Fluctuat, mergitur

Fluctuat …

I don’t think I need to recall you the events of teh week-end. They’re, like, everywhere on the internet, just grab any website and get a deep look into it.

I did not personally suffered from the shootings and the death of those people. Nobody I know was there, and given my current mental state I kind of grew an emotional dampening for this kind of horror. So, except for the checking on people and the continuous anxious flow of data and information coming from the TV of the twitter, I’ve essentially gone through the events unaffected.

I did not join the spontaneous meetings – because I’m still having issues with crowd, and paranoid crowds are the worse – but we did celebrate a birthday in a bar Saturday evening. In one of the – usually – most crowded place I know to drink beers, which was almost empty. Unusual things happened, like strangers checking on strangers while crossing path in deserted streets.

But mostly, I’ve been through it untouched and unaffected. It’s hard for me to feel empathy and emotion those days, and when I’m not keeping them at bay, I’m learning how to induce and emulates them, in a not that much destructive way.

I’m getting good now at detecting thought patterns that lead to anxiety crisis, I’m able to decide with feeling I wanna run in my brain – more or less. It’s an extremely artificial process, but not everyone can manage their emotions as you do. Mine are tsunamis and typhoon destroying any bits of rationality I can have, and it ends up with me boxing walls until I broke my hands or drinking myself to the point I’m unable to feel.

So, I basically removed those feelings, and gone through the motion. Focusing on people helping each other, closing myself into music and drawings, stuff like that, because the anxiety provided by continuous access to information is just the worst thing that could happens to me.

I rode through the horror with detachment and cynism. I was thinking about all the work we – since I’m working at la quadrature du net right now – will have to do on the coming days to check up freedom and civil liberties. But besides that, I was okay.

And then, during the week-end, I’ve seen fluctuat, nec mergitur everywhere. The Paris motto. People were defending their culture of getting out and drink wine, and coffee, partying. People gathered around what has been – in their perception of things – under assault: the parisian way of life (and, as Jon Oliver said it – good luck with that).

And people were already falling into the us VS them trap. Stating that we – the one who party the one who get drunk, the one who don’t respect anything – are the good guys, and that anyone who would disagree with that are the bad guys.

But people’s heart is not at partying. Mine neither.


And then, there was the Congress. For the one not familiar with the French political institution, the Congress is the gathering of the senate and of teh parliament at the request of the President, and it is gathered essentially for Constitutional patch and updates.

Before that, our President established the state of emergency. Basically, it removes the Habbeas Corpus, and allow for administrative house searching – warrantless house search – among other thing (it also grants prefect of police the capacity of establishing a curfew, it stops the rights to gathering, and close most of public space).

And the president then made a discourse before the Congress. He said mostly three things. First that our freedom is partying and going to bars. Everyone seems to forgot that my freedom is also resisting to injunctions, or asking for respect. Second, that we must go in war against Daesh/ISIS. Which means that we need to sit at a table with Poutin and Obama to found a solution for the Syria crisis – meaning they will work with Assad. Third, he asked for a two month prolongation of the state of emergency and a patch of the constitution (especially the articles 16and 36)

And then, everyone in the assistance applauded. And sang the national anthem. In an extremely nationalist way. And no one was there to oppose that. Every single parties represented as basically followed the president talks about the state of emergency.

And everyne was happy, because we were told to party. We had to. To get drunk is now a sign of resistance toward the horror. And no one cares that no ones is actually trying to fix things. No one cares hat the state of emergency will be updated to account for "new technologies", no one said a thing about the Kurd and rebel in Syria that will get the heat from the French alliance with Russia in Syria.

And I could not stand this. I hoped that, for once, things will indeed go in the good way. But nope. Our freedom has been restrained to the freedom to party. And I’m down. Really. The city that could take anything, that’s proud of its stoicism is drowning.

And I’m crying. I’m crying because I’ll get used to it. In the end, you’ll get use to it. That’s the horrific part. I’m used to the military in the street, I’m used to the suspicion toward refugees and foreigners. I’m used to the fact that politician just don’t care. I’m used to be in pain. But I do not see the point of living.

If it’s just for the pain, then why should I? If there’s nothing but more pain incoming, what’s the point to even bother at standing up in the morning? I’m down the lane. I know how it’s induced. I should eat, I should take some rest. But I do not understand the point, I do not see it. The hope is a lie, there’s none.

GMail … seriously?

[[!meta description="""No, seriously, people are arguing that GMail is in fact a good choice to protect your privacy online. They might be on

GMail: why it’s not a good thing

This post is an answer to jbfavre post[FR], in which he state that – from a metadata point of view, your safer in the mass and so in gmail for instance than if you self host yourself.

In the conclusion he goes on saying that the best choice would be to hand over your mails to associations or small business – which I might agree (under specific concerns).

But he’s not the only one stating that your better with a gmail account than one on your own domain name. manhack and others are also arguing that GMail is best to evade the mass surveillance.

Those person suggest that using GMail, is simple and Google has a lot of cash to invest in security. They’re also trying hard to hinder NSA mass collection of data effort, but I think saying that using Google service is a good way to enforce your privacy is an intellectual bias.

I think this idea come from a misconception of what mass surveillance is. Mass surveillance is the intricate surveillance of an entire or substantial part of a population WP.

On the internet, the mass surveillance is done by a systematic collection of all data and metadata, their archiving and indexing and the fact that action and decisions are made on the results those data will show.

In France, there’s a specific concern because it’s now legal for our government to intercept all the communication and analyze metadata. Then there’s a fallacy stating that if we all use the same host and the same encryption, then it’s impossible for the state to know who’s talking to who and when; opposed to the case where everyone have its own host and its "relatively" easy to know who’s speaking to who and when.

It comes from the fact that, if I’m the only one receiving and sending mail from this computer, then you just need to get the TCP handshake to be sure that someone is talking with me. So it would be safer to have some kind of proxy somewhere, to mutualise those connections and to raise the cost of surveillance isn’t it?

Except that this answer is valid if and only if you have some conditions:

  • The proxy is not itself part of a mass surveillance system
  • The mass surveillance you’re trying to hide from does not go further than just getting the TCP protocol of your connexion
  • Your correspondent also use this sort of mass proxy, or it would be easy to know when he’s talking

So, let’s see what’s the case with gmail.

Is Gmail involved in a mass surveillance system?

The obvious reason would be yes. At least because they can be coerced by the NSA to provide data to the NSA. Even if their was actually few uses of PRISM, the fact that they’re forced by law to collaborate is not a good thing.

You would argue that it’s just the NSA spying on us, they cannot actually do things to you if your not a US citizen which is false. Because there’s at least the Five Eyes coalition, meaning that data gathered on you by the NSA will be shared with other agencies from other government.

Also, I think that saying that NSA mass surveillance has no effect in you is a lack of understanding of what are the impact of mass surveillance, I will not elaborate on that, others are doing that better than me.

But there’s also something else that I want to elaborate, and that we miss in the "governments are evil" stance. It’s the fact that google is collecting and analysing a lot of data. From your GMail data (and metadata) to your search, video historic, or even the blogs you read. They analyse those data and take actions – to present you more accurately targeted advertisement and search recommendation. Basically, they’re doing mass surveillance on their own.

Google is part of the problem. They cannot be a part of the solution to get out of mass surveillance. Sure, they won’t kill someone simply based on metadata you’ll say. But they’re doing something worse, they won’t expose you to information that they deems unrelated to your interests, and you won’t even notice it.

So yes, Google – and Gmail – is part of a mass surveillance system. They might not be collaborate willingly with governments, but they do it at least for their own profit.

Are the mass surveillance system only targeting IP traffic?

We know – since the exposure of a lot of the NSA nasty stuff – that a lot of government have the capacity to intercept traffic on a global scale. The fact that your traffic goes to a datasilo such as google ones, or goes to your own server at home makes no difference, they’re intercepted the same way. What would change is that they would need to get the email metadata from the email you send from gmail, while they do not need to decode them if everyone is on their own box.


They’re already doing that. Equipment setup to break TLS, intercept email communication and compromise your endpoint are already used. So they do not get any benefits to going for something lighter. If you send an email from gmail to another gmail account, those natsec agencies can already read it and extract the metadata they need.

And since stuff like Palantir, hacking team or gamma international are all known companies who are selling solutions to our government. Those solution are based on the infection of your endpoint (your smartphone, tyablet or computer) to not bother with breaking the cryptography of your communications.

After all, if they can read what is displayed on your screen, why should they bother intercepting your TLS connection to a hidden service in Tor?

So, thinking that, being alone on your node, is a compromise on your anonymity is apparently wrong. You do not add metadata to the collection they already have (they already get the headers of your emails, no matter what).

Also, there’s a last one that nobody thinks about. If everyone is on GMail, then you just need to compromise GMail to get all the ddata you need. Just one company. Yes, hacking into Google is something out of my personal scope, but if you’re willing to, you can dot it. It has been done by China before, and I see no reason for things like that not happening again.

Hacking into GMail is just an enormous prize, you get it you can really improve your intelligence. Especially if you stay undetected. Put all one’s eggs in one basket generally ends with an omelette. Even if it’s a titanium basket.

Applying this principle, I then need to have my correspondent apply it

Because communication is – at least – two ways, if you want to protect and hide a communications, you need to protect both ends of communication. So, applying this means that everyone should get a gmail account, because it’s safer for everyone.

I mean, You use GMail and I’m not. I’m running my own mail server. So, you hiding in the crowd does not works, because if I’m getting compromised – and since I do not have Google grade security – you’re being compromised too (after all, they’ll be able to get metadata of the mail you sent me).

So, for this fallacy to be true, you need everyone have a GMail account. Which will makes things worse because, hey, they’re part of the problem – as stated above.

Doing that is exactly than not encrypting data or using Tor because "it would looks suspicious". It does not. Protecting your privacy should not looks suspicious. If you think it is, then it’s kind of too late, you’ve already ate the states toxic memes of security. But let the ones who want to fight them do it.

