and I'm really excited, actually, to see so many familiar faces.

And I wanted to tell about my story and how I came to work in anonymity.

18 minutes isn't really a lot of time to sum up a decade of work,

but, I'll try.

And I'll start by saying that I met Roger Dingledine, Rachel Greenstadt

and Nick Mathewson at a Hacker Convention in Las Vegas.

And they told me about this idea, this idea of anonymity.

This idea that every person has the right to speak freely,

the right to read without exception.

This idea that it should be available to each person.

They introduced me to the philosophy but also to the technology.

And the technology was very fascinating to me.

Overall, what I found to be interesting was this idea that

not one human should be excepted from the basic human rights,

that we, generaly, I think, as a world, agree should exist,

should be something that is equally accessible to all,

regardless of class, race, gender, sexual orientation.

But what does that actually mean?

Well, it turns out, for the Tor Project —

which is a free software project for freedom, that I and many others work on —

what it means is to actually put enabling technology into the hands of each person

so that they can choose whether or not they wish to use it.

And so, what Roger and Nick and Rachel and other members of the Tor Project

— who are incredibly inspirational to me —

what they were able to show me was that by making it free software,

this means that each person would be able to inspect the software

— should they wish — or to delegate that task to someone who understands that.

It means that each person without cost

would be able to use the system and it would allow them

to communicate across boundaries that previously were not something

that they could transgress without serious risk.

This kind of idea, it doesn't seem terribly radical, I think, in the West.

But in some parts of the world this is extremely radical,

this notion that you have the right to speak freely,

that you do not have to add a national ID card to every statement that you sign,

that in fact you might want to show evidence of a crime

and you don't want to take any credit at all for that.

In some ways it's a strange thing. But in some fields it makes sense.

We all have our own personal relationship to privacy and to anonymity.

And, we just don't call it that, usually.

So, everyone in this room seems to be wearing clothes, as an example.

I want to use the example of curtains in the window but the Dutch, well —

curtains and windows that's not really a good privacy enhancing technology

since so many people seem to not use them.

But clothes are a good one, because clothes are an example

of how technology and society may not be perfect,

but we're still going to try anyway.

And so, what Tor as an anonymity system is trying to do is to give us some autonomy,

so that we have the ability to choose when we wish,

a thing which we do not claim as perfect,

but we claim is better than what we have without this system.

And, what is that exactly?

It's a simple piece of software that you install on your computer or onto your telephone,

that can be use with web browsers, with chat programs or whatever you'd like.

So if you want to leak a document to the New York Times,

or to a reputable source like WikiLeaks,

then you could very easily use something like Tor to do that.

It is essentially agnostic in the sense that

if it runs over the protocol known as TCP/IP, that's specifically TCP,

then that will be something that will work with Tor.

So, if you use the Internet, you're probably able to do a lot of the things

you do on the Internet with Tor.

But, to actually talk about why you would want to do that,

we sort of have to address what it is that we want to think about.

And so, when we talk about anonymity in the Tor project,

it usually creates a strange feeling for people. For example, they say,

"Well, you know, I don't really have anything to hide"

or "Well, I'm using this service and they promised that they won't,

you know, they won't do anything bad with that data."

So what we want to do is to create a clear dividing line between

what we would call privacy by policy and privacy by design.

Privacy by policy is where a group of people collect all of your private

— ostensibly private — communications and information,

and they promise that they're not going to give it to anyone else.

Sounds like a great deal right?

So, think about it this way: how many of you,

if I could have a show of hands in the audience,

would be willing to have a stranger, completely —

have all of the information on your government issued ID cards

and everything in your wallet,

which was issued by an agency of some kind or a company

how many of people here would just empty their wallet on the street

and show all of that to a random passer-by that asked for it?

Anybody here?

I'm glad there is at least one person. Thanks!

Well, this is an interesting thing, because many of you didn't raise your hands.

I think you probably thought that was the right answer.

But, as it just so happens, the interesting notion here

is this idea that, somehow, because you don't show it to someone,

because the State keeps it in confidence, that it's private.

Well how could it be private information if the State forces you to give it up?

That's kind of strange.

And that only certain members of a privilege class

— of privilege employee class, no-less —

are allowed to have access to that information in an unfettered manner.

Well, that's strange, to me,

that that would be considered private.

But that's the kind of privacy by policy. And sometimes it works alright.

So it works really well in cases where

it is especially not important that that information is not released.

