
Okhin

source: Okhin

PJL Renseignement … stop fleeing!

Tuesday 14 April 2015 at 18:06

#PJLRenseignement

If you haven't heard, there's an emergency law currently “debated” in France, which wants to legalize illegal practices of the intelligence services (both domestic - DGSI - and foreign - DGSE), give them impunity, circumvent the judge, and move to massive discriminatory surveillance.

The hashtag is full of reports of people opposing it (from human rights defenders and NGOs to citizen collectives such as LQDN to companies and businesses of all scales). So yeah, it's the law NSA's head is dreaming of.

There are two issues at hand I want to discuss. Not sure how it'll end, but here it goes. The first one is why fighting surveillance is - in my opinion - the wrong fight and the wrong way of doing it, there's more to this than just surveillance. The second is about all the geeks and hackers trying to flee out of France, to move their businesses out of it and other “abandon ship” strategies.

Fighting surveillance

So, surveillance. As Quinn Norton and Eleanor Saitta stated one year ago in their talk at 30C3, surveillance - in itself - is not inherently good or bad. Surveillance is watching, and - when you want to interact with something - you need to watch it. It's hard to grab something precisely in the dark (you can do it, but it's hard).

You need surveillance to expose corruption for instance. Or fascism. Or any wrongdoing in fact.

So, the issue discussed is not - and should not be - the surveillance per se. The issue is that this whole process is secret, hidden, undocumented, without control or regulation.

What does it mean? First, it means there's an asymmetry in information. Something knows more about me than I'm able to know about them. What you do not know controls you, it means that this imbalance of power gives the state more control over you.

It makes them able to act upon you in a discriminatory way. The gigantic issue here is that. It's not the surveillance, it's the lack of control. It's the fact that no one is watching the watchers and has a way to act upon them. What frightens me most in this law is the wording used: “secret defense”, “higher interest of the state”, “impunity for state agent” and things like that.

I've ranted on Twitter about the black boxes that will be able to algorithmically identify threats. The thing is a lot of people lost sight of what an algorithm actually is.

It's a parametric mathematical function applied to a set of data in order to classify information - or at least that's what is intended in this specific use case. The magic word in algorithm, machine learning, classification system is just this: parameters. The way you choose your parameters will change the way you classify your data.

How many occurrences of jihadist-related news do you need to have in your browsing history to be classified as a jihadist? How many hours a day do you spend in this chatroom? How many times a week do you go there?

Those numbers - the ones that we as citizens will never hear about - are political tools. The way you choose them, and why you choose them, creates classifications of people and will make you decide who needs to be swatted or not. That's where the ugliness begins. Those numbers will be chosen to discriminate against people depending on their backgrounds.

I mean, they're already discussing exceptions for surveillance - especially for journalists - which means that they're clearly lying when they say it's an anonymous data collection, they're already discriminating against people based upon their traffic.

So, the surveillance is not the issue. Neither is the privacy. The issue is the lack of control. The issue is the absence of transparency. And stop fighting surveillance saying you have a right to privacy. That's true, but then it enables politicians to call for the “right to be forgotten” which will only help them evade justice.

The issue is that mass surveillance, done by an oppressive system, is a tool of segregation and racism. Because in the French context where we do not speak about Arabs anymore, but only about Muslims (and in a way that makes people think that all Muslims are Salafists and potential terrorists), I'll bet 2 BTC on the fact that they will be the ones specifically targeted by this surveillance.

Same goes for the poorer of us. Who happen to be the ones who are not the white guys, who are also the ones who fight for survival and acceptance at all times. I'm quite sure that if the system catches a white and rich guy, he will go in the false-positive trash and nobody will incriminate him.

So, stop fighting surveillance for the only sake of it. I should not need privacy in a non-oppressive system - that's even how you determine you're living in a non-oppressive regime: what you do and what you are cannot be held against you as long as it does not threaten the safety of someone else. But go fight the state-implemented discrimination.

Don't run away. Fight.

Which leads me to this other point. We - as citizens, as a collective - need to fight that. I refuse to abandon the ship. I'm witnessing a lot of data-exodus. People actively looking to host their data abroad. Commercial companies - such as OVH - are looking to build datacenters elsewhere.

