What is SEM?

SEM (search engine marketing) is a new form of marketing, and as such, is not yet standardized. SEM methods are continuously evolving, along with the changing perceptions of optimization. There are two distinct concerns regarding SEM practices, which can be classified into investors’ concerns and users’ concerns.

Major investors’ concerns are as follows:

• Placing paid search campaigns on search engine results pages have been to topic of significant controversy. In 2002, the Federal Trade Commission (FTC) mandated disclosure of paid advertisements on search engines.
• Private interest groups are reducing the definition of SEM and rendering it synonymous with “pay-per-click” campaigns. This means that search engine optimization (SEO) would fall outside of the SEM definition.
• Trademark infringement by third-party bidding has also been an area of concern.

From a user’s point of view, major privacy and security concerns are as follows:

• Certain advertisements contain external applications, which can often affect users’ browser settings, or show pop-ups in non-affiliated pages. Such applications might also be spyware.
• Third-party cookies can seriously compromise the user’s privacy or anonymity. Such cookies can enable advertisers to trace the address of the browser.

Google Analytics

In June 2010, a controversy arose around new additions to Google Analytics and the privacy issues that it touched upon. With these new additions, it became possible for website operations to use the search engine optimization suite to sift through Facebook profiles and Twitter posts. The software allowed individuals to conduct search engine marketing campaigns to find Facebook and Twitter profiles of individuals who have visited their websites, including a certain amount of personal information about these individuals.

Google’s privacy practices have often been criticized. Privacy professionals have often warned users to be aware of ways to protect their personal information. Regarding this particular Google controversy, the blogger Antoine Pace stated,

“The capacity for linking from Google or Twitter is quite well known and popular. There should probably be a warning saying that, by doing this, you are potentially disclosing you information, or something similar. If you are concerned about the use of your personal information, then you need to protect it. If you are scared about someone stealing your wallet, you don’t put it on the fence outside. Make sure your information is protected from the public.”

Scroogle

In response to search engine privacy concerns, certain web users have begun to use a search engine nicknamed the “Anti-Google.” Scroogle, developed by David Brandt in 2005, is a search engine that has no advertising, rather relies on small donations from its users. Scroogle ensures user privacy by masking the IP address of users who want to use Google search capabilities anonymously. It also offers an option for SSL encryption (256-bit AES key) of all communication between their computer and the search page.

Scroogle functions as a proxy for Google searches, which means that search terms, IP addresses and other search information that Google typically records is anonymized. The service then deletes all logs and cookies on their services within 48 hours, for additional privacy protection.

The increasing use of Scroogle and other similar proxy search engines remains a concern for Google advertisers and other search engine marketers. Although it is only a relatively small percentage of users who are currently using these services, the number is bound to increase, unless user privacy is taken seriously by the big players.

Summary

This post takes a look at search engine marketing (SEM) and search engine optimization (SEO), and how these relatively new ways of marketing can impact the security and privacy of users. The article takes a look at some of the major concerns from an investor’s and user’s perspective. The article also sites a recent SEM controversy, with new features offered by Google Analytics. Finally, the article introduces Scroogle, a search engine that allows users to mask their IP addresses in order to use Google search capabilities anonymously.

CIPP Exam Preparation

In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:

• Search Engine Marketing (SEM) (III.B.j.i.)

Encryption/Decryption

Cryptography is used to protect the confidentiality of data. When original data (referred to as plaintext) is transformed cryptographically, it is encrypted, or disguised. The process of encryption produces ciphertext, or cipher. The ciphertext is not readable until it is converted back into plaintext through a process called decryption. The process of decryption can only be initiated by the designated recipient through the use of a key. Examples of ciphertext include substituting letters for numbers, rotating letters of the alphabet, scrambling voice signals, or using computer algorithms to rearrange data bits in digital signals.

The most secure encryption methods rely on mathematical algorithms and a key (or password) for decryption. The key is a variable value, often a random character string, which is necessary for transforming the ciphertext back into plaintext. The key is known only by authorized individuals and should not be shared with other parties.

Encryption and decryption are crucial elements in a number of other processes, including:

• Authentication: this process verifies or establishes the identity of an entity or of the data. User authentication verifies if a user is authorized to enter a system. This is based on three factors of identification: something the user knows (e.g. PIN, password); something the user has (e.g. ID card, smart card, token); or something the user is or does (e.g. biometric identifiers). Data authentication establishes both data integrity and data origin authentication.
• Data confidentiality: this ensures that sensitive data is kept secure. Data confidentiality may involve data that is transmitted between two parties, through intermediaries, or data that is kept in repositories. Ensuring data confidentiality means that sensitive information is not accessed by attackers or other unauthorized parties.
• Data origin authentication: this confirms that the sender of the data is the originator of the data, rather than someone claiming to be the originator.
• Data integrity: a high level of data integrity assures users that the information is trustworthy, complete and untampered with. Data integrity ensures that data is accessible, correct and consistent.

There are a number of different levels of encryption, which depend on the key space. The key space refers to the number of possible keys that may be used to initialize an algorithm. Organizations can choose from different levels, depending on their requirements:

1. File-Level Encryption: this encrypts data at the individual file level. Users can decide which files to encrypt, depending on the sensitivity of their contents. This method is also referred to as folder encryption, since entire folders can be encrypted in a similar fashion. Files are encrypted and decrypted by users who have been authenticated.
2. Full-Drive Encryption: this method encrypts all the data that is on the disk drive. This is done through software on the hard disk driver, or by the hardware in the disk drive. Users must be authenticated when the disk drive is powered on, before they can gain access to the data.
3. Field-Level Encryption: this method encrypts only designated fields in a document. The non-encrypted fields are then able to appear in plaintext when viewed.

Non-Repudiation & Digital Signatures

Cryptography influences non-repudiation, which proves that the integrity and origin of data is genuine. Repudiation is when one party involved in a communication denies involvement in some or all of the communication. Users need to have evidence that messages were sent. This prevents a sender from later denying having sent a message. Non-repudiation falls under two categories:

1. Proof of Origin: Non-repudiation with proof of origin establishes the origin of the data, protecting the recipient in case the sender should deny sending the data. This ensures accountability from the originating party. Often, the term “non-repudiation” is used interchangeably with non-repudiation with proof of origin.
2. Proof of Receipt: Non-repudiation with proof of receipt proves that the data was received as it was originally addressed. This protects the sender in case the recipient should deny receipt of the data.

