[Repost] Google, Amesys – même combat

So, I’ve changed things around here and I’m trying to get some writing done soon. In the meantime, I’ll repost here an oped I wrote at la quadrature du net (From which I’m currently off due to mental health issue, more on that later), so here the original text, in French and, of course, there’s more on LQDN website

Du 21 au 24 novembre dernier, à Villepinte (région parisienne), se tenait le salon Milipol (pour Militaire/Police), « l’événement mondial de la sécurité des États ».

En plus des habituels trafiquants marchands d’armes qui font la fierté de l’industrie française (ayons une pensée émue pour Michèle Alliot-Marie qui exporta en Tunisie notre savoir-faire en matière de maintien de l’ordre), il y a, depuis quelques années maintenant, des marchands de matériel informatique et de solutions de supervision des populations.

Vous avez forcément entendu parler d’Amesys, de Qosmos, de Palantir et autres Hacking Team qui se sont spécialisés dans le développement de solutions clef en main d’espionnage et de surveillance de la population. Et, les affaires étant les affaires, la plupart d’entre eux vendent à toute personne désirant acheter du matériel, qu’il s’agisse des dictatures libyenne ou syrienne, ou des démocraties sociales occidentales compatibles avec l’économie de marché (France, Allemagne, Royaume-Uni). On parle dans ces cas de capitalisme de la surveillance, c’est-à-dire de mesurer la valeur des choses grâce à la fonction de surveillance.

La surveillance se base sur la connaissance. En épidémiologie par exemple, c’est connaître le vecteur infectieux, le documenter, savoir comment il se propage et se transmet, mesurer son temps d’incubation éventuel, déterminer ses symptômes pour comprendre son fonctionnement et trouver éventuellement un remède.

Dans le cadre de la surveillance des personnes, cela se traduit par la connaissance de ces personnes, leur identification dans le temps et l’espace, connaître leurs habitudes et leurs façons de réagir, mesurer leur sensibilité à telle ou telle idée. La surveillance c’est la connaissance. Et la connaissance c’est ce qui permet de définir les choses, de les identifier. Le capitalisme de la surveillance est donc un capitalisme de la connaissance, de l’identité. Ce que vendent Amesys, Palantir ou autres à leurs clients c’est l’assignation d’une identité définie par eux ou par leur client à un groupe de personnes en fonction de mesures et d’observations, i.e. de données.

Dans le cas des États, cette assignation identitaire amène à des conséquences qui peuvent être extrêmement violentes pour certaines populations, amenant à des répressions fortes, une suppression d’un certain type de personnes d’un certain quartier, à de l’injustice prédictive basée sur des statistiques biaisées par des biais racistes – le racisme structurel – et qui donc ne peuvent que renforcer ces biais. Les smart cities, dans leur version la plus extrême, sont les étapes finales de ce processus, l’identification permanente, fixiste, en tous points de tous les individus, l’impossibilité de bénéficier des services communs et publics sans révéler son identité, sans donner aux surveillants encore plus de connaissances sur nos vies et nos identités, pour leur permettre de mieux définir nos identités, de mieux vendre aux États la détermination, l’essentialisation, la réduction des complexités de nos vies à des étiquettes : terroriste, migrant, réfugié, musulman, femme, queer, bon citoyen.

Dans cette analyse qui est faite, on parle très vite, très souvent d’algorithmes ou d’intelligence artificielle. On les accuse de tous les maux, d’être racistes, de faire l’apologie du génocide, d’être sexistes, de censurer les discours d’éducation à la sexualité, d’invisibiliser les minorités sexuelles, comme si les intelligences artificielles, les algoritmes, disposaient de conscience, émergeaient de nulle part, avaient décidé d’être néo-nazi. Pardon, alt-right. Mais, au final, personne ne dit ce que sont les algorithmes, ou les intelligences artificielles. On va commencer par la seconde. L’intelligence artificielle est un algorithme doté d’une grande complexité et utilisant de grosses quantités de données pour donner l’illusion d’une intelligence, mais d’une intelligence ne comprenant pas ce qu’est un contexte et non dotée de conscience. Reste à définir ce qu’est un algorithme donc.

Appelons le wiktionnaire à la rescousse. Un algorithme est une « méthode générale pour résoudre un ensemble de problèmes, qui, appliquée systématiquement et d’une manière automatisée à une donnée ou à un ensemble de données, et répétant un certain nombre de fois un procédé élémentaire, finit par fournir une solution, un classement, une mise en avant d’un phénomène, d’un profil, ou de détecter une fraude ». C’est donc une formule mathématique, ne prenant pas en compte les cas particuliers, et qui a pour but d’analyser des données pour trouver une solution à un problème.

Ces algorithmes ne sont pas en charge de collecter les données, de définir le problème ou de prendre des décisions. Ils analysent des données qui leur sont transmises et fournissent une classification de ces données en fonction de critères qui ont été décidés par les personnes qui les écrivent, qui les configurent et qui les utilisent. L’ensemble des problèmes sur la reconnaissance faciale qu’ont rencontrés la plupart des entreprises de la Silicon Valley résulte du jeu de données utilisé pour identifier une personne et la reconnaître, car il ne contenait que des images de personnes blanches. Le chat bot de Microsoft – Tay – s’est avéré tenir des propos négationnistes ou appelant au meurtre et à l’extermination. Non pas parce que Tay a une conscience politique qui lui permette de comprendre les propos qu’elle tient, mais parce que des personnes l’ont inondée de propos racistes ou négationnistes, fournissant un corpus de données servant de base aux interactions du chat bot, l’amenant donc à écrire des propos racistes et négationnistes. Microsoft a rapidement retiré ce chat bot de la circulation et l’entreprise a depuis promis d’être plus « attentive » .

Parallèlement, nous entendons également, et de plus en plus, parler d’économie de l’attention. De capitalisme de l’attention. Ce qui aurait de la valeur serait ce à quoi nous faisons attention, ce que nous regardons. Sous entendu, nous, utilisatrices de ce système, sommes capables de faire le choix de ce que nous voulons regarder et lire, de faire le choix de la connaissance à laquelle nous avons accès. Internet permet, en théorie, un accès non discriminé à l’intégralité des informations et des données, et donc de la connaissance, du savoir. Après tout, la connaissance est une information à laquelle j’accède pour la première fois. Et cette acquisition de connaissance me permet de comprendre le monde, de me positionner par rapport à lui, et donc de me définir et de le comprendre, exactement ce que font les systèmes de surveillance massive utilisés par les États.

Réguler l’accès à l’information et choisir quels contenus montrer à quelle personne permet donc, également, de contrôler comment vont se définir les personnes, comment elles vont comprendre le monde. L’économie de l’attention est basée sur ce principe. Pour garantir que vous interagissiez avec la connaissance qui vous est proposée, qui est la façon dont ces nouveaux capitalistes mesurent la valeur, il est important de vous surveiller, de vous mesurer, de vous analyser, de vous assigner des identités. Et donc de contrôler la connaissance à laquelle vous avez accès et celle que vous produisez.

Les gigantesques plateformes financées par les GAFAM1 servent exactement à ça. Facebook vous empêche activement d’accéder à l’ensemble de l’information présente sur leur réseau, vous demandant de vous connecter pour accéder à d’autres plateformes que la leur, ou vous pistant partout une fois que vous êtes connectés, leur permettant ainsi de récolter encore plus de connaissances à votre sujet, d’augmenter leur capacité de surveillance et donc d’identification et de contrôle. Remplissant dans ce cas exactement la même fonction que les systèmes répressifs des régimes étatiques.

Notamment car Facebook, Apple, Google, Amazon, Microsoft décident ce qu’il est moral de faire, quelles identités doivent être renforcées ou au contraire dévaluées. Par exemple, Youtube, en supprimant la possibilité pour un contenu parlant de sexualités de rapporter de l’argent aux créatrices, envoie un message assez clair aux personnes faisant de l’éducation sexuelle, ou parlant de problématique touchant les personnes queer : votre production de connaissance n’est pas bienvenue ici, nous ne voulons pas que des personnes puissent s’identifier à vous. Il en va de même avec Facebook et son rapport à la nudité ou Apple qui filtre également tout ce qui pourrait parler de sexe, quitte à censurer le contenu des musées. En dévalorisant certaines connaissances, en la supprimant de certaines plateformes, les personnes à la tête de ces entreprises permettent d’effacer totalement de l’espace public des pans entiers de la société, de supprimer les voix des minorités, d’empêcher la contradiction de leurs valeurs et permettent donc de renforcer les biais des personnes consommant la connaissance disponible, amenant à une polarisation, une simplification et à une antagonisation du monde.

