[00:00:00] Host: ...who is talking to us about Cutting Gordian's Knot: end-user focus versus privacy. Take it away.

[00:00:08] Speaker: Yeah, thanks.

[00:00:13] It's good to see you here, and I'm happy you managed to make it to our celebration today, because we're going to celebrate the year of the Linux desktop. Hey! Oh no. Wait a second. I need better glasses. We are celebrating the 25th consecutive announcement of the year of the Linux desktop year party.

[00:00:43] But, I mean, why is this so? I mean, the amazing thing is the whole backend of the Internet runs Linux, right? But why is the only thing that runs on the desktop a running joke? Well, actually, because we have values. And don't get me wrong, I'm not criticizing this. Values are the backbone of our community. It is what makes us strong in a world where values seem to lose their value. But right now, they're holding us back from conquering the desktop world.

[00:01:22] And we're going to change this. I mean, not our values, of course, but we're going to harmonize our values of privacy and end-user focus and make the year of the Linux desktop perhaps become reality at some point. And even more, let's bring our values of digital privacy and sovereignty into larger society and have everyone benefit from them. Privacy is the backbone of a free and an open society. And I truly believe this is possible. And I truly believe this needs to start within our community.

[00:02:05] In my talk, I'll outline how this will work. I'll show what we have already achieved. And I hope that I can inspire you, dear friends, to help build this better future together. KDE is actually crucial for this long overdue change in society. For a society with real and working digital privacy for everyone. Let's dive right in.

[00:02:35] Our manifesto is a great reminder to focus on the end user. This is why we have an amazing UX group doing incredible work. Some of the older ones might even remember I had my share in creating it. But do you know what UX stands for? It is user experience. And to truly excel in this art, we need to know a lot about our users. Because one important pillar of UX work is data-driven. It's based on the experiences and expectations of our actual or potential users.

[00:03:13] And this doesn't fit with our passion for digital privacy, one of the core values of our vision. We don't want our users to unveil personal information. We want them to stay private. And this is actually not only the struggle of KDE. This is the struggle of my life, being a UX professional and a privacy activist at the same time. And it's something that we share with most user-facing free software projects out there.
[00:03:46] We all value privacy, so we don't know who our users are or what they want, and thus we cannot innovate our products. We are missing one of the most important pillars of doing effective UX work. Commercial user-facing software is doing just the opposite. They're invading users' privacy and shamelessly use this data, next to other things, to innovate their products. And we can just copy them. We follow up on them, coming in second place. This way, we as free software have a hard chance of winning the battle of creating the most innovative user interfaces.

[00:04:31] Just imagine for a moment how a world could look if this were different. In this world, users would have total control over their personal data. A world where personal data, without compromising its owner's privacy, is used for the good of the individual and the good of society, and not mainly for profit-oriented companies. A world where KDE knows exactly the same things about their users as every other player on the market. A world with a working and reliable digital privacy for everyone. What an amazing place that would be.

[00:05:16] And this is the vision we at the nonprofit privact e.V. work on. All of us are users, and we have a right to digital privacy.
[00:05:31] Our mission is to ensure that this right is realized in an easy and manageable way for everyone, and not only for an elite that can arguably do this already today. So we are creating the ecosystem needed: technology, legal frameworks and social pervasion. And I'm here to ask you to help us achieve this vision.

[00:06:04] I'm going to explain this ecosystem now, and let me first introduce the relevant players. To start, there's us, the users, everyone. We have a right to digital privacy. At privact e.V. we are representing this group. We do what we as individuals cannot do ourselves, so all our personal data and hence our digital privacy is protected. We always work only in the interest of the users. We at privact follow a very broad definition of personal data. Everything we do because of our active actions or even our passive existence, we consider as personal data.

[00:06:50] And we all use products, we call them services here, that provide some value to us. KDE software, any internet service you use, your IoT bulb, your car are just a few examples. We have a one-to-one relation to them, and usually we have to accept their terms and conditions. These services nowadays consist of something that you install or use on your computer or your property, and something that happens in the cloud.
[00:07:25] In the example of KDE, you install KDE applications on your devices, and then user feedback sends some data into the KDE cloud. While we do this very privacy-conserving and well thought out, you all know of those services where the local part is basically for presenting information and surveillance, while everything else happens in the cloud.