So, in the case of, say,

you're a victim of domestic violence,

it is probably the case that if that information exists somewhere,

and someone could get it, it would be quite damaging to you.

It could be damaging to your literal life.

So, in a privacy by design world,

what we might do is create a system where

you no longer release your real home address when you need to give that up.

In the State where I live in the United States,

there's the thing called the address confidentiality program.

And what they do is they give you a special card

and this card allows you to say that this is your home address.

But if an abusive person exists within one of these State's agencies,

— say you being harassed by a law enforcement, as an example —

then if you are in this database,

then it would allow you to make sure

that the only people that could get that information

were people who could get it from the agency that keeps it safe,

including from all of the other agencies.

This is a kind of privacy by design system, but still a not very strong one.

Because ultimately, the authority to release your information

rests with someone other than you.

So with Tor, what we're trying to create is a system

— and we have created this system —

where that isn't the paradigm.

The paradigm is an absolute privacy by designed system,

given certain constraints.

So, assuming that, the person that wishes to know you are

cannot watch the entire Internet, all at the same time.

When you use the Tor network, your local network,

that is usually the place where censorship and surveillance occur

in a way that is linked to you,

to your national ID card, to your credit card, to billing information,

that connection only sees that you're connecting to this anonymity network.

So that's really fascinating because it means that when you visit a website

or when you visit a service of some kind,

it does not know that you're in Belgium anymore.

So if you've ever seen one of these movies where they trace a hacker

all the way around the world, and they say,

"Oh, they're over here! Oh, they're over here!",

it sounds kind of cheesy, but it's true.

What Tor enables you to do is exactly that,

except that the tracing stops at the Tor network.

And the idea is to compartmentalize this

because if you have to trust one agency to never betray you

that means there's only one agency, there's only one group,

there's only one database that needs to be compromised to ruin your day.

And in some cases the things that are disclosed —

perhaps a disease status,

perhaps what gender you're actually born regardless of how you present —

these things become public information in a way that cannot be non-public again.

So, if you happen to be doing research for business,

if you happen to be doing this in some context

that has legal ramifications, that kind of thing can destroy your career.

But if you happen to be a gay rights activist in Uganda,

it could also be the end of your life.

Where surveillance is often in support of authoritarianism,

and specifically in support of violence.

Surveillance is one of the pieces of the puzzle

that allows an authoritarian regime to do serious harm to people.

Because it is the all-seeing eye.

It knows who you talk to, it knows what you say,

— these kinds of so called lawful interception systems —

they can cause a lot of harm.

So what Tor seeks to do is not to go to war with these countries, where

— we'll call them Overthereastan — that's not the goal.

The goal is to empower each person

to choose whether or not they wish to have the ability to speak freely.

Each person gets to choose whether or not they are going to read a thing

and not have to suffer the consequences of having read a thing.

Cause when we talk about privacy, we're actually talking about dignity.

We're talking about autonomy.

And we're talking about the ability

for each of us to develop as a human without that exploration phase,

which hopefully last our whole lives, without part of that exploration phase

irreparably damaging our lives.

This notion of "it will go down on you're permanent record"

has never been more true than it is now.

Because it is the case, that what we do, it is recorded.

And, unfortunately, it is not just a problem of Overthereastan,

it is a problem here.

For example, Bits of Freedom, in the Netherlands

recently published a document about the so called "Clean IT" program.

And this program essentially seeks to

monitor the entire Internet.

Even when people in this room are not suspected of a crime

all of the things they do, all of the places they go with their cellphones,

— which are tracking devices that make phone calls —

(Laughter)

All of that data would be used

and would be allowed to be retroactively used to police,

which sounds fantastic except it gets rid of this presumption of innocence.

And then, instead it creates this chilling effect

where the things that we do, the places that we have gone,

the people we have associated with, the people we have talked to,

and in some cases, in many cases in fact

the full content of what we have said

all of that information being recorded, proactively.

And then when someone needs to find,

allegedly, a criminal, then that data is there for them.

But the problem is that data that is retained,

for example in the data retention policies of the European Union,

well, it tells a story about you potentially,

that is made up of facts, but is not necessarily true

to the narrative that someone else has told with those facts.

So to give an example, I know of a person by second relation

who, while being surveilled,

decided that he wanted a free day.

And so he put his train, which he takes all of the time,

onto his schedule as he always does,

and he put his phone into the train,

and he got off at the next stop.