Alors effectivement, Facebook en soi ne mettra personne dans les geôles de Bachar el-Assad, du moins pas dans une complicité active, mais l’entreprise fait partie d’un système disposant de deux faces. Une face violente, répressive, alimentant les délires paranoïaques des États d’une part, et une face « douce » et insidieuse, utilisant les publicitaires et la restriction de l’accès à la connaissance pour permettre aux entreprises conservatrices de nous imposer leur vision bipolaire du monde, renforcement les sentiments d’appartenance à un groupe identitaire, avec les conséquences violentes que l’on connaît.

Et pour s’en persuader, il suffit de regarder les liens entre ces deux faces. Peter Thiel, fondateur, avec Elon Musk, de PayPal et qui détient maintenant 7% de Facebook est également le fondateur de Palantir Technologies, entreprise qui a, notamment, obtenu le marché public des boîtes noires en France, tout en étant aussi l’outil officiel de la NSA. Thiel a également participé aux nombreux procès qui ont fait mettre à Gawker la clef sous la porte suite à la révélation de l’homosexualité de P. Thiel par Gawker. Thiel, enfin, est l’un des influents soutiens des républicains nord américains, il a notamment participé à la campagne de Ted Cruz avant de rejoindre l’équipe de Trump et de participer à la transition à la maison blanche. Il a de fait nécessairement discuté, échangé et parlé avec Robert Mercer, l’un des directeurs de Cambridge Analytica, une entreprise dont le but est de cibler les électeurs grâce à de nombreux points de collectes, principalement récupérés par Facebook afin de pouvoir les cibler directement et influencer leurs votes.

Alors oui, lorsque l’on pose la question de démanteler Google, la question de démanteler Palantir se pose aussi, et celle consistant à vouloir privilégier les seconds car ils représentent un danger plus important pour la sécurité des uns et des autres. Mais sans l’omniprésence des systèmes d’identification, sans les exaoctets de données récoltées sans notre consentement dans le but d’individualiser le contenu auquel nous avons accès – selon des critères sur lesquels nous n’avons aucun contrôle – la mise en place de la surveillance et de l’identité devient complexe, coûteuse et impossible.

Il faut démanteler les systèmes capitalistes identitaires si l’on veut détruire les systèmes d’oppressions basés sur l’identité ou sur l’accès biaisé à la connaissance. Il faut s’affranchir des moteurs de ce système que sont la publicité, le pistage et l’identification permanente. Il faut questionner et démanteler le racisme, le néo-colonialisme, le sexisme des entreprises de la Silicon Valley au lieu de s’étonner que leurs algorithmes soient racistes. Car ils sont devenus omniprésents et nous empêchent de nous définir, de vivre, d’exister comme nous l’entendons, avec nos cultures complexes et nos identités changeantes.

You Tube really sucks lately

[UPDATE]: Added some more concerning impacts – 2017-03-22

Being invisible

Ohai.

I’m going to be personal for a little bit here. I’m not comfortable with it because it’s still a mess in my head. But I think I’m past overdue about it and, also, it will probably help making some points later.

It took me thirty years to understand that I’m bisexual. That I’m not straight. It took me that long because I didn’t knew it was possible. I didn’t knew that the sexual attraction I had for boys was not something that everyone else was going through and that no one spoke about.

I’m thirty seven years old now. And when I look back, I can only assume that my current mental state of severe depression is more than probably linked to the fact that I suppressed those impulse, to behave like everyone else.

Let’s do the time warp and go back in time.

The first tie I was confronted to homosexuality, was in elementary school, where faggots was used as a slur. Since I was there during the nineties, it was also associated with AIDS. Still as a slur.

In high school, when my father got incarcerated for sexual assault on minor – and some friends of mine – I closed myself to others. No internet yet, and so my social input were made by the only representation available there : heteronormativity (and no, there’s no way I would have been able to spot and understand it), I locked deep down inside me my attraction to boys. I was also scared (and have been for almost twenty years now) that this attraction to boys was in fact paedophilia, that I would have inherited from my father.

I landed on Internet in 1997. Mainly inside roll play communities, but since I did not knew I was queer, there was no possibility to get access to those communities.

Same for most of my studies. I’ve never been in contact with queers, lesbians, gays, bis, trans*. I did not understood what the lyrics of Queen’s song meant, I will still fighting most of my feelings, learning to lie to anyone about anything (because of course, I had to lie about my father, you know, everyone keeps asking “what are you’re parent doing for a living” and you cannot really answer “he’s locked in jail”, so you lie. Constantly, to anyone about anything, it doesn’t help).

And even if I managed to get that they’re was gays and lesbians somewhere, bisexuality was kind of something limited to a sexual fetish in my world. And I was trying to blend in, to disappear, to have everyone not asking questions. I’m very good at it now, to not answer questions and to lie, sometimes without thinking (yeah, I do have a good score on “Are you a sociopath ?” tests).

The first time I encountered a non straight and out person was quite late in my life. It was at Le Loop’s Grand Opening, and quota_atypique happened to be there and, since she was doing an ethnology study of the hackerspaces – it was around January 2011 all the hype didn’t got there – and I think she told me she was lesbian (she did come out as bi later) in probably less than 10s after saying “Hi”.

I’m not sure I’ve thanked you for that Quota, but meeting you did have an … interesting … impact on my life. From there we met at the hackerspace, talks about stuff (from the beauty of command line interfaces to being queer in hackerspaces). It was at this time that I got involved in Telecomix too. A lot of conference was happening in Paris, and I did some about inclusions of people (not only women, but also trans* in the hackers communities. I build up a political culture from the popular one.

I met my boyfriend later on (I did get through a tough breakup before that, questioning my ability to manage a single dedicated relationship) at the Congress, even if we started dating later. We were in 2013 or something like that (or 2014, I suck at time frames). It took me a lot of time to accept it, to fight the interiorized shame, and to admit it.

We’re in 2017 now. I’m still not fully at ease with it, but it gets better. And when I look at all this pain I’ve been through, that could have been avoided if, like teenagers and kids today, I did have access to all this queer material, online communities, accessible without especially looking for it, at least we – the ones who grew up alone during the nineties – will be the last ones suffering from invisibility.

The main reason it took me 32 fucking years and part of my depression is because I didn’t have access to the possibility of a positive alternative of bisexuality. It was just invisible hidden. To know it wasn’t a shame, that you could be happy being bi and, it required to actively search for content.

And this is why I’m shaking with rage and anger while writing this (but Show Must Go On is playing now and helps me keep t under control).

YouTube sucks

YouTube, for the one of you who lived in a cave for the last ten years, is a media broadcasting company, which pays itself by selling targeting advertisement to its customers. One of the side effect of their product is that it happens they’re quite good at hosting and promoting videos, clips, documentaries, and whatever you can imagine doing with those cheap camera.

For years free software activists have advocated against the danger of this kind of platform. I’m going to speak a lot about YouTube, but have a look at the #FreeTheNipple campaign on Facebook or Twitter, the censorship of nudity on most of the platform powered by Apple or Facebook.

So, YouTube create a Restricted mode. Before they did that, there was a flag that – as an uploader – you could activate to hide explicit content (mostly nudity) and which would have requires someone to log in to see the content. And a way to report content that you think were offensive.

And there were copyright bots in charge of removing or monetizing content in violation of Intellectual Property basically killing fair use, one example I do like, is the Edward VS Buffy video.

But, in the end, uploaders and creators were able to post whatever contents they wanted without too much intervention from YouTube Inc. or Alphabet or whatever is the name of the thing that’s supposed to manage the platform.

What they did with the Restricted Mode is one step toward nullification on alternatives-cultures. Let’s get a little into details about what this filter exists, and speculation about the why, what are the impact and why it sucks.

What is it ?

From YouTube’s page:

Restricted Mode is an optional setting that you can use to help screen out potentially mature content that you may prefer not to see or don’t want others in your family to see.

So, it looks like Parental filter for youtube. They’ll defed themselves by saying it’s an optional features, but I bet it will be on by default until you log in not s long in the future.

But what is ‘potentially mature’ content you’ll ask ? Well, it’s not defined. But it appears that all LGBT content is considered as ‘potentially mature’. There’s a lot of outrage about it, I’ll just quote an article from The Independent in which a Youtube spokesperson say that the potentially mature content is – and I quote, in bold character, with emphasis :

A YouTube spokesperson later clarified that those more sensitive issues are particularly videos that cover subjects like “health, politics and sexuality”.

Basically, if YouTube thinks that you might potentially talk about politics, then you’ll be hidden in Restricted Mode. One of the first collaterals is the fact that, under Restricted mode, most of the queer produced content is off-limits. Some tests were run, just having the word “gay” in a video title is enough to have it blocked.

Why ????

My guess is that they did not specifically target a community. And we’re lucky that queers can be loud, other communities have probably been targeted and e don’t now which ones yet. Well, they didn’t intentionally targeted us.

Alphabet is currently having some issues with their customers (brands who wants to rent advertisement space online). For instance, they placed ads on extremists website, which raised concern with brands – no one really wants to get associated with neo-nazis. See here for instance.

