1 00:00:00,000 --> 00:00:17,135 *34C3 preroll music* 2 00:00:17,135 --> 00:00:24,430 Herald Angel: Good. I have the pleasure and the honor of introducing to you two 3 00:00:24,430 --> 00:00:34,699 persons here who are really working at 'La QuadratureDuNet'. Alors, c'est vraiment 4 00:00:34,699 --> 00:00:39,050 quelque chose en Français ! It's an organization NGO, it's actually working 5 00:00:39,050 --> 00:00:45,979 really on the rights, on freedom of citizens on the internet. I understood 6 00:00:45,979 --> 00:00:52,030 that Agnes is there responsible for the coordination mainly about legal issues and 7 00:00:52,030 --> 00:00:58,500 that Okhin - I'll pronounce this well - is more responsible at the technical side. 8 00:00:58,500 --> 00:01:04,518 He runs as well, I think, a bunch of volunteers, or helping you around. 9 00:01:04,518 --> 00:01:08,370 Please give them a welcome applause. Let the show start! 10 00:01:08,370 --> 00:01:16,870 *applause* 11 00:01:16,870 --> 00:01:20,479 Agnes: Hello, here is Okhin, but he has 12 00:01:20,479 --> 00:01:25,969 already been introduced, the third person from 'La Quadrature du Net', and I am 13 00:01:25,969 --> 00:01:32,460 Agnes and I work on legal and political issues at 'LaQuadrature' as well. So 14 00:01:32,460 --> 00:01:38,270 LaQuadrature is an organization that fights for fundamental rights and freedoms 15 00:01:38,270 --> 00:01:44,090 in the digital area. We are here today to talk about the danger lying above your 16 00:01:44,090 --> 00:01:50,200 jobs, especially if you're building or maintaining cryptographic tools. We're 17 00:01:50,200 --> 00:01:55,579 here because we think it's important to demonstrate that the worst authoritarian 18 00:01:55,579 --> 00:02:05,560 laws don't only come from far right governments such as Hungaria or Poland, 19 00:02:05,560 --> 00:02:09,759 but mostly from the "social democracy compatible with market economy", to quote 20 00:02:09,759 --> 00:02:19,470 Angela Merkel. 
Along with Germany and the United Kingdom (but with Brexit, exit the 21 00:02:19,470 --> 00:02:26,450 UK), France is one of the biggest forces within the EU. And if France can rally at 22 00:02:26,450 --> 00:02:31,100 least one of the two others on board it can obtain what it wants from its European 23 00:02:31,100 --> 00:02:40,200 partners. It works both ways, of course! But it's important because the problem 24 00:02:40,200 --> 00:02:44,120 with that: France is not only exporting its knowledge and practice of law 25 00:02:44,120 --> 00:02:51,300 enforcement and anti-riot gear to various governments such as Tunisia or others. 26 00:02:51,300 --> 00:02:59,570 France is now also shining for its anti-privacy lobbying as you will see later. 27 00:02:59,570 --> 00:03:12,460 *sound issues on Okhin's microphone* 28 00:03:12,460 --> 00:03:15,460 Okhin: What is interesting here is to think about what we can do as technicians, 29 00:03:15,460 --> 00:03:20,760 developers, sysadmins, sysops, or legal persons 30 00:03:20,760 --> 00:03:26,500 specialised in technology issues. Because the threats come from legal, 31 00:03:26,500 --> 00:03:32,280 political and technical area and endanger not only us but also sex workers, abused 32 00:03:32,280 --> 00:03:36,570 women and abused people, who need to flee their home etc. 33 00:03:36,570 --> 00:03:39,570 We have to think about our role and to find ways to act, to fight 34 00:03:39,570 --> 00:03:44,440 against the threats against encryption. 35 00:03:44,440 --> 00:03:50,960 We're going to start with a quick but sadly non-exhaustive history of laws 36 00:03:50,960 --> 00:03:54,841 trying to weaken or circumvent cryptography in France one way or another. 37 00:03:54,841 --> 00:04:01,520 We are including here everything that talks about spyware and keyloggers, 38 00:04:01,520 --> 00:04:06,260 because they're a direct threat against a lot of cryptographic tools. 