There are a number of ways to ensure non-repudiation. For instance, a data hash can establish, to a reasonable degree, that the data was not manipulated without detection. Data hashes, or hash functions, convert large amounts of data into single integers. However, data hashes cannot prevent data from being manipulated during the transmission process.

Another way to ensure non-repudiation is to use digital certificates. Digital certificates confirm that information transmitted electronically is authentic. For instance, digital certificates may be used for e-commerce, online banking and other sensitive online services. In these situations, encryption is insufficient; certificates are necessary as evidence of the sender of the encrypted information.

Digital certificates associate an identity to a pair of electronic keys for encryption of digital information. They make it possible to verify a claim to identity and prevent impersonation. Digital certificates usually contain the following:

• Owner’s public key
• Owner’s name
• Expiration date of the public key
• Name of issuer – this is the certification authority that issued the certificate
• Serial number of the certificate
• Digital signature of the issuer

Symmetric & Asymmetric Encryption

There are two types of encryption schemes: symmetric encryption and asymmetric encryption.

Symmetric key cryptography refers to using the same key for encrypting as well as decrypting. It is also referred to as shared secret, secret-key or private key. This key is not distributed, rather is kept secret by the sending and receiving parties. With symmetric encryption, the sender encrypts a plaintext message with a symmetric encryption algorithm and a shared key. This process results in a ciphertext message that is sent to the recipient. The recipient then decrypts this message back as a plaintext with a shared key. With this form of encryption, the two parties must share the key over a secure channel before communications.

Asymmetric cryptography is also referred to as public-key cryptography. Public key depends on a key pair for the processes of encryption and decryption. Unlike private keys, public keys are distributed freely and publicly. Data that has been encrypted with a public key can only be decrypted with a private key.

Asymmetric cryptography is the most recent cryptographic technique. With asymmetric cryptography, the sender encrypts a plaintext message with an asymmetric encryption algorithm and the recipient’s public key. The result is a ciphertext message, which is sent to the recipient. The recipient then decrypts this message back as plaintext, by using the private key corresponding to the public key the sender used to encrypt the message.

Compared to asymmetric cryptography, symmetric cryptography is much simpler, as the same key is shared between sender and receiver. Asymmetric encryption needs more processing resources to encrypt a message then asymmetrically encrypt the shared key. However, asymmetric encryption offers a number of advantages over symmetric encryption, including:

• Simplified key distribution
• Digital signature
• Long-term encryption

Strong Encryption

Strong encryption refers to ciphers that are virtually unbreakable without the decryption keys. This method of encryption relies on a very large number (256 bits) as a cryptographic key. However, the practice of strong encryption is controversial. While most companies and consumers believe it is a security measure, governments tend to view strong encryption as a potential means by which criminal activity or harassment could be concealed. The concern is that stalkers, predators or terrorists could disguise their identities through encryption, essentially becoming untraceable to authorities.

Certain governments, including that of the United States, are pushing for key escrow systems for strong encryption. Key escrow systems involve a trusted third party, who holds the encryption key on behalf of the government. This third party may be a bank or new federal office created by Congress. Everyone who uses a strong encryption would essentially be required to provide the government with a copy of the key. Decryption keys would then be stored securely and only used by authorities with the appropriate court orders. A significant concern about the key escrow system is that the keys are held in a single, central location, which would present a risk for hacker attacks. It is possible for criminals to hack into the key database and steal or modify the keys.

Summary

This article discusses cryptography, the practice of encrypting and decrypting data in order to ensure confidentiality and integrity. The article explores various levels of encryption, including field-level, file-level and full-drive encryption. It also explores cryptography in relation to associated concepts, such as authentication, confidentiality, integrity and non-repudiation. The article then compares two types of encryption schemes: symmetric encryption (also called private key encryption) and asymmetric encryption (also called public key encryption). Finally, it discusses the controversy surrounding strong encryption, which may inadvertently disguise criminal activity.

Foundations Exam Preparation

In preparation for the Foundations exam, a privacy professional should be comfortable with topics related to this post, including:

• Cryptography (II.C.a.iii.)
• Digital signatures (II.C.b.vi.5.)
• Non-repudiation (II.C.b.vi.6.)

On May 22, 2007 the Presidential Identity Theft Task Force issued Memorandum 07-16. It required all agencies to develop and implement data breach notification policies within 120 days, as outlined by the memorandum. M-07-16 included a number of new recommendations and requirements agencies must use in creating such policies.

What is Personally Identifiable Information (PII)?

M-07-16 expanded the definition of personally identifiable information to the following: “personally identifiable information refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as data and place of birth, mother’s maiden name, etc.”

The following are a number of requirements outlined by various attachments to M-07-16 in order to protect personally identifiable information:

Safeguarding Against the Breach of Personally Identifiable Information

Part A of Attachment I reiterated the privacy and security requirements for Federal agencies enforced under the Privacy Act, such as establishing safeguards, ensuring the integrity of data and establishing “rules of conduct” for individuals handling information. Furthermore, under the Privacy Act, agencies are require to assign risk levels to information systems according to NIST SP 800-37.

Attachment I also created the following new requirements:

Review and Reduce the Volume of Personally Identifiable Information

Agencies should conduct an initial review to identify records containing PII and ensure that the information is timely, accurate, relevant and complete. Only the information necessary for carrying out government activities should be maintained. After the initial review, the holdings of PII should be periodically review according to a public schedule

Reduce the Use of Social Security Numbers

All agencies were required to develop a plan within 120 days of the memorandum to eliminate any unnecessary collection of Social Security Numbers (SSN) within eighteen months. Furthermore agencies were also charged with the responsibility of working with other Federal agencies to create a Federal identifier separate from Social Security Numbers.

Security Requirements

Agencies must implement the following security features to protect all Federal information, not just data containing PII:

• Encryption
• Require two factor authentication using separate devices when accessing information remotely
• Implement a Time-Out function requiring re-authentication after a period of inactivity on remote access and mobile devices
• Log data extracts from data files containing sensitive information and verify each extract including the destruction of sensitive data after 90 days after it is no longer in use
• Educate all individuals handling PII and have them sign a document annually stating they understand their responsibilities.

Incident Reporting and Handling

Attachment 2 of M-07-16 reviewed FISMA guidelines for the reporting of data breaches and modified several requirements.

