Free speech, crypto, and Free Software

On Document Freedom Day (March 26), FSFE and the Greens/EFA group in the European Parliament are organising an event in the European Parliament to discuss how cryptography can help us break the grip of the surveillance state.

The draft program looks amazing. We’ll have Werner Koch (of GnuPG fame, and one of FSFE’s founders), Karen O’Donoghue (Internet Society), French journalist Amaelle Guitton, and Swedish IT security expert Joachim Strömbergson.

Free speech is a human right, and a cornerstone of any democratic society. To enable communication, it is important that documents can be opened and read by the people who are meant to receive them. In today’s world, it is equally important that we have the ability to ensure that documents are read /only/ by the people meant to receive them, to prevent a scenario where both censorship and self-censorship degrade the ability of citizens to speak freely to each other, develop new ideas, and drive the progress of our society.

If encryption tools are to be considered trustworthy, their workings must be fully transparent. The encryption programs themselves need to be Free Software, so that anyone can independently assess how they work, and verify that they do not contain any defects or back doors.

The encryption methods are perhaps even more crucial. Encryption can only work with Open Standards. Cryptography as a field is developing rapidly, and the topic has long been far too complex for any single person to comprehend it fully. The best way of dealing with this complexity is to standardise cryptographic methods.

Such standards need to be created in a process that is open to public participation and assessment; collaborative; and fully transparent. In other fields of technology, closed, proprietary methods are merely an inefficient approach. In cryptography, such methods mean that the tools relying on them cannot be audited, and are therefore considered untrustworthy. In addition, the lack of independent review of the methods used frequently leads to poor-quality programs and systems.

Open Standards in the field of encryption, on the other hand, mean that cryptographic tools can rely on widely accepted methods which have been extensively reviewed, criticised, and validated by experts in the field. If those encryption tools are distributed as Free Software, the tools themselves can be efficiently audited. This is not only essential to ensuring that the tools do not contain any critical mistakes or back doors. It also opens those tools up to an ongoing process of improvement.

Registration for the March 26 event will open soon.


#IloveFS: The humble downloader that could

There are lots of reasons to love Free Software. The stack of little games that comes pre-packaged with most GNU/Linux distributions. The way it makes you feel empowered rather than constrained. How it has taught an entire generation to see sharing knowledge as the normal thing to do, not as the exception.

And all those handy little tools it provides, right there at your fingertips. Like wget. This little program, part of the GNU project that aims to create a free operating system, downloads stuff. Nothing more, nothing less. Fire up a command line, type “wget” plus the URL of the file you want to download, and off you go. In its simplicity, you can compare wget (and its cousin curl) to a screwdriver. Regardless of what it is that you’re working on, you’ll want one around.

Information is power. wget’s specialty is to move information from one place to another with great efficiency and speed. Add the “-r” option to your command line, and wget will happily copy to your computer whatever files it can find on the target server.

Reports say [Warning: the article isn't very good] that it was this humdrum sysadmin tool that Edward Snowden used to collect a stash of internal NSA files documenting the agency’s aggressive, and frequently illegal, surveillance programs. And it was this tool that Chelsea Manning used to collect the documents she handed over to WikiLeaks, documenting illegal killings, torture, and much bumbling by the US government in Iraq and elsewhere.

Only last week, a French journalist was fined for downloading a batch of files that a French government agency had made available on its servers, without realising that they were accessible to the general public. Perhaps information really wants to be free, and wget opens the doors of its cages.

As we fight for our freedom, and against surveillance, censorship and oppression, simple tools like wget may be some of our best weapons.

Three things to do on The Day We Fight Back

Today is “the day we fight back” against mass surveillance, and here at FSFE we’re proud to be part of the struggle.

Mass surveillance is a huge problem. Governments are spying on you, endangering the very fabric of democracy. Corporations are asking you to deal away your privacy for a little convenience, with much the same effect.

Mass surveillance is also a hard problem to solve. Essentially, we are up against a very human fear of dangers hidden somewhere in the dark. We’re being told that surveillance will protect us.

Our task is to make everyone understand that surveillance not only fails at protecting us. It also makes everyone worse off in the long run. Difficult, but we have to start somewhere.

So here are three humble suggestions for small steps you can take to secure a democratic future for our societies:

  1. Make your web browsing more secure by installing the HTTPS Everywhere extension in your browser. This will make it much harder for potential snoopers to intercept your connection with the web sites you look at, and will help to protect any data you send there.
  2. Generate a GPG key, and start using it to encrypt your data – especially your email. (There’s help on the web.)
  3. Write to one or more of your political representatives. Explain that you are deeply concerned about mass surveillance, and ask them to help end the practice. Be polite, brief and clear.
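As an added illustration of step 2 (this is example code written for this page, not something from the original post or from the GnuPG project), the script below generates a throwaway GPG key in an isolated keyring, encrypts a file to it and decrypts it again. It assumes GnuPG 2.1 or later is installed as `gpg`; the user id and the message are constructed placeholders, and the empty passphrase is only there to keep the demonstration non-interactive.

```sh
#!/bin/sh
# Added example (not part of the original post): generate a GPG key in an
# isolated keyring, encrypt a file to it, and decrypt it again.
# Assumes GnuPG 2.1+ is installed as `gpg`; the user id below is a
# constructed placeholder.

gpg_roundtrip() {
    # Separate keyring so the demo never touches the user's real ~/.gnupg
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    uid='Demo User <demo@example.invalid>'   # constructed user id

    # Unattended key generation: default algorithm, default usage, no expiry.
    # The empty passphrase keeps the example non-interactive; a key you
    # actually use should be protected by a strong passphrase.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never >/dev/null 2>&1 || return 1

    printf 'the message to protect\n' > "$GNUPGHOME/plain.txt"

    # Encrypt to the key's address. --trust-model always skips the
    # web-of-trust prompt for a key we generated ourselves a moment ago.
    gpg --batch --quiet --trust-model always -r 'demo@example.invalid' \
        --output "$GNUPGHOME/plain.txt.gpg" --encrypt "$GNUPGHOME/plain.txt" || return 1

    # Decrypt and print the recovered plaintext on stdout
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$GNUPGHOME/plain.txt.gpg" 2>/dev/null
    rc=$?

    rm -rf "$GNUPGHOME"
    return $rc
}

# Run stand-alone: prints "the message to protect"
gpg_roundtrip
```

In daily use you would point `-r` at your correspondent's address after importing and verifying their public key, and your mail client would call gpg for you; the point of the round trip here is only to show that a key, an encrypted file and a decryption are all a few commands away.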

See, that wasn’t so hard. You have not only made yourself a little more secure, you have also helped others to improve their privacy, and have contributed to driving political change. Thank you!

Here’s a fourth thing you can do: Support FSFE by joining the Fellowship. FSFE is dedicated to working for freedom in the digital society. We need your help to carry this struggle forward in the years to come.

European Parliament calls for distributed systems

At the Free Software Foundation Europe, we have long advocated building networked systems that have no central point of control.

In a world where Facebook owns your social network, where Google follows almost everything you do on the web, and governments merrily intercept your private information without regard for legal niceties, this idea provides us with an alternative to the Orwellian dystopia we’re increasingly moving towards.

Many systems we use every day today – think email or the web – owe their success to the lack of a central point of control. They have come to be a foundation of our daily lives precisely because they have no “off” switch that anyone with an agenda can flick at will. Yet most of today’s large network services treat their users as products to be sold, not as customers to be served.

In this context, any sign of progress is encouraging, however small. On December 10, 2013, the European Parliament passed a resolution that, among other things, highlights the need for decentralised services with strong privacy protections:

The European Parliament [...] 49. Calls on the Commission to promote the development, jointly with stakeholders, of decentralised services based on free and open-source software that would help harmonise practices across cloud providers and enable EU citizens to regain control over their personal data and communication, for example by means of point-to-point encryption; [...]

Sure, this isn’t world-changing in and of itself. (And here at FSFE we would word such a text a bit differently.) But it’s something that campaigners like you and me can point out to the people we talk to when we try and persuade them to join our vision of a distributed future.

Transparency in EU policy making: a modest proposal

Today I participated in a lunch discussion run by EurActiv that was supposed “to explore the opportunities for more transparent and efficient EU

Under discussion was an EU-funded project that would somehow rank people trying to influence policy making in Brussels, and make it easier to see who’s working on what. This would supposedly make the whole policy making process in the EU more open and efficient.

Fair enough. But while we were looking at the slides and nibbling sandwiches, it occurred to me that there’s a much, much simpler way to achieve the same goal. It’s called transparency.


UK to pick ODF as default document format

On Tuesday, the UK government published a proposal to make the Open Document Format the standard format for all government files. As The Register notes,

The Cabinet Office’s Standards Hub explained its thinking on the matter and published the recommendation this week, using the following language:

“When dealing with citizens, information should be digital by default and therefore should be published online. Browser-based editing is the preferred option for collaborating on published government information. HTML (4.01 or higher e.g. HTML5) is therefore the default format for browser-based editable text. Other document formats specified in this proposal – ODF 1.1 (or higher e.g. ODF 1.2), plain text (TXT) or comma separated values (CSV) – should be provided in addition. ODF includes filename extensions such as .odt for text, .ods for spreadsheets and .odp for presentations.”

The proposal is open for public comment until February 26. FSFE will submit a statement, and so should you.

What I like best about this announcement is that it’s not just a bureaucratic decision made by someone, somewhere, without regard to practical realities. This is actually based on a lot of research that the UK’s Government Digital Services (GDS) has done with the very people who will be affected by this decision.

A blog post by the leader of that research exercise gives some impression of the lengths that GDS has gone to to make sure their recommendations are relevant and practical:

As part of our parallel discovery project we have:

- analysed feedback on using government documents that we received through GOV.UK customer support and transformation projects

- interviewed people in government to understand what they use electronic documents for, how they work, and who they share with

- carried out a survey of 650 citizens and businesses, to ask them about their experience when using documents produced by the government

The UK government has a record of going two steps forward, one step back on Free Software and Open Standards. This here is definitely a step or two forward. It’s also the right way to go about such complex decisions. The European Commission and other public administrations around Europe should take note.

European Commission still in denial on vendor lock-in

If you’re suspecting that the European Commission isn’t entirely serious about using and supporting the Open Document Format, you might be on to something. Responding to questions from the European Parliament about whether the EC’s Microsoft addiction might have led it into being locked into the Redmond giant’s products, the Commission basically says “move on, nothing to see here.”

Read on for the gory details.


European Parliament: MEPs, staffers have their emails cracked, should demand change

The French website Mediapart reports that at the European Parliament in Strasbourg, a technically skilled person managed to intercept the email of 14 Members of the European Parliament and their staffers using trivial tools. (Original article behind paywall, English version, report by Der Spiegel in German.)

[Update: I've changed "hacked" to "crack" in the title. As you'll be aware, "hack" refers to a clever solution to a problem, while "crack" refers to a malicious attack.]

Based on the information in the article, it appears that the attacker set up a basic man-in-the-middle attack, using a laptop to act as a network connection point for the email client software on the victims’ mobile phones. In this scenario, the victims’ phones probably displayed a certificate warning, which they ignored.

This incident highlights just how shoddy the Parliament’s IT infrastructure is. It’s up to the Parliament’s IT administration to fix this, and it’s up to the MEPs to demand change. Der Spiegel says that MEPs who wanted to use encryption were actually kept from doing so by the Parliament’s IT services. If true, that would be rather discouraging, to put it mildly.

Educating people not to ignore certificate warnings might help. But it’s hardly a solution. To actually improve the situation, MEPs should demand that the Parliament’s IT services give them reliable, secure end-to-end encryption on their devices.

It goes without saying that in order to be secure, such encryption technology needs to be fully auditable, and thus needs to be Free Software. The Parliament’s IT services should take a look at GnuPG and the clients that use it, for a start.
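To make concrete what the certificate warning mentioned above is actually telling a user, here is an added example (written for this page, not taken from the post, from Mediapart or from any Parliament system): it builds a throwaway CA and a mail-server certificate signed by it, then runs the same chain check a mail client performs, once against the CA that really issued the certificate and once against an unrelated CA, which is the position a client is in when the certificate it is shown was not issued by anyone it trusts. It assumes OpenSSL 1.1.0 or later is installed as `openssl`; every name and file is a constructed placeholder.

```sh
#!/bin/sh
# Added example (not from the original post): what a certificate warning means.
# Build a throwaway CA and a server certificate signed by it, then verify the
# server certificate against the right CA and against an unrelated one.
# Assumes OpenSSL 1.1.0+; all names below are constructed placeholders.

# Creates the test PKI in a temporary directory and prints that directory's path.
setup_pki() {
    workdir=$(mktemp -d) || return 1
    cd "$workdir" || return 1

    # The legitimate issuer of the mail server's certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Mail CA' \
        -keyout ca.key -out ca.crt >/dev/null 2>&1 || return 1

    # Key and certificate for the (constructed) mail host, signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj '/CN=mail.example.invalid' \
        -keyout srv.key -out srv.csr >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out srv.crt >/dev/null 2>&1 || return 1

    # A second, unrelated CA: a client that only trusts this one has never
    # heard of the server certificate's real issuer
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Unrelated CA' \
        -keyout other.key -out other.crt >/dev/null 2>&1 || return 1

    printf '%s\n' "$workdir"
}

# Usage: check_chain TRUSTED_CA_FILE SERVER_CERT
# Prints "trusted" when SERVER_CERT chains to the given CA and "warning"
# otherwise. This is the decision a client makes before it sends credentials;
# clicking through the warning means sending them to whoever holds the key.
# Only the named CA file is consulted, never the system trust store.
check_chain() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
        printf 'trusted\n'
    else
        printf 'warning\n'
    fi
}

# Run stand-alone: prints "trusted" then "warning"
pki=$(setup_pki) && {
    check_chain "$pki/ca.crt" "$pki/srv.crt"
    check_chain "$pki/other.crt" "$pki/srv.crt"
    rm -rf "$pki"
}
```

The second call is the interesting one: the certificate is well-formed and unexpired, yet verification fails because nobody the client trusts vouches for it. That is all a phone's warning dialog is saying, and it is exactly the case a client must refuse to proceed on.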

Address lookup in Mutt with mu

Mutt is a great little email client. I’ve been using it on a daily basis since ca. 2007, and have never looked back.

Somehow every time I talk about Mutt with someone who doesn’t know the program, we end up discussing the things it doesn’t do. Many things that people expect from an “email program”, Mutt simply leaves to external programs of the user’s choice. Which happens to be how I like it. This leaves Mutt to concentrate on what really counts: Processing large amounts of email quickly, effectively and with a minimum of pain.

One of the many things Mutt doesn’t do is looking up addresses of your contacts. You can have an external program do that via the query_command variable. The default keybinding for the query command in Mutt is “Q”.

I have just started to use the mu mail indexer (as part of a project to better integrate Mutt with org-mode, of which more some other time.) It has a great little command called “mu cfind”, which returns contacts matching a string. Getting Mutt to use this is really easy. Just put this in your .muttrc:

# looking up addresses with mu cfind
set query_command="mu cfind '%s'"

UPDATE: This sometimes causes problems (see the comments). The version below works:

# looking up addresses with mu cfind
set query_command="mu cfind --format=mutt-ab '%s'"

Reload the config (or just restart Mutt), and you’re done. Now you can press Q to search for addresses.

Renault will remotely lock down electric cars

For a long time, cars were a symbol of freedom and independence. No longer. In its Zoe electric car, car maker Renault apparently has the ability to remotely prevent the battery from charging. And that’s more chilling than it sounds.

When you buy a Renault Zoe, the battery isn’t included. Instead, you sign a rental contract for the battery with the car maker. In a Zoe owner’s forum, user Franko30 reports that the contract contains a clause giving Renault the right to prevent your battery from charging at the end of the rental period. According to an article in Der Spiegel, the company may also do this when you fall behind on paying the rent for the battery.

This means that Renault has some way of remotely controlling the battery charging process. According to the Spiegel article, the Zoe (like most or all other electric cars) collects reams of data on how you use it, and sends this data off to the manufacturer without your knowledge. This data tells the company where you are going, when, and how fast, where you charge the battery, and many other things besides. We already knew that Tesla was doing this with its cars since the company’s very public spat with a journalist who reviewed one of their cars for the New York Times. Seeing the same thing in a mass market manufacturer like Renault makes clear just how dangerous this trend is.

This sort of thing fits well into the dystopian picture which Cory Doctorow paints in his 2011 talk “The coming war on General Computation” (which you really must watch, if you haven’t already), where he argues that “we don’t have cars anymore, we have computers we ride in”. The question then becomes who is in control of this computer: You, the manufacturer, or someone else?

If there is a mechanism to remotely control what your car does, some will make use of this mechanism at some point. This could be the manufacturer, shutting down your car as you fall behind on the battery rent because you just lost your job, meaning that it becomes harder for you to find work. It could be the government, compelling the manufacturer to do its bidding. In his forum post, Franko30 predicts that at some point, governments may simply ask car manufacturers to block charging near controversial political events (e.g. a G8 summit), in order to prevent you from participating in demonstrations. Or it could be any random criminal out there, gaining access to this mechanism by bribing a Renault employee.

The only way out of this is to stay away from cars and other computers that you can’t fully control; and to build systems that put users in charge. At the Free Software Foundation Europe, we are empowering and supporting people who build systems where you, the user, are in control. Please help us with a donation.