WEBVTT 00:00:00.000 --> 00:00:17.135 34C3 preroll music 00:00:17.135 --> 00:00:24.430 Herald Angel: Good. I have the pleasure and the honor of introducing to you two 00:00:24.430 --> 00:00:34.699 persons here who are really working at 'La Quadrature du Net'. So, that's really 00:00:34.699 --> 00:00:39.050 something in French! It's an organization NGO, it's actually working 00:00:39.050 --> 00:00:45.979 really on the rights, on freedom of citizens on the internet. I understood 00:00:45.979 --> 00:00:52.030 that Agnes is there responsible for the coordination mainly about legal issues and 00:00:52.030 --> 00:00:58.500 that Okhin - I'll pronounce this well - is more responsible at the technical side. 00:00:58.500 --> 00:01:04.518 He runs as well, I think, a bunch of volunteers, or helping you around. 00:01:04.518 --> 00:01:08.370 Please give them a welcome applause. Let the show start! 00:01:08.370 --> 00:01:16.870 applause 00:01:16.870 --> 00:01:20.479 Agnes: Hello, here is Okhin, but he has 00:01:20.479 --> 00:01:25.969 already been introduced, the third person from 'La Quadrature du Net', and I am 00:01:25.969 --> 00:01:32.460 Agnes and I work on legal and political issues at 'La Quadrature' as well. So 00:01:32.460 --> 00:01:38.270 La Quadrature is an organization that fights for fundamental rights and freedoms 00:01:38.270 --> 00:01:44.090 in the digital area. We are here today to talk about the danger lying above your 00:01:44.090 --> 00:01:50.200 jobs, especially if you're building or maintaining cryptographic tools. We're 00:01:50.200 --> 00:01:55.579 here because we think it's important to demonstrate that the worst authoritarian 00:01:55.579 --> 00:02:05.560 laws don't only come from far right governments such as Hungary or Poland, 00:02:05.560 --> 00:02:09.759 but mostly from the "social democracy compatible with market economy", to quote 00:02:09.759 --> 00:02:19.470 Angela Merkel. 
Along with Germany and the United Kingdom (but with Brexit, exit the 00:02:19.470 --> 00:02:26.450 UK), France is one of the biggest forces within the EU. And if France can rally at 00:02:26.450 --> 00:02:31.100 least one of the two others on board it can obtain what it wants from its European 00:02:31.100 --> 00:02:40.200 partners. It works both ways, of course! But it's important because the problem 00:02:40.200 --> 00:02:44.120 with that: France is not only exporting its knowledge and practice of law 00:02:44.120 --> 00:02:51.300 enforcement and anti-riot gear to various governments such as Tunisia or others. 00:02:51.300 --> 00:02:59.570 France is now also shining for its anti-privacy lobbying as you will see later. 00:02:59.570 --> 00:03:12.460 sound issues on Okhin's microphone 00:03:12.460 --> 00:03:15.460 Okhin: What is interesting here is to think about what we can do as technicians, 00:03:15.460 --> 00:03:20.760 developers, sysadmins, sysops, or legal persons 00:03:20.760 --> 00:03:26.500 specialised in technology issues. Because the threats come from legal, 00:03:26.500 --> 00:03:32.280 political and technical area and endanger not only us but also sex workers, abused 00:03:32.280 --> 00:03:36.570 women and abused people, who need to flee their home etc. 00:03:36.570 --> 00:03:39.570 We have to think about our role and to find ways to act, to fight 00:03:39.570 --> 00:03:44.440 against the threats against encryption. 00:03:44.440 --> 00:03:50.960 We're going to start with a quick but sadly non-exhaustive history of laws 00:03:50.960 --> 00:03:54.841 trying to weaken or circumvent cryptography in France one way or another. 00:03:54.841 --> 00:04:01.520 We are including here everything that talks about spyware and keyloggers, 00:04:01.520 --> 00:04:06.260 because they're a direct threat against a lot of cryptographic tools. 
