 My name is Reino de Vinta. As I told you, I'm from the Netherlands and we're a French country in Europe. Self-proclaimed geek. I've been programming since I was five or six or something like that. And my main focus is on security and privacy. And what I do is I write, I train and I consult. And as of yesterday, I am allowed to do once in a while a report for a Dutch business news radio. So that's kind of cool, I think. And if you want to know more, buy me a beer. That always works and makes me talk. Torture doesn't work. Why are we here? The thing is that privacy and anonymity are really needed to safeguard free speech. I cannot do my job if I cannot count on those two. I've broken a lot of stories in the Netherlands. Many of them making it to questions in parliament, sparking of debate, and even one vote of confidence for the Secretary of Transportation. Those things are only possible if I have people that are able to tell me what is going down. I cannot make that work myself. I'll cut that, you know, that you would, you would be caught and that wouldn't work. So it's a whole thing about trust. And I know the most of you can't read Dutch. It has to do with blackhead and yesterday. But this is what went down yesterday in the press room. I was sitting the entire day with my three colleagues from France at this table. Hell, I even gave them coffee. And they turned out to be snooping on you in a room where you expect to be nonpart of the blackhead network. They didn't get anything from me, thank God. But still, you know, it didn't make me love the French more. So if there are any friends, I'm sorry if I offended you, but you can always make up that by me, B.O. But this is the whole thing what it's all about. You know, you need to be able to, you need to be able to do your job knowing that you're safe. Why is this important for you? Well, give me a minute. The wake-up call is the thing that I want to tell you about when I arrived last year in the Netherlands. I was arrested for making a photograph. I'll tell you all about it in a second. But that was for me the real wake-up call. And that was for me the thing that I started to understand that we needed to do something about this thing. I think I have an open source project that can make a difference. And if you're not interested in the project, at the very end, I've got a couple of tips to help you out being a little bit more secure. Because for me privacy is part of a very important part of security. So the wake-up call. This guy is not the guy that I was taking. He was quite okay with me taking a picture. But when I returned from Descon, one day later, I was walking in Utrecht, that's somewhere in the center of the Netherlands, and there was this guy coming by on a sec way. Now you know I'm a friend of David. There was this friend coming by on a sec way. And sec ways were outlawed in the Netherlands. Why? We don't know, but it's kind of illegal. So if you see one coming by, you go like, oh, cool. This is something for the blog I'm writing for. So I took a picture. He took a fence, phoned the police. I was arrested. They took my camera and removed the picture. Sorry? No, he's taking the pictures right there. No, that's not the picture. This is a different guy after it all went down. Of course, what the police did was utterly illegal. But the fact is, the picture is gone. You don't have the evidence no more. This part was a big riot with a lot of blogs, with a lot of other journalists. And within two days, the police started to apologize and, you know, they removed my record and they did everything to apologize. But it was a wake-up call. And after that, we've seen a whole bunch of other incidents. And I want to walk through a couple of them. For instance, a cartoonist that was supposed to be a racist, his cartoons were taken offline without a court order. In a normal legal system, you would expect a judge to say, this is illegal, take it down. That's how our world should work. The same cartoonist was jailed for days so that they could verify his identity. The funny thing was, they had verified his identity. Well, I would call that bullying. In the public space, we have seen camera men in the Netherlands being hindered from doing their job. For instance, one of their instances, a journalist was filming an arrest and they basically threatened to take his camera away. Well, we have the laptop searches at the border. And we have in the Netherlands policemen working and government workers full-time on a whole bunch of websites looking for illegal remarks. I called them all support police. And then one of the coolest things is, we have got this website called NoStyle and they got a summation from the police, give me the IP address of this movie that was posted. Somebody posted a movie that they were driving over 200 kilometers an hour. It's something like 150 miles or so. And that's kind of too fast. So if you're speeding, they want to know your IP address. That's kind of interesting. And last but not least, we have the movie of the politician that was made and they tried to present that movie from being published. What else do we have? We've got massive monitoring using CCTV cameras. We've got public transportation cards that will store every move you'll make for at least seven years. And we are introducing a tech system over the road like Easy Pass or something like that. And that will photograph license plates. So if you come to the Netherlands and you go to the toilet, I will know about it. And last but not least, in the perfect fight against child pornography, they have put up a DNS system that will re-route you to police sites if you're fixing forbidden sites. Of course, this is very easy to circumvent and they get very upset if you write about that, how to circumvent that. But the thing, this thing is people think this is normal behavior. This is the scene I'm living in. And this is not the scene in the Netherlands alone. This is the scene in the UK, in Germany, in France. Well, let's not talk about that. And say in Italy, it's