[Repost] Google, Amesys – same fight

So, I’ve changed things around here and I’m trying to get some writing done soon. In the meantime, I’ll repost here an op-ed I wrote at La Quadrature du Net (from which I’m currently off due to mental health issues, more on that later), so here is the original text, in French, and, of course, there’s more on the LQDN website.

From 21 to 24 November last, in Villepinte (Paris region), the Milipol trade show (for Military/Police) took place, "the worldwide event for the security of States".

In addition to the usual arms traffickers and dealers who are the pride of French industry (let us spare an emotional thought for Michèle Alliot-Marie, who exported our know-how in maintaining order to Tunisia), there have been, for a few years now, sellers of computer equipment and of population-monitoring solutions.

You have surely heard of Amesys, Qosmos, Palantir and the likes of Hacking Team, which have specialised in developing turnkey solutions for spying on and surveilling the population. And, business being business, most of them sell to anyone who wants to buy equipment, whether the Libyan or Syrian dictatorships or the Western social democracies compatible with the market economy (France, Germany, United Kingdom). In these cases we speak of surveillance capitalism, that is, measuring the value of things through the function of surveillance.

Surveillance is based on knowledge. In epidemiology, for example, it means knowing the infectious vector, documenting it, knowing how it spreads and is transmitted, measuring its possible incubation period, and determining its symptoms in order to understand how it works and possibly find a cure.

In the context of surveilling people, this translates into knowing these people, identifying them in time and space, knowing their habits and their ways of reacting, measuring their sensitivity to this or that idea. Surveillance is knowledge. And knowledge is what makes it possible to define things, to identify them. Surveillance capitalism is therefore a capitalism of knowledge, of identity. What Amesys, Palantir or others sell to their clients is the assignment of an identity, defined by them or by their client, to a group of people on the basis of measurements and observations, i.e. data.

In the case of States, this assignment of identity leads to consequences that can be extremely violent for certain populations, leading to harsh repression, the removal of a certain type of people from a certain neighbourhood, and predictive injustice based on statistics skewed by racist biases – structural racism – which can therefore only reinforce those biases. Smart cities, in their most extreme version, are the final stages of this process: the permanent, fixed identification, everywhere, of all individuals, the impossibility of using common and public services without revealing one’s identity, without giving the watchers even more knowledge about our lives and our identities, allowing them to better define our identities, to better sell States the determination, the essentialisation, the reduction of the complexities of our lives to labels: terrorist, migrant, refugee, Muslim, woman, queer, good citizen.

In this analysis, people very quickly and very often talk about algorithms or artificial intelligence. They are accused of every evil: of being racist, of advocating genocide, of being sexist, of censoring sex-education discourse, of making sexual minorities invisible, as if artificial intelligences, algorithms, had a conscience, emerged from nowhere, had decided to be neo-Nazi. Sorry, alt-right. But, in the end, nobody says what algorithms or artificial intelligences are. Let’s start with the latter. Artificial intelligence is an algorithm of great complexity that uses large quantities of data to give the illusion of intelligence, but an intelligence that does not understand what a context is and has no conscience. That leaves defining what an algorithm is.

Let’s call Wiktionary to the rescue. An algorithm is a "general method for solving a set of problems, which, applied systematically and in an automated way to a datum or a set of data, and repeating an elementary procedure a certain number of times, ends up providing a solution, a ranking, the highlighting of a phenomenon or a profile, or detecting a fraud". It is therefore a mathematical formula, which does not take special cases into account, and whose purpose is to analyse data to find a solution to a problem.

These algorithms are not in charge of collecting the data, defining the problem or making decisions. They analyse data passed to them and provide a classification of that data according to criteria decided by the people who write them, configure them and use them. All the facial recognition problems that most Silicon Valley companies have run into stem from the data set used to identify and recognise a person, because it contained only images of white people. Microsoft’s chat bot – Tay – turned out to make Holocaust-denying statements or call for murder and extermination. Not because Tay has a political conscience that lets her understand what she is saying, but because people flooded her with racist or Holocaust-denying statements, providing a corpus of data that served as the basis for the chat bot’s interactions, and thus leading it to write racist and Holocaust-denying statements. Microsoft quickly withdrew this chat bot from circulation and the company has since promised to be more "attentive".

At the same time, we also hear, more and more, about the attention economy. About attention capitalism. What would have value is what we pay attention to, what we look at. The implication being that we, the users of this system, are able to choose what we want to watch and read, to choose the knowledge we have access to. The Internet allows, in theory, non-discriminatory access to all information and data, and therefore to knowledge. After all, knowledge is information that I access for the first time. And this acquisition of knowledge allows me to understand the world, to position myself in relation to it, and therefore to define myself and to understand it, which is exactly what the mass surveillance systems used by States do.

Regulating access to information and choosing which content to show to which person therefore also makes it possible to control how people will define themselves, how they will understand the world. The attention economy is based on this principle. To guarantee that you interact with the knowledge offered to you, which is how these new capitalists measure value, it is important to surveil you, to measure you, to analyse you, to assign identities to you. And therefore to control the knowledge you have access to and the knowledge you produce.

The gigantic platforms financed by the GAFAM serve exactly that purpose. Facebook actively prevents you from accessing all of the information present on its network, asking you to log in to access platforms other than its own, or tracking you everywhere once you are logged in, thus allowing it to gather even more knowledge about you, to increase its capacity for surveillance and therefore for identification and control. In this case fulfilling exactly the same function as the repressive systems of state regimes.

Notably because Facebook, Apple, Google, Amazon and Microsoft decide what it is moral to do, which identities should be reinforced or, on the contrary, devalued. For example, YouTube, by removing the possibility for content about sexualities to earn money for its creators, sends a fairly clear message to people doing sex education or talking about issues affecting queer people: your production of knowledge is not welcome here, we do not want people to be able to identify with you. The same goes for Facebook and its relationship to nudity, or Apple, which also filters anything that might talk about sex, even if it means censoring the content of museums. By devaluing certain knowledge, by removing it from certain platforms, the people at the head of these companies make it possible to completely erase entire sections of society from the public space, to suppress the voices of minorities, to prevent their values from being contradicted, and thus make it possible to reinforce the biases of the people consuming the available knowledge, leading to a polarisation, a simplification and an antagonisation of the world.

So indeed, Facebook in itself will not put anyone in Bashar al-Assad’s jails, at least not through active complicity, but the company is part of a system with two faces. A violent, repressive face, feeding the paranoid delusions of States on the one hand, and a "soft" and insidious face, using advertisers and the restriction of access to knowledge to allow conservative companies to impose their bipolar vision of the world on us, reinforcing feelings of belonging to an identity group, with the violent consequences we know.

And to be convinced of this, one only has to look at the links between these two faces. Peter Thiel, founder, with Elon Musk, of PayPal and who now holds 7% of Facebook, is also the founder of Palantir Technologies, a company which, notably, won the public contract for the black boxes in France, while also being the official tool of the NSA. Thiel also took part in the numerous lawsuits that put Gawker out of business following Gawker’s revelation of P. Thiel’s homosexuality. Thiel, finally, is one of the influential backers of the North American Republicans; he notably took part in Ted Cruz’s campaign before joining Trump’s team and taking part in the White House transition. He has therefore necessarily discussed, exchanged and spoken with Robert Mercer, one of the directors of Cambridge Analytica, a company whose aim is to target voters through numerous data collection points, mainly retrieved by Facebook, in order to be able to target them directly and influence their votes.

So yes, when the question of dismantling Google is raised, the question of dismantling Palantir also arises, as does that of wanting to prioritise the latter because they represent a greater danger to everyone’s safety. But without the omnipresence of identification systems, without the exabytes of data collected without our consent in order to individualise the content we have access to – according to criteria over which we have no control – setting up surveillance and identity becomes complex, costly and impossible.

The identity-based capitalist systems must be dismantled if we want to destroy the systems of oppression based on identity or on biased access to knowledge. We must free ourselves from the engines of this system: advertising, tracking and permanent identification. We must question and dismantle the racism, the neo-colonialism and the sexism of Silicon Valley companies instead of being surprised that their algorithms are racist. Because they have become omnipresent and prevent us from defining ourselves, living and existing as we see fit, with our complex cultures and our changing identities.

Redefining privacy

Let’s redefine Privacy, shall we?

There are a lot of issues with Privacy. I already wrote about it some time ago, but I think that in fact the current definition of Privacy is an issue. For starters, no one is able to provide me with a definition of privacy.

Is Privacy a secret?

The definition I encounter the most can be summed up a bit like this: it’s everything that is "none of your concern". It’s the version of Privacy I used in my previous post and, I think, it’s probably the one that’s defended mostly by people who basically are not discriminated against by systems of oppression (states, but not only).

There are two main issues with that. First, there are things that you cannot "hide", such as your apparent gender, or the color of your skin, and those will subject you to systems of oppression – I won’t spend time exposing them, but please feel free to read some useful documentation. Second, there’s the fact that secrecy is used to hide things – that’s the purpose of secrecy. You want to keep others in the dark about what’s happening. David Cameron just said that his personal investments in Panama are private matters. Conjugal rape and other in-family sexual assaults are always hidden under the veil of the "private matters" that should be treated only inside the family.

I mean, clearly, secrecy is a bad thing. Not only for governments, but for people in positions of power and control over others. I’m not advocating for full publicity of everything, but for questioning whether privacy is a synonym for secrecy.

Do we really want to hide all of our lives from our society? If we want to redistribute wealth, we need to know about the income of each person. If we want to act upon the discrimination women face, we need to know about that discrimination, we need to know about who’s identified as a woman and to act upon the people who discriminate against them.

If we want a world with a bit more fairness inside, we might need to be able to be a little bit more public about our lives. Society is built on the intersections and interactions we have with each other. The positive ones, and the negative ones. The society, the cultures we live in, are not – I think – powered by the things we have in common, but by the differences we have and the different experiences we’ve been through.

So, privacy as the thing you keep in the closet is bad – go talk to queers about living in the closet to see why this kind of privacy sucks.

Also, I do not think that the right to privacy – as described by Article 12 of the UDHR – is defined by what we keep secret. This right is defined as protection against arbitrary interference. It doesn’t state that it has to be secret. It protects against interference, meaning influence, actions, perturbations. It’s not about knowing about it.

The issue with mass surveillance – and why it’s so bad – is not that it allows a passive global observer to exist, it is that it creates an active global discriminator that will sort people between good citizens and terrorists, based on what data we create. Mass surveillance described as a passive global observer is an issue. The mass surveillance complex is used by power structures to maintain their power over people, by creating and enforcing discrimination. This is clearly a violation of Privacy because it is arbitrarily interfering in the lives of people. But it’s not because they collect the data.

This is one of the things about mass surveillance: it does not exist in a void, it exists as a political tool of social coercion. It’s not the data collection and gathering that’s the real issue. With the amount of data collected, we could have a real source of interesting data for sociologists to help them describe our society, and give us clues to change and improve it.

So, no. The fact that a passive global observer exists is not the issue. The issue is that it is in fact an acting and active global discriminatory system. And secrecy is only a way to protect against the passive global observer. It does not enforce privacy. It does not define privacy. It does not help you to protect yourself against discrimination.

Is Privacy your identity?

I’m not sure. Identity is a social concept (and a psychological one, it sucks when you use one word for two different things). It’s how you define yourself at some point in time, and how you are recognised and defined by others, based on their cultures and social cues and norms they have.

You decide how you want to define yourself, with regard to the current social cultures you bathe in. You adopt, reject, create or appropriate parts of this culture to form your identity and to express to society who you are, and how you’d like society to consider you.

Your identity is – at least partly – publicly displayed and used by society to interact with you. This is where discrimination will take place. If you’re identified as a woman – whether or not you define yourself as one – and the society we live in discriminates against women – and we live in such a society – then you’ll be discriminated against.

Which basically seems to be a good match for the arbitrary interference specified earlier. It seems that the elements you use to define yourself, and the elements used by others to identify you and to relate to you, are better candidates for me than the ones you keep secret.

What it means is that our privacy, what’s private, is the core of how we see ourselves. It’s not what we want to subtract from public scrutiny. It’s how we want to be identified. And our right to have privacy is basically our right to define ourselves however we want – in a social context – without being discriminated against for it.

It does not mean that if you want to define yourself as a patriarchal asshole you’ll be able to act upon people as you want. It just means that defining yourself as a patriarchal asshole shouldn’t mean that you’ll be treated in a specific way. The things you’ll say, the things you’ll do are what will bring you trouble, but not your identity.

Basically, enforcing privacy is trying to find a way to end discrimination of any kind. It’s not providing tools – secrecy – to create more discrimination. Fighting for privacy is understanding that the world is non-binary, that no identity should be enfeoffed to another; it’s fighting for sanctioning people for what they do and not what they are.

Yeah, OK, but where does cryptography come into play?

Cryptography is needed because – in a world of oppression – you need to organize yourself to change those. And to organize you need secrecy, at least temporarily – until you act. It is not a right as protected by any of the articles of the UDHR, but it is mentioned in the preamble:

Whereas it is essential, if man is not to be compelled to have recourse, as a last resort, to rebellion against tyranny and oppression, that human rights should be protected by the rule of law,

Meaning that, if your right to Privacy is not respected, then you need to react and fight for it. And for that you need secrecy, you need to hide from the spies and the forces that try to remove your rights.

Because, in the end, the only rights you have are the ones you fight for. And this is where cryptography will help you. Cryptography will allow you to disobey, to organise dissent, to rebel, to have some time to breathe. But it will not help you to enforce Privacy and the right to self-determination.

And I think we all need to rethink that privacy is not what is secret, but it’s what makes us individuals. It’s what gives us the right to coexist in the same society. And this is why we all need to fight for it. Without privacy, there are only bland humans without identity. Without privacy there’s no place for non-mainstream people. Without privacy there’s no way to evolve and progress. Without privacy, there’s no I or You. There’s only us. Forced into an identity we didn’t choose, think, define, accept, create.

Those identities are the ones created by the global active discriminator to divide us. They are the nationalist ones, they are the Charlie ones. They’re the ones of the dominant classes and we’re stuck with them, without a possibility to exist outside of those schemes without being violently confronted.

We should fight for this privacy. For the possibility for anyone to self-determine themselves. And stop believing that we currently have access to it, or that cryptography will suffice.

GMail … seriously?

GMail: why it’s not a good thing

This post is an answer to jbfavre’s post [FR], in which he states that – from a metadata point of view – you’re safer in the mass, and so in gmail for instance, than if you self-host.

In the conclusion he goes on to say that the best choice would be to hand over your mails to associations or small businesses – with which I might agree (under specific concerns).

But he’s not the only one stating that you’re better off with a gmail account than with one on your own domain name. manhack and others are also arguing that GMail is best to evade mass surveillance.

Those people suggest that using GMail is simple and that Google has a lot of cash to invest in security. They’re also trying hard to hinder the NSA’s mass data collection effort, but I think saying that using a Google service is a good way to enforce your privacy is an intellectual bias.

I think this idea comes from a misconception of what mass surveillance is. Mass surveillance is the intricate surveillance of an entire or substantial part of a population (WP).

On the internet, mass surveillance is done by a systematic collection of all data and metadata, their archiving and indexing, and the fact that actions and decisions are made on the results those data will show.

In France, there’s a specific concern because it’s now legal for our government to intercept all communications and analyze metadata. Then there’s a fallacy stating that if we all use the same host and the same encryption, then it’s impossible for the state to know who’s talking to whom and when; as opposed to the case where everyone has their own host and it’s "relatively" easy to know who’s speaking to whom and when.

It comes from the fact that, if I’m the only one receiving and sending mail from this computer, then you just need to get the TCP handshake to be sure that someone is talking with me. So it would be safer to have some kind of proxy somewhere, to mutualise those connections and to raise the cost of surveillance, wouldn’t it?

Except that this answer is valid if and only if you have some conditions:

  • The proxy is not itself part of a mass surveillance system
  • The mass surveillance you’re trying to hide from does not go further than just getting the TCP protocol of your connection
  • Your correspondent also uses this sort of mass proxy, or it would be easy to know when they’re talking

So, let’s see what’s the case with gmail.

Is Gmail involved in a mass surveillance system?

The obvious reason would be yes. At least because they can be coerced by the NSA to provide data to the NSA. Even if there were actually few uses of PRISM, the fact that they’re forced by law to collaborate is not a good thing.

You would argue that it’s just the NSA spying on us, and that they cannot actually do things to you if you’re not a US citizen, which is false. Because there’s at least the Five Eyes coalition, meaning that data gathered on you by the NSA will be shared with other agencies from other governments.

Also, I think that saying that NSA mass surveillance has no effect on you is a lack of understanding of what the impacts of mass surveillance are. I will not elaborate on that, others are doing that better than me.

But there’s also something else that I want to elaborate on, and that we miss in the "governments are evil" stance. It’s the fact that Google is collecting and analysing a lot of data. From your GMail data (and metadata) to your search and video history, or even the blogs you read. They analyse those data and take actions – to present you with more accurately targeted advertisements and search recommendations. Basically, they’re doing mass surveillance on their own.

Google is part of the problem. They cannot be a part of the solution to get out of mass surveillance. Sure, they won’t kill someone simply based on metadata, you’ll say. But they’re doing something worse: they won’t expose you to information that they deem unrelated to your interests, and you won’t even notice it.

So yes, Google – and Gmail – is part of a mass surveillance system. They might not collaborate willingly with governments, but they do it at least for their own profit.

Are the mass surveillance systems only targeting IP traffic?

We know – since the exposure of a lot of the NSA’s nasty stuff – that a lot of governments have the capacity to intercept traffic on a global scale. The fact that your traffic goes to a data silo such as Google’s, or goes to your own server at home, makes no difference: they’re intercepted the same way. What would change is that they would need to get the email metadata from the email you send from gmail, while they do not need to decode them if everyone is on their own box.

But.

They’re already doing that. Equipment set up to break TLS, intercept email communication and compromise your endpoint is already used. So they do not get any benefit from going for something lighter. If you send an email from gmail to another gmail account, those natsec agencies can already read it and extract the metadata they need.

And stuff like Palantir, Hacking Team or Gamma International are all known companies who are selling solutions to our governments. Those solutions are based on the infection of your endpoint (your smartphone, tablet or computer) so as not to bother with breaking the cryptography of your communications.

After all, if they can read what is displayed on your screen, why should they bother intercepting your TLS connection to a hidden service in Tor?

So, thinking that being alone on your node is a compromise of your anonymity is apparently wrong. You do not add metadata to the collection they already have (they already get the headers of your emails, no matter what).

Also, there’s a last one that nobody thinks about. If everyone is on GMail, then you just need to compromise GMail to get all the data you need. Just one company. Yes, hacking into Google is something out of my personal scope, but if you’re willing to, you can do it. It has been done by China before, and I see no reason for things like that not happening again.

Hacking into GMail is just an enormous prize: if you get it, you can really improve your intelligence. Especially if you stay undetected. Putting all one’s eggs in one basket generally ends with an omelette. Even if it’s a titanium basket.

Applying this principle, I then need to have my correspondent apply it

Because communication is – at least – two-way, if you want to protect and hide a communication, you need to protect both ends of the communication. So, applying this means that everyone should get a gmail account, because it’s safer for everyone.

I mean, you use GMail and I don’t. I’m running my own mail server. So, you hiding in the crowd does not work, because if I’m getting compromised – and since I do not have Google-grade security – you’re being compromised too (after all, they’ll be able to get the metadata of the mail you sent me).

So, for this fallacy to be true, you need everyone to have a GMail account. Which will make things worse because, hey, they’re part of the problem – as stated above.

Doing that is exactly like not encrypting data or not using Tor because "it would look suspicious". It does not. Protecting your privacy should not look suspicious. If you think it does, then it’s kind of too late, you’ve already eaten the state’s toxic memes of security. But let the ones who want to fight them do it.

No, Gmail, Yahoo, Facebook, Twitter, Microsoft or Amazon will not ever be a solution for privacy. They’re part of the problem.

However, there is one specific case where GMail might be a not so bad alternative: throwaway mails (as suggested by OaklandElle). Besides that? No. It will not improve your privacy, quite the other way around.

Solutions? Stop the dragnet and mass surveillance. Which you can do only at the societal and political level. And give internetcu.be a try if you’re looking for self-hosting, it works. Mostly. It won’t give you better security, but you’ll definitely have better control. And even if you’re still monitored by the state, at least you won’t be monitored by an advertisement-selling company.

[UPDATE] After talking with jbfavre on twitter, it seems that I didn’t understand his point. He did not want to advocate for a massive use of GMail as a way of protecting yourself, but rather for small associative clusters.

I think that it’s a good option. Simpler for most people than going full self-hosting, and sufficiently decentralised to hinder the mass collection of data. It’s not the ideal choice – but then we cannot ask high-risk people to have their data in their home where it will be seized by cops – but it’s, I think, a good trade-off between privacy, ease of use and safety.

Fuck Privacy

Privacy … Really?

What’s privacy? It’s quite easy, it’s everything that’s not in the public space. But public space is the reflection of our society. What you see in the public space is the reflection of the society.

That’s exactly why cities try to hide homeless people, or – at least – send them in places where people won’t see them. To display something that is better than the reality. To hide things that would be shameful. To hide their failure or what they think is not proper.

And this is the main issue regarding privacy. What people are expected to keep for themselves is what is judged by others as "non proper" or "inconvenient" or "indecent". What you’re supposed to keep private are the things that do not conform to someone’s idea of proper behaviour.

Privacy is not chosen, it’s enforced. It’s enforced by a dominant and oppressive system, whatever it is. Most people have nothing to hide. And that’s probably true. They have nothing to hide, because their behaviour is the one that follows the dominant moral code, the dominant comportment. And then, what they’re doing doesn’t interest anyone else but them; and I’m not saying they’ve got shitty lives, they just have a life similar to the life of everyone around them.

But if you’re not on this side of the world, then people will ask you to keep things in private. To behave. To not expose yourself. To not claim what you are.

When you tell someone to keep things private, you refuse their right to be.

And that’s why privacy sucks. It sucks when you ask my suicidal and depressive trans-gender-fluid friend who expresses themselves in social space to keep their pain to themselves because it’s improper. It sucks when you ask my friends to hide their love because they have the same gender while you’ll expose your heterosexuality without being ashamed. It sucks when you say to a woman whose body has been exposed that she should have kept those pictures private or that she should be ashamed to dare expose herself.

You’ll say that you have a right to privacy. Except that people doing fine tell it – whatever the consequences on their neighbours or friends. Except that male genitals are basically exposed everywhere without consequences for them while a nipple is indecent in the public space – which means that having a female body is something that you should be ashamed of. Except that you can demonstrate your affection to the people you love while me or my friends can’t because we should keep that private.

Privacy is Censorship

In the end, privacy is censorship. It’s an argument used by oppressors to force oppressed people to conform to an oppressive form of society.

Asking someone to be decent, discreet or to conform is forcing them to behave, to not express themselves. To not define themselves. People who should have privacy are the ones who do not conform to your vision of morals. It’s women, queers, sex-workers, porn actors and actresses, etc.

And this is a form of censorship. And censorship is the oppressor’s tool. And it sucks. I oppose censorship not because of freedom of speech, but because of freedom of self-determination. I need words to define myself. And by censoring them, by forcing me not to use them, you take away from me the possibility to define, to exist in the public space.

If you do not have the words to define an idea, then you can’t formulate this idea – that’s the whole purpose of Newspeak in 1984.

The interesting part of that is: if you need a law to censor something, then this something is named and then exists. It’s like in Inception (the movie), where the character played by DiCaprio states that:

If I want you to think about elephants, I just have to tell you not to think about elephants.

(And now, all my readers are thinking about elephants)

For instance, the word nigger/nigga has been used to discriminate against Afro-American people. But some of them took back control of this word, and reappropriated it to define themselves. They use it to define themselves. They exist because this word exists, and yes it leads to discrimination but it has a name and then you can fight it.

You can’t fight what you can’t name. And forbidding the use of specific speech does just that. It makes groups and communities unable to exist. Censorship doesn’t protect minorities. Freedom of self-determination does. Yes, it means that you’ll have hate speech. And yes, hate speech should probably be sanctioned in some way. But you must be able to discuss it.

If you cannot discuss racism, or fascism, or sexism then you can’t fight it. That’s why most of the teachers – at least not the creationist ones – do oppose censorship.

But … Privacy is a human right?

Yes it is. It’s written in the UDHR and it’s the 12th article. The thing is, this declaration is not directed at citizens. It’s not meant to be implemented by them. It’s directed toward states, and it’s supposed to be what they should do, and to protect citizens from states – the way constitutions do.

And, for the sake of the argumentation, I’ll quote it here:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attack upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attack.

It basically states that you shouldn’t ask me to behave. To keep things private. To be decent. That you shouldn’t attack my honour or that I shall not be treated differently by the state – hence the society – for what I am.

The privacy defined here is the one that you use to shelter yourself from discrimination by states or oppressive groups. It’s the survival mechanism one should not need to use, but sadly exists because there are enough bigots out there in the world to threaten your life – think being openly gay in Uganda for instance.

Privacy in this context is a shield. However it denies you the right to be seen as what you are. It takes away your right to be. To define yourself. It’s a crappy shield, but it can keep you alive.

And that’s why it’s important to be able to activate some sort of shielding, because you can go to jail for that. Or be killed by fascists. And as a human you have the right to protect yourself.

But if anyone else can define themselves in the public space, and if I can’t, if you ask me to be decent, you’re basically denying me the right to exist. You’re violating this 12th article that you claim to defend. And you’re doing that because you do not need privacy.

On the internet, being a white hetero cis-male means that you really do not need privacy. You won’t be ashamed because you had sex. Or because you exposed your body. Or because you demonstrate affection to the person you love. Privacy isn’t of any use to you, because you’re on the privileged side of an oppressive system. You won’t be beaten up because you were indecent. Or non-conforming to the society.

So, no more Privacy?

No. Sadly, we might need privacy. As I said beforehand, it is a shield from repression. Shielding yourselves is, however, denying what you are. It’s validating the oppressive society you’re living in.

If you want to fight that, then you need to abandon your privacy. Because you need to publicly exist. Also, that’s how you’ll find support among people going through similar issues. That’s how you can fight oppression. By existing in the public space, not only in the private space.

And if you do not belong to an oppressed party, then you do not need privacy, for you’re not going to be assaulted just because of what you are or think. You do not have privacy because it interests no one, because you’re in the "normal life" area of the world.

So yeah, we must fight for people being able to have privacy. Because they could die if they have none. But no, you can’t ask me to be decent. Or to keep things private.

Fuck it.

GMX, Security and Privacy.

Once upon a time

I have this friend – Milou. She’s going to be a good journalist, and she worked a lot for NGOs during her studies. Hence she travelled a lot. As an NGO worker and apprentice journalist, she travelled in … hmmm … interesting places, and a country in particular – let’s call it Zoukinistan.

You’ve probably heard about Zoukinistan, it’s one of these countries the US – and part of EU – are at war with, and where those almighty democracies^Wpowers tried to create a Democracy they own.

So, this woman was going there, doing a job of getting in touch with local activists, reporting human rights violations, doing journalism, stuff like that. And she met there a lot of interesting people.

Not all these people are on the side our governments are comfortable dealing with. Not necessarily warlords or fundamentalists either. They probably just don’t want any more foreign interference in their country. Yeah, the ones governments probably call terrorists. Or enemies. Or just those who want to expose corruption of their US-backed government.

So, as a journalist, she maintains contact with those. No one knows when the next things to expose will blow up. And since she’s quite aware of all the NSA doing nasty things on US hosted servers – essentially trying to graph people in contact with this kind of activists – she goes for a non-US based email provider, and a free one.

And then GMX entered the dance.

Since Milou knows me, and since I worked a bit with her, she uses Tor, OTR, and free software. And I think she understands why it’s needed, and why she needs to protect her sources.

So, she created an account on https://gmx.com and used the webmail using Tor, naively thinking GMX – being a German company – would protect her communications.

It appears that GMX is part of United Internet, a German holding which also owns 1&1 and mail.com. And they own 7 datacenters in the EU and the US according to their about page. So they have data on US soil, under the Patriot Act – and you definitely don’t want to have data there if you try to protect sources from the US Gov. But nothing says that the former French Caramail they bought, and which became part of gmx.com, is hosted there – in fact, and for strict latency reasons, I think they’ll leave it on EU soil, just to have good performance.

Anyway, let’s put those considerations aside for now.

So, Milou and her friend exchange emails using GMX. I’ll skip the fact https is not enabled by default. Or that they implemented it quite late between servers – after all, Google did it only after NSA had leaked a nice post-it – it’s not really that important since, after all, all emails are probably stored in clear text on a corporation server.

However, Germany, home nation of GMX, is involved in military and security missions in Zoukinistan. We also know that the NSA did infiltrate German Internet companies and that the German secret services do cooperate with the NSA.

And then Milou’s GMX account was closed for security reasons. Since the IT support doesn’t provide any details, since I could not find anywhere on the net anything related to the closing of accounts used via Tor – even if they made it hard for anyone to do so – and given the lack of security on their side, I think that it must be read as national security reasons.

My guess is that GMX has been required to terminate this account because it represented a threat to national security.

The interesting part would be to know which nation asked for it. Could be France (Caramail which became GMX.com was French after all), the US since they would not like my friend to chat with a terrorist, or the Germans wanting the same thing.

I don’t know. Hard to find evidence when the tech people in the company refuse to provide any. And that’s weird. They could have pretended some unusual traffic came from Milou’s computer – unusual meaning in this case via Tor and Ubuntu – or that they detected some attack and the account had to be terminated, or anything else.

But no, they just "can’t answer", won’t provide any email backup, nor even any support. I don’t like drawing conclusions without facts, but it really seems like someone read those emails and had GMX close this specific account.

My nightmare is coming true

Context

There’s a lot of heat these days in France about a call for projects made by the RATP (the more or less public organisation which is in charge of managing all the private and public parts of the Parisian and Île de France commuting system). It’s a simple project that would be used to help regular customers automatically pay their monthly fee using a facial recognition system.

If you’re not Parisian, or a suburban, you have to know that there are actually two legal ways to use the commuting system. Single-trip tickets, or monthly passes. Those monthly passes are either paid directly by taking the money from your bank account, or every month by the means you choose (cash, check, credit card). Those passes are either anonymous (you buy them for 5€ and you write the data on them yourself, so they don’t have your name in a database) or linked to an account in a database (but the pass itself is free, and they generally give you a discount). This whole system is the Navigo system and is, surprisingly, quite safe (given the security of other systems you may have met).

So, now they want people in their databases (those who, most probably, have an automatic monthly payment already in place) to automagically pay their pass using a facial recognition system (so, instead of the credit card they’re not currently using). It must be this because, you know, other people don’t want to have an automagic paying system (or they would already use it).

You’re wrong!

If you think it’s only about payment, then you’re wrong. The people who can benefit from a real time saving (we’re speaking about half an hour once a month) have the year pass and they do not really care.

So, now that we agree on the fact that this whole "it will be easier to pay" is a lie, let’s look at other things.

First, when people found the document (online, in a public Dropbox, no encryption – seriously people???) and made some publicity about it, the RATP did remove the call for projects from their website and, a little bit later, the project. But the internet is cool, and the Streisand effect still works fine, so you’ll find it everywhere. It just means they’re ashamed of it or do not want people to be aware of this project.

Another interesting point is to look at all those European-funded projects in which the RATP – as well as arms manufacturers – is involved. The most interesting one I found lately is the VANAHEIM project, developed with the RATP equivalent of Turin. They now have a fully automatic system which can do machine learning and can interpret unusual behaviour (such as someone falling in stairs, someone jumping the fence, a lost tourist or – and it’s used as an example – someone distributing some flyers to people) and launch an alert.

These kinds of systems have been widely used in the RATP subway system for a while, and they’re ineffective because, in case of aggression, the mother fucking cops take more than fifteen minutes to arrive.

You’re wrong!!

If you think it’s a privacy invasion. It’s not about privacy. Your privacy is at stake in the EU Parliament, and you should speak about it with https://www.laquadrature.net or https://nakedcitizens.eu, but this is not the issue at stake with this kind of project.

I mean, there are already way too many CCTV cams in the subway (just getting inside and outside of the subway system makes me go past 30 of them, for a 100m trip that’s a lot).

Besides, since you’ve bought the fame, you’ve got a tracking device in your pocket making you leak a lot of data about your errands, who you’re with, and the calls you’ve made (just search for FinFisher ‑ and don’t think they’ve stopped doing that because it has been exposed).

There’s also the fact that you want to check on your (girl|boy)friend, where your kids are or if the elderly ones are OK. You asked for it. You begged for it. You want to spy on people around you instead of trusting them, and you can now buy a GPS tracking device to tap your partner for less than 100€. And after that, you complain about someone other than you doing the same thing. You deserved it.

But in this case it’s not about privacy, the RATP can barely do more harm to your privacy than what they’re doing right now. They’re currently linking biometric data (picture), names, travel history for the last 48h (that’s what they claim), bank account and now, since they’re selling a device to load your pass from your computer, they even get the address and details about the computer you’re using at home (and with the possibility for them to install software on your computer). So no, this facial recognition system (yet another one) is not about your personal data or your privacy.

It’s about being able to analyse your behaviour, the way you dress, the way you walk, and to automatically launch an adequate response (I’ll go for cops right now, but it won’t be long before they send drones or before an automatic fee is paid directly by your bank without your knowledge).

You’re wrong!!1

If you think it’s only a RATP issue. I mean, Thales is working on it. They are weapon manufacturers (and sellers), they build missiles and drones. The transportation system is just a sandbox and an experiment for them. The police will use it soon (what, you’d expect they’ll leave humans behind screens to interpret CCTV data? Well, with all the CCTV – heck, sensors, there are microphones now, and I expect infrared cameras that interpret feelings or electromagnetic scanners that scan backpacks, like the ones already in airport customs systems).

If you’re interested, there’s a whole bunch of similar projects funded by the EU, just look for INDECT.

We know that a lot of private companies are already spying on everyone, and they’re not even limiting their job to borders (hint: borders don’t exist except to jail you), look at what Gamma is doing, or Qosmos (with Hacking Team – oops, another Franco-Italian alliance in tech) or even Google or Facebook (hey, they’re also doing facial recognition).

Those systems are used worldwide to detect insurrectional comportment, to identify bad citizens, ask China or Belarus about that. And now they’re going one step further. They’re just trying to remove the human from the decision system because humans are expensive and may one day have a moral issue with doing this job. (hey, go look at the spyfiles if you do not think they’re doing this)

We now have systems which can analyse and track "bad" citizens in the world on one hand, and, on the other hand, we have assassination systems (drones) run by private corporations (ask the CIA who’s operating their drones – for the record the CIA is NOT a military organisation, it’s just a civil one), to kill people without trial anywhere in the world. They’re working on automatic drones (because you can’t rely on the stability of communication in times of war) which will be unstoppable once launched, just to ensure the result of the mission, whatever electronic warfare is deployed on the other side.

I’m just wondering at what point they will connect the two systems (and then Santa Claus will be happy, all the "bad" kids will be killed once detected by the system). I mean, they will, I just don’t know when it will be done. We do have "analysts" who are now filling data gathered by autonomous systems to determine who to kill first and who then launch an automatic assassination system without supervision or accountability. The day when the analysts will disappear isn’t that far.

YOU’RE FUCKING WRONG!!!!

If you think it is a nation-state related issue. Nations don’t need an imprecise and automatic system to kill people without trial. If it’s a democratic state it should not do that, if it is not, dictatorships are already effective at that (history is full of people mass-murdering their population without any computer-aided system).

Who’s gonna benefit from that? Come on, it’s easy. It starts with a B and ends with a USINESS. Business. Money. Profit. Control. This is what corporations feed on.
Arms dealers need war. Security dealers need insecurity. Cyber-defense sellers need cyber-threats.

This is the rise of new automated systems. Google has already built the root of an AI and they paved the way to mega-scaled computing to exploit and make sense of data to answer questions the best way possible (such as "what is FinFisher?"), Thales (and Safran / Morpho, and a lot of other companies) now have an efficient system for analysing comportment on a city scale. We do have autonomous weapons. The financial systems don’t depend on human intervention (another question for Google: "What is High Frequency Electronic Trading?"). The legal systems of all the countries are threatened by the operators of those not yet sapient AI (continue asking Google some questions: "What is ACTA?", "What is TAFTA?") because they just want more control.

I said efficient? Well, it’s not. There are a lot of false positives. But those companies don’t care, all they want is for the system to be efficient enough to be sold. The fact that thousands of people have been killed by drones doesn’t mean that those people were all targets. They just were at the wrong place at the wrong time. Or the operator was high or drunk and just thought he was playing Medal of Honor. This is probably the worst part.

This is a new era. The rise of the machines. And, according to James Cameron, it won’t end well. I’m not opposed to computers and technology. I’m opposed to technology that takes control of my life and yours (because then they can control my life)

GAME OVER


Thanks to the whole karmeliet team who did a lot of corrections here

Facebook and Contestation

Where did it start?

This post is the result of a discussion I had with @ElodieChatelais, @jujusete and @oOBaNOo following the publication of an article on indymedia written by NADIR (the piece is here). This article, a bit harsh but hey activists can be harsh, exposes the implications of using Facebook to plan the contestation.

The context in which it has been publicized is the occupation of the ZAD in the NDDL airport battle (because, yes, it looks like a battle).

There are, in fact, two problems at stake here. The first one is the question of the tool used to plan and organise a contestation or a social movement that can lead to repression from a form of government (be it civilized or not). The second one is the communication around a demonstration; this communication is a necessity to give a movement some momentum.

The people I’m talking with about these issues generally say that they use Facebook, even if they know the so-called danger, because everyone is doing it and because there’s no time to develop new tools to communicate, it’s time to fight.

And, as you may expect it, I disagree with that.

What exactly is Facebook

Facebook is a tool. It’s not a place (for it has no physical boundaries), so people aren’t on Facebook – they are connected or not. It’s a tool that is, apparently, good at building and growing social networks and bonds. It’s a tool that is, apparently, good at propagating ideas and memes.

It is supposed to be the perfect tool to organise your private life, except that it is a lot of things, except private. Facebook is the biggest database of consumer habits and the biggest map of social networks that has ever existed. It is run by a private corporation whose only goal is to monetize your privacy by selling it to everyone who is willing to pay for it.

Let’s be clear about that, Facebook is to freedom what arsenic is to life. Facebook doesn’t want you to leave their pages, they want to know exactly where you’re going, who you’re talking with and what you’re talking about. They want to control what is said, what has been said and they want to keep a log of everything, even if you’ve deleted it. They even have personal profiles and data collections about people who do not even have an account. If, at any time, a form of government asked you to wear a GPS-enabled device, to permanently wear a voice recorder, and to ask for an ID for everything you’re doing (from reading newspapers to shopping) you would call it a fascist state, but that’s what Facebook is doing. They’re gathering data about your habits online, and you do not even know what they know about you (they also possess all the content you’ve generated on their websites).

So yes, Facebook is a poison.

Organise

So, organisation. If you’re plotting something on Facebook, they will know about it. I mean, you’re gonna use a platform that keeps deleted personal messages, does not hash those messages (granting the ability to read them), is centralized and closed, and maps social networks for profit.

Imagine a government wanted to infiltrate a social network, Facebook provides them with the perfect tool. They can create profiles and join your social group quite easily. They can probably force Facebook to collaborate and to just give them all the data they’ve got on you – which is way too much.

So, organising yourself for something that can lead to repression is endangering yourself as well as all the other ones involved, even if they’re not using Facebook. The mere fact that one person among the people trying to organise themselves is using it puts the whole organisation at risk.

I’ve been told that Facebook is a good way to authenticate the people you’re speaking with. Well, it does not protect you from impersonation, someone stealing, or building, an identity that they will later use to infiltrate your network – but it’s not a Facebook-related issue – and it’s not a proof of authenticity. A session can be hijacked, a password can be stolen, etc. The only way you have to authenticate is cryptography (using a pre-shared secret) and Facebook does not provide tools for that.

You need to organise your contestation. You do not need Facebook for that. What you need is tools that will be usable, decentralized and free – as in freedom. They exist, you do not need to build them. Pick one, there are wikis, communication servers (think jabber for instance), platforms such as https://kune.cc (based on Wave) or https://riseup.net that already exist and are tailored for paranoid activists (well, every activist should be paranoid).
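What authenticating with a pre-shared secret can look like in practice, as an added example that is not part of the original post: a challenge-response check built on HMAC-SHA256, where the secret itself never travels. The `Peer` class, the names "alice" and "bob" and the `psk-auth-v1` label are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets


def _encode(*fields: bytes) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") never collide."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


class Peer:
    """One side of a challenge-response exchange keyed by a pre-shared secret."""

    def __init__(self, name: str, psk: bytes):
        self.name = name
        self._psk = psk        # exchanged beforehand, out of band (e.g. in person)
        self._pending = {}     # nonce -> name of the peer we challenged

    def challenge(self, peer_name: str) -> bytes:
        """Issue a fresh random nonce that the peer must answer."""
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = peer_name
        return nonce

    def respond(self, challenger_name: str, nonce: bytes) -> bytes:
        """Answer a challenge: proves knowledge of the secret without sending it."""
        return self._tag(self.name, challenger_name, nonce)

    def verify(self, nonce: bytes, tag: bytes) -> bool:
        """Check an answer. Each nonce is accepted once, which blocks replays."""
        peer_name = self._pending.pop(nonce, None)
        if peer_name is None:
            return False
        expected = self._tag(peer_name, self.name, nonce)
        return hmac.compare_digest(expected, tag)  # constant-time comparison

    def _tag(self, responder: str, challenger: str, nonce: bytes) -> bytes:
        # Binding both roles into the MAC stops a challenge from being
        # reflected back to its issuer and the answer reused.
        msg = _encode(b"psk-auth-v1", responder.encode(), challenger.encode(), nonce)
        return hmac.new(self._psk, msg, hashlib.sha256).digest()


def demo() -> dict:
    """Run the exchange on constructed peers and return each check's outcome."""
    psk = secrets.token_bytes(32)
    alice, bob = Peer("alice", psk), Peer("bob", psk)
    impostor = Peer("bob", secrets.token_bytes(32))  # claims the name, lacks the secret

    results = {}
    n1 = alice.challenge("bob")
    answer = bob.respond("alice", n1)
    results["genuine"] = alice.verify(n1, answer)

    n2 = alice.challenge("bob")                      # old answer, new challenge
    results["replay"] = alice.verify(n2, answer)
    results["reuse"] = alice.verify(n1, answer)      # nonce already consumed

    n3 = alice.challenge("bob")
    results["wrong_key"] = alice.verify(n3, impostor.respond("alice", n3))

    n4 = alice.challenge("bob")                      # alice's own answer sent back
    results["reflection"] = alice.verify(n4, alice.respond("bob", n4))
    return results


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:10s} accepted={accepted}")
```

A hijacked session or a stolen account password does not help an impostor here, because only someone holding the shared secret can compute a valid answer to a fresh challenge.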

If you’re not in total and full control of your communication link, it means that your communication link is controlling you and your organisation. And the only way to get in total control of those links is for them to be free and decentralized (and, in the ideal case, to be run by each and everyone on his personal home box).

Communication

The other issue is communication. Protesting, disobeying, contesting is, in fine, a communication issue. You will need communication to tell other people what you’re doing and why and, since you’re convinced you’re on the good side, to try to convince them to join you, to develop your movement.

So, you need to reach out. And to go where people are. The common mistake is to publish your content on Facebook. By doing so, you’re doing two things. First, you give a non revocable, non exclusive licence on your content to Facebook. Second, you centralise all the information in one site.

When Tim Berners-Lee invented the World Wide Web, he designed a handy tool to help the sharing of information. This tool is the hyperlink. It grants someone the possibility to go from one website to another one by just following a link. No registration system, no directory system, just the URL describing the resource to go to. Facebook tries to discourage this (because most of the interaction is made through likes of Facebook-hosted content) and so Facebook tries to destroy the basis of the Web.

Hypertext is all that is needed to propagate information. This text has a Uniform Resource Locator (yeah, URL) and that’s all you need to access it. Content on Facebook requires you to have an account to access it.

But people are on Facebook, you’re going to tell me. Well, no. People are in their houses. They’re not on Facebook. You can reach them with so many tools that I won’t count them. Also, I’m not sure that seeing a like (one among so many others) on a wall will create involvement. Evgeny Morozov has written some good pieces about slacktivism and you should read them.

I do believe that, when I reach out to people, I’m best in the flesh, having a casual talk with my inner circle friends. They’re the people I have most influence on, and this is mutual (hell, friends exist for a reason: manipulate them and being manipulated by them). It won’t take me long to have ten more people fighting a cause (maybe an evening, perhaps two) when having a discussion. To get this same result on any social media (and I do not mean 10 likes, I mean 10 people that will do something), it will take me way more work.

I do not think you need Facebook to get momentum and to motivate people. You do not need Facebook to have media coverage. You do not need Facebook to change the world. You do not need a megaphone to speak – even if that’s classy – you need arguments, ideas, and freedom. Facebook can’t provide any of them.


I am a terrorist (and?)

So, these days two events were directly aimed at people who want to enforce and protect their privacy, or at the ones that would maybe participate in an Anonymous group. One here, in France, another in the US.

The blowing of EDF

The first affair, that everyone’s discussing, is a thing that started 6 months ago, when the landing page of EDF (the main company that’s selling electricity in France, a public business but in a market open to competition) was hit by a DDoS. That was in June, and the thing hit the news [FR]. It was not that long after the serious problem in Fukushima, and there was a lot of pressure around nuclear power at this time. The DCRI (French secret police), following the leads they had, found that people were using a public pad hosted by piratendpad.de, the German Pirate Party, to synchronise the attack. They asked their cross-border colleagues for access to the logs, and then the police raided the server, just some days before an important local election for the German Pirate Party (where they made a big score by the way). The story was covered in the press, particularly on Ars Technica.

Last week, they finally went after two guys linked to Anonymous (but who is not?) and put at least one of them in custody for 60 hours in a row (the interview of the guy is at owni [FR]). The police said 45h and that he waited for 15h in a cell. That’s still 60h of custody. That’s more than the legal limit of 48h, so it’s a special exception for fighting terrorism (yeah, the US got the Patriot Act, we got at least 2 LOPPSI, and 2 other National Security Laws during the last ten years). Oh, and the goal of the DCRI is to catch terrorists (and to put everyone under a CCTV cam). The evidence was that the guy’s IP was found in the webserver logs (so, he just visited the website of the company that sold him electricity, probably to pay his bill for instance… Surely, he is a terrorist).

The thing that worries me here, besides the fact that they do not understand the internet, is that they used a terrorism allegation. Terrorism is destroying critical infrastructure and killing people to spread terror in a part of the world. A DDoS on a public website (even if I disapprove of it) must not be a threat to a power plant. Especially if it’s a nuclear one. So, there was no risk at all of destroying critical infrastructure to spread terror, so not terrorism. If there was a risk (meaning, a computer of the plant LAN connected to the internet), first a DDoS on the public (and non-related) website would not have destroyed the plant, but that would be the evidence that those people are idiots, incompetent and dangerous, and they should do jail time.

The FBI poster about terrorism

Fear. Uncertainty. Doubt

The governments are doing this because they’re afraid. They’re panicking, they do not understand what’s slipping between their hands. They’re losing the battle, so they’re panicking. What they want, besides controlling everything and everyone, is killing Anonymous and other hacker movements. One efficient way to do it is to use the Fear of the people, by using Uncertainty of facts (there’s a possible terrorism risk) and by disseminating Doubt in people’s minds (are hackers good or evil?). That’s why they want to control the information, and the media. It’s so bad for them that a lot of media do like us since the Arab Spring and the Occupy Movement all over the world.

They want to make us terrorists, because everyone has an irrational fear of terrorism. Terrorism is perceived as a high profile threat, with an extremely high probability for a terrorism event to occur, while it’s not. I mean, there are more people killed on the road each year in France (about 6 000) than by terrorist acts in the last ten years. But it’s a risk a government can pretend to fight by showing things like policemen equipped with shotguns and assault rifles, servicemen in public space, invasion of privacy for a greater good. That’s why they want us to be terrorists, it’s because they need it to control the cyberspace and they want to kick us out of their world.

The thing they did not get is that we are already out of their world. John Perry Barlow wrote some time ago the Declaration of the Independence of Cyberspace, and that has never been so true. We fight governments and corporations. We stand for people when all of you have fled from the battle. We will be the last line between them and our privacy, and that will be an epic battle. Not using guns and spilling blood, but using speech to spill words, laws and regulations, computers and the internet to spill data all over the place. This is the real cyberwar people said exists. People, hosts, bots and cats from the internet, versus the control freaks of the nation states and corporations.

I will fight for my freedom. And you should do the same. They called us terrorists so you are not under threat, we will take the pressure, we can manage stress and staying awake for nights, you should join us and make your voice heard because you have something to say. The crypto ammunition box is now fully open, come and get some. If you still need to know why and how, read the Cyphernomicon.


Let’s talk about Privacy, Intimacy, Anonymity and Identity

I have wanted to write about those topics for a while because I think they’re important topics, especially nowadays due to the ever-growing ubiquitous surveillance. I think that most of them are not perceived the same way by everybody, so I’ll try to write down and define what I put behind the concepts of identity, privacy, anonymity and intimacy.

So, we’re going to start with some definitions, see how they are linked, etc. I won’t use many links, because it’s what I think; it’s probably not original and unique, but that’s how I feel things are working. Also, we are going to eat Information Theory.

The identity problematics

We walk in the world as emitters and receivers of signal (part noise, part information). This signal is directed toward one((unidirectional communication, also named unicast by network engineers)), some((multidirectional communication, named multicast in network operations)) or all((wide communication, or broadcast)) receivers in range.

The etymology of “Identity” comes from the Latin identitas (sameness) and indicates which information is emitted by the same entity, the same thing. That means two things. There’s a track back to previous information emitted by this entity, and the receiver can link the emitter to this entity. The identity is then the sum of all the information about an entity an emitter can perceive, and an entity can have multiple identities, in general one for each space (public or private) the entity evolves in.

One thing about information: if it’s not archived and indexed, it will disappear with time. Who remembers who Jessi Slaughter is?

What’s my name?

The name is the unique handle of an identity. It can be a unique number, a common name, a description, etc. The name of an entity is how you will access all the information you can find about it. This is the bit of information you need to know to find out who an entity is and then access all the information available about this identity in the space you’re standing in.

If an entity has no name, and is in fact anonymous, then you won’t be able to find any information about it. But then, the ‘Girl with Nice Boobs who was at the party yesterday’ and the ‘Bunch of people that sing in the subway’ are each a name. A temporary one, but it’s still a name. You can talk about those persons with other people who were in the same space at the same time, but the information will probably be quickly dissolved in the flux of data we live in.

A name stands for an identity. Or should. The tricky part is homonyms: two (or more) different identities covered by only one name. To find out which entity you’re communicating with, you will try to find context, that is, previously stored information that you can then use to find out which entity you’re dealing with. You deal with homonymy the exact same way as with usurpation. Using the information you can find about an entity, you can know who they are to you, independently of their name.

Trust

Trust is the biggest thing in social relations. It exists principally in three states: you trust an entity, you distrust it, or you have no idea of the trust you should have in the entity. Trust is accountability. When something you trust gives you a piece of information, you know the information is correct. If someone you trust claims a name, you won’t check his history to confirm or refute it. Someone you trust is also someone who will probably not take information about you out of the space you are communicating in.

The people you distrust are easy: you won’t believe them and you will try to verify every piece of information they send, because you can find a source of information you trust to confirm or refute their identity.

The world is small anyway, so you can probably build a trust chain to this entity and confirm or refute the identity link for an entity you do not trust.

Trust is not bidirectional and is personal. It’s not because you trust me that I trust you. And it’s not because I trust someone that you should trust them by default, but it will give them more trustworthiness (because you trust me and I’m telling you that this entity is really who they claim to be), so that will help you to decide if you want to trust this entity.

What’s privacy then?

Privacy is the opposite of publicity. If something is not in the public space, that means it’s in a private space (or that it’s in no space, which is not possible due to some constraints such as physics).

So, what is public then? By etymology it is linked to the people((From the Latin poplicus, which is a derivative of populus, the people)). That means everybody can access and see a public thing. At least, there is no authorisation needed to access something public.

For instance, when you walk in the street, you are in a public space. When you enter a bar or a restaurant, you’re still in a public space. When you pay the fee to access a museum or a night club, you are in a public space (it’s not an authorization, it’s a cost). When you surf the web reading data that does not require a password to access, you’re in a public space.

That means that everybody in the same public space as you can access all the information you’re emitting. Whether it is your apparent age, skin color, gender (not your sexual identity however), the things you’re saying or the song you’re singing. If you are in a public space, everybody can access and see and track all the information you’re emitting there.

So, privacy is the opposite of publicity. That is, you’re in privacy, and so in a private space, when you access a non-public place. A place that requires you to have an authorization of some kind. It could be a good old key for your house or your locker, or a password to access a private sharing space online; even a simple closed door with a sign on it stating ‘Access forbidden’ is a delimitation between a public and a private space.

Privacy is then a matter of limiting access to the information you emit. If you have the key to enter a private space, you can access the private information.

Intimacy

Intimacy, again from etymology, comes from the inside. This is what’s inside an entity; that’s all the information you’re not emitting. It’s when you opt out totally, with no emitter of information that you cannot control, and all the ones you control shut down. You generally add your closest friends into this intimacy, as well as all the ‘special’ people; those are people that won’t tell that information to anyone.

Intimacy is the part of yourself that no one knows about, except the special ones. Intimacy is way more than privacy. Privacy is interesting, as it allows you to communicate with people of your choice without being put in danger for what you’re saying. It allows you to have multiple identities and to use them in multiple social circles. Intimacy is what’s outside of all social circles.

Let’s explore the world!

We now have our concepts defined. Almost. So, now, let’s go online, because everything is funnier if you add network and computers to it.

Let’s enter the world of information

So, it’s easy to get a grasp on the private/public problem in the physical space. I can live with a bunch of people in an open space like a loft, or a squat, but still have some private space (the one I close with a key I own). What’s hard is when you add some layers, for instance cyberspace. I can sit in a private space (my room, locked) and access a maybe-public space.

The thing is, independently of the thing you’re going to access, every bit of information that goes out of your device of choice will go through different intermediaries before reaching the data you want to access. The origin and the destination of the packets are known, as well as a lot of other stuff. This information is needed to route the packets through the different networks, but it is data you emit in the public space (anyone on the route of your packet can see and access this information).

Whether you’re accessing your Facebook page (which is more or less private, depending on the settings you choose), your webmail (which is private, given the fact that only you are supposed to have the password needed to access it) or your mails, reading a website, downloading a video using P2P protocols, etc., you will emit a lot of information that a lot of people (or computers) can read.

So, remember what I said about the lock in the previous part? You need to put a lock on the information you want to keep private. You can’t lock all the information in the packets; some of it is needed to grant you access to the resource you’ve asked for. That is mainly routing and protocol information, because that’s the way computers work: they need to talk a lot to each other to get things done. But the other information, the information you want to keep private, you can lock to deny anyone the possibility of reading it without a key of some kind.

That’s the goal of cryptography: forbidding data from being physically readable by just anyone and restricting it to whoever has the key.

So, you’re in the private space only when you use strong cryptography. Yeah, encrypt everything you want to make private. If something goes online without encryption, it belongs to the public space.
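What this section describes, as an added example that is not part of the original post: a constructed IPv4/TCP packet is read the way any intermediary on the route could read it, once with a clear-text payload and once with a locked one. The addresses, ports, function names and the one-time pad standing in for real strong cryptography are assumptions made for the illustration.

```python
import secrets
import socket
import struct

def build_packet(src, dst, sport, dport, payload):
    """Constructed IPv4 + TCP packet; checksums are left at zero for brevity."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def observe(packet):
    """Everything an intermediary on the route can read, with no key at all."""
    ihl = (packet[0] & 0x0F) * 4                   # IPv4 header length in bytes
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_offset = (packet[ihl + 12] >> 4) * 4      # TCP header length in bytes
    payload = packet[ihl + data_offset:]
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "protocol": packet[9],
        "sport": sport,
        "dport": dport,
        "size": len(payload),
        # Heuristic: printable ASCII plus tab/CR/LF means the content is legible.
        "payload_readable": all(32 <= b < 127 or b in (9, 10, 13) for b in payload),
        "payload": payload,
    }

def lock(message):
    """One-time pad: a stand-in for real strong cryptography (assumption)."""
    key = secrets.token_bytes(len(message))
    return key, bytes(m ^ k for m, k in zip(message, key))

def unlock(key, locked):
    """Only the holder of the key gets the message back."""
    return bytes(c ^ k for c, k in zip(locked, key))

if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, made-up request.
    msg = b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n\r\n"
    key, locked = lock(msg)
    for port, body in ((80, msg), (443, locked)):
        seen = observe(build_packet("192.0.2.10", "198.51.100.7", 49152, port, body))
        print({k: v for k, v in seen.items() if k != "payload"})
```

In both runs the addresses, ports and payload size stay visible to the observer; only the content stops being legible once it is locked.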

A wild corporation appears!

Corporations, at least internet ones, suck at two things: security (but that’s everyone’s burden) and transparency. When you land on a ‘secured’ website of a company, they will require you to prove your identity while they’re doing the same (using SSL certificates). They’re not asking you for a key (an authorization), they’re using your identity as a key. They’re using the whole set of data they can build about you as the key to access their services. You cannot know what data they have on you, you cannot opt out of that data, they’re building a strong identity of you. And they’re following you everywhere they can, without telling you.

So, they build an identity about you, one you don’t know anything about, and they’re building it using data from a private space that they’re not supposed to share with everyone else (except if you explicitly opt in). They’re archiving every piece of information you emit, storing it in extremely redundant servers because they do not want to lose any bit of identity about you. And then, they will replace the wall of the private space they made with a polarised window, allowing everyone who can afford it to penetrate the private space without the key and without your consent. When someone goes into your place without authorization, generally you call the authorities or shoot the trespasser. You’re not allowed to do that to corporations that sell personal data, some of which they should not have.

I mean, they do not need your name to run their business. The only reason they need it is because they want to cross-check in other databases – private spaces – what you’re doing when not under their radar. That’s what real-name policies are: a meta identification token spanning all the databases that use the same policy. And that’s why they’re so bad.

The financial data stored on non-banking websites is bad too. They do not need it. They need to know, in the worst case, who buys what from whom and when. Not the bank name, the card number or any other details on it.

So, corporations are robbing your identities. They lure you into a comfy private space, then put you on national broadcast. I’m not even speaking about the risks of a data leak or a breach in the infrastructure. People accuse hackers when information about them is leaked. But hackers did not archive this information in the first place, they did not make huge files to track people and to spy on them and to rape and destroy their privacy. What hackers do is find a part of a public space that was hidden behind a curtain. So, next time someone is doxing you, ask the company why they had that information about you in clear text.

You can access a company server; if they store all the private information (or what they define as private) in an encrypted format, you won’t be able to read it. That’s the way to go: if you want a piece of information to be private, then encrypt it. If it touches your intimacy, do not publish the information. The internet and computers have an endless memory of extreme precision.

Protect yourself. Encrypt everything that moves. Give momentum to everything that does not move.


Version 1.0 of this entry was written by okhin on 2012/01/26. Use it as you wish. Or follow the WTFPL.