00:04:06.260 --> 00:04:14.310 Agnes: Okay, so let's be clear here, we are only to talk about very specific 00:04:14.310 --> 00:04:20.149 aspects of the digital related law. Access to the Internet, filtering, censorship can 00:04:20.149 --> 00:04:25.180 probably be discussed in other talks with the same quantity of laws hindering those 00:04:25.180 --> 00:04:33.250 rights. But we will focus here on cryptography only. Before 1998 use of 00:04:33.250 --> 00:04:37.720 cryptographic tools for the public was essentially forbidden. The key length was 00:04:37.720 --> 00:04:46.560 limited to 128 bits for asymmetric cryptography. There were authentication 00:04:46.560 --> 00:04:56.181 of communication or for ensuring integrity of the message a prior declaration 00:04:56.181 --> 00:04:59.280 was necessary. For all other uses, especially 00:04:59.280 --> 00:05:02.280 for confidentiality, ex ante authorization from Prime Minister was required as well. 00:05:02.280 --> 00:05:10.660 Okhin: After lengthy negotiations with 00:05:10.660 --> 00:05:15.530 intelligence services cryptography has been freed in 1998. But it still 00:05:15.530 --> 00:05:19.620 required that the system used respects one of those three following limitations. 00:05:19.620 --> 00:05:23.350 The cryptography system cannot be used for confidentiality purposes without 00:05:23.350 --> 00:05:27.120 authorisation. Or the cryptography system is operated by a third party owning a 00:05:27.120 --> 00:05:32.110 master key which the police may have access to. Or the user does not need a 00:05:32.110 --> 00:05:36.271 strong confidentiality and can use a standard encryption solution with a key 00:05:36.271 --> 00:05:37.271 lower than 40 bits. 
00:05:37.271 --> 00:05:38.271 bad sound, subtitles now from author's transcript 00:05:38.271 --> 00:05:39.271 Furthermore: people providing encryption tools for confidentiality purposes were 00:05:39.271 --> 00:05:40.271 required to give the code, decryption devices or conventions when law required 00:05:40.271 --> 00:05:41.271 by them. In 2001 the use of cryptography is freed, but still requires that the 00:05:41.271 --> 00:05:42.271 system used has been first registered at the Interior Ministry's office. Now it's 00:05:42.271 --> 00:05:43.271 one of the ANSSI mission, the French National Cybersecurity Agency ANSSI that 00:05:43.271 --> 00:05:44.271 reports to the Prime Minister. France's doctrine toward cryptography has always 00:05:44.271 --> 00:06:56.100 been dictated by intelligence services and the army. They want to collect as much 00:06:56.100 --> 00:07:53.350 data as possible, multiple times, and to have the capability to decrypt every 00:07:53.350 --> 00:07:54.350 conversation at any given time. This is at this condition that they consented to give 00:07:54.350 --> 00:07:55.350 free access to cryptography for the general public. That's why, French law 00:07:55.350 --> 00:07:56.350 oblige to declare to the ANSSI the supply or importation of a cryptology tool. 00:07:56.350 --> 00:07:57.350 This procedure is an obstacle for the deployment of such services in France, 00:07:57.350 --> 00:07:58.350 mostly because you have to face an administrative system which refuses to 00:07:58.350 --> 00:07:59.350 speak non-French. The delay for the transportation (?) is at least one month. 00:07:59.350 --> 00:08:00.350 For a long time, all administrative documents were in French only, ANSSI 00:08:00.350 --> 00:08:01.699 now provides the translation as a courtesy, but you're still supposed 00:08:01.699 --> 00:08:04.230 to fill the forms in French. 
You're supposed to provide your source code, but 00:08:04.230 --> 00:08:05.230 since you all develop open software, this is fine, isn't it? And of course, you have 00:08:05.230 --> 00:08:06.230 to send it by regular snail mail, there's no electronic version of it, in triplicate, 00:08:06.230 --> 00:08:07.230 which is much more expensive, especially if you're not in France. Let's say that 00:08:07.230 --> 00:08:08.230 administrative documents are sometimes very complicated for French-speaking 00:08:08.230 --> 00:08:09.230 people, who are supposed to be used to them. 00:08:09.230 --> 00:08:10.230 Agnes: So.. Okhin: How enabling foreign people - not 00:08:10.230 --> 00:08:11.230 French speaking ones - to understand them and to correctly fill them? 00:08:11.230 --> 00:08:12.230 proper sound back again Agnes: Since then cryptography legislation 00:08:12.230 --> 00:08:14.180 has not really evolved. However, one national security or counter terrorism law 00:08:14.180 --> 00:08:20.990 after another - we had something like 30 of them in the last 15 years - the 00:08:20.990 --> 00:08:27.320 judiciary and repressive arsenal did grow. For example, police were authorized to 00:08:27.320 --> 00:08:40.188 install keyloggers in the LOPPSI 2 law in 2011. Then police were authorized to force 00:08:40.188 --> 00:08:50.990 any person or entity they think able to decrypt or to analyze every kind of 00:08:50.990 --> 00:08:58.300 encrypted content they get their hands on in the counter-terrorism law of 2014, and 00:08:58.300 --> 00:09:07.480 the army and intelligence agency of course can help to do those crypto analysis 00:09:07.480 --> 00:09:33.749 if needed. bad sound, again from author transcript now 00:09:33.749 --> 00:10:05.160 Okhin: And now the so-called "Black boxes" entered the game in the Surveillance Law 00:10:05.160 --> 00:10:07.649 of 2015. Those are algorithms collecting and analysing metadata in order to catch 00:10:07.649 --> 00:10:10.500 terrorists. 