US-CERT Reporting

All agencies must report incidents involving PII to the United States Computer Emergency Readiness Team regardless of whether a threat may be potential or confirmed. Reporting must take place with one hour of its detection for Category 1 incidents. Examples of Category 1 incidents include:

• An individual gaining physical or logical access to a Federal agency’s network, information system, applications, or data without authorization
• Any confirmed or potential breach of personally identifiable information regardless of how the breach occurred

Develop and Publish a Routine Use

Routine use includes all uses of data which are in line with the purposes for which data was originally collected. Effectively taking countermeasures to reduce the threat to information due to a security breach may require Federal agencies to share PII with other agencies and law enforcement officials with whom no data sharing agreement exists. To respond adequately, agencies should establish routine use policies to allow the disclosure of information without the prior consent of the individual in situations involving data breach investigations.

External Breach Notification

Attachment 3 of M-07-16 addresses how and when data breaches should be reported to   affected individuals and/or the public. All agencies must develop data breach notification policies to guide officials and deciding when notification is necessary and how it should be undertaken.

Whether Breach Notification is Required

Agencies should assess the level of risk and the likelihood of the breach causing harm using the following five factors:

• Type of information compromised
• Number of affected individuals
• Accessibility and usability of the information
• Likelihood of harm occurring
• Ability of the agency to mitigate harm

Timelines of the Notification

If notification is to be undertaken, it should be carried out promptly upon discovery. Notification may be delayed, as authorized but a senior official, if notification may seriously affect law enforcement proceedings.

Source of the Notification

Notification to affected individuals should come from the head of the agency where the breach occurred. Notification for breaches affecting less than fifty people may also come from the Chief Information or Privacy Officer.

Contents of the Notification

Notice should be provide in writing and contain the following information

• Type of information compromised
• Whether the information was encrypted or similarly protected
• Steps the individual can take to mitigate harm
• Steps the agency is taking to investigate the breach, mitigate harm and protect against future incidents
• Contact information for the agency

Means of Providing Notification

Method of notification depends on the number of affected individuals and the urgency of the notification. Methods include:

• Telephone
• First-Class mail
• Email
• Existing Government wide services
• Newspapers and other media
• Any accommodations necessary for individuals with disabilities

Who Receives Notification

For every data breach, agencies must consider whether to provide notification to the affected individuals and/or the public. Notification to individuals should occur promptly after the need for notification has been determined. Notification to the public including the media should be carefully planned to avoid alarm or confusion. Notice should also be posted on the agencies web page when public notification occurs.

Rules and Consequences Policy:

Attachment 4 of M-07-16 set forth a new requirement. All agencies must develop and implement a Rules and Consequences policy for employees handling personally identifiable information.

The policy must outline the requirements of employees according to their level of responsibility and the type of information they handle. Employees must be aware of their responsibilities under Federal law as well as the consequences for any violations. Supervisors that fail to take disciplinary action when violations occur are also subject to penalties. The policy should address:

• The types of individuals that must comply, including employees, contractors and other individuals handling PII maintained by the Federal government
• The types of actions that constitute violations including
  • Failing to maintain or implement security controls
  • Accessing PII or disclosing PII to other individuals without authorization
  • Failing to report suspected data breaches or unauthorized disclosures
  • Failing to adequately instruct, train or supervise employees handling PII (for managers)

Summary

The Federal Government has a legal responsibility to protect the personally identifiable information is has collected from individuals. Memoranda such as M-07-16 ensure that the security of personally identifiable information remains an ongoing discussion and concern within the Federal Government.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• OMB Memorandum 07-16 (II.A.c.2.j)

—-

Guests :

Isabelle Falque-Pierrotin (IFP) – Vice-president of the French Data Protection Authority (CNIL)

Stéphanie Lacour (SL) – CNRS researcher

Meryem Marzouki (MM) – CNRS researcher

Jean-Luc Dugelay (JLD) – EURECOM researcher

Jean-Marc Manach (JMM) - internetactu.net

—-

Man – The question is about knowing where we are aiming.  And since technologies are moving very fast, we need to look upstream but nothing plays the role of the ethics committee (CCNE) in biological science, for instance when it comes to computer science. The CNIL has a regulating role and it has nothing to do with what the CCNE does. This comparison with Science of Living is relevant to us as there are technologies we didn’t want to develop. We said by thinking upstream, we don’t want reproductive human cloning. We stop research tending to point in this direction. Is there anything equivalent in Computer Science to a technology we would not like to develop?  Though without thinking ahead, industrials would shape it and there would be calls for proposal. To me, the facial recognition can be compared to the artificial uterus: this is something which will radically change security in our society and individual freedom. It is not perfectly running but there is money for funding it. It means there was not the same thinking upstream that one can find in biological science.

MV – IFP?

IFP - Your question is one of the many reasons why the CNIL is transforming itself into something else. Google is an American company. The French people, the 30 millions of customers consuming Google services are obedient to any terms of service the company would like to apply. Today Google respects the Californian law. Some of the services, like Google Latitude (allowing one to identify people in a given spatial environment) respects the Californian law. We may believe it’s tragic, that nothing can be done because most of the big Internet companies are not French. However these companies are opened to discussion with actors like the CNIL about private data since the organization took upstream several initiatives in this field to drive them on taking measures that abide by the French national rights. For instance, in regards with Street View (mapping street photographs with districts showing views of main cities in Europe), as the CNIL was alerted early enough, faces could be anonymised so that the service conforms with the 1995 law. As a result, Google accepted to apply these measures in Europe. I would answer the question by telling that the CNIL has to work more and more in a prospective way with the service offerors so that the process of protecting data really becomes a pervasive concern. It is much more difficult than applying stricto sensu law texts relative to public filing but I think this activity shapes the future of the organization.

JLD – I would like to come back to the global aspects of these things. Among the criteria defining the research areas, there are the national and European industrial calls but there are international competitions as well. As national labs, we want to be competitive towards American or Japanese laboratories for instance, or China which goes off in many domains, like research. We would like to avoid monopolistic situations such as the ones with biometrics or video surveillance by leading competitive research in France.

MV – Another question?

Man - We talk about personal data. I was asked to confirm my presence by signing a paper when I arrived. We talk about carts and knowing what I purchase. Ethical questions are critical. With regards to information technology, we don’t really know how to set limits by preventing ourselves from investigating further in given research areas. Given techniques, politics and ethics as main parameters to be considered, the real question is perhaps not about RFID (which will be deployed and these chips will provide information about what I purchase). Why are we looking closer at Google webmail as something so interesting when incoming and outgoing messages are not safe within private servers either? All that is related to search queries and subsequent profiling activities might be a little bit more of a concern. Are not we running away from the latter by discussing RFID? Those are ethical questions to be asked. Moreover we are not at all in the same context than with biotechnologies. The means to take measures are totally dissimilar with information technology.