I can understand why a company would do that. They would because they intend to respect the law. Because they do not want to risk their existence to protect their customers, so they're running away. But the thing is, if you flee, then what will happen when the country you've fled to also changes its laws and regulations? Flee again?

That's not a sane way to do things. That's why we have civil society, to oppose the state, to try to restore a bit of balance in the distribution of power. If you flee, you say to the state: you can do whatever you want, I just do not care about it.

If you're a big company, with a lot of money, yes, it might have some power against the government, they will have to choose between reinforcing their power or keeping some jobs in the country. But, well, if the state initially wanted to defend their citizens' best interests they wouldn't be trying to deprive them of liberties, right?

So, fleeing will only preserve you. And, well, you're still a French company, with offices in France, so you still need to obey the law. OK, you'll be somehow outside of the DGSI reach. But your customers won't, since they'll still be in France and they'll still connect to your infrastructure from France, from inside the Dragnet. Which, basically won't protect them and can even give them a false feeling of security - which is worse.

What can you do? It's time to protect your customers, your users. The people who've put trust in you. You do have a choice - and it's not an easy or simple or risk-free one. You have to choose between taking care of your users, and actually keeping the promises of security you've made to them, or obeying the law. That's called civil disobedience and yes, you can end up in jail. But you're not alone, and a legal defence fund is something you can create or ask for help.

Yes, it might seem easy to say. But that's what I intend to do with my project. Providing tools for activists and militant groups who need them. In a way that will try to preserve most of their privacy. I do not intend to respect the law to do that. I do not intend to hide myself.

Hosting data for other people is a political statement. I'm sick of hearing people asking for a country where they could safely host their data. You can do it wherever you want, if your government has decided to jail you, they will be able to do it - wherever your data are. What we need is not a list of foreign hosters who are out of the French territory and jurisdiction, what we need is a government who actually protects us, not themselves. What we need is actually to take a stance.

Privacy cafés, camps, cryptoparties et al are good and nice, but they do not solve the main issue. When are we really going to show those who're in charge who actually is? When are we really going to send them a middle finger?

Do not flee. Do not let them scare you. Fight back. Federate. Protect the people who've put their trust in you. They'll protect you then.

My depression

Wednesday 18 March 2015 at 12:03

I'm depressed. It's quite obvious if you look at it from the symptom part. But I'm still reading or getting comments from people who think it's just a small blues - like a Monday morning blues when the week-end is done and you've got to get to work.

It's like saying that the small bruises you got from falling off your bike are the same thing as getting your leg ripped apart without anesthetic or - if I believe what women told me - delivering a child.

First thing is you do not live with a depression. I do not live. Living implies being able to project yourself in time. The closest thing I found about this state is stated by Buffy. In this part of the show she's obviously depressed, she's just going through the motions.

My depression takes this form. Time is just irrelevant, I'm stuck in the now and go forward or look backward. It's not apathy, because apathy doesn't remove your capacity to make a difference between next week, yesterday and next year.

This has insidious effects. For one, I'm unable to move forward. I cannot just get better because it implies projecting myself into the future. Happiness is an alien concept and I do not see the reason to live. It's absurd and it has no point, in the end I'll die. I could as well kill myself, it would not change a thing.

Another thing is that my depression is not a lack of feeling. It's quite the opposite. Anticipation - meaning something I know will happen in the next few hours - generates anxiety attacks. Those attacks manifest as an inability to think and sort my thoughts, shaking, craving, logorrhea, headache. I have pills to take to calm this down (Valium).

I feel. A lot. Too much. Reading a mail I slightly disagree with will make me burst into rage. Pictures or news of protesters shot by cops will make me cry and fall into a near catatonic state. I'm only nerves and I can react violently to someone who touches me - even if it's someone I love.

That's called exhaustion of emotional bandwidth. Where non-depressed people have a way to manage, delay and rationalize their feelings, I have lost this ability. This is because I have something in my brain - Serotonin neurotransmitters that don't catch the Serotonin - that keeps me in a perpetual state of stress and hypervigilance.

I'm scorched and even the lightest of the wind hurts like hell. There's no end, no light at the end of the tunnel. I've got no memories of happiness - that's another aspect of this thing. I can have some joy, some people can make me smile. But it does not last. Soon, it's another wave - or tsunami - of feeling that comes and overwhelms me.

