-
34C3 preroll music
-
Herald Angel: Good. I have the pleasure
and the honor of introducing to you two
-
persons here who are really working at
'La Quadrature du Net'. So, that's really
-
something in French! It's an
organization NGO, it's actually working
-
really on the rights, on freedom of
citizens on the internet. I understood
-
that Agnes is there responsible for the
coordination mainly about legal issues and
-
that Okhin - I'll pronounce this well - is
more responsible at the technical side.
-
He runs as well, I think, a bunch of
volunteers, or helping you around.
-
Please give them a welcome applause.
Let the show start!
-
applause
-
Agnes: Hello, here is Okhin, but he has
-
already been introduced, the third person
from 'La Quadrature du Net', and I am
-
Agnes and I work on legal and political
issues at 'La Quadrature' as well. So
-
La Quadrature is an organization that
fights for fundamental rights and freedoms
-
in the digital area. We are here today to
talk about the danger lying above your
-
jobs, especially if you're building or
maintaining cryptographic tools. We're
-
here because we think it's important to
demonstrate that the worst authoritarian
-
laws don't only come from far right
governments such as Hungary or Poland,
-
but mostly from the "social democracy
compatible with market economy", to quote
-
Angela Merkel. Along with Germany and the
United Kingdom (but with Brexit, exit the
-
UK), France is one of the biggest forces
within the EU. And if France can rally at
-
least one of the two others on board it
can obtain what it wants from its European
-
partners. It works both ways, of course!
But it's important because the problem
-
with that: France is not only exporting
its knowledge and practice of law
-
enforcement and anti-riot gear to various
governments such as Tunisia or others.
-
France is now also shining for its anti-
privacy lobbying as you will see later.
-
sound issues on Okhin's microphone
-
Okhin: What is interesting here is to
think about what we can do as technicians,
-
developers, sysadmins, sysops,
or legal persons
-
specialised in technology issues.
Because the threats come from legal,
-
political and technical area and endanger
not only us but also sex workers, abused
-
women and abused people, who
need to flee their home etc.
-
We have to think about our role
and to find ways to act, to fight
-
against the threats against encryption.
-
We're going to start with a quick but
sadly non-exhaustive history of laws
-
trying to weaken or circumvent
cryptography in France one way or another.
-
We are including here everything that
talks about spyware and keyloggers,
-
because they're a direct threat against
a lot of cryptographic tools.
-
Agnes: Okay, so let's be clear here, we
are only going to talk about very specific
-
aspects of the digital related law. Access
to the Internet, filtering, censorship can
-
probably be discussed in other talks with
the same quantity of laws hindering those
-
rights. But we will focus here on
cryptography only. Before 1998 use of
-
cryptographic tools for the public was
essentially forbidden. The key length was
-
limited to 128 bits for asymmetric
cryptography. For authentication
-
of communication or for ensuring integrity
of the message a prior declaration
-
was necessary. For all
other uses, especially
-
for confidentiality, ex ante authorization
from Prime Minister was required as well.
-
Okhin: After lengthy negotiations with
-
intelligence services cryptography has
been freed in 1998. But it still
-
required that the system used respects one
of those three following limitations.
-
The cryptography system cannot be used
for confidentiality purposes without
-
authorisation. Or the cryptography system
is operated by a third party owning a
-
master key which the police may have
access to. Or the user does not need a
-
strong confidentiality and can use a
standard encryption solution with a key
-
lower than 40 bits.
-
bad sound, subtitles now
from author's transcript
-
Furthermore: people providing encryption
tools for confidentiality purposes were
-
required to give the code, decryption
devices or conventions when law required
-
by them. In 2001 the use of cryptography
is freed, but still requires that the
-
system used has been first registered at
the Interior Ministry's office. Now it's
-
one of the ANSSI's missions, the French
National Cybersecurity Agency ANSSI that
-
reports to the Prime Minister. France's
doctrine toward cryptography has always
-
been dictated by intelligence services and
the army. They want to collect as much
-
data as possible, multiple times, and to
have the capability to decrypt every
-
conversation at any given time. It is on
this condition that they consented to give
-
free access to cryptography for the
general public. That's why French law
-
obliges you to declare to the ANSSI the supply
or importation of a cryptology tool.