SL - There are several camps in this game: the government, the private companies, the citizens. I remain convinced that no solution will come from one of these three players. It might come from the government, for instance the Chinese government forced Google not to provide results for keywords like democracy. I am not sure one would like to fall into a system similar to the Chinese democracy, if I may. The fact is, politics can not be totally passive before choices. When the political decision is made, things move forward. Besides, the technology itself makes things happen. This is true with Internet and also with RFID. Developing technologies upstream, for example in Europe, by following European privacy standards, is one possible solution. As most of these technologies are developed in countries like the United States of America or Korea, where privacy has a totally different meaning, we have to face very difficult issues since privacy protection doesn’t even exist inside the technology itself. When research institutions push collaborations between technology inventors and ethicists, jurists or sociologists, we get closer to the solution. The third part of the solution belongs to each of us. I don’t think the system will be altered in the future by only one of the three ways.

JMM - Let me take another example. In computer science, for a long time, there was IBM the monster absolutely cannibalizing everything. Then came Microsoft with a fabulous business plan equipping today more than 90 or 95 percent of private person computer. Now Google has between 80 and 95 percent of the advertising market shares. Each time, for the reasons why IBM is criticized, Microsoft was and is still heavily criticized, IBM made huge losses, Microsoft is in the same losing process. Reviewing what is going on with the browser market and Internet Explorer would be enough to get convinced. Today in Europe, more than 30-40 % of customers are Firefox users; they are not Internet Explorer users anymore. I can’t see exactly how Internet Explorer will carry on its development. Internet Explorer is being lost. I don’t know how things will turn out for Google in 10 years but it is not unthinkable than Google fade away because of another company offering new services better addressing peoples’ needs and being more respectful of users. The monopolistic role of Microsoft in relation to operating systems may come to an end. The Microsoft operating systems coming along automatically with brand-new computer purchases, called compulsory sales, originated from the European trials against the company. It is well known that it is safer to run Linux instead of a Microsoft operating system given the same privacy concerns so the law project behind stopping compulsory sales would contribute in making Internet safer as well.

MM – I would like to return to the original question. I was amazed of hearing mentions about ethics, politics and techniques but nothing about rights. Given that rights should not depend on politics, at least not exclusively. Rights exist as rules applied to everybody. Data and privacy protection rights can fundamentally be split into the purpose principle and the proportionality principle. The first one is more and more flouted, as explained by JMM with the national file of genetic footprints and the extension of personal data collecting activities. The proportionality principle is still too fuzzy. When we use the flaws of proportionality such as a period of data retention as arguments in legal recourse, we are saying the length of these periods are directly proportional to the aims at stake. The purpose principle is equally inadequate, for instance, with passports, visas used in targeting foreign people, measures taken for border control, which will serve in police operations with different purposes since databases exist. The principles should be refined so that some population could be made safe. I have quoted the case of foreign people but let us talk about children. All of us were offended when we learned that 13-year-old children could be found in Edwige database. What may offend us as well when considering the French passport regulation, is how biometrics data are collected for 6-year-old children (which is not a requirement at the European level). It shows clearly how collected data can be extended and put into service for other objectives, to control other people, because young people scare (we see it with regulation law proposals about mobs). We are not here in the middle of ethical discussions of new topics without any form of consensus already made about them in the society. Let us revert to fundamental rights, this would be progress.

MV - A last question?

Woman - I would like to know what was the legal reasoning of Internet service providers, which are apparently commercial and actually accomplice of the all-in-one security trends with HADOPI in the LOPSI II law. Were not their positions during meetings meant to address these issues?

JMM -  It depends on the industry we are referring to. It is not all about the same reactions. For instance we know that Free works backwards. They launched the free wifi service access (allowing their customers to access Internet through other customers routers in wireless connections) when the HADOPI law was being discussed. When the main carriers are asked to implement some practices, they usually do it and charge the customers for doing it. Some actors of the industry like Jean Michel Planche were among the first who brought to light the issues coming with the LOPSI law and Internet filtering policies. Some individuals dare expound ideas and spread information. Most of the time, information published in the press about the government intentions come from industry leaking details when not expressing themselves ideas defending their customers. We do not have the same culture in France in comparison with the United States of America. In the USA where there is no such law like the data processing and freedom law, the fight for the customer freedoms and privacy protection is driven by the industrial. They know there is no interest for them in going against the freedom of their customers not to lose them by holding big brother-like roles. In France, the industry doenn’t maintain such policy of protecting their customers. With HADOPI, we are routed to the possibility of the filtering of Internet though professionals.

MV - IFP?

IFP - We should not end this debate on a caricature of the industry. After discussing with many of their representatives, I can stand that many of them were worried by these questions. All actors of the industry are not willing to establish security devices everywhere. There are cases when the technology provides advantages, for instance with warranty services which could be integrated in the articles we consume within RFID chips. There are industries which are sensitive to these questions. I meet with them and I think they are more and more sensitive with them as they realize it worries their consumers, it is also forming part of the sustainable development of their company reputation. It is not only theoretical. We all have this responsibility of finding a balance between security and freedom. The industry has its own role to play, which is also a positive role to be played.

MV - I ask the three of you, a few words to conclude. SL?

SL - Indeed from the collaboration of all actors may emerge the shapes of an answer.

MV - Can we rely on the rights today as a citizen when it comes to data circulation?

SL – The law tells us it is possible but we face a more complex problem when considering attentively how the law can be applied.

MV - There are obviously some vulnerabilities in the texts. MM?

MM - Again, let us return to the fundamentals and remember the Edwige case. Citizen mobilization can have a major impact in addressing other similar questions.

JMM - More and more people should stop acting paranoid and really get informed about the reality of the threats we are confronted with. The more we will look for being informed and the more we will have the right to resist.

MV - JLD?

JLD - Indeed, people should be informed so that they can have their own opinions. To make the right decisions, it is critical to master the technology, not to suffer from monopolistic situations coming with unique circumstances . I think it is important that we have a strong French and European research. Eventually I think there was interesting proposals like the creation of an ethical committee for new technologies, which is something to be widened with different actors and users.

MV - Does it exist already with nanotechnologies, SL?

SL - Something exists already with the CCNE.

MV - Thank you to all of you.

