So, yeah. Thanks for your attendance, for your interest and joining me today. My name is Max Mehl. I'm the Free Software Foundation Europe's Germany coordinator. And today I will be talking about the radio lockdown directive and why this, so what this is, and why this will be a major threat for free software on our radio devices. So, I will start my presentation today with explaining what this radio lockdown is, what this directive is exactly, why it is dangerous for us, for free software people, or for basically all people who are using radio devices, how we can fight it in the future, what we are already doing, what we plan to do. And in the very few minutes, or in the last minutes, I will try to discuss the whole topic and also answer your questions if you have any.
So, what is radio lockdown? Radio lockdown, we call this, like the official name is the Radio Equipment Directive, with this very sexy name 2014/53/EU. And the radio lockdown itself is just a small article. So, I don't want to annoy you with legal, too many small legal things, but it's this Article 3(3)(i). And it's a directive by the EU Parliament. So, passed the EU Parliament already in the mid of 2014. But it will come in effect in June 2017, so this year.
So, this Article 3(3)(i), what's in there? In this directive, there is this article stating, "radio equipment shall be so constructed that it complies with the following essential requirements", then there's a list of some things that make sense and some of that are not that much important to us. But the last point is, so these equipment should support certain features in order to ensure that software can only be loaded into the radio equipment where the compliance of the combination of radio equipment and the software has been demonstrated. So, this sounds pretty boring, right? Why is it so important? Well, first of all, what is this compliance?
Compliance means that the equipment or the software on it complies with the signal frequencies, the signal strength, and that it contains some certain features that are required by law, like by the radio regulating authorities in the member states.
So, how should this happen? So, you still don't seem to be so convinced that it's really bad, but how should manufacturers make sure that software can only be loaded onto the devices that met these requirements? Well, in fact, it's a signature-based verification. And we already know this in other fields with trust chains. Some manufacturers call it high assurance boot. We know this from the personal computer or the computer sector with secure boot, what we've seen with Microsoft happening. And in fact, it's just another digital restriction management, the DRM, so that we as users can no longer access the devices or can no longer do everything with the devices that we could do, but that there's a software restriction on it.
So, the regulating authorities are the ones that stand behind that, call that also cognitive radio. And what is that? That's more or less like a real-time communication of each and every radio device, so each device that can send or receive radio, communicating with regulatory authorities. So, again, this could be a solution how this can be realized. It's not, in fact, already installed, but this can be how it can look like. So that every device always knows where it is located, in which member state, in which country, and that it can obtain a spectrum license from this regulatory authority. So that the device always knows, or the software on it always knows, how and what frequencies can I send, with which signal strength. So, for example, in Germany, routers may only send with 100 milliwatts in the Wi-Fi frequency band. So that the device always knows where it is and what it is allowed to do. So, one of the people who is working on that topic too calls it the web dream of the regulators.
So, yeah, why is this dangerous? Well, first of all, it affects all radio-capable devices. So, all devices that can send or receive radio waves. So, for example, these are the routers that we were talking about, but this is also a smartphone.
Or, excuse me, yeah? Exactly. Yeah, exactly. I'm just repeating that for the stream, that it's also not only sending devices, but also pure devices that only receive signals, like, for example, GPS receivers. Yes, so this is really crazy.
This is basically bad for many things. For example, for free software initiatives like OpenWRT, or the communities around the Android custom ROMs, community Wi-Fi projects like Freifunk, but also for the people who are writing the drivers for Wi-Fi devices or something like that. So basically, all people that write software that can be loaded onto hardware devices, which they buy from the shelf somewhere.
So this is bad because we still don't know or we have no idea, in this directive it's not written, how this compliance assessment process should be running. So, the manufacturers have to check or have to make sure that only software can be loaded onto those devices that meet these requirements. But how does this procedure look like? As far as we know, if you write a firmware or software that should be loaded onto a device, you have to send this software to the manufacturer and then somehow magically he finds out whether this is okay or this is not okay. But there is no definition on how long this process should take place, if they only have four weeks or four years. This has to happen probably for every single software that is written, so for every update as well. So if you're a developer of OpenWRT, for every security update you may have to send your software to the manufacturer and he then has to assess whether the software meets the requirements. So this is raising the costs extremely, the time-wise costs, and maybe also the hardware costs for community Wi-Fi projects.