-
This procedure is an obstacle for the
deployment of such services in France,
-
mostly because you have to face an
administrative system which refuses to
-
speak non-French. The delay for the
transportation (?) is at least one month.
-
For a long time, all administrative
documents were in French only, ANSSI
-
now provides the translation as
a courtesy, but you're still supposed
-
to fill the forms in French. You're
supposed to provide your source code, but
-
since you all develop open software, this
is fine, isn't it? And of course, you have
-
to send it by regular snail mail, there's
no electronic version of it, in triplicate,
-
which is much more expensive, especially
if you're not in France. Let's say that
-
administrative documents are sometimes
very complicated for French-speaking
-
people, who are supposed
to be used to them.
-
Agnes: So..
Okhin: How to enable foreign people - not
-
French speaking ones - to understand them
and to correctly fill them?
-
proper sound back again
Agnes: Since then cryptography legislation
-
has not really evolved. However, one
national security or counter terrorism law
-
after another - we had something like 30
of them in the last 15 years - the
-
judiciary and repressive arsenal did grow.
For example, police were authorized to
-
install keyloggers in the LOPPSI 2 law in
2011. Then police were authorized to force
-
any person or entity they think able
to decrypt or to analyze every kind of
-
encrypted content they get their hands on
in the counter-terrorism law of 2014, and
-
the army and intelligence agency of course
can help to do those crypto analysis
-
if needed.
bad sound, again from author transcript now
-
Okhin: And now the so-called "Black boxes"
entered the game in the Surveillance Law
-
of 2015. Those are algorithms collecting
and analysing metadata in order to catch
-
terrorists. We know they are made by
Palantir and we had the confirmation on
-
November of their deployment.
The fun fact: the internal intelligence
-
service signed the agreement with Palantir
but the military intelligence and foreign
-
intelligence services are quite concerned
about it, because they would rather maintain a
-
strategic autonomy.
-
In the same law, the use
of IMSI Catchers is granted to cops
-
and they can install spyware on your
terminal without prior validation of a
-
judge. IMSI Catchers and spyware may be
used to gather any information that may
-
help protect vague interests, such as the
"industrial and economic well being" of
-
France or the prevention of undeclared
protests.
recording audio back to quality
-
Thanks to the state of emergency since
2015 and now made permanent in last
-
October, search warrants may now be
delivered on mere rumour and suspicions,
-
after the fact, without any investigations.
They allow for collection of any data found
-
on site. And data is kept during three
months, but if they are encrypted the judge
-
can decide to retain them indefinitely
until they decrypt them.
-
And without any investigative power.
-
Agnes: So to conclude this
depressive state of affairs
-
we need to add that cryptography
is an aggravating circumstance
-
in a long list of crimes
and felonies linked
-
primarily to organized crime and terrorism,
but also conveniently to aiding refugees
-
for example. So encrypting things makes
you even more suspect and more guilty.
-
Okhin: Oh and we almost forgot - if ever
you're operating a cryptographic system
-
for third parties you have an obligation
to provide either decryption key or plain
-
text to cops if they ask for it and
you have 72 hours to comply
-
- which means a lot of pressure
on you. It probably can
-
apply to yourself if you're being
investigated upon, but it might clash with
-
the right to remain silent and to not
self-incriminate. We do not have a lot of
-
choice here. But we recently had cases
where cops..., where the law has been used.
-
One of them was to coerce a teenager to
provide decryption key for an encrypted
-
chat with OTR he was operating and which
had been used by people who were making
-
fake bomb alerts in schools. And for one we
know about, how many of them have gone
-
unnoticed, people choosing to keep living
their lives instead of risking jail time
-
and huge fines?
Agnes: So here it's important to note that
-
there's a difference being made between
cryptography which enforces security
-
communication and cryptography which
enforces confidentiality. In this
-
presentation we're addressing the issue of
cryptography in the context of
-
confidentiality only. To illustrate that
this debate goes beyond the classic lines
-
of left/right politics we like to display
some quotes on the topic by various
-
ministers, candidates, elected
representatives and prominent political
-
speakers. For example, Éric Ciotti, he is
a member of parliament from the right-
-
wing. He wants to fine Apple 1.5 million
euro, if they refuse to give encryption
-
keys, among other outrageous things he
said, this is one taking hold.
