We are excited to launch Building a Free Internet of the Future, a new monthly series of interviews with NGI Zero (NGI0) grantees. With funding from the European Commission, NGI0 supports open source, open data, open hardware and open standards projects. It provides both financial and practical support in a myriad of ways, including mentoring, testing, security tests, accessibility, dissemination and so on.
We begin the series with an interview with CryptPad.
The Next Generation Internet (NGI) is a European Commission initiative shaping an internet that responds to people’s fundamental needs, including trust, security and inclusion. NGI0 is a non-profit coalition that provides the NGI an effective funding mechanism, with a mission to support the development of free/libre/open source software and hardware, open standards and open data. NGI0 coordinates several NGI Research and Innovation Actions (RIAs), including NGI Zero Review, NGI Zero Entrust, NGI Zero Core and NGI Zero Commons Fund.
APC is a member of NGI0 consortium led by the NLnet Foundation that implements a range of actions to provide a funding mechanism for over EUR 50 million granted to hundreds of independent researchers and open source developers working on and for a better internet. In addition to receiving a grant, funded projects are supported by domain experts in various fields such as diversity, security, accessibility and licence compliance, among others.
Launched in 2017 by open-source French company XWiki SAS, CryptPad provides a full suite of end-to-end encrypted tools for work collaboration. Their applications have grown from a simple editor to include rich text, spreadsheets, code/markdown, kanban, slides, whiteboard and forms. You can either use the service provided by CryptPad.fr, host a CryptPad suite yourself, or find access to the suite from other providers.
Since 2019, CryptPad has received funding from NGI Assure, NGI0 Pet and NGI0 Entrust, enabling it to work on a number of developments and improvements around security, accessibility and others. The latest funding ended in May 2024 which focused on the use of cryptography on the platform.
APC spoke to David Benqué, graphic designer in charge of UI/UX, and Mathilde Blanchemanche, sysadmin at CryptPad. The interview has been edited for clarity and length.
There are several services across the world comparable to CryptPad with different human rights and ICT governance orientations. These orientations are linked to politics, laws and local and international regulations. How does CryptPad act in these entanglements?
Benqué: There are end-to-end encrypted (e2ee) services [that] are good at messaging (e.g. Signal), personal note-taking (without collaboration, e.g. Joplin) or document storage (without editing, e.g. Proton Drive). [However,] there are actually not many products in the Venn diagram of e2ee + document editing + real-time collaboration.
As an e2ee product, one of our challenges is knowing who uses it since we don’t collect data. We know that CryptPad is used in the EU Commission, for example, and in many NGOs. Recent developments in the EU that make US products such as Office 365 technically illegal in public administration and education should mean that more and more people are seeking alternatives, but in practice I don’t think many people are adhering strictly to these guidelines. Companies like Microsoft are also deploying counter-strategies, such as basing some servers in the EU.
The larger projects we are involved in via XWiki, our parent company, often rely on some notion of “sovereignty”, meaning EU countries recognising the need to have IT solutions that they “own”, and open-source as a good way to do this. However, in our host country France, the government is also unrolling the red carpet for Microsoft data centres and storing everyone’s healthcare data on Amazon Web Services, so it’s hard to find a rational logic behind all of this.
How has CryptPad benefited from the NGI0 grants it received from 2019 to 2022 (including NGI0 Entrust in 2022)?
Benqué: These grants were really crucial in getting CryptPad off the ground. They each added features to CryptPad, such as team drives, helping to build a product that was credible in the market. In my previous role in academia, I was involved in EU funding as part of the FP7 programme (before H2020), and I remember being impressed with how lightweight the bureaucracy was on the NGI grants. They were quite efficient and targeted at delivering tangible improvements.
Coexisting with Google Drive and Microsoft Teams and others, how do you see CryptPad’s influence on end users (both individuals and organisations)?
Benqué: For individuals, communities and small businesses, we hear more about complete replacement of big-tech solutions with people “moving to CryptPad”.
When talking with potential enterprise clients, however, it seems pretty hard to dislodge them from GSuite or Office 365, so what we are seeing is a use of CryptPad alongside these solutions, perhaps for extra-sensitive documents, or for C-suite professionals, a kind of extra secure enclave within the company’s existing infrastructure.