We know they are made by Palantir and we had the confirmation on 00:10:10.500 --> 00:10:12.310 November of their deployment. The fun fact: the internal intelligence 00:10:12.310 --> 00:10:14.019 service signed the agreement with Palantir but the military intelligence and foreign 00:10:14.019 --> 00:10:16.649 intelligence services are quite concerned about it, because they would rather maintain a 00:10:16.649 --> 00:10:17.779 strategic autonomy. 00:10:17.779 --> 00:10:18.909 In the same law, the use of IMSI Catchers is granted to cops 00:10:18.909 --> 00:10:20.040 and they can install spyware on your terminal without prior validation of a 00:10:20.040 --> 00:10:21.290 judge. IMSI Catchers and spyware may be used to gather any information that may 00:10:21.290 --> 00:10:23.970 help protect vague interests, such as the "industrial and economic well being" of 00:10:23.970 --> 00:10:29.670 France or the prevention of undeclared protests. recording audio back to quality 00:10:29.670 --> 00:10:33.089 Thanks to the state of emergency since 2015 and now made permanent in last 00:10:33.089 --> 00:10:35.029 October, search warrants may now be delivered on mere rumour and suspicions, 00:10:35.029 --> 00:10:36.029 after the fact, without any investigations. They allow for collection of any data found 00:10:36.029 --> 00:10:37.029 on site. And data is kept during three months, but if they are encrypted the judge 00:10:37.029 --> 00:10:39.089 can decide to retain them indefinitely until they decrypt them. 00:10:39.089 --> 00:10:41.149 And without any investigative power. 
00:10:41.149 --> 00:10:43.209 Agnes: So to conclude this depressive state of affairs 00:10:43.209 --> 00:10:47.850 we need to add that cryptography is an aggravating circumstance 00:10:47.850 --> 00:10:56.749 in a long list of crimes and felonies linked 00:10:56.749 --> 00:11:02.309 primarily to organized crime and terrorism, but also conveniently to aiding refugees 00:11:02.309 --> 00:11:04.089 for example. 
So encrypting things makes you even more suspect and more guilty. 00:11:04.089 --> 00:11:07.089 Okhin: Oh and we almost forgot - if ever you're operating a cryptographic system 00:11:07.089 --> 00:11:10.820 for third parties you have an obligation to provide either decryption key or plain 00:11:10.820 --> 00:11:14.910 text to cops if they ask for it and you have 72 hours to comply 00:11:14.910 --> 00:11:20.389 - which means a lot of pressure on you. It probably can 00:11:20.389 --> 00:11:24.429 apply to yourself if you're being investigated upon, but it might clash with 00:11:24.429 --> 00:11:27.420 the right to remain silent and to not self-incriminate we do not have a lot of 00:11:27.420 --> 00:11:35.639 choice here. But we recently had cases where cops.., where the law has been used 00:11:35.639 --> 00:11:40.019 one of them was to coerce a teenager to provide decryption key for an encrypted 00:11:40.019 --> 00:11:44.399 chat with OTR he was operating and which had been used by people who were making 00:11:44.399 --> 00:11:55.089 fake bomb alert in schools. And for one we know about, how many of them have gone 00:11:55.089 --> 00:11:59.730 unnoticed, people choosing to keep living their lives instead of risking jail time 00:11:59.730 --> 00:12:04.300 and huge fines? Agnes: So here it's important to note that 00:12:04.300 --> 00:12:09.639 there's difference being made between cryptography which enforces security 00:12:09.639 --> 00:12:15.550 communication and cryptography which enforces confidentiality. In this 00:12:15.550 --> 00:12:19.649 presentation we're addressing the issue of cryptography in the context of 00:12:19.649 --> 00:12:26.639 confidentiality only. 
