Wikimedia France: new anti-terrorist bill exposes users to mass surveillance

Remember when we learned that Wikipedia was a target of widespread NSA surveillance? Wikimedia Foundation challenged the NSA program siphoning communications directly from the backbone of the Internet in the court. Today in France we may face a similar issue in the form of a new antiterrorist law that would add a grave threat to privacy to the censorship of the Terrorist Content Regulation. 

A secret marriage (engraving), Public Domain

Protecting Wikipedia from mass surveillance

In May 2013 Edward Snowden revealed the existence of several American and British mass surveillance programs. The Wikimedia Foundation and other non-governmental organizations such as Amnesty International and Human Rights Watch have filed a complaint against the NSA, accusing it of violating the first and fourth amendment of the American Constitution, and of having “exceeded the authority conferred on it by Congress”. 

As a result, on June 12th 2015, the Wikimedia Foundation announced the use of the HTTPS communication protocol for all Wikimedia traffic, with a view to countering the mass surveillance exercised by the NSA, which took advantage in particular of the inadequacies of the non-encrypted communication protocol. 

Now, over to France

The new proposed French anti-terrorism bill fits well in the mass surveillance trend, attacking fundamental rights of online users. Presented by the Minister of the Interior, Gérald Darmanin, on April 28, it proposes a number of security measures inherited from the state of emergency of 2015 and the law of 2017 on internal security and the fight against terrorism. It also validates tools such as “black boxes”, responsible for detecting terrorist threats using user connection data, while expanding their use.

What exactly are black boxes and algorithmic surveillance?

In this case black boxes and algorithms technically refer to the same tool. The expression was coined to reflect the technical opacity surrounding these network monitoring systems. The system works thanks to artificial intelligence analysing large quantities of data and, in case of terrorism, identifying behaviors that are out of the ordinary according to criteria defined by the authorities. The identified profiles are then reported to the intelligence services for further investigation. In France this has been the practice between internet service providers (ISPs) and the intelligence services since 2017.

These algorithms analyze only metadata, that is all peripheral information that gives context to a user’s behaviour online and that is enough to understand a lot about her without knowing the content of her communications. Without needing to read a message, which would be considered a privacy violation, a lot can be inferred from what time a message was sent, by whom, from what location, etc.

With this new bill, the government therefore wants to exacerbate surveillance by expanding the system. Gérald Darmanin indeed specified during an interview with France Inter that the URLs of internet websites “would henceforth be collected and processed by the algorithms” of the black boxes of the intelligence services.               

Criticised provisions make their way into the law

The criticism of the bill cuts across all political divisions, coming from all sides and from a variety of actors. Indeed, opponents of monitoring of users’ online behaviours have been denouncing a “liberticidal” drift in the data protection policy in France for several years. In October 2020, prolonged user data retenstion was criticised by the Court of Justice of the European Union (CJEU),  even for the purpose of the fight against terrorism. The CJEU also sanctioned the existence of black boxes, stressing that in principle they should be prohibited  as a “far too serious and unacceptable” attack on democracy. 

The French Commission for Informatics and Freedoms (CNIL), claims that they do not have sufficient information to judge the effectiveness of these black boxes, particularly with regard to the infringement of fundamental freedoms. However, in its 2020 activity report, CNIL recommended experimenting with the idea of ​​expanding the use black boxes. It would be better if, before imagining the continuation and extension of the use of these tools with so many consequences for  internet users, CNIL had precise information and understanding of what is already in place.

The government-backed argument for extending the black box feature to URLs is linked – again – to the terrorist threat. Indeed, collecting “full addresses of Internet resources used” by potential terrorists will enable detecting whether someone “watches a video of a Daesh beheading three or four times” according to Gérald Darmanin. But the URLs of the pages visited by an average user are generally not visible, neither for operators nor for service providers, because they are fully encrypted data. In order to be able to analyze these URLs, it will therefore be necessary to “decrypt” them. 

Encryption exits through a backdoor

Today, the algorithms stop at the domain name, without a possibility to further verify what article has been consulted, what query was written in the search engine, etc. The government makes an attempt to have access to all this data which may reflect your online privacy in great detail. A parliamentary delegation’s report stated, however, that such an extension of surveillance may be against the Constitution.

Several solutions exist in order to collect this data, with the “voluntary flaw” or “backdoor” being the most probable one. If mandated by law, this technique would require providers of communications and cloud services to implement a functionality giving secret access to users’ behavioural data. 

Setting up a backdoor, however, would be catastrophic for the security of user data on the internet. Not only is it a gross violation of privacy, but also it could be discovered by third parties and potentially exploited.

The Minister of the Interior mentioned difficulties in bringing together all the internet intermediaries: “we are discussing with the biggest internet companies: we ask them to let us in through their security. Some accept it, others do not “, indicating at the same time that the future law could make it possible to force foreign operators to do so.

As NextINpact points out, this bill also claims to authorize the retention of data for up to 5 years and 6 years for encrypted data in order to “improve the monitoring tools put in place by the French authorities”. On April 21st, the Council of the State considered that the government was “required to regularly reassess the threat to the territory and to subordinate the exploitation of data by the intelligence services to the authorization of an independent authority “. By twisting the decision of the CJEU mentioned above, the Council succeeded in having the principle of black boxes and data retention validated. As stated by Bastien Le Querrec, researcher in public law and member of the litigation commission at La Quadrature du Net, this goes “against European law, and in particular the right to privacy, respect for personal data, and the right to freedom of expression”.

Next steps:

  • The text was adopted at first reading in the National Assembly on June 2. For such an important text, the legislative process was very (too) fast. Two days only of discussions in public session.
  • Now, the text has been sent to the Senate for a first reading. It is currently at the Law Commission, and we have no date for the various sessions yet.

Originally posted by Naphsica Papanicolaou to Wikimedia France blog on May 31, 2021 and to Free Knowledge Advocacy Group EU blog on June 23, 2021.