Yesterday, 30 November, there was a Cryptofestival in London. What's a cryptofestival? No, it's not about doing the Monster Mash in a graveyard or Zombie Walks for Buy Nothing Day (although there were a few of those as well that day), and only a little bit to do with zombie legislation and spooks.
A cryptofestival or cryptoparty is a chance for people to get together and learn how to communicate more securely and privately using cryptography. A cryptoparty is "free, public and fun" and for everyone regardless of technical ability. So maybe it is like the Monster Mash after all. Cryptoparties have been around for years, but the revelations about just how far the US National Security Agency and other "Five Eyes" spies go, to obtain data on you, me and everyone we know, have given a wake-up shock to people, reviving an interest in using cryptography in everyday communications. PRISM and Tempora mean big online providers like Facebook have backdoors passing our personal communications to hundreds of thousands of US government staff and contractors, the main safeguard currently being that human beings will only look at it if they're interested (a fun video shows how nobody yet takes the rap).
The London Cryptofestival held at Goldsmith's College was very well attended, and there was an impressive diversity of attendees: a few geeks and academics, but also journalists and human rights activists working in the Middle East and Sri Lanka, and local people concerned about the privacy of their own family. Everyone learned something. The main focus was on software tools to use on computers and phones, but there were also questions reflecting on the nature of freedom, privacy, authenticity and disclosure, how we self-censor when someone might be watching, and how current government techniques would have stifled the social change and dreams of Mohandas Gandhi or Martin Luther King Jr. One speaker recalled his shock realisation that pictures of his unborn child were already stored indefinitely online. The Stasi had someone on every street: nowadays companies that sell black boxes to governments around the world claim computer analysis can do much more than the Stasi with far fewer people. There were worries too about how GCHQ and other spooks sometimes can use their £1.9bn budget to undermine security, such as compromising research at top universities using small-grant agreements called ACE-CSR.
There were many options presented on a continuum between the practical and the purist, never actually paranoid. A session on smartphone security inevitably raises the question of how you trust the security software: if it's free and open-source, then experts can verify the software is secure; but what if there is spyware like FinFisher, or the operating system (OS) is closed source like Apple's iOS? And even if the OS is free, like unlocked Android, what about security holes built into the chips in closed hardware? So do we just give in and accept that the "telescreen" from 1984 is here, and carried about in our jacket pockets? I wasn't convinced by the "Bring and Swap" session confusing trails by swapping SIMs or Oyster cards. But there may be a point in a sensible compromise: if I top up my mobile using cash, CCTV in the shop I buy the top-up from can still be used to identify me if I commit a heinous crime using my phone, and it doesn't hide the "social graph" of my contacts, but maybe it still makes the mass correlation of big data that much more difficult (and more data means more false positives.)
Pretty Good Privacy
So here are some of the things mentioned that people can do to encrypt communications:
- Have a secure chat with your friends using Off the Record instant messaging CryptoCat (Easy-Medium, doesn't apply to microchipped moggies who may be first to join the Internet of Things; by the way, the .cat website address is for Catalonia)
- Browse anonymously (if you're careful) with Tor (Easy-medium)
- Make sure you use SSL with https, and turn on TLS settings in your email client. (Easy, common, can sometimes be circumvented)
- Encrypt your email message bodies with OpenPGP (Medium-Hard, see below), using Enigmail
- On an Android phone, use APG and K9 to encrypt email; secure voice with RedPhone (free) or SilentPhone (non-free); and protect SMS with TextSecure (free).
- Cover your tracks on any computer with TAILS, a dedicated GNU/Linux distribution; another privacy-aware distribution is Qubes. (Medium-hard)
PGP is strong encryption, commonly used for email text. Some of the options can be quite obscure, but a simple way of using it is to use Thunderbird as an email program and the Enigmail plugin. To send GreenNet a secure email that can only be read using GreenNet's private key:
- Download and install Thunderbird if you don't have it already (configuration for GreenNet here)
- Download Enigmail - if you're using Linux there's probably a package for it. If you're using Windows, you may need to download GnuPG separately. Similarly for Mac.
- In Thunderbird, go to Tools > Add-Ons, and if you don't already have Enigmail, click on the Tools button, and install from file the file downloaded in step 2.
- Set up your own key in Enigmail to receive encrypted replies, and enable OpenPGP in your account settings.
- Go to OpenPGP > Key management > Keyserver > Search for keys > search for email@example.com and download GreenNet's public key from pool.sks-keyservers.net. It's the one numbered 81476196 you want, or you can copy GreenNet's key from here. (Of course, you have to trust that someone hasn't interfered with your internet connection to substitute another key.)
- Compose an email to us, ensuring the OpenPGP meny has "Encrypt Message" ticked.
- Click send. That's it.
So it looks like 2014 may be the year of crypto. The state, or rather the secretive "state within the state", may indulge in increasingly desperate scaremongering in an effort to keep spying on us all and avoid accountability, but those who know say cryptography will continue to lead to freer, more liberal societies around the world.
It was acknowledged that in the current crypto debate that not everyone will "get it", as the arguments that everyone has something they want to hide can be quite personal and hard to summarise. But any campaign against mass surveillance could do with a good slogan! Get your creative thinking caps on and let us all know your ideas.