Other than civil liberties activists, people never used to get too agitated over privacy issues. Edward Snowden’s revelations changed all that and it’s possible you were one of the protesters in San Francisco that went to the Sunset Vigil on May 21st to demand that Senator Dianne Feinstein let a section of the Patriot Act expire on June 1st.
Regardless, people around the world hold strong views on protecting privacy. A recent survey from the Pew Research Center shows 74 percent of Americans believe control over personal information is “very important,” yet only 9 percent believe they have such control.
The tech community is trying to change that.
Andy Issacson, one of the co-founders of Noisebridge, a hacker and education space in the Mission District, led a recent Cryptoparty to teach civilians how to use privacy tools. He talked to Mission Local about the importance of digital privacy.
Why is the Mission an important hub to talk about digital privacy issues?
Andy Issacson: San Francisco and the Mission are really exciting places to be in the privacy and technology space right now, because there are so many opportunities and so much work happening. Places like Noisebridge, where we are hoping to have a Cryptoparty on a regular basis, organizations like Open Whisper Systems which is a software development company that builds open source and secure messaging systems, -like Signal and TextSecure-, and the Electronic Frontier Foundation, which is no longer based in the Mission but has deep roots here. All of them are taking steps to advance people’s rights and digital freedoms.
When did this discussion to involve non-tech community begin and how does one speak to that general audience?
AI: It’s been a long journey, we’ve (the tech community) built systems that were secure in some sense, like PGP 20 years ago, but those systems weren’t very useful, they weren’t well matched to our real life communications to be secure. It’s really hard to teach, it has a lot of confusing conceptual hurdles that you have to clear before you can use it confidently. But we’re finally getting to a place where modern systems like Signal have made a giant leap towards building systems that are actually usable in the real world by actual people who have real problems that they need to solve. So that together with other systems like OTR (Off the record) to send instant messages and Cryptocat, another example in browser secure chat application, there’s this whole new generation of modern privacy tools that are making the internet as a whole more secure, and letting individuals take control of their personal digital security, rather than giving up that control to Gmail, for example.
How does a Cryptoparty work and what kind of things do you teach there?
A.I: Thanks to this new generation of tools things like a Cryptoparty become possible. An educator or advocate can go to a community and help them to understand what the privacy tools can and can’t do, because there are still limitations that should be known to use the tools safely. A cryptoparty is a way for people to get excited doing something practical, and taking the first steps towards building a more free and a more secure internet for everyone. We teach them how to download and use the tools for secure communications, and how to navigate in the TOR system.
How would you describe the audience of these Cryptoparties?
A.I: There’s a wide variety of people, and everybody can get something useful out of a cryptoparty. We had lawyers concerned about communicating securely with their clients. We had educators, teachers who might have information that needs to be kept private about their students or “from” their students, if their students are trying to change their grades. We had artists who are concerned about the social implications of mass surveillance or of malware and bad actors affecting people’s privacy on the internet. And we also had some politicians and activists who are interested in what do we need as a society to defend privacy. We expect to do another one in July and to reach a bigger audience in the Mission.
The core ingredient of these workshops is encryption. How do you see the learning of encryption within the general public?
AI: Encryption is a very important ingredient in an overall recipe of digital freedom and personal liberty, but it’s not the only one. We need very smart developers to build encryption systems, but we also need visual designers to help us deliver systems that people can look at and understand. We need educators to help the systems become used by real people. We need back and forth communications with users to come back to the designers to say: this doesn’t work right for me. Because for two to three decades, we as technologists have been building systems that aren’t actually usable. The magic of software is that it can turn an idea into a tangible object and encryption is a beautiful idea that requires many more decades of work, building systems that are a little bit better, a little bit more usable, a little bit more secure. A little bit more capable to bring the benefits of digital freedom and free communications to everyone.
Noisebridge operates a TOR (The Onion Router) node. Can you explain how that project has evolved in the digital privacy field and how aware people are about its possibilities?
AI: The TOR network is a globally cooperative volunteer network of servers that help to preserve people’s anonymity for connections to websites, on the internet, and the network has been running since around 2004. The critical thing that TOR provides that no other VPN or IP hiding service provides, is that no single person or no single organization in the TOR system has the ability nor the possibility of figuring out what user of TOR is browsing what website. We’ve never had a law enforcement agency attempt to compel a TOR operator to break the anonymity or break the privacy of one of our users, but if it were the case, it is impossible to do it because of highly reliable design of the system. The servers are all around the world and no single organization trusted has been able to break the thing, as the keys (encrypted) are in different nodes. That to me is really reassuring. It means that I can use Google to look up a really embarrassing medical condition safely, knowing that Gmail is not going to start showing me ads for that medical condition, because I don’t want my girlfriend or my boss to see that over my shoulder at the office.
