Accessibility links

Breaking News

Tangled Web

Asher Wolf
In August, the Australian Parliament passed a new cybercrime bill that increased the powers of law enforcement to require Internet service providers to monitor and store their users’ data.

The country’s privacy advocates were up in arms. One of them was Asher Wolf (a pseudonym), a 32-year-old who had built up a following on Twitter for tweeting news about WikiLeaks and the Occupy movement and who cared deeply about online privacy. A friend of hers, @m1k3y, tweeted that in light of the new legislation, maybe now was the time to have an “install-the-crypto-apps party,” referring to the programs for computers that help protect a user’s privacy. Wolf half-jokingly agreed: “Let’s get together in the backyard with some chips,” she said, “let’s have a CryptoParty."

Less than four months later, there have been more than 30 CryptoParties held worldwide, many in the West, but also in Manila, Cairo, and on November 27, Tunisia. The concept of CryptoParty is simple: people get together to learn how to use tools to better protect their privacy.

CryptoParty doesn’t have a unified position on which tools it recommends, but Wolf says there is a focus on teaching three core technologies: Tor, which enables users to remain anonymous online; PGP (pretty good privacy), a program often used for encrypting e-mails; and Off-the-Record (OTR), a protocol that encrypts instant-messaging conversations.

"We want to make it bloody hard for governments and businesses around the world to invade the privacy of citizens. We want to teach people responsibility for keeping their information private and we want to give them the tools to do that," Wolf says.

A decentralized, leaderless movement, no one CryptoParty is the same. Wolf says that they tend to attract a diverse crowd. At the ones she’s attended there have been mothers, university students, and journalists who don’t want to expose their sources.

Cryptography, the practice of communicating securely, has always been in the hands of elites. Once it was the sole domain of governments and the military who believed that, in the wrong hands, keys, codes, and ciphers could be as lethal as weapons-grade plutonium. The growth of the cypherpunk movement in the 1990s changed all that. These activists argued that cryptography should not just be the preserve of governments but should be used by civilians to protect their privacy against the "surveillance state." Cryptography, they argued, wasn’t just for militaries and governments -- it was for everyone.

Except for a while, it wasn’t. It remained in the hands of a few devoted activists with sophisticated tech skills, many of them deeply antigovernment and with strong libertarian streaks. The cypherpunks developed the programs and the protocols, but for the average computer user many of the tools were intimidating and hard to use.

A single mom with a toddler, three years ago Wolf didn’t even own a laptop (she used a smartphone) and was using Facebook instead of the more privacy-conscious Twitter. After studying communications media and criminology at university, she worked for an NGO and does not have a computing background. “I call myself a citizen technologist,” she says, “which means I stuff around with things I don’t really understand completely yet.” After her 3-year-old goes to bed she teaches herself how to use the tools to better protect her privacy online.

Usability Vs. Security

For Wolf, CryptoParty has always been about bringing the conversation down to the level of the average user. “You have all these people turning up who are experts in the fields of cryptography and have expert skills in things like Tor and OTR and PGP and they’ve actually never tried to teach anyone to use them before," she says. "Suddenly they stand in front of a group of journalists and university students and activists and they begin talking about command lines and everyone looks at them like, ‘What the hell is this?’”

This summer, a piece of software called Cryptocat became the focus of much attention on listservs and in the tech press. (Read about it here, here, and here.) Cryptocat is an instant messaging platform that is installed in a user’s browser. Part of its initial appeal was that the user didn’t have to bother installing additional software and it was very simple to use. But critics of the software said that it was flawed and vulnerable to certain attacks.

The discussion about Cryptocat touched on a broader debate within the crypto community about the tradeoffs between, on the one hand, usability and design, and on the other, security. A simple-to-use tool that offers lousy security or a highly secure tool that can only be understood by someone with a computer-science degree are both of little use to activists. (The holy grail is the tool that offers near-perfect security and click-and-go usability.)

