Schneier on Risk

Bruce Schneier, security expert and EFF board member, wrote an article about our rejection of risk and the consequences it has on basic liberties. Interesting new piece of input about the link between freedom and security.

I graduated from a Masters called Risk, Science, Environment and Health and therefore love the link he makes between risk apprehension and freedom. Natural risks and risks coming from humans are different.

 

We’re afraid of risk. It’s a normal part of life, but we’re increasingly unwilling to accept it at any level. So we turn to technology to protect us. The problem is that technological security measures aren’t free. They cost money, of course, but they cost other things as well. They often don’t provide the security they advertise, and — paradoxically — they often increase risk somewhere else. This problem is particularly stark when the risk involves another person: crime, terrorism, and so on. While technology has made us much safer against natural risks like accidents and disease, it works less well against man-made risks.

[…]

We need to relearn how to recognize the trade-offs that come from risk management, especially risk from our fellow human beings. We need to relearn how to accept risk, and even embrace it, as essential to human progress and our free society. The more we expect technology to protect us from people in the same way it protects us from nature, the more we will sacrifice the very values of our society in futile attempts to achieve this security.

 

Observe. Hack. Make 2013: time to get subtle

From July 27 to yesterday I was on vacation, including 5 days near Amsterdam for the OHM -Observe, Hack, Make- camp.
I attended many talks and workshops. Here is a summary of.. my summaries.

  • Digital security is complicated. 

Giving advice to activists whose safety depends on digital security is even more complicated. Only saying “use Free Software / encrypt your data and communications / use strong passwords” is simplistic. One also has to take into account the efficiency parameter, as well as the physical and moral, psycho-social components of security. This is an interesting one: if advising not to use (or scaring activists away from) Skype and Facebook leads to their social isolation, to loneliness, depression, moral fatigue or paranoia, it is clearly not a good solution. To save the future, you may still need to talk on Skype to your parents or lover from time to time, because they give you the strength to keep advocating. Everything depends on risk assessment: is exposing your social network endangering it?

It seems obvious, but carrying on a political struggle through the internet in Berlin, Lomé or Tunis is very different. Do people have their personal computer there? What do local laws say about activism? What kind of technology are people using around the person who needs help? What kind of activity does this activist actually do? Documenting protests or attacks / writing essays / organising people / blowing the whistle.. those actions rely on different tech and have different purposes. For some, one needs to securely gather information from many external sources. For others one needs to reach an audience as wide as possible.

The various workshops I attended about digital security have enriched and clarified my thoughts, thanks to fairly simple concepts. There isn’t one secure way of using technology. I will remember it next time I talk with my friends about their computers: stay practical, understand the risk, understand your priorities and vulnerabilities.

Another conclusion: we need to care about our digital security BEFORE we face actual danger and repression. I would like to say before we are under surveillance but it’s probably too late for that one.

  • KISS

One line of code can cause big vulnerabilities in an operating system. I understand better the KISS principle – for software. After long discussions about life, the universe and everything, I definitely don’t think that it applies to all other areas. We need some fun too 😀

  • Whistle blowing

The US already abuses its surveillance powers to harass and destroy the lives of whistle blowers. Less well known than Snowden and Manning, the cases of Jesselyn Radack and Thomas Drake were impressive. Intimidation, sanctions taken without any legal reasons, smear campaigns… New examples showing that surveillance gives disproportionate power to people in power, and that they do, and will abuse it to protect their privileges.

  • Make a choice

Simple way to link the pro-privacy and copyright reform actions:
Internet, Privacy, Copyright. You can have two of those, but not three. What do you choose?

  • .. as usual..

Of course, the best part of the event wasn’t the talks and workshops. Beloved old friends, great new friends and contacts, discussion, ideas, care and tea. Thanks for being awesome.

<3

Clear answers demanded

Public transparency is a nice idea, as long as governments don’t ask their people to be fully transparent themselves in return. Since finding the limit between public (person, activity) and private is always difficult, caution is needed. Still, last week brought several examples of interesting uses of transparency policies, related to Free Software.

