CryptoParty Albuquerque: Know Your (Digital) Rights

A few weeks ago I had the pleasure of hosting CryptoParty Albuquerque. If you missed the party (and it was an awesome party), be sure to check out my “what you missed” post about CryptoParty Albuquerque. As I wrote there, my co-host and I began CryptoParty Albuquerque with two back-to-back presentations to ensure that everyone participating got exposed to what we felt are the most fundamental bits of information.

My opening presentation was first and it was a gentle introduction to threats and how to defend against them. After that, I handed the mic to my co-host, who gave a brief “digital know your rights” talk. A video and a transcript of that presentation are below:

So, it’s good to encrypt your data using all the tools available, but what happens when you’re faced with police wanting to search your digital device? Well, the best tool you have then is to know your rights! And thanks to the Electronic Frontier Foundation (EFF) and their helpful guides we know what to do when the police come around asking to search your phone or computer. Tonight I’m going to be talking about what your rights are and how to act around the police, essentially giving you a brief overview of the guides the EFF has available.

With that in mind, I am not a lawyer and I am not giving you actual legal advice, I am just sharing with you what I learned from reading a bunch of stuff on the internet, because I care about these things, but it is not actual legal advice. Please use these suggestions at your own discretion.

The rights protecting your digital device are pretty much the same that are granted to you by the fourth amendment of the constitution. You are protected against unreasonable search and seizure of your phone. With a few exceptions, you’re not obliged to let the authorities into your device, so we say the fourth amendment mostly applies.

We need to borrow a bit from maymay’s threat model from the previous presentation and figure out who we are and what we are protecting. We’re going to go over four roles in this presentation and those include:

  • a person going about your day
  • a protestor, activist, or someone documenting a protest or the police themselves?
  • an employee at your job?
  • a person crossing the border into the U.S?

Rights are different for each of these roles, and I’ll go over each in more detail.
Before I do, I want to say that if you are not a citizen of the U.S. you are still, amazingly enough, protected by the fourth and fifth amendments, but your interaction with the police may be more complicated depending on your immigration status. Unfortunately, that situation is beyond the scope of this presentation, but there are resources available to you if you are not a citizen and the police are compelling you to let them search your device. Besides the EFF, you can contact the National Lawyers Guild, and locally, Somos un Pueblo unido, a wonderful organization based in Santa Fe, and the NM chapter of the Dreamers. These will have specialized legal resources that can be made available to you as an immigrant, however, the following tips still do apply.

So the first situation is you’re just going about your day, and Officer Johnson comes up to you and says “I’d like to search your phone!” What do you do? Well, you should have already encrypted your device. If you encrypt your device, it will be protected against easy access, and you have the right not to give up your passphrase under any circumstances. The best protection is a full passphrase with encryption, as screen locks, like the four digits on iOS or the pattern match on Android are easily bypassed. Now, a grand jury or a judge may try to compel you to give up your passphrase and decrypt your device, but the police cannot, and if you find yourself in a situation where a judge or jury is trying to make you give up your passphrase, please call the EFF, they’ll help you out.

Now, you have an encrypted device, and Officer Johnson wants to search it. Well, don’t consent to a search! Say “I do not consent to a search.” In fact, don’t say anything else, and say nothing about your passphrase or how you protected your device. You have the right to be silent and ask to speak to a lawyer before any questioning. Keep saying you don’t consent to a search. If the officer has a warrant and they come to your home, don’t open the door, but ask them to slide the warrant underneath the door. Verify the warrant is perfect. It needs four things to be correct: Your name and address, typo-free, the scope of the warrant, meaning what they can search, a judge’s signature, and a deadline that cannot have passed. If any of these are wrong or missing, give the warrant back to them and refuse the search, telling them to come back with a valid warrant. Use that time to encrypt your device. If the warrant is valid, or if they’re conducting a warrantless search on your device without your consent, contact a lawyer if you have one, or the EFF if you don’t. Finally, be careful using biometrics like fingerprints to lock your device. Police can compel you to unlock a device with your fingerprint as these are part of your identity, and the government already has them on file. If you use a fingerprint lock, turn off your phone so the fingerprint is flushed from memory and your passphrase is needed to unlock the device.

