TTIP & CETA: a few reasons for free software advocates to get angry

In the last months of my internship at FSFE, I started following debates around TTIP (the Transatlantic Trade and Investment Partnership). TTIP is a huge “deep and comprehensive” free trade agreement between the US and the European Union, which started to be negotiated in July 2013. Well prepared by the great ACTA scandal of 2012 and by the November 2013 leak of the Trans Pacific Partnership (TPP)’s Intellectual Property chapter (thanks Wikileaks), we immediately looked for the impact of TTIP on software patents, copyright enforcement and DRM (digital rights management) circumvention. After a few months working full time on the topic, I now believe that the problem is much deeper that any of these specific issues.

Policy Laundering: democracy isn’t competitive

This week Tyler Snell wrote an outstanding article about the “deep and comprehensive” trade agreements. He develops the useful concept of policy laundering. Here is what he says:

A growing pernicious trend that is greatly affecting digital policy around the world is called “policy laundering” – the use of secretive international trade agreements to pressure countries to commit to restrictive or overly broad laws that would not ordinarily pass a transparent, democratic process.

Not only is the behind-closed-doors procedure questionable, many of the representatives negotiating such agreements are not elected representatives but rather trade appointees and powerful multinational corporate lobbyists. Policy laundering deprives each jurisdiction, and most important their citizens, the chance to engage in a legitimate legislative debate.

Provisions which failed to pass democratic elected parliaments, brought back to life through international treaties, it sounds much too familiar. A few reasons why the trick does work:

  • The agreements are negotiated for years, in secret.

1) Access to a limited number of negotiating documents is only granted to the few MPs member of trade committees (INTA in the case of the European Parliament). This access is made via “secure reading rooms”. They can take no notes, bring no devices. They cannot come with staff members specialized in Trade Policy.  Seeing the complexity of trade deals’ texts (often over 1000 pages of legalese) and the fact that the devil is always in the details, they are highlight unlikely to manage anything useful with this kind of “access”.

2) Even if they do spot something harmful in the negotiating text, no elected representative sits at the negotiating table. They have very little leverage to influence the negotiating process whatsoever.

3) Secrecy around the negotiations make campaigns very difficult. Activists are often forced to fight without knowing what they fight, until it is too late (building a campaign takes time). They are either restraining themselves in order to not say anything untrue, or basing their work on guesses. It is then easy for the deal’s promoters to dismiss the critics as “lies” or “misleading“. Reversing the burden of the proof this way is highly undemocratic in itself.

Fortunately, there are still great people working in the institutions. Documents are leaked surprisingly often, enabling us to criticize secrecy AND to know what we are talking about when discussing the content. Thank you sources.

 

  •  The ratification process is hardly democratic

After years of negotiation, the deals finally arrive in front of parliaments for ratification. MPs are then supposed to say a simple “yes” or “no” to a thousand pages of text, likely to include good and terrible things. In case of bad wording, loopholes, blurry definitions, harmful provisions, MPs cannot amend but have to reject the whole agreement. The pressure to ratify, after “so much effort put into the negotiating process”, is enormous and trade deals are therefore usually overwhelmingly ratified.

Fortunately, sometimes things do not go as planned, like in the ACTA case.

 

  •  The deals can be put in application before complete ratification

In Europe, trade and investment are EU competences. However, “deep and comprehensive agreements” deal with more, including sectors that are still competences of the Member States. After ratification by the European Parliament, such deals must therefore also be ratified by national parliaments. Because democratic processes take too long, they can enter into force provisionally, which means before ratification – the vote of elected representatives. The provisional entry into force exerts pressure on national parliaments to vote in favor of the agreement. When ratification might be difficult, or event rejected in a country or region (for federal states), the ratification is not put on the Parliaments agenda and the provisional implementation stays in force.

Worst, states who did not ratified a trade or investment agreement, but have it in force because of the provisional application can be attacked via dispute settlement mechanisms included in the deals.

Another great article recently analyzed the $50.02 billion (yes, yes) Yukos ISDS case (Investor-State Dispute Settlement) under the Energy Charter Treaty. Independently from the rest of the story, the author notes that:

[it] needs to be emphasized here that Russia only accepted the provisional application of the Energy Charter Treaty (pending ratification) in 1994 meaning that the country will only apply the Treaty “to the extent that such provisional application is not inconsistent with its constitution, law or regulations.” Same was the approach adopted by Belarus, Iceland, Norway and Australia.