So, Alphabet made a promise to their customers. We will be able to display your advertisement right next to the content that would improve your return on investment. For that they need to be sure that no one will associate neo-nazis with a brand of lipstick. That’s why they need the Restricited mode.

They need to create a consensual public space, which will suits their customers. A space where you won’t talk about politics, where you won’t talk about sexuality, where everything is about the mainstream culture.

The mainstream culture, for advertisement purposes. The culture of heteronormativity, of whiteness, of sexism. The culture which has no issue with anyone as long as they comply, hide their differences, and consume goods targeted specifically for them on a large scale.

Assimilation or death is basically what the restricted mode is. It is the removal from a public space of everything which does not match the cultural consensus, and this cultural consensus has no room left for us.

Impacts!

Lots of them.

Beyond the invisibilisation which will makes life of all those teenager and person questioning themselves a lot harder, which will lead to isolation (if you know no one with whom you can share it gets harder to construct yourself) and depression; there’s also the end of anonymity for everyone who want to access anything beyond the Restricted Mode.

You do not have to log in yet. But Google do not needs you to log in to know who you are and what you’re watching. It gets worse with restricted mode because it states that you’re explicitely calling for access to ‘potentially offensive’ content when you disables it. Which in some country, might be illegal or otherwise gets you in trouble. It also means that they’re not making any difference about a sex-ed video and pornography.

Or maybe you’ll be in places where you do not know the restricted mode is enable,d for instance on a high school of family computer. And you have question about your personal health – like how to get an abortion. You just won’t be able to find any content, which is endangering people, not getting them safe.

Yes, it’s not n by default. But given the pace at which terms of uses change, and the fact that Alphabet really needs this functionality to sustain their business of analysing your comportment and selling it to advertisers, I do not think it will takes long before it’s getting on by default. At which point, the only way would be to log in to disable it.

The impact on creator of those videos, some of them trying to earn some money with it – using patreon or other similar platform for instance – is even bigger. Making content online, maintaining a community, informing them, entertaining them is, sometimes, one of the few recourse left to queers to earn their life. Being Restricted will cut them from their community and from getting new viewers.

And the beauty of it is, the more you have content flagged as restricted, the more you’ll be restricted in the future.

We are not alone

At this point, and after getting back home on my bike, I fellethat there’s more to it. Using those three specifics topix “health”, “politics” and “sexuality” YouTube cand decide to silence any community of their chosing.

I said earlier that they weren’t purposedly targetting queers, I’m not so sure about it. They want a consnsual space of pure entertainment they can sell to advertisers who wants to target the dominant part of the society (because they’re theone consumng ost of their products).

But really the issue is that they can silence any one who can potentially speak about politics, health or politics. And since a lot of woman can potentially speaks about feminism, woman health, reproductive rights, You Tube can use this to silence any women on they’re platform.

Which, when the platform is one of the most used one, having a wider audience than the classic television networks, is basically removing them from public space.

They can decde that all rap music is potentially politics and removes it from Restricted Mode. As well as a lot of punk or any other political content. They already removed some Lady Gaga content.

And getting removed from public space, is being removed from politics and policies. If you cannot show that you exists, then – from a society point of view – you do not exists, ergo you do not need your needs to be fulfilled, you do not need abortion clinics, you do not need full adoption, you do not needs rights, because you do not exists.

Where do we go from here

YouTube Restricted ban is a blatant statement that minorities are not a priori concern of a multi billion company. It shouldn’t be news to anyone, but we were tolerated there, not warmly welcomed.

And even if YouTube says they will try to fix the issue, the fact that you cannot talk about sex on a video without getting Restricted is a hell of an issue.

The issue here is that we let a private interest to manage a public space of expression. The only solution is to build other platforms. To create our own medias, to fight assimilation.

Internet has always been about decentralisation getting your content online, sharing information without filters but since the advertisement took over one of the big chunk of it (heck, even getting into your phone and homes to gather data), this decentralisation is dying.

It’s never too late, there’s a lot of alternatives a=out there. But we need to accept that the road will not be easy. Storage and bandwidth are expensive, architecture costs human time to be maintained and improved. Some groups are working on it, they need our support.

I know that Framasoft is working on a tube-like platform for instance. But we, as a community, need to accept that we’re not welcome anymore on YouTube. We also need to ensure who else has been left out the Restricted mode.

And we need to move out of the advertisement business. I refuse to comply to

And Justice for all

Trigger Warnings: Rape, Paedophilia

Prison song

I’m not really elaborate on the fact that the current prison system (either in the US, or – basically – everywhere else) is broken and walk on its head. If you want to contemplate the disaster, you can watch Prison Valley, get facts from OIP or read testimony made by, basically, every inmates, their family, their friends about what the prison is doing to them.

I could tells you what the incarceration of my father for paedophilia did to me, how I had to hide it, to lie every single days to basically everyone, to pretend it did not happens for the sole purpose of surviving through middle school, and that it didn’t solve anything, Because he got convicted a second time for similar crimes years later. You’ll notice that neither I, my sisters or my mother have been found guilty of anything, but still, we paid a price. For justice.

I will not argue that prison is the worst solution to any problems. At best, you put people on hold and free them, expecting them to behave when they’ll get out. At worst, it’s a political tool used to criminalize populations and build resentment upon some populations (yes, it’s a tool used for power to keep people in check) while creating more sociopaths, storing them away in inhumane conditions, and forcing them to work – and so destroying jobs outside of jail.

Prison should not exist. Even for serial rapists, paedophile, killers, abusers of all sorts. If you’re only answer as a society is to store them away, in a dark room, and hopping they’ll get better you’re delusional. I do believe people can change, but they need help, acceptance, and an possibility of failure.

The thing is, prison is intricately mixed with the notion of justice. We tend to think we deserve justice, but I’m not sure we really think about what it means. The justice system, as its currently implemented in most part of the world, is a punitive one. The principles behind it is that if you do a wrong to someone, you should pay for it, one way or one another. You should not pay to the victim, but to the society.

Basically, it’s the biblical principle of the Talion’s Law: an eye for an eye, with interests. Those interests exist to dissuade further wrong to be done and because the perceived loss might be above the material loss. When it come to non material wrongs, it gets complicated.

The justice system tries to determine what is the impact of the wrongdoing, what are the personalities of victims and perpetrators to find an appropriate sanction. Basically the process of justice tries to evaluate the cost of a human life, which is an extremely capitalist view. The life of a worker, or of a woman worth less than the one of a CEO for instance. That’s why stealing and destruction of property is so harshly sanctioned, while rape or harassment of the work place is rarely sanctioned.

We deserve nothing

But you probably all know that, I’m just writing down some ideas on a text file. The thing I want to get too is that we deserve nothing. We do not deserve justice. It sound harsh, I know, but when you look at it, all the justice system is build around punishing.

And if you want to not act randomly, because you know, you’re a sophisticated society built on principle from the XVIII° centuries. Principles formed by white people of the bourgeoisie, then you need to defines what should be punished and what should not. You need to establish what is the norm and to enforce it. You need to make sure everyone understand what are the personal costs of transgressing this norm, and you need to know who is behaving and who is not. You need to be Santa Claus, knowing all the dirty secrets of every kids, and decides which on will get presents and which one won’t have anything.

You’ll justify it with the Law. The Book Of The Law. We modernised the process since the biblical times (where Moses got high on drugs in a mountain and wrote stuff on marble tablets because he was afraid of losing he’s grasp on power). You’ll enforce it with a dedicated group of people: cops. And then you’ll gave them the power to sort people between good and bad guys. To do that you’ll give them the power of mass and systemic surveillance.

This notion of justice most of people wants requires mass surveillance. And prison. And a norm. And I’m still wondering: do we deserves justice? I tend to believe that, as a member of a society, we deserves nothing. We do not deserves to be happy, to have a good life, and the like. Deserving something means that, inherently, the world in which you live, should give you something.

I think the only thing we deserve, as individual, is the fulfilling of our needs (physiological and/or mental). Not justice, not love, not a family. I could insert here a reference to the Maslow’s pyramid, but the model is a bit simplistic and outdated. I don’t think the notion of justice is a need. The closest thing that would be associated to a need, is the need to be recognised, to be esteemed by other. To live in dignity and respect. And either everyone deserves that, or no one.

As stated before, prison strips individuals of their dignity, of their respect, of their esteemed (by other or by themselves). And I think the notion of justice cannot be dissociated of the notion of prison. As long as you ask for people to be thrown in prison, you’re losing your access to live in dignity.

Where do we go from here

We do not deserve justice, and I think that, in our communities, we really should work on that. Justice is an outdated system used to justify incarceration, mass surveillance and therefor systemic discrimination.

What we need to think of is harm reduction, which is at the core of the Transformative Justice theory. The idea behind harm reduction is to provide communities with tools to help them avoiding harm in the first place, and then reducing the impact of it.