-
Okhin: François Molins, Paris Prosecutor,
wrote about that in the New York Times
-
against cryptography. The title is quite
explicit, it states: "When Phone Encryption
-
Blocks Justice". And he talks about the
importance of privacy rights of the
-
individual in the same paragraph of the
"marginal benefits of full disk
-
encryption". He signed this bullshit with
his colleague Cyrus Vance Jr, District
-
Attorney of Manhattan, Adrian Leppard,
commissioner of London City Police and
-
Javier Zaragoza, chief prosecutor of the
national court of Spain. I let you read
-
the full quote in all its splendor.
Agnes: So we have also Guillaume Poupard
-
from the ANSSI we talked about before. He
said just before the Bataclan attack in
-
2015 that backdoors and key sequestrations
are a bad idea and that he instead proposes
-
to work on "points of cleartext". Whatever
it means it probably stands for transport
-
security and against confidentiality of
communications.
-
Okhin: Emmanuel Valls, then Prime
Minister, used the term "legal
-
cryptography" in interviews where the
official discourse for the last 20 years
-
was that all cryptography was legal.
Agnes: Here the digital national council,
-
then chaired by Mounir Mahjoubi, who is
now Secretary of State for digital issues,
-
did oppose the ideas of backdoors and did
advocate for the use and development of
-
end-to-end encryption just before the
presidential electoral race - you'll see
-
later why it's important.
Okhin: Bernard Debré, another elected
-
representative from the right wing, he
actually ordered drugs online, cocaine for
-
80 euros a gram on onion-services to prove
how dangerous it is. He also said you can
-
buy body parts and guns there and that
it's easier than ordering shoes online. He
-
also bought a lot of drugs from a non-
identified website in Netherlands, so
-
surely the encryption is at fault here.
Agnes: So Jean-Jacques Urvoas who was
-
Minister of Justice said he wants to
access computers, Skype communications and
-
so on and to put all suspects and their
entourage under permanent recording.
-
Between the first and second turn of the
last presidential elections he broke the
-
professional secret and sent to Thierry
Solère who is a member of parliament from
-
the right wing the information that he was
investigated upon. He sent a message by
-
Telegram and the note was saved on Thierry
Solère's phone and found during a police
-
search at his house later on.
Okhin: In August 2016 there was a joint
-
declaration of Thomas de Maizière and
Bernard Cazeneuve, interior ministers of
-
Germany and France respectively about
European internal security and they stated
-
that: "At the european level, it will
require to force the non cooperatives
-
operators to remove illegal content or to
decrypt messages during investigation."
-
Agnes: However, so it was a joint
communication but French written version
-
of the joint declaration was different
than Germans. Only France kept the part
-
about how it would be so great to have
back doors or golden keys. So either
-
Germany did not want to publicly advocate
for backdoors or they had a different
-
strategy, but unfortunately very recently
the same de Maizière announced that he
-
wanted to force tech and car companies to
provide the security services with hidden
-
digital access to all devices and
machines. He probably did not know that if
-
you lowered the security of cars you
dramatically increase the risk of accident
-
among others.
Okhin: All this was before Macron was
-
elected last spring. It's like an actual
photo. It's not a Photoshop. During his
-
presidential campaign Emmanuel Macron said
that we should put an end to cryptography
-
by forcing the biggest companies to
provide encryption keys or to give access
-
to the complete content stating that "one
day they'll have to be responsible of
-
terror attacks complicity".
Agnes: So Mounir Mahjoubi again. He was
-
then counselling the candidate and he is
now internet minister. He has been forced
-
to backpedal and to explain that messing
with end-to-end cryptography was out of
-
question and that they'd rather force
companies to cooperate faster with police
-
forces. He specifically emphasized the
importance of cryptography by companies to
-
protect trade and industrial secrets and
since then Mounir Mahjoubi has become
-
totally silent on this topic. So it seems
that encryption for confidentiality is a
-
real problem for them. Would you be
surprised to know that to communicate with
-
his political party and representatives
Emmanuel Macron, now president, uses
-
Telegram? An application regularly
described by a lot of representatives as
-
an enabling terrorism tool and which
should be banned. Their words, not ours.
-
Animal Farm is back: We are all equal with
the use of cryptography, but some are more
-
equal than the others. Coupled with this
focus on protecting companies' secrets
-
this confirms that the Start Up Nation
doesn't care about protecting citizens but
-
only about business and powerful friends.