No, Gmail, Yahoo, Facebook, Twitter, Microsoft or Amazon will not ever be a solution for privacy. They’re part of the problem.

However, there is one specific case where GMail might be a not so bad alternative: throw away mails (as suggestsed by OaklandElle. Besides that? No. It will not improve your privacy, quite the other way around.

Solutions? Stop the dragnet and mass surveillance. Which you can do only at societal and political level. And give a try to the [internetcu.be][] if you’re looking for self hosting, it works. Mostly. It won’t give you better security, but you’ll definetly have better control. And even if you’re still monitored by state, at least you won’t be monitored by an advertisement selling company.

[UPDATE] After talking with jbfavre on twitter, it seems that I didn’t understoof his point. He did not want to advocate for a massive use of GMail as a way of protecting yourself, but rather for small associative clusters.

I think that it’s a good option. Simpler for most people than going full self-hosting, and sufficiently decentralised to hinder the mass collection of data. It’s not the ideal choice – but then we cannot asks high risk people to have their data in their home where it will be seized by cops – but it’s I think a good trade-off between privacy, ease of use and safety.

I’m tired of this shit

[[!meta description="""I’m getting really tired and bored about those crypto nerds who do not understand threat models, general public and who assume they

Shooting the ambulance

It seems that there’s a national sport among crypto nerds, and it’s shooting the ambulance. Yeah, I know, I’ve been kind of naive thinking that some people with common sense could be more vocable than the people who enjoy ranting on stuff, saying that this is shit, and that only them know the truth.

I’m speaking specifically about the own mailbox project and the torrent of flame and more or less accurate accusation it received from @aeris in this three posts. I also like to point out that the answers provided by the Own Mailbox team doesn’t makes them right. There are issues with the project, but I do not think it’s a reason for burning them alive, but instead would have been interesting to help them to improve.

This is something aeris have an issue with – I already pointed that out in the way Crypto Parties are ran around here in Paris.

The point he’s missing in those articles is – as always – what is the threat model own mailbox tries to solve; as well as mixing up a lot of things (blaming a mail server for the insecurity of TLS or for the possibility of MitM attack is … out of scope).

So, let’s try to think about that.

Everything is broken

First, as Quinn Norton once wrote, if you pretend to work in the security and tries to improve the safety of people, you have to acknowledge that: Everything is brooken. It basically states that there’s no way to have a secure system. It does not exists, it will not exists any time soon.

If you look at a project like own mailbox, where you will display decrypted text on an end-point – because if you’re not you’re either using bad crypto or no-one is actually reading the content.

Eventually, you’ll have decoded data – sensitive data – displayed and stored at least in memory of a computer. A computer which is flawed by malware, spyware, adware and other nasty things. Whatever your crypto level is, even if you have a fully patched computer with as few software as you need, you’ll probably have some 0-day active that a motivated attackers can exploit to get access to this memory.

It means that, with a sufficient amount of time and of motivation, someone else than the emitter and recipient of the message would be able to get their hands on your data, for the simple reason that – at some point – you need to read it.

And if you have a bullet-proof mailbox – which is the promises made by own mailbox – well, it’s way much easier to target the end-node and to read the mails at the same time as the user.

After all, Hacking Team was doing basically exactly that. And there’s no reason to believe that they were the only one to do that.

And no, free software will not save you there, with so many attacks on web browser, or PDF, it’s not enough to run free software on your computer. One way to solve this issue is to use an air gap computer, a computer that have never been and never will be connected to a network of a kind. It means you need to burn your mails on a CDRom or a DVDROm and to check them onto the airgap system.

And this is something you cannot do with the general public. Because maintaining such a computer – set asides the financial costs – requires time. Like at least one hour a day. Every day. And to get a good understanding at how the computer works. Which is something a lot of people – because they do not want to or because they cannot to – won’t do.

Also, assuming that the average computer/smartphone/tablet/whatever security is higher than the one of a small brick that cannot be easily improved and extended is a hell of a mistake. Key generation whould only be done on airgap computer with hardware random number generator if you want to have really secure keys – and stored on a read-only devices.

Never forget Jessica

This is the second most important error done I think. We forget about Jessica. Specifically we make two mistakes. The first one, that everyone is willing to spend a lot of time figuring out their safety and to protect themselves and their relatives against a theoretical threat.

Let’s stand back a little bit. We already have hard time to have people using simple means to protect themselves against a real threat like AIDS, syphilis or other STI – use condoms people. Seriously – how would we have them protect themselves against philosophical and political threats?

Especially if we expect them to understand things that could take some months or years to get by? What is the point of full-encrypted mail? What means end-to-end? What’s the NSA/GCHQ/insert-your-own-agency-here doing exactly? And why they’re doing it? They’re trying to protect us, of course. Against terrorism. That’s what they said.

If you want user to actively use crypto, you need them to not think about using it. And if you focus only on the technical issue, you’re missing the point that it’s a political one. Because if your government wants to spy on you, they will sub-contract a hacking team like, and you’ll be screwed.

This is what – I think – aeris is missing. The people who’ll actually get the own-mailbox are people who already understand why they need to protect themselves (yay, there’s actually some of them out there), but who can’t afford to host themselves another way – essentially by a lack of time and of skills.

People who will get these kind of devices are not the hard core activists who tries to avoid cops enter their house to seize computer look-a-like devices. Because, in this situation, hosting your mail in your office is useless at best, dangerous at worst.

So, most of the people who will use this kind of device or services aren’t really people at risk of being sent in jail because they sent an email. They’re probably the one who will use it as a nice gadget, on a side.

This kind of devices have no chance to ever be used in life or death situation. And even if they were, crypto won’t protect you from bullets.

Also, everyone seems to think actual people uses email. They’re not. Less and less. We’re using Facebook messenger, twitter DM, GMail (which is less and less compatible with third-party clients), WhatsApp, SnapChat, SMS, etc …

I’m not saying that it’s a good thing. I’m trying to understand who are the people who’re gonna use this. And it won’t be the social-media addict who only uses a Mac and GMail, it won’t be the Uber Nerd who uses only mutt and altern.org emails, nor will it be company – because they can’t handle the load on those devices.

It won’t neither be the poorest people who do not have access to a correct enough ADSL line. So it will be people who already understand what it means to being watch and wants to add a little bit more security on their devices.

The thing is, we won’t get everyone doing key management the perfect way for – at least – two reasons. The first one being that no one know what is perfect key management. The second one being that even the crypto nerds fails at it on a regular basis.

So this is it.

I really think that own-mailbox commercial team have an issue. Their answer is out of scope. There is some issues to be addressed. The funnier one is pretending that needing JavaScript for a webmail client would be a security issue … it will be if you’re living in a place where there is MitM interception on the line + a way to tamper with TLS. Which is typically the case where you do not want to have a box with all your emails in your houses.

But going after them, saying that the devices is blatantly flawed without even having one at hand in the first place is kind of stupid and counter productive. There’s an issue around the terms used (100% secure is always false), but I believe that – since it’s a free software project – aeris could have, at least, open bugs or ticket. I did not find a repo for own-mailbox though – didn’t look for it hard neither.

But aeris choose to get out for blood. Yes, this porject is far from perfect, but it’s still a plus, and if it gets some people to use more opportunistic crypto, then it’s fine enough for me.

aeris, you really should understand that no, no one can use the tools you’re using as part of their regular routine. And in most case it’s not even a

Crypto fallacies

This post is a follow-up on what I tweeted yesterday – hours before the constitutional council gave its approval of the new French Intelligence bill. First tweet is here

Where I come from

Before writing this article, I think it’s important to give some context about what I’ve done the last few years.

So, before joining the Telecomix Crypo Munition Buro and #telekompaketet, I wasn’t that much in security and crypto. I learned that on the late, and with some specific goals in minds – I’ll be back to that later. I was a mercenary sysadmin, working for anyone willing to pay me to maintain their system.

I didn’t understood the difference between free software and open source back in the time, neither was I aware of a lot of issues in the world. Looking to it through my small internet periscoped visor. Most of the news I was reading back in the time were tied to computer, video games and – to some extent – foreign diplomacy.

Not the mainstream media, but not much better. I worked for government and the police – maintained the fingerprint database used by cops and sold by the former Sagem – now known as Morpho XL. I worked for oen of the traditionalist newspaper. For startup trying to build customer profile and senders of millions of mails.

But I was reading those few news. I was joining the twitter (2009 … damn, that’s already 6 years?) and already having fight with people humping on the Facebook boat.

Because what was clear for me was that my privacy should be kept under my own personal control, not under the control of anyone or anything else. I always been shy about sharing data over over public and free network who will track you in the end.

I got this habit of watching for my privacy since high school. I accessed the internet for the time at this time. And at home we even had high-speed internet (512 Mbps in 1997, was part of an 31337, not chasing for those AOL 50h of free internet CD Roms).

I got this habit not because of the teaching of someone, but because of my father. See, my father wasn’t an abusive one. He was kinda distant, avoiding me, but he was not an abusive one. At the time we had internet and when I discovered some of the endless possibilities of the computers being connected to each other, I also learned that my father was a paedophile. He has been convicted for that. Twice. At least the second time it was related to detention of pictures from internet.

Yep, that’s about how I learned how it was important to understand how things works and why it was paramount to protect your privacy. Because cops would breaks into your house and seize your hardware for the sole purpose of you living in the same house than a sexual offender.

So, everything started there for me. Since then I always had a full encrypted drive, I’ve used the privacy mode in my browser as much as I could, I learned to delete cookies and Internet Cache on a lot of browsers (from Netscape Navigator and Mozaic to chrome to Internet Explorer 6).

This is when I started caring for the law about computers and communication. And censorship. I did not really get a grasp of what politics where, but still, I was keeping an eye at it.