If you’re an activist at a protest or documenting a protest or the police, these special tips may be useful to you:

You can legally film the police, anytime, in any public space. If they tell you to stop filming, say you are legally filming the police and it is constitutionally protected. Also be sure to livestream in case they don’t care about your constitutional rights, and most importantly, protect yourself over your device. In fact, consider a burner phone. These are relatively inexpensive phones that you use in protests or as an alternative to your actual personal phone. The idea is that there’s nothing important on these phones, they are single use and can be lost without personal data being sacrificed. Regardless of what kind of phone you bring to a protest, encrypt your device! This makes it harder for the police or anyone to get at whatever you were recording or communicating to your fellow activists. Finally, mass arrests are unfortunately not uncommon at protests and actions, so remember that if you are arrested, after you are released you should get your device back. If not, file a motion for it to be released, even if the police put it into forfeiture or think it holds evidence of a crime, you can still get it back.

What if you’re an employee and have a work computer? Well, in that case, don’t use your work computer for personal communications of any kind. Use it only for work. This isn’t just what your boss wants, it’s also good for you, as your employer can consent to searches of computers they give you, and furthermore, you don’t know if they’re logging your computer activity. In fact, they probably are. So, you should also encrypt your network traffic as much as possible, especially if your work computer is your only computer and you need to use it for personal reasons occasionally. And if your boss ever asks for your personal passwords, like to Facebook, for example, tell them no, even if they say it is in your contract. It’s illegal for employers to ask employees for personal passwords and any contract with such a clause is illegal. For that matter, don’t mix personal passwords and work passwords.

One last role, and it’s a special one: what if you are crossing the border into the U.S.? In this case, the fourth amendment doesn’t apply. Customs and Border Patrol agents at the US borders are empowered to search and often confiscate anything entering the United States, including your digital device. So what do you do? Well, as usual, encrypt your device! And turn it off before you reach the border. Like with the police, you cannot be compelled to give up your passphrase to a device, and even though border agents can confiscate and forensically search your device, it will be difficult for them, and more private for you, if your device is protected by a strong passphrase and encryption. The EFF has even more tips about how to protect your data at the border in the border crossing guide online, so check them out. Lastly, some US states provide stronger protections against confiscation at the border, that is, the agents in these states need probable cause to confiscate your device, so try to enter the U.S. through them. These states include Arizona, shockingly, California, Oregon, Washington, Idaho, Montana, Alaska, and Hawaii. Some territories also provide these protections. Remember, international airports count as borders.

Now, while this presentation described your rights and some suggested behaviors when dealing with the police, it does not, unfortunately, describe how the police will actually act. As we’ve seen time and again, the police wield great power, and they will not always act in accordance with your rights. So, even if you flex your rights as suggested in these presentations, the police may still illegally search, confiscate, or even destroy your phone or computer. In this case, it is best to not obstruct them, note their name and badge number if you can, stay silent, contact a lawyer or the EFF, and above all, protect yourself so you can share what happened with people who care, and we can signal boost your story.

For more complete information and advice, please visit the EFF, from which I culled much of this information. Oh, and, thanks EFF for all the great work you do. More resources on how to interact with the police are on copwatch.org, as well.

Thanks for watching and be secure out there!

CryptoParty Albuquerque: A Gentle Introduction to Threats and How To Defend Against Them

One of the unique things about CryptoParty Albuquerque was simply the diversity of participants. Not only was CryptoParty Albuquerque the largest cryptoparty I’ve had the pleasure to host (it began with over 35 people, check out this blog post to get a debrief on what you may have missed), but it was also the only one that didn’t have a pre-existing audience specifically in mind. What I mean is that, prior to this cryptoparty, the other cryptoparties I’ve hosted have all been for a single community—queer activists, or reporters, for example—rather than being aimed at “everybody.”

This means that, unlike other cryptoparties that functioned almost like anti-surveillance boot camps, this one really was a party in addition to being a skills-building workshop. The fact that we had ongoing educational activities that were set up kind of like museum exhibits (that you could touch, of course) in the center of the social and food spaces was really helpful. But it also meant that it was a bit more difficult to set the stage for the event at the beginning, because we didn’t really know who was going to be there or what they wanted to focus on.

My co-host and I knew we wanted to start the event in one large group, because we wanted to make sure that everyone who participated was exposed to the most foundational concepts and immediately useful information. We decided that this meant we wanted to at least touch on these three things before we split up into breakout sessions:

  • threat modeling,
  • politics, and
  • digital “Know Your Rights” training.