 

  • In Europe

On July 9, during the Juri Workshop in Brussels, someone from the public asked Giancarlo Vilella, Director of the DG ITEC (Innovation and Technological Support) of the European Parliament (EP), what was the proportion of Free and proprietary software in the European Parliament ICT system.

He gave a nice runaround answer, saying that, very likely, more than half of the EP’s system was running Free Software.

In two different letters, the Greens/EFA, FSFE and Open Rights Group followed up on this, asking the European Parliament to be more precise about their use of Free Software and about the implications of their transparency policy. When they come, the answers should give new arguments to Free Software activists in Europe.

On the European Commission’s side, several parliamentary questions were answered, detailing the concrete actions taken by the Commission to implement its policy regarding interoperability, Free Software and Open Standards.

 

  • In France

In France now, several ministries (Ministère de la ville – Ministry of cities, de l’agroalimentaire – of Agrifood, and du redressement productif – of “Productive Recovery”) published clear reports on their use of Free Software on July 16. They were answering a parliamentary question from MP Isabelle Attard (Green), demanding information related to the Ayrault circular’s follow-up.

A quick summary:

  • the ministries always “consider” Free Software during their procurement procedure
  • most of them are unable to give numbers, their book-keeping doesn’t separate spending on Free and proprietary software. Spending on hardware with embedded software can also not be counted. The ministry of Agrifood (FR) is the only one showing clear numbers: for 2012 86k€ were spent on proprietary Office suite, 1828k€ on proprietary “infrastructure software” and 174k€ on Free Software
  • Free Software is mostly used on the server side. Office Suite and email clients are also often mentioned.
  • the only number the ministries of Finance and Economic Affairs (FR) can give is about their contribution to Free Software “ecosystem”, whatever they mean by this. One can hope that it means their contribution to Free Software projects: at least 22M euro, it would be nice… But I guess they are just counting spending on support / maintenance contracts -which is important too.
  • One minister (“city”) described an increasing internal expertise ability on software procurement and better collaboration with other ministries for the management of their ICT systems, implying interoperability. According to the document (FR), the ministry of “territorial equality and housing” and the ministry of “ecology, sustainable development and energy” are almost only using Free Software. Desktop computer’s operating system is the only proprietary part left. Those two ministers still spend 6 million euros per year on proprietary software
  • One association -Association of Free Software Developers and Users for administrations and local authorities, ADULLACT (FR)- is freeing some code developed in house and contributes to Free Software projects

French public bodies have terrible names..

 

 

Wiki converter

People seem to blog when they find a nice tool, so here I am, singing my love to a simple HTML-wiki converter. It just saved me at least one hour of boring manual work <3

With it you can choose several wiki dialects, even our MoinMoin.

No licence information.

 

Zombie Free Software provision, update

The commission about which I was writing Wednesday confirmed the Free Software amendment and corrected its wording.

It now states

“Art. L. 123-4-1. – The Public Service for Higher Education provides digital services and educational resources to its users.”
“free software is used as a priority.”

The compromise version, on which members of the Senat and of the National Assembly agreed, still has to be voted by both assemblies in plenary session.

A similar provision on a bill dealing with primary and secondary education was strongly watered down by the French government two weeks ago, probably because of ignorance. Let’s hope that the government has learned from its mistakes in the meantime.

 

  • Writing to / calling your representatives isn’t very hard

If I had known this I would have started doing it earlier.

– No need to be a genius or an expert on the topic. Telling them why you feel concerned seems very efficient!

– You probably will not talk to the actual elected person but with his/her assistant(s). They are often young and the ones I talked to were always very friendly and helpful.

– Telling your own story helps! On Wednesday I talked about my cartography courses at university, on proprietary software costing a few hundred euro per licence. Of course I was never able to use the knowledge acquired during the course anywhere else.. Universities have to choose. Do they want to

  • teach how to use a proprietary software that one student per class *may* use professionally;
  • or give free and Free tools and knowledge to all students, who will then use them for any project/course/research/job for which they could need them?

This – and many other things, is what I told the MPs and Senators. It’s not hard, anyone can do it! We could organise “Call your MPs” workshops: the first call is the hardest one.