[00:07:58] And the entire idea of the ecosystem we are developing is pretty straightforward. We want that storage and processing of personal data only happens locally. That's it. So, if you want to be in control of your data, you cannot store it in the cloud. Storing in the cloud means you have to trust. And trust is the opposite of control. In our new ecosystem, data needs to be stored in a way that you have control over: locally or in places you actively choose. Computations have to be done locally again, not in the cloud. And any data transfer into the cloud should be a real exception and well justified. Of course, for example, if you buy something in an online store, that store will have to know what you bought, where to send it to and how to get paid.

[00:08:58] And to be even more specific, in the new ecosystem, if a service wants or needs, for legal reasons, for example, to store personal data in the cloud, handling of this data will automatically get authorized by you.
[00:09:12] For this, each data point will get a digital contract assigned by you, stating for what purpose and how long the service is allowed to store this data. Additionally, this data will be signed by the service's public key, so only the service can actually use your data. And this has advantages for you and for the service. You will always know which data is stored where, for how long and for what purpose. And the services, on the other side, can always prove the data they store is legally OK, it is GDPR compliant.

[00:09:51] The rest of the ecosystem I'm going to present now is there to make this pretty simple change work. The change, again, is allowing local storage and processing of personal data.

[00:10:07] But let's first go through the players. Another important player we call research organizations. They are not interested in your, or your, or your, or my data. They are interested in how we as a group behave. This could be KDE trying to figure out what their users like about the software or what they dislike about the software. This could also be a university research group trying to understand human behavior, or your local initiative trying to understand how your neighborhood works, or what. Also, startups and commercial companies fit in here as well. And it is crucial that every research organization has the same access to our collective data.
[00:10:51] After all, our collective data is what drives innovation nowadays. The challenge with implementing something as simple as a traffic jam detector is not in the code. It is in the access to the needed underlying data. And this access needs to be broadly available, but always requires the consent of the individual and must never compromise the individual's privacy.

[00:11:26] To make this all work, we'll need another institution that can act as a trustee and as an advocate for the users. It will do what we as individuals cannot do on our own. At the moment, we're calling it the foundation, because it's not named yet and will be legally set up as a foundation. This, just to be clear, is not privact e.V. The goal of privact e.V. is to find partners to help us get the foundation set up and running. Privact e.V. is there to kickstart the software development, to get the legal bit sorted and to work on the social pervasion. Once the foundation is set up and running, it's time for the e.V. to bow out. But like the e.V., the foundation will be non-profit and always act in the best interest of you, of us, the users.

[00:12:26] The heart of the foundation's work is maintaining what we call a central database schema. It doesn't contain any personal data. It is just a catalog; it lists and describes all the data points local databases can potentially contain. All actual personal data is always and only stored in the user's local databases.

[00:12:53] For this to work, services need to tell the foundation about new data points they want to introduce. The foundation will then check if this data point already exists. If not, it will create it. And all this process is not about censorship. This process is about respecting standards and avoiding duplications. Once the schema is updated with the new data points, it is synced with the local user databases. From now on, services can store data in the local user database. And this workflow is non-negotiable. The local database won't accept any data that hasn't previously been registered at the central database schema.

[00:13:43] The main reason for this is to make it efficient to handle your data. You'll want to share your data with other services too: services that only want to read, but didn't write the data in the first place. They will need a comprehensive catalog of potentially available data points to find the data they actually need to provide the service you expect from them. A good example for this is your address data. Lots of services will need it, but when you move house, you will want to change it once and for all of these services.
[00:14:24] But you also need to control which service is allowed to access which part of your personal data. So for the foundation maintaining the central database schema, this also includes the categorization of data points. These categories could be anything from health data to location data to financial data. Again, this categorization gets synced with the local databases. When a service now asks you to access your personal data, you can choose to allow or deny access to any categories. This is just like today you allow apps on your phone, for example, to access your camera, your address book, or whatever. In consequence, you will always have full control over which services can access which categories of your personal data.