—-

Guests :
Isabelle Falque-Pierrotin (IFP) – Vice-president of the French Data Protection Authority (CNIL)
Stéphanie Lacour (SL) – CNRS researcher
Meryem Marzouki (MM) – CNRS researcher
Jean-Luc Dugelay (JLD) – EURECOM researcher
Jean-Marc Manach (JMM) - internetactu.net

—-

MV – SL, would you like to take the lead?

SL – Technologies move forward very quickly. I would like to keep pace with IFP when she evokes this rapid movement but we (consumers) also have to make concrete decisions regarding these technologies. Such aspects were fundamental in the enactment of the 1978 law. When we are asked our personal data, we can still freely provide an answer to gain some advantages. Today, it is still possible to acquire simple coupons with RATP. An anonymous Navigo pass is available but the acquisition cost is a little bit higher (5 €). I am not revealing a universal solution: in this case, about RFID, I think a cape has been rounded relative to what existed before (credit card, cellular phones and other individual tracking technologies) as the existence of a chip inside a Navigo pass is well known and some may be aware of carrying these devices oppositely to the ones that will be massively deployed in the close future over the mass-market and they’ll communicate data without asking for authorizations.  This constitutes a real interesting legal issue in the way the 1978 law has been submitted to new evolving needs in 2004 requiring people’s consent as a central matter of balance: I accept providing parts of my personal data in exchange of advantages and I make a personal decision. Given technologies people carry without awareness of their presence nor whether these technologies provide our data, it becomes even more difficult for us to consent.

MV - What does your survey reveal about how the new generation of individuals perceive this concept of privacy? I imagine oscillations between generations and these technologies being more easily accepted by some age groups. Would some of you like to comment about it?

JMM - We’re referring here to the privacy paradox. On one hand people are using these technologies: notably visible on the web with social networks, Facebook and the collaborative Web, where people don’t hesitate in disclosing a lot of information. I’m wondering if you’ve heard about Google and Mark L.’s personal history.  This story appeared famously hitting the headlines at the beginning of the year. This gentleman’s portrait was issued in a French magazine named “Le Tigre”. A fellow was described in his habits exclusively from what could be found on the Web. They didn’t put him naked but it was close. So many photos, videos of his travels, and stories were posted across the Web that they managed to retrace his life. We heard about it because it exhibited the propensity of people for disclosing personal data. On the other side, when the man discovered this article published among the news, he was very, very scared.  Before the article, he didn’t descry how easily these data could be aggregated - this is the privacy paradox. Mark L. expressed himself carelessly until his voice was put in such nearly official report and he got very scared. Being particularly afraid of Big Brother doesn’t prevent anyone from using these technologies (even in enforced situations as it was mentioned early). Today obtaining a passport comes with biometrics, an anonymous Navigo pass is more expensive and so on. We are more and more urged in behaving similarly. What could be the possible extensions? We don’t exactly know. I recently wrote an article entitled “Privacy, a schmuck problem”, about a comparison made by an American team between sexual revolution and what is going on with privacy. Forty years ago, women could not wear miniskirts without being accused of incitement to rape and declaring homosexuality would provoke someone’s face smashing. Mentalities are not the same anymore. Some laws were voted. Activism led to wearing miniskirts without being indicted for incitement and telling one’s homosexuality doesn’t necessarily imply someone’s rage.

MV – Are we at a disinhibited digital stage?

JMM - What has to be clarified relates to the part of control we’ll keep for ourselves over the network. Would all this data be rendered available to merchants, policemen, public services and administration and would not there be any pending transformation of some Big Brother-like self-censored totalitarian system kinds. This is a real political issue.

MV – Do you agree? We’ll listen to your opinions and then we’ll take another question.

SL – I’m a course instructor and conference presenter on these topics: privacy protection on the Web, traceability of individuals. When I start a new course, I am generally seen as a schmuck in front of the students. They stare at me wondering what I could tell them? Things like the Internet is dangerous, especially with all the pedophiles around. By the time I close a course, students come to me and say they will terminate their Facebook profile. In general, I explain to them that it is already too late. However this effort to inform is very fruitful. People strongly react against the Edwidge file. Young people are currently no more ready than aged people to let recruiters find photos of them drunk while they run as a candidate for a job. They don’t accept it better than people of the previous generation. It is this effort where the CNIL is concentraing. It has preserved a worthwhile policy concerning traces for years and the CNIL is not the only relay. In my opinion, this information has to be loudly broadcasted.

MV - MM then JLD.

MM – I would like to return to the comparison made with the living. The CCNE gave two outstanding judgements, the first for biometrics and RFID and the second for using DNA. The DNA ruling was for paternity tests when they were introduced in the 2007 law. About facing long term problems with research projects, it has to be underlined that these projects have clauses. It started with parity between partners working on European projects. There had to be as many women working on the projects as men. Beyond these immediate palliative measures, the consent appears. Knowing if the consent is free overpasses communicating about it. And the consent is not free, not for administration nor for police filing. It is not free either for private filing. I don’t really agree with the parallel made between sexual revolution and privacy on the Web as sociologists proved the existence of a great mastership of Facebook users for their data. They are not young children but young active people (about thirty) who want to exhibit themselves by having a clear conscience. Let us return to the first TV reality show (Loft Story), we heard of it equally in the news. There were lots of exhibitions. The social consent existing behind it is the commodification of bodies and intimacy. With the living, there are debates about surrogacy. We apprehend this commodification. We can fully understand it and we can have arguments about selling a belly. I don’t ask any question now but I ask the following ones to my students. Who doesn’t use a free mailing box (Gmail, Yahoo!, Hotmail whatever)? Who doesn’t use free services? Who ever rejected giving away some personal data to take advantage of a service? One immediately receives the benefits of services while providing few details of oneself. The consciousness raising of the data collection, the possible interconnections and resulting portraiture comes later. Different reaction periods are at stake. In 1996, I offered already a solution commented as soft insanity. The fundamental question is: Can we make people happy without their consent? If we can, then we should think of an “holification” of personal data and intimacy. We are not talking about vital data but patrimonial and geolocalization data, with bodies taken as identities with their biometrics and DNA. This is very close to debates occurring with the living and body intimacy might be an argument to forbid collecting and processing some personal data even with consent.

MV - Could not we equally compare GMO with nanotechnologies? JLD, IFP and the public then.

JLD – Just a quick idea, specific clauses appeared in multimedia for disabled people so that they can access the services. We have to abide by some terms. There are cogitations in European projects with ethics committees delivering recommendations, which are sometimes a bit surprising. We have a program extracting the largest amount of information possible from a face, like age, eye color, etc… We were asked not to discriminate men from women as it was considered as not acceptable by a committee.  As a result, we didn’t work it.

