1 of 19

Don't shoot the rhino

2 of 19

Geeks and privacy

Three kinds of geek protection

Geeks who think they can protect themselves (but can’t)

Geeks who know how to protect themselves (but don’t)

Geeks who do protect themselves (but it’s useless)

Whatever we choose, we lose, because we missed the point.

Don't protect yourself: protect people around you

3 of 19

Don’t shoot the rhino

4 of 19

Wrong on the Internet

Simple solutions are simplistic

Email is, by far, not the only way we communicate today.

Privacy by isolation is not communication.

Single point of failure will fail.

This is Internet, stupid !

5 of 19

How it works

6 of 19

Restoring privacy value

Privacy Index

Define a “privacy index” for each message, based upon protocol, encryption, terminal security...

Display this index with each message received.

Explain user how to increase those indexes, and help him to do so.

We must regain the sense of confidentiality, lost when it comes to digital

7 of 19

Restoring privacy value

Broaden Privacy Index principle

Every element in Caliopen should have its own PI displayed, from user account to devices.

Each metric is specific.

We may have to define a PI even for the Caliopen instance itself.

Privacy Index is at the core of the project

8 of 19

Restoring privacy value

Privacy Index calculation

Our metric must be understandable by users, there should be no hidden parameter.

Part of the result will be based on the user behavior.

Each user effort to comply with Caliopen’s tips should be rewarded.

We have to help to improve, never force

9 of 19

Practical example

Login in overseas

In a public Internet place

From an unknown device

Will use double authentication

Won’t show anything (contacts included) above 0 PI

Won’t let you use your private key

Privacy

as a

game

10 of 19

Bad behaviour penalty

Override default behaviour is always possible, but:

User account will lose PI points
Displayed messages PI will be lowered
Concerned contacts will be notified

User in such a situation should act accordingly his public PI level (his contacts relied on this when they wrote their messages).

By warning users acting dangerously for their contacts, Caliopen fully shows how privacy works.

Teaching people how to recover privacy won’t be easy

Privacy

as a

game

11 of 19

Privacy

as a

game

Gamification rewards

Caliopen makes it easy to level-up user’s PI.

User gets a better reputation: his messages have a higher importance level in his contacts timeline, and he can write to people refusing incoming low-level messages (Poitras/Snowden case).

Seeing his friends messages being poorly rated, user is motivated to urge them to improve their PI (by using a Caliopen service, for example).

The more one’s contacts PI are high, the more his PI rises too.

By gamifying privacy, we can make it a virtuous circle

- Existence d'une clé publique, type et taille de la clé, méthode de création, nombre et origine des signatures de la clé (web of trust). De 0 à 9, à détailler.

- Niveau de confidentialité du device de référence (0 à 9)

- Niveau moyen de confidentialité des contacts (0 à 9)

- Utilisation de son propre MX (0/1)

- Type d'identification (password: de 0 à 2, double-auth avec carte de correspondances aléatoire: 3 à 4, certificat client: 5).

- Type de stockage des échanges (chiffrés serverside avec la clé publique utilisateur: 2, effacés serverside régulièrement: 1, sinon 0) - ceci est une variable mi-technique mi-comportementale à mieux définir à l'usage)

- Type de client utilisé pour se connecter (client natif: 2, client IMAP/TLS ou XMPP/TLS: 1, client IMAP/XMPP sans TLS: 0). On retiendra la valeur du client de plus basse valeur utilisée durant les 3 derniers jours.

- Fréquence d'utilisation de devices secures/insecures (quand l'utilisateur se connecte depuis un device sécurisé, cette composante augmente, elle diminue quand il se connecte depuis un device insecure, par pas de 1 ou 2 points selon le niveau de condifentialité des différents devices (un device entre 75 et 100 vaut 2 points, un device entre 50 et 75 1 point, entre 25 et 50,0 point, entre 10 et 25 -1 point, et -2 points en deçà) dans une limite de 10 points).

- Fréquence de déconnexion (la déconnexion automatique de type bancaire n'est pas imaginable dans un environnement dédié à la discussion, mais on encourage l'utilisateur à se déconnecter manuellement dès qu'il cesse d'utiliser l'interface Web en lui attribuant des points lorsqu'il le fait. 1 point par déconnexion manuelle dans un délai de 2h après la connexion, 0 sans déconnexion entre 2 et 4h, -1 point sans déconnexion manuelle au delà de 4h, dans une limite de 5 points à affiner à l'usage).

- Fréquence du chiffrement des communications (fonction directe du pourcentage d'envoi de messages chiffrés avec la clé publique du ou des correspondants dans le total des messages émis, dans une limite de 10 point).

- Fréquence d'échanges avec des correspondants d'un niveau de confidentialité égal au supérieur au sien (plus de 50%: 2 points, entre 30 et 50% 1 point, en dessous de 30 0 point dans une limite de 5 points).

- Une réponse non chiffrée à un message chiffré (si on dispose de la clé du correspondant) implique une pénalité de 5 points.

- L'affichage d'une discussion sécurisée sur un terminal de sécurité moindre implique une pénalité de la valeur de la différence dans une limite de 20 points.

12 of 19

How it works

User Interface

A main timeline shows user’s conversations (time sorted by default).

Only those with at least one message above a dynamic user defined importance level are displayed.

Importance index is based on PI, contact and tag status, spam detection…
Tags are either user defined or system-wide predefined (“Work”, “Family”, “Friends”...).

Every search can be registered as a “view” and assigned to a device.

Base principles are simple, but highly powerful

13 of 19

14 of 19

How it works

Sending message

Caliopen selects the safest protocol to use when user chooses recipients

15 of 19

How it works

Protocols

Any service involving private communication is aimed at being included in Caliopen.

We are focusing on having e-mail working in alpha, but abstraction layers for XMPP, Gmail, Skype, WebRTC and all majors social networks are already explored. Down the road, a Caliopen service should be able to gather SMS in conversations too.

We are also working on the future private inter-Caliopen secured encrypted protocol (RoCoCo - Routing Caliopen to Caliopen).

The goal of Caliopen is to gather all private messages in one secure place

16 of 19

How it works

17 of 19

How it works

Ecosystem

Although being Open Source, Caliopen is not designed for self-hosting (but it can be, of course).

End users won’t rely on code auditing, so we have to create a “label” they can trust.

The label comes with a certificate needed to access the RoCoCo based network (value added by exchanging users PI).

Success of Caliopen should be evaluated on number of services using it

18 of 19

Why we lost privacy

Economic equation

Wiretapping is cheap: because of Internet centralization, once you listen the four majors (Google, Yahoo, Hotmail and Facebook), you know everything about everyone.

It will cost you four microphones

19 of 19

Why we lost privacy

Social equation

Privacy lost all its value these days. Because of reality shows, social networks, CCTV, anti terrorism laws and so on (who knows ?). The (false) motto is "If you've got nothing to hide, you've got nothing to fear".

There's little to lose socially in watching whole populations