But adopting concrete cybersecurity habits is more involved than ticking off a quick checklist.
On a frigid Saturday, pink and yellow Post-It notes scrawled with concerns about cybersecurity covered a wall of Eyebeam, a nonprofit art and technology center in Brooklyn. “Identity theft + surveillance = paranoia, plz help,” read one note. “How much of a threat do alt-right hackers pose on social media?” read another. “If you know your device has previously been accessed by NYPD, what can you do?”
Fifty people had gathered at Eyebeam with their laptops and cellphones for a CryptoParty—basically a Tupperware party for learning encryption and web security. Founded in 2012 by Melbourne-based journalist Asher Wolf in response to increased internet surveillance in Australia, CryptoParty is a decentralized grassroots movement that offers free DIY workshops all over the world.
If you’re concerned about online privacy (which everyone on the internet probably should be), but don’t know where to start, “Crypto Angels”—as the cybersecurity experts who volunteer at CryptoParties are called—will teach you how to use encryption tools to protect your information from government surveillance, cybercriminals, data-mining corporations and other threats.
Because the keys to the U.S. surveillance state were handed over to a reality TV star who has spoken favorably about surveilling mosques and cracking down on free speech, interest in cybersecurity has surged, leading more people to seek out CryptoParties. Concerns are particularly high among groups who have been targeted in the past—including activists, journalists, people of color, immigrants, Muslims and the LGBTQ community—but no one is immune to security breaches. CryptoParty-goers in Brooklyn that night included an immigration lawyer who wanted to help her clients avoid being digitally monitored, a tech-support consultant for leftist nonprofits, and a Justice for Palestine activist concerned about being surveilled during protests in the Donald Trump era.
Adopting concrete cybersecurity habits is more involved than ticking off a quick checklist—install this app on your phone, install this plugin on your laptop, and boom, your information is encrypted!—and even for the tech-savvy, encryption is complicated and time-consuming with no one-size-fits-all solution. While it’s impossible to be completely safe online, you can always be safer. Here are 10 basic encryption lessons, courtesy of CryptoParty.
1. Consider using more secure alternatives than Google Docs. “If you value anonymity and privacy from corporations or the government, you might not want to host all your work on Google’s infrastructure,” said Jamila Khan of Palante Technology Cooperative, who’s researching alternatives to Google Docs for progressive nonprofit clients. “When you use Google products, you’re not the customer—you are the product.” Google watches everything you do using its services, keeps all your data and monetizes it through advertising. As for secure, private alternatives, Khan suggests word-processing platforms like Cryptpad or Riseup Pad; the latter is an Etherpad web service hosted by the activist network Riseup. These platforms offer real-time collaborative editing, but unlike Google Docs, they don’t collect your data. Riseup Pads are also automatically destroyed after 30 days of inactivity.
2. Don’t leave a digital breadcrumb trail. If you want to keep a piece of information private, don’t put it online unless you have to. This one seems like a no-brainer, but plenty of people are cavalier about the stuff they text, email, write in Google Docs and record digitally. The receiver of any communication you send can distribute those communications however they please. “People need to ask, ‘Should I be texting this or emailing it at all?’” said activist and poet Candace Williams, who led one of the CryptoParty workshops, and whose 70-Day Web Security Plan for Artists and Activists is a valuable resource.
3. Download a more secure messaging system. Boost your email security by using encryption programs like GPG or PGP (“Pretty Good Privacy”). Try out encrypted email and text messaging platforms, especially ones tailored to activists. The most popular encrypted messaging app is Signal, which Hillary Clinton’s U.S. presidential campaign used after repeated data breaches. (Downloads spiked post-U.S. election.) Webmail providers like May First/People Link, Riseup Mail and ProtonMail, offer secure email and communication tools, some specifically designed for activists.
4. Surf the web safely. For anonymous web browsing, download Tor. Use a search engine that doesn’t track you, like DuckDuckGo. The Tor browser protects your anonymity by bouncing your communications around a distributed network of Tor servers around the world, and encrypting that traffic so it can’t be traced back to your computer.
5. If you go to a protest, leave your phone at home. “When it comes to securing your phone at a protest, the threat model is tricky,” says activist Rose Regina, who taught a workshop on threat modeling at the CryptoParty. Depending on the nature of the protest, demonstrators’ phones might be surveilled by local police with stingray tracking devices, or even the FBI; as the Intercept first reported, U.S. federal agencies have regularly monitored the Black Lives Matter protest movement since Ferguson, even watching over events like a funk music parade. “If it’s a low-key climate march, you might not need to take extra steps,” Regina says. “But if you’re going to do a hardlock in front of construction equipment building a pipeline, the likelihood is pretty much 100 percent that you’ll get arrested and your phone will be taken.” In that case, think about leaving your phone at home. If you can’t bear to part with it, use Signal to communicate while at the protest, making sure your phone has a screen lock protected with a passcode. You should also disable fingerprint activation, which the police can ask you to use if they have a search warrant for your phone, and perhaps craft a signal-blocking cell phone pouch like the ones protesters used at the Republican National Convention.
6. Get serious about your passwords. Enable two-factor authentication on all online accounts. Change your passwords every few months—and make sure they’re strong, which means random and unique. As goes the tech-nerd motto, “The only secure password is one you can’t remember.” Store your passwords using tools like 1Password, Dashlane, or LastPass, which will both securely store your passwords and generate random new ones for you.
7. Think about how you present yourself on social media. The information you’re providing about yourself on social media profiles could become a liability. In the event of a crackdown on free speech, your posts on Facebook, Twitter, Instagram and YouTube could become a form of self-incrimination, even if you haven’t committed a crime. In mid-November, for example, after a Rutgers University lecturer tweeted about flag-burning and other “incendiary” topics, the New York Police Department showed up at his door and forced him to undergo a psychiatric evaluation. NYPD’s persistent monitoring and targeting of people of color on social media platforms has been called the new stop-and-frisk, which warrants caution about even jokingly posting online about criminal activity.
8. Know your threat models. In cybersecurity land, “threat modeling” is the process of systematically analyzing the vulnerabilities of a given network or individual and identifying what measures should be taken to protect against probable threats. Whether you’re devising a threat model for securing your phone at a protest, your laptop when you don’t trust your roommate, or your online banking, ask yourself who you’re protecting yourself from, and how many layers of security you need.
9. Adopt encryption measures even if you don’t think you’re a likely target. Some people still assume that if they’re a law-abiding citizen, they have nothing to hide and therefore don’t need encryption. But history suggests that’s naive. (See: Snowden’s warning about the National Security Agency collecting your dick pics.) “A dream is to make being safe on the internet as automatic and normal as buckling your seatbelt in a car,” Candace Williams said. “The more people adopt privacy practices, the safer everyone is. It’s partly a future-proofing strategy.”
10. Don’t get paranoid, if you can help it. “Power, not paranoia,” goes one CryptoParty catchphrase. While countless books and how-to articles teach DIY encryption, attending a CryptoParty has the added benefit of connecting you to real live humans with similar concerns, which can allay paranoia. “If you Google how to protect yourself online, it can be like looking up symptoms on WebMD—you’re going to get nightmare scenarios,” Williams says. Alternatively, attending a CryptoParty is like visiting a doctor who offers individualized advice—and tells you not to freak out.
The beauty of the CryptoParty movement isn’t just the way it makes encryption more accessible: It also helps build activist communities and networks of resistance, encouraging average citizens to take their civil liberties into their own hands when they can’t trust people in power to protect those liberties for them.
For a list of dates and locations of upcoming CryptoParties around the world, head here.
NEXT STORY: EPA looks to VA for new CISO