On a frigid Saturday, pink and yellow Post-It notes scrawled with concerns about cybersecurity covered a wall of Eyebeam, a nonprofit art and technology center in Brooklyn. “Identity theft + surveillance = paranoia, plz help,” read one note. “How much of a threat do alt-right hackers pose on social media?” read another. “If you know your device has previously been accessed by NYPD, what can you do?”
Fifty people had gathered at Eyebeam with their laptops and cellphones for a CryptoParty—basically a Tupperware party for learning encryption and web security. Founded in 2012 by Melbourne-based journalist Asher Wolf in response to increased internet surveillance in Australia, CryptoParty is a decentralized grassroots movement that offers free DIY workshops all over the world. If you’re concerned about online privacy (which everyone on the internet probably should be) but don’t know where to start, “Crypto Angels”—as the cybersecurity experts who volunteer at CryptoParties are called—will teach you how to use encryption tools to protect your information from government surveillance, cybercriminals, data-mining corporations, and other threats.
Since the keys to the US surveillance state were handed over to a reality TV star who has spoken favorably about surveilling mosques and cracking down on free speech, interest in cybersecurity has surged, leading more people to seek out CryptoParties. Concerns are particularly high among groups who have been targeted in the past—including activists, journalists, people of color, immigrants, Muslims, and the LGBTQ community—but no one is immune to security breaches. CryptoParty-goers in Brooklyn that night included an immigration lawyer who wanted to help her clients avoid being digitally monitored, a tech-support consultant for leftist nonprofits, and a Justice for Palestine activist concerned about being surveilled during protests in the Donald Trump era.
Adopting concrete cybersecurity habits is more involved than ticking off a quick checklist—install this app on your phone, install this plugin on your laptop, and boom, your information is encrypted!—and even for the tech-savvy, encryption is complicated and time-consuming with no one-size-fits-all solution. While it’s impossible to be completely safe online, you can always be safer. Here are 10 basic encryption lessons, courtesy of CryptoParty.
1. Consider using more secure alternatives than Google Docs
“If you value anonymity and privacy from corporations or the government, you might not want to host all your work on Google’s infrastructure,” said Jamila Khan of Palante Technology Cooperative, who’s researching alternatives to Google Docs for progressive nonprofit clients. “When you use Google products, you’re not the customer—you are the product.” Google watches everything you do using their services, keeps all your data, and monetizes it through advertising. As for secure, private alternatives, Khan suggests word-processing platforms like Cryptpad or Riseup Pad; the latter is an Etherpad web service hosted by the activist network Riseup. These platforms offer real-time collaborative editing, but unlike Google Docs, they don’t collect your data. Riseup Pads are also automatically destroyed after 30 days of inactivity.
2. Don’t leave a digital breadcrumb trail
If you want to keep a piece of information private, don’t put it online unless you have to. This one seems like a no-brainer, but plenty of people are cavalier about the stuff they text, email, write in Google Docs, and record digitally. The receiver of any communication you send can distribute those communications however they please. “People need to ask, ‘Should I be texting this or emailing it at all?’” said activist and poet Candace Williams, who led one of the CryptoParty workshops, and whose 70-Day Web Security Plan for Artists and Activists is a valuable resource.
3. Download a more secure messaging system
Boost your email security by using encryption programs like GPG or PGP (“Pretty Good Privacy”). Getting the hang of PGP can be a bit complicated; here’s a handy guide by CryptoHarlem’s Matt Mitchell. Then try out encrypted text and email messaging platforms. The most popular encrypted messaging app is Signal, which Hillary Clinton’s US presidential campaign used after repeated data breaches. (Downloads spiked post-US election.) Webmail providers like May First/People Link, Riseup Mail, and ProtonMail, offer secure email and communication tools, some specifically designed for activists. But note that the only way to get end-to-end encryption is if both parties in communication use encrypted services (such as Proton to Proton, Riseup to MayFirst).