39 00:04:06,260 --> 00:04:14,310 Agnes: Okay, so let's be clear here, we are only to talk about very specific 40 00:04:14,310 --> 00:04:20,149 aspects of the digital related law. Access to the Internet, filtering, censorship can 41 00:04:20,149 --> 00:04:25,180 probably be discussed in other talks with the same quantity of laws hindering those 42 00:04:25,180 --> 00:04:33,250 rights. But we will focus here on cryptography only. Before 1998 use of 43 00:04:33,250 --> 00:04:37,720 cryptographic tools for the public was essentially forbidden. The key length was 44 00:04:37,720 --> 00:04:46,560 limited to 128 bits for asymmetric cryptography. There were authentication 45 00:04:46,560 --> 00:04:56,181 of communication or for ensuring integrity of the message a prior declaration 46 00:04:56,181 --> 00:04:59,280 was necessary. For all other uses, especially 47 00:04:59,280 --> 00:05:02,280 for confidentiality, ex ante authorization from Prime Minister was required as well. 48 00:05:02,280 --> 00:05:10,660 Okhin: After lengthy negotiations with 49 00:05:10,660 --> 00:05:15,530 intelligence services cryptography has been freed in 1998. But it still 50 00:05:15,530 --> 00:05:19,620 required that the system used respects one of those three following limitations. 51 00:05:19,620 --> 00:05:23,350 The cryptography system cannot be used for confidentiality purposes without 52 00:05:23,350 --> 00:05:27,120 authorisation. Or the cryptography system is operated by a third party owning a 53 00:05:27,120 --> 00:05:32,110 master key which the police may have access to. Or the user does not need a 54 00:05:32,110 --> 00:05:36,271 strong confidentiality and can use a standard encryption solution with a key 55 00:05:36,271 --> 00:05:37,271 lower than 40 bits. 
56 00:05:37,271 --> 00:05:38,271 *bad sound, subtitles now from author's transcript* 57 00:05:38,271 --> 00:05:39,271 Furthermore: people providing encryption tools for confidentiality purposes were 58 00:05:39,271 --> 00:05:40,271 required to give the code, decryption devices or conventions when law required 59 00:05:40,271 --> 00:05:41,271 by them. In 2001 the use of cryptography is freed, but still requires that the 60 00:05:41,271 --> 00:05:42,271 system used has been first registered at the Interior Ministry's office. Now it's 61 00:05:42,271 --> 00:05:43,271 one of the ANSSI mission, the French National Cybersecurity Agency ANSSI that 62 00:05:43,271 --> 00:05:44,271 reports to the Prime Minister. France's doctrine toward cryptography has always 63 00:05:44,271 --> 00:06:56,100 been dictated by intelligence services and the army. They want to collect as much 64 00:06:56,100 --> 00:07:53,350 data as possible, multiple times, and to have the capability to decrypt every 65 00:07:53,350 --> 00:07:54,350 conversation at any given time. This is at this condition that they consented to give 66 00:07:54,350 --> 00:07:55,350 free access to cryptography for the general public. That's why, French law 67 00:07:55,350 --> 00:07:56,350 oblige to declare to the ANSSI the supply or importation of a cryptology tool. 68 00:07:56,350 --> 00:07:57,350 This procedure is an obstacle for the deployment of such services in France, 69 00:07:57,350 --> 00:07:58,350 mostly because you have to face an administrative system which refuses to 70 00:07:58,350 --> 00:07:59,350 speak non-French. The delay for the transportation (?) is at least one month. 71 00:07:59,350 --> 00:08:00,350 For a long time, all administrative documents were in French only, ANSSI 72 00:08:00,350 --> 00:08:01,699 now provides the translation as a courtesy, but you're still supposed 73 00:08:01,699 --> 00:08:04,230 to fill the forms in French. 
You're supposed to provide your source code, but 74 00:08:04,230 --> 00:08:05,230 since you all develop open software, this is fine, isn't it? And of course, you have 75 00:08:05,230 --> 00:08:06,230 to send it by regular snail mail, there's no electronic version of it, in triplicate, 76 00:08:06,230 --> 00:08:07,230 which is much more expensive, especially if you're not in France. Let's say that 77 00:08:07,230 --> 00:08:08,230 administrative documents are sometimes very complicated for French-speaking 78 00:08:08,230 --> 00:08:09,230 people, who are supposed to be used to them. 79 00:08:09,230 --> 00:08:10,230 Agnes: So.. Okhin: How enabling foreign people - not 80 00:08:10,230 --> 00:08:11,230 French speaking ones - to understand them and to correctly fill them? 81 00:08:11,230 --> 00:08:12,230 *proper sound back again* Agnes: Since then cryptography legislation 82 00:08:12,230 --> 00:08:14,180 has not really evolved. However, one national security or counter terrorism law 83 00:08:14,180 --> 00:08:20,990 after another - we had something like 30 of them in the last 15 years - the 84 00:08:20,990 --> 00:08:27,320 judiciary and repressive arsenal did grow. For example, police were authorized to 85 00:08:27,320 --> 00:08:40,188 install keyloggers in the LOPPSI 2 law in 2011. Then police were authorized to force 86 00:08:40,188 --> 00:08:50,990 any person or entity they think able to decrypt or to analyze every kind of 87 00:08:50,990 --> 00:08:58,300 encrypted content they get their hands on in the counter-terrorism law of 2014, and 88 00:08:58,300 --> 00:09:07,480 the army and intelligence agency of course can help to do those crypto analysis 89 00:09:07,480 --> 00:09:33,749 if needed. *bad sound, again from author transcript now* 90 00:09:33,749 --> 00:10:05,160 Okhin: And now the so-called "Black boxes" entered the game in the Surveillance Law 91 00:10:05,160 --> 00:10:07,649 of 2015. 