not all that different. The one difference is that in Germany, many of the things that they're trying to do are being stopped by a constitutional law, by a constitutional court. I wonder why. Probably the same reason why many of these things in Japan are stopped based on their constitution. So this is what I'm looking at. This is what I am up against. The thing that I want to do is get it right and let's get it right on privacy and anonymity. First, let's start off on a definition because privacy is something else. And I'm very much aware that for you Americans, privacy has a whole different meaning than for a European. But scientists believe, and this is not what I thought of, but I learned from the University of Amsterdam, that privacy basically is the level of control you have over your own information. So when I get on a bus and they are registering that I'm traveling, I have no control over what people do with my information. If I happen to take the same bus as a notorious terrorist, I cannot oversee the consequences of that monitoring. If my cell phone is in a room with somebody that is wanted, like for three days, let's say on that phone, I cannot oversee the consequences. And I'm not being afraid of being arrested. I'm far more afraid of the things that you cannot see. People that get checked from their jobs, people that try to get a job, all of a sudden can't get it no more, people that are denied entry into other countries. And they don't know why they're on the list. We've got a European member of parliament and she is being flagged every time she flies within the U.S. She doesn't know why and she cannot change it. And we have the same thing in Europe. I mean, I'm not saying that we are so far more sacred than you are. Sorry about it. The other thing is anonymity. It's a whole different ball game. I decided, and that's my level of control, to say that my name is Vrenno de Rinta. I could have stand up here and say, I'm Snoop Doggy Dogg. I don't know if you would have believed me. I could have been anonymous. I've chosen not to. That's a deliberate choice. People have a right in many cases to hide their identity. When I'm doing my job, I meet people all the time that do not want to tell me who they are, but they are giving me information that turns how to be true. That is why anonymity is important. People need to be able to go to a doctor and ask about a disease, you know, with our setting if that's for themselves or for somebody else. And to show you the level of fear that we've got in our country. A couple of months ago, I was working on this riot and they did do a public bid that was very much debated in parliament and somebody called me. I took a picture of my cell phone and I could see a 070 number. That means the hate. So he started telling his story and then I said, like, whoa, what's your name? And then he said, like, I prefer not to tell. So we're like, yeah, but I see a phone number, you know, I can look this up really easy. And then he went like, that's because I mean a bar because I'm afraid. This is the level of fear that he's already placed upon people. Somebody working for my government, leaving a cell phone at home, going to a bar to do this. And now we've got this new law called data retention. And I know somebody in this room is here and he's saying that data retention is a cool thing because you can't find out so incredibly much. But this is a whole different ballgame, I think. The director forces member nations of European Union to introduce a law that will store IP addresses, phone numbers, who they belong to, who is calling whom, when, who tries to call whom, when, how long the call lasts, who is emailing who and who, you know, who is in charge or who is behind a certain address. And this is being used to pretend crying. Let me give you one example. Last year. And she, a beautiful blonde lady was taken out of her bed by the police because she apparently threatened our prime minister. I would say that's kind of stupid, you know, it's but there it is. After some time, the police find out they got the phone number wrong. She went public on television and that's very good for the anti data retention people because nice, hardworking lady with children and looking nice. But all it does is very, very well on television. But it shows the level of mistake. The second and last example on this one, a Dutch man doing business, all of a sudden was arrested and detained for months because he had to be extradited to freeze. Apparently, he threatened somebody in Greece. What turned out to be the case is that there was this website that was illegal and his phone number happened to be on that website. How it got there, he really doesn't know because it wasn't his website. Only before the phone number alone was reason to lock him up for months. That made me nervous. You know, a lot of people don't know my phone number. So you hate me. No, let's not go there. The last thing and that was actively said in Dutch Parliament, what we can do with this information is predict who will commit a crime. Who did see minority reports? But it is not only an issue for journalists. It's also people who want to tip off the police anonymously. Lawyers that need to be contacted by the client. We had several incidents in the Netherlands where there's privilege with the private conversation between a lawyer and the defendant was actually violated. Freeze and other people that are, you know, religious and of course political activists. The downside is, oh, I'm not having luck with this today. Yeah, let me explain what's happening here. I normally work on a Mac. But last week on Thursday, it surfaced that people in the US border can be seen my laptop for indeterminate time. And I've got a lot of sensitive information that I really needed. I need to speak to some people and needed to bring along. So I bought a Windows laptop. And I use true grip to have the hidden partitions and stuff. If people want to search it now, it's too late. It's gone already because I did talking about the documents