4. Surf the web safely
For anonymous web browsing, download Tor. Use a search engine that doesn’t track you, like DuckDuckGo. The Tor browser protects your anonymity by bouncing your communications around a distributed network of Tor servers around the world, and encrypting that traffic so that it can’t be traced back to your computer.
5. If you go to a protest, leave your phone at home
“When it comes to securing your phone at a protest, the threat model is tricky,” says activist Rose Regina, who taught a workshop on threat modeling at the CryptoParty. Depending on the nature of the protest, demonstrators’ phones might be surveilled by local police with stingray tracking devices, or even the FBI; as the Intercept first reported, US federal agencies have regularly monitored the Black Lives Matter protest movement since Ferguson, even watching over events like a funk music parade. “If it’s a low-key climate march, you might not need to take extra steps,” Regina says. “But if you’re going to do a hardlock in front of construction equipment building a pipeline, the likelihood is pretty much 100% that you’ll get arrested and your phone will be taken.” In that case, think about leaving your phone at home. If you can’t bear to part with it, use Signal to communicate while at the protest, making sure your phone has a screen lock that’s protected with a passcode. You should also disable fingerprint activation, which the police can ask you to use if they have a search warrant for your phone, and perhaps craft a signal-blocking cell phone pouch like the ones protesters used at the Republican National Convention.
6. Get serious about your passwords
Enable two-factor authentication on all online accounts. Change your passwords every few months—and make sure they’re strong, which means random and unique. As goes the tech-nerd motto, “The only secure password is one you can’t remember.” Store your passwords using tools like 1Password, Dashlane, or LastPass, which will both securely store your passwords and generate random new ones for you.
7. Think about how you present yourself on social media
The information you’re providing about yourself on social media profiles could become a liability. In the event of a crackdown on free speech, your posts on Facebook, Twitter, Instagram, and YouTube could become a form of self-incrimination, even if you haven’t committed a crime. In mid-November, for example, after a Rutgers University lecturer tweeted about flag-burning and other “incendiary” topics, the New York Police Department showed up at his door and forced him to undergo a psychiatric evaluation. The NYPD’s persistent monitoring and targeting of people of color on social media platforms has been called the new stop-and-frisk, which warrants caution about even jokingly posting online about criminal activity.
8. Know your threat models
In cybersecurity land, “threat modeling” is the process of systematically analyzing the vulnerabilities of a given network or individual and identifying what measures should be taken to protect against probable threats. Whether you’re devising a threat model for securing your phone at a protest, your laptop when you don’t trust your roommate, or your online banking, ask yourself who you’re protecting yourself from, and how many layers of security you need.
9. Adopt encryption measures even if you don’t think you’re a likely target
Some people still assume that if they’re a law-abiding citizen, they have nothing to hide and therefore don’t need encryption. But history suggests that’s naive. (See: Snowden’s warning about the NSA collecting your dick pics.) “A dream is to make being safe on the internet as automatic and normal as buckling your seatbelt in a car,” Candace Williams said. “The more people adopt privacy practices, the safer everyone is. It’s partly a future-proofing strategy.”
10. Don’t get paranoid, if you can help it
“Power, not paranoia,” goes one CryptoParty catchphrase. While countless books and how-to articles teach DIY encryption, attending a CryptoParty has the added benefit of connecting you to real live humans with similar concerns, which can allay paranoia. “If you Google how to protect yourself online, it can be like looking up symptoms on WebMD—you’re going to get nightmare scenarios,” Williams says. Alternatively, attending a CryptoParty is like visiting a doctor who offers individualized advice—and tells you not to freak out.
The beauty of the CryptoParty movement isn’t just the way it makes encryption more accessible: It also helps build activist communities and networks of resistance, encouraging average citizens to take their civil liberties into their own hands when they can’t trust people in power to protect those liberties for them.
For a list of dates and locations of upcoming CryptoParties around the world, head here.