[00:15:18] And finally, we need to get all of this into a legal framework. If a service wants to join the ecosystem, it'll have to sign the foundation's terms and conditions. These terms and conditions will give the foundation the right to audit whether the service follows the rules of local processing and storage of data. And this is a big win for us users in terms of legal protection. If we want to use a service, we have to agree to their terms and conditions. But these now have to be in line with the foundation's terms and conditions.
[00:15:56] And this is a civil law obligation for services to follow the foundation's rules, which we will enforce if needed. For example, in the EU we don't have to wait for the Irish Data Protection Commission to take legal action against services that aren't following the rules. The foundation will handle this on behalf of those affected by data fraud. This is going to be a big improvement in the legal situation for all of us.

[00:16:28] And services will get something valuable in return. They can use the foundation seal at the point of sale or the point of usage to show they respect users' privacy and take part in the ecosystem. This is important because, from the user's perspective, using this system will be just as easy as buying ecological food. As a user, you will just have to look for the seal to be on the safe side.

[00:17:01] Technically, the first compliant service will install all the needed dependencies. This is just a few clicks for you as a user. And after this, you as a user just have to choose the right products, the ones carrying the seal, to reliably protect your privacy. Everything else will just work.

[00:17:21] And this is how the system works from the services' perspective. To sum it up, services are one-on-one services, products that make your life easier. You choose to use them.
[00:17:33] And in the new ecosystem, they are required to store and process data locally. In return, they can use the foundation seal to differentiate themselves on the market against the competition. And they will be compliant with all legal requirements.

[00:17:52] Personally, I would love to see a locally running AI assistant that can access all my personal data and help me to stay healthy or manage my day-to-day tasks. But, as I said before, the envisioned ecosystem isn't just about what's good for us as individuals. As I said before, our collective data is what drives innovation nowadays. Our collective data will help us solve the big and small problems we face in society. At the same time, we need to make sure our individual data is always protected. And we probably don't want to support research from every institution. So I'd be happy to participate in a KDE survey, but there are lots of companies out there I wouldn't want to donate my data to.

[00:18:44] So how do evaluations on our collective data work in the new ecosystem? How can we make sure that everyone involved has given their full consent and that their privacy is protected? To start, the foundation is going to provide a web service where research organizations can ask their research question in a way the system can understand.
[00:19:11] Once again, the central database schema is the source for all the data points that are available for research. Once the research gets started, it hops through all the users following what we call the federated secure aggregation protocol. Then it goes back to the foundation server, where we do last privacy-breach checks. This could be something like low numbers in certain cells. We're going to mask those and send the data to the research organization. So how do we get user consent for the query issuer? And how does the federated secure aggregation protocol work? Let's first look at the consent part.

[00:19:55] Research organizations can report on their social impact and behavior in a number of categories. These categories will evolve over time. But to give you a heads-up, some possible examples are the industry they work in. Are they for-profit or nonprofit? How about employee insurance, like unemployment insurance or health insurance? The existence of unions? Or how many women are on the board? What about their current CO2 balance? And how are they planning to reach carbon neutrality? These are just a few questions they can answer. And just like with services, the foundation will get the right to audit these research organizations, this time focusing on the before-mentioned categories, to make sure that the information the research organizations provided is actually true.

[00:21:09] Now, as a user, you don't have to accept or decline individual queries. Instead, you can define how you want an organization to socially behave, in exactly the same categories the research organizations had to answer before. If the organization that's asking for your data behaves the way you expect, then your data will automatically be included in the actual query. If not, you will not contribute your data. We are matching you and the research organizations. As an example, when you think the proportion of women in company management should be more than 40%, then your data will only be included in research from research organizations that actually have more than 40% women on the board.

