Security and Safety

There’s something on my mind that’s been going on for a while. Well, another something going on in my mind.
And it’s about security and/or safety and how those concepts are used today. Or how they’ve been twisted. So, let’s start with what I mean by those terms. They’re often used as synonyms for each other, but I keep thinking that they’re not meant to be.

Security, as I see it – at least in the uncountable use – is a concept related to peace of mind (even the Latin form securitas is about peace of mind). It means it’s something you do not have to pay attention to because it cannot hurt you. I think it’s linked to avoiding accidents and incidents, to putting the potential cause of an accident away. That’s the reason we have more and more automated features in cars, like ABS or ESC, which try to manage traction for you so that you do not have to care about traction loss (and control loss). They’re meant to avoid accidents. Or to significantly reduce your exposure to the risk of an accident. Those are called securities for a reason: they make you able to feel secure while you drive half a ton of metal and plastic at high speed alongside other people doing the same thing, while hoping no one will fail to avoid colliding with the others.
To work, peace of mind requires reducing or negating the perceived risks. You must have been aware that you were exposed to a risk, and then become aware of something which allows you to think that the perceived risk has been acted upon and that you’re now able to stop being worried about it. Feeling secure is something deeply rooted in most animals; it means having certainty about the fact that you can eat, drink, and not be killed by something while you’re asleep. It means taking steps to ensure that you’ll have that tomorrow, and the day after that, and the day after that, until your death.
Security is addressed in our communities by laws and regulations. Whether they’re explicit or implicit doesn’t really matter. They’re made to ensure that, at the end of the day, all members of the community can stop thinking about the threats they’re facing daily. Security implies rules whose purpose is to control behaviors that the community perceives as an existential risk; it also implies active measures to protect oneself from them, which leads either to individuals arming themselves to defend themselves, or to giving this power to a group of people devoted to maintaining security and controlling behavior. And this group of people must display that the rules are enforced, because if they’re not, then they’re not devices for peace of mind. To elaborate more on this, there’s a whole segment of philosophy dedicated to it (Foucault’s “Surveiller et punir” being one example, but 1984 by Orwell or Brave New World by Huxley do address this).

Safety is, on the other hand, everything that exists to reduce the harm done. It’s the plan B, it’s what happens when shit finally hits the fan. To stay with the car analogy, safety is safety belts and airbags. They exist only because there’s a risk of accident that has not been nullified by security measures (laws and regulations). And that is why self-driving cars are such a hard problem to solve, because you can’t have a null risk probability.
Safety is what allows Security measures to fail without doing much harm to everyone. Safety measures are not really peace-of-mind systems, because they only exist because you’re exposed to a risk. When you put a helmet on before riding through whatever traffic with your bike, you become aware of the risks you take, and you try to reduce the harm you’ll suffer when you’re eventually thrown to the ground in the middle of a street because someone didn’t look before opening their car door. Safety is knowing that if someone enters your house while you’re in it, you’ll have a place and space to recover and people to provide you with what you’re missing.
Safety is not about control of behavior, it is about caring for others. It is not peace of mind but it is acknowledging that you cannot achieve perfect security, and that you need to accept some harm. It is about recovering, learning, growing up.

Why do I talk about this? Because I hear a lot about (cyber)security, and not about (cyber)safety. Security being about perceived risk, and applying behavior control in a way that will be perceived as a reduction of this risk, leads to the current regime of mass-surveillance we live under.
I’ve read a Story about Jessica a while back. And I think it addresses the fact that we do not have (cyber)safety, that the infosec community has no clue about safety and what it means. The security-focused industry means more surveillance (logging) and behavior control (don’t click on links, upgrade, choose a stronger password, don’t publish your key, and many of the dos and don’ts prevalent in the infosec community).
In computer science, the safety of the software an entity has to manage is, however, quite prominent. You’ll have backups of the data, backups of the infrastructure, disaster recovery plans, etc. But this is only about the safety of the software. It is not about the safety of users or of the people who maintain it. If you cannot achieve software security for your company, you’ll probably end up fired at some point. All the on-call procedures are just means of maintaining software in a safe state (alive and running, or at least partly running after a crash).
However, users of the software are not protected by those technical safety solutions. What will happen when users’ data is leaked? What steps are you taking to reduce the harm being done to them? You must be able to answer this question. It could be providing legal counseling, or collaborating with law enforcement (not that I’m a big fan of cops). It could be being proactive and warning them as soon as you find out something bad happened to their data, and trying to provide them with assistance in recovering access to your software, for instance.

Holistic security goes even deeper into control. It is based on the fact that achieving full security requires you to have a specific mindset, and that you must take care of yourself in order to achieve security. I find it interesting to link a way of life to exposure to perceived risks. If you sleep well, you’ll be better at security. Too bad you suffer from depression and insomnia, meaning your last good night’s sleep was ten days ago, and it was drug-induced. Holistic security tends to be, from my point of view, ableist. If you’re not emotionally, physically and socially fit, you can’t hope for security. You cannot get your mind off all the stuff that’s preventing you from achieving security. It is, in the long run, blaming the victim. You didn’t take care of yourself, ergo your security has been breached.
I’m not saying that we must get rid of security. It is important to reduce risk exposure. But it has a cost: surveillance and behavior control. I’m saying that we must focus more on safety, on what happens when the cops get you during a protest with your unlocked phone (or they unlock it using your face). What harm will you be facing when someone is blackmailing you over the nudes you got in your Direct Messages – or stored on your computer?
This is the question asked in the story about Jessica. And I haven’t found a lot of answers since it was published. Facebook tries to help with revenge porn, and there are a lot of things being done here (go have a look at what BADASS is doing, for instance). And this is an issue where technology can’t save you (it is, again, something that provides surveillance and behavior control). Safety means there’s something to take care of people and to help them to recover. It means caring about people (not software; it’s just maths, it can’t be in pain), it means trying to make everyone’s life better (and not easier). For instance, Codes of Conduct are security measures. And they’re important because they allow people coming to your community to know that they’re not at risk. Until you fail to enforce your own Code of Conduct, for instance.
Having a post-harassment process to help the victims, and the harasser (yes, I mean that), to understand what happened, to document it, and to provide support for the victim is safety. That is what safe spaces should be about. Not a space where you won’t be hurt, but a space where, when it happens, you’re allowed to take less harm than if you were alone. It is also a space where you’ll be told that something you’ve done did hurt someone – not that you broke a rule. It is a space where people will address your behavior and help you to stop it, not by expelling you, but by a process. It can mean that, for some time, you cannot come to certain places. It depends on how your community provides safety.

Safety is feeling welcome, feeling that you belong to something, knowing that you can make mistakes, own them, and grow out of them. It is not something you can code in your software and, in fact, a lot of the time, your software works against safety.
If your data collection algorithm can be used by cops to identify perpetrators of a crime, it can also allow anti-gay bigots to identify gay people in their surroundings. It can be used by an abusive husband to find out where the woman he lived with has fled. It can be used by adults to expose teenagers sexting each other. It can be used to locate where a camgirl lives to stalk her.

And what are the perceived risks your collection of data is protecting users against? You have to wonder if people can conduct drug traffic or do sex work using your software, and if, by using your data-collecting software, they put themselves at risk if you cooperate with cops. Security, in this case, would be to not use your data-collecting software. If you value the possibility for the law enforcement community to identify sex workers more than you value their safety, it means that you’ve got a political motivation for keeping several years of activity logs.

Keeping data about people is collaborating with cops, harassers and stalkers. It is not about the safety of your users, it is about security and control. If you want to do cyberSafety, then it must be impossible for cops to identify anyone with the data you’ve got. It means that you must not be able to formally identify your users. It also means that you must not do ad tracking. It means that the well-being of your users is important to you, whatever they do in their life, whoever they are.
Stop logging, start caring.

[Repost] Google, Amesys – same fight

So, I’ve changed things around here and I’m trying to get some writing done soon. In the meantime, I’ll repost here an op-ed I wrote at La Quadrature du Net (from which I’m currently off due to mental health issues, more on that later), so here is the original text (written in French) and, of course, there’s more on the LQDN website.

From 21 to 24 November last, in Villepinte (Paris region), the Milipol trade show (for Military/Police) took place, “the worldwide event for the security of States”.

In addition to the usual arms traffickers and dealers who are the pride of French industry (let us spare a fond thought for Michèle Alliot-Marie, who exported our know-how in maintaining order to Tunisia), there have been, for a few years now, vendors of computer equipment and of population-monitoring solutions.

You have surely heard of Amesys, Qosmos, Palantir and other Hacking Teams, which have specialised in developing turnkey solutions for spying on and surveilling the population. And, business being business, most of them sell to anyone who wants to buy equipment, whether the Libyan or Syrian dictatorships or the Western social democracies compatible with the market economy (France, Germany, United Kingdom). In these cases we speak of surveillance capitalism, that is, of measuring the value of things through the function of surveillance.

Surveillance is based on knowledge. In epidemiology, for example, it means knowing the infectious vector, documenting it, knowing how it spreads and is transmitted, measuring its possible incubation period, and determining its symptoms in order to understand how it works and possibly find a cure.

In the context of the surveillance of people, this translates into knowing these people, identifying them in time and space, knowing their habits and their ways of reacting, measuring their sensitivity to this or that idea. Surveillance is knowledge. And knowledge is what makes it possible to define things, to identify them. Surveillance capitalism is therefore a capitalism of knowledge, of identity. What Amesys, Palantir and others sell to their clients is the assignment of an identity, defined by them or by their client, to a group of people on the basis of measurements and observations, i.e. data.

In the case of States, this assignment of identity leads to consequences that can be extremely violent for certain populations, leading to heavy repression, the removal of a certain type of people from a certain neighbourhood, and predictive injustice based on statistics skewed by racist biases – structural racism – which can therefore only reinforce those biases. Smart cities, in their most extreme version, are the final stages of this process: the permanent, fixed identification of every individual at every point, the impossibility of using common and public services without revealing one’s identity, without giving the watchers even more knowledge about our lives and our identities, to allow them to better define our identities, to better sell to States the determination, the essentialisation, the reduction of the complexities of our lives to labels: terrorist, migrant, refugee, Muslim, woman, queer, good citizen.

In this analysis, people very quickly, very often, talk about algorithms or artificial intelligence. They are accused of every evil: of being racist, of glorifying genocide, of being sexist, of censoring sex-education content, of making sexual minorities invisible, as if artificial intelligences, algorithms, had consciousness, emerged from nowhere, had decided to be neo-Nazi. Sorry, alt-right. But, in the end, nobody says what algorithms, or artificial intelligences, are. Let’s start with the latter. Artificial intelligence is an algorithm of great complexity that uses large quantities of data to give the illusion of intelligence, but an intelligence that does not understand what a context is and has no consciousness. That leaves defining what an algorithm is.

Let’s call on Wiktionary for help. An algorithm is a “general method for solving a set of problems which, applied systematically and in an automated way to a datum or a set of data, and repeating an elementary procedure a certain number of times, ends up providing a solution, a ranking, a highlighting of a phenomenon or of a profile, or detecting a fraud”. It is therefore a mathematical formula, not taking particular cases into account, whose purpose is to analyse data in order to find a solution to a problem.

These algorithms are not in charge of collecting the data, defining the problem or making decisions. They analyse data that is passed to them and provide a classification of that data according to criteria decided by the people who write them, configure them and use them. All of the facial-recognition problems that most Silicon Valley companies have run into result from the data set used to identify and recognise a person, because it contained only images of white people. Microsoft’s chat bot – Tay – turned out to make statements denying the Holocaust or calling for murder and extermination. Not because Tay has a political consciousness that lets it understand what it is saying, but because people flooded it with racist or Holocaust-denying statements, providing a corpus of data that served as the basis for the chat bot’s interactions and thus led it to write racist and Holocaust-denying statements. Microsoft quickly took the chat bot out of circulation, and the company has since promised to be more “attentive”.

At the same time, we also hear, more and more, about the attention economy. About attention capitalism. What would have value is what we pay attention to, what we look at. The implication being that we, users of this system, are able to choose what we want to watch and read, to choose the knowledge we have access to. The Internet allows, in theory, non-discriminatory access to all information and data, and therefore to knowledge and learning. After all, knowledge is information that I access for the first time. And this acquisition of knowledge allows me to understand the world, to position myself in relation to it, and therefore to define myself and to understand it, which is exactly what the mass surveillance systems used by States do.

Regulating access to information and choosing which content to show to which person therefore also makes it possible to control how people will define themselves, how they will understand the world. The attention economy is based on this principle. To guarantee that you interact with the knowledge offered to you, which is how these new capitalists measure value, it is important to surveil you, to measure you, to analyse you, to assign identities to you. And therefore to control the knowledge you have access to and the knowledge you produce.

The gigantic platforms funded by the GAFAM serve exactly this purpose. Facebook actively prevents you from accessing all of the information present on its network, asking you to log in to access platforms other than its own, or tracking you everywhere once you are logged in, thereby allowing it to harvest even more knowledge about you, to increase its capacity for surveillance and therefore for identification and control. In this case it fulfils exactly the same function as the repressive systems of state regimes.

Notably because Facebook, Apple, Google, Amazon and Microsoft decide what it is moral to do, which identities should be reinforced or, on the contrary, devalued. For example, YouTube, by removing the possibility for content about sexualities to earn money for its creators, sends a fairly clear message to people doing sex education or talking about issues affecting queer people: your production of knowledge is not welcome here, we do not want people to be able to identify with you. The same goes for Facebook and its relationship to nudity, or Apple, which also filters anything that might talk about sex, even if it means censoring museum content. By devaluing certain knowledge, by removing it from certain platforms, the people at the head of these companies make it possible to erase entire sections of society from public space altogether, to silence the voices of minorities, to prevent their values from being contradicted, and thus to reinforce the biases of the people consuming the available knowledge, leading to a polarisation, a simplification and an antagonisation of the world.

So yes, Facebook in itself will not put anyone in Bashar al-Assad’s jails, at least not through active complicity, but the company is part of a system with two faces. A violent, repressive face, feeding the paranoid delusions of States, on the one hand, and a “soft” and insidious face, using advertisers and the restriction of access to knowledge to allow conservative companies to impose their bipolar vision of the world on us, reinforcing feelings of belonging to an identity group, with the violent consequences we know.

And to be convinced of this, one only has to look at the links between these two faces. Peter Thiel, founder, with Elon Musk, of PayPal, and who now holds 7% of Facebook, is also the founder of Palantir Technologies, a company which has, notably, won the public contract for the black boxes in France, while also being the official tool of the NSA. Thiel also took part in the numerous lawsuits that put Gawker out of business following Gawker’s revelation of P. Thiel’s homosexuality. Thiel, finally, is one of the influential backers of the North American Republicans; he notably took part in Ted Cruz’s campaign before joining Trump’s team and taking part in the White House transition. He has therefore necessarily talked, exchanged and spoken with Robert Mercer, one of the directors of Cambridge Analytica, a company whose aim is to target voters using numerous collection points, mainly harvested by Facebook, in order to be able to target them directly and influence their votes.

So yes, when the question of dismantling Google is raised, the question of dismantling Palantir arises too, as does that of wanting to prioritise the latter because they represent a greater danger to everyone’s security. But without the omnipresence of identification systems, without the exabytes of data harvested without our consent in order to individualise the content we have access to – according to criteria over which we have no control – putting surveillance and identity in place becomes complex, costly and impossible.

We must dismantle the identity-based capitalist systems if we want to destroy the systems of oppression based on identity or on biased access to knowledge. We must free ourselves from the engines of this system, which are advertising, tracking and permanent identification. We must question and dismantle the racism, neo-colonialism and sexism of Silicon Valley companies instead of being surprised that their algorithms are racist. For they have become omnipresent and prevent us from defining ourselves, from living, from existing as we see fit, with our complex cultures and our changing identities.

And Justice for all

Trigger Warnings: Rape, Paedophilia

Prison song

I’m not really going to elaborate on the fact that the current prison system (either in the US, or – basically – everywhere else) is broken and walks on its head. If you want to contemplate the disaster, you can watch Prison Valley, get facts from OIP or read testimonies made by, basically, every inmate, their families, their friends about what prison is doing to them.

I could tell you what the incarceration of my father for paedophilia did to me, how I had to hide it, to lie every single day to basically everyone, to pretend it did not happen for the sole purpose of surviving through middle school, and that it didn’t solve anything, because he got convicted a second time for similar crimes years later. You’ll notice that neither I, my sisters nor my mother have been found guilty of anything, but still, we paid a price. For justice.

I will not argue that prison is the worst solution to any problem. At best, you put people on hold and free them, expecting them to behave when they get out. At worst, it’s a political tool used to criminalize populations and build resentment upon some populations (yes, it’s a tool used for power to keep people in check) while creating more sociopaths, storing them away in inhumane conditions, and forcing them to work – and so destroying jobs outside of jail.

Prison should not exist. Even for serial rapists, paedophiles, killers, abusers of all sorts. If your only answer as a society is to store them away, in a dark room, hoping they’ll get better, you’re delusional. I do believe people can change, but they need help, acceptance, and a possibility of failure.

The thing is, prison is intricately mixed with the notion of justice. We tend to think we deserve justice, but I’m not sure we really think about what it means. The justice system, as it’s currently implemented in most parts of the world, is a punitive one. The principle behind it is that if you do a wrong to someone, you should pay for it, one way or another. You should not pay to the victim, but to society.

Basically, it’s the biblical principle of the Talion’s Law: an eye for an eye, with interest. That interest exists to deter further wrongs from being done and because the perceived loss might be above the material loss. When it comes to non-material wrongs, it gets complicated.

The justice system tries to determine what the impact of the wrongdoing is and what the personalities of victims and perpetrators are, to find an appropriate sanction. Basically the process of justice tries to evaluate the cost of a human life, which is an extremely capitalist view. The life of a worker, or of a woman, is worth less than that of a CEO, for instance. That’s why stealing and destruction of property are so harshly sanctioned, while rape or harassment in the workplace is rarely sanctioned.

We deserve nothing

But you probably all know that, I’m just writing down some ideas in a text file. The thing I want to get to is that we deserve nothing. We do not deserve justice. It sounds harsh, I know, but when you look at it, the whole justice system is built around punishing.

And if you want to not act randomly (because, you know, you’re a sophisticated society built on principles from the 18th century, principles formed by white people of the bourgeoisie), then you need to define what should be punished and what should not. You need to establish what the norm is and to enforce it. You need to make sure everyone understands what the personal costs of transgressing this norm are, and you need to know who is behaving and who is not. You need to be Santa Claus, knowing all the dirty secrets of every kid, and deciding which one will get presents and which one won’t get anything.

You’ll justify it with the Law. The Book Of The Law. We modernised the process since biblical times (where Moses got high on drugs on a mountain and wrote stuff on marble tablets because he was afraid of losing his grasp on power). You’ll enforce it with a dedicated group of people: cops. And then you’ll give them the power to sort people between good and bad guys. To do that you’ll give them the power of mass and systemic surveillance.

This notion of justice most people want requires mass surveillance. And prison. And a norm. And I’m still wondering: do we deserve justice? I tend to believe that, as members of a society, we deserve nothing. We do not deserve to be happy, to have a good life, and the like. Deserving something means that, inherently, the world in which you live should give you something.

I think the only thing we deserve, as individuals, is the fulfilling of our needs (physiological and/or mental). Not justice, not love, not a family. I could insert here a reference to Maslow’s pyramid, but the model is a bit simplistic and outdated. I don’t think the notion of justice is a need. The closest thing that would be associated with a need is the need to be recognised, to be esteemed by others. To live in dignity and respect. And either everyone deserves that, or no one.

As stated before, prison strips individuals of their dignity, of their respect, of their esteem (by others or by themselves). And I think the notion of justice cannot be dissociated from the notion of prison. As long as you ask for people to be thrown in prison, you’re losing your access to living in dignity.

Where do we go from here

We do not deserve justice, and I think that, in our communities, we really should work on that. Justice is an outdated system used to justify incarceration, mass surveillance and therefore systemic discrimination.

What we need to think of is harm reduction, which is at the core of the Transformative Justice theory. The idea behind harm reduction is to provide communities with tools to help them avoid harm in the first place, and then reduce the impact of it.

That’s the idea behind collective insurance, for instance. A collective effort can help reduce the burden of an accident. It requires accepting the fact that some people might not want to behave, or are not able to. And that you need to have structures to act before something happens. Calling out rapists or aggressors helps to do that, but it deprives the aggressor of the possibility of change. This is a community response to a trauma. It does not reduce the trauma of the victim, but it tends to reduce the potential harm that a person can do.

But I think we can go further. Paedophiles, for instance, are almost universally perceived as monsters that should rot in jail forever because they hurt children by kidnapping them and tying them up in a closet, making them their sex slaves. Which is as accurate as the depiction of the rapist as a stranger who will jump women in the street to rape them and kill them.

In Berlin, a program has been started to help paedophiles who have not committed an aggression. You can read about it here and it seems to be successful. They allow paedophiles to talk about their issue, to have access to treatment and to manage their life with dignity and without hurting kids. This is not the only program, but a lot of them are targeting offenders (you need to have molested a child to enter some of those programs).

Which is a better outcome than sending them to jail, with a so-called obligation of treatment (it did work so well that my father did get back to jail ten years after), or stacking them in prison cells, refusing to deal with them, don’t you think?

I have to add that, on a community level, I think this can work well with violence from the inside, not with harm done from the outside. You deserve dignity, so you should protect yourself against aggression, especially as a community. A neo-Nazi entering a self-managed bar is an aggression, so you should give yourself ways to protect against this violence from outsiders.

I think that the idea of transformative justice is interesting. The idea is to change the society to reduce harm being done, not trying to repair the victims (which is restorative justice) or trying to avenge them and dissuade potential perpetrators (traditional justice).

To ease the way of harm reduction, we – as a society – need to be able to accept that perpetrators exist and are human beings. And that they can change. We need to accept that, most of the time, a victim will endure some traumas that cannot ever be repaired fully – but they can learn to live with them. We need to accept that, as a society, we have a role to play in aggressions and in mitigating them.

One of the ways of mitigating is to think of what enables aggressors. What makes them act, and why would they think it’s OK to act this way? With the traditional justice system it’s often the perceived impunity. If a cop will not accept the complaint made by a victim, then the aggressor will never ever be confronted with the harm he did, so he will act, and probably repeatedly.

Another enabling factor is the social status of the perpetrator. Being a well-established person, with power over a community – because they’re doing important things – will enable a perpetrator to do whatever they want; think about R. Polanski, J. Depp, J. Applebaum for instance.

That is why it is important to avoid social structures which enable people to do harm. Meaning, you should not have only one person in charge of this important thing your social group needs to survive. Every structure which has only one person in charge will lead to harm. That is why I think it’s important to attribute successes and failures to collectives, not to individuals within those collectives.

We also need to think about the friends of the perpetrators. Some of them are enablers, some are afraid of consequences if they act against their friends. I also tend to think that stripping a perpetrator of his friends by punishing them for actions he did will not help those people to come forward and discuss an issue that bothers them.

I think that most of the harm reduction process is about communication and speech. Being able to talk about something without being thrown out of a group is something important. And you should be supported to come forward, you should be accepted for that. If someone does not understand consent for instance, or has trouble with it, this person should be able to talk about it, at least to someone. Yes, it means that you need to keep those discussions private.

Last point, you do not need everyone to agree to that. But you need to have people who want to try it and to work on it. You should also be careful about not converting them into enablers, that’s why it’s something that needs to be addressed by your communities.

I really think we have an issue with justice. We claim we deserve justice while it’s a tool made by and for the power. Or we tend to mix justice and revenge. I think we should really work on those topics. Protection of whistleblowers, privacy and other related issues cannot occur in a traditional justice system since it is intertwined with mass surveillance, systemic discrimination and the like.

I’m not advocating for vigilantes either, which is a protection from the outside (and yes, you might need, at some point, to have people who can physically resist adversaries, but that’s a different topic). But really, if we want to reduce aggression by members of our communities toward other members of these communities, we cannot rely on the notion of justice,

Redefining privacy

Let’s redefine Privacy, shall we?

There are a lot of issues with Privacy. I already wrote about it some time ago, but I think that in fact the current definition of Privacy is an issue. For starters, no one is able to provide me with a definition of privacy.

Is Privacy a secret?

The definition I encounter the most can be summed up a bit like this: it’s everything that is "none of your concern". It’s the version of Privacy I used in my previous post and, I think, it’s probably the one that’s defended mostly by people who basically are not discriminated against by systems of oppression (states, but not only).

There are two main issues with that. First, there are things that you cannot "hide", such as your apparent gender, or the color of your skin, and those will subject you to systems of oppression – I won’t spend time exposing them, but please feel free to read some useful documentation. Second, there’s the fact that secrecy is used to hide things – that’s the purpose of a secret. You want to keep others in the dark about what’s happening. David Cameron just said that his personal investments in Panama are private matters. Conjugal rape and other in-family sexual assault are always hidden under the veil of the "private matters" that should be treated only inside the family.

I mean, clearly, secrecy is a bad thing. Not only for governments, but for people in positions of power and control over others. I’m not advocating for full publicity of everything, but for questioning: is privacy a synonym for secrecy?

Do we really want to hide all of our lives from our society? If we want to redistribute wealth, we need to know about the income of each person. If we want to act upon the discrimination women face, we need to know about this discrimination, we need to know about who’s identified as a woman and to act upon the people who discriminate against them.

If we want a world with a bit more fairness inside, we might need to be able to be a little bit more public about our lives. Society is built on the intersections and interactions we have with each other. The positive ones, and the negative ones. The society, the cultures we live in, are not – I think – powered by the things we have in common, but by the differences we have and the different experiences we’ve been through.

So, privacy as the thing you keep in the closet is bad – go talk to queers about living in the closet to see why this kind of privacy sucks.

Also, I do not think that the right to privacy – as described by Article 12 of the UDHR – is defined by what we keep secret. This right is defined as protection against arbitrary interference. It doesn’t state that it has to be secret. It protects against interference, meaning influence, actions, perturbations. It is not about knowing about it.

The issue with mass surveillance – and why it’s so bad – is not that it allows a passive global observer to exist, it is that it creates an active global discriminator that will sort people between good citizens and terrorists, based on what data we create. Mass surveillance described as a passive global observer is an issue. The mass surveillance complex is used by power structures to maintain their power over people, by creating and enforcing discrimination. This is clearly a violation of Privacy because it is arbitrarily interfering in the lives of people. But it’s not because they collect the data.

This is one of the things about mass surveillance: it does not exist in a void, it exists as a political tool of social coercion. It’s not the data collection and gathering that’s the real issue. With the amount of data collected, we could have a real source of interesting data for sociologists, to help them describe our society and give us clues to change and improve it.

So, no. The fact that a passive global observer exists is not the issue. The issue is that it is in fact an acting and active global discriminatory system. And secrecy is only a way to protect against the passive global observer. It does not enforce privacy. It does not define privacy. It does not help you to protect yourself against discrimination.

Is Privacy your identity?

I’m not sure. Identity is a social concept (and a psychological one, it sucks when you use one word for two different things). It’s how you define yourself at some point in time, and how you are recognised and defined by others, based on their cultures and social cues and norms they have.

You decide how you want to define yourself, with regard to the current social cultures you bathe in. You adopt, reject, create or appropriate parts of this culture to form your identity and to express to society who you are, and how you’d like society to consider you.

Your identity is – at least partly – publicly displayed and used by society to interact with you. This is where discrimination will take place. If you’re identified as a woman – whether or not you define yourself as one – and the society we live in discriminates against women – and we live in such a society – then you’ll be discriminated against.

Which basically seems to be a good match for arbitrary interference as specified earlier. It seems to me that the elements you use to define yourself, the elements used by others to identify you and to relate to you, are better candidates than the ones you keep secret.

What it means is that our privacy, what’s private, is the core of how we see ourselves. It’s not what we want to subtract from public scrutiny. It’s how we want to be identified. And our right to privacy is basically our right to define ourselves however we want – in a social context – without being discriminated against for it.

It does not mean that if you want to define yourself as a patriarchal asshole you’ll be able to act onto people as you want. It just means that defining yourself as a patriarchal asshole shouldn’t mean that you’ll be treated in a specific way. The things you say, the things you do are what will bring you trouble, but not your identity.

Basically, enforcing privacy is trying to find a way to end discrimination of any kind. It’s not providing tools – secrecy – to create more discrimination. Fighting for privacy is understanding that the world is non-binary, that no identity should be subservient to another; it’s fighting for sanctioning people for what they do and not what they are.

Yeah, OK, but where does cryptography come into play?

Cryptography is needed because – in a world of oppression – you need to organize yourself to change that. And to organize you need secrecy, at least temporarily – until you act. It is not a right as protected by any of the articles of the UDHR, but it is mentioned in the preamble:

Whereas it is essential, if man is not to be compelled to have recourse, as a last resort, to rebellion against tyranny and oppression, that human rights should be protected by the rule of law,

Meaning that, if your right to Privacy is not respected, then you need to react and fight for it. And for that you need secrecy, you need to hide from the spies and the forces that try to remove your rights.

Because, in the end, the only rights you have are the ones you fight for. And this is where cryptography will help you. Cryptography will allow you to disobey, to organise dissent, to rebel, to have some time to breathe. But it will not help you to enforce Privacy and the right to self-determination.

And I think we all need to rethink this: privacy is not what is secret, it’s what makes us individuals. It’s what gives us the right to coexist in the same society. And this is why we all need to fight for it. Without privacy, there are only bland humans without identity. Without privacy there’s no place for non-mainstream people. Without privacy there’s no way to evolve and progress. Without privacy, there’s no I or You. There’s only us. Forced into an identity we didn’t choose, think, define, accept, create.

Those identities are the ones created by the global active discriminator to divide us. They are the nationalist ones, they are the Charlie ones. They’re the ones of the dominant classes and we’re stuck with them, without a possibility to exist outside of those schemes without being violently confronted.

We should fight for this privacy. For the possibility for anyone to self-determine themselves. And stop believing that we currently have access to it, or that cryptography will suffice.

PJL Renseignement … stop fleeing!

PJLRenseignement

If you haven’t heard, there’s an emergency law currently “debated” in France, which wants to legalize illegal practices from the Intelligence services (both domestic – DGSI – and foreign – DGSE), give them impunity, circumvent the judge, and move toward massive discriminatory surveillance.

The hashtag is full of reports of people opposing it (from Human Rights defenders and NGOs to citizen collectives such as LQDN to companies and businesses of all scales). So yeah, it’s the law the NSA’s head is dreaming of.

There are two issues I want to discuss here. Not sure how it’ll end, but here it goes. The first one is why fighting surveillance is – in my opinion – the wrong fight and the wrong way of doing it; there’s more to this than just surveillance. The second is about all the geeks and hackers trying to flee France, to move their businesses out of it, and other “abandon ship” strategies.

Fighting surveillance

So, surveillance. As Quinn Norton and Eleanor Saitta stated one year ago in their talk at 30C3, surveillance – in itself – is not inherently good or bad. Surveillance is watching, and – when you want to interact with something – you need to watch it. It’s hard to grab something precisely in the dark (you can do it, but it’s hard).

You need surveillance to expose corruption for instance. Or fascism. Or any wrongdoing in fact.

So, the issue discussed is not – and should not be – the surveillance per se. The issue is that this whole process is secret, hidden, undocumented, without control or regulation.

What does it mean? First, it means there’s an asymmetry in information. Something knows more about me than I’m able to know about them. What you do not know controls you; it means that this imbalance of power gives the state more control over you.

It makes them able to act upon you in a discriminatory way. The gigantic issue here is that. It’s not the surveillance, it’s the lack of control. It’s the fact that no one is watching the watchers and has a way to act upon them. What frightens me most in this law is the wording used: “secret defense”, “higher interest of the state”, “impunity for state agent” and things like that.

I’ve ranted on Twitter about the black boxes that will be able to algorithmically identify threats. The thing is, a lot of people lost sight of what an algorithm actually is.

It’s a parametric mathematical function applied to a set of data in order to classify information – or at least that’s what is intended in this specific use case. The magic word in algorithms, machine learning, classification systems is just this: parameters. The way you choose your parameters will change the way you classify your data.

How many occurrences of jihadist-related news do you need to have in your browsing history to be classified as a jihadist? How many hours a day do you spend in this chatroom? How many times a week do you go there?

Those numbers – the ones that we as citizens will never hear about – are political tools. The way you choose them, and why you choose them, creates classifications of people and will make you decide who needs to be swatted or not. That’s where the ugliness begins. Those numbers will be chosen to discriminate against people depending on their backgrounds.

I mean, they’re already discussing exceptions for surveillance – especially for journalists – which means that they’re clearly lying when they say it’s an anonymous data collection; they’re already discriminating between people based upon their traffic.
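To make the point about parameters and the journalist exemption concrete, here is an added example (not part of the original post): a toy threshold classifier run over a constructed population of 1,000 profiles. Every name, role, count and threshold in it is invented for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    role: str                  # known only if the data is NOT anonymous
    visits_per_month: int      # visits to pages on the watched topic
    chat_hours_per_day: float  # time spent in the watched chatroom
    is_threat: bool = False    # constructed ground truth, unknown to the classifier


@dataclass(frozen=True)
class Params:
    min_visits: int
    min_chat_hours: float
    exempt_roles: frozenset = frozenset()


def build_population():
    """Constructed sample: 1 real threat among 1000 people."""
    people = [Profile("threat-0", "other", 12, 3.0, True)]
    # People who read a lot about the topic because it is their job.
    people += [Profile(f"journalist-{i}", "journalist", 40, 1.0) for i in range(5)]
    people += [Profile(f"researcher-{i}", "researcher", 25, 4.0) for i in range(3)]
    # Curious readers following the news, never in the chatroom.
    people += [Profile(f"reader-{i}", "other", 6, 0.0) for i in range(50)]
    # Everyone else: 0 to 2 visits a month.
    people += [Profile(f"other-{i}", "other", i % 3, 0.0) for i in range(941)]
    return people


def flagged(population, params):
    """Return the profiles the classifier would flag under these parameters."""
    hits = []
    for p in population:
        # Applying an exemption requires knowing who the person is.
        if p.role in params.exempt_roles:
            continue
        if (p.visits_per_month >= params.min_visits
                and p.chat_hours_per_day >= params.min_chat_hours):
            hits.append(p)
    return hits


def summarize(population, params):
    """Count flagged people, true/false positives and flagged roles."""
    hits = flagged(population, params)
    true_pos = sum(p.is_threat for p in hits)
    by_role = {}
    for p in hits:
        by_role[p.role] = by_role.get(p.role, 0) + 1
    return {
        "flagged": len(hits),
        "true_positives": true_pos,
        "false_positives": len(hits) - true_pos,
        "by_role": by_role,
    }


if __name__ == "__main__":
    population = build_population()
    settings = {
        "many visits only": Params(30, 0.0),
        "visits + chat time": Params(10, 2.0),
        "low bar": Params(5, 0.0),
        "low bar, journalists exempt": Params(5, 0.0, frozenset({"journalist"})),
    }
    # Same data, same code: only the parameters change who gets flagged.
    for label, params in settings.items():
        print(f"{label:30s} {summarize(population, params)}")
```

With the same data, the first setting flags only journalists and misses the one real threat, the third flags 59 people of whom 58 are false positives, and the exemption in the fourth only works because the `role` field identifies the person.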

So, the surveillance is not the issue. Neither is the privacy. The issue is the lack of control. The issue is the absence of transparency. And stop fighting surveillance by saying you have a right to privacy. That’s true, but then it enables politicians to call for the “right to be forgotten”, which will only help them evade justice.

The issue is that mass surveillance, done by an oppressive system, is a tool of segregation and racism. Because in the French context, where we do not speak about Arabs anymore, but only about Muslims (and in a way that makes people think that all Muslims are Salafists and potential terrorists), I’ll bet 2 BTC on the fact that they will be the ones specifically targeted by this surveillance.

Same goes for the poorer of us. Who happen to be the ones who are not the white guys, who are also the ones who fight for survival and acceptance at all times. I’m quite sure that if the system catches a white and rich guy, he will go in the false-positive trash and nobody will incriminate him.

So, stop fighting surveillance for its own sake. I should not need privacy in a non-oppressive system – that’s even how you determine you’re living in a non-oppressive regime: what you do and what you are cannot be held against you as long as it does not threaten the safety of someone else. But go fight the state-implemented discrimination.

Don’t run away. Fight.

Which leads me to this other point. We – as citizens, as a collective – need to fight that. I refuse to abandon the ship. I’m witnessing a lot of data-exodus. People actively looking to host their data abroad. Commercial companies – such as OVH – are looking to build datacenters elsewhere.

I can understand why a company would do that. They would because they intend to respect the law. Because they do not want to risk their existence to protect their customers, so they’re running away. But the thing is, if you flee, then what will happen when the country you’ve fled to also changes its laws and regulations? Flee again?

That’s not a sane way to do things. That’s why we have civil society, to oppose the state, to try to restore a bit of balance in the distribution of power. If you flee, you say to the state: you can do whatever you want, I just do not care about it.

If you’re a big company, with a lot of money, yes, you might have some power against the government; they will have to choose between reinforcing their power or keeping some jobs in the country. But, well, if the state initially wanted to defend its citizens’ best interests, it wouldn’t be trying to deprive them of liberties, right?

So, fleeing will only preserve you. And, well, you’re still a French company, with offices in France, so you still need to obey the law. OK, you’ll be somehow outside of the DGSI’s reach. But your customers won’t, since they’ll still be in France and they’ll still connect to your infrastructure from France, from inside the Dragnet. Which basically won’t protect them and can even give them a false feeling of security – which is worse.

What can you do? It’s time to protect your customers, your users. The people who’ve put trust in you. You do have a choice – and it’s not an easy or simple or risk-free one. You have to choose between taking care of your users, and actually keeping the promises of security you’ve made to them, or obeying the law. That’s called civil disobedience and yes, you can end up in jail. But you’re not alone, and a legal defence fund is something you can create or ask for help from.

Yes, it might seem easy to say. But that’s what I intend to do with my project. Providing tools for activists and militant groups who need them. In a way that will try to preserve most of their privacy. I do not intend to respect the law to do that. I do not intend to hide myself.

Hosting data for other people is a political statement. I’m sick of hearing people asking for a country where they could safely host their data. You can do it wherever you want; if your government has decided to jail you, they will be able to do it – wherever your data is. What we need is not a list of foreign hosters who are out of the French territory and jurisdiction, what we need is a government who actually protects us, not themselves. What we need is actually to take a stance.

Privacy cafés, camps, cryptoparties et al. are good and nice, but they do not solve the main issue. When are we really going to show those who’re in charge who actually is? When are we really going to send them a middle finger?

Do not flee. Do not let them scare you. Fight back. Federate. Protect the

The NSA and the hypocrisy

Context

Finally, the French government is going to react to the NSA mass spying. Just after the first article published by Le Monde (there might be a paywall). Technically, it’s nothing really new since we’ve read the same for Mexico, England and Germany these last days – use your search-engine fu to find related articles.

Oddly enough, 6 months after the first revelations, the French Foreign Ministry has immediately summoned the NSA^WUS ambassador to talk about it. At the time I’m writing this, the results of the meetings are not yet public (and I don’t even know if the US Ambassador will answer at all) but, in the end, nothing will change.

Also, we currently have, in France, yet another debate around yet another expulsion of yet another school girl (directly from school) and a lot of discontent about our Ministry of Interior. I don’t think the summoning of the US ambassador is done only to try to have people forget about this issue, but the timing is troubling.

First, the obvious – Why is the NSA spying on the French

This is the first time that a national newspaper of broad audience (Le Monde) is directly releasing and analysing Snowden’s documents. Before today, it was only comments and translations of foreign newspapers and some analysis done by smaller press outlets.

Le Monde is used to doing this kind of release since it was the partner of Wikileaks for the CableGate and, at least parts of, the Warlogs. And they got a lot of attention when they did that, so I suppose that this article, and the apparently starting collaboration between Snowden’s news agency and Le Monde, is starting to gather political momentum.

And the French government is craving achievements. There’s a lot of discontent right now – not enough to pull people into the streets, but enough to increase the extreme right wing’s voter pool – and they might want to do something good. Political momentum from the NSA scandal might be the right one to convert into good reputation.

However, they always seem to be discovering the fact that the NSA has spied on French citizens and officials. They have known it since, at least, June and I won’t admit that they didn’t have strong suspicions before that. This is just something they’re doing to occupy the news space, and try to divert people from ongoing issues – hate speech, immigration, economic situation, job issues, pick one or many of them and you can even add to the list.

Friends and foes

NSA says they’re spying on anyone to find terrorists. So, it means that:

  1. They do not trust us and think that there’s a big enough risk of a terrorist strike on US soil coming from French soil. If that’s the case, it means they do not trust their allies. So why are we even part of NATO?
  2. They trust us, but they think our own spying services are lame. I can get it, but then, since we’re allies, they’re probably sharing intel with us. As they’re doing with the UK secret services: GCHQ (GCHQ seems to be the NSA’s reach in EU).
  3. It’s not about terrorism, or a risk of war. Then it’s mainly an economic issue and the NSA uses its powers to take over some markets for the benefit of US companies – the ones who work with the NSA.

The economic angle

The economic angle is something interesting. In the French IT industries, we have mainly two kinds of actors favored by the state. Former State companies – France Telecom aka Orange, Bull but it was a failure, etc – and big well-established names – and for the computer stuff it will be US companies.

One single example is quite interesting. Since France is part of NATO, we must comply with some interoperability on different levels such as ammunition, information systems and management, and strategies.

I like the ammunition part, because it explains well what interoperability is. The NATO calibers are standards. And if you want to have your rifles, guns, rocket launchers, whatever, approved and used on NATO battlefields, you must be able to fire them.

It doesn’t mean you must use Colt’s M16, just that your own rifle must be able to fire the NATO ammo. In France we use the FAMAS (French automatic rifle), the US use the M-16. That’s interoperability.

For information management, NATO requires the same level of interoperability. You must be able to send and receive data to and from any NATO system. The US used their own version of Microsoft Windows, hardened for their specific needs.

France uses the Bull system. No, it’s a joke. Mouhamar Khadafi uses the Bull/AMESYS system we sold him. We prefer using the Microsoft system for our critical infrastructure, which is the army. We’re able to manufacture great tools and weapons and we can even sell them to dictators without blinking, but for our own needs, we’d rather rely on the armed arm of the NSA: Microsoft. The Open Bar contract was exposed in April 2013, just some months before the Snowden revelations.

And we now know that Microsoft is a big part of Prism since the 9/11/2007. The fact that the French military’s head didn’t even think about it is an issue. And I would suspect Microsoft to have used the NSA to spy on and influence the deal.

The strategic angle a.k.a they do not trust us

In the diplomatic game, you can’t really rely only on the good behaviour of your allies. Especially since allies of your allies can be your enemies. For instance, Turkey is an ally of the US since it’s part of NATO. But I’m not sure all of Turkey’s allies are allies of the US.

Same goes for Pakistan.

So, a paranoid and schizophrenic state like the US is spying on its allies. That’s standard diplomatic procedure, and that’s what embassies are for. However, in this specific case, the NSA is going way further than simple state spying. They’re spying on everyone – I mean, we’re talking of about 7M phone calls from France in a month – that’s a lot.

Also, France has been criticizing the US on some key political and foreign issues such as the Iraqi intervention, and the US stance toward the whole Israel/Palestinian SNAFU. So, they might be interested in some data, and since we host some movements which threaten US interests, they would suspect that France can host the next team for a suicide bombing against US interests. That’s why they would want to spy on French citizens.

The interesting part of it is: did the French government benefit from it? Or any other government. Or companies. For now, there’s nothing in the documents leaked by Snowden that would give us solid proof of that.

They knew it

I really think that the French government knew it and benefited from the NSA mass surveillance program. But, before jumping to this conclusion, we need to elaborate a little bit on how it works.

The presentation in Le Monde highlights a fact a lot of people forget about. When routing on the internet, you’re not going through the physically shortest route, but through the most efficient one.

I’m going for an analogy for those of you who do not know what routing is. If I want to go from Lyon to Bordeaux by car, I can take the shortest path, made of – at best – national roads. You’re going to go across a lot of villages, and smaller roads. Or you can go through the fast highway. It will cost you some kilometers (and money, but that’s not the point) because there’s some kind of mountain in between, but you’ll arrive faster.

That’s the same thing for the internet. The physically shortest path is probably not the one you’re going to use. For instance, for going from Latin America to Africa, the direct route is to jump to Europe (5Gbps) then to Africa (343Gbps), but in fact, you’re probably gonna do one more hop through US & Canada (2.918 Gbps), then Europe (4.972Gbps) and then Africa. Way faster, way more efficient.

If you want more data, have a look at Telegeography, it’s full of maps and data about the internet and telecommunication infrastructures.
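An added sketch of the routing point above (not from the original post): a shortest-path search over a constructed region graph, comparing a fewest-hops metric with one that prefers high-capacity links, and listing the regions the chosen path transits. The link capacities are made up, and real inter-domain routing follows operator policy and cost rather than raw capacity, so the capacity metric is a simplifying assumption.

```python
import heapq

# Constructed inter-region link capacities (arbitrary units, NOT measured data).
LINKS = {
    ("LatinAmerica", "Europe"): 5,
    ("LatinAmerica", "NorthAmerica"): 3000,
    ("NorthAmerica", "Europe"): 5000,
    ("Europe", "Africa"): 300,
}


def build_graph(links):
    """Turn the undirected link table into an adjacency map."""
    graph = {}
    for (a, b), capacity in links.items():
        graph.setdefault(a, {})[b] = capacity
        graph.setdefault(b, {})[a] = capacity
    return graph


def fewest_hops(capacity):
    """Every link costs the same: the 'physically direct' view."""
    return 1.0


def prefer_capacity(capacity):
    """Fat links are cheap, thin links are expensive (simplified model)."""
    return 1.0 / capacity


def best_path(graph, src, dst, cost):
    """Dijkstra's algorithm; returns the list of regions from src to dst."""
    queue = [(0.0, src, [src])]
    settled = set()
    while queue:
        total, node, path = heapq.heappop(queue)
        if node == dst:
            return path
        if node in settled:
            continue
        settled.add(node)
        for neighbour, capacity in graph[node].items():
            if neighbour not in settled:
                heapq.heappush(
                    queue, (total + cost(capacity), neighbour, path + [neighbour])
                )
    return None  # no route between src and dst


def transit_regions(path):
    """Regions the traffic crosses without starting or ending there."""
    return path[1:-1]


if __name__ == "__main__":
    graph = build_graph(LINKS)
    for label, metric in (("fewest hops", fewest_hops),
                          ("prefer capacity", prefer_capacity)):
        path = best_path(graph, "LatinAmerica", "Africa", metric)
        print(f"{label:16s} {' -> '.join(path)}  transit: {transit_regions(path)}")
```

Each region in the transit list is a place where the traffic can be observed, whether or not either endpoint is located there.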

Peer to beer?

Another thing is peering agreements. Peering agreements are what makes the internet. It’s an agreement between two exchange nodes run by companies or other organisations – let’s call them A and B. This agreement determines how the traffic coming from network A to network B and vice-versa will be managed and paid for. In most cases, it’s fair peering (which is: since traffic coming from A to B or from B to A is more or less equal, or because both networks will benefit from it, let’s peer for free). More info about peering can be found on the Internet, but globally it’s an economic interest.

And it’s been, in France at least, a long-raging battle between all of the operators. For instance, France Telecom vs Cogent: back in 2005 FT cut their peering with Cogent; in 2003 it was a battle between France Telecom and Free; SFR and OVH battled around 2011; and a battle between Free and Google is still raging as of today (and it’s been going on for a long time).

Also, and a funnier part when you look at it from this NSA angle, is that we have here the ARCEP – an equivalent of the US FCC – which is in charge of regulating and documenting the telecommunication infrastructure. In 2012, they tried to force each party involved with peering in France to document their formal peering agreements – Owni did a great piece about it – and what’s fun was that, in fine, Verizon refused to collaborate with the state because it was too much work. The very same Verizon who gave full access to its infrastructure to the NSA.

So, peering was done, back in the day, by private companies and by a public one: France Telecom (which then became Itineris, Wanadoo and Orange for its ISP part). They were building physical infrastructure with public money and were interconnecting it with US and UK infrastructure. I won’t believe that no one there suspected or saw anything like some weird and unauthorized traffic coming through their equipment, especially since the French intelligence services must have put some things in place to protect themselves and to spy on the people and other states.

Especially since most of the interconnection toward Africa has been done by French industrial companies (such as Alcatel Lucent, a US-French consortium, but more on them later). There’s also a big road to the Middle East going through Europe and Germany in particular (that’s why routing to and from Syria often transits through German exchange nodes – info from 2007).

However, the French net-isolationism (especially the will of the local companies to push for their products and to refuse to peer with their US counterparts) has favored the emergence of the UK, DE and NL exchanges. Have a look at this map and you’ll note that France is quite low on the exchange node values, and data found on Wikipedia doesn’t show France as a big peering country.

Complacency

But who’s building those systems? It appears that the previously mentioned Alcatel Lucent company is a good one. Have a look at the BlueCabinet wiki to understand why. They’re providing submarine cables and infrastructure to 130 countries – including Burma and China – they’re a mix between French and US interests and they’re involved in a lot of French and European infrastructure.

So, if the NSA is collecting data going through France, and given that a big part of the interconnection infrastructure in France uses at least a part of Alcatel-Lucent technology and that trans-Atlantic cables are at least partially deployed by the US-French consortium, do you really think the French secret services would have ignored that the NSA would use and deploy tools to spy on us? Especially when the states had shares in this company? It’s exactly the same issue as when the French government claims they didn’t know about Amesys selling arms of mass surveillance to Libya. They’re lying.

You would argue that those tools don’t need to be deployed on French soil, they need to be deployed in main exchange nodes like in UK, NL or DE. And US also. But it does not cover the landline wiretapping exposed by Le Monde today. So, they have a tap inside the network on French soil – because the cheapest route on the phone network between France and France is to route through France. And since most of it has been deployed by public companies, or subsidiaries of French public companies, or subsidiaries of governmental and military contractors, they know about it.

Because if they do not, it is extremely worrying. It means that any foreign power can come in, wiretap our whole infrastructure and use it against us without our knowledge. And that’s something I can’t rationalize enough to admit it as true. It can be done – and it has probably been done – for some specific wiretaps and people, but not on a scale of 7.4M phone calls a month. At least the traffic generated by the leak of data must have been noticed.

Now, let’s admit that the French secret services knew about it. Why keep it secret then? An international scandal could profit the state and could have led to a stronger foreign policy and a bit more defiance toward the US. It would have helped defeat things like ACTA or the incoming TTIP, just because EU governments would have been suspicious enough, and it would have increased the power of France and developed a better diplomatic situation regarding the rest of the world.

They knew it, and they didn’t use that knowledge to gain power over the US and to empower themselves? For people whose job is to use information to take over other interests, they would have done a poor job.

So, they might have something to gain by keeping it silent. I would go for access to the data. Our national intelligence backbone is not as good as the UK or the US ones (see the reports about Thalès interception platform) and is essentially directed toward phone calls – we have a long history of illegal wiretapping used as political scandal and it didn’t lead to any change in the way wiretapping has been done since then.

I really think there is both cooperation and defiance in this spying affair between the NSA and French intelligence services. I also suspect that most of the intelligence services work in defiance of their own governments and in cooperation with both foreign intelligence services and companies.

And now what?

Nothing. Since everyone except citizens is winning from this informal deal of mutual sharing of mass surveillance systems, I do not expect things to change in the short term.

However, there is some good news. First, peering deals, and a lot of the systems necessary to maintain the internet, are out of reach of the different governments. The informal way that governs them doesn’t help regulation and control by governments (that’s why they seek it). You still have to keep your data out of big datacenters, but that’s not that hard (have a look at yunohost for hosting most of your data). The social networking part is the biggest and hardest one I think – alongside search engines, but at least you have duckduckgo.

Second, a lot of governments, starting with the South American ones, are really upset and are starting to act. The Internet Governance summit held recently in Brazil also gave some hope about the Internet still staying out of control. I’m not sure it will be followed by impact, because the NSA spying is possible due to some key infrastructure issues, but it’s a start.

I’m quite disappointed that the EU didn’t follow Brazil on this, since we have some good infrastructure and technologies to help. But then again, I do not think those US/EU commercial agreements will cease for the benefit of citizens or sovereignty; they have too much industrial and bank pressure on them.

But as always, nothing will come from the politicians. They must have known about the NSA spying in France, and they even collaborate, or they’re dangerously incompetent. They benefit from it because it’s a coercion measure (the same way CCTV cams are) and industrial groups earn money doing it. Even if they do have gag orders. Had they been motivated by your privacy, they would have fought those gag orders.

And that’s why nothing new will emerge from this meeting between the French foreign ministry and the – currently in shutdown – US embassy.

Bring Moar Fire!!!!

TL;DR Oh,well. Fuck you, you should read and stop being a lazy asshole.

Acknowledgement

I am privileged. Whatever I can say about the state of the world, I was born on the best side of it. I can express myself without risking getting beaten up and tortured. I can go in the street to buy my food without risking being shot by a sniper. I know that I’ll sleep in a safe place every night. I can have three (or more) meals a day (as long as I do not forget to eat).

And I won’t be insulted, assaulted, raped, considered as a minority, or feel in danger simply by walking in a street.

All of that because I’m a white male. I was granted some privileges (and I did not ask for them) the day I was born around here at this period of time. And that sucks. I mean, the fact that I have privileges means that I have power over someone. And that sucks because it means some people (the ones I have power over) are not free, and then it hinders my freedom (if people around me can’t be free, then I can’t benefit from my freedom).

So yeah, being privileged makes your life easier, but it sucks. I do not want it. And to get rid of it will take some time because the society I live in needs to change on a more global scale. And it starts by raising awareness of the situation (and then to change it and to abandon this power).

Facts & Statistics

If there’s no discrimination in education, then the skills are equally split across the whole population, so you should find educated and skilled people everywhere. I mean, if 20% of people are blue-skinned, then 20% of the people good at cooking should have blue skin. Sounds OK to you?

So, if our educational system works fine and tends to develop interest and curiosity equally across the population, then the simple fact that I’ve met 5 women since I started my studies in a technological background (one in a company, the four others were classmates) is either a statistical error, or proof that the system is borked. I’ve met other women in tech departments I’ve worked in, but they were mostly in the "creative" ones (design, integration, etc).

Hence, there’s something broken. I have quite an issue with spending a lot of time in one company. In the 13 years I’ve been working (yeah, started early), except for the company where I did my apprenticeship, I didn’t spend more than a year in a company. So it’s almost 8 of them. Of different sizes and of different backgrounds.

Never met a woman in the IT department. Sometimes I was the IT department, but even then, in the development teams I haven’t met a woman. The only women in tech I’ve met are from the hacker scene (and yeah, most of the time I didn’t know before meeting in the meat, but that’s another topic).

So, when someone tells me about sexism that "if it’s not broken, don’t try to fix it", as an argument to not think about an anti-harassment policy, I think they’re wrong. There is a problem.

And a wild politician appears

The other day (two or three days ago at time of writing), @_LaMarquise was assaulted in the street by some guy jerking off in public, and she tweeted about it. Some clever guy, @romain_pp, thought it would be funny to joke about it. The thing is that this person happens to be a member of the French and Swiss Pirate Party, and, if I get those parties right, anyone can speak in the name of the party. It’s even written in the name of the twitter account, and in the twitter background. So yeah, it was the speech of the Pirate Party.

Things went a bit wild on twitter; most of the argumentation against @_LaMarquise was that she wasn’t rational. I’ll develop that a bit later, but basically I tend to think that you can’t expect someone in shock to be rational.

She was also told that she is aggressive, that she should not go public about private matters like aggression (well, then why do people tweet about their personal life?), that she was disturbing their life.

The Pirate Party did write a letter to @_LaMarquise. They did it in private (since I’m not able to find it online). Which I find weird for a Party who claims transparency at all levels of society. However, computer systems are nice, because it does not cost much to copy things and here is a copy of it (provided by the offended, I have no reason to doubt her). In essence they say they regret what their member said, and they also regret the "buzz" around it. They do not take the opportunity to engage in a more active position, nor have they blamed their member.

Basically this letter is an attempt to shut things down without taking a stance for or against sexism. If they’re against sexism, they should, at least, get rid of Romain; if not, they did not need to write it. This letter proves that what’s important for them is to avoid being dragged into the mud, not to defend some position.

What’s a shame is also that they tend to be the first to condemn such comportment in other parties. There’s also an issue about freedom of speech, but I’ll get to that later.

About the violence

To live in fear of being assaulted or raped does not help to keep your head cold. As I said (and others said), keeping your head cold is a privilege of people in power, don’t forget that. Insurrection, and a need for a change, will lead to violence. That’s inevitable. This piece summarises it quite well, and the foreword is interesting:

Submission of the oppressed relates to the established order. May he disturb this order by breaking its chains and by hitting the master, that is the scandal. In the master’s language, which became the common language, the violent is not the one who does violence, but the villain who dares to rebel. – Igor Reitzman

When someone yells at you about something, you should listen to them, because this something is important for them (if not for you). You don’t imagine the French Revolutionaries asking Louis XVI kindly if he would surrender power. A lot of people don’t want to abandon power and you’ll have to force them to do so.

It took me some time to understand that, because it’s not pleasant to have people yelling at you. It’s irritating and you tend to answer aggression with aggression. I’m not sure I’m fully ok with that, but I try to understand why people are yelling now (also, I try to not answer quickly, for it generally doesn’t help the situation, whatever the situation is).

So, yeah, some feminists will use violence, either physical or verbal. And if it disturbs you it means that it’s working. You should ask and try to understand why they’re upset, not tell them to calm down.

About freedom of speech

However, I’m against censorship. It means that I condemn the act of suppressing speech. I want nazis to speak their mind, because that’s how you’ll find their ideas can be dangerous. And I want misogynists to speak their mind, because that’s how you’ll know them. And it’s also the only way to discuss those issues with them.

But freedom of speech goes both ways. It’s not because someone is allowed to say something that they should not be contradicted, shamed, punished or whatever. You have the right to make a sexist joke. And I have the right to say it’s not funny. Heck, I even have the right to tell the world about it. If you don’t want that and if you want to be able to say whatever you want without consequences, then you’re defending censorship.

So yes, what happened at BSides makes me uncomfortable (here’s the Violet Blue point of view and here’s the adainitiative one). Basically a prevention talk about sex and drugs, which had been announced late, was removed from the schedule due to some fear of a witch hunt by the BSides staff (whether or not the adainitiative initiated this is not clear to me), under the pretext that there could have been rape survivors who could be put in a state of stress (it seems that’s how PTSD works) if they attended the talk, and that speaking about how drugs work, and especially GHB, in a talk labelled “sex +/- drugs: known vulns and exploits” is an incentive to rape.

The argument is that, in hacking conferences, people giving talks named known vulns and exploits do that to encourage the exploitation of those vulnerabilities. Well, there’s a misconception here. Most of the talks about known vulns are more about how to protect yourself against them than about exploiting them.

In general, the vulns are being patched at the time of the speech, or at least the people running the software or system are working on it (if they take their jobs seriously, I mean). Of course some people will use them for their own profit, but that’s not a majority.

And, in fact, people using vulns for their own profit don’t want the vulns to be known. Going public about them is prevention and education; it’s not for arming people. This is how prevention works.

Now, should we do prevention in the tech community? Of course we should. There’s a history of sexual aggression and rape in tech conferences. If you don’t speak about it, you can’t educate people and you won’t change them. The adainitiative says that they organise their own camp to discuss it. But it’s like doing a drug prevention talk in a straight edge camp: you won’t help drug addicts to manage their addiction.

So yes, we must educate our fellow hackers, especially on occasions where there’s a lot of drugs, alcohol and sleep deprivation, because it changes your perception of things. So talking about it is a necessity. And, if the talk happens to be offensive, then people should say it and condemn it, but you can’t know that until the talk happens.

There’s still the problem with rape survivors and PTSD. I can understand why people who survived an aggression and/or a rape don’t want to be exposed to some talking about it (hey, one should manage their pain as they see fit). And it seems there’s a custom about trigger warnings, which I do not fully understand yet (seems to work a bit like the PEGI labels for video games).

End

Mmm, I might have missed some points somewhere. Or I can be wrong about some stuff.

Hackers and Politics

Context

It’s always important to have context. And the why I wrote things is probably more important than what I wrote. So, here is the context. Frédéric Bardeau, founder of an ethic communication agency directed to NGO (Agence Limite) is gravitating around the problematics of collaboration between Hackers and NGO and he gave an interview to Reflets.info: Hacktivists must change their stance [FR] which started a sort of flame war inside the so-called hacker scene.

Basically, he’s stating that the hackers are wrapped around their ego, claiming that they don’t care about people’s issues. He also claims that hackers must go further along the political process and grow a political consciousness.

I won’t answer his interview point by point. You should read it (and go beyond the sometimes aggressive tone he uses), and the comments, and form your own idea. I will try to put down what Politics and Hacking mean to me and, frankly, at this time, I do not know where I’ll land.

Politics and motivations

You do politics when you’re working on things that will impact the life of others. So you’re doing politics when people are saying it. So, when the media ask hackers if hacking is a political act, the answer is necessarily yes. Even if you’re not conscious of this fact and especially if you’re not doing it for a political motivation. And yes, hacking is politics (since you subvert things to do other things with them than their initial purpose).

The question is not, in fact, whether hacking is a political act. The question is the motivation of this act. And this is, I think, where hackers differ from activists. Activists act for a cause, hackers hack for their personal interest.

Yeah, it hurts. But this is the truth. The only reason I’m hacking things is because I want to understand how they work, or because I need to achieve something and I have nothing ready at hand and I will twist something to achieve my goal, or because it’s fun. I’m not hacking things for the sole purpose of helping people and helping them to change their life.

Frack, who the hell am I for that? It would be insanely pretentious to tell you how you must change your life.

Activists, on the other hand, act following a political agenda on purpose. If an activist is doing something it is because they think it will help them to achieve their political motivations. NGOs are, by essence, groups of activists. They have a political agenda and all the things they’re doing are related to this agenda.

And for this reason, NGOs are quite effective in their field of specialisation. But you cannot ask Greenpeace to send medical supplies to Syrians. This is the main problem with entities and people who have an agenda. They can’t spend a lot of resources on non-related things.

While hackers, and the doocratic system, can. It is the cathedral versus the bazaar. One reason I do like working in clusters of hackers is that I can do just that: What I want, what interests me.

Politics unconsciousness

People, and Frédéric Bardeau among them, say that hackers lack political consciousness. I second that. But I do not think it’s important. Most of the people who say that you do not have political consciousness generally mean that they do not share your ethics.

Political consciousness means that you are aware (or you try to be) of the impact of your actions on other people. Not that you have a politically minded message nor that you fully understand two hundred years of political history. It means that you’ve thought about the impact of your actions on society.

Hackers, as weird social animals, tend to dodge discussions they think are unnecessary. Mainly because you can talk or do, but not both at the same time. And if you want to hack, you can’t talk about it while you’re hacking, mainly because it is like trying to solve a puzzle in the dark. You know what you want to achieve (more or less), but you do not know how you’ll get there and you have to think about it, not to speak about it.

So yeah, sometimes (who said most of the time?) hackers look like freaky monsters that will eat your soul because they haven’t slept for two days and are dosed with caffeine (may the Spaghetti Monster be blessed for the caffeine) because they are doing things that matter to them.

They do not care if it’s a democratic or republican issue, or if it’s a left or right one. What hackers tend to care about is how. You can blame us for being politically unconscious. But you know what? Maybe it’s the basic principle of political consciousness which needs to be changed. I mean, politics should be done by people. Not by a political caste or system that places itself above the others.

Political consciousness hasn’t changed things much these thirty years. At least in France. Not in the same order of magnitude that the internet and counter-culture have changed them. And I’m not sure the beatniks had a political agenda when they built the internet. They needed it, so they built it; it’s quite simple.

Thinking about how your actions will change the world instead of doing them will result in a lot of text, but not that much done. I do not care hackers should act without thinking, but that’s what ethics is for.

I claim the freedom of acting without being questioned on my political agenda, for I have none. You can question my ethics (after all ethics exist to be discussed and confronted) or the way I’m doing things; in fact, you must question the ethics and the actions of people.

Hackers are closed on themselves

People blame hackers for not helping them on various topics. Let’s get some things sorted first. Imagine you’re a mechanic. You like fixing and improving engines of famous cars and you do that in your spare time. And people come to you asking you to change their tires, check their oil level, or change a light bulb. All of them being trivial operations that can be achieved by simply reading the manual and actually trying to understand how things work.

Imagine that those annoying people come to see you several times a day. Asking for your time for no compensation while this engine is just waiting for you to take care of it. And those non-skilled operations, operations you’re already doing for a living, take your time.

You can be the good guy. And lose your time hour after hour. Or you can, after having patiently helped three people who do not understand anything about mechanics, send the others to hell.

And yeah, the guy will look like a bastard who does not want to help people. It is the same thing with hackers. Someone telling me they do not know how to use the mail system without a webmail is someone that did not even try. I can do it for my pay-job, but I’m paid for it. I won’t do it on my free time.

If you want help, then you need to invest yourself and you need to understand how things work. The fact that you’re computer illiterate is your fault, not mine. However it’s not a fatality. I mean, I know Syrians that had a computer culture of almost nothing a year ago and who are now able to teach others how GNU/Linux works, how to set up a VPN, to understand some weird network problematics and to work around the censorship issue they have there.

And they do not even speak good English. So if they can, you can understand how it works. You just need to accept that computer tech is not black magic. You must help me to help you. And you must abandon the idea that failing is something bad. Fail harder, fail better, as we say.

So, if you come to see us without this in mind, yeah, you will be called a fucktard, a noob, an asshole. It’s not because we are closed on ourselves or imbued by our ego (ok, it might be), it’s because you do not make the necessary effort of trying to understand.

But I’m moving away from my original topic. We are not building a hacker world; if we are building a world at all, we are building a free and open world. Most hackers are adepts of the sharing of knowledge across the world. We need to access the knowledge we’re going to need to do things. People tend to think that the internet is our private playground. It is not. The internet is not a place; it does not belong to anyone.

Cats, tubes, computers

The internet is now a part of society. It’s a fantastic multi-directional read/write medium available to anyone. The internet is used by activists to carry their message, and by governments to spy on their people. The internet is a political act by essence. And a lot of hackers will stand and fight for it, as was the case when Hosni Mubarak shut down the tubes in Egypt.

And the internet is the medium of datalove. It has been built for exchanging data across long distances at a reasonable rate. If you want to restrict the sharing of data, you’re then interfering with the internet. Those who are shocked that their personal data are found online must not blame datalove and the hackers for that, but rather the entities that have built those files, collecting their personal data.

Conclusion

Yeah, I think it’s time. I’m getting lost. Hackers are – mainly – humans. They are far from perfect and some of them do not care about politics. But I think that most of the things people blame hackers for are the same ones you can blame most people for.

Do not forget we have the doocracy. We have caffeine. But most important of

The Pirate Party and I

Once upon a time in the web

I was gonna write a disclaimer about me not being objective about the Pirate Party, and them who will probably jump on me because I’m saying shit. But, well, fuck objectivity. I am nothing like objective and you probably know that. And if you take this too seriously, then, it’s not really my problem.

So, why this. Some will say it’s a free shot at the Pirate Party and, well, it is. More or less. But the point of having a blog is to express personal opinions, right? Also, a lot of people ask me on a regular basis what do I think of it and, since I do not want to rant endlessly I just avoid the subject.

And I’ll continue. What will follow are my personal views of what I perceive what is the Pirate Party and why I think they’re wrong and why they’re going in the wrong direction.

Hackers are not, in my mind, people that fix things. Hackers are the ones who divert a system to do something else with it than its intended purpose. So, when people say they’re hacking politics, it is with the intent to divert the political system to do something else than its initial purpose – managing the city. Hacking politics could be, for instance, having the political system serve your own personal agendas, or discussing laws about the lolcats or whatever.

Hacking politics is not trying to have it work for its initial purpose. This is fixing politics. Making it work the way it should work – should being personal, but it could be working along the rules the political system chose to follow.

Also, it is extremely hard to divert the system when you’re only a user of it. This is why hackers seek privileged access when they want to hack their way into a system, and this can be done using software, a soldering iron, a set of tools or whatever. It can be accomplished only from the outside of the system, you need to analyse and measure the output of the system when it receives some input or some constraint. Even better, you need the DNA, the source code, the schematics, all relevant documentation about the system; it will ease your way in.

The Pirate Party

People all around the world thought that the issues around copyright, sharing and mass surveillance deserved to be fought by a dedicated Party. Don’t get me wrong here, I do think they’re critical issues and that the answers provided by the traditional system aren’t good for anything (including business).

However, it is for the citizens to stand up and fight. Not some self-proclaimed representative authority who, by design, must follow an insane number of rules, including the ones which ask for the structure to have a leader.

I believe in doocracy and autonomy. I can accept temporary delegation of my voice to a person I think shares the same views as I do on a specific topic. Even if liquid democracy is a problem (will discuss that later). I do not believe in pyramidal structures whose only goal is to gather more power to have a chance to be heard by the others.

Besides, I think the problematics raised by the Pirate Party – privacy, sharing, mass surveillance – are cross-partisan ones; each political party should defend them because they are linked to basic human rights. A bit like every political party opposes torture, for instance, all of them should oppose mass surveillance.

It is a bit like ecology in fact. It’s a group of public interests and each part of the democratic process should have its opinion on it. I cannot imagine a politician today blatantly saying that ecology sucks, we need moar pollution. They can have different views and solutions to the problematics, but it is now something beyond the classic right/left paradigm.

Civil liberties, the right to intimacy, the accountability of society, the right to copy and share are problematics that are tied to society management – which is, by essence, politics – and every political group has a stance on those issues. It’s not a defining paradigm (like liberalism, socialism, communism, fascism, whateverism) of a political group.

And by being a political party, and so a political group, the Pirate Party claims that they are the only ones to defend those issues, and that all other groups are, de facto, against those issues.

To make things worse, being a political party, besides the amount of paperwork needed and the fact that you need to have a chain of command, if you want to have some weight and to have representatives you must make alliances with other groups. Since you fight for specific issues, they’ll stand for them also. But then, their foes will oppose your ideas (friends of my foes are my foes) instead of fighting for them.

You’ll end up with almost half of the people opposing your ideas because they oppose your allies. And you will be stuck with promises you’ve made and concessions you’ve made to get those allies.

And you’ll end up either disappearing (you made no concessions, so you have no representatives, and you don’t exist) or compromising yourself (defending ideas that aren’t yours).

Just because the representative system is bugged by design and is maintaining itself.

Hacking politics, ORLY?

However, I must admit that being a national or cross-national party can be useful. Political parties usually consider other parties as being like them and it can be a handy way to have them talking about some issue.

But it is the wrong way to do it. First, it reinforces them in the position of an elite of people that can make laws and regulations without having to be accountable for what they’ve done. Some might think that a vote can change that, but, since you can vote only for a person who presents themselves and who – if you really want things to change – must be backed up by an already existing entity, things won’t change much with only a vote. Also, I tend to think that the people in charge want us to just vote and not speak our mind.

Second, citizens must speak out. I do not need a political party to speak for myself. I need my representative to do what he’s supposed to do: represent me, speak for me, and be accountable before me for that. This is what civil liberties groups are. And La Quadrature du Net is one of them, EFF is another. The Pirate Party could be one if they weren’t so eager to have representatives elected among them. Those civil liberties groups are good at deploying memes in the public space. We wouldn’t have heard about ACTA without them leaking it and fighting it (for four years in a row).

The fact that ACTA has been rejected in the EU Parliament is the proof that, when citizens are doing their job – asking their representatives to represent them, not to represent private interests – the representatives have no choice but to do what they should, not what they want (and yes, it’s harsh, but they have a lot of benefits from this job; they should do the part they don’t like or quit it).

And yes, the two representatives (for all of Europe) in the EU Parliament have done some good work raising those issues, but it’s not because they were a party that they were effective, it’s because they were doing their citizen job.

So, what?

In the end, my main problem with the Pirate Party is that, instead of changing the system, they validate it, make it stronger. And they want to have representatives elected, instead of just using the mediaspace to deliver a message and to try to convince everyone that they’re speaking the truth and that some things might end (and others start). It could have been an amazing tool, but it has been shaped by politicians that were already well established.

It is maintaining the illusion that the current implementation of a democratic system we have is valid and can work.

Liquid democracy

To finish that, let’s talk about liquid democracy.

Liquid Democracy is based on the simple fact that every citizen has an equal voice and uses it on each issue that is debated. They can choose to delegate this voice to someone who they think is an expert in a given field. And they can cancel or change this mandate at any moment and for no reason. They can also give their voice for a specific issue to a different expert.

For instance, I can perfectly well choose to give my voice to a person that I (and only I) judge as competent for all the issues relating to urbanism, for I suck at urbanism, while I’ll keep my voice for myself for all the issues about computers and intertubes.

And you can delegate all the voices you received the same way. It means if someone gave me their voice for urbanism problematics, I will delegate it to my urbanism expert.

It sounds like a good idea but there are two problems.

The consensus issue

First it is based on democracy. It means that, to do something, you call for a vote and you’ll wait until you have a consensus about what you’re going to do.

From my perspective, you do not need a consensus to do what you want. You just need to do it. If people dislike it, they will tell you; if they’re outraged by it they’ll try to destroy it; if they want to change it, they’ll change it.

And it will be this way until one party abandons it because they judge it is not worth the effort.

Also, I do think that a majority of people can be wrong (else, Skype or Facebook wouldn’t be used that much). So having a consensus is not a sane objective (and it’s the best way of doing nothing).

The reputation of expert

The other problem is the one about the reputation of the experts. If someone has twenty voices for problems related to intertubes, you’ll think they are competent (or they wouldn’t have twenty voices). And you’ll give them your voice.

And, since you judge them to be competent, they will keep your voice until it is proven to you that they’re not. And they can only be proven incompetent by another expert of the same domain, with a better reputation.

Where it becomes weird is that, if this second expert is better than the previous one, why didn’t you give him your voice from the beginning? The system will end up with one, maybe two, experts competent in a domain, and probably a lot of independent citizens with one or two voices who cannot do anything since the experts have the majority of the voices (else they wouldn’t be experts and people wouldn’t give them their voices). And the experts won’t change.

Also, they can create experts. If I’ve got quite a good reputation in a particular field and I give my voice to someone else in another field, a lot of the people whose voices I already hold for my field of expertise will give their voices to them.

This is how you end with a tyranny of so-called experts.

It’s easy to fix however. You must keep the number of voices you have secret. And I’ll assume there’s a technical way of not juking the system. So, you know nothing about intertubes and you want an expert. And you can’t find one, because no one can. So you’re going to make a choice based on what you can read. It means each expert has to expose their view and explain the issue.

And then, something magic will appear: you’re going to learn some basic skills about the experts’ domain. And you won’t need an expert anymore, for they’re more or less forced to publish everything, so you can learn. And vote for yourself.

If the experts refuse to publish, then they’ll have to convince you differently, and we end up with the current system.

So, liquid democracy can’t work. As a citizen you should never delegate your voice to anyone. And you should slap anyone who asks you that with a large trout.

And this is why I cannot stand that someone describing themselves as a pirate asks me just that.