Frequently Asked Questions
The Witness Angel Project
The Witness Angel project is actually made up of several distinct initiatives:
- A media relay for VictimTech news (see glossary)
- A think tank for sharing expertise between VictimTech entities
- A technological laboratory to develop personal witnesses
- A technical and ethical label for organizations developing similar recording systems
The core of the project remains the tech'lab, and all the technologies that it develops for the benefit of victims of violence.
By extension, we will say "a Witness Angel" to designate a portable device conforming to the values of the project, such as the crucial "Familiar" described below in the FAQ.
Write-only (or shared custody): Unlike "read-only" computer data, which can be read by anyone but requires elevated privileges to be written, write-only data can be easily written, but requires special permissions or procedures to be read.
Familiar: Concept inspired by the protective companion-creatures of imaginary universes, which represents the ultimate objective of the Research & Development effort of the Witness Angel project. A Familiar is a portable personal witness, discreet, able to collect many different kinds of information (audio, video, GPS...), to encrypt them in write-only mode, and to remain active for long periods of time. It can take the shape of a smartwatch, a jewel, an app for smartphones, a handbag...
Flightbox: A distributed cryptographic algorithm that allows the creation of extremely secure, write-only containers thanks to a "shared custody": these containers can be easily created, but they require a procedure between several entities to be read. The technological devices developed by the Witness Angel project rely heavily on this algorithm.
Bearer (or carrier): Physical person who possesses and carries a Witness Angel device, and controls one of the keys mandatory to decrypt its data.
Revelation: The concerted process of gathering scattered decryption keys between the victim and various trusted third parties, in order to reconstruct evidence of a crime.
Synergy: The informal network of VictimTech organizations (both for-profit and non-profit) that are interested in sharing expertise and insights, in order to increase the common impact for victims.
Trusted Third Party (or Key Guardian): A legal entity, such as an association, company, or government agency, that is responsible for distributing encryption keys to keyholders, and participating in Revelations when requested. Victim assistance associations (hotline, emergency accommodation, legal advice...) are for example good candidates to become key guardians.
VictimTech: Ecosystem of technology initiatives in favor of victims of violence. Their apps and connected objects help raise the alarm, collect evidence, or increase awareness about different types of violence as well as the right ways to respond to them.
Ward: A set of wired variations of Witness Angel devices, designed to be placed in real estate or cars, creating "zones protected by video-testimony". When these zones are in public places, the Flightbox algorithm can use a less geographically extensive set of trusted third parties, to simplify access to data in the event of a crime.
The Witness Angel's team is currently an informal, non-profit collective of freelancers passionate about technology and graphic arts.
These freelancers occasionally sponsor internships in order to help the development of computer modules and communication around this concept.
The intellectual property of the project (including the brand and the logo) is protected by the company Prolifik SARL, until Witness Angel has its own legal entity to take charge of it.
This legal entity will probably be an association, a company foundation, or a federation of associations, according to what is most beneficial for the initiative.
Becoming a commercial enterprise was an option considered at the beginning of the project; it would have allowed the Witness Angel project, valued for its innovations such as Flightbox, to quickly access funding and the network of entrepreneurs, and thus greatly accelerate the development and publicity of its technological devices for victims.
However, a for-profit form would have subsequently complicated the relationship with other VictimTech initiatives, whether commercial, associative or state-based. And even if a "social economy" positioning had allowed us to affirm the values of the company, the relationship with initial investors would have remained a constraint for the future.
We have therefore favored a slower approach as a self-financed collective, which gives us more neutrality to engage with all types of entities, to freely distribute our technological building blocks, and to guide the deployment of a complex ecosystem: heterogeneous network of trusted third parties, interconnection with the Justice system, certification of devices developed by third parties...
Eventually, we will have to find funding to increase our communication and research projects, through partnerships with companies or grants, but without - again - competing with other non-profit organizations on the subject.
Everyone can read into the logo of our project the meaning that speaks to them most.
Some will simply see a play of shapes and inversions on the acronym "W.A".
Others will see angelic wings.
Others will see a left hand extended towards the observer, palm upwards.
Others will see a flame reminiscent of the Olympic Games or the Statue of Liberty.
Others will see waves being pushed back, like the story of the opening of the Red Sea.
The concept of familiar
A Familiar, a personal witness with long energy autonomy, could take multiple physical forms:
- connected bracelet or pendant
- connected glasses
- device integrated in the handbag
- any other wearable form is possible: shoulder pads, belts, shoes...
The exact shape of the first prototypes will depend on multiple constraints of miniaturization, autonomy, and aesthetics.
The information linked to a Witness Angel certified device - encrypted records and encryption/decryption keys - faces a classical problem of computer data: the need for both confidentiality and durability, i.e. protection against both data leakage and data loss.
By default, these two properties seem antagonistic: to avoid losing data, it is necessary to replicate it in several geographical locations, but the more widely data is disseminated, the greater the risk of it falling into illegitimate hands.
Witness Angel solves this problem by using, in its Flightbox algorithm, a threshold cryptosystem, or shared secret: data pieces are split between N "trusted third parties", and it is necessary to solicit at least M of them (with M lower than N) to reconstitute the initial data. Thus, decryption always involves the agreement of a significant number of independent entities (confidentiality), but several of them can disappear without any loss of data (durability).
The system also incorporates mandatory secrets, for example to ensure that a State entity, as well as the bearer himself, are included in any decryption operation; while other trusted third parties can remain relatively interchangeable.
Each entity must follow strict procedures with respect to the partial data it manages: over-encrypting it on reception in order to prevent its theft by devious means; destroying it after a few days if the bearer of the device has decided to do so; and applying emergency actions if a security flaw is detected (new encryption pass with a corrected algorithm, or deletion of the data as a precaution). Most of these procedures will have to be integrated "by default" in the software (client and server side) of the application ecosystem.
Finally, let us note that the Witness Angel system does not require any particular disinterestedness or probity from the trusted third parties. The bits of encrypted data that they hold are unusable as they are, so their own interest, financial (for companies) or reputational (for citizen associations), as well as the fear of judicial repression, will naturally lead them to respect the security procedures of the system.
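To make the M-of-N threshold plus "mandatory secrets" idea concrete, here is an added example (not the project's Flightbox code, whose actual construction is not described on this page). It assumes a simplification: the container key is first XOR-split into one part per mandatory holder (bearer, State entity) plus a remainder, and only that remainder is Shamir-split M-of-N among interchangeable guardians over GF(2^521 - 1); every mandatory part and any M guardian shares are then needed to rebuild the key.

```python
import secrets

# Mersenne prime 2^521 - 1: any 256-bit key is a valid field element.
P = (1 << 521) - 1
KEY_BYTES = 32


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest degree first) at x, mod P."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def shamir_split(secret_int, m, n):
    """Split secret_int into n shares; any m of them reconstruct it (Shamir)."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    coeffs = [secret_int] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def shamir_recover(shares):
    """Lagrange interpolation at x=0; only correct when len(shares) >= m."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def split_with_mandatory(key, mandatory_names, m, n):
    """Layer 1: XOR the key into one random part per mandatory holder plus a remainder.
    Layer 2: Shamir-split the remainder m-of-n among interchangeable guardians."""
    acc = int.from_bytes(key, "big")
    mandatory = {}
    for name in mandatory_names:
        r = secrets.randbits(8 * len(key))
        mandatory[name] = r.to_bytes(len(key), "big")
        acc ^= r
    # acc == key XOR all mandatory parts: useless without every mandatory holder
    return mandatory, shamir_split(acc, m, n)


def try_recover(mandatory_shares, guardian_shares, key_len=KEY_BYTES):
    """Rebuild the key; returns None when the guardian quorum was clearly not met."""
    acc = shamir_recover(guardian_shares)
    if acc.bit_length() > 8 * key_len:
        return None  # interpolated garbage: too few or tampered guardian shares
    for part in mandatory_shares.values():
        acc ^= int.from_bytes(part, "big")
    return acc.to_bytes(key_len, "big")


def revelation_demo(m=3, n=5):
    """Constructed scenario: a 3-of-5 guardian quorum plus bearer and State as mandatory."""
    key = secrets.token_bytes(KEY_BYTES)  # constructed container key
    mandatory, guardians = split_with_mandatory(key, ["bearer", "state"], m, n)
    # Durability: n - m guardians have vanished, the remaining m still suffice.
    surviving = guardians[n - m:]
    with_quorum = try_recover(mandatory, surviving) == key
    # Confidentiality: the bearer refuses, even a full guardian set cannot help.
    without_bearer = {k: v for k, v in mandatory.items() if k != "bearer"}
    bearer_refused = try_recover(without_bearer, guardians) == key
    # Confidentiality: m - 1 guardians colluding with every mandatory holder.
    too_few = try_recover(mandatory, guardians[: m - 1]) == key
    return {"with_quorum": with_quorum, "without_bearer": bearer_refused,
            "too_few_guardians": too_few}


if __name__ == "__main__":
    print(revelation_demo())
```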
The length of time the recordings are kept is at the discretion of the bearer. He can decide to keep the data for a few days or weeks before automatic deletion, as is currently the case for "car dashcams". But he can also opt for a higher level of legal protection, by keeping the recordings for years or even indefinitely. The preservation of data - even if only to cope with the growing volume - will then require more consideration.
If a slice of data has been flagged as important (e.g. if its recording was triggered by an event, or if the bearer has subsequently marked it as such), it shall not be automatically deleted.
By default, if the bearer takes his (partial) decryption key to the grave, all the data he has stored becomes unusable, and must even be legally deleted.
This can be a problem for obtaining justice, for example in the case of the murder of the bearer. Hence the idea of allowing, in the long run, a post-mortem testimony of the deceased - but obviously within a very strict regulatory and technical framework: the bearer must have designated, for example in his will, one or several heirs of his Witness Angel device, and delimited the data that they would be entitled to handle. The bearer must also have prepared the legacy of his personal encryption key through a confidential process; such a process will require - again - the intervention of several trusted third parties, so that the heir is the only one able to obtain this legacy key, and only after the death of the bearer.
No human system can be guaranteed inviolable, in particular in a very dynamic field like computing. Despite the unprecedented level of protection offered by the Witness Angel system, one can always imagine a revolution (quantum computer, alien invasion...) that would expose the data of some users, before the purge systems take effect to erase the rest.
But the Witness Angel doesn't need to be inviolable, it just needs to be the "strong link of the chain", the "best defended attack surface". Indeed, what is the point of putting a triple-armored door on a house, if the windows or the walls can be easily pierced?
There is already a wide range of means to spy on an individual's private life: tailing, bugging, computer spyware (e.g. keystroke recorders), hacking of email or personal assistants, spying on social networks, tracking of online browsing with advertising cookies... As long as these means remain much simpler and more discreet to implement than hacking a single slice of data of a Witness Angel device, the fears about the latter will remain without much relevance.
As a reminder, hacking a Witness Angel requires retrieving data potentially scattered in several countries, in entities of very different types (public services, companies, associations, personal servers...), and then breaking several extremely strong encryption algorithms using very long keys. These are challenges that are currently (2021) too great even for state agencies; hence the pressure to introduce "backdoors" in operating systems and cryptographic software, and the efforts to stop software projects refusing these pressures (this seems to have happened to the TrueCrypt project).
Because of its time-stamping mechanism, a Witness Angel ensures the anteriority of the stored data; and various protections (authentication, signature of the digital fingerprints) prevent alteration of encrypted containers without the knowledge of the carrier.
But, like any recording device, it is vulnerable in the event of falsification of the input data streams. However, several systems can be used to greatly limit the risk of spoofing.
- The streams can be analyzed with the usual means of investigation, to verify that they are not edits created in advance, or recordings tampered with on the fly by algorithms (e.g. adding artificial voices to the soundtrack).
- Physical sensors (e.g. photographic) have their own fingerprint, which can be used to recognize the origin of multimedia streams.
- The spatio-temporal comparison of data from several Witness Angel devices present on a scene can reveal inconsistencies, and thus manipulations.
- Sensors (cameras, microphones...) coming from certified organizations can sign the data streams as soon as they are captured, and thus attest to their non-fraudulent origin - hacking such hardware chips would be an extremely complex operation. However, this will probably not prevent even these sensors from being fooled, for example by filming a screen, or recording an audio speaker; they will therefore provide marginal protection compared to those above.
On the contrary, Witness Angel is in our opinion an anti-1984 remedy.
The dystopia of the novel 1984 is already strongly in place on our planet, with:
- The excessive multiplication of surveillance cameras, whose "juicy" recordings end up on the Internet, when it is not the whole camera that is publicly exposed to voyeurs - for example on the Insecam directory.
- The extreme ease of recording people without their knowledge, on a smartphone or via small spy cameras available on the market at a low price.
- The plundering of user data by websites (down to mouse movements and keystrokes) as well as mobile applications (some of which activate the microphone without your knowledge); a phenomenon aggravated by the economic model of social networks, where the user is the commodity, and where data is resold in all directions, as the Cambridge Analytica scandal has shown.
- The "Big Brother" devices to buy yourself, like Google Home or Amazon Echo, which record even the most innocuous conversations in your home, analyze them, and store them without much security, or even send them to contacts by mistake.
- The opacity, on the other hand, in which states and multinationals swim (defense secrecy, tax secrecy, business secrecy...), opacity that is only disturbed by a few whistleblowers and their data leaks.
- A.I. software and algorithms that make it possible to counterfeit videos, to change words or faces in an almost indiscernible way (deep fakes), and thus to create an "alternative truth".
- Automated recognition of biometric data, faces, walks, which is becoming "democratized" (if one can say so), sometimes coupled with surveillance from the sky (e.g. in China).
- The generalized rating of citizens that is being implemented, again in China, etc.
Witness Angel, on the contrary, is proof that there is no contradiction between the right to security and the right to privacy, and that each human being can be guarantor of the truth and guardian of his personal data, in maximum autonomy.
The unprecedented level of protection added to the device (which can only be exploited within an official judicial framework, with the agreement of its bearer, and cannot be "seized" by the authorities), and the freely auditable nature of its code, allow any competent citizen to check by himself that this anti-1984 philosophy is respected.
The Witness Angel is therefore a rebuff to those who use fear (of aggression, of terrorism...) to implement excessive surveillance of citizens; and a counter-example to those who think that the massive exploitation of personal data is an imperative to offer new innovative services.
"Paranoia" is mainly born out of vulnerability and insecurity. If many people go to work in fear, it is because they know that their superiors or colleagues have them in their power, and can continue to harass or grope them with almost complete impunity.
A person who is allergic to bees will be much more anxious about field trips if he/she does not have an adrenaline syringe at hand. A violinist will be much more cautious when traveling if his instrument is not insured. A buyer will be much more suspicious if he has to pay for his goods by an unsecured means. A mountain climber will be much more fearful if he climbs a wall without being secured by a rope. And there is nothing wrong with these reactions. "Fear is wisdom in the face of danger. It's nothing to be ashamed of." (Sherlock: The Abominable Bride).
Protective measures are the consequences of fears, not their causes. On the contrary, it is when they know they are protected that humans can interact freely with each other. The Witness Angel is a device that will strengthen trust in human relationships, since lying and manipulation will not pay as much as before, and victims will be able to testify without having their word immediately questioned.
A Witness Angel device does not cause problems of image rights, because the recordings can only be deciphered in a judicial context, where suspects and victims already have their personal lives thoroughly searched by prosecutors and lawyers, and where the confidentiality of the proceedings is largely regulated by law.
On the contrary, by allowing rapid access to the truth, this device makes it unnecessary to have endless debates about the intimacy and past of the protagonists, which are used by the prosecution or the defense to discredit their testimonies (unreliable demonstrations if ever there were any).
The need for the consent of recorded persons, which derives from this right to image, is similarly rendered unnecessary by the device; unless we need the consent of the criminals before having the right to collect evidence against them.
This principled prohibition is based on harms such as invasion of privacy, or media manipulation, harms that do not exist in the Witness Angel system.
There is actually a legal void for this new concept; and this happens very often in technological innovation:
- There was no law governing electric scooters when they first appeared. Should they be used on the sidewalk or the road? At what speed? Their use became widespread, and the law came to regulate it.
- Initially, there was no law governing drones and their cameras. Where could they fly, what could they film? Here again, regulations have filled in their own gaps.
From then on, our goal is to spread the Witness Angel concept and its prototypes, and to accompany legislative evolutions to take into account the specificities of these devices; devices which are in any case under the constant supervision of Justice during their phase of Revelation of the records.
However, there are some encouraging facts:
- Sexist, homophobic, child abuse, and other forms of violence have been in the spotlight in recent years, so society is looking for solutions.
- A certain awareness is already in place regarding the "privacy vs. security" debate. Institutions like the French CNIL and regulations like the European RGPD (GDPR) have been set up to tackle the problems brought by new technologies. The Witness Angel will therefore not arrive in a legal desert.
- Car dashcams have set a precedent, showing both their invaluable contribution (e.g. with insurance scams) and their limitations regarding privacy.
- The French police have been equipped with bodycams since 2016, and firefighters have been working on them since 2019; devices that are much less secure than a Witness Angel, and asymmetrical because civilians do not benefit from them, but devices that are nonetheless well received on the whole; police officers in the USA also use such cameras, with again the risks associated with the absence of a write-only system.
If, for example, a person is stabbed in the street, the exploitation of Witness Angel device(s) present at the scene could sometimes reveal embarrassing information about passers-by not involved in the case.
But the following facts should be noted:
- The invasion of privacy is immeasurably stronger when it is a question of usual surveillance cameras, or of a traditional investigation which will dissect the schedules of all the people implied from near or far.
- The disclosure of the recordings of the Witness Angel is done in a restricted circle, only with people linked to the legal procedure, and subjected to the same level of secrecy as this one.
- The same technologies which today allow Web companies to spy on private life can be used to minimize the revealed information. Thus, it is possible to entrust artificial intelligences with the search for relevant passages (scenes of quarrel, presence of certain protagonists...) without having to view everything. And it is possible to stratify the information (e.g. automatically blur faces, nudity and license plates) as long as more details are not required by the investigation.
- The wearer will have the ability to finely filter what he/she wants to show or not show in court, just as he/she would carefully choose words for an oral or written testimony.
Thus, if Witness Angel does not entirely erase the intrusion of judicial investigation into privacy, it limits it drastically, which is an undeniable progress compared to the current situation.
Many people reacted in the same way when seat belts or smoke detectors were introduced into society, and then got used to them very well. As long as Witness Angel protects the victims of crime without harming the innocent, and as long as it only adds privacy constraints to existing means of recording, one can predict that it will eventually be washed clean of prejudice, and become part of the landscape.
The difference with the seat belt and the smoke detector is that in its very concept, a Witness Angel device requires to never be mandatory.
Indeed, being only a consolidation of the individual testimony - testimony to which the right to silence can be opposed - this personal "black box" can be used only with the full agreement of its bearer. The important thing will be that those who want to protect themselves with Witness Angel devices can do it.
Of course, nothing will prevent an authoritarian state from massively violating the private life of civilians, or from forcing its citizens to carry recorders. But that would be an initiative unrelated to Witness Angel: such a state will not bother itself with the technical and legal protections which go with this device, and on the contrary will require direct and unlimited access to the collected data.
Because of its "write-only" design, the Witness Angel prevents any voyeurism. What could happen, on the other hand, is that someone disguises a standard recorder to look like a Witness Angel. But on the one hand, it will be much easier and more discreet to use a hidden recorder (e.g. a spy pen, or an application running in the background on a smartphone...). On the other hand, it is planned that a Witness Angel device can be easily audited (including by a simple citizen), so that its software and its hardware prove at any time to be in conformity with their founding principles.
The Witness Angel device being impervious to misappropriation (blackmail, buzz videos, revenge porn...), an aversion to it will be more a matter of "taste and colour", or of phobia, than of rationally justified fear. A society could democratically judge that this "moral discomfort" is more important than the protection of millions of victims and wrongly convicted people; but a society that banishes the Witness Angel without proposing an alternative will have no credibility to be outraged at the injustices and judicial fiascos that fill the news.
By design, the Witness Angel system is not intended to demonstrate the non-existence of a fact. For example, if a perpetrator ties a bag of drugs under a bearer's car, the bearer will not be able to easily demonstrate that he had nothing to do with the trafficking. A deep search (preferably automated) of the available records over a long period of time might partially exonerate him from participation in a criminal network, but only other elements of the investigation will provide tangible evidence of his innocence.
As a matter of principle, the Witness Angel system prohibits forcing a bearer to reveal the contents of his recordings. This can be frustrating if the bearer is suspected of a crime and retreats into silence, or delivers only a few carefully chosen (and thus non-conclusive) extracts; but it must be kept in mind that a single infringement of this principle of "extended right to silence" would massively discourage citizens from wearing the device, which would have much more serious consequences on the judicial truth in the longer term. Justice will thus sometimes have to fall back entirely on the other means of establishing facts, even when active Witness Angels were present on the scene.
The Witness Angel will not always be able to protect children and other persons under guardianship: if their legal guardian is also their abuser, he/she may obstruct the use of this device. But social services could take the lead in such cases, and impose protective measures, according to what will be provided by the law. In the same way, some vulnerable people (battered spouses) will have greater difficulties in using the device without risking retaliation, but the miniaturization of the device could help the state and associations to collect evidence anyway.
In an authoritarian state, where the police can arrest and torture a citizen at any time to force him to reveal his/her secret code, and where the judicial system no longer respects fundamental rights, the Witness Angel will not be a useful device; human rights defenders will be better off relying on concealed and unilaterally encrypted recording devices, to gather and disseminate evidence about government crimes.
Another limitation is inherent to the incomplete aspect of the recordings: according to the periods of use of the device, and the chosen duration of archiving, certain key moments could be missing at the time of a Revelation procedure; it will then be necessary to hope that other witnesses of the scene had a Witness Angel switched on, and a sufficient conservation of the data.
A technical constraint concerns the size of the stored data: being encrypted, they will have a high "entropy" of their binary content, which will prevent them from being efficiently compressed. And since they will be encrypted, it will not be possible to convert them into better or less accurate audio/video formats when they get older (and therefore less likely to be reused later). A good compression "at the source" of the data will therefore be necessary in order not to waste bandwidth and disk space.
Finally, the last known limitation, also technical, is that of the autonomy of the Witness Angel: recording, encrypting and transmitting data is an extremely energy consuming process; some forms of this embedded device will not be able, in the current state of science, to operate more than a few hours between each charge. But the use of chips dedicated to encryption, and alternative energy sources (skin heat, movement, wireless energy...), will eventually improve the autonomy of portable devices.
Rapid herd immunity: even if a tiny minority of society embraces the Witness Angel concept, it will have a great psychological impact among criminals and stalkers, who will not know if their next victim can trap them at their own game; non-carriers will therefore benefit from this drop in crime. Compare this, for example, to the herd immunity of vaccines, which typically requires more than 60% of the population to be vaccinated before the rest of the population gets protected as a side effect.
Judicial optimization: by giving a fast and probative access to elements of proof, Witness Angel will accelerate the legal procedures, will unclog the courts, and will allow important savings on legal expenses; while avoiding the "great unpacking of private life" which harms the protagonists of the cases, even those innocent.
Simplification of human relations: many aberrant procedures are born of lies and the mistrust they engender. Thus, if (in France) the joint guarantor of a tenant is obliged to copy out at length, by hand, a page of legal jargon, it is to prevent him/her from later denying having been informed of what he/she was committing to. The Witness Angel, an anti-bad-faith weapon, will make this kind of administrative embarrassment largely unnecessary.
Ergonomics in emergency situations: when an incident occurs, Witness Angel bearers can react in an appropriate way, instead of taking out their cell phone to film the scene (which sometimes looks like not helping a person in danger); wide-angle sensors, or even front-back sensors, can then compensate for the absence of manual framing of the device. This will not prevent some witnesses from using standard cameras, to "make the buzz" or sell images to tabloid media, but this is another problem.
The exact economic model of Witness Angel devices is a secondary issue, which might vary enormously from one country to another.
It will be shaped by the constraints of the system (such as the respect of the independence of the trusted third parties, the auditability of the hardware and software...) as well as the decisions of the bearers, as much regarding the purchase of the device as in the choice of the guardians of the keys - or even of the data.
The Witness Angel ecosystem will thus be able to mix citizen associations, commercial companies, regulated professions (bailiffs, notaries...), and state organizations - including, of course, the Ministry of Justice.
The essential will remain that the core values of the system are respected, among which the affordability allowing any person to get a Witness Angel; even if everyone will not have the desire or the means to pay for advanced options (long duration archiving, complementary alarm system...).