What we ended up doing was back-to-back presentations at the start of the cryptoparty in which I gave a presentation on the first two bullet points, combining an introduction to threat modeling with the political importance of what we are doing. This made sense to us because it is specifically the fascistic politics of the current Amerikkkan surveillance state that threatens the livelihood and pursuit of liberty of most people (of color) around the globe, obviously.

In my usual style, I created a fast-paced visual slideshow and distilled numerous different sources of information into a speech covering the bare essentials of threat modeling and surveillance politics that clocked in at under ten minutes. Unfortunately, my presentation was not recorded live at the cryptoparty itself, but I’ve recreated it in this video embedded below. What follows is the re-created video of my introduction to CryptoParty Albuquerque and an aspirational transcript of my welcome speech:

Are. You. Ready. To. CRYPTO?

:)

Welcome, welcome everybody to CryptoParty Albuquerque, the first crypto party in New Mexico! Thank you to our hosts, thank you to my co-host and co-organizers, to everyone who’s been working so hard this past week to make this event happen. And, of course, thank YOU all for coming!

So, the tagline of this event is “Learn how to protect your data from prying eyes,” and that’s what we’ll be doing during the CryptoParty. You’ll have the opportunity to participate in a hands-on digital safety training, some privacy workshops, and if you take a look around, you’ll see we’ve set up numerous educational activities around the space at our “activity stations.” We’ll talk more about all of these in just a little bit.

But when we say “learn how to protect your data from prying eyes,” the obvious next question is: “Whose eyes?” In other words, who are we protecting our data from? Well, broadly speaking, there are three main categories of adversaries one might want to protect one’s data from. They are:

  • Governments,
  • Corporations,
  • and malicious individuals.

When it comes to governments, I like to quote Taylor Swift, who says, “Mass surveillance is the elegant oppression, a panopticon without bars. Its cage is small but out of sight, behind the eyes—on the mind.”

Swift is talking here about the global and domestic mass spying conducted by the NSA. And, okay, maybe this isn’t a real Taylor Swift quote, but you get the idea.

If this is a bit too abstract for you, remember that just this week we learned that the Department of Homeland Security has been monitoring the Black Lives Matter movement since anti-police protests erupted in Ferguson, Missouri last summer. DHS agents are even producing minute-by-minute reports on protesters’ movements, even for the most mundane of community events. This shit is real, my friends!

With regards to corporate adversaries, we see plenty of examples of abuse and privacy violating behavior. In November of 2014, for example, Josh Mohrer, the general manager of Uber New York, was busted for using an internal Uber tool called “God View” that shows the company’s execs the real-time location of every single customer and driver. Mohrer was using the tool to track the movements of a journalist, without her permission or consent. And just one month before that, in October 2014, two bombshell stories in the New York Times detailed how PR firms representing the oil and gas industry have been openly plotting campaigns of dirty tricks against anti-fracking activists and opponents of the Keystone XL pipeline.

And then, of course, there are malicious individuals:

A normal Wednesday afternoon, this Colorado man is playing his favorite shooting game: heavily armed SWAT teams battling criminals, when suddenly the imaginary world broke into reality—quite literally.

“I think we’re getting SWAT’ed. What in the world?”

“POLICE! PUT YOUR HANDS UP! HANDS ON YOUR HEAD! GET ON THE GROUND! NOW! MOVE! GET ON THE GROUND! GET ON THE FUCKING GROUND!”

The gamer, known as Kootra, was swatted.

This is a new kind of prank called swatting. This term stands for a mean prank: anonymous hackers reporting fake hostage situations and other violent crimes, all just to see SWAT teams rush in on innocent victims.

Swatting. I also call this: “attempted murder by cop.” So these are some examples of WHO you might want to protect your data from, and why.

Now, you might be thinking to yourself, “Okay, that’s great, but…how?”

The answer to that is: Encryption.

Encryption is just math. But don’t worry! You don’t need to know any math—not even basic addition—because a bunch of very smart people already worked the math out, and a huge community of free software advocates encoded the mathematical algorithms in computer software programs. All you have to learn is how to use the software, and that’s what we’ll do here during the CryptoParty.