[00:22:05] And this mechanism basically turns your access to your data into a direct political instrument. You can directly express what you expect from organizations in terms of how they should socially behave. And this will, in return, encourage organizations to work on improving their behavior. That's because if they do, they'll get access to larger pools of people who will take part in the surveys.
[00:22:38] Meanwhile, the companies will always be aware of the bias in the queries, because they always know who's taking part and who's not.

[00:22:51] There's one notable exception to this rule: as a research organization, services can always query the data they've entered into the local user databases. Let's look at KUserFeedback for an example. KUserFeedback writes data into the local user database as a service. Now KDE can query this data as a research organization without having to fulfill all users' requirements. That is because as a user you have a one-to-one service relation with KDE. This overrides the other rule. If, on the other hand, GNOME wants to query the KUserFeedback data, which they can, then they would have to match users' expectations as an organization. So they will only get the information from users where this matching works.

[00:23:50] That's it for the consent part. Let's, as the last point, look at the federated secure aggregation protocol. Once the query is published, clients can check if they want to participate and register. Once there are enough clients that have registered, the server will randomly assign one of those clients as the aggregation client.
[00:24:16] This aggregation client will create a private/public key pair and send the public key to the server. This key is used for message encryption. Next, the server will create another key pair, this time using the Paillier cryptosystem. Paillier is an additive homomorphic encryption system, and this is used for data encryption. The server now shares the two keys and the survey itself with all the clients. Each client now fills out the survey, encrypts the data using the Paillier key, encrypts the message using the message key and sends all the data to the server, which will forward it to the aggregation client. The aggregation client is now able to decrypt the message, not the data, but it can aggregate the encrypted data using the Paillier system. Once that's done, the still Paillier-encrypted data gets sent back to the server, which can then decrypt the aggregated data without knowing any details whatsoever other than the final result.

[00:25:40] This federated secure aggregation protocol is a combination of well-established data protection and analysis methods. It combines the benefits of federation with encryption and includes final checks for privacy breaches. This way we can be sure that everyone is protected while we can make statements about groups of users.
[00:26:04] You now have a first overview of how the new ecosystem is going to work. There are lots more details, and we'll hopefully have some time to answer your questions at the end. We also offer two Birds of a Feather events on Monday, and our developers, who unfortunately couldn't make it today, will be around then to answer questions which I can't answer, so the more technical ones. And we'll show you a demo of what we've got.

[00:26:31] We were in the lucky situation that we got funding from the German Prototype Fund, and let me take the chance to say thank you for that. It was a great opportunity, and the German Prototype Fund is a really great funding program.

[00:26:44] And to give you more insight into the current state: we have created a patch that allows KUserFeedback to store data as a service in a local database, and we've created the server that allows KDE to evaluate this data using the federated secure aggregation protocol, and thus to get insights into our user base. So as a result, we will be able to learn about our users, what they're trying to do, what they like about our software, what they don't like about our software, and all of this without compromising their privacy. This lets us do great work without having to compromise our values. Gordian's knot has been cut. And who knows, there might be a chance for the year of the Linux desktop to become a reality. We can finally start to innovate, driven by real data from our actual users.

