Amandine 'cryptie' Jambert, CNIL & FSFE privacy scandals
There have recently been concerns raised on various mailing lists about the identity of Cryptie in FSFE.
For many years, Amandine Jambert has wandered around the free software world using a pseudonym, Cryptie. While anybody else using an alternative name has been accused of trolling, Jambert has had some immunity. Why? As concerns grow about hidden conflicts of interest and corporate influence in free software organizations, and as these organizations use the weight of their reputations to shame and humiliate people, it is more important than ever to identify the controllers of the organizations.
Thanks to Wright's investigations, we can now search for information about Cryptie and search for information about Amandine Jambert @ CNIL and find they are the same person.
The Cryptie case is even more special than a regular conflict of interest. As Mr Wright pointed out in his explosive email, FSFE e.V. covered up the very type of privacy breach that Jambert's employer, CNIL, would be expected to investigate.
CNIL is France's Commission Nationale de l'Informatique et des Libertés. CNIL's mission clearly includes investigating and sanctioning data privacy breaches.
Many parts of the world now have mandatory reporting of privacy breaches.
On 15 March 2018, Matthias Kirschner, president of FSFE e.V., wrote an email to the internal GA mailing list:
Subject: [GA] Report about privacy problem with financial data
From: Matthias Kirschner
Date: 15 March 2018
The archives of finance at lists.fsfe.org, and thereby all the information
including full names, amount, credit card and bank details, were public
from 18 December 2017 until 13 March 2018.
It is incredible that such data is managed on a mailing list, especially when the list runs on the same public server as Internet-accessible public lists. All serious organizations keep such data on servers in isolated subnets, with mail allowed in through an intermediate box in the DMZ. There is never direct access from the Internet to the box where sensitive data is actually stored.
Germany, where FSFE e.V. is based, has a clear requirement for organizations to report privacy breaches to regulators and victims. Yet in Kirschner's email, he writes that the FSFE council chose not to report it: in other words, a cover-up.
It raises serious questions about how Amandine Jambert, an employee of one of the largest national regulatory bodies in Europe, can turn a blind eye. Jambert is a member of the internal FSFE GA mailing list and received the report and subsequent discussion there. Did she discuss FSFE e.V.'s privacy issues with her employer?
FSFE e.V. subsequently admitted further data breaches and used the minutes of their annual meeting to publish defamatory attacks against a former volunteer. This behaviour, deliberately naming and shaming somebody, is an assault on the principles of European data protection laws. It is not clear how Jambert or any CNIL employee can continue being a member of this organization.
This brings us to the question: why does Jambert use a pseudonym, Cryptie, in the FSFE? Why does she not want to use her real name? Is it because she knows that FSFE behaviour is so unprofessional and she wants to hide it from her workplace? Or is it the other way around, Jambert hiding her professional identity from the Free Software community so that they can make undercover investigations into the privacy practices of Free Software organizations?
Many people already feel that national privacy laws and the bodies enforcing them are toothless tigers, with companies like Google and Facebook running amok and doing as they please. With a CNIL employee moonlighting in a non-profit secretly bankrolled by Google, it will only add to the perception of incompetence.