That’s the idea behind collective insurance for instance. A collective effort can help reducing the burden of an accident. It requires to accept the fact that some people might not want to behave, or are not able to. And that you need to have structures to act before something happens. Calling out rapist or aggressors helps to do that, but it deprives the aggressor of the possibility of change. This is a community response to a traumatism. It does not reduces the traumatism of the victim, but it tends to reduce the potential harm that a person can do.

But I think we can go further. Paedophiles for instance are almost universally perceived as monster that should rot in jail for ever because they hurt children by kidnapping them and tying them in a closet making them their sex slaves. Which is as accurate as the depiction of rapist being a stranger that will jump women in the street to rape them and kill them.

In Berlin, a program has been started to help paedophile who did not commit an aggression. You can read about it here and it seems to be successful. They allow paedophile to talk about their issue, to have access to treatment and t manage their life with dignity and without hurting kids. This is not the only program, but a lot of them are targeting offenders (you need to have molested a child to enter some of those program)

Which is a better outcome than sending them to jail, with a so-called obligation of treatment (it did work so well that my father did get back to jail ten years after), or stacking them in prison cells, refusing to deal with them don’t you think?

I have to add that, on a community level, I think this can works well with inside violence, not from harm done by the outside. You deserve dignity, so you should protect yourself against aggression, especially as a community. A neo-nazis entering a self-managed bar is an aggression, so you should gives yourself ways to protect against these violence from outsiders.

I think that the idea of transformative justice is interesting. The idea is to change the society to reduce harm being done, not trying to repair the victims (which is restorative justice) or trying to avenge them and dissuade potential perpetrators (traditional justice).

To ease the way of harm reduction, we – as a society – needs to be able to accept that perpetrators exists and are human being. And that they can change. We need to accept that, most of the time, a victim will endure some traumas that cannot ever be repaired fully – but they can learn to lives with it. We need to accept that, as a society, we have a role to play in aggressions and mitigating them.

One of the way of mitigation is to think of what enables aggressors. What makes them act and why would they think it’s OK to act this way. With the traditional justice system it’s often the perceived impunity. If a cop will not accept the complaint made by a victim, then the aggressor will never ever be confronted to the harm he did, so he will act and probably repeatedly.

Another enabler factor, is the social status of the perpetrator. A well established person, with power over a community – because they’re doing important things – will enable perpetrator to do whatever they want, think about R. Polanski, J. Depp, J. Applebaum for instance.

That is why it is important to avoid social structures which enables people to do harm. Meaning, you should not have only one person in charge of this important thing you need your social group to survive. Every structures which have only one person in charge, will lead to harm. That is why I think it’s important to attributes success and failures on collectives, not on individual among those collective.

We also needs to think about the friends of the perpetrators. Some of them are enablers, some are afraid of consequences if they act against their friends. I also tend to think that stripping a perpetrator of his friends by punishing them for actions he did, will not help those person to come forward and discuss an issue that bother them.

I think that most of the harm reduction process is about communication and speech. Being able to talk about something, without being thrown out of a group is something important. And you should be supported to come forward, you should be accepted for that. If someone does not understand consent for instance, or have trouble with it, this person should be able to talk about it, at least to someone. Yes, it means that you need to keep those discussions private.

Last point, you do not need for everyone to agree to that. But you need to have people who wants to try it and to work on it You should also be careful about not converting them o enabler, that’s why it’s something that needs to be addressed by your communities.

I really think we have an issue with justice. We claim we deserve justice while it’s a tool made by and for the power. Or we tends to mix justice and revenge. I think we should really works on those topics. Protection of whistle blowers, privacy and other related issues cannot occur in a traditional justice system since it is intertwined with mass surveillance, systemic discrimination and the like.

I’m not advocating for vigilantes either, which is a protection from the outside (and yes, you might need, at some point, to have people who can physically resists to adversaries, but that’s a different topic). But really, if we want to reduces aggression made by member of our communities toward other members of this communities, we cannot rely on the notion of justice,

Redefining privacy

Let’s redefine Privacy, shall we?

There’s a lot of issue with Privacy. I already wrote about it some time ago, but I think that in fact the current definition of Privacy is an issue. For starters, no one is able to provide me with a definition of privacy.

Is Privacy a secret?

The definition I encounter the most can be summed up a bit like this, it’s everything that is "none of your concern". It’s the version of Privacy I used in my previous post and, I think, it’s probably the one that’s defended mostly by people who basically are not discriminated against by system of oppressions (states, but not only).

There’s two main issue with that. First, there’s thing that you cannot "hide", such as your apparent gender, or the color of your skin, and those will submit you to system of oppression – I won’t spend time to expose them, but please feel free to read some useful documentations. Second there’s the fact that secret is used to hide things – that’s the purpose of secret. You want to keep others in the dark about what’s happening. David Cameron just said that his personal investment in Panama are private matters. Conjugal rape and other in-family sexual assault are always hidden under the veil of the "private matters" that should be treated only inside the family.

I mean, clearly, secrecy is a bad thing. Not only for government, but for people in position of power and control over other. I’m not advocating for a full publicity of everything, but for a questioning of is privacy a synonym to secrecy?

Do we really want to hide all of our lives to our society? If we want to redistribute wealth, we need to know about the income of each person. If we want to act upon the discrimination women faces, we need to know about those discrimination, we need to know about who’s identified as a woman and to act upon the people who discriminate them.

If we want a world with a bit more fairness inside, we might need to be able to be a little bit more public about our lives. Society is build on the intersections and interactions we have with each other. The positive ones, and the negatives ones. The society, the cultures we live in, is not – I think – powered by the things we have in common, but by the differences we have and the different experiences we’ve been through.

So, privacy a the thing you keep in the closet is bad – go talk to queers about living in the closet to see why this kind of privacy sucks.

Also, I do not think that the right to privacy – as described by the article 12th of the UNDHR is defined by what we keep secret. This right is defined as protection against arbitrary interference. It doesn’t state that it has to be secret. It protects interferences, meaning, influence, actions, perturbations. Not about knowing about it.

The issue with mass surveillance – and why its so bad – is not because it allow a passive global observer to exist, it is because it create an active global discriminator that will sort people between good citizens and terrorists, based on what data we create. Mass surveillance described as a passive global observer is an issue. The mass surveillance complex is used by power structure to maintain their power over people, by creating and enforcing discrimination. This is clearly a violation of Privacy because it is arbitrary interfering in life of people. But it’s not because they collect the data.

This is one of the thing about mass surveillance, it does not exist in void, it exist as a political tool of social coercion. It'(s not the data collection and gathering that’s the real issue. With the amount of data collected, we could have a real source of interesting data for sociologist to help them describing our society, and gives us clue to change and improve it.

So, no. The fact that a passive global observer exist is not the issue. The issue is that it is a fact an acting and active global discriminatory system. And secrecy is only a way to protect against the passive global observer. It does not enforce privacy. It does not defines privacy. It does not helps you to protect yourself against discrimination.

Is Privacy your identity?

I’m not sure. Identity is a social concept (and a psychological one, it sucks when you use one word for two different things). It’s how you define yourself at some point in time, and how you are recognised and defined by others, based on their cultures and social cues and norms they have.

You decide how you want to define yourself, in regards with the current social cultures you bathe in. You adopt, reject, create or appropriates part of this culture to form your identity and to express to the society who you are, and how you’d like the society to consider you.

Your identity is – at least partly – publicly displayed and used by the society to interact with you. This is where discrimination will take place. If you’re identified as a woman – whether or not you define yourself as one – and the society we live in discriminates women – and we live in such society – then you’ll be discriminated.

Which basically seemed to be a good match for arbitral interfering ad specified earlier. It seems that the elements you use to define yourself, the elements used by other to identify you and to relates to you seems a better candidates for me than the one you keep secret.

What it means is that our privacy, what’s private, is the core of how we see ourselves. It’s not what we want to substract to public scrutiny. It’s how we want to be identified. And our rights to have a privacy is basically our rights to defined however we want – in a social context – without being discriminated for it.

It does not means that if you want to define yourself as a patriarcal asshole you’ll be able to act onto people as you want. It just means that defining yourself as a patriarcal asshole shouldn’t means that you’ll be treated in a specific way. The thing you’ll say, the thing you’ll do are what will bring your trouble, but not your identity.

Basically enforcing privacy is trying to find a way to end discrimination of any kind. It’s not providing tools – secrecy – to create more discrimination. Fighting for privacy is understanding that the world is non-binary, that no identity should be infeoded to another, it’s fighting for sanctioning people for what they do and not what they are.

Yeah, OK, but where’s the cryptography comes into play?

Cryptography is needed because – in a world of oppression – you need to organize yourself to change those. And to organize you need secrecy at least temporary – until you act. It is not a right has protected by any of the article of the UNHRD, but it is mentioned in the preamble:

Whereas it is essential, if man is not to be compelled to have recourse, as a last resort, to rebellion against tyranny and oppression, that human rights should be protected by the rule of law,

Meaning that, if you’re right to Privacy is not respected, then you need to react and fight for it. And for that you need secrecy, you need to hide from the spies and the forces that tries to remove your rights.

