[Freedombox-discuss] Relationship driven privacy

Sébastien Lerique seblerique at wanadoo.fr
Wed Jul 13 02:55:54 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well it looks like the recent news update on the foundation's website
gives answers to many questions. My apologies if I sounded too critical
in my previous posts.

I maintain the suggestion for the working groups, and if anybody is
interested in the privacy-related one please drop me an email. We could
start a sub-mailing-list if enough people think it's worth it.

I'll be contacting shortly what researchers I can, to try and make a
model for what we mean by "privacy", what we want to guarantee, and how
to implement it.

Best regards,
Sébastien


On 12/07/11 21:36, Sébastien Lerique wrote:
> On 12/07/11 20:38, Stefano Maffulli wrote:
>> On Tue, 2011-07-12 at 16:05 -0300, Sébastien Lerique wrote:
>>> If the
>>> Foundation and/or the TAC want to pull back and start planning as a
>>> smaller group I'm fine with it (although I would have loved to be part
>>> of that process), I think if done properly it would even serve the
>>> goals better (as a first step at least). But if that is the case, *we
>>> should know* instead of spending time discussing stuff in the wild
>>> with some hope that someone knows where all this is going. 
> 
>> I'm not a member of TAC and I don't speak for them. I am helping the
>> project and what I can say though is that if you haven't seen any
>> communication it is because there isn't much new to communicate. 
> 
> 
> That's very possible indeed. But I would still like to know what role
> the Foundation and the TAC have. The role I understand for the TAC,
> having been introduced by the Foundation, is in being a legitimate body
> to help get a consensus on where we're going and _how_ to get there (not
> necessarily being advisory for technical stuff, since a community of
> experts like we probably have on this list --not including myself--
> could very well fill that role I believe). That consensus is missing, I
> believe. Though I could very well be mistaken.
> 
>> I saw lots of email messages exchanged talking about threat models,
>> identity, sessions, privacy and other keywords on this mailing list and
>> these long threads may have given false impressions about the project.
> 
>> I would suggest to pick the first point from the list on
>> http://freedomboxfoundation.org/learn/
> 
>>    * Email and telecommunications that protects privacy and resists
>> eavesdropping
> 
> 
> Yes I think it is a good way to go (and could fit in a group dedicated
> to privacy questions). But what does "protect privacy" mean? Is it only
> encryption? End-to-end encryption? Do you want to include stuff like
> Wave, for which you have to trust intermediate servers? Does privacy
> include hiding your network of contacts or what websites you visit? Do
> we want to avoid profiling from the websites a user visits (based on
> browser fingerprinting, etc.)? How can that be done? And many more
> questions.
> 
>> and start assembling software for it.
> 
>> I would start putting together one debian image OS that runs on the
>> reference hw (the GuruPlug). Then add the basic packages that go in the
>> box on top of the OS to reach that goal (tor, anonymous remailer,
>> automatic gpg encryption...). Here things start to get tricky: on top of
>> apt-get there have to be sensible default configurations and an easy to
>> use GUI to configure each package. Anybody up to this task?
> 
> 
> That is a way to go, but I don't think we will build a FreedomBox that
> will spread if we head right into packaging. I do understand that coding
> is important and that we can't stay chatting for life, but I don't think
> the existing code can give us all we're aiming for, yet. So to write
> that missing code, I think it would be useful to understand what we want
> to write before starting.
> 
> This is my view of things, after you've given yours. And unless one of
> us convinces the other or has more legitimacy than the other (which
> could very well be the case, because I have near to none I believe),
> we'll each go our way and do what we think is best. This is where the
> TAC could enter and say "we, as the Foundation or as TAC people, think
> it's best to do like this or like that".
> 
> Now I know this is not the way things usually work in free software dev.
> But, as I understand, Fbx has ambitions to build greater than before. To
> try and make my point clearer, let's take an example. Here's what James
> Vasile said on the TAC list back in June[0]:
> 
>     The more I think about the FreedomBox, the more I realize it needs a
>     unified notion of a person and all the things we might want to
>     remember about that person. Individual apps might consume that info
>     and supplement it with additional databases, but there is surely
>     some core of information, centrally located that can tell us who we
>     love and who we trust and how to find them and talk to them
>     securely. Maybe we also want to know what services this box
>     provides for that person or even hold some auth credentials, etc.
> 
>     The FreedomBox is special because we're building social deep in its
>     heart. It feels right that if my FreedomBox trusts your microblog
>     feed it also trusts your macroblog feed and knows where to find
>     your photos-- even if all that stuff is on different boxes and run
>     from different services.
> 
>     So how do we start defining that person model? And how does
>     developing this model fit into the roadmap?
> 
> Which sounds fantastic to me. But I see no way of doing this with
> existing software. Sam Hartmann answered[1], and things are very clear here:
> 
>     I strongly agree this is necessary.
> 
>     One of the hardest things to accomplish in a system like Debian is
>     to provide this sort of unification so things fit together.
>     With debconf, you can provide it for some basic config things in
>     some cases.
> 
>     But to be competitive with facebook, gmail and the rest of the
>     cloud, we actually need to provide federation of our associations.
>     We need consistent security, consistent attribute exchange,
>     consistent views of people.
> 
>     It turns out doing this in a cross-application manner without
>     changing all the apps in significant ways is really hard to
>     completely impossible.
> 
>     [...][continues about applying project Moonshot's solutions]
> 
> So that's the kind of challenge we're facing. And heading straight away
> to packaging won't get us to solve that kind of thing, I believe. Now
> why did that discussion not go further? I'm not sure, but I would say it
> is because of lack of organization, and lack of a dedicated group on
> that subject (sanctioned by the Foundation / TAC).
> 
> I hope this doesn't sound too critical, I'm trying to help the project
> reach its goals, nothing more :-).
> 
> Best,
> Sébastien
> 
> [0] http://lists.freedomboxfoundation.org/s/arc/tac/2011-06/msg00002.html
> [1] http://lists.freedomboxfoundation.org/s/arc/tac/2011-06/msg00003.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4dCToACgkQgkn/UaLvmGdxDgCdGN5ztBY5nyDd8UU71BPE/9C2
B3MAoLrNPNaGGI34iEgUys79SHnIx9mF
=ekFM
-----END PGP SIGNATURE-----


