The French news paper Mediapart published a long article today, explaining how a hacker got access to private and professional communications of 14 MEPs using basic tech and a flaw in Microsoft Active Sync. Targeted people accepted a rogue certificate, enabling a man-in-the-middle attack.

A few comments:

• the attack was partly caused by the Parliament’s technology, (it is relying on proprietary technology, denying people the possibility to use encryption they trust) but also on the lack of understanding of how technology works.
• IT should be empowering. Betters (Free) tools are good, but a great deal of education is needed too…

The whole operation aimed at stressing the lack of awareness about IT security before the European elections, and making it an issue.

Mediapart quotes him:
“On one side we have citizens who know almost nothing of what is happening behind the scene in those institutions, links between political and economical powers.. on the other side, almost omniscient intelligence services can, thanks to their spying, decide the future of a political figure or influence decisions.”

The hacker said “I have the impression to see puppets, I wanted to shake them, to raise awareness.”

A big part of the article deals with security flaws in Microsoft’s products, unfair tenders in Europe and aggressive lobbying. The last section is about Free Software, with quotes from the two French associations promoting it: April and Aful.

The article finished with quotes from the very pro-Free Software French MP Isabelle Attard, stressing the absolute lack of understanding and interest of MPs for digital issues altogether.

I hope this great article will make it into international press

–> mediapart is an investigation online newspaper. Articles are not accessible without subscription. If you are interested by the full text, it seems that I can “offer” you the article thanks to my subscription, please ask.

The EFF issued a quick overview of actions we can take against the NSA spying. It doesn’t mention Free Software but I love the last piece of advice:

Be an ally. If you understand and care enough to have read this far, we need your help. To really challenge the surveillance state, you need to teach others what you’ve learned, and explain to them why it’s important. Install OTR, Tor and other software for worried colleagues, and teach your friends how to use them. Explain to them the impact of the NSA revelations. Ask them to sign up to Stop Watching Us and other campaigns against bulk spying. Run a Tor node, or hold a cryptoparty. They need to stop watching us; and we need to start making it much harder for them to get away with it.

Teach each other. Gain control over your computing through understanding. Teach people around you how to do the same. Knowledge is power! Knowledge is empowering!

For French speakers, read the digital self defense guide, and share it with your friends and grandma. It explains in two hours what I have been trying to understand for two years.

If you think that you are not facing targeted surveillance, it’s the right time to learn how to use crypto and a Free Software operating system! You will screw up, make mistakes and learn from it: better do it when your life isn’t at stake!

I’m for example trying to work at home using Tails (The amnesic incognito system) and OpenBSD as much as possible. I struggle, read a lot of documentation, talk about it and have my friends have a look at what I’m doing. And I’m always wondering about a lot of things. Is that safe? Is this dangerous? I don’t understand the subtle way Tor works! How can I configure my email without disclosing anything? How should I manage the persistence? My passwords!? Security of my keys!? I keep discovering good practices and new tools.

Having to learn all that urgently, under pressure would just have made my mind blow – I probably wouldn’t have been able to cope and give up the activism I would have felt threatened for. Good luck to those in that situation… you have my full moral support…

In short, nothing to hide, everything to learn!

By the way, the next cryptoparty we’ll run in Berlin will be on Nov 8.
Join, teach, learn, share.

Petitions are far from being my favourite mean of action but..

here is an interesting one

“Everyone is guilty of something or has something to conceal. All one has to do is look hard enough to find what it is.” Solzhenitsyn

As highlighted once more by the recent Verizon and PRISM scandals, mass surveillance is a reality. The increasingly centralised architecture of the internet makes spying easy: having access to ten companies’ servers means having access to the private lives of billions of people. This scandal has helped bringing surveillance into the public eye: but realisation is only the first step towards change. Today, a week after the Guardian’s article, the French press is still full of related coverage! People may be interested in this topic, after all!

Surveillance, a political question
I have (used to have?) the bad habit of blaming “technological progress” for the nightmarish surveillance it enables. Powerful entities’ ability to process huge amount of data makes possible a constant and reflexive monitoring of our behaviour.
Trying to be constructive, I will for now stick to the “there is no bad technology, only bad uses of technology” motto. And the best way to fight harmful uses of technology is political activism.