Maybe they have to choose other models, other router models, for example, that are more costly because the manufacturers have a better process of assessing the software. And this is just crazy bureaucracy because for everything we have to send the software somewhere and have to check it somehow and we have this trust chains and so on.
This is really bad for free software businesses. It's a completely legit business model to buy off-the-shelf hardware and build a software or firmware around it and then sell it to your customers. And this directive installs a huge competition issue because the manufacturer of the original hardware can just take or take himself a long time to assess the software of the software or the free software business or whatever business. So they can influence how fast software updates can be rolled out and features can be rolled out.
This is really bad for device security because it disables us, the users and the people outside to update their firmware or to install new software, new firmware on the devices that we own, actually. Many people want to install more secure or more privacy-friendly software on their devices. For example, if you buy a smartphone nowadays, it's full of proprietary software and maybe you want to install a custom ROM which contains at least less proprietary software or more free software on it. So these people will be hindered to secure themselves. And then this whole signature checking process involves that on the devices they will most likely be running a virtual machine. So we have another attack vector on our devices. So it's another small computer inside these computers that can be attacked and most probably this will be a black box, the proprietary software. So we lose, again, control over our devices.
This is really bad for sustainability and the environment because, for example, I take the routers again. Routers after two or three years, they don't get any updates anymore.
So users then maybe install other firmware on it, like the mentioned LEDE or OpenWRT, to lengthen the life cycle of their hardware. If the manufacturer then doesn't assess the software anymore for older devices and doesn't allow the software to be loaded, the devices that we bought are, in a few years, very insecure and we have to throw them away because we cannot use them anymore productively.
And, in fact, it's rather senseless, all this stuff. As was mentioned here in the audience, it's also affecting receiving devices that do not send anything and that do not interfere with other hardware and evil people who want to do evil stuff and tune their devices to send other frequencies or with bigger signal strengths will find ways how to circumvent that. So this is targeting normal users, people who don't want to do something illegible. And, in the past, we've seen only very few incidents where hardware has been sending on frequencies or with signal strengths that are not allowed. And these incidents were not free software firmwares or devices that have been loaded with free software or other alternative firmwares, but these have, in most cases, been cheap China devices or something like that. So, many people ask, where does this senseless directive?
Something which is, you can put there, it's the task of research for universities whatever, increasing tremendously because now they have to buy special devices that are not locked up.
Yes, very good. Yes, I repeat that. He mentioned that it also raises the cost for researching projects for universities because they now have to buy other devices that maybe have disabled these signature-based features. So, yeah, this is another problem. And there are many more. So, this list is not finished yet. So, you will find many, many sectors where people are harmed.
But again, I'm coming to this point. Where does this directive actually come from? As far as we know, we still don't have all the information.
It's coming from the ETSI, which is the European Telecommunication Standards Institute. And as far as we know, they are concerned about software-defined radio, SDR. So, SDRs, I'm no technician, so, sorry if I talk a little bit crap, but in fact, these are cheap chips and they are not limited to certain frequencies or certain signal strengths anymore because the older chip design was that it had a fixed-soldered frequency and maybe also a limitation on strength. And now, with these SDRs, for example, they could be able to send Wi-Fi signals and, sorry, Wi-Fi signals and Bluetooth signals at the same time with the same chip that decreases costs and, yeah, it's more or less the future. But, yeah, of course, you will also be able to do a lot of, so, with the software, when I can control the software that I can also send on frequencies that are maybe not allowed to send on. So, this is the downside, of course.
So, the ETSI or the people who stand behind this directive may also have been targeting the 5G mobile networks or the technology that may come up in the future. Still, again, I'm no technician, but I think it's because there are also inter-device communications and so they want to regulate that a little bit.