This becomes blatantly obvious when you
-
look at Macron's social and economy's
policies.
-
Okhin: Last but not least, successive
French governments put pressure to add in
-
the law possibility for cops to ask you
for all of your online handles, including
-
that all Yahoo mailboxes, ICQ numbers,
your Twitter or Facebook account, all the
-
weird nicknames you use on IRC and stuff
like that. That's why mine is currently a
-
fork-bomb embedded into a shellshock, but
I think we can get more creative and find
-
a way to be more destructive for a system
when cops would have to enter it into
-
their systems. Two attempts have been made
already and rejected at some point. This
-
kind of registration already exists in the
UK, in the US, and we hope the government
-
won't succeed in France to put this kind
of limitation in law.
-
Agnes: So, as demonstrated France is one
of the very active powers against
-
cryptography within the EU. Even if some
of other member states did express some
-
concerns namely Poland, Croatia, Hungary,
Italy, Latvia, and other countries, those
-
concerns have been prompted by other
member states and probably France. Each
-
new bill is a risk to reduce the use of
cryptography especially with the criminal,
-
digital or judiciary laws that are coming
soon. For instance France is pushing hard
-
for avoiding any obligation on end-to-end
encryption in the ePrivacy regulation.
-
They explicitly ask to gain access to any
communication or metadata, which is what
-
is written here in French. Sorry, we
didn't translate it. The government also
-
pushes to obtain EU legislation on
encryption which would limit end to end
-
encryption, of course. The government
intends then to use this EU legislation
-
for justifying its position while it did
create this proposal in the first place.
-
In the next month the discussions on
eEvidence will start at the EU level. There
-
will probably be a lot of talks about
cryptography in the next "counter-
-
terrorist package" expected in 2018.
Counterterrorism is always a good way for
-
the governments to make some provisions to
enhance security and to lower the rights
-
and freedoms. They threaten the Parliament
to be responsible of the next attacks and
-
the members of parliament thus vote
anything just because they don't want to
-
be responsible.
Okhin: So as technicians, what can we do?
-
From a technical perspective we think we
should operate communication
-
infrastructure and systems in an illegal
and clandestine way. It is important to
-
build undetectable and encrypted
communication systems that break the link
-
between your online communications and
yourself. Making those tools available to
-
the general public and mass adopted by
them is a critical and non trivial issue
-
to address. Especially as French legal
registration system might block access to
-
high-quality privacy preserving encryption
tools. For instance, Apple requires you to
-
fill the ANSSI form and obtain a
certificate from them to put your software
-
on the Apple App Store already.
Moreover it is paramount to think wider,
-
because if your encrypted communication
relies on centralized infrastructure at a
-
highly identifying piece of information
such as for instance a phone number, then
-
a passive listener such as an IMSI catcher
can get your phone number from a protest
-
you were at for instance and then guess
what your account is and then, they got
-
your phone number, so they can ask to
deploy key loggers and spyware on your
-
phones. And this defeating all the
security based on your phone number. At a
-
time where more and more governments want
to hinder encryption and secret of
-
communications, it is critical to have
access to communication systems that are
-
free, pseudonymous, decentralised and
distributed to the widest audience
-
possible, meaning user-friendly, yes, and
to think about ways to push those tools
-
everywhere. It is also important to lead
political battles. We need all available
-
help to slow down this attack at the
national and European levels. We need to
-
get out of the security discourses and to
break the link between encryption and
-
security for the state and to control the
argument that only people committing
-
crimes and felonies do use cryptography.
We need a positive discourse about
-
cryptography: how it helps people with
their daily lives, how it improves
-
social structures, how it protects
the identity of queers, how it helps
-
abused women to seek help and to escape
their home, how it enables a positive
-
change in the society, as main change
often comes from activities not approved
-
by the society. If you want more concrete
steps and ways to help we're currently
-
running a support campaign so you can help
us there at support.laquadrature.net.
-
After the Q&A, because we have some time
left, you can come drink some tea at the
-
teahouse in the CCL building and have some
tea and chat with us. Thank you all for
-
listening and if you have any questions I
think we have some time.