Those are algorithms collecting and analysing metadata in order to catch 92 00:10:07,649 --> 00:10:10,500 terrorists. We know they are made by Palantir and we had the confirmation on 93 00:10:10,500 --> 00:10:12,310 November of their deployment. The fun fact: the internal intelligence 94 00:10:12,310 --> 00:10:14,019 service signed the agreement with Palantir but the military intelligence and foreign 95 00:10:14,019 --> 00:10:16,649 intelligence services are quite concerned about it, because they would rather maintain a 96 00:10:16,649 --> 00:10:17,779 strategic autonomy. 97 00:10:17,779 --> 00:10:18,909 In the same law, the use of IMSI Catchers is granted to cops 98 00:10:18,909 --> 00:10:20,040 and they can install spyware on your terminal without prior validation of a 99 00:10:20,040 --> 00:10:21,290 judge. IMSI Catchers and spywares may be used to gather any information that may 100 00:10:21,290 --> 00:10:23,970 help protect vague interests, such as the "industrial and economic well being" of 101 00:10:23,970 --> 00:10:29,670 France or the prevention of undeclared protests. *recording audio back to quality* 102 00:10:29,670 --> 00:10:33,089 Thanks to the state of emergency since 2015 and now made permanent in last 103 00:10:33,089 --> 00:10:35,029 October, search warrants may now be delivered on mere rumour and suspicions, 104 00:10:35,029 --> 00:10:36,029 after the fact, without any investigations. They allow for collection of any data found 105 00:10:36,029 --> 00:10:37,029 on site. And data is kept during three months, but if they are encrypted the judge 106 00:10:37,029 --> 00:10:39,089 can decide to retain them indefinitely until they decrypt them. 107 00:10:39,089 --> 00:10:41,149 And without any investigative power. 
108 00:10:41,149 --> 00:10:43,209 Agnes: So to conclude this depressive state of affairs 109 00:10:43,209 --> 00:10:47,850 we need to add that cryptography is an aggravating circumstance 110 00:10:47,850 --> 00:10:56,749 in a long list of crimes and felonies linked 111 00:10:56,749 --> 00:11:02,309 primarily to organized crime and terrorism, but also conveniently to aiding refugees 112 00:11:02,309 --> 00:11:04,089 for example. So encrypting things makes you even more suspect and more guilty. 113 00:11:04,089 --> 00:11:07,089 Okhin: Oh and we almost forgot - if ever you're operating a cryptographic system 114 00:11:07,089 --> 00:11:10,820 for third parties you have an obligation to provide either decryption key or plain 115 00:11:10,820 --> 00:11:14,910 text to cops if they ask for it and you have 72 hours to comply 116 00:11:14,910 --> 00:11:20,389 - which means a lot of pressure on you. It probably can 117 00:11:20,389 --> 00:11:24,429 apply to yourself if you're being investigated upon, but it might clash with 118 00:11:24,429 --> 00:11:27,420 the right to remain silent and to not self-incriminate we do not have a lot of 119 00:11:27,420 --> 00:11:35,639 choice here. But we recently had cases where cops..., where the law has been used 120 00:11:35,639 --> 00:11:40,019 one of them was to coerce a teenager to provide decryption key for an encrypted 121 00:11:40,019 --> 00:11:44,399 chat with OTR he was operating and which had been used by people who were making 122 00:11:44,399 --> 00:11:55,089 fake bomb alert in schools. And for one we know about, how many of them have gone 123 00:11:55,089 --> 00:11:59,730 unnoticed, people choosing to keep living their lives instead of risking jail time 124 00:11:59,730 --> 00:12:04,300 and huge fines? 