To illustrate that this debate goes beyond the classic lines 00:12:26.639 --> 00:12:32.689 of left/right politics we like to display some quotes on the topic by various 00:12:32.689 --> 00:12:39.769 ministers, candidates, elected representatives and prominent political 00:12:39.769 --> 00:12:47.009 speakers. For example, Éric Ciotti, he is a member of parliament from the right- 00:12:47.009 --> 00:12:56.740 wing. He wants to fine Apple 1.5 million euro, if they refuse to give encryption 00:12:56.740 --> 00:13:02.170 keys, among other outrageous things he said, this is one taking hold. 00:13:02.170 --> 00:13:07.529 Okhin: François Molins, Paris Prosecutor, wrote about that in the New York Times 00:13:07.529 --> 00:13:11.990 against cryptography. The title is quite explicit it states: "When Phone Encryption 00:13:11.990 --> 00:13:20.089 Blocks Justice" And he talks about the importance of privacy rights of the 00:13:20.089 --> 00:13:24.220 individual in the same paragraph of the "marginal benefits of full disk 00:13:24.220 --> 00:13:29.129 encryption". He signed this bullshit with his colleague Cyrus Vance Jr, District 00:13:29.129 --> 00:13:32.879 Attorney of Manhattan, Adrian Leppard, commissioner of London City Police and 00:13:32.879 --> 00:13:37.760 Javier Zaragoza, chief prosecutor of the national court of Spain. I let you read 00:13:37.760 --> 00:13:46.279 the full quote in all its splendor. Agnes: So we have also Guillaume Poupard 00:13:46.279 --> 00:13:53.420 from the ANSSI we talked about before. He said just before the Bataclan attack in 00:13:53.420 --> 00:13:59.970 2015 that backdoors and key sequestrations is a bad idea and that he instead proposes 00:13:59.970 --> 00:14:06.939 to work on "points of cleartext". Whatever it means it probably stands for transport 00:14:06.939 --> 00:14:10.410 security and against confidentiality of communications. 
00:14:10.410 --> 00:14:15.259 Okhin: Emmanuel Valls, then Prime Minister, used the term "legal 00:14:15.259 --> 00:14:18.799 cryptography" in interviews where the official discourse for the last 20 years 00:14:18.799 --> 00:14:27.720 was that all cryptography was legal. Agnes: Here the digital national council, 00:14:27.720 --> 00:14:34.790 then chaired by Mounir Mahjoubi, who is now Secretary of State for digital issues, 00:14:34.790 --> 00:14:39.929 did oppose the ideas of backdoors and did advocate for the use and development of 00:14:39.929 --> 00:14:44.160 end-to-end encryption just before the presidential electoral race - you'll see 00:14:44.160 --> 00:14:47.879 later why it's important. Okhin: Bernard Debré, another elected 00:14:47.879 --> 00:14:54.220 representative from the right wing he actually ordered drugs online, cocaine for 00:14:54.220 --> 00:15:00.519 80 euros a gram on onion-services to prove how dangerous it is. He also said you can 00:15:00.519 --> 00:15:05.269 buy body parts and guns there and that it's easier than ordering shoes online. He 00:15:05.269 --> 00:15:09.699 also bought a lot of drugs from a non-identified website in Netherlands, so 00:15:09.699 --> 00:15:18.379 surely the encryption is at fault here. Agnes: So Jean-Jacques Urvoas who was 00:15:18.379 --> 00:15:25.399 Minister of Justice said he wants to access computers, Skype communications and 00:15:25.399 --> 00:15:34.790 so on and to put all suspects and their entourage under permanent recording. 00:15:34.790 --> 00:15:40.809 Between the first and second turn of the last presidential elections he broke the 00:15:40.809 --> 00:15:46.579 professional secret and sent to Thierry Solère who is a member of parliament from 00:15:46.579 --> 00:15:53.480 the right wing the information that he was investigated upon. 