Russia never ratified the ECT and announced its decision to not become a Contracting Party to it on August 20, 2009. As per the procedures laid down in the Treaty, Russia officially withdrew from the ECT with effect from October 19, 2009.

Nevertheless, Russia is bound by its commitments under the ECT till October 19, 2029 because of Article 45 (3) (b) which states that “In the event that a signatory terminates provisional application…any Investments made in its Area during such provisional application by Investors of other signatories shall nevertheless remain in effect with respect to those Investments for twenty years following the effective date of termination.”

I strongly encourage you to read the whole analysis. What it means is that a government can sign any treaty, with far reaching consequences for its population, economy, environment and ability to legislate, and the state can face the all the consequences of the agreement without ever having asked the parliaments’ approval.

 

Why does it all mean for free software

Free software is important, but it is only one of many crucial policy issues. Trade deals like TTIP or CETA can have an impact on free software – and I will describe concretely how in a next post -,  like on everything else you care about, be it pesticides control, financial regulation or animal welfare.

More importantly, they modify policy making as a whole, making it less transparent, less democratic and harder to reform for the best.

However, ff enough pressure is put on members of the European Parliament, 2014 might see the second strong rejection of a dangerous secret deal, after ACTA. CETA ( Comprehensive Economic and Trade Agreement), the EU-Canada deep and comprehensive free trade agreement, was concluded last week. It will be initiated in September and its ratification process in the European Parliament will start this Autumn. A good moment to send a strong message to the European Commission and to our governments: policy laundering is not a legitimate way to legislate, and should never be.

14 MEPs emails intercepted by a hacker, thanks to Microsoft’s tech and lack of education

The French news paper Mediapart published a long article today, explaining how a hacker got access to private and professional communications of 14 MEPs using basic tech and a flaw in Microsoft Active Sync. Targeted people accepted a rogue certificate, enabling a man-in-the-middle attack.

A few comments:

  • the attack was partly caused by the Parliament’s technology, (it is relying on proprietary technology, denying people the possibility to use encryption they trust) but also on the lack of understanding of how technology works.
  • IT should be empowering. Betters (Free) tools are good, but a great deal of education is needed too…

The whole operation aimed at stressing the lack of awareness about IT security before the European elections, and making it an issue.

Mediapart quotes him:
“On one side we have citizens who know almost nothing of what is happening behind the scene in those institutions, links between political and economical powers.. on the other side, almost omniscient intelligence services can, thanks to their spying, decide the future of a political figure or influence decisions.”

The hacker said “I have the impression to see puppets, I wanted to shake them, to raise awareness.”

A big part of the article deals with security flaws in Microsoft’s products, unfair tenders in Europe and aggressive lobbying. The last section is about Free Software, with quotes from the two French associations promoting it: April and Aful.

The article finished with quotes from the very pro-Free Software French MP Isabelle Attard, stressing the absolute lack of understanding and interest of MPs for digital issues altogether.

I hope this great article will make it into international press

–> mediapart is an investigation online newspaper. Articles are not accessible without subscription. If you are interested by the full text, it seems that I can “offer” you the article thanks to my subscription, please ask.

Cryptoparty for journalists

Yesterday night a dozen international journalists (Spain, Finland, Japan, Germany, Poland) gathered at IN-Berlin, thanks to Hauke and Malte. After almost two hours of interview, we introduced them to email encryption with Free Software.

The interview part was extremely enjoyable. Unlike during our usual cryptoparties, we didn’t give any formal talk at the beginning but answered all their questions. The discussion went from Snowden leaks to computer security, Free Software, global surveillance, social media to basic ITC technical and political concepts (software, service, open standard, vendor lock-in, network effect..).

There was as many woman than men in the journalist group as well as in the “teachers” group: impressive ratio in the Free Software world. In general, the Berlin cryptoparty team is getting better, more united and grows each time we work together; and that is inspiring.

