Good, I have the pleasure and the honor of introducing to you two persons here who are really working at La Quadrature, I really must, La Quadrature du Net, so that's really something in French, and it's an organization, an NGO. It's actually working really on the rights, on the freedom, of citizens on the internet. I understood that Agnes is there responsible for the coordination, mainly about legal issues, and that Okin, pronounced as well, he's more responsible about the technical side. He runs as well, I think, a bunch of volunteers who are helping you around. Please give them a welcome applause. Let's start the show.

So, hello. So we are here: there is Okin, but he has already been introduced, the third person from La Quadrature du Net, and I'm Agnes, and I work on legal and political issues at La Quadrature as well. So La Quadrature is an organization that fights for fundamental rights and freedoms in the digital area. We are here today to talk about the danger lying above your jobs, especially if you're building or maintaining cryptographic tools.
We're here because we think it's important to demonstrate that the worst authoritarian laws don't only come from far-right governments such as Hungary or Poland, but mostly from the social democracy compatible with market economy, to quote Angela Merkel. So along with Germany and the United Kingdom (but with Brexit, exit the UK), France is one of the biggest forces within the EU, and if France can rally at least one of the two others on board, it can obtain what it wants from its European partners. It works both ways, of course. But it's important, because the problem is that France is not only exporting its knowledge and practice of law enforcement and anti-riot gear to various governments such as Tunisia or others; France is now also shining for its anti-privacy lobbying, as you will see later.

Now, so, what is interesting is to think about what we can do as technicians, developers, sysadmins, sysops, or legal persons specializing in technology issues, because the threats come from the legal, political and technical areas and endanger not only us but also sex workers, abused women and abused people who need to flee their home, and so on. We have to think about our role and to find ways to act to fight against the threats against encryption.

We're going to start with a quick but sadly non-exhaustive history of laws trying to weaken or circumvent cryptography in France, one way or another.
We're including everything that talks about spyware and keyloggers because they're a direct threat against a lot of cryptographic tools.

Okay, so let's be clear here: we are only going to talk about very specific aspects of the digital-related law. Access to the internet, filtering, censorship can probably be discussed in other talks, with the same quantity of laws hindering those rights, but we will focus here on cryptography only.

Before 1998, use of cryptographic tools for the public was essentially forbidden. The key length was limited to 128 bits for asymmetric cryptography. For authentication of communication or for ensuring integrity of the message, a declaration is necessary. For all other uses, especially for confidentiality, ex-ante authorization from the prime minister was required as well.

After lengthy negotiation with the intelligence services, cryptography has been freed in 1998, but it's required that the system used respects one of those three limitations: the cryptography system cannot be used for confidentiality purposes without authorization; or the cryptography system is operated by a third party owning a master key which the police may have access to; or the user does not need a strong confidentiality and can use a standard encryption solution with a key lower than 40 bytes.

So since then, cryptography legislation has not really evolved. However, with one national security or counter-terrorism law after another (we had something like 30 of them in the last 15 years), the judiciary and repressive arsenal did grow. For example, police were authorized to install keyloggers in the LOPPSI law in 2011. Then police were authorized to force any person or entity they think able to decrypt or analyze, to analyze every encrypted content they get their hands on, in the counter-terrorism law of 2014, and the army and intelligence agencies of course can help to do those cryptanalyses if needed. 2015: all the prevention of undeclared protests, and thanks to the state
of emergency since 2015, and now made permanent last October, such warrants may now be delivered on mere rumor and suspicions, after the fact, without any investigations. They allow for collection of any data from on site, and that are kept during three months if they're encrypted. And if they're encrypted, the judge can decide to retain them indefinitely until they decrypt them. Such, and without any investigative power.

So to conclude this depressive state of affairs, we need to add that cryptography is an aggravating circumstance in the long list of crimes and felonies linked to terror, linked primarily to organized crime and terrorism but also, conveniently, to adding profiteges for example. So encrypting things makes you even more suspect and more guilty.

