6. privacy and security.html

<!DOCTYPE html>
<html>
  <head>
    <title>LINGI2401 - 6. Privacy and security</title>

    <meta charset="utf-8">
    <style>
      @import url(https://fonts.googleapis.com/css?family=Yanone+Kaffeesatz);
      @import url(https://fonts.googleapis.com/css?family=Droid+Serif:400,700,400italic);
      @import url(https://fonts.googleapis.com/css?family=Ubuntu+Mono:400,700,400italic);

      body { font-family: 'Droid Serif'; }
      h1, h2, h3 {
        font-family: 'Yanone Kaffeesatz';
        font-weight: normal;
      }
      .remark-code, .remark-inline-code { font-family: 'Ubuntu Mono'; }
    </style>
  </head>
  <body>
    <textarea id="source">

class: center, middle

# LINGI 2401 : Open Source strategy for software development

Lionel Dricot
lionel.dricot@uclouvain.be
lionel@ploum.net

@ploum - @ploum@mamot.fr

???

---
class: center, middle

"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
– Eric Schmidt, Google CEO

???

Let's play. One represent Google, one represent the goverment, one represent the user who cares about privacy. Let's try to convince the governement to make a law for more or less privacy.


---
class: center, middle

#What is privacy?

Let's share example of what is private, what is public

???
- Position
- Phone number
- Bank account number-
- Name of your first boyfriend/girlfriend
- Your favourite sex fetish
- The mere fact that you had sex
- The last time you masturbated
- Being naked
- Your emails/sms
- Your browser history

---
class: center, middle

background-image: url(https://github.com/ploum/lingi2401/raw/master/images/wc_transparent.jpg)

???
Picture has been put under CC0 licence by the photographer

---
class: center, middle

#It depends with whom you share

Let's list different actors and link it with each previously discussed item

---
class: center, middle

#But why?

Let's list the reason to protect our privacy

???
We are influenced. If we know we are watched, we will act differently. We will mainly try to conform to the idea others have about us. People who are watched does not behave the same way that if not watched.

---
class: center, middle

#Transitivity of privacy

Once an information has been shared, you have to trust every informed system/person to protect the privacy.

---
class: center, middle

#Corolary 

An information transmited to an untrustable party should be considered as public

???
There's no such thing such as "reclaiming secrecy"

---
class: center, middle

#Streisand effect

Trying to hide a public information makes it more visible by turning the attention to it.

---
class: center, middle

background-image: url(https://github.com/ploum/lingi2401/raw/master/images/Streisand_Estate.jpg)

???
In 2003, a photographer took pictures of the Californian coastline in order to document erosion of the coast. Pictures were public. On one particular picture, the mansion of Barbara Streisand was visible. Her lawyers asked for the picture to be taken down and sued for invasion of privacy.

Note, the picture had been only been downloaded 6 times, including 2 by the lawyers themselves.

The picture became immediately one of the most requested picture on the Internet. It has its own Wikipedia page. Lawyers lost the case.

https://en.wikipedia.org/wiki/Streisand_effect

---
class: center, middle

# Why does people want to invade your privacy?


---
class: center, middle

# Why does people want to invade your privacy?

- Surveillance/security
- Marketing/influence

???
Invading your privacy is a way to enforce that you follow some rules either by coercion or by influencing you.


---
class: center, middle

# The good ads myth

???

Ads are designed to sell you stuff by influencing you and transforming your mind. Targetted ads are even more insidious because they transform you in a more subtle way. That's why you there are "loyalty cards". But still…

---
class: center, middle

background-image: url(https://github.com/ploum/lingi2401/raw/master/images/marketing.jpg)

---
class: center, middle

#Impact of ads on your brain

???
It's a lot worse than you think.

Read TV Lobotomie, by Michel Desmurget.

http://www.digitaltonto.com/2009/advertising-on-the-brain/
http://www.pbs.org/wgbh/pages/frontline/shows/persuaders/etc/neuro.html

---
class: center, middle

#App are purposedly designed to steal your attention

???

https://journal.thriveglobal.com/how-technology-hijacks-peoples-minds-from-a-magician-and-google-s-design-ethicist-56d62ef5edf3?gi=2099ca5c1f20#.93vbmi2yh
http://www.timewellspent.io/
 
As I'm currently experiencing a deconnection from social networks and any "news" websites, I can talk about it firsthand.


---
class: center, middle

"If you are not paying for it, you are the product being sold."

???

So, basically, you are spied, your attention is stolen in order to sell you more stuff. That's the naked truth. And you cannot fight it with your willpower alone as this is deeply unconscious.

---
class: center, middle

"The problem in today's society is that the brightest minds are all working on how to serve us more ads."

???
Facebook, Google, Twitter are just incredibly efficient advertising companies.

Do you really believe that you, alone , stand a chance against thousand of the best marketers, neuroscientists and UX designers in the world?

---
class: center, middle

#You are always serving your customer's interests

???
Example of my e-concierge project in the industry cancelled because too expensive vs Google doing it for free.



---
class: center, middle

# Privacy is hard

- There's no clear line.
- It depends of the context
- It depends of your trust
- Privacy perception might be completely wrong
- It's hard to defend the concept of privacy itself

---
class: center, middle

# Anonymisation is not privacy!
- As long as there are enough data to be useful, there are enough to find who you are
- Differential privacy
- Related: strava issue with military bases

???

https://en.wikipedia.org/wiki/Differential_Privacy
https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

---
class: center, middle

#What is security?