Ten Steps You Can Take Right Now Against Internet Surveillance

The EFF issued a quick overview of actions we can take against the NSA spying. It doesn’t mention Free Software but I love the last piece of advice:

Be an ally. If you understand and care enough to have read this far, we need your help. To really challenge the surveillance state, you need to teach others what you’ve learned, and explain to them why it’s important. Install OTR, Tor and other software for worried colleagues, and teach your friends how to use them. Explain to them the impact of the NSA revelations. Ask them to sign up to Stop Watching Us and other campaigns against bulk spying. Run a Tor node, or hold a cryptoparty. They need to stop watching us; and we need to start making it much harder for them to get away with it.

Teach each other. Gain control over your computing through understanding. Teach people around you how to do the same. Knowledge is power! Knowledge is empowering!

For French speakers, read the digital self defense guide, and share it with your friends and grandma. It explains in two hours what I have been trying to understand for two years.

If you think that you are not facing targeted surveillance, it’s the right time to learn how to use crypto and a Free Software operating system! You will screw up, make mistakes and learn from it: better do it when your life isn’t at stake!

I’m for example trying to work at home using Tails (The amnesic incognito system) and OpenBSD as much as possible. I struggle, read a lot of documentation, talk about it and have my friends have a look at what I’m doing. And I’m always wondering about a lot of things. Is that safe? Is this dangerous? I don’t understand the subtle way Tor works! How can I configure my email without disclosing anything? How should I manage the persistence? My passwords!? Security of my keys!? I keep discovering good practices and new tools.

Having to learn all that urgently, under pressure would just have made my mind blow – I probably wouldn’t have been able to cope and give up the activism I would have felt threatened for. Good luck to those in that situation… you have my full moral support…

In short, nothing to hide, everything to learn!

By the way, the next cryptoparty we’ll run in Berlin will be on Nov 8.
Join, teach, learn, share.

Privacy and freedom of speech require Free Software

For a few weeks I have been working on a 3 fold leaflet about privacy and Free Software. The text and basic layout are pretty much done.

The main point of the leaflet is that in the internet age, Free Software is a necessary condition for us to have some basic rights (privacy and freedom of speech..) because of the collective control is grants to users. It also clearly states that Free Software is not sufficient.

The leaflet targets a non technical audience, people who already care about privacy but don’t get the link between it and technological choices.

I need you!
No matter how much I want this leaflet to be ready for print and distribution soon, I am facing my own limits: I don’t have the skills, time and knowledge to create attractive and meaningful graphics for the leaflet, nor to do the general design work.

You’re a designer, illustrator or graphic artist, care about privacy and want to contribute? Welcome! Join! Please use the Contact form on the right side of this page. I’ll send you the drafts and we can improve it.

If you don’t have anything to do with design but still care about privacy and Free Software, please contact me too. Several brains are worth much more than a single one.

Schneier on Risk

Bruce Schneier, security expert and EFF board member, wrote an article about our rejection of risk and the consequences it has on basic liberties. Interesting new piece of input about the link between freedom and security.

I graduated from a Masters called Risk, Science, Environment and Health and therefore love the link he makes between risk apprehension and freedom. Natural risks and risks coming from humans are different.

 

We’re afraid of risk. It’s a normal part of life, but we’re increasingly unwilling to accept it at any level. So we turn to technology to protect us. The problem is that technological security measures aren’t free. They cost money, of course, but they cost other things as well. They often don’t provide the security they advertise, and — paradoxically — they often increase risk somewhere else. This problem is particularly stark when the risk involves another person: crime, terrorism, and so on. While technology has made us much safer against natural risks like accidents and disease, it works less well against man-made risks.

[…]

We need to relearn how to recognize the trade-offs that come from risk management, especially risk from our fellow human beings. We need to relearn how to accept risk, and even embrace it, as essential to human progress and our free society. The more we expect technology to protect us from people in the same way it protects us from nature, the more we will sacrifice the very values of our society in futile attempts to achieve this security.

 

Big Data, dear new Monster

“Everyone is guilty of something or has something to conceal. All one has to do is look hard enough to find what it is.” Solzhenitsyn

As highlighted once more by the recent Verizon and PRISM scandals, mass surveillance is a reality. The increasingly centralised architecture of the internet makes spying easy: having access to ten companies’ servers means having access to the private lives of billions of people. This scandal has helped bringing surveillance into the public eye: but realisation is only the first step towards change. Today, a week after the Guardian’s article, the French press is still full of related coverage! People may be interested in this topic, after all!