Because, in the end, the only rights you have are the one you fight for. And this is where cryptography will helps you. Cryptography will allow you to disobey, to organise dissent, to rebel, to have some time to breathe. But it will not helps you to enforce Privacy and the right to self determination.

And I think we all need to rethink that privacy is not what is secret, but it’s what makes us individuals. It what gives us the right to coexist in the same society. And this is why we all need to fight for it. Without privacy, there’s only bland human without identity. Without privacy there’s no place for non-mainstream person. Without privacy there’s no way to evolve and progress. Without privacy, there’s no I or You. There’s only us. Forced in an identity we didn’t choose, think, defined, accepted, created.

Those identities are the one created by the global active discriminator to divides us. They are the nationalist ones, they are the Charlie’s one. They’re the one of the dominant classes and we’re stuck with them, without a possibility to exist out of those scheme without being violently confronted.

We should fight for this privacy. For the possibility for anyone to self-determine themselves. And stop believing that we currently have access to it, or that cryptography will suffice.

Onionify

Hidden services

So, for those of you who never heard about it, there’s some hidden services in the wild. They’re called .onion if you use Tor – and you should.

Facebook, for instance, also have a .onion. My blog to.

It’s neat, it helps protect privacy of the user and escape mass surveillance and censorship. Anyone should do it if they’re even remotely interested in protecting their users (I mean, even facebook did it. You can’t be worse thanthem on this bsasis, except if you’re a bank).

But, users still need to know that the .onion exist, and they still need to redirect there. And the onion adresses are anything but human friendly. They’re hard to remember, and a mistake in one character might land you on a totally different website.

It would be nice that, the same way HTTPS Everywhere redirects you to https enabled website when you go for the non-encrypted version, there would be some way to redirect users who uses tor to the .onion version.

Onionify all the things

The cloudflare way

So, you can perfectly do the same thing that cloud flare is doing. Get a list of exit nodes, and – on your web-server – when a queries go from one of them, redirect to the hidden services.

It needs an updated list of exit node. Can probably be done, but then you also need control of the webserver (which might not necessarily be the case) and some cron jobs.

I need to do a bit more research on that anyway.

HTTP Headers

You can also probably add a header server side which would advertise the .onion. Or advertise address in DNSSEC zones one way or another. But then, you need the browser to be aware of that and to do those check before going on the website.

I think it’s probably the best way to do it. And it probably isn’t a lot of code (might need to do a plugin for that, to agree with everyone on a standard, and write a RFC).

Plain JS

Or you can control the browser with something on your content whch is aware of the onion. And which can check if the browser is able of using them.

That’s what JS is for. A simple HEAD query sent by the client to the onion will tell you if the client can connect to your .onion.

It’s probably dirty, it’s JS it does asks permission to do it, but the bit of script I’ve write works fine.

It can be embedded on any page to redirect to a hidden service.

Code

The code is straightforward. No dependencies. You do not need jquery for doing just a query, you need XMLHttpRequest.

It ca also be easily adaptable (just change the content of the onion variable), and it works from anywhere your client lands.

Better privacy for the user in 15 lines of JS.

The code is here, licenced under WTFPL. There’s probably way to do it in a cleaner way, and I said earier, I think it would be better to have a .onion dectection feature in the browser, but it’s there now.

And the more you’ll use it, the more people will land on your onions. WHich will improve both Tor network – more casual surf is always good – and the privacy of your users.

Have fun.

To friends.

there. But also because there’s weird things going on."""]]

Remember, Remember, the 13th of November

Hey Friend, been a long time. Usually this would be a conversation I have with you over an instant messaging media. We would argue, because I need to confront my views, and you’ll help me to step back a little bit and try to force me to take care of me.

This conversation would probably splitted across several media and people, because this is how I function, in weird ways and without focus.

On the 13th of November, coming back from le Louvres to Saint Denis – where I live – you sent me a SMS asking me if I was safe. I did heard a loud noise from the Stade de France when I was heading out the subway to my home, but since there was a match I just flagged it as "weird noise made by sports fan". I didn’t understood why I received this text.

Then, once home. I started a web browser. After receiving half a dozen a tweet of various instance of you, I reassured you by posting that I was home and safe on twitter. And then, with my room-mate and coworker we just thin about the huge amount of work that we would have to do on Monday – and even before that.

I told you, I work in strange ways. I wasn’t emotionally affected by the death of 300 people. It’s random and I knew no one there. The shooting happened in places I can happen to go, but it’s as random as a plane crash (and in fact there’s a higher probability to be killed in a plane crash than being hit in a terrorist event).

I checked upon friends (or waited for news)(yeah, I suck at maintaining friendship, I think you’re kind of aware of that now) to be sure everyone was mostly safe. And then I waited for the political disaster that will ensure. Until the next Monday I really hoped that our politicians would do something clever, like calling for respect and fraternity and unity.

You called me naïve, but if I’m not that naïve, then I turn cynical. I tried very hard to shut down my inner voices warning me of what would come next. And since you told me that being cynical might hurt you, I try to avoid that. Also it’s better for my moral and my depression.

And then our Beloved Socialist President of the Republican Democratic Palpatine ordered the Senate to vote the martial law … Mmm, no, I’m on the wrong movie here. It was the talk of Mr. Hollande in front of the congress – higher and lower chamber gathered at Versailles – when he asserted that we were at war. And that we need to form an alliance with Putin and Assad to fight ISIS. And that we need to extend and modify the State of Emergency, and the Constitution.

This is where I broke up. Syria is still a hard political subject for me. You know that since I talk a lot about it. You even asked me to get diagnosed because I might have some sort of trauma. SO, yes, this is where my emotions finally set me adrift.

What people call emotion wave or surge are – in my case – chaotic tsunamis destroying anything that might be related to reason. That’s my poison. That’s what will kill me in the end. You’re important there, in the fact that you help me resurface in those situation and kind of freeze the emotional disaster.

We talked about it. I see no hope in our current situation. Warrant-less search and warrant-less house arrest; total stop of support of any kind toward the refugees – who already had a hard time; suspension of the right to protest and, more generally, confiscation of the political debate by the politicians – Mr. Valls said that he won’t accept any discussion about the incidence of social or economic factor on terrorism; those are what we live on now.

I mean, I’m used to see army in the street of Paris. In fact, I never knew them without troops – the bombing attack of 1995 happened at a time I wasn’t that much in Paris and since then troops are always in the street. But now, their in battle suit, helmet and bullet proof vests, way to much weapon for my sanity, etc.

Cops did change also. They weren’t on a short leash before, but now they’re out for blood and revenge. Usually, even on the few forbidden protests I was at, there’s always a way to get out if you ask nicely, they will let you go without hustle – they’re basically filtering you to be sure you won’t sucker punch them, but in the end you can escape before they arrest everyone. But on the 28th of November, there wasn’t such a thing like a possible escape. They wanted to fight.

There was a public announce that unemployment was on the raise just before the COP21. And nothing in the government deemed important to say anything about it. I mean, they’re supposed to be socialists for fuck sake. They should at least says that they will work on a new way to count unemployed people, or that they will do something about it. But they only speaks about security. Mr Valls eve stating that "Security if the first of liberty" which, ironically, is a quote made by JM. Le Pen as a slogan for it’s presidential elections back in the eighties.

We have a socialist prime minister, defending a security only program, based on pricniple established by the far right movement.

That’s about the state of our politics in France. But don’t get me wrong, The FN is a bit worse than he PS in that he will actually do what they said they’re gonna do, and they plan to cut funding for planed parenthood (which depends largely on regional funding), and other nice stuff.

Politicians wants me to vote to block the National Front, in a national movement aganst fascism. But I won’t. I do not see the point on voting for a lack of response to social issues, just for the sake of protecting us against fascism. Politicians who enabled the police state, who are asking for a republican merge, who are saying that young people in teh suburb should cultivate themselves, who plans to bomb people in collaboration with Turkish, Russian and Syrian – all extremely democratic – governments, who reduce democratic life to vote, who won’t do a thing about the unemployment, wants my vote to oppose fascism?

You see my dearest friend, you asked me to look on the bright side. But it’s more than hard to do that. You told me that bitterness is like Beaujolais Nouveau. You can drink a bit of it, it can even be good – and I disagree on Beaujolais Nouveau being a good wine ever – but too much and it will kills you. Or hurt you.

I don’t know.

I work at La Quadrature du Net now. And I really try to avoid the repetitive self destruct pattern that leads me to chain burn out. Me or other staffers. Or you.

During the attacks on the 13th of November, I focused on the solidarity part of it. That’s what I’m trying to do. That’s why I keep informed on the Syrian situation by following the White Helmets.