It can be disheartening to be against such giants, to be honest: it’s not just GAFAM but anyone who is funded by venture capital. Basically any one of our competitors operates on budgets that are at least one order of magnitude more than ours, if not more. Over the years, CryptPad has accrued functionality to the point that it aims to be usable as a complete office suite solution (with the exception of email, which I doubt we will ever enter).
There is a “CryptPad for non-profits” plan, where testimonials from justice and climate activists, journalists, human rights defenders, etc. can be seen. Is CryptPad a useful tool to reduce the digital divide and the impact of digitisation, when marginalised populations are not taken into account in decision-making processes?
Benqué: We’d like to think CryptPad is useful to marginalised populations and groups. I’d have to [qualify] this, however, as CryptPad relies on the client to encrypt/decrypt everything – the person’s device is a key part of our product. So the better your laptop and internet connection, the better your experience of CryptPad will be. At the moment, for example, CryptPad is very hard to use if your only access to the internet is a smartphone.
How do you define accessibility within CryptPad? How do you you work on this technically?
Benqué: It’s one of our focuses. For the record, I joined the team in 2019 as a UI/UX designer. So in that capacity, in fact, a lot of things already existed; the product more or less already existed in its current form. There are a few things that have changed since then in terms of functionality; but there was a huge debt in terms of design and accessibility that just hadn’t been taken into account at all until that point. Personally, I didn’t have a lot of experience with that either, but I did learn about it through the feedback we got on NGI projects. I applied for a position with XWiki as an employee, and I took some training courses to find out how I could push this forward.
At the moment we have a part-time junior called Daria working in the team. She’s been doing just that since her internship last summer. We have a huge debt. I think anyone who can audit an application can see quite quickly that CryptPad isn’t great in terms of accessibility. We have a huge technical debt here.
Google Docs recently cut off access for a romance writer to all her works in progress. What does CryptPad do with the content of people who use it? Does it, with its general terms of use, have access to what people write or post on CryptPad.fr?
Blanchemanche: There are two different things here. There’s the CryptPad product itself, the software, and then there’s the server that we host, CryptPad.fr. It’s important to make a distinction between the two. The CryptPad product is governed by a code of conduct [while] the CryptPad.fr service is governed by general terms and conditions of use, a privacy policy, etc.
You can find our privacy policy on CryptPad.fr, which states that everything is end-to-end encrypted, so we don’t have access to the content of the documents (see the section “What we know about you and how we use this information”).
We also have a lot more information in our Terms of Service. We define rules that form a framework that will enable us to work on moderation and then on content. For example, we define that “people using CryptPad are not allowed to publish racist, xenophobic, homophobic, transphobic, validist or classist content”. There’s a whole list of things in detail.
It’s interesting that you should ask this question, because we’ve been contacted several times recently by people who are involved in erotic literature and who were worried about this, whether CryptPad could be a solution for their work, or simply for respecting their privacy. Which in the end also more or less touches on the sex work environment, in a way. We’ve revised our terms and conditions of use several times, the last on 27 March 2024 when, thanks to feedback from several users, we amended [them] to make them clearer and explicitly permit the use of the platform and service for this type of action.
We used to say something along the lines that we couldn’t publish content [pertaining to] any physical or sexual abuse. Typically, this is a clause that can be used by service providers to block access, to delete content, particularly from people who write erotic stories where there may be things that could be interpreted ... [as] abuse, even if that part of the content [contained] consent. Since then, we'’ve changed the sentence saying that the user agrees not to publish content that promotes physical or sexual abuse in the real world. This is for the French version, because the English translation has always been a bit complicated on these terms. Typically, victims’ stories and any documentation about abusers can be published on the service, no problem.
These issues are important because they are extremely political and extremely intimate, but they are rarely put on the table of discussion in the area of free software.
Blanchemanche: Quite often, yes. I’ve been in the free software world for 15 years [and] what I’ve noticed is that there is a very legalistic vision of free software. We talk about software neutrality and refer to the legal framework, saying “I don’t want to do anything wrong with moderation a priori because I don’t want to risk being sued for defamation.” In short, “I’ll do what the police or a judge orders me to do.”
We are trying to go a little further than that, especially as we have a particular responsibility in the sense that the product we’ve created, and which we use to run our service, prevents us from accessing the content that is put online, that is written by people. So there is a whole new issue around moderation: how to act, how to pass on information, how people can contact us, report undesirable content. And we deal with it upstream.