Surveillance, a political question

I have (used to have?) the bad habit of blaming “technological progress” for the nightmarish surveillance it enables. Powerful entities’ ability to process huge amount of data makes possible a constant and reflexive monitoring of our behaviour.
Trying to be constructive, I will for now stick to the “there is no bad technology, only bad uses of technology” motto. And the best way to fight harmful uses of technology is political activism.

A global movement of citizens is the only way to have privacy established as a new pillar of our political systems -demanding it to be considered as one of the basic civil liberties that have to be protected.

Those who are joining the fight now will be happy to learn that the technical and ideological basis of this movement exist! For the last 30 years the hacker community has been building tools, systems and ideas with freedom, empowerment and privacy at their core.

Choose inherently privacy-protecting communication systems
eMail, instant messaging, social networks or phone calls carry a tremendous amount of information about us, as content or metadata. Aggregated, all the small pieces of information collected give impressively precise pictures of who we are, what and who do we like, dislike, have interest in, what is our normal behaviour and so on. With time passing the daily formation of our thoughts, ideas, opinions and personality can be studied -and used. The government doesn’t care about your diet or favourite pizza. Patterns are what tells a lot, we are facing profiling at a scale yet unknown. Knowledge is power. Why are we, as societies, giving so much power to those who are already in powerful positions, corporations or governments?

As was indicated, what the intelligence community is doing is, looking at those numbers, and durations of calls. They are not looking at people’s names and they’re not looking at content. But, by sifting through this so-called metadata they may identify potential leads with respect to folks who might engage in terrorism.

President Obama, June 7 2013
Bouh

The technology underlying the services we use can provide strong protection for users if it is based on a few principles: a decentralised architecture, the possibility to use encryption, Open Standards, implementation in Free Software


Some concrete ideas

Use end-to-end encryption for your email:
GNUPG offers email protection based on public and private keys. For it to work, both sender and recipient must use it, its strength relies on peer to peer dynamics and everyone’s involvement. For beginners, Enigmail, a Thunderbird add-on, is fairly easy to use. If I was able to install and use it, anyone can do it!

Until recently, if the government wanted to violate the privacy of ordinary citizens, they had to expend a certain amount of expense and labor to intercept and steam open and read paper mail. Or they had to listen to and possibly transcribe spoken telephone conversation, at least before automatic voice recognition technology became available. This kind of labor-intensive monitoring was not practical on a large scale. It was only done in important cases when it seemed worthwhile. This is like catching one fish at a time, with a hook and line. Today, email can be routinely and automatically scanned for interesting keywords, on a vast scale, without detection. This is like driftnet fishing. And exponential growth in computer power is making the same thing possible with voice traffic.

Philip Zimmermann, Why I Wrote PGP

What if everyone believed that law-abiding citizens should use postcards for their mail? If a nonconformist tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he’s hiding. Fortunately, we don’t live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. There’s safety in numbers. Analogously, it would be nice if everyone routinely used encryption for all their email, innocent or not, so that no one drew suspicion by asserting their email privacy with encryption. Think of it as a form of solidarity.

Philip Zimmermann, Why I Wrote PGP

Encrypt your instant messaging:
XMPP is a widely used encryption-friendly Open Standard enabling people to create decentralised networks which are hard to track and control. Used with a Free Software client it allows you to chat in freedom. It can be combined with optional encryption add-ons like ‘Off The Record’ for Pidgin. Encrypted Voice OverIP services also exist but I don’t know much about it.
With Google discontinuing Google Talk (using XMPP), my buddy list will soon be 100% geeky. Friends, join us! Here you can find a simple How To.

Use a pro-privacy social network:
there are pro-privacy, decentralised social networks which let users decide where their data is stored, when it is deleted and what is shared with whom. As they are networks, each new person joining it makes it more attractive for others. Top of the list of privacy protecting social networks is Diaspora* – a Free Software, decentralised web application which has no central data store.
I tried to use it when I left Facebook, but quickly lost interest in the whole social network thing. Now may be the right time to have a look at it again…

Use Free Software and Open Standards:
Free Software and Open Standards put users and programmers in control. Without the four freedoms of Free Software (use, study, share, improve) the tools mentioned above could not have been created.
Even if you don’t program, using Free Software and Open Standard protect you and protect the technology and the ideas behind it. The more users the more solid in the long-run Free ICT systems will be.