But there’s something that is absent of our political life in France. We have traditional organisations who covers for themselves without caring about anything else than their way to power: syndicates, political parties. We do have old style NGO, advocating nd lobbying behind the scenes. We have radical groups who are busy fighting cops. But we do not have orgs who works on party. Militantism in France is a serious business. And if you’re not working yourself to death you’re doing it wrong. ANd you end up without anyone willing to take up the fight, to think on long term strategies, to federate smaller groups who exhausts themselves beyond repair.

And I hear you. I need to focus on the positive sides. So that’s what I’m trying to do. There’s some good stuff happening. LQDN is finally having a nice and more inclusive community – there’s a lot of effort to do, but it’s in progress. I’m working there to build tools to bother our deputies – piphone and similar stuff, provide tools to flatten the democratic process. Or at least to help the circulation of information.

And that’s my target. You said me that we’re in for a long fight. I’m not even sure we can win this fight, and the nihilistic part of me keep thinking that it’s useless. But since I try to not killing myself, I need something. If I can bother an intelligence officer, a head of office somewhere, deputies or senators, ministers or head of state that’s a win.

If, when they see us, in the press, or elsewhere, or when they hear about us those people think "Oh no … not them again … my day is now ruined" then, it’s a win. It won’t makes them stop doing shit, but at least, I’ll smile when thinking about all the pain they’ll get.

And in the meantime, we should try harder working with other small organisation specialised in other aspect of the fight. There’s a lot to do with queers, feminists, ant antiracist groups. And I really think that’s where I can help – beyond the purely technical point.

So, you see, I’m trying to stop sipping the bitterness part of things. It’s hard ’cause I’ve turned cynical/realist. And because I love the bitterness. But you’re right. I should stop drinking it.

I’m happy you’re here. Because at least I can talk to you. And there’s here also. This post is fucked up, and makes no sense. But I think it’s a bit like what’s the political life looks like. Socialist calling voters to vote for traditionalists.

It’s fucked up. But I’m gonna ignore that, because it’s useless and I can’t spend any more energy on that. I’ll focus on building things.

Fluctuat, mergitur

Fluctuat …

I don’t think I need to recall you the events of teh week-end. They’re, like, everywhere on the internet, just grab any website and get a deep look into it.

I did not personally suffered from the shootings and the death of those people. Nobody I know was there, and given my current mental state I kind of grew an emotional dampening for this kind of horror. So, except for the checking on people and the continuous anxious flow of data and information coming from the TV of the twitter, I’ve essentially gone through the events unaffected.

I did not join the spontaneous meetings – because I’m still having issues with crowd, and paranoid crowds are the worse – but we did celebrate a birthday in a bar Saturday evening. In one of the – usually – most crowded place I know to drink beers, which was almost empty. Unusual things happened, like strangers checking on strangers while crossing path in deserted streets.

But mostly, I’ve been through it untouched and unaffected. It’s hard for me to feel empathy and emotion those days, and when I’m not keeping them at bay, I’m learning how to induce and emulates them, in a not that much destructive way.

I’m getting good now at detecting thought patterns that lead to anxiety crisis, I’m able to decide with feeling I wanna run in my brain – more or less. It’s an extremely artificial process, but not everyone can manage their emotions as you do. Mine are tsunamis and typhoon destroying any bits of rationality I can have, and it ends up with me boxing walls until I broke my hands or drinking myself to the point I’m unable to feel.

So, I basically removed those feelings, and gone through the motion. Focusing on people helping each other, closing myself into music and drawings, stuff like that, because the anxiety provided by continuous access to information is just the worst thing that could happens to me.

I rode through the horror with detachment and cynism. I was thinking about all the work we – since I’m working at la quadrature du net right now – will have to do on the coming days to check up freedom and civil liberties. But besides that, I was okay.

And then, during the week-end, I’ve seen fluctuat, nec mergitur everywhere. The Paris motto. People were defending their culture of getting out and drink wine, and coffee, partying. People gathered around what has been – in their perception of things – under assault: the parisian way of life (and, as Jon Oliver said it – good luck with that).

And people were already falling into the us VS them trap. Stating that we – the one who party the one who get drunk, the one who don’t respect anything – are the good guys, and that anyone who would disagree with that are the bad guys.

But people’s heart is not at partying. Mine neither.

Mergitur

And then, there was the Congress. For the one not familiar with the French political institution, the Congress is the gathering of the senate and of teh parliament at the request of the President, and it is gathered essentially for Constitutional patch and updates.

Before that, our President established the state of emergency. Basically, it removes the Habbeas Corpus, and allow for administrative house searching – warrantless house search – among other thing (it also grants prefect of police the capacity of establishing a curfew, it stops the rights to gathering, and close most of public space).

And the president then made a discourse before the Congress. He said mostly three things. First that our freedom is partying and going to bars. Everyone seems to forgot that my freedom is also resisting to injunctions, or asking for respect. Second, that we must go in war against Daesh/ISIS. Which means that we need to sit at a table with Poutin and Obama to found a solution for the Syria crisis – meaning they will work with Assad. Third, he asked for a two month prolongation of the state of emergency and a patch of the constitution (especially the articles 16and 36)

And then, everyone in the assistance applauded. And sang the national anthem. In an extremely nationalist way. And no one was there to oppose that. Every single parties represented as basically followed the president talks about the state of emergency.

And everyne was happy, because we were told to party. We had to. To get drunk is now a sign of resistance toward the horror. And no one cares that no ones is actually trying to fix things. No one cares hat the state of emergency will be updated to account for "new technologies", no one said a thing about the Kurd and rebel in Syria that will get the heat from the French alliance with Russia in Syria.

And I could not stand this. I hoped that, for once, things will indeed go in the good way. But nope. Our freedom has been restrained to the freedom to party. And I’m down. Really. The city that could take anything, that’s proud of its stoicism is drowning.

And I’m crying. I’m crying because I’ll get used to it. In the end, you’ll get use to it. That’s the horrific part. I’m used to the military in the street, I’m used to the suspicion toward refugees and foreigners. I’m used to the fact that politician just don’t care. I’m used to be in pain. But I do not see the point of living.

If it’s just for the pain, then why should I? If there’s nothing but more pain incoming, what’s the point to even bother at standing up in the morning? I’m down the lane. I know how it’s induced. I should eat, I should take some rest. But I do not understand the point, I do not see it. The hope is a lie, there’s none.

GMail … seriously?

[[!meta description="""No, seriously, people are arguing that GMail is in fact a good choice to protect your privacy online. They might be on

GMail: why it’s not a good thing

This post is an answer to jbfavre post[FR], in which he state that – from a metadata point of view, your safer in the mass and so in gmail for instance than if you self host yourself.

In the conclusion he goes on saying that the best choice would be to hand over your mails to associations or small business – which I might agree (under specific concerns).

But he’s not the only one stating that your better with a gmail account than one on your own domain name. manhack and others are also arguing that GMail is best to evade the mass surveillance.

Those person suggest that using GMail, is simple and Google has a lot of cash to invest in security. They’re also trying hard to hinder NSA mass collection of data effort, but I think saying that using Google service is a good way to enforce your privacy is an intellectual bias.

I think this idea come from a misconception of what mass surveillance is. Mass surveillance is the intricate surveillance of an entire or substantial part of a population WP.

On the internet, the mass surveillance is done by a systematic collection of all data and metadata, their archiving and indexing and the fact that action and decisions are made on the results those data will show.

In France, there’s a specific concern because it’s now legal for our government to intercept all the communication and analyze metadata. Then there’s a fallacy stating that if we all use the same host and the same encryption, then it’s impossible for the state to know who’s talking to who and when; opposed to the case where everyone have its own host and its "relatively" easy to know who’s speaking to who and when.

It comes from the fact that, if I’m the only one receiving and sending mail from this computer, then you just need to get the TCP handshake to be sure that someone is talking with me. So it would be safer to have some kind of proxy somewhere, to mutualise those connections and to raise the cost of surveillance isn’t it?

Except that this answer is valid if and only if you have some conditions:

  • The proxy is not itself part of a mass surveillance system
  • The mass surveillance you’re trying to hide from does not go further than just getting the TCP protocol of your connexion
  • Your correspondent also use this sort of mass proxy, or it would be easy to know when he’s talking

So, let’s see what’s the case with gmail.

Is Gmail involved in a mass surveillance system?

The obvious reason would be yes. At least because they can be coerced by the NSA to provide data to the NSA. Even if their was actually few uses of PRISM, the fact that they’re forced by law to collaborate is not a good thing.

You would argue that it’s just the NSA spying on us, they cannot actually do things to you if your not a US citizen which is false. Because there’s at least the Five Eyes coalition, meaning that data gathered on you by the NSA will be shared with other agencies from other government.

Also, I think that saying that NSA mass surveillance has no effect in you is a lack of understanding of what are the impact of mass surveillance, I will not elaborate on that, others are doing that better than me.