Oh, and we almost forgot: if ever you're operating a cryptographic system for third parties, you have an obligation to provide either the decryption key or plain text to cops if they ask for it, and you have 72 hours to comply, which means a lot of pressure on you. It probably can apply to yourself if you're being investigated upon, but it might clash with the right to remain silent and to not self-incriminate. We do not have a lot of jurisprudence here, but we recently had cases where it has also been used by cops. One of them was to coerce a teenager to provide the decryption key for an encrypted chat with Hotel he was operating, and which had been used by people who were making fake bomb alarms, fake bomb alerts, in schools. For one of such cases we know about, how many of them have gone unnoticed, people choosing to keep their life going and to avoid the jail, jail time, and face huge fines?

So here it's important to note that there's a difference being made between cryptography which enforces security of communication and cryptography which enforces confidentiality. In this presentation, we're addressing the issue of cryptography in the context of confidentiality only.

To illustrate that this debate goes
beyond the classic lines of left-right politics, we like to display some quotes on the topic by various ministers, candidates, elected representatives and prominent political speakers.

For example, Éric Ciotti: he's a member of parliament from the right wing. He wants to fine Apple 1.5 million euros if they refuse to give encryption keys. Among other outrageous things he said, this is one taking hold.

François Molins, Paris prosecutor, wrote an op-ed in the New York Times against cryptography. The title is quite explicit: "When Phone Encryption Blocks Justice". And even if he talks about the importance of privacy rights of individuals, and in the same paragraph, of the marginal benefits of full-disk encryption. He signs his bullshit with his colleagues Cyrus Vance Jr., district attorney of Manhattan, Adrian Leppard, commissioner of the City of London Police, and Javier Zaragoza, chief prosecutor of the High Court in Spain. I let you read the full quote in all its splendor.

So we have also, from the ANSSI we talked about before: he said, just before the Bataclan attack in 2015, that backdoors and key sequestration is a bad idea, and that he instead proposes to work on points of clear text, whatever it means. It probably stands for transport security and against confidentiality of communications.

Manuel Valls, then prime minister, used the term "legal cryptography" in interviews, while the official discourse for the last 20 years was that all cryptography was legal.

Here, the digital national council, then chaired by Mounir Mahjoubi, who is now secretary of state for digital issues,
did oppose the ideas of backdoors and did advocate for the use and development of end-to-end encryption just before the presidential electoral race. You'll see later why it's important.

Bernard Debré, another elected representative from the right wing: he actually ordered drugs online, cocaine for 80 euros a gram, on an onion service, to prove how dangerous it is. He also said you can buy body parts and guns there, and that it's easier than ordering shoes online. He also bought a lot of drugs from a non-ident services website hosted in the Netherlands. So surely the encryption is at fault here.

So Jean-Jacques Urvoas, who was minister of justice, said he wants to access computers, Skype communications and so on, and to put all suspects and their entourage under permanent recording. He also, well, between the first and second turn of the last presidential elections, he broke the professional secret and sent to Thierry Solère, who is a member of parliament from the right wing, the information that he was investigated upon. He sent the message with Telegram, and the note was saved on Thierry Solère's phone and found during a police search at his house later on.

In August 2016 there was a joint declaration of Thomas de Maizière and Bernard Cazeneuve, interior ministers of Germany and France respectively, about European internal security, and they state that at the European level it will be required to force the non-cooperative operators to remove illegal content or to decrypt messages during investigation. However, so, it was a joint communication, but the French written version of the joint declaration was different from the German one: only France kept the part about how it would be so great to have backdoors or golden keys. So either Germany didn't want to be publicly advocating for backdoors or they had a different strategy. But unfortunately, very recently, the same de Maizière announced that he wanted to force tech and car companies to provide the security services with hidden digital
access to all devices and machines. He probably did not know that if you lower the security of a car, you dramatically increase the risk of accident, among others.

All of this was before Macron was elected last spring. It's like an actual photo. It's not a photoshop. During his presidential campaign, Emmanuel Macron said that we should put an end to cryptography by forcing the biggest companies to provide encryption keys or to give access to decrypted content, stating that, quote, "one day they'll have to be responsible of terror attacks complicity", end quote.

