 Hi everybody, so we're going to to talk again about privacy and I need to click So who am I so I'm not Aaron McSween which was the person that was supposed to come do the presentation Unfortunately, he's home with the flu and so I'm Ludovic Dubost So Aaron McSween is a full-time privacy engineer. I'm I'll define myself more as an open source activist Aaron is our researcher at X-Wiki SIS. I'm his boss and And so Aaron is a full-time Crip pad developer and slash product manager CTO depending so he likes to say it depends on how how important he wants to present himself and so I'm more involved in the Crip pad communication So I get involved in what Crip pad actually does how we communicate about it do marketing or so how we Finance it because I'm the CEO of X-Wiki. So we're 40 people at X-Wiki SIS that is getting its revenue most from building X-Wiki and And and we're doing full-time open source And so the challenge with open source is also how you get to pay for it and how to get people to pay for it I'm also an occasional Crip pad contributor. So in Crip pad the Kanban was my work actually very proud of it and so Actually to try to make a bit the subject want to talk a little bit about floss. So We all hear Users or or creators of floss software and actually when you look at floss and you try to understand Why why do you do floss? Actually, there's one reason which is ethical reasons. So we do we do floss or we get involved in in floss because it's empowering users and And it's because it allows the software to be not only for the people that can pay for it and It's in pouring in pouring the clients and have no luck in now We also have business reasons and there is also interesting business reasons why companies or people do Floss is that it gives an edge over proprietary software It gets more help from other people. So you get contributions So it actually reduces the cost of of of building it or making it known and an openness is actually a feature Also in what we do. So you'll you'll see a bit why we're coming there Why we're talking about this that if you look at the issue of privacy on the internet today Which is more and more a big problem. So Joss explained before Why why privacy is important? and if we're talking if we're starting to talk more about privacy because actually privacy is in danger and This the reason privacy. I mean why is privacy in danger is big because basically we're living in in surveillance capitalism so on one side there is State surveillance But that that's actually one part of the issue around privacy that the states can can know are Trying to know more and more about what we do and there's a lot of debate in some cases We could say I don't care. I trust my state So it's okay in some other cases. It creates serious democratic problems But there is also a problem of surveillance in the business world in the normal world in in a sense that basically most of the internet's business is actually Surveillance is actually based on advertisement that are based on what we do on the internet and actually when we think about it For the people that are as old as I am We felt like Advertising on TV. It's it's oh, it's a pain. We get advertising all the time and we're getting every every hour Advertisement so that we can watch the TV for free. But when we think about it on the internet It's worse get advertisement everywhere while we're while we're actually reading the stuff we read on the internet and this advertisement is Based on method that are way worse than what we got on TV 20 years ago on TV They they they study to try to know who is watching the show Is it woman? Is it guys and we're gonna show advertisement based on that but on the internet They're actually showing advertisement based on who you are the individual that is in front of it And they're trying to know more and more because it makes more money Oh Exactly who you are but everything they want to know everything so that they can make the most money out of it and nobody's stopping them Except GDPR which is doing some some work today Now this thing is is it is it evil actually is it evil that we are in this world? Well, this thing is It's just market and a lot of what what my friend Tristanito works at quant and is doing a lot of talks about privacy He says he says basically Google was supposed to be nice. We're not evil But in the end the the tracking they were doing was not that high, but Facebook came in and Doing more and more individual user tracking about who you are what you do, etc. They ended up being Outsmarted in terms of competition and making money and they end up doing the same thing So it's actually the market the capitalism market is pushing all these companies to go further and further So what we're what we're trying to say Aaron and me is that? The reason is that we've ignored business concerns. We've ignored We've ignored the business aspects of of why the software so and in the end we get only Only software on the internet that is paid by advertisement and that's actually and so We get a lot of stuff for free, but in the end we I mean The thing is we forget that there needs to be a way to pay for it And this way today is advertisement. It's targeted advertising this creating this privacy problem. So and What we're trying to do at a Crip pad is okay Is it possible actually to operate as it need to know basis? Is it possible to say? We'll try to do software that doesn't Doesn't look at everything you do. So that's not operating on this model of working with advertisement and When we look at this well business technical so business and so what we're looking at so Why what is the software we're proposing so we need to look at what type of