Got a degree in computer science and got working, trying to earn my independence and to get out of my parents house – almost 20 years later I still can’t speak to my father and yes, it’s part of the reason I’m severely depressed – and so on.

We’re now in 2009, end of the year and I’m bored at work. There is a lot of signal coming from Tunisia that things will getting ugly there. That’s when I started to act for someone else than me.

I was self hosted, so I had spaces. And root access to my servers. Slim Ammanou was interviewed in some media I was reading (Cant’ remember if it was Read Write Web fr or the blog of Jean Marc Manach, not really important I guess). And some people were doing mirrors of censored blogs in Tunisia.

I was bored, I did knew bash, so I scripted some things to help. WHen someone figured out that the ATI was dropping the SSL around facebiik to catch login and password, I crote a one line that could generates gigabytes of fake password for a specific account.

And someone told me to join IRC and #telekompaketet@irc.telecomix.org. I haven’t fired up an IRC client since the 2000′ so it felt a bit odd, but then a lot of things changed for me, starting with the immolation of Mohamed Bouazizi, the Egyptian revolution and the Syrian civil massacre.

During those last five years I developed my security and crypto skills, and tried to train activists who needed it to communicate. I’ve quit my job and worked for an NGO for nearly a year and a half, chain burning-out myself to the point of severe anxiety disorder and depression, mixed with my attention disorder it doeswn’t goes well.

So this is where I come from. I hope that it will helps you to understand what and why I’m going to say the next few things.

Crypto fallacies

The crypto fallacies is to think that your freedom relies on the tool you use. That, if you use the correct tools, in the way they’re intended to, then you have nothing to fear from an oppressive regime.

It’s false, first because IT security on the general computing is a disaster – and I’m not sure it can be fixed anytime soon – but lmost of all it’s false because you’re opposing an oppressive regime.

If you’re not actively opposing an oppressive regime, you’re silently accepting it and then you’re an accomplice. So, you’re opposing an oppressive regime. An oppressive regime as one specific characteristics, it’s using arbitrary detention and arrest to spread terror and keep thing under control. And no amount of crypto can fight that.

I’ve seen kill list in Syria, written with a carbon pen on a piece of paper. Based on denunciation by neighbors, assumptions by people or just because people did not live in the correct address. I’ve seen people getting shot for no other reason than their skin color, or the way they were dressed.

But most of all, I’ve seen people getting arrested, tortured and shot at because they were protesting into the street. And that’s the thing cryptonerds needs to understand. In the end, the purpose of an activists, is to get in the street, to oppose – violently – the state, and end up in jail (in the bes case scenario). The crypto, or the tech gyzmo you can provides them with won’t prevent that.

Also, if your freedom relies on a specific piece of tech, or a specific knowledge, it means that each and every people who has no access to it can’t be free. Which raises an issue that I have not seen adressed by the most vocal voices in the OpSec for activists people. Sure, you can do IT Training in Mali, but when you have power outtage several hours a day and when the temperature will frequently raises above 40°C, most of our tech is made unusable – believe me, we tried that.

I’ve also seen crypto nerds going extremists and refusing to even consider talking to an activists over an unencrypted channel. That’s an interesting stance since then, the activist would never know how to do that

That’s also a good way to forbid communication, which is mandatory for coordinating actions, getting information out, and care about people. If we would follow those extremists, we would end up in an autistic mode without communicating because it would exposes you to a risk. Risk that still needs to be determined.

And, in the end, if you want to undermine and destroy an oppressive regime, you need to accept the risks. You need to accept that you’ll end up in jail. You need to accept that you’ll be beaten up. You need to accept the fact that if you do not take the streets, then it’s your opponent who have them. And you need to take that back.

And you cannot do it from a computer.

Sure, sysadmin and service operators providing good opportunistic cryptography, with fluid interface and where the security doesn’t get in the way of the user, while protecting their users from the government are needed – and it’s the path I’ve choose, but you have to accept that it’s illegal in most states. Even in NATO countries, or in the EU.

But those sysadmins won’t be protected by crypto. Their freedom is at risk as soon as they decide to fight and to help. And no crypto tool you can use can tight your organisation to a point where no exterior influence can destroy it. We’ve seen it before – with Sabu for instance – we’ll see it again because that’s how things works.

The only thing crypto will buy you is time. This time should be used to coordinate, to share, to care, but it won’t get you out of jail (even TPB founders did serve time). But that’s about it, once you’ll be in the street, you’ll end up in jail whatever the crypto you’re using.

And that is called OpSec (Operation Security). The purpose of OpSec is to be able to run an operation. If the crypto you’re using makes you unable to run it, then you’ve failed your OpSec. And running no Operation is also an Operational failure.

So, yes, crypto is usefull, because it gives you time and space to breathe. It allows you to get some room to distress and coordinates. But your freedom does not rely on a piece of tech. It relies only on you to take it.

Go into the street.

As-t-on besoin de vie privee ?


Those are the notes I used for my talk at the Ubuntu Party in May 2015. So it’s in French – sorry but feel free to translate.

It’s about privacy, and it intends to give other way to talk about it.

As-t-on vraiment besoin de vie privée?

"On the internet nobody knows you’re a dog".

Depuis les débuts d’Internet, la vie privée à toujours été une problématique forte. Qu’il s’agisse de l’utilisation de pseudonyme, des Anonymous ou des problématique autour de l’immixtion arbitraire dans la vie privée, la vie privée à toujours été débattue sur la place publique.

C’est une notion qui est présente dès que l’on parle de communication et d’information – le secret des correspondances date de bien avant UseNet – mais qui est également utilisé à tort et à raison par des personnes fort différente. Du droit à l’oubli demandé par les politiciens au coming out pratiquée par les communautés LGBTIQ en passant par l’invisibilisation et le conformisme parfois volontaire, parfois subit, que recouvre vraiment la notion de vie privée, et mark Zukerberg a-t-il raison quand il affirme que la vie privée est un artefact du passé?

Ça fait un peu de temps que je réfléchit à ce qu’est une identité, a ce qu’est la vie privé et aux problèmes que cela peut soulever dans la construction de soi. En tant que personne bisexuelle ce sont des questions qui me touchent personnellement et ne sont pas forcément simple.

Mais d’abord quelques définitions.

Qu’est-ce que la vie privée? Et autres définitions nécessaires.

Vie privé / Vie publique

Citée par tous les défenseurs des droits, notamment par l’article 8 de la Convention Européenne des Droits Humains et par l’article 12 de la Déclaration Universelle des Droits Humains de l’ONU, la protection des personnes contre l’immixtion dans leur vie privée est considérée comme un droit fondamental. Mais elle n’est jamais définie dans ces textes et chartes. Généralement car la notion de vie privée évolue avec les mœurs mais aussi avec la technologie. Il y a peu de chance que – en 1948 – l’ONU ai pu imaginer que nous nous baladerions tous avec un appareil capable de nous localiser au mètre près et capable d’enregistrer ces données sur plusieurs dizaines d’années.

Quand je parle de vie privée, je parle donc de tout ce qui n’est pas public. Ce qui est public c’est ce qui est accessible par une entité qui n’est ni émettrice ni réceptrice d’un message. La vie privée ne concerne donc que ce qui est connu par un groupe définit et restreint.

On peut d’ores et déjà remarquer qu’il y a différentes vie privées et publiques en fonction des différents cercles sociaux auxquels ont appartient. Et dans un monde favorisant les connexions entre ces différents groupes, toute la difficulté de gestion de la vie privée vient de là.

Entropie de l’information

Retournons aux bases de l’informatique et de la science de l’information avec la théorie de l’information de Shannon, telle qu’il l’a formulée en 1948, afin de définir l’entropie de Shannon.

L’entropie d’un système d’information est – en gros – inversement proportionnelle à la possibilité de prédire la prochaine information venant d’une source. Par exemple, si un émetteur n’a émis que des ‘a’, alors la source possède une entropie faible. Mais si jamais un ‘b’ apparaît, c’est une information à forte entropie (et nécessitant peu de bit pour être codée) car ce comportement n’a pas pu être prédit en considérant la source d’information.

Dans un monde normé, composé uniquement de ‘a’, exprimer une différence – de manière voulue ou non – est donc une information à forte entropie. Moins il y a de ‘b’, ‘c’, etc… plus leur apparition sera entropique et donc considérée comme anormale, comme une anomalie.

A l’inverse, dans un monde peu ou pas normé, dans lequel toutes les expressions sont reconnues et existe, être différent n’a que peu d’entropie, peu d’impact sur cet ensemble.

Nous vivons actuellement dans un monde normatif, encourageant le conformisme à un modèle donné. Ce modèle est véhiculé par différents médias : la publicité par exemple, qui véhicule une image de bonheur ou de beauté qui ne peut être atteint que par un certain type de personne, ayant un certain corps, une certaines couleur de peau etc… ; mais aussi par les gouvernements qui définissent les bons et mauvais citoyens grâce aux lois qui définissent la marge (stupéfiants, prostitutions, squats, hackers, etc…)


Un panopticon est une prison idéale théorisée en Angleterre au dix huitième siècle et qui se base sur le fait que les prisonniers savent qu’ils peuvent être surveillés en permanence, mais qu’ils ne voient pas si ils sont effectivement surveillés.

La concrétisation de la menace de surveillance – et de répression en cas de non respect des règles établies – est suffisante pour garder les prisonniers sous contrôle.

Michel Foucault étendra ce principe à d’autre milieu sociaux en 1975, et expliquera que ce système de contrôle – la peur d’une surveillance omniprésente – est présente à de nombreux stades de notre société : à l’école, dans l’entreprise, à l’atelier et bien au-delà de la simple prison.

Un système panoptique est donc un système qui entretien une illusion de surveillance doté de capacité de répression afin de forcer les personnes à se conformer et à obéir à des règles. Il n’y a aucun besoin que cette surveillance soit réelle ou efficace, il suffit qu’elle soit visible et présente dans les esprits.