already. You don't care about it until it hits you. And if you use tools to save part of privacy, they are generally user unfriendly. I expect everybody in this room to be able to install three net and tour. I have a heart and asking this to my sister, who's a physician. And let's not start with my mother. That's a 76 year old. It's way too complex. Many people are unaware when I write down that they will sort the data of way of traveling on this little card for seven years. I every time get new responses. And somebody wrote in a report that privacy wouldn't be an issue if the press wouldn't make it an issue. And then there's this other problem. I need to pick up a fresh letter and then they will tell me again that I'm not allowed to take pictures without people consent. Why? Because you can identify people on the picture. If I photograph three people on the picture, you still can identify them. But if I go into a stadium and stand on the central stage and then take a picture up, it's hard to identify anybody. The larger the group, the harder it is to identify who is doing what. The biggest help for privacy, without any doubt, is getting a large group of people using a tool. I don't really care if tour is perfect or not. The thing is that if you own one percent of the network, apparently it's no longer secure. So this six billion people are running around. Owning one percent is a lot harder than 130,000 users. That is the whole thing on the privacy part. So we need to get more people in. And then we have the whole thing that I told you about at that border by what is different levels used for this conference to obfuscate data because you don't want people at the border finding it. Of course, you can place a lot online and that's what I would have done if that were possible. But in my case, it wasn't. This is where I hope that my open source project can make a difference. First of all, I don't want to reinvent the wheel. There are a lot of good projects out there that I use on a daily basis. If I'm reinventing the wheel, I will fill in two ways. One is that the tool basically won't be as good as the other tools that are already out there. It will take longer. And second, I drive to part of the community. And I just told you that you have to set the center stage of a big stadium and then make a picture. If you change, of course, you want to contribute back to all the projects that pose the same. But we aim at a larger user base. And what I want to do is deliver tools that are easy to install, easy to work with. And most of all, work. And besides having the tool, you need to do a lot of marketing together. That's why I'm out here as well. And I hope to meet people after this talk that are willing to do a little bit. At this point, I've got over 100 people on my mailing list. And I can say that I've approximately 10 active contributors. What will the tool do? Well, in the beginning, two things. Enable email and chat by making that for the outside world anonymous and for the inside world you can choose. So when a message pops up in my email box, I either know who's from or it will be anonymous. And if it's totally anonymous, then, of course, you can select if you want to receive anonymous email or not. No, I generally don't care about the standards just too much. If you want to, if you not want to chase people away, you need to integrate with what you currently already have. Most people, whether you like it or not, are using your outlook. After nearly a week with this new computer, I wonder why, because I've got such a hard time working with it, but that's a whole different subject. But the reality is they are using it. I'm used to Thunderbird, and you can say from cutie sense that's not perfect, but at least work for me. Many people are using messenger type of software. We need to perfectly integrate with that type of software in order to ensure that they can use the tools and they don't have to think about security. And the last but not least, if you have an app hole and you see the contact list application, you know it's a pretty good application. Maybe the interface could be a little bit better, but the good part of this is when you install Skype, all the addresses are integrated. When you install all the tools, it totally integrates. It blurs into the environment. Wouldn't it be nice to offer such a tool platform independent, for instance, by using Python? What I want to do is encrypt messages, and maybe I should take a small step back. What is a message? A message is any type of communication, being a chat, being an email, but also being status information on what your, for instance, what your system is doing or storing data in the cloud. If I can store a large chunk of data in the cloud, then I didn't have to buy a new laptop. I think OpenPGP or more specifically, NoopyG, is very good in making such message well protected. Second thing you want to do is use other hosts. If the gentleman with the red shirt over there would be surprised to put this data in the cloud, then it's pretty hard to know that I send the data off. Unless, of course, I send it directly, but that's why it's called Tor in this world. The next question is, how do you do that? And what's the cloud? My cloud would typically be FreeNet, because that's the infrastructure that's already there to store data in the cloud, and it makes it very hard to take down. And after you're not using the data, it alternately falls off the cloud. Sounds funny when you say that. So you take FreeNet to put data into the cloud. Using IDs and hashes, you can search the data so you can see what files are there for me that are new. Using some type of anonymity as well, of course, like Tor or anything else. But that basically means that to create a route to put data in the cloud, somebody else, whenever they are online, can take it out. They can take off a list. Like, OK, I've got this message now. Decrypt it and use it. I've been working on this very long. I have a whole different complex mechanism, and then I needed to know everybody