Privacy Advocate Tristan Nitot on France’s surveillance law “This law is a major step towards a police state”

May 13, 2015
Vote on Hacker News

WireAP_9dc856a148404c1e89bdf8892318b199_16x9_992 With all the data that the IoT and Connected Hardware revolution will generate, securing these devices as well as all the information they utilize and generate is increasingly becoming a concern.  Add to that the increasing level of electronic / internet surveillance by governments around the world, ensuring the protection of our devices and data poses a formidable challenge. This year we’re excited to have security expert, Cozy Cloud COO and previous Mozilla Principal Evangelist with us at Connected Conference to talk to us about this very topic.  In advance of his talk at Connected Conference in a couple weeks, I caught up with him to get his thoughts on the newly voted loi de renseignement (aka France’s equivalent of the US Patriot Act) and it’s implications on IoT and Connected Hardware:

What are the implications of the loi de renseignement on the IoT/connected hardware space? In addition, what type of impact, in particular, do you see this law having on startups working in the IoT/connected hardware space?

This Renseignement bill is clearly bad for business. Basically, it’s allowing mass surveillance in France. It’s damaging the trust that customers put into the Internet: Web hosting companies, ISPs and SaaS providers are turning them into spooks that potentially spy on their clients. Suddenly, the hardware you buy for your house, for example, could be spying what you do in the intimacy of your own home.

Does this law give consumers a real cause for concern? Why or why not?

I think this law is basically a major step towards a police state: the government will soon be allowed to do surveillance on large parts of the French Internet in order to detect “suspicious activities” with an algorithm. For now, it’s only for things that could be related to terrorism and only by collecting meta-data. But we know that with big data, meta-data can reveal a lot of things as it’s actually easier to process that less structured content. Also, once these “black boxes” (actual wording used by the French Government!) are deployed on the Internet backbone, in datacenters and ISPs, it’s easy to extend their use to other purposes that are already mentioned in the bill, such as “promotion of economic interests of France” and surveillance of political opponents and such. I may sound paranoid, but we have a very recent example with the Web site censorship measures that were recently introduced to fight terrorism: they were quickly expanded to cover Music and movies piracy, and some politicians asked to have these measures extended to shut down websites that insult politicians, and then websites that discuss anorexia. Once such a system is allowed, there is tremendous pressure to extend it to cover less serious topics. This is why I’m against these black boxes.

Does the French government (or any government for that matter) have the technological know how and manpower to actually act on all this data on a wide scale? If they don’t now, do you anticipate they will in the future? At what point/when?

They do have significant budget for IT spending, but we’ve seen that they don’t have enough manpower to do their work properly on the ground. The last 4 significant terrorists were on a watch list of the DGSI (French interior intelligence agency) but they were able to operate without getting noticed. On top of that, there are encryption tools such as TorBrowser, VPNs, and such that enable anyone who wants to be anonymous and/or invisible on the Internet. I’ve been told that there are already tutorials and djihad sites on how to use encryption. In short, we’ll pay the social and economic price of mass surveillance without arresting actual terrorists. Maybe we’ll catch uninformed wannabes, but that’s all. All the budget should be used to put more people on the ground to efficiently fight terrorism, not to put the French Internet under mass surveillance and damage the economic growth that the country needs. Join us May 28th-30th for Connected Conference, where we’ll be showcasing the intersection of Industry & Digital, Hardware & Internet, Old & New.