He sent a message by 00:15:53.480 --> 00:15:59.679 Telegram and the note was saved on Thierry Solère's phone and found during a police 00:15:59.679 --> 00:16:06.799 search at his house later on. Okhin: In August 2016 there was a joint 00:16:06.799 --> 00:16:11.209 declaration of Thomas de Maizière and Bernard Cazeneuve, interior ministers of 00:16:11.209 --> 00:16:16.519 Germany and France respectively about European internal security and they stated 00:16:16.519 --> 00:16:20.579 that: "At the european level, it will require to force the non cooperatives 00:16:20.579 --> 00:16:24.829 operators to remove illegal content or to decrypt messages during investigation." 00:16:24.829 --> 00:16:32.360 Agnes: However, so it was a joint communication but French written version 00:16:32.360 --> 00:16:38.649 of the joint declaration was different than Germans. Only France kept the part 00:16:38.649 --> 00:16:43.809 about how it would be so great to have back doors or golden keys. So either 00:16:43.809 --> 00:16:50.040 Germany did not want to publicly advocate for backdoors or they had a different 00:16:50.040 --> 00:16:56.480 strategy, but unfortunately very recently the same de Maizière announced that he 00:16:56.480 --> 00:17:01.480 wanted to force tech and car companies to provide the security services with hidden 00:17:01.480 --> 00:17:07.220 digital access to all devices and machines. He probably did not know that if 00:17:07.220 --> 00:17:11.159 you lowered the security of cars you dramatically increase the risk of accident 00:17:11.159 --> 00:17:15.470 among others. Okhin: All this was before Macron was 00:17:15.470 --> 00:17:22.579 elected last spring. It's like an actual photo. It's not a Photoshop. 
During his 00:17:22.579 --> 00:17:27.630 presidential campaign Emmanuel Macron said that we should put an end to cryptography 00:17:27.630 --> 00:17:31.610 by forcing the biggest companies to provide encryption keys or to give access 00:17:31.610 --> 00:17:38.269 to the complete content stating that "one day they'll have to be responsible of 00:17:38.269 --> 00:17:45.600 terror attacks complicity". Agnes: So Mounir Mahjoubi again. He was 00:17:45.600 --> 00:17:54.130 then counselling the candidate and he is now internet minister. He has been forced 00:17:54.130 --> 00:17:59.210 to backpedal and to explain that messing with end-to-end cryptography was out of 00:17:59.210 --> 00:18:03.630 question and that they'd rather force companies to cooperate faster with police 00:18:03.630 --> 00:18:09.639 forces. He specifically emphasized the importance of cryptography by companies to 00:18:09.639 --> 00:18:16.890 protect trade and industrial secrets and since then Mounir Mahjoubi has become 00:18:16.890 --> 00:18:24.680 totally silent on this topic. So it seems that encryption for confidentiality is a 00:18:24.680 --> 00:18:30.000 real problem for them. Would you be surprised to know that to communicate with 00:18:30.000 --> 00:18:34.590 his political party and representatives Emmanuel Macron, now president, uses 00:18:34.590 --> 00:18:41.090 Telegram? An application regularly described by a lot of representatives as 00:18:41.090 --> 00:18:48.460 an enabling terrorism tool and which should be banned. Their words, not ours. 00:18:48.460 --> 00:18:52.670 Animal Farm is back: We are all equal with the use of cryptography, but some are more 00:18:52.670 --> 00:18:58.630 equal than the others. Coupled with this focus on protecting companies' secrets 00:18:58.630 --> 00:19:03.220 this confirms that the Start Up Nation doesn't care about protecting citizens but 00:19:03.220 --> 00:19:08.610 only about business and powerful friends. 