product we're proposing So why do we have a what do we have a software that's actually interesting the second thing is okay? What what is what data are we are we capturing for people and then okay? What are the risks? The business risks and the technical risk. So if we don't collect the data Can we actually offer that product for free? So if we're not Get getting ways to make money off the data. Well, how do we actually provide that software for free? And what are the consequences if the data is leaked? So when we look at this so we do a Cost-benefit analysis. So how difficult is it to implement something? That's fully private. Is it actually technically possible? to build something that's totally private and how how would it work and And will people actually be happy with it? So Well, that's what we're trying to do with script pad. So we're trying not only to solve the technical problem of Privacy can we actually make a software that allows to protect users privacy? But we're also trying to solve the business issue around it So this is important is this this is why this talk is not only about a technical solution Around Crip pad. It's also about whether how how do how can we as a community or can we as users? Do so that we get software That is protecting our privacy and so what so what is script pad? So our pitch is it's like at the pad, but it's encrypted. So who knows at the pad here? Okay, good. We know script pad actually Few okay, so well at the pad or like you could also say like Google Docs Type at the same time But everything's encrypted So that's actually Interesting is it it's not easy to do So it's already not easy to do a software where people are typing at the same time So the story of Crip pad actually is because we're trying to do that for xwiki So for the xwiki software we needed we need a real-time editing and we've done we work with researchers to do that That's the original story of of Crip pad So it's already not easy to do to have people typing at the same time. Well It's even harder when you say okay, let's make so that the server doesn't know what we're doing and so this is what it is so to Mention one thing is in the open source world. We use licenses to define how data is made public Well in the world of Crip pad and software for security. We're actually using cryptography to define how how data can be used in private so and This is a point where we differ a bit with Crip pad with next cloud Next cloud is proposing as a solution for privacy decentralization So we at the Crip pad we say yeah decentralization is interesting. It's good But actually we need to go one one step further if you put your server on a cloud Service you need to trust that cloud service that they're not going to look at your data And so we believe that if we want to really be sure That our data is safe. We need to use cryptography Cryptography is key if we want privacy we need to go the whole way to Encrypting the data and so we're using cryptography To define how the data can be used So in the end what is Crip pad and I'll make a demo So is it's actually much more than Etapa because it's a full range of Collaborative tools it goes from rich text a rich text editor that goes further than then what you get in Etapa It's a full CK editor Editor that you have in in Crip pad, but it's also a pad where you can do markdown or syntax highlighting of code You can do slideshows. This is actually a Crip pad document stored on Crip pad afar You can you can store encrypted files which themselves can be used in rich text or in presentations So we have images in this presentation. They're stored as Individually encrypted files in the Crip pad drive We have a Crip pad drive inside that Crip pad drive. We can do shared folders So you can make a folder in your drive that will be shared with other people. We have whiteboards poles We have Kanban. We have a messaging between people and we're working on office We just released two days ago spreadsheets inside Crip pad and I'll show that in in the end Where what we're trying to provide is strategies and technology that ensure privacy which can effectively Generalize across a wide variety of application domains. So we're not trying to just encrypt files or secure files. We're trying to Allow to build applications that are secured by design and private by design So that use encryption all the way and that's what is in the Crip pad technology inside Crip pad They're pretty advanced technology to to to secure Documents that are modified in real time by multiple people and so potentially It can go very far in terms of what we can build on top of it However, there's a lot of work because when you work privacy by design you kind of have to rebuild everything from there So basically you cannot just adapt other software to become private private by design You have to actually have it in the core of the system that encryption is everywhere Because it changes for the mentality. This is why for us X wiki Crip pad. It's the same company, but with two different software They they cannot really work together So let me demo a bit oops So the best way to demo is to have two screens So here First thing is a drive. So I have a drive with With folders. So this is my my personal drive with a lot of folders. We can have found there. So I'll take a hop a spreadsheet document I'll take it on this side too Hop a spreadsheet document here. Actually, it's a bit too zoom. Yeah Oops, it's not very well zoom and so here I can do hop 600 Yeah, you can see so I changed the number here My graph was changed in my spreadsheet in real time. It was sent to the other to the other client So actually the way it works is every time we do something in a pad