Agnes: So here it's important to note that 125 00:12:04,300 --> 00:12:09,639 there's difference being made between cryptography which enforces security 126 00:12:09,639 --> 00:12:15,550 communication and cryptography which enforces confidentiality. In this 127 00:12:15,550 --> 00:12:19,649 presentation we're addressing the issue of cryptography in the concept context of 128 00:12:19,649 --> 00:12:26,639 confidentiality only. To illustrate that this debate goes beyond the classic lines 129 00:12:26,639 --> 00:12:32,689 of left/right politics we like to display some quotes on the topic by various 130 00:12:32,689 --> 00:12:39,769 ministers, candidates, elected representatives and prominent political 131 00:12:39,769 --> 00:12:47,009 speakers. For example, Éric Ciotti, he is a member of parliament from the right- 132 00:12:47,009 --> 00:12:56,740 wing. He wants to fine Apple 1.5 million euro, if they refuse to give encryption 133 00:12:56,740 --> 00:13:02,170 keys, among other outrageous things he said, this is one taking hold. 134 00:13:02,170 --> 00:13:07,529 Okhin: François Molins, Paris Prosecutor, wrote about that in the New York Times 135 00:13:07,529 --> 00:13:11,990 against cryptography. The title is quite explicit it states: "When Phone Encryption 136 00:13:11,990 --> 00:13:20,089 Blocks Justice" And he talks about the importance of privacy rights of the 137 00:13:20,089 --> 00:13:24,220 individual in the same paragraph of the "marginal benefits of full disk 138 00:13:24,220 --> 00:13:29,129 encryption". He signed this bullshit with his colleague Cyrus Vance Jr, District 139 00:13:29,129 --> 00:13:32,879 Attorney of Manhattan, Adrian Leppard, commissioner of London City Police and 140 00:13:32,879 --> 00:13:37,760 Javier Zaragoza, chief prosecutor of the national court of Spain. I let you read 141 00:13:37,760 --> 00:13:46,279 the full quote in all its splendor. 
Agnes: So we have also Guillaume Poupard 142 00:13:46,279 --> 00:13:53,420 from the ANSSI we talked about before. He said just before the Bataclan attack in 143 00:13:53,420 --> 00:13:59,970 2015 that backdoors and key sequestrations is a bad idea and that he instead proposes 144 00:13:59,970 --> 00:14:06,939 to work on "points of cleartext". Whatever it means it probably stands for transport 145 00:14:06,939 --> 00:14:10,410 security and against confidentiality of communications. 146 00:14:10,410 --> 00:14:15,259 Okhin: Emmanuel Valls, then Prime Minister, used the term "legal 147 00:14:15,259 --> 00:14:18,799 cryptography" in interviews where the official discourse for the last 20 years 148 00:14:18,799 --> 00:14:27,720 was that all cryptography was legal. Agnes: Here the digital national council, 149 00:14:27,720 --> 00:14:34,790 then chaired by Mounir Mahjoubi, who is now Secretary of State for digital issues, 150 00:14:34,790 --> 00:14:39,929 did oppose the ideas of backdoors and did advocate for the use and development of 151 00:14:39,929 --> 00:14:44,160 end-to-end encryption just before the presidential electoral race - you'll see 152 00:14:44,160 --> 00:14:47,879 later why it's important. Okhin: Bernard Debré, another elected 153 00:14:47,879 --> 00:14:54,220 representative from the right wing he actually ordered drugs online, cocaine for 154 00:14:54,220 --> 00:15:00,519 80 euros a gram on onion-services to prove how dangerous it is. He also said you can 155 00:15:00,519 --> 00:15:05,269 buy body parts and guns there and that it's easier than ordering shoes online. He 156 00:15:05,269 --> 00:15:09,699 also bought a lot of drugs from a non- identified website in Netherlands, so 157 00:15:09,699 --> 00:15:18,379 surely the encryption is at fault here. 