MV – IFP?

IFP – I believe this concept of personal data has completely evolved. It was absolute before (protected by the 1978 law) and now it is subject to negotiation. There is a big difference today and in the way we are now referring to the capital of personal data dwelling around all of us. This approach is closely a proprietary one. Some even say they are owners of such data, and whether there is consent or not,  they should be able to do whatever they want with it. We recognize the debate of the human body: if there is consent, then we should be able to lease a belly. Some can not cut one’s harm but… We know that laws about reproduction cared for by the state, and bodies not belonging to anybody (in France) were constructed against this on behalf of higher principles. I wonder if personal data are about to be added to one’s patrimonies, since they belong of course to our intimacy. Should not we be reacting here? There are worries welling up in the polls: the first fear concerns personal data. There is confusedly something. At the same time, it doesn’t prevent them from consuming services. Some of us will wake up soon or later. Should not there be a stronger corpus of renovated and unalterable principles of privacy by letting individuals make separate choices, not just one for everything?

MV – Sir?

Man - Hello, I’m a member of the organization “Democracy and Freedom” objecting to the plan of camcorder installation in Paris. I would like to return to the technological argument. Video surveillance is clearly feeding a race for progress as we have heard with Mr. JLD. It is all about a sequel of new devices bearing the lacks of previous devices.

JLD – You see it as if applications were driving researc,h but it is not always true. We want to progress in image analysis. It is our first goal then that this analysis can serve different purposes (medical imagery, video surveillance etc.). We naturally talk about biometrics and video surveillance today but the first goal of most of researchers is not about improving specific applications. We are willing to improve audio, video and signal processing. I believe there is a little misunderstanding at this level.

Man – The problem is that technological arguments are provided by the chief constable, for instance, emphasizing the old systems obsolescence and inputs of the new devices. As I follow news about camcords, I found a funny picture of a policeman from the 60s with his stick and cape. We moved to analog camcords. As they were inefficient, we moved to digital camcords which are magnificent.

JLD – Video surveillance didn’t trigger the digital revolution. We moved from analog devices to digital devices for many reasons.

Man – Well, I want to express your participation to be a headlong rush. When talking about digital camcords, you said while someone is moving, it is difficult to see his face and a facial technology has to be developed as a compensation and so on. The next argument could be skin color and ethnical statistics from videos. We clearly discern an unstoppable dynamic here. Technology is seen as a solution, but not humans?

JLD – This discussion is very interesting, but we can get pretty far that way. For each technological progress, there are new issues (positive, and negative ones as well). I agree with you. What should we do then? Should we end research? It is a society problem.

MV – SL.

SL – I understand the argument of headlong rush. However I don’t think technologies are the main arguments of politics. For videosurveillance, we know camcords of the market are not satisfying, for instance in terms of individual spotting. Technology doesn’t tell the chief constable that what exists today will work to find Mr. X on the street Y because he attacked Mr. Z, and it won’t prevent the political decision. It is exactly the same with RFID, consisting in telling the citizens they’re taken care of and their privacy is as well. The RFID chips can be disabled, but there is a big advantage for them as consumers at check out time. The big benefit for supermarkets is about making logistical decisions and profiling consumers in real time. The benefits are a little bit unbalanced, but let us assume people can check out more quickly. Public powers aware of privacy issues could impose requirements where the chips are disabled after checkout. In the present state of things, the government has already authorized the RFID deployment over the market, but the technology can not guarantee these tags being disabled after checkout. The only way how to really disable a tag after checkout consists in breaking it.

MV – JMM.

JMM – I take the example of a company called Visiowave created by Swiss students. They wanted to carry TV on the Internet. Image compression algorithms were developed. In 2001, the dot-com bubble burst and they wondered how to earn some money. They started to think of smart closed-circuit television. Visiowave was bought by TF1 and it is quite funny that TF1 might become the world’s number one smart television channel. Since then it was sold to General Electric. I’m talking about it because Visiowave is the system sold to RATP to equip buses. What was TV became videosurveillance and might return to TV with an inverted channel (news broadcasted in buses). The same system deals with videosurveillance and advertising. There is indeed a headlong rush with these technologies creating usages depending on the market needs. Some researchers are trying various experiments and we wonder what to do with the results. By meeting the CNIL people, I notice they are facing similar issues. Technology progresses fast and the political choices in terms of regulation affects what is related to security or emotions (to get elected again) instead of willing to be efficient. Don’t we go to far? Isn’t it too dangerous? Is it too late for the politics when they start snatching at these questions?

MV – Sir, good night, a new question?

Man – My questioning concerns the company Google. Today, thanks to their free accounts, we can take advantage very easily of emails and standard searches. A panel of services, such as the calendar application, allows them to know where we are and when. Advertising is contextual. Youtube allows them to know what we watched. Google books provide them with information about what we read…

MV – What is your question?

Man – What matters the most thanks to the analytics part is that even sites consulted directly without using Google search engine, are related to logs taking advantage of google accounts if a session has been opened. What do you think of the behaviour of this company which claims today keeping “don’t be evil” as a motto?

The PlayStation 3 cluster at the École Polytechnique Fédérale used in breaking 112bit Elliptic Curve Cryptography

A so called np-hard problem, elliptic curve cryptography is based on the Discrete Logarithm Problem (DLP), or the ease of calculating the next value of a curve over a finite field.  Essentially, it’s easy to calculate the next value, but very hard to find the previous.  ECC is a type of public key crypto, and the DLP problem it is based on is the same mathematical issue used in RSA cryptography.

While this is a so-called brute force attack, where a computer tries all 2⁶⁰ key combinations to break the encryption, it still demonstrates the processing power to perform this sort of attack is available, and not that far from accessible.  The researchers used a bank of 200 Playstation 3s over one year, but estimate the computations would have taken only 3 months with optimizations they made throughout the experiment.  As Moore’s Law dictates computing power doubles every 18 months, so too must cryptographic methods.  The weakest ECC standard currently used is 160 bits, which is 1 million times stronger in terms of complexity than that broken by the Swiss researchers.  By 2010, the National Institute of Standards and Technology, the governing body for cryptography, will replace the 160 bit version with a higher strength, 224 bit version.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• Information Security (Foundations: II.C) including: Encryption (data-at-rest) and Threats & Vulnerabilities

Man – My question is closely related to your last topic, perhaps a little bit provocative : there are politics, technics and ethics. There are ethics committees, decision makers handle politics and technicians determine what can be implemented. From what you have said since the debate started, we are quite far from responding to every ethical issues raised by new technologies. We can focus on epiphenomena but in general all of us are controlled in different ways. Mobile phone usage makes locating anybody at any time possible. I don’t see how this could be prevented. Besides, even when they can be prevented, nothing is done. For instance, I don’t know what the current status of social filing is but I don’t see it as overused…
JMM – Ten interconnections between social databases were made last year.
Man – Yes, exactly and each database has to be a social database since it contains data about individuals. I don’t know if any policeman at any police station can get access to any piece of information about anybody.

