In August, the Australian Parliament passed a new cybercrime bill that increased the powers of law enforcement to require Internet service providers to monitor and store their users’ data.
The country’s privacy advocates were up in arms. One of them was Asher Wolf (a pseudonym), a 32-year-old who had built up a following on Twitter for tweeting news about WikiLeaks and the Occupy movement and who cared deeply about online privacy. A friend of hers, @m1k3y
, tweeted that in light of the new legislation, maybe now was the time to have an “install-the-crypto-apps party,” referring to the programs for computers that help protect a user’s privacy. Wolf half-jokingly agreed: “Let’s get together in the backyard with some chips,” she said, “let’s have a CryptoParty."
Less than four months later, there have been more than 30 CryptoParties held worldwide, many in the West, but also in Manila, Cairo, and on November 27, Tunisia. The concept of CryptoParty
is simple: people get together to learn how to use tools to better protect their privacy.
CryptoParty doesn’t have a unified position on which tools it recommends, but Wolf says there is a focus on teaching three core technologies: Tor,
which enables users to remain anonymous online; PGP
(pretty good privacy), a program often used for encrypting e-mails; and Off-the-Record (OTR)
, a protocol that encrypts instant-messaging conversations.
"We want to make it bloody hard for governments and businesses around the world to invade the privacy of citizens. We want to teach people responsibility for keeping their information private and we want to give them the tools to do that," Wolf says.
A decentralized, leaderless movement, no one CryptoParty is the same. Wolf says that they tend to attract a diverse crowd. At the ones she’s attended there have been mothers, university students, and journalists who don’t want to expose their sources.
Cryptography, the practice of communicating securely, has always been in the hands of elites. Once it was the sole domain of governments and the military who believed that, in the wrong hands, keys, codes, and ciphers could be as lethal as weapons-grade plutonium. The growth of the cypherpunk movement in the 1990s changed all that. These activists argued that cryptography should not just be the preserve of governments but should be used by civilians to protect their privacy against the "surveillance state." Cryptography, they argued, wasn’t just for militaries and governments -- it was for everyone.
Except for a while, it wasn’t. It remained in the hands of a few devoted activists with sophisticated tech skills, many of them deeply antigovernment and with strong libertarian streaks. The cypherpunks developed the programs and the protocols, but for the average computer user many of the tools were intimidating and hard to use.
A single mom with a toddler, three years ago Wolf didn’t even own a laptop (she used a smartphone) and was using Facebook instead of the more privacy-conscious Twitter. After studying communications media and criminology at university, she worked for an NGO and does not have a computing background. “I call myself a citizen technologist,” she says, “which means I stuff around with things I don’t really understand completely yet.” After her 3-year-old goes to bed she teaches herself how to use the tools to better protect her privacy online.
Usability Vs. Security
For Wolf, CryptoParty has always been about bringing the conversation down to the level of the average user. “You have all these people turning up who are experts in the fields of cryptography and have expert skills in things like Tor and OTR and PGP and they’ve actually never tried to teach anyone to use them before," she says. "Suddenly they stand in front of a group of journalists and university students and activists and they begin talking about command lines and everyone looks at them like, ‘What the hell is this?’”
This summer, a piece of software called Cryptocat became the focus of much attention on listservs and in the tech press. (Read about it here
, and here
.) Cryptocat is an instant messaging platform that is installed in a user’s browser. Part of its initial appeal was that the user didn’t have to bother installing additional software and it was very simple to use. But critics of the software said that it was flawed and vulnerable to certain attacks.
The discussion about Cryptocat touched on a broader debate within the crypto community about the tradeoffs between, on the one hand, usability and design, and on the other, security. A simple-to-use tool that offers lousy security or a highly secure tool that can only be understood by someone with a computer-science degree are both of little use to activists. (The holy grail is the tool that offers near-perfect security and click-and-go usability.)
Against that background, for Wolf, CryptoParty isn’t just about teaching people how to better protect their privacy, it's also about creating a feedback loop between developers and users. What’s needed sometimes, she says, is to tell developers, “your app is great, but the accessibility and user features are sh*t or really difficult for the average user to understand.”
When Wolf first started promoting the idea of CryptoParty on Twitter, she says she felt resistance from some in the crypto community. She felt that people were saying to her, “Come kneel before us and lick our feet.” But instead of getting riled, she called their bluff. “If you think that our way of dealing with cryptography is flawed or teaching cryptography is flawed, then please show us how to do it better. We invite you to come along and we’ll shout you a beer,” she says. “It sorted the critics from the people who were just whiners. And very quickly you found the people who had a real commitment to cryptography.”
In its short lifespan, CryptoParty has mushroomed and more and more cities are planning CryptoParties. It has received messages of support from Electronic Frontier Foundation
activists and many others in the crypto community. As veteran hacker Oxblood Ruffin said in an e-mail, “CryptoParty is Anonymous for grown ups.”
The movement faces some challenges. A 392-page CryptoParty Handbook
, created by CryptoPartiers in Berlin, took some heat
for its technical errors and for recommending what some experts thought were less-than-secure tools. And some within the digital-activism community believe that the CryptoParty model is more applicable for Western democracies than repressive states. (Holding CryptoParties openly would be a giant red flag to the authorities and put attendees under more government surveillance.)
One way around this, Wolf says, is to hold CryptoParties online or in closed sessions. “We certainly wouldn’t be promoting people holding CryptoParties in certain countries.” She gives the example of a CryptoParty in Egypt which was closed and not advertised.
In fact, rather than an organization, Wolf sees CryptoParty more like a meme. “We’re spreading a meme and that meme is privacy, the right to privacy.” CryptoParty is both cause and effect: it is helping move the needle in terms of greater privacy-awareness, but it is also a product of our more privacy-conscious culture. “Memes are things that we always knew, we just didn’t have a way to express it.”
Originally, Wolf says, the idea behind CryptoParty was selfish. It was about her wanting to learn how to protect herself better online. “I wasn’t thinking about Tunisia when we did this,” she says.
“I’m just doing it because when I look at pictures of LOLcats to relax at 2 a.m., I really don’t like the idea of thinking, well, everything I look at and every conversation I have with my friends in Europe, that every part of me that’s special or private gets handed to somebody in some banal bureaucracy somewhere,” she says. “I want something more for my life, for my child’s life. And this is my way of pushing back.”