Agnes: So Jean-Jacques Urvoas who was 158 00:15:18,379 --> 00:15:25,399 Minister of Justice said he wants to access computers, Skype communications and 159 00:15:25,399 --> 00:15:34,790 so on and to put all suspects and their entourage under permanent recording. 160 00:15:34,790 --> 00:15:40,809 Between the first and second turn of the last presidential elections he broke the 161 00:15:40,809 --> 00:15:46,579 professional secret and sent to Thierry Solère who is a member of parliament from 162 00:15:46,579 --> 00:15:53,480 the right wing the information that he was investigated upon. He sent a message by 163 00:15:53,480 --> 00:15:59,679 Telegram and the note was saved on Thierry Solère's phone and found during a police 164 00:15:59,679 --> 00:16:06,799 search at his house later on. Okhin: In August 2016 there was a joint 165 00:16:06,799 --> 00:16:11,209 declaration of Thomas de Maizière and Bernard Cazeneuve, interior ministers of 166 00:16:11,209 --> 00:16:16,519 Germany and France respectively about European internal security and they stated 167 00:16:16,519 --> 00:16:20,579 that: "At the European level, it will require to force the non cooperatives 168 00:16:20,579 --> 00:16:24,829 operators to remove illegal content or to decrypt messages during investigation." 169 00:16:24,829 --> 00:16:32,360 Agnes: However, so it was a joint communication but French written version 170 00:16:32,360 --> 00:16:38,649 of the joint declaration was different than Germans. Only France kept the part 171 00:16:38,649 --> 00:16:43,809 about how it would be so great to have back doors or golden keys. 
So either 172 00:16:43,809 --> 00:16:50,040 Germany did not want to publicly advocate for backdoors or they had a different 173 00:16:50,040 --> 00:16:56,480 strategy, but unfortunately very recently the same de Maizière announced that he 174 00:16:56,480 --> 00:17:01,480 wanted to force tech and car companies to provide the security services with hidden 175 00:17:01,480 --> 00:17:07,220 digital access to all devices and machines. He probably did not know that if 176 00:17:07,220 --> 00:17:11,159 you lowered the security of cars you dramatically increase the risk of accident 177 00:17:11,159 --> 00:17:15,470 among others. Okhin: All this was before Macron was 178 00:17:15,470 --> 00:17:22,579 elected last spring. It's like an actual photo. It's not a Photoshop. During his 179 00:17:22,579 --> 00:17:27,630 presidential campaign Emmanuel Macron said that we should put an end to cryptography 180 00:17:27,630 --> 00:17:31,610 by forcing the biggest companies to provide encryption keys or to give access 181 00:17:31,610 --> 00:17:38,269 to the complete content stating that "one day they'll have to be responsible of 182 00:17:38,269 --> 00:17:45,600 terror attacks complicity". Agnes: So Mounir Mahjoubi again. He was 183 00:17:45,600 --> 00:17:54,130 then concealing the candidate and he is now internet minister. He has been forced 184 00:17:54,130 --> 00:17:59,210 to backpedal and to explain that messing with end-to-end cryptography was out of 185 00:17:59,210 --> 00:18:03,630 question and that they'd rather force companies to cooperate faster with police 186 00:18:03,630 --> 00:18:09,639 forces. He specifically emphasized the importance of cryptography by companies to 187 00:18:09,639 --> 00:18:16,890 protect trade and industrial secrets and since then Mounir Mahjoubi has become 188 00:18:16,890 --> 00:18:24,680 totally silent on this topic. So it seems that encryption for confidentiality is a 189 00:18:24,680 --> 00:18:30,000 real problem for them. 
Would you be surprised to know that to communicate with 190 00:18:30,000 --> 00:18:34,590 his political party and representatives Emmanuel Macron, now president, uses 191 00:18:34,590 --> 00:18:41,090 Telegram? An application regularly described by a lot of representatives as 192 00:18:41,090 --> 00:18:48,460 an enabling terrorism tool and which should be banned. Their words, not ours. 193 00:18:48,460 --> 00:18:52,670 Animal Farm is back: We are all equal with the use of cryptography, but some are more 194 00:18:52,670 --> 00:18:58,630 equal than the others. Coupled with this focus on protecting companies' secrets 195 00:18:58,630 --> 00:19:03,220 this confirms that the Start Up Nation doesn't care about protecting citizens but 196 00:19:03,220 --> 00:19:08,610 only about business and powerful friends. This becomes blatantly obvious when you 197 00:19:08,610 --> 00:19:12,120 look at Macron's social and economy's policies. 198 00:19:12,120 --> 00:19:16,610 Okhin: Last but not least, successive French government put pressure to add in 199 00:19:16,610 --> 00:19:21,289 the law possibility for cops to ask you for all of your online handles, including 200 00:19:21,289 --> 00:19:25,960 that all Yahoo mailboxes, ICQ numbers, your Twitter or Facebook account, all the 201 00:19:25,960 --> 00:19:30,620 weird nicknames you use on IRC and stuff like that. That's why mine is currently a 202 00:19:30,620 --> 00:19:34,970 fork-bomb embedded into a shellshock, but I think we can get more creative and find 203 00:19:34,970 --> 00:19:39,179 a way to be more destructive for a system when cops would have to enter it into 204 00:19:39,179 --> 00:19:46,440 their systems. Two attempts have been made already and rejected at some point. This 205 00:19:46,440 --> 00:19:50,590 kind of registration already exists in the UK in the US and we hope the government 206 00:19:50,590 --> 00:19:54,480 won't succeed in France to put this kind of limitation in law. 