This becomes blatantly obvious when you 00:19:08.610 --> 00:19:12.120 look at Macron's social and economy's policies. 00:19:12.120 --> 00:19:16.610 Okhin: Last but not least, successive French government put pressure to add in 00:19:16.610 --> 00:19:21.289 the law possibility for cops to ask you for all of your online handles, including 00:19:21.289 --> 00:19:25.960 that all Yahoo mailboxes, ICQ numbers, your Twitter or Facebook account, all the 00:19:25.960 --> 00:19:30.620 weird nicknames you use on IRC and stuff like that. That's why mine is currently a 00:19:30.620 --> 00:19:34.970 fork-bomb embedded into a shellshock, but I think we can get more creative and find 00:19:34.970 --> 00:19:39.179 a way to be more destructive for a system when cops would have to enter it into 00:19:39.179 --> 00:19:46.440 their systems. Two attempts have been made already and rejected at some point. This 00:19:46.440 --> 00:19:50.590 kind of registration already exist in the UK in the US and we hope the government 00:19:50.590 --> 00:19:54.480 won't succeed in France to put this kind of limitation in law. 00:19:54.480 --> 00:20:00.740 Agnes: So, as demonstrated France is one of the very active power against 00:20:00.740 --> 00:20:05.190 cryptography within the EU. Even if some of other member states did express some 00:20:05.190 --> 00:20:13.120 concerns namely Poland, Croatia, Hungary, Italy, Latvia, and other countries, those 00:20:13.120 --> 00:20:18.210 concerns have been prompted by other member states and probably France. Each 00:20:18.210 --> 00:20:23.679 new bill is a risk to reduce the use of cryptography especially with the criminal, 00:20:23.679 --> 00:20:30.580 digital or judiciary laws that are coming soon. For instance France is pushing hard 00:20:30.580 --> 00:20:37.550 for avoiding any obligation on end-to-end encryption in the ePrivacy regulation. 
00:20:37.550 --> 00:20:45.220 They explicitly ask to gain access to any communication or metadata, which is what 00:20:45.220 --> 00:20:51.460 is written here in French. Sorry, we didn't translate it. The government also 00:20:51.460 --> 00:20:57.539 pushes to obtain EU legislation on encryption which would limit end to end 00:20:57.539 --> 00:21:04.500 encryption, of course. The government intends then to use this EU legislation 00:21:04.500 --> 00:21:11.919 for justifying its position while it did create this proposal at the first place. 00:21:11.919 --> 00:21:20.519 In the next month the discussions eEvidence will start at the EU level. They 00:21:20.519 --> 00:21:26.570 will probably be a lot of talks about cryptography in the next "counter- 00:21:26.570 --> 00:21:32.230 terrorist package" expected in 2018. Counterterrorism is always a good way for 00:21:32.230 --> 00:21:37.580 the governments to make some provisions to enhance security and to lower the rights 00:21:37.580 --> 00:21:43.220 and freedoms. They threaten the Parliament to be responsible of the next attacks and 00:21:43.220 --> 00:21:48.409 the members of parliament thus vote anything just because they don't want to 00:21:48.409 --> 00:21:54.200 be responsible. Okhin: So as technician, what can we do? 00:21:54.200 --> 00:21:58.590 From a technical perspective we think we should operate communication 00:21:58.590 --> 00:22:03.600 infrastructure and systems in an illegal and clandestine way. It is important to 00:22:03.600 --> 00:22:07.139 build undetectable and encrypted communication systems that break the link 00:22:07.139 --> 00:22:11.440 between your online communications and yourself. Making those tools available to 00:22:11.440 --> 00:22:15.899 the general public and mass adopted by them is a critical and non trivial issue 00:22:15.899 --> 00:22:19.980 to address. 
Especially as French legal registration system might block access to 00:22:19.980 --> 00:22:25.210 high-quality privacy preserving encryption tools. For instance, Apple requires you to 00:22:25.210 --> 00:22:29.380 fill the ANSSI form and obtain a certificate from them to put your software 00:22:29.380 --> 00:22:34.639 on the Apple App Store already. Moreover it is paramount to think wider, 00:22:34.639 --> 00:22:38.870 because if your encrypted communication relies on centralized infrastructure at a 00:22:38.870 --> 00:22:44.809 highly identifying piece of information such as for instance a phone number, then 00:22:44.809 --> 00:22:49.630 a passive listener such as an IMSI catcher can get your phone number from a protest 00:22:49.630 --> 00:22:54.669 you were at for instance and then guess what your account is and then, they got 00:22:54.669 --> 00:22:59.240 your phone number, so they can ask to deploy key loggers and spyware on your 00:22:59.240 --> 00:23:08.750 phones. And this defeating all the security based on your phone number. At a 00:23:08.750 --> 00:23:11.730 time where more and more governments want to hinder encryption and secret of 00:23:11.730 --> 00:23:15.799 communications, it is critical to have access to communication systems that are 00:23:15.799 --> 00:23:19.250 free, pseudonymous, decentralised and distributed to the widest audience 00:23:19.250 --> 00:23:24.200 possible, meaning user-friendly, yes, and to think about way to push those tools 00:23:24.200 --> 00:23:30.850 everywhere. It is also important to lead political battles. We need all available 00:23:30.850 --> 00:23:34.809 help to slow down this attack at the national and European levels. We need to 00:23:34.809 --> 00:23:39.509 get out of the security discourses and to break the link between encryption and 00:23:39.509 --> 00:23:44.779 security for the state and to control the argument that only people committing 00:23:44.779 --> 00:23:49.100 crimes and felonies do use cryptography. 