So Mounir Mahjoubi again: he was then counseling the candidate, and now he is internet minister. He has been forced to backpedal and to explain that messing with end-to-end cryptography was out of the question, and that they'd rather force companies to cooperate faster with police forces. He specifically emphasized the importance of cryptography by companies to protect trade and industrial secrets, and since then Mounir Mahjoubi has become totally silent on this topic.

So it seems that encryption for confidentiality is a real problem for them. Would you be surprised to know that to communicate with his political party and representatives, Emmanuel Macron, now president, uses Telegram, an application regularly described by a lot of representatives as an enabling-terrorism tool and which should be banned? Their words, not ours. Animal Farm is back.
We are all equal with the use of cryptography, but some are more equal than the others. Coupled with his focus on protecting companies' secrets, this kind of hints that the startup nation doesn't care about protecting citizens, but only about business and powerful friends. This becomes blatantly obvious when you look at Macron's social and economic policies.

Last but not least, successive French governments put pressure to add in the laws the possibility for cops to ask you for all of your online dolls, including all your mailboxes, ICQ numbers, your Twitter or Facebook account, all the weird nicknames you use on IRC and stuff like that. That's why mine is currently fork bomb and but it will Shellshock. But I think we can get more creative and find a way to be more destructive for a system when cops would have to enter it into their systems. Two attempts have been made already and rejected at some point. This kind of registration already exists in the UK and the US, and we hope the government won't succeed in France to put this kind of limitation in law.

So, as demonstrated, France is one of the very active powers against cryptography within the EU, even if some other member states did express some concerns, namely Poland, Croatia, Hungary, Italy, Latvia and other countries. Those concerns have been prompted by other member states and probably France. Each new bill is a risk to reduce the use of cryptography, especially with the criminal, digital or judiciary laws that are coming soon. For instance, France is pushing hard for avoiding any obligation on end-to-end encryption in the ePrivacy regulation. They explicitly ask to gain access to any communication or metadata, which is what is written here in French.
Sorry, we didn't translate it. The government also pushes to obtain EU legislation on encryption which would limit end-to-end encryption, of course. The government intends then to use this EU legislation for justifying its position, while it did create those proposals in the first place. In the next month, the discussions on e-evidence will start at the EU level as well. There will probably be a lot of talks about cryptography in the next counter-terrorist package expected in 2018. Counter-terrorism is always a good way for the government to make some provisions to enhance security and to lower the rights and freedoms. They threaten the parliament to be responsible of the next attacks, and the members of parliament thus vote anything just because they don't want to be responsible.

So as technicians, what can we do? From a technical perspective, we think we should open communication infrastructure and systems in an illegal, in a clandestine way. It is important to build undetectable and encrypted communication systems that break the link between your online communications and yourself. Making those tools available to the general public and mass-adopted by them is a critical and non-trivial issue to address, especially as the French legal resistance system might block access to high-quality privacy-preserving encryption tools. For instance, Apple requires you to fill the ANSSI form and obtain a certificate from them to put your software on the Apple App Store already.

Moreover, it is paramount to think wider, because if your encrypted communication relies on centralized infrastructure and a highly identifying piece of information, such as for instance a phone number, then a passive listener such as an IMSI catcher can get your phone number from a protest you were at, for instance, and then guess what your account is, and then they got your phone number.
So they can ask to deploy keyloggers and spyware on your phones, and thus defeating all the security based on your phone number. At a time where more and more governments want to end our encryption and secrecy of communication, it is critical to have access to communication systems that are free, pseudonymous, decentralized and distributed to the widest audience possible, meaning user-friendly, yes, and to think about ways to push those tools everywhere.

It is also important to lead political battles. We need all available help to slow down this attack at the national and European levels. We need to get out of the security discourses and to break the link between encryption and security for the state, and to counter the argument that only people committing crimes and felonies do use cryptography. We need a positive discourse about cryptography: how it helps people with their daily lives. It would improve social structures. It would protect the identity of queers. It would help abused women to seek help and to escape their home. It would enable a positive change in the society, as mentions often come from activities not approved by the society.