MV – Respecting ethics, JLD, you are a researcher designing new technologies. You can probably explain to us in few words what you do with faces in biometrics.
JLD – We try to integrate dynamic parameters with faces. Today, facial representation works well if camerawork is kept relatively simple (frontal, good lighting conditions etc.), which is rarely the case when people are walking along a corridor… To improve the “scoring”, we add the dynamic facial parameters, the way how one smiles, the way how one talks… combined with gaits.
MV – So, you design these instruments?
JLD – We try to get rid of these locks then…
MV – You are quibbling… You design these machines serving security and surveillance.
JLD – I don’t have such a vision. I am maybe a little bit naive as I am a scientist.
MV – I’m not blaming you… It is a fact.
JLD – I don’t have such a negative picture in mind.
MV – It’s not negative…
JLD – I find all these questions very interesting as we need to raise the possible negative aspects and I am entirely fine with it. It is great that there are people for doing it. However I see also positive aspects. About RATP, I think they do really want to improve security. Customers are asking for it, customers who are taking the RER (the transit system) everyday in the suburbs wish rightly or wrongly more security.

MV – Perhaps we will return to the perception of security a bit later. Do you, as a researcher, feel concerned about ethics and when does one start wondering about the related issues?
JLD – Rather quickly as…
MV – Basically, it may look a bit like Einstein inventing the nuclear weapon and then…
JLD – No, no… First of all, I am here for discussion. Researchers are used to discussions with other people and it is very nice. The ANR (the National Research Agency) encourages us in working with people from other areas, which we do willingly. We ask ourselves questions as citizens as well but there are different levels. Research depends on mathematical foundations, signal processing etc. which is rather independent from applications. I’m providing you with a single instance: we examine faces to recognize skin colors. There are equal requests from people developing virtual makeup software and those who want to retrieve someone’s ethnic origins. From a mathematical approach, both these requests are nearly the same. This is just an example enlightening how ambiguous research can be and how different the applications are.
MV – MM?
MM – I come to rescue my colleague, a computer scientist who risks being the bad guy in this debate.
MV – Not at all!
MM – As you referred to the ANR, we need to realize that we are aiming at more and more contracting activities in research areas. If we want simply to conduct our research with scientific goals, we have to submit our projects with the nice phrasing so to say that it can be immediately useful, for technics in security, for biometrics, for improving video surveillance, for making it smarter and then it works. We get money for conducting our research and if we don’t do this, we don’t get the money. The problem remains upstream. Above all in the following areas: in computer science, in micro electronics, in nanoelectronics now, we are forced to promote public-private cooperation, otherwise nothing is done and we fold our arms (and I say we for solidarity even if I am not in this area anymore). We fold our arms, we can not lead projects, we can not take Ph.Ds. All this makes sense and it’s comforting. I have seen myself, projects submitted to the ANR involving a partnership with the gendarmerie for experimenting filtering technics. These projects are always submitted by taking into account the best objectives in the world, for our old people not losing themselves on the bus, for producing makeup as white skins won’t react the way how coloured skins would – nevertheless there is ethnic profiling behind it. Biometrics resellers vindicate buying their products with the best arguments: for instance, on asian and african markets for improving transparency and democracy during election periods since there are no well-structured vital statistics in these countries and there is not really any voter register. So we always have the best arguments, but the root of the problem is not related to this or that technique.  Though each technique has to be investigated properly, it resides in massive, systematic usage of these techniques and their interconnections. This is where problems are originate.

MV – Short answer to take another question.
JMM – Another instance comes with the GIXEL (Electronics Industrial Group). A few years ago, a blue paper informing about what had to be done for developing the industry, was addressed to the government. According to this paper, people are scared by video surveillance technologies, biometrics, RFID and control technologies. People see “Big Brother” when told about them and this act as a brake on their business. It was explicitely written that, to develop their industry, we had to deploy RFID, biometrics and video surveillance devices with kindergartens and nurseries, so that parents and children can get used to these technologies, would stop seeing “big brother” and not to be scared anymore. When this was pointed out at one of the Big Brother Awards sessions, the blue paper was published again, with the sensitive parts removed. This is one of the issues industrials are confronted with and how they try to infiltrate into our minds. Since then, we have seen nurseries with biometrics devices…
MV – There are also these wristbands in maternities…
JMM – There are now RFID wristbands, supposedly preventing kidnapping.
MV – We’re are in the same field…
IFP – I would like to answer the question, which appears absolutely fundamental to me. In the background, we notice the rise of the technologies and we wonder what can be done. I think the situation is very different from the one we had in 1978 when the CNIL was founded. In some way, everything was quite simple in 1978. There were large scary public files. The CNIL was mainly established for controlling these files. Today the “threat” is totally decentralized. There are still these public files. M. Manach told us they keep expanding. Moreover there is personal information everywhere which are not even put together as files (this is the newest part) but are available. Each of us even offers it. The processing tools help in making scripts out of them. This is how these kind of smaller files are formed. We understand intuitively the solution has to be different. The CNIL as a regulator has to adapt and this adaptation is on its way since 2004.  But the global chain has to follow the same logic. That’s why I was insisting on individuals having a role to play in terms or personal data protection and companies as well. Each link of the chain has to play a role in terms of the security-freedom balance.
MV – We are going to develop the topic with chip usage inside companies. JLD, a few words and another question.