But there’s also something else that I want to elaborate, and that we miss in the "governments are evil" stance. It’s the fact that google is collecting and analysing a lot of data. From your GMail data (and metadata) to your search, video historic, or even the blogs you read. They analyse those data and take actions – to present you more accurately targeted advertisement and search recommendation. Basically, they’re doing mass surveillance on their own.

Google is part of the problem. They cannot be a part of the solution to get out of mass surveillance. Sure, they won’t kill someone simply based on metadata you’ll say. But they’re doing something worse, they won’t expose you to information that they deems unrelated to your interests, and you won’t even notice it.

So yes, Google – and Gmail – is part of a mass surveillance system. They might not be collaborate willingly with governments, but they do it at least for their own profit.

Are the mass surveillance system only targeting IP traffic?

We know – since the exposure of a lot of the NSA nasty stuff – that a lot of government have the capacity to intercept traffic on a global scale. The fact that your traffic goes to a datasilo such as google ones, or goes to your own server at home makes no difference, they’re intercepted the same way. What would change is that they would need to get the email metadata from the email you send from gmail, while they do not need to decode them if everyone is on their own box.

But.

They’re already doing that. Equipment setup to break TLS, intercept email communication and compromise your endpoint are already used. So they do not get any benefits to going for something lighter. If you send an email from gmail to another gmail account, those natsec agencies can already read it and extract the metadata they need.

And since stuff like Palantir, hacking team or gamma international are all known companies who are selling solutions to our government. Those solution are based on the infection of your endpoint (your smartphone, tyablet or computer) to not bother with breaking the cryptography of your communications.

After all, if they can read what is displayed on your screen, why should they bother intercepting your TLS connection to a hidden service in Tor?

So, thinking that, being alone on your node, is a compromise on your anonymity is apparently wrong. You do not add metadata to the collection they already have (they already get the headers of your emails, no matter what).

Also, there’s a last one that nobody thinks about. If everyone is on GMail, then you just need to compromise GMail to get all the ddata you need. Just one company. Yes, hacking into Google is something out of my personal scope, but if you’re willing to, you can dot it. It has been done by China before, and I see no reason for things like that not happening again.

Hacking into GMail is just an enormous prize, you get it you can really improve your intelligence. Especially if you stay undetected. Put all one’s eggs in one basket generally ends with an omelette. Even if it’s a titanium basket.

Applying this principle, I then need to have my correspondent apply it

Because communication is – at least – two ways, if you want to protect and hide a communications, you need to protect both ends of communication. So, applying this means that everyone should get a gmail account, because it’s safer for everyone.

I mean, You use GMail and I’m not. I’m running my own mail server. So, you hiding in the crowd does not works, because if I’m getting compromised – and since I do not have Google grade security – you’re being compromised too (after all, they’ll be able to get metadata of the mail you sent me).

So, for this fallacy to be true, you need everyone have a GMail account. Which will makes things worse because, hey, they’re part of the problem – as stated above.

Doing that is exactly than not encrypting data or using Tor because "it would looks suspicious". It does not. Protecting your privacy should not looks suspicious. If you think it is, then it’s kind of too late, you’ve already ate the states toxic memes of security. But let the ones who want to fight them do it.

No, Gmail, Yahoo, Facebook, Twitter, Microsoft or Amazon will not ever be a solution for privacy. They’re part of the problem.

However, there is one specific case where GMail might be a not so bad alternative: throw away mails (as suggestsed by OaklandElle. Besides that? No. It will not improve your privacy, quite the other way around.

Solutions? Stop the dragnet and mass surveillance. Which you can do only at societal and political level. And give a try to the [internetcu.be][] if you’re looking for self hosting, it works. Mostly. It won’t give you better security, but you’ll definetly have better control. And even if you’re still monitored by state, at least you won’t be monitored by an advertisement selling company.

[UPDATE] After talking with jbfavre on twitter, it seems that I didn’t understoof his point. He did not want to advocate for a massive use of GMail as a way of protecting yourself, but rather for small associative clusters.

I think that it’s a good option. Simpler for most people than going full self-hosting, and sufficiently decentralised to hinder the mass collection of data. It’s not the ideal choice – but then we cannot asks high risk people to have their data in their home where it will be seized by cops – but it’s I think a good trade-off between privacy, ease of use and safety.

I’m tired of this shit

[[!meta description="""I’m getting really tired and bored about those crypto nerds who do not understand threat models, general public and who assume they

Shooting the ambulance

It seems that there’s a national sport among crypto nerds, and it’s shooting the ambulance. Yeah, I know, I’ve been kind of naive thinking that some people with common sense could be more vocable than the people who enjoy ranting on stuff, saying that this is shit, and that only them know the truth.

I’m speaking specifically about the own mailbox project and the torrent of flame and more or less accurate accusation it received from @aeris in this three posts. I also like to point out that the answers provided by the Own Mailbox team doesn’t makes them right. There are issues with the project, but I do not think it’s a reason for burning them alive, but instead would have been interesting to help them to improve.

This is something aeris have an issue with – I already pointed that out in the way Crypto Parties are ran around here in Paris.

The point he’s missing in those articles is – as always – what is the threat model own mailbox tries to solve; as well as mixing up a lot of things (blaming a mail server for the insecurity of TLS or for the possibility of MitM attack is … out of scope).

So, let’s try to think about that.

Everything is broken

First, as Quinn Norton once wrote, if you pretend to work in the security and tries to improve the safety of people, you have to acknowledge that: Everything is brooken. It basically states that there’s no way to have a secure system. It does not exists, it will not exists any time soon.

If you look at a project like own mailbox, where you will display decrypted text on an end-point – because if you’re not you’re either using bad crypto or no-one is actually reading the content.

Eventually, you’ll have decoded data – sensitive data – displayed and stored at least in memory of a computer. A computer which is flawed by malware, spyware, adware and other nasty things. Whatever your crypto level is, even if you have a fully patched computer with as few software as you need, you’ll probably have some 0-day active that a motivated attackers can exploit to get access to this memory.

It means that, with a sufficient amount of time and of motivation, someone else than the emitter and recipient of the message would be able to get their hands on your data, for the simple reason that – at some point – you need to read it.

And if you have a bullet-proof mailbox – which is the promises made by own mailbox – well, it’s way much easier to target the end-node and to read the mails at the same time as the user.

After all, Hacking Team was doing basically exactly that. And there’s no reason to believe that they were the only one to do that.

And no, free software will not save you there, with so many attacks on web browser, or PDF, it’s not enough to run free software on your computer. One way to solve this issue is to use an air gap computer, a computer that have never been and never will be connected to a network of a kind. It means you need to burn your mails on a CDRom or a DVDROm and to check them onto the airgap system.

And this is something you cannot do with the general public. Because maintaining such a computer – set asides the financial costs – requires time. Like at least one hour a day. Every day. And to get a good understanding at how the computer works. Which is something a lot of people – because they do not want to or because they cannot to – won’t do.

Also, assuming that the average computer/smartphone/tablet/whatever security is higher than the one of a small brick that cannot be easily improved and extended is a hell of a mistake. Key generation whould only be done on airgap computer with hardware random number generator if you want to have really secure keys – and stored on a read-only devices.

Never forget Jessica

This is the second most important error done I think. We forget about Jessica. Specifically we make two mistakes. The first one, that everyone is willing to spend a lot of time figuring out their safety and to protect themselves and their relatives against a theoretical threat.

Let’s stand back a little bit. We already have hard time to have people using simple means to protect themselves against a real threat like AIDS, syphilis or other STI – use condoms people. Seriously – how would we have them protect themselves against philosophical and political threats?

Especially if we expect them to understand things that could take some months or years to get by? What is the point of full-encrypted mail? What means end-to-end? What’s the NSA/GCHQ/insert-your-own-agency-here doing exactly? And why they’re doing it? They’re trying to protect us, of course. Against terrorism. That’s what they said.

If you want user to actively use crypto, you need them to not think about using it. And if you focus only on the technical issue, you’re missing the point that it’s a political one. Because if your government wants to spy on you, they will sub-contract a hacking team like, and you’ll be screwed.

This is what – I think – aeris is missing. The people who’ll actually get the own-mailbox are people who already understand why they need to protect themselves (yay, there’s actually some of them out there), but who can’t afford to host themselves another way – essentially by a lack of time and of skills.

People who will get these kind of devices are not the hard core activists who tries to avoid cops enter their house to seize computer look-a-like devices. Because, in this situation, hosting your mail in your office is useless at best, dangerous at worst.

So, most of the people who will use this kind of device or services aren’t really people at risk of being sent in jail because they sent an email. They’re probably the one who will use it as a nice gadget, on a side.

This kind of devices have no chance to ever be used in life or death situation. And even if they were, crypto won’t protect you from bullets.