Death (and resurrection?) of Free Software in French schools

 

  • Priority given to Free Software in French school definitely buried

On June 25 the French Senat voted the final version of the law on education, accepting a governmental amendment weakening the bill’s Free Software provision. Procurement for e-learning services now has to “consider Free Software and open format offers, if any”. No more priority given to Free Software solutions, unfortunately.

 

  • Higher education bill: Free Software returns!

Like a zombie rising up from its grave, the prioritisation of Free Software has come back! Thanks to an amendment introduced last week in first reading by the Senat, section 6 of the draft law on Higher Education now states that

the public service for Higher Education prioritises the use of “Copyright-free software”.

We can assume that the wording is just a mistake and will be corrected (all software, including Free Software, is copyrighted; only public domain software is not). In the official explanation of why he introduced the amendment, Senator Le Scouarnec is clearly talking about Free Software and not “Copyright-free software”, as April reports.

A commission composed of members of the Senat and of the National Assembly is meeting this afternoon -probably right now- to write a common new version of the bill. Will it include the Free Software amendment voted by the Senat? Answer in the next episode.

Following April’s call for action (FR), I spent the whole morning calling and writing emails to members of this commission. It would have been nice to coordinate better and earlier; FSFE and its French fellows could have helped!

June in France

Two weeks ago I was writing about the French Government watering down a pro-Free Software amendment. This week brought some interesting news about France again:

 

  • Fleur Pellerin, a Free Software enthusiast?

At Mozilla’s official Paris headquarters’ opening, our Minister in charge of digital economy gave a nice speech (FR) celebrating Free Software.

Those [Mozilla and Free Software’s] values are access to knowledge for all, trust and amplification of the Internet’s general interest aspect. It is also social values: forwarding a virtuous, open, participatory model of society, where data is above all considered as a good accessible to the greatest possible number of people and a source of knowledge that anyone can use, improve and share.

She talked about how great Free Software is for innovation and economy, and stressed the work of the current government on the issue – especially with their 2012 memorandum (EN) about the use of Free Software in French public administration.

French Government and digital freedom, one step forward two steps backward (or the contrary…)?

 

  • What is MIMO …?

This week again, we discovered a blog post by the Document Foundation welcoming “MIMO” in its Advisory Board. MIMO seems to be an interdepartmental working group composed of representatives of 9 French ministries, working on “open office software” (bureautique ouverte).

Here is the only official page I could find about MIMO. Lovely design!

I don’t really get the idea. They made a CD to install (a special?) version 3.5 of LibreOffice for Windows. They should also offer other Free Software for the administration, but I could not find much on their list.

According to the Document Foundation, MIMO is testing and approving one version of LibreOffice per year. They ensure that it is compatible with the IT infrastructure and processes of member ministries. They are said to have several working groups (cloud computing, the organisation and planning of IT systems, Open Source…) but have no official website. Intriguing..

 

  • A provision on unitary patent hidden in a draft law on Advanced Education and Research

Talking about intriguing things, April highlighted (FR) two interesting amendments to the draft law on Advanced Education and Research that will be discussed this week by the French Sénat in plenary session.

They would allow the ratification of the European agreement on unified patent jurisdiction. As the law is examined under an emergency procedure, it will only be discussed once in the Sénat. Nice way to put a highly controversial issue to vote.

The agreement on unitary patent gives a lot of power to the European Patent Office (EPO). And even if they are not supposed to exist in Europe, EPO has been granting software patents for years, calling them patents on “computer implemented inventions”.

Let’s see if it generates any debate in the French Sénat..

 

  • Priority to Free Software in education: second reading in the Sénat

The weak new version of the law will be discussed again on Monday 24, next week.

Busy time!

Big Data, dear new Monster

“Everyone is guilty of something or has something to conceal. All one has to do is look hard enough to find what it is.” Solzhenitsyn

As highlighted once more by the recent Verizon and PRISM scandals, mass surveillance is a reality. The increasingly centralised architecture of the internet makes spying easy: having access to ten companies’ servers means having access to the private lives of billions of people. This scandal has helped bring surveillance into the public eye: but realisation is only the first step towards change. Today, a week after the Guardian’s article, the French press is still full of related coverage! People may be interested in this topic, after all!