There is a patch that is created encrypted on the client side. The key never leaves the browser The patch that is encrypted is sent to the Crip pad storage The storage will send it to all the other users that are part of the session And then the patch will be applied on the other client and the Crip pad algorithm will manage conflicts If there is changes on at the same time from both users, there's a way to manage that in the algorithm So this is our latest spreadsheet document Then we can show here hop a Document if people have a browser they can even join with that URL is that gd Crip pad for them if they won't so you can have an image here So for example, I can change The size of my image it will change on the other side. I can type here It will go on the other side So you can see the different features we have here So we have the text code Presentation polls can then etc. So for example, if I create a Kanban document It takes a little second to create it and then I can give the URL here to the other users And up and I can start editing the document like that So a Kanban document is actually a JSON file So every time we make a change here. It changes a JSON a JSON model that is the JSON model is synchronized over the Crip pad system and And we can then apply it on the other side So Crip pad is actually quite extensible new new document types can be created The only thing that is needed is JavaScript JavaScript application so Crip pad can only work with JavaScript modules. You need something that works only on JavaScript For example, there are JavaScript libraries that can edit mind maps. We can integrate mind maps in Crip pad We want to integrate Kanban. We've used the JavaScript library Oh, it would have been nice to use we can which is a very well known actually a well-known open source Kanban system the problem is everything is based on the server. So you can't do it So basically then the the requirement for integrating something in Crip pad is that it needs to be built client side It needs to have no server component Basically, the server is only doing is only doing storage is only storing encrypted data I'm finishing up Get back to the slides So now what is the business aspect of Crip pad? So if we don't sell the data There's a question. How do we actually make the software so we could sell it? Well, the thing is we want to do open-source at xwiki and in that Crip pad And the other thing is that if we believe that if you really want to do Security software software that is secured you need to have it auditable So it needs to be shown to the world that the world can verify. There's a few things We haven't done in Crip pad. So Crip pad afar is a service run by us Everything on our servers is encrypted. The thing is how do you actually verify that it's true? How do you actually as a user verify that we're not injecting code in the JavaScript? We're sending from Crip pad afar That would read the data on the client side and then send it to us So the problem is that there's a few more steps to get to full privacy So right now if you want very good privacy you take the code of Crip pad from Github You install it on your own server. You know what you're running and You know that the data on that service encrypted even if somebody is stealing that database Nothing he can do is it because the keys are on your client. You need to secure your client So there's a few things that so we believe that Secure software needs to be open source and now the thing is if it's open source, how do we sell it? We don't read the data. We don't sell advertisement on the data So what how do we do to sell it? So we we can do we're doing paying subscriptions. So on Crip pad afar, you can actually pay For an account that goes over 50 megs We can sell enterprise support. We haven't started to do that. We can do research projects We're doing that where we're Candidating and so Crip pad is actually born out of research project that is financed by by France And we're looking at European fundings to continue to fund that and then there is crowd funding So we actually have an open collective where where you can chip in and it's actually important for us So right now we're mostly we believe that in the next year We're going to mostly finance Crip pad through Through the research projects and we also have people that are buying subscriptions because they actually go over the 50 megs And that Crip pad afar is an interesting service Now the thing is if we really want to have enough money to pay for the actually complexity of everything that needs to be built Like if we want to do everything that Google does On the Google app suite. There's a huge amount of work And so before we can fund this with paying subscription We will have we will have to have way more users than we have today and so We believe that we're going to finance this with research projects short term But actually crowdsfunding and paid subscriptions are really important to us Because they allow us to show to the people that are funding the research project that there's actually people interested in the software And that I believe that it's important that we get this type of software Working so What I want to point out and this is goes back to the business aspect of of of software and privacy Well, if we don't want the world where everything is paid by advertisement and and and made with systems like Facebook Well, we need to think About paying the our software last slide you can try out what we do and and so try it out on Crip pad afar and you can also take the code from From github this is our staff to show that there is a lot of people visiting what we do And here is our contacts if you want to talk to us