[Freedombox-discuss] Relationship driven privacy

Sébastien Lerique seblerique at wanadoo.fr
Wed Jul 13 00:36:04 UTC 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/07/11 20:38, Stefano Maffulli wrote:
> On Tue, 2011-07-12 at 16:05 -0300, Sébastien Lerique wrote:
>> If the
>> Foundation and/or the TAC want to pull back and start planning as a
>> smaller group I'm fine with it (although I would have loved to be part
>> of that process), I think if done properly it would even serve the
>> goals better (as a first step at least). But if that is the case, *we
>> should know* instead of spending time discussing stuff in the wild
>> with some hope that someone knows where all this is going. 
> 
> I'm not a member of TAC and I don't speak for them. I am helping the
> project and what I can say though is that if you haven't seen any
> communication is because there isn't much new to communicate. 
> 

That's very possible indeed. But I would still like to know what role
the Foundation and the TAC have. The role I understand for the TAC,
having been introduced by the Foundation, is in being a legitimate body
to help get a consensus on where we're going and _how_ to get there (not
necessarily being advisory for technical stuff, since a community of
experts like we probably have on this list --not including myself--
could very well fill that role I believe). That consensus is missing, I
believe. Though I could very well be mistaken.

> I saw lots of email messages exchanged talking about threat models,
> identity, sessions, privacy and other keywords on this mailing list and
> these long threads may have given false impressions about the project.
> 
> I would suggest to pick the first point from the list on
> http://freedomboxfoundation.org/learn/
>         
>    * Email and telecommunications that protects privacy and resists
> eavesdropping
> 

Yes I think it is a good way to go (and could fit in a group dedicated
to privacy questions). But what does "protect privacy" mean? Is it only
encryption? End-to-end encryption? Do you want to include stuff like
Wave, for which you have to trust intermediate servers? Does privacy
include hiding your network of contacts or what websites you visit? Do
we want to avoid profiling from the websites a user visits (based on
browser fingerprinting, etc.)? How can that be done? And many more
questions.

> and start assembling software for it.
> 
> I would start putting together one debian image OS that runs on the
> reference hw (the GuruPlug). Then add the basic packages that go in the
> box on top of the OS to reach that goal (tor, anonymous remailer,
> automatic gpg encryption...). Here things start to get tricky: on top of
> apt-get there have to be sensible default configurations and an easy to
> use GUI to configure each package. Anybody up to this task?
> 

That is a way to go, but I don't think we will build a FreedomBox that
will spread if we head right into packaging. I do understand that coding
is important and that we can't stay chatting for life, but I don't think
the existing code can give us all we're aiming for, yet. So to write
that missing code, I think it would be useful to understand what we want
to write before starting.

This is my view of things, after you've given yours. And unless one of
us convinces the other or has more legitimacy than the other (which
could very well be the case, because I have near to none I believe),
we'll each go our way and do what we think is best. This is where the
TAC could enter and say "we, as the Foundation or as TAC people, think
it's best to do like this or like that".

Now I know this is not the way things usually work in free software dev.
But, as I understand, Fbx has ambitions to build greater than before. To
try and make my point clearer, let's take an example. Here's what James
Vasile said on the TAC list back in June[0]:

    The more I think about the FreedomBox, the more I realize it needs a
    unified notion of a person and all the things we might want to
    remember about that person. Individual apps might consume that info
    and supplement it with additional databases, but there is surely
    some core of information, centrally located that can tell us who we
    love and who we trust and how to find them and talk to the them
    securely. Maybe we also want to know what services this box
    provides for that person or even hold some auth credentials, etc.

    The FreedomBox is special because we're building social deep in its
    heart. It feels right that if my FreedomBox trusts your microblog
    feed it also trusts your macroblog feed and knows where to find
    your photos-- even if all that stuff is on different boxes and run
    from different services.

    So how do we start defining that person model? And how does
    developing this model fit into the roadmap?

Which sounds fantastic to me. But I see no way of doing this with
existing software. Sam Hartmann answered[1], and things are very clear here:

    I strongly agree this is necessary.

    One of the hardest things to accomplish in a system like Debian is
    to provide this sort of unification so things fit together.
    With debconf, you can provide it for some basic config things in
    some cases.

    But to be competative with facebook, gmail and the rest of the
    cloud, we actually need to provide federation of our associations.
    We need consistent security, consistent attribute exchange,
    consistent views of people.

    It turns out doing this in a cross-application manner without
    changing all the apps in significant ways is really hard to
    completely impossible.

    [...][continues about applying project Moonshot's solutions]

So that's the kind of challenge we're facing. And heading straight away
to packaging won't get us to solve that kind of thing, I believe. Now
why did that discussion not go further? I'm not sure, but I would say it
is because of lack of organization, and lack of a dedicated group on
that subject (sanctioned by the Foundation / TAC).

I hope this doesn't sound too critical, I'm trying to help the project
reach its goals, nothing more :-).

Best,
Sébastien

[0] http://lists.freedomboxfoundation.org/s/arc/tac/2011-06/msg00002.html
[1] http://lists.freedomboxfoundation.org/s/arc/tac/2011-06/msg00003.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4c6HQACgkQgkn/UaLvmGdvMACcCukvBa7FDwOa4qmu5TmFAXPD
mYgAnAxM9R2w2PG7+O0U6Qu/H5+UovvH
=wVPz
-----END PGP SIGNATURE-----

More information about the Freedombox-discuss mailing list