-
applause
Herald Angel: Alright we have 5 minutes
-
for questions. Are there people out there,
maybe on the internet? No, are there some
-
people here who have questions for this
lovely organization? Well I have a
-
question actually: So you gave us some
advice regarding using avatars, alter
-
egos. You know what, I'm teaching as well
and my colleagues teachers even in that
-
kind of digital age that we live in are
always wondering why I am using several
-
avatars, several devices. It seems like
it's not accepted actually because they're
-
looking at you like "Are you a criminal or
what? What did you do wrong?" Don't you
-
get that kind of questions as well from
your audience?
-
Okhin: Yes, we got that a lot. The thing
is, a lot of people commit crimes using
-
their real name and IDs and stuff like
that. Most of the people are asking people
-
online, for instance, to not use a
pseudonymous account or something like
-
that, they want to be known as our same
people and stuff like that. So it's like
-
we need to get out of this kind of
discourse and say: "I can do whatever I
-
want with my online identities. It's not
your business. And if I'm doing something
-
wrong, you have to prove it, like with due
process of law and stuff like that."
-
Herald: Ok, I see there's a question
raised in here. Microphone number two.
-
Mic2: What counts in practice as import
and export of cryptography? I mean, if I'm
-
in France and I download OpenSSL, do I
have to fill out the ANSSI form?
-
Okhin: Not for OpenSSL, because it's not
a protocol that has a goal to provide
-
confidentiality of communication which is
end-to-end encryption.
-
Mic2: So GPG?
Okhin: Yeah, GPG is supposed to have an
-
important certificate and I think they
have it.
-
Mic2: For individuals or for
organizations?
-
Okhin: For the organization which provides
you the access to the tool. Like Google is
-
supposed to provide that, Apple,
Microsoft, Debian. Debian I think filled
-
the paperwork. Each Linux distribution
should do it.
-
Herald: Question here, microphone number
one?
-
Mic1: Okay, thanks so much for the talk.
I'd really love to hear a little bit more
-
about the very crunchy in-depth bits about
encryption policy in France. Now might not
-
be the right time, but building off of the
last question: What kinds of laws or
-
policy are around taking encryption
technology outside of France, like across
-
a border?
Agnes: Well for exporting to closed
-
encryption technology there is the
Wassenaar Arrangement signed by several
-
countries, so I don't know by heart
everything in there, but for example a
-
system that can use for war and for other
use. Then you have it's forbidden or you
-
have to declare that you're exporting such
tools etc. So for exporting you have this
-
Wassenaar agreement and I think there is
nothing else if it's not a double use
-
system.
Mic2: Thank you!
-
Herald: Okay, one last question, please
there, mister three.
-
Mic3: It seems to me that all of these
laws are mostly falling under national
-
security. Are there any laws way to
challenge any of this in the European
-
level? So on the European level there's
wonderful direct data protection
-
directives and all the stuff. But my
understanding is that all of these
-
directives any state can kind of opt out
of them for national security reasons. So
-
is there anything that can be done on any
level without invoking a national security
-
exception?
Agnes: Yeah well all data protection
-
regulation policies at the EU level and
especially the GDPR, general data
-
protection regulation, has a specific
provision that enables member states to
-
say: okay, it doesn't apply because it's a
national security issue. What I said, what
-
I showed here, is that in the ePrivacy
regulation, which is currently under
-
negotiation at the EU level, the EU
Parliament has already adopted a position
-
which promotes encryption as soon as it's
possible to have end-to-end encryption.
-
And that's why the French government is
trying to push it away, there will be
-
negotiation between the Council, the
European Parliament and the European
-
Commission. The Council represents all
member states, so there will be a
-
negotiation with all the institutions,
beginning this summer probably. Or just
-
after the summer, but maybe a little bit
before. And then the French government is
-
going to try to push it away. As we saw
in the document which we showed in
-
French, the government is trying to get to
gain access to all communications and
-
data. It's very clear in the French
communication we showed.
-
Herald: May I make a suggestion?
They have a fantastic tea house.
-
You have to continue this discussion
later on there with a cup of tea,
-
and some massage maybe. I have
one last call for you both, you know,
-
and the audience: « Indignez-vous ! »
[i.e. “Time for Outrage!”]
-
Ca, c'est! That's why we wanna hear you! (?)
Indignez-vous !
-
applause
-
postroll music
-
Subtitles created by c3subtitles.de
in the year 2018