So no, I'm not living with a depression. I'm drowning in it. I take drugs to help me, they give me some buoyancy. Friends keep trying to maintain this buoyancy. But there's always the calm of the abyss down below, under my feet. One day I'll stop fighting and I'll drown into the abyss.

I won't be at peace, I'll cease to exist, feel and think. And from my point of view it's like heaven. It's the end of the line. End of the pain. And it's not even a pain I like anymore.

Libertarians

Wednesday 11 March 2015 at 15:49

Context

So, I receive queries from people wanting my point of view on various things - ok no, on internet and surveillance, privacy and stuff like that, they do not consult me for issues like climate change and the like. So my email address is like public data, and people find me.

It's not always easy, because there's a lot of people out there wanting to do a subject on "hackers" without more precision. You need to ask them a lot of things, help them to understand that "hackers" is not a precise enough subject and that they should focus on a specific problematic. And then you need to know the media who's asking for the job, especially when you're dealing with students in journalism.

Speaking of students in journalism, I try to be available, to answer them or to put them in contact with others more suited to answer their specific questions.

That's why this one is a tough one for me. Because it puts me in front of a paradox. I always thought that convincing people requires talking to them. I inherited that from Telecomix, and I tried to do it on each occasion. If someone has an angle that I disagree with, then it's probably because one of us (at least) is missing a point somewhere, and it can only be solved by more discussion.

However, I know the media behind the query. And they're known to pose hackers as sociopaths who are after your credit card. They capitalize on fear, not on information sharing, and I tried twice to get around that and it did not work.

Hence this blog post. It's the email I should probably write to this person, but I think it might be beneficial to have it somewhere more public. Names are changed, and no metadata of the original mail. Translation is mine.

Questions and answers

Hello Okhin

Hey Mat,

I'm 19, and I'm writing and embodying a TV documentary in which I try to prove to my parents' generation that, no, I did not abandon my privacy, and that Internet is more than a simple tool for my generation.

Cool. Sounds like a good project and I agree that your generation didn't abandon their privacy, even if you - and I - spent a good part of it online. And I couldn't agree more on the fact that internet is not only a tool, it's a form of communication that enables a lot of different forms of societies.

I'm focusing on the problematic of Digital Natives' freedom, close to the freedom concept of the libertarians (like Larry Page, Elon Musk …) who emphasize the freedom and happiness of the man. My generation is not Foucault's one, meaning a generation institutionalized from childhood to retirement, but the libertarians' one, building a new world of economic collaboration in a reinvented society.

I'm not a libertarian. Libertarians - at least in the French way - are basically asking for total freedom for corporations (either single-person companies or worldwide megacorporations). Libertarians choose to enforce economic freedom over social ones.

And you do it also. You're not speaking about the social aspect of internet, how Internet did change the balance of power between hegemonic corporations, states and citizens. No, the aspect you're focusing on is the economic one. Larry Page and Elon Musk are probably visionaries, they did help to build a non-sentient AI, and to fix part of the way we exchange money.

But they're building a world for an elite. We're still below a third of the worldwide population connected to the internet. Worse, most of the countries not connected to it are currently exploited by neo-colonial corporations to exploit them in order to build all those gadgets we use everyday to make our lives easier.

The world for those libertarians is a world where the weak can't exist. I do agree that economic freedom might help - well, economy is clearly not my strong suit - but we're living in a world where companies - through lobby groups - actually pass laws and can sue states under secret trade agreements.

For me Internet is a social tool. It can help connect people, build communities, strengthen social links, and get a better understanding of the world. It can help people throw away a government, organise dissent, but also have care and help from community members.

Yes, it can be used to build "new" economic systems - although libertarians have been around since before the Internet so I really do not think a totally free and unregulated market that will have no other purpose than justifying its existence and not to support mankind is something that existed long before the internet (since the first industrial revolution I'd say).

And I do think that the biggest mistake pioneers of the internet made back in 1990-ish was to allow advertisement networks and monetization systems to get a foot on internet. It certainly fast-tracked the "massive" adoption of internet, but it also gave way too much power to those few groups who earned a lot of money selling those advertisements to take control of data - and part of the infrastructure.

I'd rather have an internet built by a community and for communities - using taxes and yes a state - the purpose of state is to maintain welfare and infrastructure for all people, not to govern.