Privacy sucks

Identité « par défaut »

Ce qui est public c’est ce que l’on connait d’une personne lorsque l’on l’on interagît avec elle. Comment elle s’habille, sa coupe de cheveux, les stickers sur son laptop, sa photo de profil sur Facebook, le contenu de sa page Wikipedia où les résultats de recherche retournés par Google quand je cherche à savoir à qui j’ai affaire.

Bien entendu, la façon dont on est perçu par les autres dépend des normes sociales. Le fait d’avoir les cheveux longs n’a pas le même impact pour les garçons aujourd’hui qu’il y a 40 ans. Et il est également parfaitement possible de jouer avec ces codes pour passer dans une autre classe sociale que la sienne. Porter une blouse blanche vous fera passer pour un scientifique – et vous permettra de bénéficier d’un biais d’autorité – de même que porter un costard vous rendra plus crédible auprès de votre banquier pour obtenir un prêt.

Cet ensemble de code sociaux qui permettent de définir rapidement l’appartenance d’une personne à un groupe social est définie comme l’identité sociale. Cette identité sociale – à ne pas confondre avec l’identité personnelle – permet généralement de compléter ou de projeter les parts non explicite et non publique d’une personne. Typiquement, quelqu’un qui traine sur le chan #tor@oftc aura une identité sociale de hacker, avec tout ce que cela implique. Les hackers étant majoritairement des hommes blancs cis-hétéros, à moins qu’une personne n’explicite directement certains aspects de son identité personnelle – et donc abandonne une part de sa vie privée, j’aurais tendance à supposer que je parle à un homme cis-hétéro lorsque je parle avec quelqu’un de ce canal IRC.

L’assomption "On the internet nobody knows that you’re a dog" part du principe qu’il est possible de ne pas avoir de marqueurs sociaux en ligne. En effet, lorsque l’on se connecte il est parfaitement possible de ‘passer’ pour un utilisateur standard. Un profil twitter non personnalisé, avec un pseudo non genré ne révèle que peu de chose sur vous. On ne sait pas si vous êtes un homme ou une femme, noir ou blanc, un chien ou un chat.

Mais notre cerveau a besoin de catégoriser les personnes pour pouvoir interagir avec elles. Pour éviter les impairs, mais aussi parce que notre cerveau fonctionne par analogie (et reconnaissance de motif) et que des hormones telles que l’atropine permettent d’amplifier ces comportement.

Et un utilisateur d’internet a une identité sociale. Plus de la moitié des utilisateurs d’internet sont basés dans les pays dit développés (Europe et Amérique du Nord principalement), et l’utilisateur "moyen" (au sens statistique) d’internet est donc un homme blanc cis-genre hétéro. L’identité sociale d’un utilisateur d’internet est celle-là. Ce qui veut dire que, à moins d’afficher des marqueurs permettant de vous classifier en dehors de cette identité sociale, j’aurais un ‘passing’ d’homme blanc cis-genre.

Quand j’ai une photo de profil d’œuf dans ma timeline sur twitter, je suppose que cette personne est un homme blanc cis-genre. Je lui assigne inconsciemment cette identité, et je m’attend à ce qu’elle se conforme à cette identité.

De même quand je croise une personne dans la rue. Les données que j’emmagasine sur elle en analysant la façon dont elle s’habille, se coiffe, marche, la façon dont elle parle, tout cela me donne des indices sur l’identité sociale de cette personne.

Cette identité n’est pas nécessairement son identité personnelle, il est important de le noter. Si je m’habille comme ça, c’est parce que j’ai envie d’être identifié comme un hacker, ce n’est pas forcément pour ça que je pense en être un. De même une personne efféminée passera pour une femme ou un homo, même si ce n’est pas nécessairement comme cela qu’elle se définirait.

Cette identité "par défaut", sociale, fait que pour pouvoir exister hors de cette norme, pour pouvoir être considéré par les autres comme ce que l’on est et non pas comme cette identité par défaut, il est nécessaire d’abandonner partiellement notre vie privée. Le fait que je vous dise que je soit bisexuel me permet de ne pas être entièrement classé dans cette identité par défaut, et donc d’enrichir une diversité d’identité. Cette diversité peu s’avérer vitale dans un système social, nous le verrons plus loin.

L’identité par défaut peu cependant avoir des avantages. Par exemple, LEGO en choisissant de faire ses figurines à la peau jaune avait établi à l’époque que c’était pour éviter les histoires de racisme. Ce jaune plastique à d’ailleurs été réutilisé un peu partout comme couleur ‘neutre’ et a été dérivée un peu partout. Les smileys et émojis jaunes par exemple.

Sauf que cette couleur a été assimilée à la couleur par défaut. De même que le blanc, ce jaune est devenu la couleur de peau par défaut, et donc ce jaune est devenu synonyme de blanc. Spécifiquement, lorsque la firme LEGO a commencé à développer la licence Star Wars. Lando Calrissian fût un des personnages à ne pas avoir sa mini figurine.

Plus tard, le set LEGO Sports représentant différentes personnalités du sport, donna aux joueurs de la NBA une peau noire, ce qui valida bien que la couleur "par défaut" jaune est en fait celle du système dominant en place. De même les emojis – au début tous jaunes – sont maintenant déclinés dans de nombreuses tonalités de peau afin de permettre à chaque personne de choisir comment elle veut être identifié.

Il y a aussi un trope au cinéma qui établit que l’homme est le "défaut" pour l’humanité. Un personnage de fiction est, par défaut, mâle. Si c’est une femme, il y a une raison spécifique pour – ou alors cela va générer une vague de commentaire et d’attaque. C’est ce que l’on appelle l’androcentrisme : on considère qu’une femme est une "anomalie" alors qu’elles constituent en fait 50% de la population humaine.

Le problème de cette identité par défaut est que, du coup, elle impose à celleux qui ne veulent pas être associées à cette identité par défaut la responsabilité de se démarquer, et de devoir abandonner des bouts de leur vie privée en les affichant car ces éléments sont privés pour les personnes se conformant à l’identité sociale par défaut.

Injonction à l’invisibilisation

Le discours que j’entends beaucoup dans le milieu geek/cryptonerds est basé sur le fait que l’on a forcément quelque chose à cacher et que donc, il faut nécessairement le cacher. Il suffit d’assister à un Café Vie Privé, ou de regarder les intitulés des conférences de l’Ubuntu Party par exemple.

Le discours est – en gros – vous devez tout dissimuler car le gouvernement/Facebook/Amazon/Google vont exploiter toutes ces données pour vous oppresser, vous exploiter, vous transformer en vache à lait et vous déshumaniser.

Selon ce discours, on devrait tous accepter l’identité par défaut. On devrait tous être des hommes blancs cisgenre hétérosexuels, puisqu’on ne devrait afficher aucune différence par rapport au modèle par défaut.

En suivant ce discours, les personnes opprimées parce qu’elles affichent une différence devraient cacher leur différence derrière leur vie privée et se conformer au modèle dominant et oppressif, au lieu de questionner ce modèle oppressif en affichant leurs différences.

Cette injonction, ce devoir d’utiliser sa vie privée pour se protéger des agressions, pose un double problème. D’abord, parce qu’il est formulés essentiellement par des hommes cis-hétéro blanc qui correspondent beaucoup à l’identité par défaut. Ces personnes n’ont que peu de choses à craindre d’un système oppressif car elles font parties – volontairement ou non – de cette classe oppressive. C’est donc une injonction d’oppresseurs à opprimés qui est formulées dans ce discours.

L’autre problème sous-jacent est que, si je suis discriminé, agressé, tabassé parce que je suis bisexuel et que je le revendique, alors on me dira que je n’avais qu’à dissimuler cette particularité. Que je n’avais qu’à me taire et me conformer. Ce discours ne remets pas en cause l’oppression systémique et classiste, voire l’encourage. Après tout, si quelqu’un n’est pas capable de chiffrer correctement ses communications et se fait prendre, ben c’est qu’elle l’a bien cherché, elle n’avait qu’à utiliser Tor.

Demander à supprimer de l’espace public les spécificités et les différences des uns et des autres, revient à uniformiser tout le monde derrière l’identité par défaut. Parfois utile pour mettre en retrait des informations qui pourrait parasiter un discours vis à vis d’un oppresseur – typiquement le black bloc ou les anonymous – cette uniformisation est nuisible si elle est maintenu en permanence et dans tous les espaces de notre société.

Déjà, parce qu’elle augmente l’entropie nécessaire à afficher une différence. Si personne n’est comme moi, alors il est coûteux d’afficher cette différence, et cela pourrais même être vain. Après tout, si je suis seul à ne pas être comme les autres, je n’ai aucun intérêt à l’afficher.

Mais surtout parce que cette uniformisation est présente partout où je vais. Dans la rue, le métro, au taff, dans les conférences techniques, etc…. L’espace public n’appartiens pas aux minorités. Le discours de la Manif pour tous – et leur défense quand on les accuse d’homophobie – est qu’il n’ont rien contre les homos, du moment qu’ils ne s’embrassent pas dans la rue. Ils justifie cela par une agression de leur modèle exprimée par le fait que deux personnes du même genre se tiennent par la main dans la rue ou s’embrassent.

Cette injonction à la vie privée est une ostracisation. Elle force les opprimés à se regrouper dans des endroits safe, dans des ghettos, dans des quartiers à eux où ils peuvent exprimer leur identité sans se faire emmerder. Demander à quelqu’un de tout chiffrer, de ne pas utiliser facebook ou Google parce qu’elle pourrait être profilée, c’est mettre la responsabilité de l’agression sur la personne qui aurait afficher une différence, qui aurait pu très bien se conformer.

Dire que si je ne chiffre pas mes communications et que je ne me conforme pas à l’identité dominante par défaut alors le gouvernement viendra m’emmerder, c’est valider le fait que le gouvernement est légitime pour aller emmerder les personnes à la marge. Dire que pour me protéger du harcèlement en ligne, il suffit que je ne dise pas que je suis une meuf, revient à ne pas remettre en question le fait qu’il y ait du harcèlement.