And some people said that it's because of the weather radars, because in the 5 gigahertz Wi-Fi band there were interferences with weather radars. So, these routers have to have inbuilt a special mechanism that is communicating with these weather radar stations so that they are not interfering with each other on certain frequencies. And some of these devices which are not compliant, yeah, don't support this certain feature, this intercommunication feature and, therefore, interfere with weather radars. But, again, the number of cases where this network has taken place is very little.
And people also ask, is this somehow combined with this FCC router lockdown in the U.S.? Yes, it is.
As far as we know, this FCC router lockdown is a reaction on what ETSI or the European institution planned for the European markets. So, they said, hey, guys, in the U.S., we want to regulate this sector. You also have to do something similar in the U.S. so we can cover the two large markets. But, in fact, what we have in Europe is much worse than what we have in the U.S. Because in the U.S., it's only limited to Wi-Fi frequencies. And in Europe, it's really, as I said, all devices, all frequencies, sending and receiving devices.
So, what can we do to get rid of this radio lockdown? Legally, we cannot do much anymore because this directive has passed the European Parliament. There is little chance that we can attack it in front of the courts. So, we have to somehow find other ways.
One problem we still have is that we still have too little background information. So, we still don't really know what is the position of certain industries or do they already know about this radio lockdown? What do the European institutions or the Member States institutions think about that? For example, yeah, we have in all those Member States, we have network agencies or something similar. What do they think about that? And what are politicians thinking about that? What is their position or do they already know what will come up in the future? I really doubt it.
But, initially, so, about one year ago, we started, the FSFE started setting up a joint statement against radio lockdown. And up to this day, there were 46 organizations and companies signing this joint statement where we summarized what radio lockdown is, why it is bad, and stating some demands to the EU institutions. And yes, we are still trying to increase this list and this is only a small selection of the organizations and companies that are supporting us. But now, coming to how we can really fight it in the future, this was only raising awareness.
In the directive, there's a passage that the European Commission is allowed to make delegated acts. And delegated acts are a possibility to, in this case, to define the classes of devices which are affected by radio lockdown. This sounds a little bit complicated, but the European Commission can define, for example, that all devices that send Wi-Fi signals are excluded from the radio lockdown. In order to influence this, we applied for an expert group of the EU Commission, just mid of January. And we hope to get into there to influence this definition of classes. But we still don't know what, as I said, we still don't know what the EU institutions and the policymakers are targeting at. If they want to make broad exceptions for the device classes, or if they just want it to stay the same. And we also want to get in there to gather some information. As far as I know, the Free Software Foundation Europe applied for that, and also two other organizations that we know that share large parts of our opinion on that. So yeah, let's hope that we can get into this body.
And in fact, we are still, or from the first day on, we are trying to build alliances with other sectors. So, for example, with the science sector, we started to write and communicate what they're thinking about that and what their position is. And yes, the position of them is really opposing radio lockdown. We are trying to raise awareness in other industries. So we have little information on how it is in the router segment, but we still don't know what, for example, with the GPS industry, what's happening there. We are trying to find alliances or allies in the civil society with amateur radio operators or with community Wi-Fi projects like Freifunk or Ninux in Italy and so on. So yes, that's something that we still do and that's something that I have been doing today, raising awareness in front of you, telling you that this is a really major threat for Free Software and for our freedom of access.
And if you're an organization or company, please sign our joint statement. It's linked down here from this page. Join our mailing list. We have a moderated mailing list or you can join this and to discuss the issues and help us finding answers for the questions we have. And yes, please discuss about that. Talk about that with your colleagues and so on. And yes, please find me if you have any questions and we cannot answer all the questions. Find me at the E-booth in Building K in the ground floor. Thanks for your attention.
Thanks, Max. Question?
We have skin in this game. Little IoT devices. Too small to run digital signatures, for example. So have you spoken to any people who consider themselves into the IoT game and ask them if they're happy to quadruple the price of their product to put a smarter chip in to even be able to do any of that stuff?