that was around. And it had a chat channel in it. And then a cryptographer said, why go so complex? And that's why I don't have a tool yet. And he pointed out that the complexity actually would make the project feel in the end. This is kind of simple. If I can read somebody anonymous, if that person would be kind enough to put it online, if I can verify it anonymous, that it is online after a certain time, the other person can pick it up as Elijah. Leisure. Leisure, yeah. And you don't need local storage or anything yourself. So when they take your laptop away, there is no evidence besides part of a encrypted, free-net thing on your hard drive. Life sometimes can be so simple. Only creating the tools, that is, of course, not so simple. And what I thought of was what this, of what this. You've got the cloud. You've got a small sister search engine. Well, I don't need to explain the name, small sister, I guess. And the communication engine will do all types of communication. It will retrieve the message from the email or the instant messenger, encrypt it, process it, place it on the network. The other one is the communicator itself, the program that you offer to people to maintain a contact list. The program that you offer to say, OK, we've got an alternative email solution if you want to, so that you 100% sure that 100% of the messages are encrypted. And that basically should do the trick. Now the communicator will be the hard part of the project. Because it needs, I don't know, a billion plug-ins. It's a lot of work to get at least going and blurring into an environment. And people are lazy, so you do want to make this as user-friendly as possible. So I would like to ask anybody who cares about it to at least join my mailing list. Because we need a lot of people to code, to do something about it, or to criticize me or other people in order to make sure that the technology works. And I feel one criticism coming up already that you can predict, one of the criticisms is, of course, you know this technology is not 100% perfect. And this is where you have to make a security trade-off. Do I go for perfect technology that makes 100% sure that nobody can find out? Or am I going for the big crowd and does ensure in the privacy? It may be very clear what choice I made. So we need users, we need doers. So if you feel like it, go to www.smallsister.org, subscribe to the mailing list. Now if you want to protect yourself, you think, OK, guy, you're bullshitting, you're from the Netherlands, you can't help us, that's it. Don't worry about it. Do something yourself that makes little sense. One of the things I did is, like four years ago, write an article 10 ways to circumvent data retention. That took the minister of justice to an emergency debate in parliament, because all of a sudden, politicians started realizing that probably this is not the best way to secure ourselves. And probably it's easy to circumvent. You know what happened in that debate? They said, like, yeah, but the stupid people will still be clothed. The article says terrorist, and now we're down to stupid people. That's kind of interesting. And that made me realize when I was preparing this talk, that made me realize that we've got a fair chance of undoing the harm for a part. Not only by using the tool, but showing the tool and saying, like, well, what are we doing? This is so simple to circumvent. This is so simple to overcome. Why are we spending precious legal resources on this? We've got a shortage of policing. Last year in the Netherlands alone, and we are a nation of 16 million people, 423 cases of child pornography did not make it because police were lacking people. We cannot throw scarce resources away. So we might overcome this, actually. One of the funny things is, if you want to be anonymous and you want to do something that might trigger attention, is go to your neighbor. And in my case, I need to go five houses down the road, but then I can serve a fee. Yeah, but that's illegal, I know. But if I'm using my cell phone, my iPhone, would police really know if I'm serving the T-Mobile network in the Netherlands? Or would they really think, oh, he's surfing in London asleep? And of course, it's smarter to go to a different city, et cetera. But that's one of the things that might obfuscate it. And that's also one of the dangers. Because if you're searching for, for instance, SEMTACs, Bomb, and Airplane using Google, and if they can see that search, that would raise attention. Only it would draw their attention to the one person. Second one is use a pre-paid GSM in the Netherlands. Or you use it, you call it play as you go, right? In the Netherlands, you can still buy it anonymously. And I tried it. And at this store, they said, you have our discount card. So I went, oh, I would like to have an anonymous discount card, please. I've got an anonymous discount card. Bought a phone. It worked great. The only thing was when the lady was packing up the bag and giving me the phone, she said, like, there you go, Mr. de Winter. She turned out to be somebody I was in school with. And anonymity doesn't always work. Then, actually, you should leave the phone lying around for a couple of months because they have camera images of you. And then you have a fair chance of communicating anonymously. Be aware if you do that. Be aware that you can trade devices very well. So if you have your regular cell phone on and your pre-paid GSM, and you do that for three days, it's kind of easy to find out that that's you. Especially if you call all the same numbers over and over again. One of the things, and I've been doing that and testing that a lot, is using SSH or Clip of Tunnels to work non-European service. And the funny thing is then you're outside of the legal jurisdiction and you're gone. If you have a closed service, and this is really funny, if you're in the Netherlands, if you have a closed service, like my small sister project is not for everybody, but everybody minus one. Then it's closed service. And then you can say, like, oh, we