L’injonction à la vie privée permet, in fine, aux dominants de ne pas e remettre en question. Cette injonction au chiffrement permet de ne pas attaquer l’état sur la légitimité de la surveillance massive. Ce n’est pas parce que je n’utilise pas Tor que la NSA a le droit de surveiller mes communications.

Mais au final, la question la plus important à laquelle ne répond pas le chiffement c’est que si tout est privé, alors qu’est ce qui est légitime à exister dans l’espace public? Qu’est-ce qu’il est légitime de faire en public? Si tout le monde à la même apparence, le même genre, le même uniforme, au final quelle liberté j’ai dans l’espace public? Si porter une cravate rouge au lieu d’une cravate noire deviens un acte subversif, qu’est-ce que ça nous dit de notre société?

Le refus de la vie privée comme acte militant

Rendre publique une partie de sa vie privée est un acte militant. S’affiche comme membre de telle ou telle communauté, et donc hors de la norme établie, permet de faire évoluer cette norme, de réduire l’entropie d’être différent.

C’est une stratégie qui a déjà été beaucoup utilisée. Le manifeste des 343 salopes par exemple a permis de faire avancer le débat sur l’avortement en France et à amené à la loi Weill. 343 femmes ont abandonnées une partie de leur vie privée et se sont reconnues coupable d’un délit, afin de remettre en question ce qui à l’époque était l’état de la loi.

C’est également la stratégie du coming out développée par Harvey Milk entre autres, stratégie qui permettra son élection au poste de maire d’un district de LA, puis à son assassinat.

Cette stratégie est basée sur le fait que si une personne straight connait une personne homosexuelle, que c’est un ami, un frère, une sœur, alors il y a moins de chance que cette personne straight considère l’homosexualité comme une tare ou que la discrimination contre les homos soit quelque chose qui ne la concerne pas.

S’afficher ouvertement comme faisant partie d’une minorité permet aussi aux autres personnes de cette minorité de ne pas se sentir seul⋅e⋅s ou abandonné⋅e⋅s. Cela leur donne un contact, un point d’entrée vers des groupes d’entraide et de soutien, et cela peut amener d’autres personnes à essayer de comprendre les oppressions systémiques.

On le voit, par exemple, dans le mouvement féministe sur twitter. Les féministes font blocs et se soutiennent parce qu’elles se revendiquent en tant que telle. Certes, cela les expose a du harcèlement en ligne et hors ligne, mais avoir un groupe, une communauté, leur permet de aprtager leurs expériences, de se soutenir quand ça ne va pas, de faire front contre les agressions et aussi de s’autogérer c’est à dire de pouvoir s’organiser entre elles, sans qu’un homme blanc cis-hétéro viennent les "aider".

Cette autogestion permet la réappropriation des espace publics. Qu’il s’agisse d’espace hors-ligne – tels que les marches de nuits ou la non-mixité dans certains lieux – ou en-ligne – avec tumblr par exemple qui est essentiellement féminin – cette réappropriation de l’espace public n’est possible que par un abandon partiel de sa vie privée.

En exprimant une injonction à la vie privée et donc en validant le système oppressif actuel, vous empêchez cette réappropriation de l’espace public. Vous forcez les minorités et groupes opprimés à n’exister que dans la sphère privée, loin des regards. Vous les forcez à la clandestinité, à exister hors de votre espace public.

Cette mise à l’écart, cette ostracisation forcée gomme de l’espace public les personnes concernées. Elles n’ont plus le droit d’avoir une identité sociale en lien avec leur identité personnelle. Dans 1984, si tout le monde porte un uniforme c’est pour qu’il ne soit pas possible d’exister hors de l’Angsoc. Les seuls qui ne portent pas cette uniforme sont les personnes qui ne sont pas membres du parti et qui vivent dans les bidonvilles. Ces personnes n’existent pas pour le personnel administratif.

Si vous empêchez les femmes d’exister sur internet, ou les LGBT, alors vous les invisibilisez. Vous leur refusez le droit de s’exprimer dans l’espace public, vous les empêchez de verbaliser les agressions qu’elles subissent. Et si ces agressions ne peuvent être verbalisées, alors peut-être qu’elles n’existent pas. Ou qu’elles ne sont pas systémique. Si je me fais fouiller par les flics, ce n’est pas parce que j’habite à Saint Ouen et que j’ai l’air d’un dealer, c’est juste un contrôle aléatoire. Si il n’est pas possible de faire de statistiques sur les contrôles au faciès parce qu’il n’est pas possible de faire de statistique ethnique, alors il est impossible de mesurer efficacement le racisme de la police.

Si on ne peut mesurer le racisme de la police, alors c’est qu’il n’existe pas. On ne peut pas en prouver l’existence. Tous les débordements et toutes les bavures seront la faute d’individus, pas d’un système raciste et oppressif.

De la même façon, en demandant à tout le monde de tout garder privé, vous validez l’invisibilisation des minorités, vous leur niez le droit et la possibilité d’exposer des oppressions. Faire le choix militant de se revendiquer d’un groupe social, d’abandonner une partie de sa vie privé, est le seul moyen de confronter la société à ses inégalités et injustice.

Ce n’est pas du tout un choix aisé et il y a de nombreux endroits dans le monde où je ne pourrais pas dire que je suis bisexuel sans être instantanément menacé de mort.

Privacy rox

Comme moyen de défense

Ces discriminations basées sur l’identité personnelle sont la raison pour laquelle toutes les déclarations des droits définissent un droit à la vie privée pour se protéger contre ces discriminations.

Ce droit permet à chaque personne de s’aménager un espace personnel dans sa vie quotidienne, espace dans lequel il lui est possible d’essayer de se construire de se définir.

La vie privée permet d’avoir un espace d’expérimentation, un espace dans lequel on peux essayer des choses ou faire des choses que l’on a pas nécessairement envie d’exposer au public parce que l’on ne sait pas encore si on approuve ou pas ces choses. Il peut s’agir par exemple de questionner son identité de genre ou sexuelle, de se demander si le FN n’aurais pas tort et proposerait des choses intéressante ou même de faire une blague sexiste.

Après tout, dans un cadre privé et où tout le monde se connaît, il est possible de baisser sa garde, de laisser échapper un mot ou une blague oppressive et que cela soit compris comme cela, comme une erreur, comme un dérapage ou juste comme un lâcher prise. Et ce n’est pas parce que l’on lit Mein Kampf que l’on est nécessairement un sympathisant d’Adolf Hitler.

Ces expérimentations, sont extrêmement importantes car elles permettent d’apprendre. En explorant des voies alternatives sans être soumis au jugement des autres, il deviens possible de se construire, d’essayer de se définir.

On peut parfaitement avoir besoin de Windows pour travailler, parce qu’il n’est pas possible de faire changer seul toute la politique des système d’information d’une entreprise de 600 personnes et pour laquelle on est qu’un employé comme un autre. Ou juste parce que c’est plus pratique pour dépanner l’ordinateur des personnes qui viennent aux Repair Café et que non, on ne va pleur mettre Ubuntu parce que ce n’est pas la raison pour laquelle ces personnes sont venues – et que l’on ne veut pas qu’elles nous appellent dès qu’un .docx va planter sur leur machine. En revanche l’annoncer ici, publiquement, va déchaîner l’ire de nombreuses personnes.

Ou bêtement parce qu’un rm -rf –no-preserve-root / malheureux va vous exposer à d nombreuses années de moqueries.

L’espace public n’est pas vraiment un espace tolérant à l’erreur ou à la différence, essentiellement parce qu’il est accaparé par les oppresseurs. La vie privée permet de se négocier un espace dans lequel exister sans se confronter aux oppressions. C’est dans ce sens que la DUDH protège – par son article 12 – les citoyens contre les immixtions arbitraire dans leur vie privée.

Cette protection est nécessaire afin de permettre aux états de traiter tous les citoyens de manières égales. Se conserver une vie privée permet de se protéger contre les injustices du système ou de la société. Quand l’environnement extérieur cherche à vous stigmatiser et à vous rejeter, il est nécessaire de se conformer pour souffler et pour éviter d’être soumis à des violences physiques, sociales ou psychologique parfois extrêmement violente.

Il est également parfois nécessaire de passer pour quelqu’un du groupe dominant afin de pouvoir faire valoir certains points politique. L’identité par défaut, passe souvent pour une identité neutre et donc objective. Se parer de cette identité permet ainsi de bénéficier d’une aura d’objectivité qui permet d’asseoir son propos. Il suffit de voir les mèmes tels que "Fake Geek Girl" par exemple. C’est un mème qui se base sur le fait que les meufs n’y connaitrait soi disant rien en culture geek, et se base sur le fait qu’elle ne savent pas répondre à un obscur fait de trivia basé sur cette culture pour leur refuser l’appartenance à cette culture geek. Fait qui est – très souvent – ignoré par une grande partie des hommes faisant partie de ce groupe.

Se faire passer pour un homme dans ce milieu permet donc à une femme de ne pas se faire jeter dehors, juste sous le simple prétexte de son identité de genre non conforme au milieu, et donc de pouvoir se faire écouter par des mecs qui ne l’auraient pas écouter sinon.

Il y a aussi plusieurs espaces publics ou privés. Des choses qui sont parfaitement acceptées dans un sous-groupe, peuvent être sujet à discrimination dans un groupe plus grand ou différent. Démarrer un Mac OS X à NUMA sera parfaitement bien vu, mais vous vaudra quelques regards en coin si vous le faites au Loop. L’intersections et les interactions entre ces cercles sociaux et ces groupes rendent encore plus complexe et flou la notion de vie privée et de vie publique.