Surveillance, a political question

I have (used to have?) the bad habit of blaming “technological progress” for the nightmarish surveillance it enables. Powerful entities’ ability to process huge amounts of data makes possible a constant and reflexive monitoring of our behaviour.
Trying to be constructive, I will for now stick to the “there is no bad technology, only bad uses of technology” motto. And the best way to fight harmful uses of technology is political activism.

A global movement of citizens is the only way to have privacy established as a new pillar of our political systems -demanding it to be considered as one of the basic civil liberties that have to be protected.

Those who are joining the fight now will be happy to learn that the technical and ideological bases of this movement exist! For the last 30 years the hacker community has been building tools, systems and ideas with freedom, empowerment and privacy at their core.

Choose inherently privacy-protecting communication systems
Email, instant messaging, social networks or phone calls carry a tremendous amount of information about us, as content or metadata. Aggregated, all the small pieces of information collected give impressively precise pictures of who we are, what and whom we like or dislike or have an interest in, what our normal behaviour is, and so on. As time passes, the daily formation of our thoughts, ideas, opinions and personality can be studied, and used. The government doesn’t care about your diet or favourite pizza. Patterns are what tell a lot: we are facing profiling at a scale yet unknown. Knowledge is power. Why are we, as societies, giving so much power to those who are already in powerful positions, corporations or governments?

As was indicated, what the intelligence community is doing is, looking at those numbers, and durations of calls. They are not looking at people’s names and they’re not looking at content. But, by sifting through this so-called metadata they may identify potential leads with respect to folks who might engage in terrorism.

President Obama, June 7 2013
Boo

The technology underlying the services we use can provide strong protection for users if it is based on a few principles: a decentralised architecture, the possibility to use encryption, Open Standards, and implementation in Free Software.


Some concrete ideas

Use end-to-end encryption for your email:
GnuPG offers email protection based on public and private keys. For it to work, both sender and recipient must use it: its strength relies on peer-to-peer dynamics and everyone’s involvement. For beginners, Enigmail, a Thunderbird add-on, is fairly easy to use. If I was able to install and use it, anyone can do it!

Until recently, if the government wanted to violate the privacy of ordinary citizens, they had to expend a certain amount of expense and labor to intercept and steam open and read paper mail. Or they had to listen to and possibly transcribe spoken telephone conversation, at least before automatic voice recognition technology became available. This kind of labor-intensive monitoring was not practical on a large scale. It was only done in important cases when it seemed worthwhile. This is like catching one fish at a time, with a hook and line. Today, email can be routinely and automatically scanned for interesting keywords, on a vast scale, without detection. This is like driftnet fishing. And exponential growth in computer power is making the same thing possible with voice traffic.

Philip Zimmermann, Why I Wrote PGP

What if everyone believed that law-abiding citizens should use postcards for their mail? If a nonconformist tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he’s hiding. Fortunately, we don’t live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. There’s safety in numbers. Analogously, it would be nice if everyone routinely used encryption for all their email, innocent or not, so that no one drew suspicion by asserting their email privacy with encryption. Think of it as a form of solidarity.

Philip Zimmermann, Why I Wrote PGP

Encrypt your instant messaging:
XMPP is a widely used encryption-friendly Open Standard enabling people to create decentralised networks which are hard to track and control. Used with a Free Software client it allows you to chat in freedom. It can be combined with optional encryption add-ons like ‘Off The Record’ for Pidgin. Encrypted Voice over IP services also exist but I don’t know much about them.
With Google discontinuing Google Talk (using XMPP), my buddy list will soon be 100% geeky. Friends, join us! Here you can find a simple How To.

Use a pro-privacy social network:
there are pro-privacy, decentralised social networks which let users decide where their data is stored, when it is deleted and what is shared with whom. As they are networks, each new person joining it makes it more attractive for others. Top of the list of privacy protecting social networks is Diaspora* – a Free Software, decentralised web application which has no central data store.
I tried to use it when I left Facebook, but quickly lost interest in the whole social network thing. Now may be the right time to have a look at it again…

Use Free Software and Open Standards:
Free Software and Open Standards put users and programmers in control. Without the four freedoms of Free Software (use, study, share, improve) the tools mentioned above could not have been created.
Even if you don’t program, using Free Software and Open Standards protects you and protects the technology and the ideas behind it. The more users, the more solid Free ICT systems will be in the long run.