It will be an embodied documentary for the mainstream audience.

Currently, I'm focusing on a different angle. I think that I could make a stronger point if I speak about code. "Code is Law", while showing that coding nowadays is having power. What I wrote here is EXTREMELY narrow, but I try to know more on this subject (for instance [A state TV] is interested in my project only if I develop this part) and to have a good grasp of the issue. I also need time to immerse myself into this culture.

So, you want to basically say that hackers - people who code and understand it - are an elite and that they've seized control of the world? It might be true (there's currently an elitism in this so-called hacker community which is an issue), but I try to oppose it as much as I can.

That's why there's free software. Free software exists to ensure that no elite could be left in charge because they're the only ones to know how things work. That's what's in the hacker manifesto after all, and in everything that hackers do.

And also, if you really need to code to use a system, then you should need to build a car to drive it. You should need to know agronomics to eat vegetables. Even if I do admit that all those examples are true, there's a big issue in it, it states that we are born with all the same capacity. Which is false. Prejudices, handicaps, social stigma, life accidents, all these can lead to someone not being able to code. Or to understand how a car engine works, or what are the implications of eating meat instead of vegetables on the global scale.

You cannot ask a single mother of three to learn how to code to use a system. And still, she can use it. And that's a good thing. If you make code skill a requirement to use internet then internet is no longer a tool for emancipation, it becomes a tool of oppression. I want my communities to be inclusive. I want care takers in my communities. And I think internet enables that. And I really think you do not need to code to do that. Or to send encrypted email - or at least you shouldn't.

So no, I will not say that code is a requirement to live in our world. Even if the French government currently thinks that we need to teach kids to code instead of - for instance - criticism, building a thinking process and giving them the keys to explore and understand the world they live in.

I came to see you with the director at a conference you gave and we really liked your way to explain the issue :) [This is a reference to this talk]. In this case, with our documentary we're clearly speaking to "old farts" who try to grasp the issues of the Internet world. It's kind of rare to be able to get this message out on the television even if it's done - it's true - with a simplistic approach (the young connected person that I embody, etc …).

Yeah, well, since you're condescending with your audience I have big issues. Also - and you've probably never been confronted with that since you're a young documentarist - a national TV will never let a positive message about internet get broadcasted.

I mean, I've tried twice. I got burned, I stopped. If you think you can do it, then go for it. But you really should stop considering that people who aren't connected to the internet or who don't see it the same way you see it do not live in the same world as you. They have a different culture, but you both share the same world. And excluding them from it won't give you a better world, it will give you a world where you'll be in power.

So yes, I could have accepted to meet you, but I will not. You can go see a lot of people, for instance Stéphane Bortzmeyer can probably deal with the "code is law" part. But I will not because I disagree with a lot of your ideas.

I hope you'll find some answers in this post, and that it will raise some questions.

I wish you luck in your project.

BackOnline

Monday 9 February 2015 at 16:25

Last year (or so)

For the last year, and a good part of the year before, I was working for an NGO: The International Federation of Human Rights as an ICT manager. Which - for anyone who ever worked as an operational engineer in an NGO - implies doing way too much work. From helpdesk to helping to write reports about internet censorship, from system administrator to webmaster, from training activists during clandestine missions to training officers to use free software. It requires adaptability, skills and an iron will when it comes to defending free software on a daily basis.

I learned a lot of things there. Working with interesting people doing advocacy for human rights in the whole world brings a lot. Passionate and dedicated people. I learned what human rights are and why they're important. I developed a lot more cynicism than what I previously had - and yes, it means a lot more cynicism - mostly due to some way of realism. I developed a better comprehension of how diplomacy and economics intertwine.

I also learned that you can shift extremely fast from defending rights to defending your interests. I saw egos destroying interesting projects. I witnessed personal interests taking over principles of humanism. I was confronted more than once with paradoxes - for instance people advocating for rights for the workers in Asia and begging for Apple computers.

I also learned a lot about me. For instance that I'm not meant for help desk. It's too much stress and it makes me want to rip the throat of people with my teeth. I ended more than once a phone call for support in a state of almost blind rage and needing to go out and walk or hit something. Or crying. I discovered that I probably developed a trauma by being exposed to too many videos and pictures and texts about horror in the world. I had at least two diagnosed burn-outs in those 15 months. And I had anxiety attacks on the job - not because we had attacks on our infrastructure, this part of the job is the kind of pressure I do manage.