We need a positive discourse about 00:23:49.100 --> 00:23:53.250 cryptography: how it helps people with their daily lives, how it improves 00:23:53.250 --> 00:23:57.059 social structures, how it protects the identity of queers, how it helps 00:23:57.059 --> 00:24:01.200 abused women to seek help and to escape their home, how it enables a positive 00:24:01.200 --> 00:24:05.659 change in the society, as main change often comes from activities not approved 00:24:05.659 --> 00:24:11.410 by the society. If you want more concrete steps and ways to help we're currently 00:24:11.410 --> 00:24:15.750 running a support campaign so you can help us there at support.laquadrature.net. 00:24:15.750 --> 00:24:21.570 After the Q&A, because we have some time left, you can come drink some tea at the 00:24:21.570 --> 00:24:28.490 teahouse in the CCL building and have some tea and chat with us. Thank you all for 00:24:28.490 --> 00:24:34.270 listening and if you have any question I think we have some time. 00:24:34.270 --> 00:24:40.799 applause Herald Angel: Alright we have 5 minutes 00:24:40.799 --> 00:24:50.299 for questions. Are there people out there, maybe on the internet? No, are there some 00:24:50.299 --> 00:24:55.830 people here who have questions for this lovely organization? Well I have a 00:24:55.830 --> 00:25:01.669 question actually: So you gave us some advice regarding using avatars, alter 00:25:01.669 --> 00:25:08.780 egos. You know what, I'm teaching as well and my colleagues teachers even in that 00:25:08.780 --> 00:25:13.090 kind of digital age that we live in are always wondering why I am using several 00:25:13.090 --> 00:25:20.880 avatars, several devices. It seems like it's not accepted actually because they're 00:25:20.880 --> 00:25:27.039 looking at you like "Are you a criminal or what? What did you do wrong?" Don't you 00:25:27.039 --> 00:25:29.149 get that kind of questions as well from your audience? 
00:25:29.149 --> 00:25:34.879 Okhin: Yes, we got that a lot. The thing is, a lot of people commit crimes using 00:25:34.879 --> 00:25:39.559 their real name and IDs and stuff like that. Most of the people are asking people 00:25:39.559 --> 00:25:42.610 online, for instance, to not use a pseudonymous account or something like 00:25:42.610 --> 00:25:47.429 that, they want to be known as our same people and stuff like that. So it's like 00:25:47.429 --> 00:25:50.540 we need to get out of this kind of discourse and say: "I can do whatever I 00:25:50.540 --> 00:25:55.210 want with my online identities. It's not your business. And if I'm doing something 00:25:55.210 --> 00:25:59.550 wrong, you have to prove it, like with due process of law and stuff like that." 00:25:59.550 --> 00:26:04.690 Herald: Ok, I see there's a question raised in here. Microphone number two. 00:26:04.690 --> 00:26:10.110 Mic2: What counts in practice as import and export of cryptography? I mean, if I'm 00:26:10.110 --> 00:26:16.409 in France and I download OpenSSL, do I have to fill out the ANSSI form? 00:26:16.409 --> 00:26:25.850 Okhin: Not for OpenSSL, because it's not protocol that have a goal to provide 00:26:25.850 --> 00:26:28.970 confidentiality of communication which is end-to-end encryption. 00:26:28.970 --> 00:26:34.760 Mic2: So GPG? Okhin: Yeah, GPG is supposed to have an 00:26:34.760 --> 00:26:37.399 important certificate and I think they have it. 00:26:37.399 --> 00:26:39.889 Mic2: For individuals or for organizations? 00:26:39.889 --> 00:26:44.059 Okhin: For the organization which provides you the access to the tool. Like Google is 00:26:44.059 --> 00:26:51.299 supposed to provide that, Apple, Microsoft, Debian. Debian I think filled 00:26:51.299 --> 00:27:00.370 the paperwork. Each Linux distribution should do it. 00:27:00.370 --> 00:27:03.639 Herald: Question here, microphone number one? 00:27:03.639 --> 00:27:07.649 Mic1: Okay, thanks so much for the talk. 
