Lessons from a Sydney cryptoparty

When ordinary citizens in a modern democracy start taking precautions against government and corporate surveillance, it's time for a re-think.
Written by Stilgherrian, Contributor

"A lot of what we're talking about tonight isn't 'Here's how to make yourself totally secure and defeat the NSA, and you'll never get spied on.' It's about 'If you do these things, and if we all do these things, [surveillance will] become more expensive, and more hassle'," said Tom Sulston over a cup of tea late Friday afternoon.

"You get a bit of a herd immunity, 'cos everyone's doing a bit more encryption."

Sulston is a principal consultant with ThoughtWorks Melbourne, and he was speaking with ZDNet just before the company-sponsored cryptoparty in Sydney on Friday night. His words please me, because I'd been sceptical of the whole cryptoparty thing.

The basic idea of the cryptoparty was conceived in 2012 by Melbourne-based information activist Asher Wolf in the wake of Australia's latest batch of cybercrime laws and proposals for mandatory telecommunications data retention -- proposals which are now law. The concept is sound enough: get people together so they can learn to protect their privacy online using the commonly available tools. Usually that means the Tor network, virtual private networks (VPNs), PGP-encrypted email, and more recently off-the-record messaging (OTR) for encrypted chat. Installing those tools on people's devices is usually part of the cryptoparty's agenda.

But the problem here is that hiding from nation-state surveillance is no easy task. You can't do it just by installing a few tricky bits of code on your computer. As I discussed almost two years ago, when Edward Snowden's trove first dropped, security is complicated, and it's more about operational security.

"So you thought you could go up against the NSA -- an organisation with an annual budget of maybe $8 billion, a 60-year heritage of developing secret high-tech snooping gear and vast supercomputers and tens of thousands of best-and-brightest employees, including the world's largest collection of actual mathematicians -- armed with nothing more than a list of tips from the Huffington Post and an adrenalin rush? Well done," I wrote.

There's no point installing Tor on your laptop, for example, if you've already used that laptop online. Its unique identifiers have already been sprayed to all and sundry. And fans of Tor often have an inflated sense of its power.

Sulston is across these criticisms, however.

"I've been having a lot of conversations with people who are really into their IT security, and they're all like, 'You can't say that, that's got a flaw in it!' Well, yeah, it probably does, but it's better than nothing," he told ZDNet.

"Unless you are, like, a Chinese dissident, or you really are doing activist work, or political work, or that sort of thing, it's better than nothing because you're just increasing the amount of encrypted traffic. You're making some herd immunity for the people who really do need it, for the people doing that work, because their traffic blends in with yours."

The cryptoparty kicked off with an important slide on-screen too: "Security hygiene is more than tools." The discussion that followed made it clear that one night of software installation won't turn you invisible.

What became interesting for me at that point was the audience. They numbered about 70, skewing somewhat younger than older but with a wide spread of ages, and a roughly even gender balance. They listened with rapt attention as Crikey's political editor Bernard Keane outlined what he called the self-perpetuating War on Terror. They asked questions of Sulston and his ThoughtWorks colleague Felicity Ruby, a former staffer for Greens Senator Scott Ludlam, and those questions indicated that most were not ubergeeks.

These people didn't sound like they were planning to overthrow capitalism or murder their neighbours either. No, they were just ordinary citizens -- whatever they are -- who were concerned enough about their loss of privacy online to want to do something about it. And to judge by their questions, they were as concerned about corporate surveillance in the name of marketing as they were about government surveillance.

Sulston had some thoughts about why the Snowden revelations have attracted such interest.

"The difference between what Snowden showed, and the fact that we always knew that there were spies out there spying 'cos spies gonna spy, is the lack of the targeted nature," he told ZDNet.

"My uncorroborated opinion -- and again this opinion is a personal one -- is that this has not a lot to do with protecting us from security threats like terrorism, because there was like that one guy in the States who was caught sending money to Al Qaeda in Yemen ... He's the guy who got picked up by mass surveillance, right? I actually think this is -- not necessarily an overt intentional move, but it's part of building a surveillance system to suppress internal dissent. That is the effect."

Sulston would like to see a return to more targeted surveillance, rather than the intellectually lazy process of constructing the world's biggest data haystack to search for a tiny number of needles. Current governments probably don't want to build an oppressive surveillance state, but nevertheless they're still constructing a system that could enable one. Citizens are starting to see that, and they don't like it.

It's the same in the business context. Customers seem to be becoming aware -- slowly -- that the big data approach of scooping up every imaginable piece of data about their activities is, as I've called it previously, a dangerous, faith-based ideology.

A truly forward-looking business might notice these rumblings of disquiet, move ahead of the curve, and start respecting people's privacy -- rather than being sucked in by the vendors of storage arrays, databases, and snake oil. A truly forward-looking government might well do the same.

Yeah right. Who am I kidding?