JLD – I agree with the fact that Europe, and France in particular, deliver invitations to tender and organize research. They influence decisions as they launch proposal invitations, but sometimes we reply to invitations which are not really expected and we suggest our own projects. For instance, I’m strongly interested in system reliability and I think it is crucial showing to the general public that systems are not one hundred percent reliable. Thalès played the game with a project aimed at demonstrating that impostures can lead to vulnerabilities in some biometric systems and soon we are going to receive the answer to our proposal.
Man – The question is about knowing where we are aiming.  And since technologies are moving very fast, we need to look upstream but nothing plays the role of the ethics committee (CCNE) in biological science, for instance when it comes to computer science. The CNIL has a regulating role and it has nothing to do with what the CCNE does. This comparison with Science of Living is relevant to us as there are technologies we didn’t want to develop. We said by thinking upstream, we don’t want reproductive human cloning. We stop research tending to point in this direction. Is there anything equivalent in Computer Science to a technology we would not like to develop?  Though without thinking ahead, industrials would shape it and there would be calls for proposal. To me, the facial recognition can be compared to the artificial uterus: this is something which will radically change security in our society and individual freedom. It is not perfectly running but there is money for funding it. It means there was not the same thinking upstream that one can find in biological science.

MV – Sir, did you have a question?

Man – What I would like to touch on, is not really a question but a topic: the human traceability inside Paris. It would be related to automated identification with RFID and biometrics.

MV – SL, isn’t it a topic you’re interested in?

SL – Indeed, this matters a lot to me. This kind of device, like a RFID chip in a biometric passport, comes from security needs. Since the 2001 attacks, it’s clearly all about protecting our countries from international terrorism so security measures are strengthened, particularly concerning our ids and at the borders. Does cropping our privacy guarantee our safety? There are very generic answers, clever surveys from philosophers, etc. about this issue. I’m not getting further into it but basically what we encounter very quickly is that these devices that are supposed to bring us safety are producing security risks. For instance, this is especially flagrant with RFID chips within passports. There are endless security issues, which means we don’t know how to secure these electronic devices properly. These issues exist because of lots of technical reasons and economic reasons as well. The technology is not mature enough presently for offering a satisfying result. On this point, we could accept the situation, as traveling documents have never really been fully secure even when it was only about a piece of paper. Convincing oneself about it would just require checking out how often the formats of such documents are renewed, for adding additional security assets. In this current configuration, we are forcing the introduction of a device which encompasses vulnerabilities and we don’t necessarily look for how to fix them because these agreements made about adding RFID chips in passports are agreements made at an international level and the United States of America was not insisting on a satisfying level of security. Another reason is that adequate investments in cryptology were not accepted. Such investment would have enabled securing these passports, or securing them further anyway. All this might look circumstantial, but the truth is that offering security means at the expense of security itself, is still annoying.

Woman – Excuse-me, just a short question… What exactly do you call vulnerability?

SL – Well, I’m going to provide you with a basic example with regards along with passports: two or three months ago, Elvis Presley crossed the Netherlands border.

JMM – I have another instance: two years ago, computer scientists created a bomb prototype which explodes exclusively nearby American passports. If you’re American and you’ve got the passport, the bomb explodes, if you’re not and you don’t own such passport, nothing happens.

MV – IFP, what about about RFID chips as we’re referring to it in the frame of Paris, as our guest was probably thinking of the Navigo pass and the occasions we have of using it?  What does the CNIL say about the data which are embedded in these chips?

IFP – Before talking about RFID I just would like to react in relation to the passports and to confirm that all discussions we have about them are not national. Of course, some decisions of standardization were taken at the international level and France had to take part in these discussions and to adapt its own (transport) titles. We made choices which are more maximalist than the ones made on the international scene, which is absolutely true but every country is heading to this kind of traveling documents. On another hand, in response to SL, I would like to mention that the market is not only originated by the state. There is a global market, there is a market of fear and technologies are there to respond to this market. All of us (individuals, states, companies) are accomplices of this market. Here is an example: the CNIL was recently seized about an organization taking care of disabled seniors with extremely reduced mobility. There is a bus picking up these people and some of them lose themselves because of being disoriented. Their families asked us about providing them with electronic tagging, instead of employing someone who would make sure each individual gets off the bus exactly at the place where he or she is supposed to. As things are kept simple this way, without worries, we would be automatically warned each time something would go wrong, each time someone would accidentally leave a perimeter of movement. We must realize, all of us are sustaining this market one way or another from our different fears. As a result, if in our opinion this market is too broad, we all (and the state particularly) have to assess our real needs about RFID.

MV - At the local level…

IFP – At the local level, of course, the CNIL is extremely vigilant relatively to this new technology allowing smart labeling. We might find it anywhere. It would allow theoretically any item communicating with you. You are in the street, you go before a poster and this poster sends you a message onto your phone asking you if you’d like to receive an advertisement or you walk before a shop, a chain store, you receive a short message and you might be interested in opting in for some services since you might get some discount in this shop… These technologies are obviously attractive for the general public. The CNIL doesn’t have a general solution for RFID but case-by-case answers depending on the variety of existing applications.

MV -Fine! We are about to see what is linked to citizen rights with SL concerning personal data in this chips. JMM, you had a reaction to share before moving forward with the next question?

JMM -About traceability at the level of Paris, there are camcords but they are not “smart” currently, not in the public area, at least. They are not paired with software capable of individual identification. But the RATP (Autonomous Operator of Parisian Transports) also has camcords belonging to its realm including buses, that are connected to a face recognition system, which is officially not activated yet. When will they activate it? Will they activate it? I don’t know. Anyway, you were referring earlier to the state of the art in terms of biometric recognition with video surveillance. It is not perfect yet. There are still many failures but many researchers are working on it. The other issue consists in the RFID chip contained in the Navigo pass which was imposed on everybody without any explanation. As a journalist, I was wondering why and I never received any answer. Nobody is telling why it was enforced. The Navigo pass stores the three last distances you have traveled. The data are deleted after 48 hours or 24 hours whereas the CNIL permits keeping them for 3 days at most. Each time the CNIL asks for some data on behalf of the police, the RATP needs an approval from a rogatory commission. The time needed to transfer this approval lets the data be deleted. Therefore, officially the RATP cannot reply positively to any police request. Today the infrastructure exists and it is all about making decisions for more traceability, keeping the data longer, activating the smart video surveillance systems and transforming the public RATP area into an even more totalitarian sphere. I said it is just about making decisions as the FNEG (National DNA File) was originally created for fighting against multi-recidivist sexual criminals and pedophiles, highly violent people. In few years, this file was extended to nearly all the crimes and derelicts. I believe that there are presently 125 or 135 crimes or derelicts which are concerned with the FNEG. So few years are enough for extending something dedicated to multi-recidivist criminals to the entire population. Maybe a particularly odious crime in the RATP area would trigger the activation of the smart video surveillance system and the traceability of anybody. It’s perhaps a political decision which might come from a news item and it depends also on the business. It’s a bit expensive. The technology is already inside the RATP anyway.