[00:27:47] So, what's the plan for the next steps? First of all, let us start a discussion about how we want to adopt this new technology into our tech stack. What we have is a demo, a proof of concept, not a finished product. Together with you, we can take the demo and turn it into a product. A product we are willing to upstream. Once we've launched our first product, we'd also love to see our friends benefit from it. We are not the only community that respects privacy but in return does not know enough about their users. LibreOffice, for instance, is eagerly waiting for us. If we team up with them, we can take the product beyond the Linux world into Mac and Windows space. This way, we want the ecosystem to mature, step by step. Because basically all user-facing free software communities have the same problem as we do, and we'd love to help them out. This is also why we did not set this up as a KDE project. We're definitely rooted in KDE, but the whole project is meant to grow beyond. Once we've grown to the point where several free software projects have adopted the technology, it is time to officially establish the foundation.
322 00:29:07,325 --> 00:29:13,605 We want free software to benefit from it, but we also want everyone to reclaim 323 00:29:13,605 --> 00:29:15,345 privacy in their digital lives. 324 00:29:16,025 --> 00:29:20,705 That's why we need commercial proprietary services to get involved. 325 00:29:21,565 --> 00:29:25,785 And at that point, there are plenty of reasons for proprietary services to join. 326 00:29:26,625 --> 00:29:32,385 EU legislation, for example, the EU Data Act, requires services to open up access 327 00:29:32,385 --> 00:29:33,605 to the data they produce. 328 00:29:34,045 --> 00:29:36,105 And they will need a working marketplace. 329 00:29:36,785 --> 00:29:42,185 With lots of free software projects using the ecosystem, there'll be millions 330 00:29:42,185 --> 00:29:45,185 of users that have already installed the needed software. 331 00:29:45,645 --> 00:29:51,625 It'll be a proven solution and we provide a legal partner and a transparent marketplace for data. 332 00:29:51,805 --> 00:29:57,165 So services will only have to adjust their technology to work locally again 333 00:29:57,165 --> 00:30:03,225 and they can join a working ecosystem and save a lot of money because 334 00:30:03,225 --> 00:30:08,225 they need less cloud services and less overhead to stay, for example, GDPR compliant. 335 00:30:09,125 --> 00:30:13,665 And once commercial services are up and running, we'll have a business model 336 00:30:13,665 --> 00:30:19,925 that lets us keep the infrastructure in good shape and make it better where it needs to be. 337 00:30:21,325 --> 00:30:27,625 We've created an ecosystem that saves everyone's privacy for the benefit of us, the users, 338 00:30:30,525 --> 00:30:39,225 and of a free and open society. An ecosystem that will always remember its roots: the KDE community. 339 00:30:40,385 --> 00:30:45,065 Well, thanks for your attention. We have some time for questions now. 340 00:31:13,045 --> 00:31:17,985 So thanks for your talk. 
One question, like here we have many developers and 341 00:31:17,985 --> 00:31:23,205 we see homomorphic encryption, that makes sense to us and we can trust it and we can look at the code. 342 00:31:23,605 --> 00:31:28,665 But how would I convince my mother that it's really safe for her to share 343 00:31:28,665 --> 00:31:30,605 the data with us? You don't need to. 344 00:31:31,785 --> 00:31:35,765 Because, well, we would do. We as KDE adopt the technology. 345 00:31:36,005 --> 00:31:38,985 It's not Privact or the foundation trying to convince anybody, 346 00:31:39,205 --> 00:31:43,305 but it is trusted parties like the KDE community, like LibreOffice, 347 00:31:43,445 --> 00:31:48,425 like other free software projects that sort of stand there and say, this is safe. 348 00:31:48,565 --> 00:31:52,705 And we have not sort of asked for your personal data in the last years because 349 00:31:52,705 --> 00:31:54,785 there was no safe way, but now we trust it. 350 00:31:54,785 --> 00:32:02,045 So basically, we are sort of, you know, instrumentalizing other trusted instances 351 00:32:02,045 --> 00:32:05,265 to get distributed and to find users. 352 00:32:09,512 --> 00:32:14,512 Yeah, thanks for the talk. I think it's a very cool idea to have this secure aggregation protocol, 353 00:32:14,712 --> 00:32:20,272 but I don't quite understand how it works because I understand that the split 354 00:32:20,272 --> 00:32:24,392 between the server and the aggregation client is for the purpose that the server 355 00:32:24,392 --> 00:32:25,552 cannot see the individual data. 356 00:32:25,832 --> 00:32:30,812 But how can the other clients trust that the server doesn't select a device 357 00:32:30,812 --> 00:32:34,352 that the server controls as the aggregation client? 