Surveillance de masse et discrimination

La surveillance de masse a pour but de pouvoir surveiller l’entièreté d’une population. Cette surveillance ne se limite généralement pas à l’espace public, mais concerne l’ensemble de la vie d’une personne ou – pour être précis – l’indexation et l’analyse de l’ensemble des données personnelles, privées ou non, disponible par une entité étatique ou commerciale.

Ce qui est surveillé devient, de fait public. Connu par l’état ou par les autres. Votre statut relationnel est mis à disposition du public par facebook, de même que votre identité de genre par exemple. La RATP sait quels trajets vous effectuez et peu donc vendre des publicités mieux ciblées aux annonceurs via sa filiale Metrobus.

Si tout est surveillé, tout est alors public. On se retrouve dans le modèle du Panopticon tel que envisagé par Foucault dans "Surveiller et Punir". On ne sait même pas si on est surveillé, mais le simple fait que cette menace existe nous force à nous conformer et donc à nous contrôler. Les boîtes noires de la Loi sur le Renseignement n’ont même pas besoin d’exister ou de fonctionner pour être efficace, il suffit simplement que nous soyons persuadés qu’elles existent et qu’elles analysent intégralement notre vie privée devenue publique pour que nous ayons déjà commencés à modifier nos comportements et notre rapport à la vie privée.

Dans un monde sans vie privé et ayant pour but de forcer au conformisme, alors l’anti conformisme devient suspect. Les personnes ayant le plus à perdre du panoptique sont les personnes qui refusent ce conformisme, car c’est elle que le panoptique cherche à identifier. Toute personne refusant de se conformer est désormais suspecte d’atteinte à la sureté de l’état.

De fait, la surveillance de masse est nécessairement discriminatoire. Elle ne concerne pas les personnes faisant parti de la classe dominante, ou désirant s’y conformer. La surveillance de masse ne va détruire la vie privée que des personne opprimées. Cette surveillance impose donc une forme de conformisme, d’uniformité et – on l’a vu – cette uniformité amène à une invisibilisation des marges et à leur suppression de l’espace public. Or, sans espace privé, ces personnes ne peuvent exister, il deviens impossible de formuler une oppression.

Se négocier un espace privé est donc un moyen de lutte contre la société panoptique et conformiste. Pouvoir vivre en dehors du système de surveillance de masse permet de préserver son individualité, qui ne peut s’exprimer que dans sa vie privée dans un système social de ce type. Sans vie privé, il devient impossible de formuler une idée qui va contre le système social ou d’expérimenter. Il devient impossible d’évoluer ou de se penser différemment des autres ce qui amène à la disparition de toutes les différences vis vis des autres et à l’assimilation de notre identité personnelle à notre identité sociale. Nous ne sommes plus des personnes mais des fonctions et des rôles.

L’invasion de notre vie privée par toute sorte de système panoptique (administration et état d’une part, mais aussi toutes les entités se gavant au big data) amène donc à la suppression des individus et à notre assimilation à une identité sociale hors de notre contrôle. Il est donc littéralement vital que nous reprenions le contrôle sur nos données personnelles – qui ne sont jamais définies comme privées par les opérateurs – afin de savoir qui a le droit de savoir quoi sur moi. Quitte à ce qu’Amazon ne puisse pas me proposer de livre que j’aimerai à tous les coups.


La vie privée est donc quelque chose d’extrêmement important, on l’a vu elle seule permet de pouvoir remettre en question un système oppressif et conformiste en permettant à chacun de se construire son identité personnelle.

Cela dit, l’injonction à la vie privée, dire à tout le monde qu’il faut tout cacher, c’est justement se conformer au système panoptique. C’est refuser aux individus le droit d’exister comme ils le veulent.

C’est un droit consacré par plusieurs déclarations des droits humains. Mais c’est un droit, pas un devoir. Je n’ai aucune obligation à cacher mon identité sexuelle, ni à la révéler. C’est un choix que je fais et que je suis seul à pouvoir faire.

Et c’est un choix qui évolue dans le temps et le contexte social. Ce n’est pas parce que je balance des choses sur moi dans un cercle social défini que je le ferai dans un autre. Il n’y a pas de règle universelle de ce qui doit être privé ou public, il n’y a que des curseurs que l’on essaye de contrôler pour exposer plus ou moins de sa vie privé, pour différentes raison.

Mais oui, il est absolument nécessaire de réfléchir aux outils pour protéger sa vie privée, notamment en ligne. Mais il faut aussi se poser la pertinence de ces outils et de ses usages. Ces outils doivent permettre aux personnes qui le désirent de choisir quelles informations rendre publiques et lesquelles doivent rester privées.

Il faut aussi se poser la question de la lutte globale contre la surveillance généralisée, parce que Tor, GPG, OTR ou autre ne sont pas la solution universelle. Ces outils ne résolvent pas le fait que les états est

PJL Renseignement … stop fleeing!


If you haven’t heard, there’s an emergency law currently “debated” in France, which wants to legalize illegal practices from the Intelligence services (both domestic – DGSI – and foreign – DGSE) and gives them impunity, circumvent the judge, and goes to a massive discriminatory surveillance.

The hashtag is full of report of people opposing it (from Human Right defenders and NGOs to citizen collective such as LQDN to companies and business of all scale). So yeah, it’s the law NSA’s head is dreaming of.

There’s two issues I want to discuss at hand. Not sure how it’ll end, but here it goes. The first one is why fighting surveillance is – in my opinion – the wrong fight and the wrong way of doing it, there’s more to this than just surveillance. The second is about all the geeks and hackers trying to flee out of France, to move their businesses out of it and other “abandon ship” strategies.

Fighting surveillance

So, surveillance. As Quinn Norton and Eleanor Saita stated one year ago in their talk at 30C3, surveillance – in itself – is not inherently good or bad. Surveillance is watching, and – when you want to interact on something – you need to watch it. It’s hard to grab precisely something in the dark (you can do it, but it’s hard).

You need surveillance to expose corruption for instance. Or fascism. Or any wrong doing in fact.

So, the issue discussed is not – and should not be – the surveillance per se. The issue is that this whole process is secret, hidden, non documented, without control or regulation.

What does it mean? First, it means there’s an asymmetry in information. Something knows more about me than I’m able to know about them. What you do not know controls you, it means that this imbalance of power makes the state having more control over you.

It makes them able to act upon you on a discriminatory way. The gigantic issue here is that. It’s not the surveillance, it’s the lack of control. It’s the fact that no one is watching the watchers and have way to act upon them. What frighten me most in this law, are the wording used “secret defense”, “higher interest of the state”, “impunity for state agent” and things like that.

I’ve ranted on twitter about the black boxes that will be able to algorithmically identify threats. The thing is a lot of people lost sight of what an algorithm actually is.

It’s a parametric mathematic function applied to a set of data in order to classify information – or at least that’s what is intended in this specific use case. The magic words in algorithm, machine learning, classification system is just this: parameters. The way you choose your parameters will change the way you classify your data.

How many occurrences of jihadist related news you need to have in your browsing history to be classified as a jihadist? Hom many hours a day you spend in this chatroom? How many times a week you go there?

Those numbers – the one that we as citizens will never heard about – are political tools. The way you choose them, and why you choose them create classification of people and will make you decide who needs to be swatted or not. That’s where the ugliness begins. Those numbers will be chosen to discriminate people depending on their backgrounds.

I mean, they’re already discussing about exceptions for surveillance – especially for journalists – which means that they’re clearly lie when they say it’s an anonymous data collect, they’re already discriminating people based upon their traffic.

So, the surveillance is not the issue. Neither is the privacy. The issue is the lack of control. The issue is the absence of transparency. And stop fighting surveillance saying you have a right to privacy. That’s true, but then it enable politician to call for the “right to be forgotten” which will only help them evading justice.

The issue is that mass surveillance, done by an oppressive system is a tool of segregation and racism. Because in the French context where we do not speak about Arabs anymore, but only about Muslims (and in a way that makes people think that all Muslims are Salafists and potential terrorists), I’ll bet 2 BTC on the fact that they will be the one specifically targeted by this surveillance.

Same goes for the poorer of us. Who happen to be the ones who are not the white guys, who are also the ones who fight for survival and acceptance at all time. I’m quite sure that if the system catchs a white and rich guy, he will go in the false-positive trash and nobody will incriminate him.

So, stop fighting surveillance for the only sake of it. I should not need privacy in a non-oppressive system – that’s even how you determine you’re leaving in a non-oppressive regime: what you do and what you are cannot be held against you as long as it does not threaten the safety of someone else. But go fight the state implemented discrimination.

Don’t run away. Fight.

Which leads me to this other point. We – as citizens, as a collective – need to fight that. I refuse to abandon the ship. I’m witnessing a lot of data-exodus. People actively looking to host their data abroad. Commercial companies – such as OVH – are looking to build datacenter elsewhere.

I can understand why a company would do that. They would because they intend to respect the law. Because they do not want to risk their existence to protect their customers, so they’re running away. But the thing is, if you flee, then what will happen when the country you’ve fled to will also change their law and regulation? Flee again?

That’s not a sane way to do thing. That’s why we have civil society, to oppose the state, to try to restore a bit of balance in the power repartition. If you flee, you say to the state: you can do whatever you want, I just do not care about it.

If you’re a big company, which a lot of money, yes, it might have some power against the government, they will have to choose between reinforcing their power or keeping some jobs in the country. But, well, if the state initially wanted to defend their citizens best interests they won’t be trying to deprive them form liberties, right?

So, fleeing will only preserves you. And, well, you’re still a French company, with offices in France, so you still need to obey the law. OK, you’ll be somehow outside of the DGSI reach. But your customers won’t, since they’ll still be in France and they’ll still connect to your infrastructure from France, from inside the Dragnet. Which, basically won’t protect them and can even gave them a false feeling of security – which is worse.

What can you do? It’s time to protect your customers, your users. The people who’ve put trust in you. You do have a choice – and it’s not an easy or simple or risk-free one. You have to choose between taking care of your users, and actually hold the promises of security you’ve done to them or obeying the law. That’s call civil disobedience and yes, you can end up in jail. But you’re not alone, and a legal defence fund is something you can create or ask for help.