The urge of advocacy

Empowering technologies become as powerful as their user and developer base is broad. Raising awareness about the need for privacy and about existing freedom-protecting technologies are two sides of the same struggle.

Here are some links which I find extremely useful to advocate digital freedom:

Join or support one of the many organisations or projects fighting against surveillance. Some are building technical tools, some are influencing legislations other are raising awareness about the importance of privacy and digital freedoms… Join the momentum!

Prism

[Another metaphor better captures the problems: Franz Kafka’s The Trial. Kafka’s novel centers around a man who is arrested but not informed why. He desperately tries to find out what triggered his arrest and what’s in store for him. He finds out that a mysterious court system has a dossier on him and is investigating him, but he’s unable to learn much more. The Trial depicts a bureaucracy with inscrutable purposes that uses people’s information to make important decisions about them, yet denies the people the ability to participate in how their information is used.

The problems portrayed by the Kafkaesque metaphor are of a different sort than the problems caused by surveillance. They often do not result in inhibition. Instead they are problems of information processing—the storage, use, or analysis of data—rather than of information collection. They affect the power relationships between people and the institutions of the modern state. They not only frustrate the individual by creating a sense of helplessness and powerlessness, but also affect social structure by altering the kind of relationships people have with the institutions that make important decisions about their lives.

Legal and policy solutions focus too much on the problems under the Orwellian metaphor—those of surveillance—and aren’t adequately addressing the Kafkaesque problems—those of information processing. The difficulty is that commentators are trying to conceive of the problems caused by databases in terms of surveillance when, in fact, those problems are different.

Commentators often attempt to refute the nothing-to-hide argument by pointing to things people want to hide. But the problem with the nothing-to-hide argument is the underlying assumption that privacy is about hiding bad things. By accepting this assumption, we concede far too much ground and invite an unproductive discussion about information that people would very likely want to hide. As the computer-security specialist Schneier aptly notes, the nothing-to-hide argument stems from a faulty “premise that privacy is about hiding a wrong.” Surveillance, for example, can inhibit such lawful activities as free speech, free association, and other First Amendment rights essential for democracy.

The deeper problem with the nothing-to-hide argument is that it myopically views privacy as a form of secrecy. In contrast, understanding privacy as a plurality of related issues demonstrates that the disclosure of bad things is just one among many difficulties caused by government security measures. To return to my discussion of literary metaphors, the problems are not just Orwellian but Kafkaesque. Government information-gathering programs are problematic even if no information that people want to hide is uncovered. In The Trial, the problem is not inhibited behavior but rather a suffocating powerlessness and vulnerability created by the court system’s use of personal data and its denial to the protagonist of any knowledge of or participation in the process. The harms are bureaucratic ones—indifference, error, abuse, frustration, and lack of transparency and accountability.

One such harm, for example, which I call aggregation, emerges from the fusion of small bits of seemingly innocuous data. When combined, the information becomes much more telling. By joining pieces of information we might not take pains to guard, the government can glean information about us that we might indeed wish to conceal. For example, suppose you bought a book about cancer. This purchase isn’t very revealing on its own, for it indicates just an interest in the disease. Suppose you bought a wig. The purchase of a wig, by itself, could be for a number of reasons. But combine those two pieces of information, and now the inference can be made that you have cancer and are undergoing chemotherapy. That might be a fact you wouldn’t mind sharing, but you’d certainly want to have the choice.
[…]
A related problem involves secondary use. Secondary use is the exploitation of data obtained for one purpose for an unrelated purpose without the subject’s consent. How long will personal data be stored? How will the information be used? What could it be used for in the future? The potential uses of any piece of personal information are vast. Without limits on or accountability for how that information is used, it is hard for people to assess the dangers of the data’s being in the government’s control.]

Why Privacy Matters Even if You Have ‘Nothing to Hide’
By Daniel J. Solove