don't maintain logs. We don't do that. So that undermines the effectiveness of law, but it also helps. And of course, if you don't want to use small tests, then you score, use off, or you screen it. Use tools that are available. Yeah, but you know, I don't really need to do that. Do it for the other people. Make the crowd bigger. Then a couple of things of the obvious. I've got nothing to hide. I don't know if you'll read Bruce Rice's blog, but last week he had this link up to a professor that was telling why you shouldn't talk to the police. And my good friend, Don Blumenthal, in the audience he'll tell later today or tomorrow why you should talk to the police. But he mentioned at a certain point there's over 10,000 laws of federal level in the US alone. So if you don't do anything illegal, you know a lot about law. That would make you a very, very, very intelligent person, which of course we all are. I always wonder if people have nothing to hide. A couple of month ago I was giving a lecture and then somebody said like, I've got nothing to hide. So I asked him what his name was and I started googling him and showing a couple of his child pictures and then he got very upset with me. So apparently he did want to hide his childhood. I've met this guy, he's a lawyer, and he was in a radio show in the Netherlands. And at a certain point he was talking about anonymous blogging. And this show host confronted him with a remark he made 17 years earlier that he thought he should be able to have a sexual relationship with a 15-year-old boy. He's gay. That in itself would be very illegal in the Netherlands. The fact, however, is that he was just 16 and that changes the dynamic and the context a lot. It's not right, but it's a whole different context all of a sudden. However, 70 years later, he looked like a pedophile. So that simple remark that was still available through Google turned out something you really had to hide. At that point it looked very innocent. I'm not sure that what I'm saying today and what I'm telling and talking to people and the things that I do today are still legal tomorrow. And I always wondered like, okay, from whom have you got something to hide? I've got a lot to hide from you. For instance, the names of my sources. I get a lot of questions, especially from Dutch government workers. Don't you trust your government? Don't you trust your prime minister? Don't you trust your minister of the interior? And I always say I trust them fully. Like my family trusted their government in 1939. I don't trust my government in 2013 because I don't know it. My family never got to see the government that was there after 1945. That is the issue. You are not hiding, you're protecting your data. Having said that, that is basically the thing that I wanted to share with you. I'm kind of early. I'm a quick poker, I guess. So if there are any questions, I would be happy to take them. And I believe that afterwards is also room in a Q&A room. And if you want to debate it more, I would really, really love to do so. So I don't know if there are any questions. Yeah. Okay, I get the question, like we have conservators in Canada and things in America. And now you have this whole story about police watching websites and what happened. I think what happened, and this is pure speculation, but I think what happened is that the Dutch government and other governments were very much behind on technology. And we've got a, when I sometimes write an article and you know you've got a politician inside, like, hey, what do you think of it? Oh, that's outrageous. I need to ask questions in parliament. And then the politicians go, like, yes, something needs to be done about it right now. And then something happens. I guess that's part of it, like, oh, it's only websites, it's not language you should take it down. And we're trying to find a way how to deal with that. I think we're going through a very important place at this moment, so that's one. And the other thing what happened is I think there's a hunger for control. Controlling what you cannot control. You had a question? Yes. There's a big difference between America and Europe. Absolutely true. The thing is in Europe, the data that you store, and it's like my name and my date of birth, is my data. If I go into a store and there hangs a camera by legal right, I can ask them, send me the images of me. Nobody does it, but you can. In the US, it's like, if you store a database with my data, it's your database. Thank God you've got an agency like the FTC that cracks down on it when something goes really wrong. But you know, if it goes wrong like in the smaller, like only a couple of hundred people, you're screwed. You know, your fingerprint is not being regarded as privacy sensitive information. With your fingerprint and a registration in the Netherlands, I can spend your money because they only verify it on the fingerprint. So I don't know if you like what you eat, if you eat kosher or halal, if that is something that would be privacy sensitive. But by nature, it is because it says a lot about your religion. Potentially says a lot about your religion, of course. Yes, yes. He's saying, oh, yes. He's pointing out the structural issue that is there that I said like Germany and Japan, stopping a lot of the privacy erosion going on. And he's pointing out that they are mainly based on the US Bill of Rights, which is absolutely true. I've seen people here that say that there has been an erosion in the US as well. Actually, I had a friend who put the Constitution on eBay, apparently, because the Americans are not needing it anymore. So, yeah. Yeah, well, he's a great guy, by the way, but the whole of him. Any other questions? I'm done early. Normally, they have to drag me down. Okay. Well, thank you very much for your attention. I really, really hope that you at least consider visiting the website, lurk on the mailing list at least, or maybe do a contribution. And not just for me, but I think for a lot of people that are unaware of the issue right now. Thank you.