207 00:19:54,480 --> 00:20:00,740 Agnes: So, as demonstrated France is one of the very active power against 208 00:20:00,740 --> 00:20:05,190 cryptography within the EU. Even if some of other member states did express some 209 00:20:05,190 --> 00:20:13,120 concerns namely Poland, Croatia, Hungary, Italy, Latvia, and other countries, those 210 00:20:13,120 --> 00:20:18,210 concerns have been prompted by other member states and probably France. Each 211 00:20:18,210 --> 00:20:23,679 new bill is a risk to reduce the use of cryptography especially with the criminal, 212 00:20:23,679 --> 00:20:30,580 digital or judiciary laws that are coming soon. For instance France is pushing hard 213 00:20:30,580 --> 00:20:37,550 for avoiding any obligation on end-to-end encryption in the ePrivacy regulation. 214 00:20:37,550 --> 00:20:45,220 They explicitly ask to gain access to any communication or metadata, which is what 215 00:20:45,220 --> 00:20:51,460 is written here in French. Sorry, we didn't translate it. The government also 216 00:20:51,460 --> 00:20:57,539 pushes to obtain EU legislation on encryption which would limit end to end 217 00:20:57,539 --> 00:21:04,500 encryption, of course. The government intends then to use this EU legislation 218 00:21:04,500 --> 00:21:11,919 for justifying its position while it did create this proposal at the first place. 219 00:21:11,919 --> 00:21:20,519 In the next month the discussions eEvidence will start at the EU level. They 220 00:21:20,519 --> 00:21:26,570 will probably be a lot of talks about cryptography in the next "counter- 221 00:21:26,570 --> 00:21:32,230 terrorist package" expected in 2018. Counterterrorism is always a good way for 222 00:21:32,230 --> 00:21:37,580 the governments to make some provisions to enhance security and to lower the rights 223 00:21:37,580 --> 00:21:43,220 and freedoms. 
They threaten the Parliament to be responsible of the next attacks and 224 00:21:43,220 --> 00:21:48,409 the members of parliament thus vote anything just because they don't want to 225 00:21:48,409 --> 00:21:54,200 be responsible. Okhin: So as technician, what can we do? 226 00:21:54,200 --> 00:21:58,590 From a technical perspective we think we should operate communication 227 00:21:58,590 --> 00:22:03,600 infrastructure and systems in an illegal and clandestine way. It is important to 228 00:22:03,600 --> 00:22:07,139 build undetectable and encrypted communication systems that break the link 229 00:22:07,139 --> 00:22:11,440 between your online communications and yourself. Making those tools available to 230 00:22:11,440 --> 00:22:15,899 the general public and mass adopted by them is a critical and non trivial issue 231 00:22:15,899 --> 00:22:19,980 to address. Especially as French legal registration system might block access to 232 00:22:19,980 --> 00:22:25,210 high-quality privacy preserving encryption tools. For instance, Apple requires you to 233 00:22:25,210 --> 00:22:29,380 fill the ANSSI form and obtain a certificate from them to put your software 234 00:22:29,380 --> 00:22:34,639 on the Apple App Store already. Moreover it is paramount to think wider, 235 00:22:34,639 --> 00:22:38,870 because if your encrypted communication relies on centralized infrastructure at a 236 00:22:38,870 --> 00:22:44,809 highly identifying piece of information such as for instance a phone number, then 237 00:22:44,809 --> 00:22:49,630 a passive listener such as an IMSI catcher can get your phone number from a protest 238 00:22:49,630 --> 00:22:54,669 you were at for instance and then guess what your account is and then, they got 239 00:22:54,669 --> 00:22:59,240 your phone number, so they can ask to deploy key loggers and spyware on your 240 00:22:59,240 --> 00:23:08,750 phones. And this defeating all the security based on your phone number. 
