Against #chatcontrol

Something terrible is happening in the EU and we need help to stop it. Many people are very busy and understandably don’t have the time to engage deeply with politics. I’ll start with a brief summary and link to some resources on simple actions you can take to help prevent a bad law from being passed.

no #ChatControl - EU citizens, make your voices heard to stop this dangerous proposal. It would do nothing to protect the most vulnerable, and put everyone at risk. Contact your MEP. Give feedback through the EU portal

The short version

The European Commission’s Directorate-General for Migration and Home Affairs recently announced new legislation, so-called #chatcontrol, which would mandate that online platforms scan user-generated content like text, images, and videos to detect instances of child sexual abuse material (CSAM) and grooming behaviour.

This policy would extend to providers of encrypted platforms (like CryptPad) through a practice known as client-side scanning. In this approach, encrypted platform providers are expected to deploy code to your device which will access and use your encryption keys against you, analyzing your private content and reporting back to the provider if it matches a set of rules defined by a government agency. All of this would be applied indiscriminately, with no need for a court order or reasonable suspicion.

This proposal already faces opposition from members of the European Parliament, but they are in the minority and they require more public support in order to stop this law from passing. Patrick Breyer, a former judge and current member of the European Parliament, wrote a comprehensive and accessible analysis of what the law would mean for citizens. If you don’t have time to read the full article, skip to the “what you can do” section to see how to join those organizing to oppose this proposal on social media and beyond.

Such a system will affect people from around the world, not just Europe, but it is primarily Europeans who can do something about it. If you are a European resident or citizen you can also check how your EU representatives voted on the precursor to this legislation. From there it is possible to find your representatives’ contact information by name or by country.

An overview of #chatcontrol

It’s extremely useful to have short, descriptive names like “#chatcontrol” for laws like this so that they can easily become a part of a broad public conversation. That said, some people have taken it to mean that these laws would only apply to messaging services and email. Our team read through the full proposal the day after it was released, and it’s obvious that our flagship instance (cryptpad.fr) would be an eligible target if the upcoming parliamentary vote passes.

That would mean that at any time we could be served with a “detection order” and be expected to begin scanning the data of all of our users for illicit content. The people proposing this legislation would like the public to believe the classic argument that “if you have nothing to hide, you have nothing to fear”, that the surveillance mechanisms they want to deploy are reliable and safe, but that simply isn’t true.

Client-Side Scanning is an experimental technology

[Client-Side Scanning] has been promoted as a magical technological fix for the conflict between the privacy of people’s data and communications and the desire by intelligence and law enforcement agencies for more comprehensive investigative tools. A thorough analysis shows that the promise of CSS solutions is an illusion.

In October 2021 a group of fourteen broadly respected experts in the fields of cryptography, privacy, security, and digital policy collectively published a report of the risks of deploying client-side scanning as a tool for combatting child abuse. The report makes it very clear that the technologies are highly experimental and unreliable. They suffer from high rates of both false negatives (failing to detect their intended targets) and false positives (incorrectly identifying benign content as harmful). Worse still, these detection tools are usually trained with biased data sets that are far less accurate when applied to underrepresented subjects. Typically this means people of color, members of the LGBTQ+ community, and people with disabilities, making it very likely that this surveillance will disproportionately affect people who are already marginalized.

If that wasn’t bad enough, that only assesses how these tools perform under ideal circumstances. Things get far worse when we consider adversarial scenarios: cases where certain people are deliberately trying to manipulate the likelihood of false negatives or false positives. In recent years researchers have demonstrated techniques where an image can be imperceptibly modified to avoid or trigger detection. This means it’s not only possible for people distributing CSAM to become practically invisible, but that the next meme you download to your device might have been manipulated to have you flagged as a sexual predator.

It probably sounds like the techniques involved are incredibly sophisticated, and they are, but that sophistication is matched by publicly available tooling. For context, researchers from Apple developed an algorithm intended to accurately detect CSAM and it was broken within 48 hours. Since then, many people have tinkered with different approaches and improved on the initial results, often publishing their code for anyone to use. If client-side scanning is mandated in the EU then it is practically guaranteed that tools for evading or abusing it will become widespread and progressively easier to use.

Deeper risks

“The ability of citizens to freely use digital devices, to create and store content, and to communicate with others depends strongly on our ability to feel safe in doing so. The introduction of scanning on our personal devices—devices that keep information from to-do notes to texts and photos from loved ones—tears at the heart of privacy of individual citizens. Such bulk surveillance can result in a significant chilling effect on freedom of speech and, indeed, on democracy itself.”

There is broad consensus among people familiar with the proposed technologies that they are not sufficiently accurate for widespread deployment. That might be good enough to stop this bill, but it’s likely that we’ll just have to fight such legislation again in the near future when scanning technologies become marginally more accurate. There are deeper reasons why it’s important to say not only that such an approach is unacceptable now, but that it will never be acceptable.

First, tools for encryption remain widely available, and distributors of CSAM can always continue to use existing file hosting platforms to host data that they have encrypted themselves. We can’t eliminate encryption because it is key not only to protect civil liberties, but for basic tasks like online commerce. So there will always be a deeper, darker hole where predators can hide, meanwhile everyone else’s privacy will be in jeopardy.

Second, it’s crucial that we critique not just the technology that would be deployed, but the people deploying it. Databases of CSAM are extremely sensitive in nature and obviously can’t be reviewed by the public. As a natural consequence, it is impossible to independently verify that other types of media are not added to the database. A system that scans for CSAM today can be used tomorrow to detect and report criticism of the government, or its police force.

We don’t have to look far into the past or beyond Europe’s borders to find examples of data misuse. The Luca app, which was intended strictly for COVID-19 contact tracing in Germany, was illegally accessed by police early in 2022 to investigate a suspicious death.

Finally, and perhaps most horrifying of all, is the risk that in trying to stop the distribution of CSAM, the agencies carrying out this task might inadvertently reveal information from their database of known material. Model-extraction attacks are a technique for reverse-engineering machine learning (ML) models, such as the ones used to detect CSAM videos and grooming text in the EU proposal. By making a large number of queries against an ML system and observing the results, an attacker can learn what qualities it searches for. With that information it becomes possible to apply those qualities to synthetic images, producing results that are remarkably similar to those in the secret database of training data. The website This Person Does Not Exist serves as an example of the level of detail that can be expected.

Our position, and the consensus of experts on the matter, is that client-side scanning is far worse than a slippery slope which might possibly lead to abuse at some distant date in the future. Its risks are so numerous and its safeguards so inadequate that it’s fair to question whether it could ever be safely deployed.

What this law could mean for CryptPad’s future

Client-side scanning is fundamentally incompatible with privacy. It cannot be implemented responsibly, and its adverse effects will further entrench existing inequalities in society. Knowing this, it would be unethical for us to deploy such a system against our own users.

If this proposal passes its vote and becomes mandatory within the EU we will most likely have to move away from acting as a service provider. This would eliminate revenue which accounts for approximately one third of our budget and put extraordinary pressure on our team when we are already severely under-resourced for the goals we are trying to accomplish.

On a positive note, CryptPad is better prepared for this eventuality than many other platforms by virtue of being open-source. Anyone with the required expertise can host a server, meaning that even without active involvement from our team, our work can provide continued benefits to the public, which is our ultimate goal regardless of whether Europe enforces indiscriminate surveillance. To that end, we recently compiled a list of publicly available CryptPad instances hosted by trustworthy third-parties, and we welcome new additions to this list.

In the longer term, however, being unable to offer our platform as a commercial service will make it very difficult for us to continue improving the software at our current pace. We will become increasingly dependent on donations to continue, and it’s possible that our opposition to this policy will affect our eligibility for research projects funded by the European Commission.

In recent years Europe has earned a solid reputation as a welcome home to leaders in the field of privacy-preserving technologies. As such, we are far from alone in opposing this legislation (see statements from The European Pirate Party, the Chaos Computer Club, Tutanota, Protonmail, EDRi). I’m confident the people working to strengthen safeguards for privacy will find ways to continue, even if they are forced to do so elsewhere. What is less certain is how much damage will be done to people’s trust in elected officials and public institutions. It’s vital that we organize to defeat this legislation, and work to strengthen institutions so that such a proposal is never considered again.

Given recent experience in multiple countries of hostile-state interference in elections and referenda, it should be a national-security priority to resist attempts to spy on and influence law-abiding citizens. CSS makes law-abiding citizens more vulnerable with their personal devices searchable on an industrial scale. Plainly put, it is a dangerous technology. Even if deployed initially to scan for child sex-abuse material, content that is clearly illegal, there would be enormous pressure to expand its scope. We would then be hard-pressed to find any way to resist its expansion or to control abuse of the system.

April 2022 status: The public instance list goes live

We have been talking about our project site for a while. Its main purpose is to improve communication about CryptPad (the open-source project) and to differentiate it from Cryptpad.fr (the flagship instance we administer). Last week we added an important feature to the site: the list of public CryptPad instances.

Screenshot of the updated project site. Clicking "Try CryptPad" takes visitors to the public instance list

The purpose of this list is to make the meaning of “open-source” clearer, as most people don’t otherwise know or care about it: CryptPad can be hosted by anyone who likes, and they are free to offer the service, even in a commercial capacity. For us, the development team, this list is also a new way for instance administrators to contribute to the project. Cryptpad.fr exists to provide financial support for development through its paid plans. Administering this instance, for example responding to support tickets, is a significant part of our workload. When a third-party instance agrees to take care of “free” users and their associated support questions, it effectively helps us to dedicate more time to improving CryptPad itself for everyone.

Publishing this list is not straightforward however, especially for a privacy-focused project like CryptPad. What if we inadvertently direct people to a careless or malicious instance that puts their data at risk? To address this we put in place a set of criteria that an instance has to meet in order to be listed:

  • It has to be up-to-date with the latest version, meaning the latest security fixes will be applied
  • It has to pass a comprehensive series of tests to ensure all recommended security settings are enabled
  • Some basic information has to be provided such as the location where encrypted data is hosted and a privacy policy

In addition to this the instance administrators have, of course, to opt-in for their instance to be listed.

As of today the list is still short, with only 2 instances aside from CryptPad.fr. However we expect to see this number rise as more of the ~20 administrators who have opted in bring their instance in line with the requirements.

In addition to the list requirements, we have released two versions this month that take a stronger stance on enforcing correct configuration for all CryptPad instances. We want to prevent CryptPad from providing a false sense of security to users while being misconfigured by administrators and actually putting user information at risk. This is why, as of versions 4.14.0 and 4.14.1, CryptPad will not work unless the security guarantees we expect are actually implemented.

Over the coming weeks we plan to add more information to the project site. Some time ago we launched a survey in which we asked people to tell us what they love about CryptPad. Their responses will be displayed on the home-page. We will also be promoting hosted instances with “Your Own CryptPad” aimed at different sectors: education, NGOs, and enterprise. These will be installed and maintained by the development team for organizations who want the benefits of their own instance.

March 2022 status: catching up on recent news

The beginning of 2022 has been sufficiently busy that we decided to skip two of our usual monthly status update blog posts. Things have not calmed down that much in March, but we didn’t want to go any longer without an update.

DAPSI wrap-up and FOSDEM

A diagram depicting a client sending content to a server for conversion

In January we concluded the INTEROFFICE project which was sponsored by NGI DAPSI. The DAPSI project administrators arranged a final event where all the projects they’d funded summarized their results in brief five-minute pitches. David Benqué, our design lead, managed to fit our most interesting results into this limited timespan. His presentation is available on YouTube.

A diagram depicting a server sending a conversion engine to a client

Approximately two weeks later David gave a somewhat longer presentation at FOSDEM, titled INTEROFFICE: Making CryptPad more interoperable with common office formats, in the Collaborative Information and Content Management Applications dev room. The talk’s description, video recording, slides, and links to related talks from the same track can be found on FOSDEM’s website.

Even more information about the project can be found on DAPSI’s website, where we are listed as one of the program’s success stories.

Intigriti bug bounty program and new releases

Late in 2021 we were invited to participate in a bug bounty program coordinated by Intigriti and sponsored by the European Commission. The program began in mid-January and continued up until mid-March, with independent security researchers probing CryptPad’s code looking for issues which could negatively impact users.

Our 4.13 release addressed a number of security issues which are described in its release notes. However, we’ve noticed that relatively few third-party instance administrators have applied these updates. Furthermore, many that have updated have not done so correctly, and in some cases this means that their users’ data may be at risk.

Up until now we’ve tried to make it easier to configure CryptPad correctly by providing our admin installation guide, including clear and detailed explanations of the update process in each release’s notes, as well as shipping a built-in diagnostics page which tells administrators what they need to correct. The trouble with this approach is that many admins don’t read the docs, the release notes, or review the diagnostics page. With this in mind, we’re starting to consider that the only reliable way to communicate with admins is through the platform’s code.

Starting with our upcoming 4.14 release we plan to shift our strategy towards making CryptPad harder to configure incorrectly. We have made a number of changes that cause misconfigured instances to abort loading entirely, rather than proceed without the expected level of security.

We are also expanding our definition of correct configuration to include things like privacy policies and terms of service. If an instance permits registration of user accounts but has not included either of these links then the diagnostics page will suggest that they add such pages or deactivate registration.
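As an added illustration of the fail-closed approach described here, and of the listing criteria from the April 2022 post above, the following is example code, not CryptPad’s own: every setting name (`origin`, `sandboxOrigin`, `allowRegistration`, `privacyPolicyUrl`, `termsOfServiceUrl`, `version`, `dataLocation`) is a hypothetical placeholder, not a real CryptPad configuration key.

```javascript
// Severity levels: a FATAL problem makes startup() refuse to serve anything;
// a WARNING is only reported on the diagnostics page.
const FATAL = 'fatal';
const WARNING = 'warning';

// Parse a value as a URL and accept it only when it uses https://.
function parseHttpsUrl(value) {
  if (typeof value !== 'string') { return null; }
  try {
    const url = new URL(value);
    return url.protocol === 'https:' ? url : null;
  } catch (err) {
    return null;
  }
}

// Returns a list of { severity, key, message } objects; empty when the
// configuration is acceptable. All keys below are hypothetical.
function checkConfig(config) {
  const problems = [];
  const report = (severity, key, message) => { problems.push({ severity, key, message }); };

  // The origin users load the instance from must be served over TLS.
  const origin = parseHttpsUrl(config.origin);
  if (!origin) {
    report(FATAL, 'origin', 'origin must be an https:// URL');
  }

  // A second origin used to isolate untrusted content. It must not share a
  // host with the main origin, otherwise the isolation is an illusion.
  const sandbox = parseHttpsUrl(config.sandboxOrigin);
  if (!sandbox) {
    report(FATAL, 'sandboxOrigin', 'sandboxOrigin must be an https:// URL');
  } else if (origin && sandbox.host === origin.host) {
    report(FATAL, 'sandboxOrigin', 'sandboxOrigin must be on a different host than origin');
  }

  // Registration without a privacy policy and terms of service is allowed to
  // load, but the admin is told to add the pages or disable registration.
  if (config.allowRegistration) {
    for (const key of ['privacyPolicyUrl', 'termsOfServiceUrl']) {
      if (!parseHttpsUrl(config[key])) {
        report(WARNING, key, `${key} is missing; add the page or set allowRegistration to false`);
      }
    }
  }
  return problems;
}

// Fail closed: abort instead of serving a misconfigured instance.
function startup(config) {
  const fatal = checkConfig(config).filter(p => p.severity === FATAL);
  if (fatal.length > 0) {
    return { started: false, reasons: fatal.map(p => `${p.key}: ${p.message}`) };
  }
  return { started: true, reasons: [] };
}

// Compare dotted version strings numerically, so that '4.14.1' > '4.9.0'.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) { return d; }
  }
  return 0;
}

// Listing criteria: latest version, no problems at all (warnings included),
// and a data location plus privacy policy provided.
function isListable(config, latestVersion) {
  if (compareVersions(config.version || '0', latestVersion) < 0) { return false; }
  if (checkConfig(config).length > 0) { return false; }
  if (typeof config.dataLocation !== 'string' || config.dataLocation === '') { return false; }
  return parseHttpsUrl(config.privacyPolicyUrl) !== null;
}

// Constructed sample configurations (placeholder values, not real instances).
const GOOD_CONFIG = {
  version: '4.14.1',
  origin: 'https://pad.example.org',
  sandboxOrigin: 'https://sandbox.example.org',
  allowRegistration: true,
  privacyPolicyUrl: 'https://pad.example.org/privacy.html',
  termsOfServiceUrl: 'https://pad.example.org/terms.html',
  dataLocation: 'EXAMPLE_COUNTRY',
};

// Sandbox on the same host as the main origin, and registration without
// legal pages: one fatal problem and two warnings, so startup refuses.
const BAD_CONFIG = {
  version: '4.13.0',
  origin: 'https://pad.example.org',
  sandboxOrigin: 'https://pad.example.org/sandbox',
  allowRegistration: true,
};
```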

Some of these features are already live on cryptpad.fr, and we plan to tag the latest code as a release on GitHub as soon as we’ve finalized its notes.

What’s next

Our 4.7.0 release introduced an option permitting administrators to opt in to inclusion in a directory of public instances. At the time no such directory existed because we wanted to confirm that there was actually interest from a sufficient number of administrators. At this point there are nineteen admins who have indicated their interest, ten of whom are running an up-to-date instance which passes its tests, so we’re moving forward with the project.

We’ve decided to make the 4.14 release the last major version of the 4.0 cycle and have begun preparing for a 5.0 release. We’re going to introduce a new look for CryptPad with a simpler home page, with more information moved out of the platform itself and onto our project site (cryptpad.org), which will also host the public instance directory.

Since our team consists of only three full-time developers we’re trying to create more ways for the community to get involved with the direction of the open-source project. We’ve created a space on the federated Matrix network where members of the community can connect with each other. It offers dedicated rooms for instance administrators, developers, translators, and general discussion about the project’s roadmap and governance.

As always, if you like what we’re doing and would like to support our continued effort, you can donate through our OpenCollective campaign or purchase a subscription for a premium account on cryptpad.fr.

Preparing for 2022

With the end of the year nearly upon us I am keeping up my tradition of writing a retrospective of what the CryptPad team has done over the past twelve months and an overview of our plans for the next twelve.

The year in retrospect

NGI research

We’ve been very fortunate to have received continued support from the European Commission’s Next Generation Internet Initiative. We completed two research projects funded by NGI0 PET and launched a new project funded by NGI DAPSI which will wrap up in January.

We released the last components of the CryptPad for Communities project which made the platform quite a bit easier to set up and administrate. We deployed our administrator guide, added a variety of configuration options on the admin panel, and developed an instance diagnostics page to automatically detect common configuration issues and suggest remediations.

NGI0 also funded this year’s Dialogue project, which comprised a new Form app and a variety of supporting features, including a new calendar app, an internal reminders API, and more admin panel features for broadcasting instance-wide announcements.

In our April status update we introduced the DAPSI-funded INTEROFFICE project, through which we’ve aimed to improve interoperability with other platforms through the use of common file extensions. Unlike most online platforms which convert between formats on their cloud infrastructure, we’ve had to develop new methods which process data entirely in your browser so that your private data is never revealed to anyone.

A graph of desired workflows for conversion between different formats based on the results of our user studies

Our October status update went further, announcing our integration of OnlyOffice’s Document and Presentation editors. These are fully open-source and available to anyone self-hosting the platform but remain in early access for premium users on CryptPad.fr. This phased release model is new for us, but so far it’s been very effective as a means to solicit quality feedback from a few active users without us getting overwhelmed by duplicated bug reports.

Community contributions

Each new feature we add to the platform requires text in the form of labels for buttons, descriptions of the effects of different account and document settings, and of course various warnings, prompts, and error messages. CryptPad is hosted on hundreds of different servers all around the world and used by people who don’t necessarily speak English or French. As such, all that text needs to be translated.

For the past few years, German-speaking members of our community have very reliably kept up with all the new text we’ve added, and have even gone as far as to translate our user guide. This year they’ve been joined by native speakers of Japanese, Russian, and Brazilian Portuguese to make the platform more accessible to a much broader range of people.

Status of CryptPad's translations as of December 2021 with six languages at least 99% complete

Project maintenance and administration

Revenue from premium accounts on CryptPad.fr goes towards answering premium support tickets first. Any funds that are left over are combined with donations to our OpenCollective campaign to fund all the work that isn’t covered by our research grants. That allows us to review translations, keep our documentation up to date, write detailed release notes, triage bug reports, and answer questions submitted via email or social media.

This year there have been multiple occasions when a new version of a major browser broke support for critical features, forcing us to drop whatever we were doing at the time and find alternative solutions for these regressions. When code isn’t simply rotting out from underneath us, there are always critical security notices that need to be attended to, most recently with the sudden disclosure of vulnerabilities in the log4j library.

This year we saw an increasing number of subscriptions and donations from our supporters which allowed us to keep up with these surprises and to catch up on a bit of a backlog of maintenance. It helped that 2021 was overall somewhat less surprising than 2020, but we don’t want to rely on that continuing to be the case.

What the future holds

Our general plan for the coming year is to scale back the proportion of our budget which is covered by European research grants and to focus more heavily on projects sponsored directly by clients. To that end, we’ll soon add a number of pages to our project website (CryptPad.org) which will differentiate the open-source project from our commercial offering on CryptPad.fr. We’ll list various support packages tailored for education, enterprises, and NGOs.

Screenshot of CryptPad.org, providing general information about the open-source project

Earlier this year we included options in the platform’s admin panel to allow administrators to mark their instance as intended for public usage, and to opt-in to inclusion in a directory of public instances. We wanted to wait and see if there was sufficient interest in such a listing before we went to the trouble of building it. The good news is that at this point 11 operators have opted in, so it seems worthwhile to build. The bad news is that a number of these don’t seem to be configured correctly. We plan to reach out to these administrators in the near future to rectify these concerns before including them in the directory.

Wrapping up the INTEROFFICE project

The last remaining milestone for our INTEROFFICE project is to publish our client-side office conversion utilities as an open-source software library usable outside of CryptPad. After that our work and that of the other grantees will be evaluated by NGI DAPSI’s expert reviewers, but this won’t be the end of our efforts to improve office functionality.

Local computation (executing functions on your device instead of on a server in the cloud) is a critical component of privacy-respecting software, but there are other clear advantages to it. It enables more functionality to continue to operate when you are offline or on an unstable network connection. It also makes it feasible to host web services on less powerful devices, potentially making network infrastructure accessible to a wider audience. We hope that these diverse interests will encourage more developers to work toward the same goals for the public’s benefit.

We plan to present the results of this project at FOSDEM in early February and hopefully to continue working with the broader community to make this approach the norm.

Stronger and more diverse authentication measures

Many administrators of third-party instances will be happy to hear that we’re going to start working on adding support for identity provider services like LDAP and SSO. This will allow them to restrict who can access their services, adding an extra layer of security for existing users of their service.

We’ll complement this top-down approach to security with another bottom-up method, employing various second-factor authentication methods to give individual users more control over access to their account. We hope to introduce both app-based TOTP and emailed magic links. We’ll publish a survey in the near future to determine how to prioritize these and possibly other methods.

Better support for offline access

With all of our pending research projects wrapping up we’re going to revisit some promising prototypes which we developed in late 2020. We experimented with using the Service Worker API to cache CryptPad’s browser code, allowing it to be loaded as normal even while fully offline. The basic concept is pretty simple, but it required a lot of additional controls in the UI to choose to operate offline, to update the cached version, to allow persistent storage on the device to be used, and so on.

Solving these basic usability problems related to offline functionality will provide a solid basis for us to develop CryptPad to be more like a mobile or desktop application, paving the way for more advanced (and highly requested) features like filesystem synchronization.

Accessibility

We’ve corresponded with a number of groups that aim to improve the state of accessibility in open-source software, but we’ve lacked the time to follow through on their recommendations in a meaningful way. This is going to be a clear priority for our team with dedicated time on our roadmap in the new year.

Hiring

There’s a lot more that we would like to do in 2022, but realistically the work described above is likely to take a lot of time to get right. In order to accomplish more of our goals we’ll need to hire additional team members, possibly as many as three.

If you are a web application developer with an interest in privacy and usability we want to hear from you. Our team works remotely, but for accounting purposes we’d prefer candidates from within the EU. We offer flexible working hours, competitive salaries for western Europe, four-day weeks every second week, and the opportunity to serve the public interest through free software.

If you think you could help us accomplish our goals, send us (jobs@cryptpad.fr) a brief introduction and a CV or resume indicating your relevant qualifications or experience. We tend to receive a disproportionate number of applications from certain demographics. To account for that bias, we’d like to encourage members of communities that are underrepresented in the tech industry to overcome their hesitation and apply. We want to hear from you!

Get ready!

We’ve gotten this far because we’ve had your help. You’ve introduced CryptPad to friends, family, and colleagues. You’ve written great bug reports that have helped us find and fix stubborn problems. You’ve boosted, retweeted, and liked our updates. You’ve translated the platform for your community, purchased a premium subscription, donated to our cause, all of which have had a tremendous impact.

We’re extremely grateful for all your support, proud of what we’ve created together, and excited to continue this journey with you in the new year!

See you in 2022!

November 2021 status: Talks and testimonials

This month we released some minor fixes with 4.12.1. We have been busy making preparations for the upcoming upgrade to OnlyOffice 6.4.2. This will include the much-requested conditional formatting in Sheets and dark mode support. We have also spent time considering strategy and long-term goals as we prepare the project website, which brings us to:

Call for project site testimonials

As we have mentioned before we are currently working on a project website for CryptPad. This will be used to promote the project and to better communicate the distinction between CryptPad and cryptpad.fr (the flagship instance).

The new site will include a public instance list, new pricing for hosted instances, and pages tailored to various sectors such as NGOs, education, and enterprise.

We are planning to include testimonials on the site. If you use CryptPad and have a few minutes to share some words of support using our new survey, that would be much appreciated.

Recent and upcoming talks

Ludovic presented CryptPad at the Campus du Libre on 6th November in Lyon. We don’t have video (yet) but the slides are online (in French).

David will present CryptPad to a healthcare and free software audience on December 10th as part of GNU Health Con 2021.

Promotion image for CryptPad at GNU Health Con 2012

That’s it for this month. We are looking forward to launching the new OnlyOffice editors, you will probably read about that in the next status update.