No, we have not directly spoken to anyone in this sector, but...
Because it sounds like it kills the whole lot stone dead.
But I think they will be obliged to comply with this directive, so they have to somehow implement a virtual machine or a chip that is checking these signatures.
Let me tell you, it's not happening with the sort of stuff we're doing. So it would eliminate our product category, essentially.
Yeah, in the best case, yeah.
Sure, it would be 10x, even maybe more.
Hi, very interesting talk. It wasn't clear from the text of the directive, are existing hardware devices affected as well or just new devices that are coming from the market?
Just new devices starting with those who come into the market from June 2017. So existing ones are excluded, as well as, and maybe I can mention that, as well as amateur hardware, like hardware that is only available for amateur radio operators. But most amateur radio operators use off-the-shelf hardware that they can buy in the store. So it's rather senseless.
Hi, thanks for your talk, Max.
My name is Sebastian, I work for Julia Reda, who is the standing rapporteur in the European Parliament on the directive. And thank you to you up there who raised the question regarding the embedded devices that won't be able to check these signatures. So if I may, I would like to clarify that the signature checks are only a theoretical idea. So for now, we don't know how manufacturers will try to implement the whole measure at all. And I think, so what is happening right now is that an expert group, firstly needs to define the classes of devices that are at all affected by the directive. For now, there is no class definition ready yet. And as far as I know, if it's not ready by June 2017, then I don't know what happens with the deadline regarding the manufacturers, because they are told that they cannot any longer provide these devices on the European market anymore if the class definitions aren't done until then. So I would expect that for these, I will call them dumb devices that won't be able to check signatures, that won't be able to receive updates, because once in a while, something will be broken and then certain devices will need to be, you know all that from Blu-ray, so I won't go into it. So I would expect that these devices would be taken out of the definition.
Now, my question, I do have a question, but it may not be to you, but rather to the audience, is so we have a couple of people who we know who have applied for this expert group. And my question to the audience is, do you know how we can define a number of devices that should be excluded from the directive without telling the Commission to basically exclude all SDR devices, because that won't happen?
Hold on a second. Speaking to the microphone, thank you.
I might have to get straight on the tank.
You could probably start with, I mean, I've only read the UK version of the thing which defines all the EU bands and how you're allowed to use them and the duty cycles and so on, but you could probably sensibly say that anything which is allowed to use a shared channel and has limits on its duty cycle and its power, providing it is compliant with those, should be excluded, and that would probably exclude 90% of the non-threatening things straight away, because you've already got wording which you could probably latch onto to make that happen with a stroke of a pen.
Okay, one more follow-up, Gerv, and then we have one last question.
It seems to me that the big problems are with bands and radiated power, and what we want to be able to do is just put our software on the device. So if the class definition excluded devices where the bands and radiated power were regulated in hardware, manufacturers could then put a little circuit on the device that prevented it going outside those bands and radiated power, but then the entire software of the device could still be open because the software wouldn't be able to break the limits imposed by the hardware. That might be a way of getting completely free software on the devices while still making sure that they couldn't go outside their limits and the definition could say if the limits were in hardware, none of this applies.
I'm sorry, we only have time for one last question. You had your hand up earlier.
Maybe one comment to that. One problem we have with the member states, oh, we have one problem with the member states that in the 28 member states there are different limitations on frequencies and signal strength as far as I know. So manufacturers would have to set the limits for each and every country individually.
But there are some that are harmonized, so those could be covered where it is harmonized. What about your harmonization?
Sorry. Sorry, there was some... But we can discuss later, maybe. It would be really fun.
Reading literally the directive. All the devices having fast converters analog to digital would be banned. You can have a radio transmitter using a Raspberry Pi with PWM. So you should ban everything. You can write PTIA as a board which is an oscilloscope. But you can use FPGA to create a radio transmitter. So how can you check all these kind of devices?
That's true.
Thank you very much, Max. Unfortunately, we have to clear out of the dev room now. Thanks again.
Thank you.