Also, everyone seems to think actual people uses email. They’re not. Less and less. We’re using Facebook messenger, twitter DM, GMail (which is less and less compatible with third-party clients), WhatsApp, SnapChat, SMS, etc …

I’m not saying that it’s a good thing. I’m trying to understand who are the people who’re gonna use this. And it won’t be the social-media addict who only uses a Mac and GMail, it won’t be the Uber Nerd who uses only mutt and altern.org emails, nor will it be company – because they can’t handle the load on those devices.

It won’t neither be the poorest people who do not have access to a correct enough ADSL line. So it will be people who already understand what it means to being watch and wants to add a little bit more security on their devices.

The thing is, we won’t get everyone doing key management the perfect way for – at least – two reasons. The first one being that no one know what is perfect key management. The second one being that even the crypto nerds fails at it on a regular basis.

So this is it.

I really think that own-mailbox commercial team have an issue. Their answer is out of scope. There is some issues to be addressed. The funnier one is pretending that needing JavaScript for a webmail client would be a security issue … it will be if you’re living in a place where there is MitM interception on the line + a way to tamper with TLS. Which is typically the case where you do not want to have a box with all your emails in your houses.

But going after them, saying that the devices is blatantly flawed without even having one at hand in the first place is kind of stupid and counter productive. There’s an issue around the terms used (100% secure is always false), but I believe that – since it’s a free software project – aeris could have, at least, open bugs or ticket. I did not find a repo for own-mailbox though – didn’t look for it hard neither.

But aeris choose to get out for blood. Yes, this porject is far from perfect, but it’s still a plus, and if it gets some people to use more opportunistic crypto, then it’s fine enough for me.

aeris, you really should understand that no, no one can use the tools you’re using as part of their regular routine. And in most case it’s not even a

Crypto fallacies

This post is a follow-up on what I tweeted yesterday – hours before the constitutional council gave its approval of the new French Intelligence bill. First tweet is here

Where I come from

Before writing this article, I think it’s important to give some context about what I’ve done the last few years.

So, before joining the Telecomix Crypo Munition Buro and #telekompaketet, I wasn’t that much in security and crypto. I learned that on the late, and with some specific goals in minds – I’ll be back to that later. I was a mercenary sysadmin, working for anyone willing to pay me to maintain their system.

I didn’t understood the difference between free software and open source back in the time, neither was I aware of a lot of issues in the world. Looking to it through my small internet periscoped visor. Most of the news I was reading back in the time were tied to computer, video games and – to some extent – foreign diplomacy.

Not the mainstream media, but not much better. I worked for government and the police – maintained the fingerprint database used by cops and sold by the former Sagem – now known as Morpho XL. I worked for oen of the traditionalist newspaper. For startup trying to build customer profile and senders of millions of mails.

But I was reading those few news. I was joining the twitter (2009 … damn, that’s already 6 years?) and already having fight with people humping on the Facebook boat.

Because what was clear for me was that my privacy should be kept under my own personal control, not under the control of anyone or anything else. I always been shy about sharing data over over public and free network who will track you in the end.

I got this habit of watching for my privacy since high school. I accessed the internet for the time at this time. And at home we even had high-speed internet (512 Mbps in 1997, was part of an 31337, not chasing for those AOL 50h of free internet CD Roms).

I got this habit not because of the teaching of someone, but because of my father. See, my father wasn’t an abusive one. He was kinda distant, avoiding me, but he was not an abusive one. At the time we had internet and when I discovered some of the endless possibilities of the computers being connected to each other, I also learned that my father was a paedophile. He has been convicted for that. Twice. At least the second time it was related to detention of pictures from internet.

Yep, that’s about how I learned how it was important to understand how things works and why it was paramount to protect your privacy. Because cops would breaks into your house and seize your hardware for the sole purpose of you living in the same house than a sexual offender.

So, everything started there for me. Since then I always had a full encrypted drive, I’ve used the privacy mode in my browser as much as I could, I learned to delete cookies and Internet Cache on a lot of browsers (from Netscape Navigator and Mozaic to chrome to Internet Explorer 6).

This is when I started caring for the law about computers and communication. And censorship. I did not really get a grasp of what politics where, but still, I was keeping an eye at it.

Got a degree in computer science and got working, trying to earn my independence and to get out of my parents house – almost 20 years later I still can’t speak to my father and yes, it’s part of the reason I’m severely depressed – and so on.

We’re now in 2009, end of the year and I’m bored at work. There is a lot of signal coming from Tunisia that things will getting ugly there. That’s when I started to act for someone else than me.

I was self hosted, so I had spaces. And root access to my servers. Slim Ammanou was interviewed in some media I was reading (Cant’ remember if it was Read Write Web fr or the blog of Jean Marc Manach, not really important I guess). And some people were doing mirrors of censored blogs in Tunisia.

I was bored, I did knew bash, so I scripted some things to help. WHen someone figured out that the ATI was dropping the SSL around facebiik to catch login and password, I crote a one line that could generates gigabytes of fake password for a specific account.

And someone told me to join IRC and #telekompaketet@irc.telecomix.org. I haven’t fired up an IRC client since the 2000′ so it felt a bit odd, but then a lot of things changed for me, starting with the immolation of Mohamed Bouazizi, the Egyptian revolution and the Syrian civil massacre.

During those last five years I developed my security and crypto skills, and tried to train activists who needed it to communicate. I’ve quit my job and worked for an NGO for nearly a year and a half, chain burning-out myself to the point of severe anxiety disorder and depression, mixed with my attention disorder it doeswn’t goes well.

So this is where I come from. I hope that it will helps you to understand what and why I’m going to say the next few things.

Crypto fallacies

The crypto fallacies is to think that your freedom relies on the tool you use. That, if you use the correct tools, in the way they’re intended to, then you have nothing to fear from an oppressive regime.

It’s false, first because IT security on the general computing is a disaster – and I’m not sure it can be fixed anytime soon – but lmost of all it’s false because you’re opposing an oppressive regime.

If you’re not actively opposing an oppressive regime, you’re silently accepting it and then you’re an accomplice. So, you’re opposing an oppressive regime. An oppressive regime as one specific characteristics, it’s using arbitrary detention and arrest to spread terror and keep thing under control. And no amount of crypto can fight that.

I’ve seen kill list in Syria, written with a carbon pen on a piece of paper. Based on denunciation by neighbors, assumptions by people or just because people did not live in the correct address. I’ve seen people getting shot for no other reason than their skin color, or the way they were dressed.

But most of all, I’ve seen people getting arrested, tortured and shot at because they were protesting into the street. And that’s the thing cryptonerds needs to understand. In the end, the purpose of an activists, is to get in the street, to oppose – violently – the state, and end up in jail (in the bes case scenario). The crypto, or the tech gyzmo you can provides them with won’t prevent that.

Also, if your freedom relies on a specific piece of tech, or a specific knowledge, it means that each and every people who has no access to it can’t be free. Which raises an issue that I have not seen adressed by the most vocal voices in the OpSec for activists people. Sure, you can do IT Training in Mali, but when you have power outtage several hours a day and when the temperature will frequently raises above 40°C, most of our tech is made unusable – believe me, we tried that.

I’ve also seen crypto nerds going extremists and refusing to even consider talking to an activists over an unencrypted channel. That’s an interesting stance since then, the activist would never know how to do that

That’s also a good way to forbid communication, which is mandatory for coordinating actions, getting information out, and care about people. If we would follow those extremists, we would end up in an autistic mode without communicating because it would exposes you to a risk. Risk that still needs to be determined.

And, in the end, if you want to undermine and destroy an oppressive regime, you need to accept the risks. You need to accept that you’ll end up in jail. You need to accept that you’ll be beaten up. You need to accept the fact that if you do not take the streets, then it’s your opponent who have them. And you need to take that back.

And you cannot do it from a computer.

Sure, sysadmin and service operators providing good opportunistic cryptography, with fluid interface and where the security doesn’t get in the way of the user, while protecting their users from the government are needed – and it’s the path I’ve choose, but you have to accept that it’s illegal in most states. Even in NATO countries, or in the EU.

But those sysadmins won’t be protected by crypto. Their freedom is at risk as soon as they decide to fight and to help. And no crypto tool you can use can tight your organisation to a point where no exterior influence can destroy it. We’ve seen it before – with Sabu for instance – we’ll see it again because that’s how things works.

The only thing crypto will buy you is time. This time should be used to coordinate, to share, to care, but it won’t get you out of jail (even TPB founders did serve time). But that’s about it, once you’ll be in the street, you’ll end up in jail whatever the crypto you’re using.

And that is called OpSec (Operation Security). The purpose of OpSec is to be able to run an operation. If the crypto you’re using makes you unable to run it, then you’ve failed your OpSec. And running no Operation is also an Operational failure.

So, yes, crypto is usefull, because it gives you time and space to breathe. It allows you to get some room to distress and coordinates. But your freedom does not rely on a piece of tech. It relies only on you to take it.

Go into the street.