Yes, it might seem easy to say. But that’s what I intend to do with my project. Providing tools for activists and militants groups who need them. In a way that will try to preserve most of their privacy. I do not intend to respect the law to do that. I do not intend to hide myself.

Hosting data for other people is a political statement. I’m sick of hearing people asking for a country where they could safely hosts their data. You can do it wherever you want, if your government has decided to jail you, they will be able to do it – wherever your data are. What we need is not a list of foreign hosters who are out of the French territory and jurisdiction, what we need is a government who actually protects us, not themselves. What we need is actually to take a stance.

Privacy café, camp, cryptoparties et al is good and nice, but it does not solve the main issue. When are we really going to show those who’re in charge who actually is? When are we really going to send them a middle finger?

Do not flee. Do not let them scare you. Fight back. Federate. Protect the

My depression

I’m depressed. It’s quite obvious if you look at it from the symptom part. But I’m still reading or getting comment from people who thinks it’s just a small blues – like a Monday morning blues when the week-end is done and you’ve got to get to work.

It’s like saying that the small bruises you got for falling of your bike is the same thing that getting your leg rip apart without anesthetic or – if I believe what women told me – deliver a child.

First thing is you do not live with a depression. I do not live. Living implies being able to project yourself in time. The closest thing I found about this state is stated by Buffy. In this part of the show she’s obviously depressed, she’s just going through the motion.

My depression takes this form. Time is just irrelevant, I’m stuck into the now and go forward or look backward. It’s not apathy, because apathy doesn’t removes you the capacity to make a difference between next week, yesterday and next year.

This has insidious effect. For one, I’m unable to move forward. I cannot just going better because it implies to project myself into the future. Happiness is an alien concept and I do not see the reason to live. It’s absurd and it has no point, in the end I’ll die. I could as well kill myself, it would not change a thing.

Another thing is that my depression is not a lack of feeling. It’s quite the opposite. Anticipation – meaning something I know will happen in the next few hours – generates anxiety attack. Those attack manifest by an unability to think and sort my thoughts, shacking, craving, loghorea, headache. I have pills to take to calm this down (Valium).

I feel. A lot. Too much. Reading a mail I slightly disagree with will makes me burst into rages. Picture or news of protesters shot by cops will makes me cry and fall in a near catatonic states. I’m only nerves and I can react violently to someone who touch me – even if it’s someone I love.

That’s called exhaustion of emotional bandwidth. Where non depressed people have a way to manage, delay and rationalize their feelings, I have lost this ability. This is because I have something in my brain – Serotonin neuro transmeters who don’t catch the Serotonin – that makes me in a perpetual state of stress and hypervigilance.

I’m scorched and even the lightest of the wind hurts like hell. There’s no end, no light at the end of the tunnel. I’ve got no memories of happiness – that’s another aspect of this thing. I can have some joy, some people can makes me smile. But it does not last. Soon, it’s another wave – or tsunami

  • of feeling that come and overwhelm me.

So no, I’m not living with a depression. I’m drowning into it. I take drugs to help me, they gave me some buoyancy. Friends keep trying to maintain this buoyancy. But there’s always the calm of the abyss down below, under my feet. One day I’ll stop fighting and I’ll drown into the abyss.

I won’t be at peace, I’ll cease to exist, feel and think. And from my point of view it’s like heaven. It’s the end of the line. End of the pain. And it’s



So, I receive queries for people wanting my point of view on various things – ok no, on internet and surveillance, privacy and stuff like that, they do not consult me for issues like climate change and the like. So my email adress is like public data, and people finds me.

It’s not always easy, because there’s a lot of people out there wanting to do a subject on “hackers” without more precision. You need to asks them a lot of things, help them to understand that “hackers” in not a precise enough subject and that they should focus on a specific problematics. And then you need to know the media who’s asks for the job, especially when you’re dealing with students in journalism.

Speaking of student in journalism, I try to be available, to answer them or to put them in contact with others more suited to answer their specific questions.

That’s why this one is a tough one for me. Because it puts me in front of a paradox. I always thought that convincing people needs to talk to them. I inhereted that from Telecomix, and I tried to do it on each occasion. If someone as an angle that I disagree with, then it’s probably because one of us (at least) is missing a point somewhere, and it can only be solved by more discussion.

However, I know the media behind the query. And they’re known to pose hackrs as sociopath who are after your credit card. They capitalize on fear, not on information sharing, and I tried twice to get around that and it did not work.

Hence this blog post. It’s the email I shoud probably write to this person, but I think it might be beneficial to have it somewhere more public. Name are changed, and no metadata of the original mail. Traduction is mine.

Questions and answers

Hello Okhin

Hey Mat,

I’m 19, and I’m writing and embodying a TV documentary in which I try to prove to my parents generation that, no, I did not abandon my privacy, and that Internet is more than a simple tool for my generation.

Cool. Sounds like a good project and I agree that your generation didn’t abandon their privacy, even if you – and I – spent a good part of it online. And I couldn’t agree more on the fact that internet is not only a tool, it’s a form of communication that enables a lot of different form of societies.

I’m focusing on the problematic of Digitals Native freedom, close to the freedom concept of the libertarian (like Larry Page, Elon Musk …) who emphasize the freedom and happiness of the man. My generation is not Foucault’s one, meaning a generation institutionnalized from childhood to retirement, but the libertarian’s ones, building a new world of economic collaboration in a reinvented society.

I’m not a libertarian. Libertarian – at least in the French way – are basically asking for total freedom for corporations (either single person company of worldwide megacorporations). Libertarian choose to inforce economic freedom over social ones.

And you do it also. You’re not speaking about the social aspect of internet, how Internet did change the balance of power between egemonic corporations, states and citizen. No, the aspect you’re focusing one is the economic one. Larry Page and Elon Musk are probably visionary, they did help to build a non-sentient AI, and to fix part of the way we exchange money.

But they’re building a world for an elite. We’re still below a tird of the worldwide population connected to the internet. Worse, most of the countries not connected to it are currently exploited by neo-colonial corporations to exploit them in order to build all those gadgets we use everyday to make our lives easier.

The world for those libertarians is a world where the weak can’t exist. I do agree that economic freedom might help – wel, economy is clearly not my strong suit – but we’re elaving in a world where companies – through Lobby group – actually pass law and can sue states under secret trade agreement.

For me Internet is a social tool. It can helps connect people, build communities, strengthen social link, and get a better understanding of the world. It can helps people throwing away a governement, organise dissent, but also to have care and help of communities members.

Yes, it can be used to build “new” economic system – altough libertarians are around since before Internet so I really do not think a totally free and unregulated market that will have no other purpose than justifying its existence and not to support mankind is something that exited long before the internet (since the first industrial revolution I’d say).

And I do think that the biggest mistake pioneer of the internet did back in 1990-ish is to allow advertisment network and monetization system to get a foot on internet. It certainly fast-tracked the “massive” adoption of internet, but it also give way to much power to those few groups who earned a lot of money selling those advertisment to take control of data – and part of the infrastructure.

I’d rather have an internet build by a community and for communities – using taxes and yes a state – the purpose of state is to maintain wellfare and infrastructure for all people not to govern.

It will be embodied documentary for the mainstream audience.

Currently, I’m focusing on a different angle. I think that I could make a stronger point if I speak about code. “Code is Law”, while showing that conding nowadays, is having power. What I wrote here is EXTREMELY narrow, but I try to know more on this subject (for instance [A state TV] is interested by my project only if I develop this part) and to have a good grasp of the issue. I also need time to immerse myself into this culture.

So, you want to basically say that hackers – people who codes and understand it – are an elit and that they’ve seized control of the world? It might be true (there’s currently an elitism in this so-called hacker community which is an issue), but I try to oppose it as much as I can.

That’s why there’s free software. Free software exists to ensure that no elit could be left in charge because they’re the only one to know how things works. That’s what’s in the hacker manifesto after all, And in every things that hackers do.

And also, if you really need to code to use a system, then you should need to build a car to drive it. You should need to know agronomics to eat vegetables. Even if I do admit that all those exampls are true, there’s a big issue in it, it states that we are born with all the same capacity. Which is false. Prejudicies, handicaps, social stigma, life accident, all these can lead to someone not being able to code. Or to understand how a car angien works, or what are the implication of eating meat instead of vegetables on the global scale.

You cannot asks to a single mother of three to learn how to code to use a system. And still, she can use it. And that’s a good thing. If you make code skill a requirement to use internet then internet is no longer a tool for emancipation, it became a tool of oppression. I want my communities to be inclusives. I want care takers in my communities. And I think internet enable that. And I really think you do not need to code to do that. Or to send enrypted email – or at least you shouldn’t.

So no, I will not say that code is a requirement to live in our world. Even if the french governement currently thinks that we need to teach kids to code instead of – for instance – criticism, building a thinking process and giving thel the key to explore and understand the world they live in.

I’ve came to see you with the director at a conference you made and we really liked your way to explain the issue 🙂 [This is a reference to this talk]. In this case, with our documentary we’re clearly speaking to “old farts” who tries to graps the issues of the Internet world. It’s kind of rare to be able to get this mssage out on the television even if it done – it’s true – simplistic approach (the young connected person that I embody, etc …).

Yeah, well, since you’re condescending with your audience I have big issues. Also – and you’ve probably never been confronted to that since you’re a young documentarist – a national TV will never let a positive message about internet get broadcasted.

I mean, I’ve tried twice. I got burned, I stop. If you think you can do it, then go for it. But you really should stop considring that people who aren’t conencted to the internet or who doesn’t see it the same way you see it do not live in the same world than you. They have a different culture, but you both share the same world. And excluding them from it won’t give you a better world, it will give you a world where you’ll be in power.