I've been diagnosed with a severe depression, and for the last two months (or so) I'm now on drugs to keep my mind out of the suicide path it wanders on.

Off the grid

My contract is now over. And believe me, it was a great experience and I do not regret it at all. I cannot afford to continue working like that though and I needed a full month off the grid.

No talks, no interviews, no code no nothing, not going to the hackerspace. Just playing video games (so in the last month I've done Dragon Age Inquisition, Mass Effect 1, 2 and almost the third, Saints Row: The Third and Saints Row IV, Shadowrun Returns: Dragonfall) and watching movies and TV shows.

And sleeping (10 to 12 hours a day, thanks to melatonin). I've spent a lot of time inside my flat with my bunnies and getting out only for food - and the occasional social event with two or three people.

I'm still in this kind of state. Stuck in the present, unable to get outside and to walk into the world or to project myself into the future. I'm writing this from the café down the street, and it took me at least a full week to find the motivation to get there and write this (and read my mail).

So yeah, I was a bit off the grid. Off the world. I used part of this time to think about what I'm going to do next. I cannot imagine doing a job which is not in line with at least some of my political views, which blacklists most of the startups and companies I know.

I cannot work for another association or NGO because they will have the same issue and need for a five-legged sheep as an ICT person. That rules a lot of things out.

Back online

So, I have no other choice but to find a way to pay the bills and to try to contribute to the fight for a world with a bit more fairness in it. The thing that most collectives lack is a way to manage their online data.

Most of them rely on YouTube - for instance - to upload their videos, exposing wrongdoings and the like. Or use centralized web services for managing their emails or to share documents.

Most of those collectives have other priorities than to learn key management, or to maintain a dedicated server. It can even be illegal or dangerous for some of them. When reaching out to a foreign journalist or tweeting about your government can have you locked up in a jail without trial, you do not have the time to learn GPG, or how to host a website in TLS.

But these are things I was doing for the last year (and the years before with the Telecomix crew). It's something I wrote about, and I've been running cryptoparties for a while.

Also, there are a lot of promising projects about privacy and security of communications. Most of them need someone to run a server with the code and maintain it. Which is out of scope for most of the organisations and collectives I know - heck even the nation-wide newspaper here barely has the resources for it.

This is what I'm going to do. I'll try to find a way to earn my living with that, but the idea is to provide a mutualized solution for individuals and collectives who care about privacy and security. Using only free software, and contributing to it. Providing email, chat, storage and syncing, hosting made for those groups and individuals.

I'll need some help at some point, but the goal is to build a small company which can thrive on it. So yes, it will be a service you'll have to pay for. Some services will be free - mostly the ones that require few resources and work - but running servers has a cost.

And I do not want to pay that cost with the data of my future users. Or with advertisement (which is the same in the end).

So, I'll try to start that. I'm doing a lot of thinking and writing about it. Of course I'll disclose everything about it.

This is me. Going back online. Trying to survive in this ocean of pain.

Crypto parties.

Wednesday 17 December 2014 at 13:11

Once upon a time

When AsherWolf coined the term Crypto Party, there was an actual need for a specific part of the population to get trained to use encryption tools. We were in the middle of all the revelations of censorship done in the Maghreb dictatorships and dictators were thrown out on an almost weekly basis.

I started to do them with journalists. I got in touch with Reporters without borders and we set up some sessions to train a specific part of the population: journalists, field activists, netizens - as RWB keeps calling them.

This is where I learned a lot about GPG/PGP, the advanced use of Tor and of full-disk encryption. Doing those workshops and training did help me teach myself how those tools work, what operational security and threat modelling are. I still have a lot to learn on those topics, but that's how I started it, and that's also why I did run the first CypherPunk workshop at Le Loop hackerspace.

I didn't have any idea at the time that it would work so well. Then Snowden made me not a paranoid guy anymore. Things got crazy, mass-media were screaming out loud that there's no way you can have privacy online, that rogue agencies were going after each and any of us and everyone got paranoid. Not careful, paranoid. Everyone lost focus on threat modelling.