If you want more concrete state and ways to help, we're currently running a support campaign, so you can help us there at support.laquadrature.net. And after the Q&A, because we have some time left, you can come drink some tea at the tea house in the CCL building and have some tea and chat with us. Thank you all for listening, and if you have any question, I think we have some time.

All right. We have five minutes for questions. Are there people out there, maybe on the internet? Because I don't see it. No. Are there some people here who have questions for this lovely organization?

Well, I have a question actually. So you gave us some advice regarding using avatars, alter egos. That's one thing there. You know what happens?
I'm teaching as well, and my colleagues, teachers, even in that kind of digital age that we live in, are always wondering when I'm using several avatars, several devices. It seems like it's not accepted actually, because they're looking at you like: are you a criminal or what? What did you do wrong? Don't you get that kind of questions as well from your audience?

Yes, we got that a lot. The thing is, a lot of people commit crimes using their real name and IDs and stuff like that. Most of the people are seeing people online, for instance, do not use pseudonymous accounts or systems like that. They want to be known as asking people and stuff like that. So it's like we need to get out of this kind of discourse and say: I can do whatever I want with my online identities. It's not your business. And if I'm doing something wrong, you have to prove it, like with due process of law and stuff like that.

Okay, okay, okay. I see there is a question raising here, microphone number two.

What counts in practice as import and export of cryptography? I mean, if I'm in France and I download OpenSSL, do I have to fill out the ANSSI form or...?

Not for OpenSSL, because it's not a device, it's not a protocol, that has a goal to provide confidentiality of communication, which is end-to-end encryption.

So about GPG?

Yeah, GPG is supposed to have an import certificate, and I think they have it.

For individuals or for organizations?

For the organization which provides you with the access to the tool. Like Google is supposed to provide that, Apple too, Microsoft, Debian. Debian, I think, have filled the paperwork. Each Linux distribution should do it, and stuff like that.

Okay. Good question. Here, mic number one.
Hey, thanks so much for the talk. I'd really love to hear a little bit more about the very crunchy in-depth bits about encryption policy in France. Now might not be the right time, but building off of the last question: what kinds of laws or policy are around taking encryption technology outside of France, like across the border?

Well, for exporting technology and encryption technology, there is the Wassenaar agreement signed by several countries. And so I don't know by heart everything in there, but for all which is about dual-use systems, for example a system that can be used for war and for other uses, I mean, then it's forbidden or you have to declare that you're exporting such tools, etc. So for exporting you have this Wassenaar agreement, and I think there is nothing else if it's not a double use system.

Okay, one last question, please. There, mic three.

It seems to me that all of these laws are mostly falling under national security. Are there any ways to challenge any of this at the European level? So on the European level, there's wonderful data protection directives and all the stuff, but my understanding is that for all of these directives, any state can kind of opt out of them for national security reasons. So is there anything that can be done on any level without invoking a national security exception?

Yeah, well, all the data protection regulation policies at the EU level, and especially the GDPR, the General Data Protection Regulation, has a specific provision that enables member states to say: okay.
It doesn't apply because it's a national security issue. Right now, what I said, what I showed here, is that in the ePrivacy regulation, which is currently under negotiation at the EU level, the EU parliament has already adopted a position which promotes encryption, as soon as it's possible to have end-to-end encryption, and that's why the French government is trying to push it away. There will be negotiation between the Council, the European Parliament and the European Commission. The Council represents all member states. So there will be a negotiation with all the institutions, beginning this summer probably, or just after the summer, but maybe a little bit before. And then the French government is going to try to push it away. So, as we saw in the document we showed in French, the government is trying to gain access to all communications and data. It's very clear in the French communication we showed.

Manic suggestion. They have a fantastic tea house. You have to continue this discussion later on there with a cup of tea and some massage, maybe. I have one last call for you both, you know, and the audience and the new you. That's what we want to hear and in your food