Against that background, for Wolf, CryptoParty isn’t just about teaching people how to better protect their privacy, it's also about creating a feedback loop between developers and users. What’s needed sometimes, she says, is to tell developers, “your app is great, but the accessibility and user features are sh*t or really difficult for the average user to understand.”

When Wolf first started promoting the idea of CryptoParty on Twitter, she says she felt resistance from some in the crypto community. She felt that people were saying to her, “Come kneel before us and lick our feet.” But instead of getting riled, she called their bluff. “If you think that our way of dealing with cryptography is flawed or teaching cryptography is flawed, then please show us how to do it better. We invite you to come along and we’ll shout you a beer,” she says. “It sorted the critics from the people who were just whiners. And very quickly you found the people who had a real commitment to cryptography.”

In its short lifespan, CryptoParty has mushroomed and more and more cities are planning CryptoParties. It has received messages of support from Electronic Frontier Foundation activists and many others in the crypto community. As veteran hacker Oxblood Ruffin said in an e-mail, “CryptoParty is Anonymous for grown ups.”

The movement faces some challenges. A 392-page CryptoParty Handbook, created by CryptoPartiers in Berlin, took some heat for its technical errors and for recommending what some experts thought were less-than-secure tools. And some within the digital-activism community believe that the CryptoParty model is more applicable for Western democracies than repressive states. (Holding CryptoParties openly would be a giant red flag to the authorities and put attendees under more government surveillance.)

One way around this, Wolf says, is to hold CryptoParties online or in closed sessions. “We certainly wouldn’t be promoting people holding CryptoParties in certain countries.” She gives the example of a CryptoParty in Egypt which was closed and not advertised.

In fact, rather than an organization, Wolf sees CryptoParty more like a meme. “We’re spreading a meme and that meme is privacy, the right to privacy.” CryptoParty is both cause and effect: it is helping move the needle in terms of greater privacy-awareness, but it is also a product of our more privacy-conscious culture. “Memes are things that we always knew, we just didn’t have a way to express it.”

Originally, Wolf says, the idea behind CryptoParty was selfish. It was about her wanting to learn how to protect herself better online. “I wasn’t thinking about Tunisia when we did this,” she says.

“I’m just doing it because when I look at pictures of LOLcats to relax at 2 a.m., I really don’t like the idea of thinking, well, everything I look at and every conversation I have with my friends in Europe, that every part of me that’s special or private gets handed to somebody in some banal bureaucracy somewhere,” she says. “I want something more for my life, for my child’s life. And this is my way of pushing back.”
I got a chance to see "We Are Legion: The Story of the Hacktivists" recently. It's a great film and in 90 minutes packs in plenty of interviews with Anonymous activists and experts, putting Anonymous in a broader context of Internet culture, protest movements, and hacktivism.

The film is particularly good on how Anonymous became politicized, how the movement (for want of a better word) went from pranking to taking on the Scientologists through to supporting WikiLeaks and helping out Tunisian revolutionaries. There is plenty of nuance here and the film rightly portrays Anonymous as a multifaceted and diverse movement that's hard to pin down -- it covers, for example, the splits between the so-called moralfags and hatefags, between those Anons who wanted to do good versus those who just wanted to wreak havoc.

Where the film is less good is when the director, Brian Knappenberger, seems to be too enamored with his subject. Many of the Anons interviewed in the film speak a lot about "freedom" -- an inoffensive mix of John Perry Barlow, Occupy, and the Arab Spring. “Their [the government’s] opinion no longer mattered because someone was out on the Internet kicking ass,” says one of them, Mercedes Haefer, who could face up to 15 years in jail for her alleged role in distributed denial of service (DDoS) attacks on PayPal. You won’t find too many people disagreeing with the notion of holding governments and corporations more accountable.