---
class: center, middle

"Security is the set of actions that a community takes to ensure that its members respect the rules of the community.


---
class: center, middle

"Security is making it harder to break a rule. It is usually never impossible. Only harder or slower."

???
Example of the bike lock


---
class: center, middle

#3 pilars of security
- Moral
- Consequences
- Cost

???

Moral is propaganda and education. Example : piracy is a crime.
Consequences : probability of being caught multiplied by the severity of the punition
Cost : either in time, in equipement, exepertize.

Note that if you add cost to "time", it also means that the probability of getting caught is higher.

When you lock your door, you only add cost of either time (breaking the door) or expertize (a professional would open it in no time)

https://ploum.net/les-3-piliers-de-la-securite/


---
class: center, middle

#Difference between true security and feeling of security

If it is not related to one of the three pilars, then it's not security. It's false security.
???

Example of the security theater. -> military in the street actually make the street less secure!
Example of disc brakes for bikes : https://ploum.net/freiner-moins-bien-pour-entretenir-lillusion-de-la-securite/

Security is highly political : why so much effort against terrorism and not against cigarettes or car crashes?

---
class: center, middle

#True security is the security of your weakest link. 

???
Example of the bottled water at airport by Bruce Schneier. Airport controls are pure security theater which do not improve any security at all (seriously, do you want to attack a plane with a bottle of water and a nail clipper?)

---
class: center, middle

#External trust

???

The weakest link is most than often external trust. If your security depends on trust, it may be deceived. Example with privacy.

---
class: center, middle

#Should we make the world more secure?

???

I ask you. Let's list reason to make it more secure.

Security is not always good. Sometimes, we want to be able to break the rules.

---
class: center, middle

How do we create a true security without trusting external entity but that we can bypass if needed to progress?

---
class: center, middle

#Solutions

- Network of trust. We rely on trust but in a careful way.
- Cryptography. We rely on math.

---
class: center, middle

#Why Open Source?

???
Open Source is a necessary condition to build security. Else, you fall back to trust. But not sufficiant.

---
class: center, middle

#Security by obscurity

"If you can't proove it's secure, then assume it is not"

???
The problem of security by obscurity is that it is basically trusting someone else which has no economic interest in finding security flaws.


---
class: center, middle

#Recent example

Minix is in every intel chip. And we don't know why. Nor if it's secure.

???
http://www.zdnet.com/article/minix-intels-hidden-in-chip-operating-system/

https://libreboot.org/faq.html#intelme

https://itsfoss.com/fact-intel-minix-case/


---
class: center, middle

#Warning

snake oil cryptography : I invented something I can't break. So it must be good.

???

Example of Telegram. 

https://www.schneier.com/crypto-gram/archives/1999/0215.html#snakeoil
https://moxie.org/blog/telegram-crypto-challenge/

---
class: center, middle

#Security is also an UX problem

???
Example of Telegram where you are unsecure unless you start a "secret chat"

---
class: center, middle

#Meta-data

???
If you know all the context, you usually don't care about the messages themselves. That's why Whatsapp encryption and GPG are good things but not sufficient.


---
class: center, middle

#Two strategies for better privacy and security:

- Cryptographic: Signal, Keybase

- Decentralization (aka network of trust): Mastodon, Diaspora, XMPP, Matrix

???
All of them are open-source

---
class: center, middle

background-image: url(https://github.com/ploum/lingi2401/raw/master/images/mastodon.png)

???
Why decentralisation can help

---
class: center, middle

#Can we have a decentralised cryptographic solution?

---
class: center, middle

#That's what the blockchain is trying to build


---
class: center, middle

#Conclusions

- Privacy is important
- Security is essential to protect your privacy
- Open Source is essential to offer good security

???
Security is useful not only to privacy but also to protect you against any kind of attacks.


---
class: center, middle

#Conclusion (2)

- Any improvement in privacy and security is better than nothing.
- It's better to use Firefox on Linux but Firefox on Windows is better than Chrome on Windows.

---
class: center, middle

#My personal recommendations

- Signal or Wire instead of Whatsapp/Messenger
- DuckDuckGo or Qwant instead of Google (but you need to trust them. Searx might be good too).
- Firefox or Safari instead of Chrome
- Linux instead of Windows/OSX
- Keybase (crypted) or Mattermost/Rocket.chat (decentralised) instead of Slack
- Mastodon instead of Twitter
- Diaspora instead of Facebook

---
class: center, middle

#Managing your privacy

- It doesn't mean "not being on Facebook"
- It means being conscious about what's public and what's private
- What's on Facebook is public (even your Messenger history)
- Having a public profile that you control helps improve privacy

???
If you are not comfortable about it being displayed everywhere in Louvain-la-Neuve, then don't post it on Facebook, even in "private group/discussions"

---
class: center,middle

#Business model of privacy

- "Surveillance capitalism" (Aral Balkan)
- If you don't pay, then it's probably hurting your privacy in some 
way (or doesn't make money, like Signal)

???

https://ar.al/index.xml

---
class: center,middle

#Always question business model
- Firefox
- Brave Browser

???

Firefox is 99% funded by Google. So, it's basically Google. Some recent project are not really in line with better privacy. 

Brave Browser has an "attention token", so basically, it wants your attention.








---
class: center, middle
# Discussion time








    </textarea>
    <script src="https://remarkjs.com/downloads/remark-latest.min.js">
    </script>
    <script>
      var slideshow = remark.create();
    </script>
  </body>
</html>