The urge of advocacy

Empowering technologies become as powerful as their user and developer base is broad. Raising awareness about the need for privacy and about existing freedom-protecting technologies are two sides of the same struggle.

Here are some links which I find extremely useful to advocate digital freedom:

Join or support one of the many organisations or projects fighting against surveillance. Some are building technical tools, some are influencing legislation, others are raising awareness about the importance of privacy and digital freedoms… Join the momentum!

Prism

[Another metaphor better captures the problems: Franz Kafka’s The Trial. Kafka’s novel centers around a man who is arrested but not informed why. He desperately tries to find out what triggered his arrest and what’s in store for him. He finds out that a mysterious court system has a dossier on him and is investigating him, but he’s unable to learn much more. The Trial depicts a bureaucracy with inscrutable purposes that uses people’s information to make important decisions about them, yet denies the people the ability to participate in how their information is used.

The problems portrayed by the Kafkaesque metaphor are of a different sort than the problems caused by surveillance. They often do not result in inhibition. Instead they are problems of information processing—the storage, use, or analysis of data—rather than of information collection. They affect the power relationships between people and the institutions of the modern state. They not only frustrate the individual by creating a sense of helplessness and powerlessness, but also affect social structure by altering the kind of relationships people have with the institutions that make important decisions about their lives.

Legal and policy solutions focus too much on the problems under the Orwellian metaphor—those of surveillance—and aren’t adequately addressing the Kafkaesque problems—those of information processing. The difficulty is that commentators are trying to conceive of the problems caused by databases in terms of surveillance when, in fact, those problems are different.

Commentators often attempt to refute the nothing-to-hide argument by pointing to things people want to hide. But the problem with the nothing-to-hide argument is the underlying assumption that privacy is about hiding bad things. By accepting this assumption, we concede far too much ground and invite an unproductive discussion about information that people would very likely want to hide. As the computer-security specialist Schneier aptly notes, the nothing-to-hide argument stems from a faulty “premise that privacy is about hiding a wrong.” Surveillance, for example, can inhibit such lawful activities as free speech, free association, and other First Amendment rights essential for democracy.

The deeper problem with the nothing-to-hide argument is that it myopically views privacy as a form of secrecy. In contrast, understanding privacy as a plurality of related issues demonstrates that the disclosure of bad things is just one among many difficulties caused by government security measures. To return to my discussion of literary metaphors, the problems are not just Orwellian but Kafkaesque. Government information-gathering programs are problematic even if no information that people want to hide is uncovered. In The Trial, the problem is not inhibited behavior but rather a suffocating powerlessness and vulnerability created by the court system’s use of personal data and its denial to the protagonist of any knowledge of or participation in the process. The harms are bureaucratic ones—indifference, error, abuse, frustration, and lack of transparency and accountability.

One such harm, for example, which I call aggregation, emerges from the fusion of small bits of seemingly innocuous data. When combined, the information becomes much more telling. By joining pieces of information we might not take pains to guard, the government can glean information about us that we might indeed wish to conceal. For example, suppose you bought a book about cancer. This purchase isn’t very revealing on its own, for it indicates just an interest in the disease. Suppose you bought a wig. The purchase of a wig, by itself, could be for a number of reasons. But combine those two pieces of information, and now the inference can be made that you have cancer and are undergoing chemotherapy. That might be a fact you wouldn’t mind sharing, but you’d certainly want to have the choice.
[…]
A related problem involves secondary use. Secondary use is the exploitation of data obtained for one purpose for an unrelated purpose without the subject’s consent. How long will personal data be stored? How will the information be used? What could it be used for in the future? The potential uses of any piece of personal information are vast. Without limits on or accountability for how that information is used, it is hard for people to assess the dangers of the data’s being in the government’s control.]

Why Privacy Matters Even if You Have ‘Nothing to Hide’
By Daniel J. Solove