A global movement of citizens is the only way to have privacy established as a new pillar of our political systems -demanding it to be considered as one of the basic civil liberties that have to be protected.

Those who are joining the fight now will be happy to learn that the technical and ideological basis of this movement exist! For the last 30 years the hacker community has been building tools, systems and ideas with freedom, empowerment and privacy at their core.

Choose inherently privacy-protecting communication systems
eMail, instant messaging, social networks or phone calls carry a tremendous amount of information about us, as content or metadata. Aggregated, all the small pieces of information collected give impressively precise pictures of who we are, what and who do we like, dislike, have interest in, what is our normal behaviour and so on. With time passing the daily formation of our thoughts, ideas, opinions and personality can be studied -and used. The government doesn’t care about your diet or favourite pizza. Patterns are what tells a lot, we are facing profiling at a scale yet unknown. Knowledge is power. Why are we, as societies, giving so much power to those who are already in powerful positions, corporations or governments?

As was indicated, what the intelligence community is doing is, looking at those numbers, and durations of calls. They are not looking at people’s names and they’re not looking at content. But, by sifting through this so-called metadata they may identify potential leads with respect to folks who might engage in terrorism.

President Obama, June 7 2013
Bouh

The technology underlying the services we use can provide strong protection for users if it is based on a few principles: a decentralised architecture, the possibility to use encryption, Open Standards, implementation in Free Software

Some concrete ideas

Use end-to-end encryption for your email:
GNUPG offers email protection based on public and private keys. For it to work, both sender and recipient must use it, its strength relies on peer to peer dynamics and everyone’s involvement. For beginners, Enigmail, a Thunderbird add-on, is fairly easy to use. If I was able to install and use it, anyone can do it!

Until recently, if the government wanted to violate the privacy of ordinary citizens, they had to expend a certain amount of expense and labor to intercept and steam open and read paper mail. Or they had to listen to and possibly transcribe spoken telephone conversation, at least before automatic voice recognition technology became available. This kind of labor-intensive monitoring was not practical on a large scale. It was only done in important cases when it seemed worthwhile. This is like catching one fish at a time, with a hook and line. Today, email can be routinely and automatically scanned for interesting keywords, on a vast scale, without detection. This is like driftnet fishing. And exponential growth in computer power is making the same thing possible with voice traffic.

Philip Zimmermann, Why I Wrote PGP

What if everyone believed that law-abiding citizens should use postcards for their mail? If a nonconformist tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he’s hiding. Fortunately, we don’t live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. There’s safety in numbers. Analogously, it would be nice if everyone routinely used encryption for all their email, innocent or not, so that no one drew suspicion by asserting their email privacy with encryption. Think of it as a form of solidarity.

Philip Zimmermann, Why I Wrote PGP

Encrypt your instant messaging:
XMPP is a widely used encryption-friendly Open Standard enabling people to create decentralised networks which are hard to track and control. Used with a Free Software client it allows you to chat in freedom. It can be combined with optional encryption add-ons like ‘Off The Record’ for Pidgin. Encrypted Voice OverIP services also exist but I don’t know much about it.
With Google discontinuing Google Talk (using XMPP), my buddy list will soon be 100% geeky. Friends, join us! Here you can find a simple How To.

Use a pro-privacy social network:
there are pro-privacy, decentralised social networks which let users decide where their data is stored, when it is deleted and what is shared with whom. As they are networks, each new person joining it makes it more attractive for others. Top of the list of privacy protecting social networks is Diaspora* – a Free Software, decentralised web application which has no central data store.
I tried to use it when I left Facebook, but quickly lost interest in the whole social network thing. Now may be the right time to have a look at it again…

Use Free Software and Open Standards:
Free Software and Open Standards put users and programmers in control. Without the four freedoms of Free Software (use, study, share, improve) the tools mentioned above could not have been created.
Even if you don’t program, using Free Software and Open Standard protect you and protect the technology and the ideas behind it. The more users the more solid in the long-run Free ICT systems will be.