I'd really love to hear a little bit more 00:27:07.649 --> 00:27:13.960 about the very crunchy in-depth bits about encryption policy in France. Now might not 00:27:13.960 --> 00:27:20.870 be the right time, but building off of the last question: What kinds of laws or 00:27:20.870 --> 00:27:25.340 policy are around taking encryption technology outside of France, like across 00:27:25.340 --> 00:27:30.120 a border? Agnes: Well for exporting to closed 00:27:30.120 --> 00:27:36.970 encryption technology there is the Wassenaar Arrangement signed by several 00:27:36.970 --> 00:27:55.889 countries, so I don't know by heart everything in there, but for example a 00:27:55.889 --> 00:28:07.710 system that can use for war and for other use. Then you have it's forbidden or you 00:28:07.710 --> 00:28:12.440 have to declare that you're exporting such tools etc. So for exporting you have this 00:28:12.440 --> 00:28:23.850 Wassenaar agreement and I think there is nothing else if it's not a double use 00:28:23.850 --> 00:28:25.710 system. Mic2: Thank you! 00:28:25.710 --> 00:28:29.740 Herald: Okay, one last question, please there, mister three. 00:28:29.740 --> 00:28:35.009 Mic3: It seems to me that all of these laws are mostly falling under national 00:28:35.009 --> 00:28:39.881 security. Are there any laws way to challenge any of this in the European 00:28:39.881 --> 00:28:44.059 level? So on the European level there's wonderful direct data protection 00:28:44.059 --> 00:28:47.789 directives and all the stuff. But my understanding is that all of these 00:28:47.789 --> 00:28:53.820 directives any state can kind of opt out of them for national security reasons. So 00:28:53.820 --> 00:28:59.090 is there anything that can be done on any level without invoking a national security 00:28:59.090 --> 00:29:04.620 exception? 
Agnes: Yeah well all data protection 00:29:04.620 --> 00:29:11.100 regulation policies at the EU level and especially the GDPR, general data 00:29:11.100 --> 00:29:19.450 protection regulation, has a specific provision that enable member states to 00:29:19.450 --> 00:29:28.420 say: okay, it doesn't apply because it's a national security issue. What I said, what 00:29:28.420 --> 00:29:35.120 I showed here, is that in the ePrivacy regulation, which is currently under 00:29:35.120 --> 00:29:45.389 negotiation at the EU level, the EU Parliament has already adopted a position 00:29:45.389 --> 00:29:51.719 which promotes encryption as soon as it's possible to have end-to-end encryption. 00:29:51.719 --> 00:29:57.269 And that's why the French government is trying to push it away, there will be 00:29:57.269 --> 00:30:03.270 negotiation between the Council, the European Parliament and the European 00:30:03.270 --> 00:30:07.009 Commission. The Council represents all member states, so there will be a 00:30:07.009 --> 00:30:13.049 negotiation with all the institutions, beginning this summer probably. Or just 00:30:13.049 --> 00:30:20.269 after the summer, but maybe a little bit before. And then the French government is 00:30:20.269 --> 00:30:30.710 going to try to push it away. As we saw in the document which we showed in 00:30:30.710 --> 00:30:38.659 French, the government is trying to get to gain access to all communications and 00:30:38.659 --> 00:30:43.330 data. It's very clear in the French communication we showed. 00:30:43.330 --> 00:30:48.310 Herald: May I make a suggestion? They have a fantastic tea house. 00:30:48.310 --> 00:30:52.210 You have to continue this discussion later on there with a cup of tea, 00:30:52.210 --> 00:30:56.849 and some massage maybe. I have one last call for you both, you know, 00:30:56.849 --> 00:30:59.999 and the audience: « Indignez-vous ! » [i.e. “Time for Outrage!”] 00:30:59.999 --> 00:31:04.979 That's it! That's why we wanna hear you! 
(?) Indignez-vous ! 00:31:04.979 --> 00:31:09.689 applause 00:31:09.689 --> 00:31:23.199 postroll music 00:31:23.199 --> 00:31:30.781 Subtitles created by c3subtitles.de in the year 2018