At a 241 00:23:08,750 --> 00:23:11,730 time where more and more governments want to hinder encryption and secret of 242 00:23:11,730 --> 00:23:15,799 communications, it is critical to have access to communication systems that are 243 00:23:15,799 --> 00:23:19,250 free, pseudonymous, decentralised and distributed to the widest audience 244 00:23:19,250 --> 00:23:24,200 possible, meaning user-friendly, yes, and to think about way to push those tools 245 00:23:24,200 --> 00:23:30,850 everywhere. It is also important to lead political battles. We need all available 246 00:23:30,850 --> 00:23:34,809 help to slow down this attack at the national and European levels. We need to 247 00:23:34,809 --> 00:23:39,509 get out of the security discourses and to break the link between encryption and 248 00:23:39,509 --> 00:23:44,779 security for the state and to control the argument that only people committing 249 00:23:44,779 --> 00:23:49,100 crimes and felonies do use cryptography. We need a positive discourse about 250 00:23:49,100 --> 00:23:53,250 cryptography: how it helps people with their daily lives, how it improves 251 00:23:53,250 --> 00:23:57,059 social structures, how it protects the identity of queers, how it helps 252 00:23:57,059 --> 00:24:01,200 abused women to seek help and to escape their home, how it enables a positive 253 00:24:01,200 --> 00:24:05,659 change in the society, as main change often comes from activities not approved 254 00:24:05,659 --> 00:24:11,410 by the society. If you want more concrete steps and ways to help we're currently 255 00:24:11,410 --> 00:24:15,750 running a support campaign so you can help us there at support.laquadrature.net. 256 00:24:15,750 --> 00:24:21,570 After the Q&A, because we have some time left, you can come drink some tea at the 257 00:24:21,570 --> 00:24:28,490 teahouse in the CCL building and have some tea and chat with us. 
Thank you all for 258 00:24:28,490 --> 00:24:34,270 listening and if you have any question I think we have some time. 259 00:24:34,270 --> 00:24:40,799 *applause* Herald Angel: Alright we have 5 minutes 260 00:24:40,799 --> 00:24:50,299 for questions. Are there people out there, maybe on the internet? No, are there some 261 00:24:50,299 --> 00:24:55,830 people here who have questions for this lovely organization? Well I have a 262 00:24:55,830 --> 00:25:01,669 question actually: So you gave us some advice regarding using avatars, alter 263 00:25:01,669 --> 00:25:08,780 egos. You know what, I'm teaching as well and my colleagues teachers even in that 264 00:25:08,780 --> 00:25:13,090 kind of digital age that we live in are always wondering why I am using several 265 00:25:13,090 --> 00:25:20,880 avatars, several devices. It seems like it's not accepted actually because they're 266 00:25:20,880 --> 00:25:27,039 looking at you like "Are you a criminal or what? What did you do wrong?" Don't you 267 00:25:27,039 --> 00:25:29,149 get that kind of questions as well from your audience? 268 00:25:29,149 --> 00:25:34,879 Okhin: Yes, we got that a lot. The thing is, a lot of people commit crimes using 269 00:25:34,879 --> 00:25:39,559 their real name and IDs and stuff like that. Most of the people are asking people 270 00:25:39,559 --> 00:25:42,610 online, for instance, to not use a pseudonymous account or something like 271 00:25:42,610 --> 00:25:47,429 that, they want to be known as our same people and stuff like that. So it's like 272 00:25:47,429 --> 00:25:50,540 we need to get out of this kind of discourse and say: "I can do whatever I 273 00:25:50,540 --> 00:25:55,210 want with my online identities. It's not your business. And if I'm doing something 274 00:25:55,210 --> 00:25:59,550 wrong, you have to prove it, like with due process of law and stuff like that." 275 00:25:59,550 --> 00:26:04,690 Herald: Ok, I see there's a question raised in here. Microphone number two. 
276 00:26:04,690 --> 00:26:10,110 Mic2: What counts in practice as import and export of cryptography. I mean, if I'm 277 00:26:10,110 --> 00:26:16,409 in France and I download OpenSSL, do I have to fill out the ANSSI form? 278 00:26:16,409 --> 00:26:25,850 Okhin: Not for OpenSSL, because it's not protocol that have a goal to provide 279 00:26:25,850 --> 00:26:28,970 confidentiality of communication which is end-to-end encryption. 280 00:26:28,970 --> 00:26:34,760 Mic2: So GPG? Okhin: Yeah, GPG is supposed to have an 281 00:26:34,760 --> 00:26:37,399 important certificate and I think they have it. 282 00:26:37,399 --> 00:26:39,889 Mic2: For individuals or for organizations? 283 00:26:39,889 --> 00:26:44,059 Okhin: For the organization which provides you the access to the tool. Like Google is 284 00:26:44,059 --> 00:26:51,299 supposed to provide that, Apple, Microsoft, Debian. Debian I think filled 285 00:26:51,299 --> 00:27:00,370 the paperwork. Each Linux distribution should do it. 286 00:27:00,370 --> 00:27:03,639 Herald: Question here, microphone number one? 287 00:27:03,639 --> 00:27:07,649 Mic1: Okay, thanks so much for the talk. I'd really love to hear a little bit more 288 00:27:07,649 --> 00:27:13,960 about the very crunchy in-depth bits about encryption policy in France. Now might not 289 00:27:13,960 --> 00:27:20,870 be the right time, but building off of the last question: What kinds of laws or 290 00:27:20,870 --> 00:27:25,340 policy are around taking encryption technology outside of France, like across 291 00:27:25,340 --> 00:27:30,120 a border? Agnes: Well for exporting to closed 292 00:27:30,120 --> 00:27:36,970 encryption technology there is the Wassenaar Arrangement signed by several 293 00:27:36,970 --> 00:27:55,889 countries, so I don't know by heart everything in there, but for example a 294 00:27:55,889 --> 00:28:07,710 system that can use for war and for other use. 
