PJL Renseignement … stop fleeing!

PJLRenseignement

If you haven’t heard, there’s an emergency law currently “debated” in France, which wants to legalize illegal practices from the Intelligence services (both domestic – DGSI – and foreign – DGSE) and gives them impunity, circumvent the judge, and goes to a massive discriminatory surveillance.

The hashtag is full of report of people opposing it (from Human Right defenders and NGOs to citizen collective such as LQDN to companies and business of all scale). So yeah, it’s the law NSA’s head is dreaming of.

There’s two issues I want to discuss at hand. Not sure how it’ll end, but here it goes. The first one is why fighting surveillance is – in my opinion – the wrong fight and the wrong way of doing it, there’s more to this than just surveillance. The second is about all the geeks and hackers trying to flee out of France, to move their businesses out of it and other “abandon ship” strategies.

Fighting surveillance

So, surveillance. As Quinn Norton and Eleanor Saita stated one year ago in their talk at 30C3, surveillance – in itself – is not inherently good or bad. Surveillance is watching, and – when you want to interact on something – you need to watch it. It’s hard to grab precisely something in the dark (you can do it, but it’s hard).

You need surveillance to expose corruption for instance. Or fascism. Or any wrong doing in fact.

So, the issue discussed is not – and should not be – the surveillance per se. The issue is that this whole process is secret, hidden, non documented, without control or regulation.

What does it mean? First, it means there’s an asymmetry in information. Something knows more about me than I’m able to know about them. What you do not know controls you, it means that this imbalance of power makes the state having more control over you.

It makes them able to act upon you on a discriminatory way. The gigantic issue here is that. It’s not the surveillance, it’s the lack of control. It’s the fact that no one is watching the watchers and have way to act upon them. What frighten me most in this law, are the wording used “secret defense”, “higher interest of the state”, “impunity for state agent” and things like that.

I’ve ranted on twitter about the black boxes that will be able to algorithmically identify threats. The thing is a lot of people lost sight of what an algorithm actually is.

It’s a parametric mathematic function applied to a set of data in order to classify information – or at least that’s what is intended in this specific use case. The magic words in algorithm, machine learning, classification system is just this: parameters. The way you choose your parameters will change the way you classify your data.

How many occurrences of jihadist related news you need to have in your browsing history to be classified as a jihadist? Hom many hours a day you spend in this chatroom? How many times a week you go there?

Those numbers – the one that we as citizens will never heard about – are political tools. The way you choose them, and why you choose them create classification of people and will make you decide who needs to be swatted or not. That’s where the ugliness begins. Those numbers will be chosen to discriminate people depending on their backgrounds.

I mean, they’re already discussing about exceptions for surveillance – especially for journalists – which means that they’re clearly lie when they say it’s an anonymous data collect, they’re already discriminating people based upon their traffic.

So, the surveillance is not the issue. Neither is the privacy. The issue is the lack of control. The issue is the absence of transparency. And stop fighting surveillance saying you have a right to privacy. That’s true, but then it enable politician to call for the “right to be forgotten” which will only help them evading justice.

The issue is that mass surveillance, done by an oppressive system is a tool of segregation and racism. Because in the French context where we do not speak about Arabs anymore, but only about Muslims (and in a way that makes people think that all Muslims are Salafists and potential terrorists), I’ll bet 2 BTC on the fact that they will be the one specifically targeted by this surveillance.

Same goes for the poorer of us. Who happen to be the ones who are not the white guys, who are also the ones who fight for survival and acceptance at all time. I’m quite sure that if the system catchs a white and rich guy, he will go in the false-positive trash and nobody will incriminate him.

So, stop fighting surveillance for the only sake of it. I should not need privacy in a non-oppressive system – that’s even how you determine you’re leaving in a non-oppressive regime: what you do and what you are cannot be held against you as long as it does not threaten the safety of someone else. But go fight the state implemented discrimination.

Don’t run away. Fight.

Which leads me to this other point. We – as citizens, as a collective – need to fight that. I refuse to abandon the ship. I’m witnessing a lot of data-exodus. People actively looking to host their data abroad. Commercial companies – such as OVH – are looking to build datacenter elsewhere.

I can understand why a company would do that. They would because they intend to respect the law. Because they do not want to risk their existence to protect their customers, so they’re running away. But the thing is, if you flee, then what will happen when the country you’ve fled to will also change their law and regulation? Flee again?

That’s not a sane way to do thing. That’s why we have civil society, to oppose the state, to try to restore a bit of balance in the power repartition. If you flee, you say to the state: you can do whatever you want, I just do not care about it.

If you’re a big company, which a lot of money, yes, it might have some power against the government, they will have to choose between reinforcing their power or keeping some jobs in the country. But, well, if the state initially wanted to defend their citizens best interests they won’t be trying to deprive them form liberties, right?

So, fleeing will only preserves you. And, well, you’re still a French company, with offices in France, so you still need to obey the law. OK, you’ll be somehow outside of the DGSI reach. But your customers won’t, since they’ll still be in France and they’ll still connect to your infrastructure from France, from inside the Dragnet. Which, basically won’t protect them and can even gave them a false feeling of security – which is worse.

What can you do? It’s time to protect your customers, your users. The people who’ve put trust in you. You do have a choice – and it’s not an easy or simple or risk-free one. You have to choose between taking care of your users, and actually hold the promises of security you’ve done to them or obeying the law. That’s call civil disobedience and yes, you can end up in jail. But you’re not alone, and a legal defence fund is something you can create or ask for help.

Yes, it might seem easy to say. But that’s what I intend to do with my project. Providing tools for activists and militants groups who need them. In a way that will try to preserve most of their privacy. I do not intend to respect the law to do that. I do not intend to hide myself.

Hosting data for other people is a political statement. I’m sick of hearing people asking for a country where they could safely hosts their data. You can do it wherever you want, if your government has decided to jail you, they will be able to do it – wherever your data are. What we need is not a list of foreign hosters who are out of the French territory and jurisdiction, what we need is a government who actually protects us, not themselves. What we need is actually to take a stance.

Privacy café, camp, cryptoparties et al is good and nice, but it does not solve the main issue. When are we really going to show those who’re in charge who actually is? When are we really going to send them a middle finger?

Do not flee. Do not let them scare you. Fight back. Federate. Protect the