358 00:32:34,912 --> 00:32:37,972 If I, as the server, want to get all the individual data points, 359 00:32:37,972 --> 00:32:39,432 I can just make the server select 360 00:32:39,432 --> 00:32:42,692 my smartphone as the aggregation client and then I have all the keys. 361 00:32:43,112 --> 00:32:46,612 So what do you really win by doing this pattern? 362 00:32:47,732 --> 00:32:53,632 Well, you can't remove trust from the whole equation. We can only try to minimize 363 00:32:53,632 --> 00:32:54,912 the needed amount of trust. 364 00:32:55,152 --> 00:33:00,112 And obviously the foundation is an institution that will have to earn the trust 365 00:33:00,112 --> 00:33:06,752 that is needed so you can rely on it not working as a bad actor. 366 00:33:06,752 --> 00:33:11,312 We've set up the technology in a way that it sort of minimizes the need to trust, 367 00:33:11,472 --> 00:33:15,332 but in the sense if you want to attack a system, you can attack any system. 368 00:33:15,472 --> 00:33:24,312 And there is trust left that the foundation needs to earn and needs to justify that it has. 369 00:33:24,492 --> 00:33:28,532 And we want to try to use best patterns there are. 370 00:33:28,592 --> 00:33:31,772 So we obviously do everything open source. We want to, you know, 371 00:33:31,792 --> 00:33:35,992 have the foundation, the foundation itself needs to get audited by external 372 00:33:35,992 --> 00:33:39,092 instances that it actually does what it claims to do. 373 00:33:39,312 --> 00:33:44,792 Yeah, we want to encourage white hat hackers to, you know, find flaws in our 374 00:33:44,792 --> 00:33:46,052 system and so on and so on. 375 00:33:46,092 --> 00:33:51,232 So we want to improve, we want to apply all the best practices that are out there. 376 00:33:51,592 --> 00:33:55,992 But in the end, you're right, if you want to sort of criticize it to the end, 377 00:33:56,012 --> 00:33:58,572 there is trust needed. Yeah. 
378 00:34:09,852 --> 00:34:17,452 So you talked about the conditions that you would like the research organizations 379 00:34:17,452 --> 00:34:25,072 to answer about themselves that would be used to select which end users, 380 00:34:25,372 --> 00:34:28,872 and the end users have answered similar questions about which of them they're willing to share with. 381 00:34:30,192 --> 00:34:34,252 That's going to require a lot of thought, is the place I sort of need to put. 382 00:34:34,552 --> 00:34:44,332 For example, you go, okay, we will ask a question that is, does your board comply 383 00:34:44,332 --> 00:34:48,772 with 50% female representation, for example, and as an end user I said I want that. 384 00:34:49,892 --> 00:34:54,772 But then the research organization that gets set up, 385 00:34:57,369 --> 00:35:00,529 funded by businesses that 386 00:35:00,529 --> 00:35:03,989 do not conform to those rules and is 387 00:35:03,989 --> 00:35:09,609 set up with enough funding to do that and is independent once it's set up, can 388 00:35:09,609 --> 00:35:15,469 gather that information and sell it to the available customers, and in order 389 00:35:15,469 --> 00:35:19,689 to survive as a business it's going to need to do that, and so it's going to 390 00:35:19,689 --> 00:35:23,829 sell the data on to people who don't necessarily conform to those constraints. 391 00:35:24,349 --> 00:35:30,829 So some care may be required in formulating the conditions on research organizations. 392 00:35:31,709 --> 00:35:36,209 Yeah, well, you point to a problem that can't be solved technically. 393 00:35:36,489 --> 00:35:38,709 That's a problem that has to be solved legally. 394 00:35:39,209 --> 00:35:44,389 So basically, that's something that will have to be addressed in our terms and conditions. 395 00:35:44,589 --> 00:35:50,049 And we'll have to audit organizations to behave well. And if they don't, we have to sue them. 
396 00:35:50,649 --> 00:35:55,109 But this is something we can do as a foundation because this is something you 397 00:35:55,109 --> 00:35:56,929 can't do as a user. You can't sue Google. 398 00:35:57,489 --> 00:36:03,129 That just won't work out. But this is something we want to do and this is why 399 00:36:03,129 --> 00:36:08,849 I said it's not only technology, it's also the legal bits and pieces and it 400 00:36:08,849 --> 00:36:10,389 is the social persuasion. 401 00:36:10,489 --> 00:36:14,789 These are the three important pillars we have to work on and technology is only one of those.