Then you have it's forbidden or you 295 00:28:07,710 --> 00:28:12,440 have to declare that you're exporting such tools etc. So for exporting you have this 296 00:28:12,440 --> 00:28:23,850 Wassenaar agreement and I think there is nothing else if it's not a double use 297 00:28:23,850 --> 00:28:25,710 system. Mic2: Thank you! 298 00:28:25,710 --> 00:28:29,740 Herald: Okay, one last question, please there, mister three. 299 00:28:29,740 --> 00:28:35,009 Mic3: It seems to me that all of these laws are mostly falling under national 300 00:28:35,009 --> 00:28:39,881 security. Are there any laws way to challenge any of this in the European 301 00:28:39,881 --> 00:28:44,059 level? So on the European level there's wonderful direct data protection 302 00:28:44,059 --> 00:28:47,789 directives and all the stuff. But my understanding is that all of these 303 00:28:47,789 --> 00:28:53,820 directives any state can kind of opt out of them for national security reasons. So 304 00:28:53,820 --> 00:28:59,090 is there anything that can be done on any level without invoking a national security 305 00:28:59,090 --> 00:29:04,620 exception? Agnes: Yeah well all data protection 306 00:29:04,620 --> 00:29:11,100 regulation policies at the EU level and especially the GDPR, general data 307 00:29:11,100 --> 00:29:19,450 protection regulation, has a specific provision that enable member states to 308 00:29:19,450 --> 00:29:28,420 say: okay, it doesn't apply because it's a national security issue. What I said, what 309 00:29:28,420 --> 00:29:35,120 I showed here, is that in the ePrivacy regulation, which is currently under 310 00:29:35,120 --> 00:29:45,389 negotiation at the EU level, the EU Parliament has already adopted a position 311 00:29:45,389 --> 00:29:51,719 which promotes encryption as soon as it's possible to have end-to-end encryption. 
312 00:29:51,719 --> 00:29:57,269 And that's why the French government is trying to push it away, there will be 313 00:29:57,269 --> 00:30:03,270 negotiation between the Council, the European Parliament and the European 314 00:30:03,270 --> 00:30:07,009 Commission. The Council represents all member states, so there will be a 315 00:30:07,009 --> 00:30:13,049 negotiation with all the institutions, beginning this summer probably. Or just 316 00:30:13,049 --> 00:30:20,269 after the summer, but maybe a little bit before. And then the French government is 317 00:30:20,269 --> 00:30:30,710 going to try to push it away. As we saw in the document which we showed in 318 00:30:30,710 --> 00:30:38,659 French, the government is trying to get to gain access to all communications and 319 00:30:38,659 --> 00:30:43,330 data. It's very clear in the French communication we showed. 320 00:30:43,330 --> 00:30:48,310 Herald: May I make a suggestion? They have a fantastic tea house. 321 00:30:48,310 --> 00:30:52,210 You have to continue this discussion later on there with a cup of tea, 322 00:30:52,210 --> 00:30:56,849 and some massage maybe. I have one last call for you both, you know, 323 00:30:56,849 --> 00:30:59,999 and the audience: « Indignez-vous ! » [i.e.“Time for Outrage!”] 324 00:30:59,999 --> 00:31:04,979 Ca, c'est! That's why we wanna hear you! (?) Indignez-vous ! 325 00:31:04,979 --> 00:31:09,689 *applause* 326 00:31:09,689 --> 00:31:23,199 *postroll music* 327 00:31:23,199 --> 00:31:30,781 *Subtitles created by c3subtitles.de in the year 2018*