Some people wonder why they would be under surveillance, why they would be important for the government if for instance they are not doing any kind of political activities. Why is privacy important for everyone?
AI: There is this really weird argument that goes: “If you don’t have anything to hide why are you worried?” And I turn that around and say that everyone has something to hide and that is part of their privacy. Everyone has some medical question that they would like to answer, some friend they don’t want everyone knowing they’re friends with, that teacher who has their gradebook stored on that public gmail folder. And it’s really a question of privilege, social and cultural. There’s a really infamous quote from Mark Zuckerberg (the founder of Facebook) that says: “it’s just not proper for people to not want to use their real name on the Internet”. And that is a voice of incredible privilege speaking right there. He is lucky that he has never had a hobby that could get him ostracised in his hometown where he was stuck. He is lucky to love someone without having to worry about the state telling him that he couldn’t marry that person, and the recognition of that privilege is really lacking in the tech community. For instance during the ‘Say Her Name’ protests in Oakland, Police had profiled the organizers, so some privacy might have helped them to be more effective as activists.
Still, many people choose to expose their lives in social media or are not aware of how much of that data ends up in the wrong hands. How can you make encryption a little bit sexier?
AI: Some people think like the extra cost or the extra struggle or the extra work (of protecting online communication) just isn’t worth it. It’s too much hassle, it’s too limiting and really what do I have that anyone would want to get at? And that’s actually a legitimate position to take. But it’s best to make that decision from a position of power and knowledge than from a position of ignorance or powerlessness. So learning how the tools work and starting to use them in cases where it’s easy, can help you clear the hurdle if it turns out at some point that you need a tool that has the capability. The technical term for this is pretty confusing, it’s “Threat modeling.” What do I have to protect and from who? Whether that’s protecting my privacy, or protecting information from being changed without me knowing it, or protecting my ID from being disclosed unknowingly in a public or commercial space. If you need to protect it against 6th graders, maybe the correct actions are less drastic. If you need to protect it against an organized crime organization because you are trying to help women who have been trafficked into the Mission for sex work or if you are trying to be Edward Snowden and you have nuclear secrets and you’re trying to protect it against the NSA, that’s a different kettle of fish entirely. The tools aren’t useful unless you have some idea of what you’re trying to use them for. And those two pieces make the Crytpoparty useful.
Speaking of Edward Snowden, one of his revelations what that section 215 of the Patriot Act gave the intelligence community the ability to collect information about anyone in the United States. This section is going to expire on June 1st. What has been the role of activists to make people understand that legislators shouldn’t extend this measure?
A.I: The NSA and a couple of other organizations have really broad and sweeping powers to surveil U.S. citizens who were not suspected of any crime. At the time Patriot Act it was passed, back to 2001, America was scared. We were really terrified and anything that would help us be less afraid was going to get passed… carte blanche. But a few reasonable people in Congress weren’t comfortable with giving these powers indefinitely, so they set a sunset date on these section 215 on June 1st. Thanks to Snowden, we know that the intelligence community lied to Congress about how these powers were being used. These tools aren’t actually useful for fighting terrorism, they’ve never been used in an active terrorism investigation, they’ve never resulted in the defeat of a terrorist plot. We still don’t actually know all of the programs that are being run under their supposed section 215 authority. Furthermore, a federal judge found that section 215 was being interpreted incorrectly and it was unconstitutional. So for all of these reasons, the activism thrust over the last few months has been ‘let’s kill the extension’ just let it sunset, let it die.
How has the battle been so far, and what do you think is going to happen on Sunday?
AI: When we started this fight, the consensus among the Washington talking people was that it was a fool’s errand, that there was no way that we would actually win this fight. To our delighted surprise, the Senate Saturday morning (May 23rd) did not vote to extend 215 even by a few days. So there’s gonna be another showdown on Sunday, just a few hours before the sunset date. Even if it turns out the wrong way, just the fact that we’ve gotten to this point is a contradiction for the naysayers. It’s just proof that the people organizing together to stand up and say no this really isn’t ok, can make a huge difference.
Still, Section 215 is not the only piece of law to worry about in terms of Privacy rights…
AI: No. The fight isn’t over. NSA has a team of several hundred lawyers, whose job it is to sift through every law that they can to find some justification for whatever program they want to run. And every time the spokesperson of anyone at the executive branch talks about stopping a collection program, they have to say ‘under this authority’ at the end. Because every program of collection that the NSA has, is covered by multiple secret interpretations of the law. What we need is Congress to give up their claims that they can’t disclose programs. The Senate has a responsibility to address these abuses that happened in the intelligence community and to really clean the house.
If you are interested in digging into these privacy tools and mass surveillance, here are some resources:
The Electronic Frontier Foundation’s page on TOR
More on TOR
Reddit thread about Section 215