Cryptography became hype, I heard people speaking about Tor, LUKS, and other things on TV and in the press. I did my share of speaking to journalists, learning how the media works in the field, I did make mistakes in communication, but in the end I tried to get the message out that yes, there's a privacy issue, and no, crypto-geeks aren't the ones with the solution but citizens - people in fact - are the ones with solutions.

The local cryptoparty group kept growing. People I used to train were now the trainers, and that's fracking nice. We gathered more and more people, we tried to get out of the hackerspace and to go meet people, creating the Privacy Café, in local bars, with diverse people with all their own problematics.

How we failed the people

And we basically failed them. I once wrote about the Responsibility of teaching because I thought we were missing a point. When we set up those workshops, we have a responsibility toward the people who'll eventually come. We need to give them all the necessary keys to understand the problematics, we need to reassure them because most of them are not in a case where they face being jailed by a government due to a tweet they sent.

The thing is, I wanted the crypto party to be able to function without a central person. Also, I was going through - and I'm still into it - a big depression so I needed to take some steps out of things I'm doing, so I let it go its way, because I think it's the only sane way to do things.

Also, I was growing tired of doing all the same workshops. I wanted something else, playing with new tools, learning new things, experimenting with new paradigms.

And I think that doing those workshops is not the solution. I learned that a bit late maybe, but having time to go to a workshop, with your own hardware and a will to develop new skills is a privilege a lot of people cannot afford, I'll send you to this blog entry written by a pop star doing infosec for reference: A story about Jessica

And fear of internet was more and more used as a teaching tool. And Fear is clearly the worst tool to use if you want people to learn. And I witnessed the militarisation of the language which bugs me. A lot. I even did a conference on this topic because we need to not scare the people away from the internet, or the Internet will die and we really need to be inclusive.

And being inclusive means we need to provide security by default. And it means, we need to build networks and protocols that'll take care of that. And that's one point of strong disagreement with a part of the team. Some of them think that if you're not able to run command line tools, then you do not deserve to be protected. They think that an interface to a tool necessarily implies a weaker security.

I do agree with that, command line tools with all their flags, are the best way to have a crypto disaster for instance (yes, command line IS an interface). The thing is, we do have some tools with good cryptography AND no interface at all (or almost no interface at all). For instance the Tor Browser Bundle. You launch it, it connects, it disappears and you'll never hear about it and still you're connected to the privacy network - and if it can't connect you can't use it therefore you can't put yourself at risk.

Yes, Enigmail - and PGP - is a mess. As well as everything that's based on key management. For one part because key management is about identity, and a lot of people want anonymity - so no identity - also because no one knows what a good key management solution is. The interface sucks, because the tool it's based on sucks.

And we could build a mail solution where GPG will disappear, working more or less like TLS, with a warning when the key looks weird, or when you have no encryption. But we - as the crypto party collective - prefer to tell people they're not good enough to use cryptographic tools.

Well, in fact I stopped teaching GPG in the cryptoparties. I prefer to have them use OTR for instance, and install XMPP servers everywhere I can, with strong TLS setup, and have them configure OTR to autostart. It works, they do not even need to worry about it (except the color of the OTR button). Neither do they need to worry about authenticating (some people might - depends on the threat model) their contacts.

But still, I do have a lot of issues with this attitude I see in this group of people that they know best, they do not question their knowledge. They use fear as a tool, they think that you need to work to deserve protection not that we - as experts, geeks, technicians, whatever - need to build a community oriented and driven network of people with anonymity built at its core - yes, it's supposed to be what internet is.

And that brings me to this tough issue, whether I should continue working on cryptoparties, or try to do something else. I think it's easy to quit, to let them be. It's harder to try to do something with the people who are willing to, and to move forward with them. But there are things in what they say that make me think that we do have a gap in what we want to do with those cryptoparties.

Not being inclusive, not understanding the principles of privileges and discrimination, using fear and militarisation of your vocabulary. All of those are no-gos for me. And I did not find a way to discuss that yet, tried the mailing lists but got no answer, tried to meet AFK, but no answer either.

So I'm wondering, maybe I should stop fighting for that and quit. Give the admin access to the lists for them to go the way they want to go and start something else. It's not easy, but maybe it's a failure.

I should probably just quit.
