Debian I think filled
00:26:51.299 --> 00:27:00.370
the paperwork. Each Linux distribution
should do it.
00:27:00.370 --> 00:27:03.639
Herald: Question here, microphone number
one?
00:27:03.639 --> 00:27:07.649
Mic1: Okay, thanks so much for the talk.
I'd really love to hear a little bit more
00:27:07.649 --> 00:27:13.960
about the very crunchy in-depth bits about
encryption policy in France. Now might not
00:27:13.960 --> 00:27:20.870
be the right time, but building off of the
last question: What kinds of laws or
00:27:20.870 --> 00:27:25.340
policy are around taking encryption
technology outside of France, like across
00:27:25.340 --> 00:27:30.120
a border?
Agnes: Well for exporting to closed
00:27:30.120 --> 00:27:36.970
encryption technology there is the
Wassenaar Arrangement signed by several
00:27:36.970 --> 00:27:55.889
countries, so I don't know by heart
everything in there, but for example a
00:27:55.889 --> 00:28:07.710
system that can use for war and for other
use. Then you have it's forbidden or you
00:28:07.710 --> 00:28:12.440
have to declare that you're exporting such
tools etc. So for exporting you have this
00:28:12.440 --> 00:28:23.850
Wassenaar agreement and I think there is
nothing else if it's not a double use
00:28:23.850 --> 00:28:25.710
system.
Mic2: Thank you!
00:28:25.710 --> 00:28:29.740
Herald: Okay, one last question, please
there, mister three.
00:28:29.740 --> 00:28:35.009
Mic3: It seems to me that all of these
laws are mostly falling under national
00:28:35.009 --> 00:28:39.881
security. Are there any laws way to
challenge any of this in the European
00:28:39.881 --> 00:28:44.059
level? So on the European level there's
wonderful direct data protection
00:28:44.059 --> 00:28:47.789
directives and all the stuff. But my
understanding is that all of these
00:28:47.789 --> 00:28:53.820
directives any state can kind of opt out
of them for national security reasons. So
00:28:53.820 --> 00:28:59.090
is there anything that can be done on any
level without invoking a national security
00:28:59.090 --> 00:29:04.620
exception?
Agnes: Yeah well all data protection
00:29:04.620 --> 00:29:11.100
regulation policies at the EU level and
especially the GDPR, general data
00:29:11.100 --> 00:29:19.450
protection regulation, has a specific
provision that enable member states to
00:29:19.450 --> 00:29:28.420
say: okay, it doesn't apply because it's a
national security issue. What I said, what
00:29:28.420 --> 00:29:35.120
I showed here, is that in the ePrivacy
regulation, which is currently under
00:29:35.120 --> 00:29:45.389
negotiation at the EU level, the EU
Parliament has already adopted a position
00:29:45.389 --> 00:29:51.719
which promotes encryption as soon as it's
possible to have end-to-end encryption.
00:29:51.719 --> 00:29:57.269
And that's why the French government is
trying to push it away, there will be
00:29:57.269 --> 00:30:03.270
negotiation between the Council, the
European Parliament and the European
00:30:03.270 --> 00:30:07.009
Commission. The Council represents all
member states, so there will be a
00:30:07.009 --> 00:30:13.049
negotiation with all the institutions,
beginning this summer probably. Or just
00:30:13.049 --> 00:30:20.269
after the summer, but maybe a little bit
before. And then the French government is
00:30:20.269 --> 00:30:30.710
going to try to push it away. As we saw
in the document which we showed in
00:30:30.710 --> 00:30:38.659
French, the government is trying to get to
gain access to all communications and
00:30:38.659 --> 00:30:43.330
data. It's very clear in the French
communication we showed.
00:30:43.330 --> 00:30:48.310
Herald: May I make a suggestion?
They have a fantastic tea house.
00:30:48.310 --> 00:30:52.210
You have to continue this discussion
later on there with a cup of tea,
00:30:52.210 --> 00:30:56.849
and some massage maybe. I have
one last call for you both, you know,
00:30:56.849 --> 00:30:59.999
and the audience: « Indignez-vous ! »
[i.e. “Time for Outrage!”]
00:30:59.999 --> 00:31:04.979
Ca, c'est! That's why we wanna hear you! (?)
Indignez-vous !
00:31:04.979 --> 00:31:09.689
applause
00:31:09.689 --> 00:31:23.199
postroll music
00:31:23.199 --> 00:31:30.781
Subtitles created by c3subtitles.de
in the year 2018