CryptoParty hosted by Newcastle City Library

On Sunday (22 May) I attended an event hosted by the council-run Newcastle City Library, the main library which sits in the centre of Newcastle, and ORG North East, a local Open Rights Group. The event was a two-hour CryptoParty. The aim was to help people set up their devices (phones, tablets, laptops) with applications to improve their online privacy. On hand were several volunteers with knowledge on different applications. The set-up of the event was informal with attendees able to drop-in at tables to ask questions and set up their devices.

The main applications were

  • Signal (from Open Whisper Systems) – a private messaging app similar to WhatsApp except metadata isn’t skimmed off by Facebook
  • Tor browser – a web browser that doesn’t look much different to any other web browser but keeps your information private by use of Tor relays (more about this below)
  • PGP – a way of encrypting your email messages
  • Protection of your Windows/Mac computer with full disc encryption

I had already installed Signal on my phone some months ago but I did clarify that just because I’m using it doesn’t mean my messages are secure because only a handful of my contacts are also using it. It does offer me the option to invite others to join, but I think like most of these things, most people aren’t too interested so I haven’t bothered.

Tor browser was something I’d been meaning to install for some time but I had conflated it with the whole ‘Tor’ conversation that I’ve been hearing about which is much more to do with the Tor relays. Tor relays, in simple terms (correct me if I’m wrong), are servers set up and run by volunteers that allow internet traffic to hop between several of these before sending/receiving whatever it is you are accessing online. The Tor browser is exactly that, a browser based on Firefox and as easy to download and install as any browser. It is suggested that you actually review the tutorial before you start using it as there are some real DON’T’s users should heed (i.e. using BitTorrent while connected to Tor). You can also download the browser for your Android phone or iPhone. Be sure you download the apps from The Tor Project, not any of the copycat apps. For Android you have to download two different apps – not sure about iPhone as I don’t have one of these.

I can’t say that I am any closer to understanding and getting my head around PGP. From what I understand if you use gmail for example, you need to use a third party mail application like Thunderbird with an add on like Enigmail. There was a lot of mention of public and private keys, but it wasn’t really clear how you went about establishing these. We were shown some demonstrations of messages being encrypted but it all seemed rather complex, and, as I said, I’m no closer to implementing this. Lots of gaps in my knowledge still…

Regarding encrypted email I did ask about a webmail client that I learnt about via Twitter some weeks ago – ProtonMail – but none of the folks on hand had heard of this. I registered for an email account a few weeks ago but haven’t made the move. Again it seems that if the person at the other end isn’t using it then it’s all a bit moot. I’d be happy to be convinced otherwise. The thing is with ProtonMail that it is very similar to gmail so it would be something, like Signal, that shouldn’t be difficult to get other people to adopt. From what I understand from people far more knowledgeable about these things is that it’s still not great because the encryption is being done by the provider so they can still read your messages. Can anyone clarify this in a way that makes sense to someone like me?

Unfortunately I wasn’t able to speak to the expert about full disc encryption before the end of the event (and I had to go) so I’m hoping there is another event in the near future where I can maybe get some more clarity about PGP and start to get to grips with full disc encryption.

All in all it was a good event with about a dozen people attending (and half a dozen experts on hand). It seemed to be really well received by those that attended but a few of us did discuss the fact that a majority of people don’t feel they need to protect their privacy and that those of us implementing these technologies have something to hide and/or are highly paranoid. This isn’t an area that I’m well versed in in terms of public opinion so I’m not sure how we go about convincing the general public that they should be more interested in their online privacy though Ian Clark has written about this recently both in a peer-reviewed paper and on his blog.

Ian also posted about the novelty of this particular event as it appears to be the first of its kind in the UK that was not only hosted by a public library, but also promoted by the council. You can read his post to get some further detail.

It’s also worth pointing out for the librarians amongst you, and library/librarian sympathisers, that there is a group of librarians that discuss these types of issue via a monthly Twitter journal club, through their mailing list, and at an annual meet-up. That group is the Radical Librarians Collective (RLC) and I urge you to check them out. This is a UK-based group and there are other groups in other countries. This short-ish piece written by members of the RLC and published by CILIP is probably a good place to start.

The Library Freedom Project is an excellent resource for those, especially librarians, interested in online privacy. It has information about what you can do individually and on a library scale.

If there are future events like this I’d be keen to learn more about Tor and Tails, full disc encryption, the best ways of making things like tablets private, and PGP in terms of actually a walk-thru of setting things up.


2 thoughts on “CryptoParty hosted by Newcastle City Library”

  1. Thanks for the write up! Glad you enjoyed the party.

    One of the things I like most about Signal is how similar it is (in terms of features) to services like WhatsApp that people are already using, so I’ve had better luck trying to get friends to switch to using it than I have with something that’s pretty involved like PGP.

    And regarding PGP, yep… it’s definitely a head-scratcher when you’re new to it. In fact, even some of the most prolific guys in tech aren’t particularly fond of how clunky it is to use (https://thehackernews.com/2014/08/cryptography-expert-pgp-encryption-is_19.html), but it’s pretty good at what it does, so it will probably be around until something better comes along.

    I’ll work on seeing if I can put together a handout for PGP like I did for the other topics, which will hopefully help out more. In the meantime, I can highly recommend the Electronic Frontier Foundation’s ‘Surveillance Self Defence’ page about it: https://ssd.eff.org/en/module/how-use-pgp-windows

    Shame I missed your question about ProtonMail, but I’m familiar with it, and I think I know what you mean. If I remember rightly, ProtonMail will let you use PGP without needing to use desktop software like Thunderbird (in the browser, like GMail).

    There are upsides and downsides to a service like ProtonMail, though. On the upside, they keep your encryption keys for you. This makes it much more difficult to lose them and makes the encryption process much easier for you. It also means you can do everything through a browser without needing extra software, if that’s what you prefer. On the downside, they keep your encryption keys for you. This also means that there is a danger that someone malicious may get access to the keys (any number of ways) and either impersonate you using them, or read encrypted email that has been sent to you. You’re also right in thinking that the mail encryption will only work for others who are also using ProtonMail (or PGP). But, if the upsides here outweigh the downsides for you, then a service like ProtonMail is probably worth trying.

    Full disk encryption we will try and cover properly at the next party if people are interested (the downside to it is that it’s not really something we can do ‘hands-on’ at the event but I’m sure I can work something out). It takes several hours to encrypt a disk that already has data stored on it, so we avoided suggesting that people start trying it there-and-then. There should be enough info on the handout to get you going – but if you’re more comfortable having been shown how to do it first, then I’ll definitely try and get a demonstration put together for the next party.

    Hopefully some of this helped. Feel free to ask more questions on the mailing list if you’re still stuck with anything!

  2. Pingback: CryptoParty Newcastle and user privacy in libraries - informed