The urge of advocacy
Empowering technologies become as powerful as their user and developer base is broad. Raising awareness about the need for privacy and about existing freedom-protecting technologies are two sides of the same struggle.

Here are some links which I find extremely useful to advocate digital freedom:

• Why freedom of thought require Free media and why Free media require Free technology (video), Eben Moglen
• Why privacy matters even if you have nothing to hide, Daniel J. Solove
• Not in my department, 29c3 keynote, Jacob Appelbaum (Youtube video, sorry…)
• EFF, Report on Data Aggregation

Join or support one of the many organisations or projects fighting against surveillance. Some are building technical tools, some are influencing legislations other are raising awareness about the importance of privacy and digital freedoms… Join the momentum!

[Another metaphor better captures the problems: Franz Kafka’s The Trial. Kafka’s novel centers around a man who is arrested but not informed why. He desperately tries to find out what triggered his arrest and what’s in store for him. He finds out that a mysterious court system has a dossier on him and is investigating him, but he’s unable to learn much more. The Trial depicts a bureaucracy with inscrutable purposes that uses people’s information to make important decisions about them, yet denies the people the ability to participate in how their information is used.

The problems portrayed by the Kafkaesque metaphor are of a different sort than the problems caused by surveillance. They often do not result in inhibition. Instead they are problems of information processing—the storage, use, or analysis of data—rather than of information collection. They affect the power relationships between people and the institutions of the modern state. They not only frustrate the individual by creating a sense of helplessness and powerlessness, but also affect social structure by altering the kind of relationships people have with the institutions that make important decisions about their lives.

Legal and policy solutions focus too much on the problems under the Orwellian metaphor—those of surveillance—and aren’t adequately addressing the Kafkaesque problems—those of information processing. The difficulty is that commentators are trying to conceive of the problems caused by databases in terms of surveillance when, in fact, those problems are different.

Commentators often attempt to refute the nothing-to-hide argument by pointing to things people want to hide. But the problem with the nothing-to-hide argument is the underlying assumption that privacy is about hiding bad things. By accepting this assumption, we concede far too much ground and invite an unproductive discussion about information that people would very likely want to hide. As the computer-security specialist Schneier aptly notes, the nothing-to-hide argument stems from a faulty “premise that privacy is about hiding a wrong.” Surveillance, for example, can inhibit such lawful activities as free speech, free association, and other First Amendment rights essential for democracy.

The deeper problem with the nothing-to-hide argument is that it myopically views privacy as a form of secrecy. In contrast, understanding privacy as a plurality of related issues demonstrates that the disclosure of bad things is just one among many difficulties caused by government security measures. To return to my discussion of literary metaphors, the problems are not just Orwellian but Kafkaesque. Government information-gathering programs are problematic even if no information that people want to hide is uncovered. In The Trial, the problem is not inhibited behavior but rather a suffocating powerlessness and vulnerability created by the court system’s use of personal data and its denial to the protagonist of any knowledge of or participation in the process. The harms are bureaucratic ones—indifference, error, abuse, frustration, and lack of transparency and accountability.

One such harm, for example, which I call aggregation, emerges from the fusion of small bits of seemingly innocuous data. When combined, the information becomes much more telling. By joining pieces of information we might not take pains to guard, the government can glean information about us that we might indeed wish to conceal. For example, suppose you bought a book about cancer. This purchase isn’t very revealing on its own, for it indicates just an interest in the disease. Suppose you bought a wig. The purchase of a wig, by itself, could be for a number of reasons. But combine those two pieces of information, and now the inference can be made that you have cancer and are undergoing chemotherapy. That might be a fact you wouldn’t mind sharing, but you’d certainly want to have the choice.
[…]
A related problem involves secondary use. Secondary use is the exploitation of data obtained for one purpose for an unrelated purpose without the subject’s consent. How long will personal data be stored? How will the information be used? What could it be used for in the future? The potential uses of any piece of personal information are vast. Without limits on or accountability for how that information is used, it is hard for people to assess the dangers of the data’s being in the government’s control.]

Why Privacy Matters Even if You Have ‘Nothing to Hide’
By Daniel J. Solove