So yes, I could have accepted to meet you, but I will not. You can go see a lot of people, for instance Stéphane Bortzmeyer can probably deals with the “code is law” part. But I will not because I disagree with a lot of your ideas.

I hope you’ll find some answers in this post, and that it will raises some questions.

I wih luck in your project.

Back Online

Last year (or so)

For the last year, and a good part of the year before, I was working for a NGO: The International Federation of Human Rights as an ICT manager. Which – for anyone who ever worked as an operational engineer in an NGO -implies doing way to much work. From helpdesk to help to write reports about internet censorship, from system administrator to webmaster, from training activists during clandestine mission to training officers to use free software. It requires adaptabality, skills and an iron will when it tuns to defend free software on a daily basis.

I learned a lot of things there. Working with interesting people doing advocacy for human rights in the whole world brings a lot. Passionat and dedicated people. I learned what human right are and why they’re important. I developped a lot more cynism than what I previously had – and yes, it means a lot more of cynism – mostly due to some way of realism. I developped a better comprehension of how diplomatics and economics intertwined themselves.

I also learned that you can eshift extremeley fast from defending rights to defending your interests. I see egos destroying interesting project. I witnessed personal interests taking over principles of humanism. I was confronted more than once to paradoxes – for instance people advocating for right for the worker in asia and begging for Apple computers.

I also leraned a lot about me. For instance that I’m not meant for help desk. It’s too much stress and it makes me wanting to rip the throat of people with my teeth. I ended more than once a phonecall for support in a state of almost blind rage and needing to go out and walk or hit something. Or crying. I discovered that I probabaly developped a traumatism by being exposed to too much videos and pictures and texts about horror in the world. I had at least two diagnosed burn-outs in those 15 months. And I did anxiety attack on the job – not because we had attacks on our infrastructure, this part of the job is the kind of pressure I do manage.

I’ve been diagnosed with a severe depression, and for the last two month (or so) I’m now under drugs to keep my mind out of the suicide path he wanders on.

Off the grid

My contract is now over. And believe me, it was a great experience and I do not regreat it at all. I cannot afford to continue working like that though and I needed a full month off the grid.

No talks, no interviews, no code no nothing, not going to the hackerspace. Just playing video games (so in the last month I’ve done Dragon Age Inquisition, Mass Effect 1, 2 and almost the three, Saint Rows the Third and Saint Rows 4, Shadowrun Returns: Dragonfall) and watching movies and tv shows.

And sleeping (10 to 12 hours a day, thanks to melatonin). I’ve spent a lot of time inside my flat with my bunnies and getting out only for food – and the occasional social event with two or three people.

I’m still in this kind of state. Stuck in the present, unable to get outside and to walk into the world o to project myself into the future. I’m witting this from the café down the street, and it took me at least a full week to find the motivation to get there and write this (and read my mail).

So yeah, I was a bit off the grid. Off the world. I used part of this time to think about what I’m going to do next. I cannot imagine doing a job which is not inline with at least some of my political views, which blacklist most of the startups and comapnies I know.

I cannot work for other association or NGO because they will have the same issue and need for a five legged sheep as an ICT person. That rules a lot of things out.

Back online

So, I have no other choice but to find a way to pay the bills and to try to contribute to fight for a world with a bit more fairness in it. The thing that most collective lacks is a way to manage their online data.

Most of them relies on youtube – for instance – to upload their videos, exposing wrong doings and the like. Or use a centralized web services for managing their emails or to share documents.

Most of those collectives have other priorities than to learn key management, or to maintain a dedicated servers. It can even be illegal or dangerous for some of them. When reaching out to a foreign journalists or tweeting about your givernement can have you locked up in a jail without trial, you do not have the time to learn GPG, or how to host a website in TLS.

But this is things I was doing for the last year (and the years before with the telecomix crew). It’s something I wrote about, and I’ve been running cryptoparties for a while.

Also, there is a lot of projects promising about privacy and security of communications. Most of them needs that someone runs a server with the code and maintain it. Which is out of scope for most of the organisation and collectives I know – heck even the nation-wide newspaper here barely have the ressources for it.

This is what I’m going to do. I’ll try to find a way to earn my life with that, but the idea is to provide a mutualized solutions for individuals and collectives who cares about privacy and security. Using only free software, and contributing to them. Providing email, chat, storage and syncing, hosting made for those groups and individual.

I’ll need some help at some point, but the goal is to build a small company which can thrive on it. So yes, it will be a service you’ll have to pay for. Some services will be free – mostly the one that requires few ressources and works – but running server have a cost.

And I do not want to pay that cost with the data of my future users. Or with advertisement (which is the same in the end).

So, I’ll try to start that. I’m doing a lot of thinking and writing about it. Of course I’ll disclose everything about it.

Crypto parties.

Once uppon a time

When AsherWolf coined the term Crypto Party, there was an actual need for a specific part of the population to get trained to use encryption tools. We were in the middle of all the revelation of censorship done in the Maghred dictatorship and dictators were thrown out on an almost weekly basis.

I started to do them with journalists. I got in touch with Reporters without borders and we set-up some session to train a specific part of the population: journalists, field activists, netizens – as RWB keeps calling them.

This is where I learned a lot about GPG/PGP, the advanced use of Tor and of full-disk encryption. Doing those workshops and training did helps me to taught myself how thsoe tools works, what is operational security and threat modelling. I still have a lot to learn on those topics, but that’s how I started it, and that’s also why I did run the first CypherPunk workshop at Le Loop hackerspace.

I did’t have the idea at the time that it will works so well. Then Snowden makes me not a paranoid guy anymore. Things gets crazy, mass-media were screaming on loud that there’s no way you can have privacy online, that rogue agencies were going after each and any of us and everyne gets paranoid. Not careful, paranoid. Everyone lose focus on threat modelling.

Cryptography became hype, I heard speaking about Tor, LUKS, and other things on TV and in the press. I did my share of speaking to journalists, learning how the media works on the field, I did makes mistakes in communication, but in the end I tried to get the message that yes, there’s privacy issue, and no, crypto-geeks aren’t the one with the solution but citizens – people in fact – are the one with solutions.

The local cryptoparty group kept growing. People I used to train were now the trainers, and that’s fracking nice. We gathered more and more people, we tried to get out of the hackespace and to go meet people, creating the Privacy Café, in local bars, with diverse people with all their own problematics.

How we failed the people

And we basically failed them. I once wrote about the Responsability of teaching because I thought we were missing a point. When we set-up those workshops, we have a responsability toward the people who’ll eventually come. We need to give them all the necessary key to understand the problematics, we need to reassure them because most of them are not in a case where they face being jailed by a governement due to a tweet they sent.

The thing is, I wanted the crypto party to be able to function without a central person. Also, I was going through – and I’m still into it – a big depression so I needed to take some step out of things I’m doing, so I let it go its way, because I think it’s the only sane way to do things.

Also, I was growing tired of doing all the same workshops. I wanted something else, playing with new tools, learn new things, experiments new paradigms.

And I think that doing those workshop is not thesolution. I learned that a bit late maybe, but having time to go to a workshop, with your own hardware and a will to develop new skills is a privilege a lot of people cannot afford, I’ll send you to this blog entry wrote by a pop star doing infosec for reference: [A story about Jessica][1]

And fear of internet was more and more used as a teaching tool. And Fear is clearly the worst tool to use if you want people to learn. And I witnessed the militarisation fo the languages which bugs me. A lot. I even done a conference on this topic because we need to not scare the people away from the internet, or the Internet will die and we really need to be inclusive.

And being inclusive means we need to provide security by default. And it means, we need to build network and protocols who’ll take care of that. And that’s one point of strong disagreement with a part of the team. Some of them think that if you’re not able to run command line tools, then you do not deserve to be protected. They think that an interface to a tool necessarily implies a weaker security.

I do agree with that, command line tools with all their flags, are the best way to have a crypto disaster for instance (yes, command line IS an interface). The thing is, we do have some tools with good cryptography AND no interface at all (or almost no interface at all). For instance the Tor Browser Bundle. You launch it, it connects, it disapear and you’ll never hear about it and still you’re connected to the privacy network – and if it can’t connect you can’t use it therefore you can’t put yourself at risk.

Yes, Enigmail – and PGP – is a mess. As well as everything that’s based on key management. For one part because key management is about identity, and a lot of people want anonimity – so no identity – also because no one knows what a good key management solution is. The interface sucks, because the tool it’s based on sucks.

And we could build a mail solution where GPG will disappear, working more or less like TLS, with a warning when the key looks weird, or when youhave no encryption. But we – as the crypto party collective – prefers tell people they’re not good enough to use cryptographic tools.

Well, in fact I stopped teaching GPG in the cryptoparties. I prefer have them use OTR for instance, and install XMPP servers everywhere I can, with strong TLS setup, and have them configure OTR to autostart. It works, they do not even need to worry about it (except the color of the OTR button). Neither they need to worry about authenticate (some people might – depends on the threat model) their contact.

But still, I do have a lot of issues with this attitude I see in this group of people that they know best, they do not question their knowledge. They use fear as a tool, they think that you need to work to deserve protection not that we – as experts, geeks, technicians, whatever – need to build a community oriented and driven network of people with anonimity built at its core – yes, it’s supposed to be what internet is.

And that brings me to this tough issue, wether I should continue working on cryptoparties, or try to do something else. I think it’s easy to quit, to let them be. It’s harder to try to do something with the people who are willing to, and to move forward with them. But there is things in what they say that makes me thinking that we do have a gap in what we want to do with those cryptoparties.

Not being inclusive, not understanding the principles of privileges and discrimination, using fear and militarisation of your vocabulary. All of those are no go for me. And I did not find a way to discuss about that yet, tried the mailing lists but git no answer, tried to meet AFK, but no answer either.

So I’m wondering, maybe I should stop fighting for that and quit. Give the admin access to the lists for them to go the way they want to go and start something else. It’s not easy, but maybe it’s a failure.

I should probably just quit.