Yet, the problem is that Knappenberger never really attempts to unpack or challenge these sentiments. What exactly do they stand for? What do they hope to achieve? Like the film’s soundtrack, Anons talking in grandoise terms about freedom gives a seductive and intoxicating sense that something truly momentous is happening, but ultimately, when left unchallenged, it all ends up sounding a little empty.

The only person who falls under real scrutiny in the film is Aaron Barr, the security consultant who got monumentally pwned after his company intimated that it was going to expose the identities of Anonymous activists. In the film, Barr rightfully gets grilled by the interviewer about his role and he flails and stumbles when answering questions. Good, his company, HB Gary, deserves that scrutiny. But I was left thinking: why doesn’t the filmmaker take the same harsh line of questioning with the Anons? Why do they get a free pass? You can still be broadly supportive of something, yet still put it under scrutiny.

“We Are Legion” does mention some of the nastier things Anonymous has been alleged to have done, such as posting flashing GIFs on epilepsy forums. But they are just glossed over with a filmic shrug. Or as one activist says, Anonymous has done some pretty off-color things in the name of getting cheap laughs, “but that’s part of the culture.” Anonymous’s nature as a leaderless, decentralized nongroup, where anyone can act in its name, has advantages, but also disadvantages. It gives Anonymous the ultimate plausible deniability -- "that might of been in our name, but it wasn’t us" -- but it also means black-hat hackers can use the Anonymous brand to get media attention for their nefarious exploits. We hear plenty of Anonymous rhetoric about the hive mind, about the power of collective action, but there is a downside to that. What happens when the hive mind becomes the groupthink of the mob?

Underneath all the savvy visuals and revolutionary rhetoric, there are troubling aspects of Anonymous’s activism. Take the case of Amanda Todd, a young girl who committed suicide after being bullied. (The case happened well after the film was made, but it’s still a good example.) Some Anons, acting with what seemed to be decent motivations, exposed the identity of her tormentor. Except they didn’t. They got the wrong guy. Even if they had got the right guy, is that how we want society to function, with roving bands of online vigilantes seeking to expose people's identity, outside of the judicial process?

Or take the case of the 2011 DDoS attacks on Sony’s Play Station Network, which was claimed by Anon activists. Anonymous carried out the action in protest against Sony’s case against hacker George Hotz. But, while attention is given to Anonymous motivations, there is little thought given to the thousands of gamers who are prevented from using a service they have chosen to spend their money on. Whether you think taking down Sony is a legitimate form of protest or not, let’s not pretend it’s a victimless act. Just because it “happened online” doesn’t mean there are no consequences.

Of course, there are many, many Anons who get this only too well -- that, after all, was much of what the “moralfag” movement was about. There are many who spoke out against the Sony hack; there are many Anons who spoke out after LulzSec hacked PBS. Speaking in the film, security researcher Joshua Corman puts it in the context of the rise of the chaotic actor working outside the system -- sometimes they do good like Robin Hood, sometimes they’re more like the Joker.

What Anonymous did do, as one of the commentators points out in the film, is give journalists and the general public something to hold on to. There was this chaotic and amorphous Internet subculture, hard for outsiders to understand, and suddenly there was a Guy Fawkes mask and a vaguely ominous, robotic voice. It was brilliant PR and branded a movement that almost defied categorizing.

In years to come, Anonymous might be recognized more for its cultural legacy than its political acts. More than just the revolutionary PR, the 2012 U.S. presidential election was dubbed the “meme election,” a reference to the online virals that were pervasive in the campaigning. The meme has gone mainstream. We owe that to Anonymous and 4Chan, that open petri dish of thriving Internet cultures. The dog-eat-dog world of Internet memes, the ethos of remix, of irreverence, the humor, and grotesqueness -- we have Anonymous to thank for that.

"We Are Legion" is a great film, but a little bit more scrutiny and distance from its subject would have made for an even better film. Corporations and governments need to be held accountable for their actions, but so sometimes do people on the Internet.

Load more