For example, if you want to browse the Internet anonymously or bypass online censorship, use Tor, a special Web browser that helps keep your physical-world location secret while you explore the Internet. Or perhaps you want to send a private text message? Use an app called TextSecure. Share a file without revealing your location? OnionShare. Chat secretly? There’s an app for that, too. Software called the GNU Privacy Guard or GPG for short can secure your email, and you can install browser add-ons like Mailvelope to use it with your existing GMail account.

We’ll learn more about all of these tools tonight, during the CryptoParty. But with so many tools to learn, how do we decide what to use? And which one do we use, and when? For that, we need a “threat model.”

A threat model is just a way of narrowly thinking about the sorts of protection you want for your data, and how to go about actually protecting it. Whenever you begin assessing threats to you or your data, ask yourself some basic questions about your situation, like:

  • What do you want to protect? We call things you want to protect “assets.” Assets can be physical, like your laptop or phone. But assets can also be information, like some information in an email, or knowledge of your home address.
  • Who do you want to protect it from? We just talked about adversaries: they are the people or organizations attempting to undermine your security or violate your privacy.

There are also some other questions involved in assessing threats, but the answers to all of these questions are personal and subjective. They’ll be different for different people. And we’re not here to tell you what to think or how to feel. That, obviously, is your government’s job.

So what we’re going to do is introduce a simple framework that you can understand and use to make better informed choices about the technology you use so that you can take steps to protect your privacy, confidentiality, and integrity. Remember, after all, that different people have different assets to protect from different adversaries.

Threat Pyramid

Importantly, different adversaries pose different kinds of threats, based on what capabilities they have. For example, an individual with a grudge may be able to send you harassing e-mails, but they don’t have access to all of your phone records, so they can’t use those against you. Your mobile phone provider, however, does have all your call logs, and therefore has the capability to use that data in harmful ways. Your government has even stronger capabilities.

Notice, also, the number of adversaries who can pose major threats is much smaller than the number who can pose only mild threats or annoyances. The power to do the most harm is concentrated in governments and some multinationals with extremely sophisticated capabilities. The more of a threat these capable adversaries can pose, the more power they have over everyone below them on the pyramid.

Now, it is specifically this hierarchy, where the most resourced governments and corporations have more surveillance capability than everyone else, that is sold to us as “security.” And the issue is not that no measure of security can be had from this arrangement. The issue is that whatever so-called “security” this set-up does happen to offer you is a matter of benevolence from everyone above you in the pyramid.

Let’s take a second look at these. What are these things?

Cameras mounted on a wall.

I bet at least half of you are thinking to yourselves, “Those are security cameras,” aren’t you? But these cameras do not, themselves, provide security. These are surveillance cameras. They collect data about everything they can see. That data—that video record—only increases your security if the person who controls the video record has your best interests at heart. Otherwise, the data collected by these cameras only help the people controlling the cameras; think about the huge difference between cameras on cops, and cops on camera.

So the people who perform the most powerful surveillance in the world are at the top of the pyramid—that would be the USA, and the UK, etc. Anyone who chooses to rely on such surveillance for their “security” is putting blind trust in everyone who performs more powerful surveillance than they can.

A common fallacy is that with total surveillance comes security. That is, they say that after you give up your privacy, they will give you security. But what we see in reality is that even with that total surveillance, you still have the Westgate Shopping Mall terrorist attack in Kenya, you still have the Boston Marathon bombing, you still have the Emanuel African Methodist Episcopal Church shooting in downtown Charleston, and it is not stopped. Not to mention things like SWAT-ting, abusive phone calls from your evil ex, and the constant small harassments normal people deal with on a daily basis. And these attacks are not stopped because surveillance, itself, is not security.

Surveillance brings the ability to control some people some of the time, because “When we know we might be under surveillance, our behavior changes. We might decide not to go to a political meeting, to censor what we tell friends, family, and colleagues, thinking it might fall into the wrong hands or simply be made public. Under surveillance we may decide not to become a whistleblower.” Surveillance erodes privacy, which is a necessary condition for thinking and expressing oneself freely. But it still does not make us safe.

So our privacy is violated, our ability to express ourselves is controlled. Meanwhile, violent attacks on random individuals are rarely stopped. Our security is far from guaranteed. The people who benefit from surveillance are the people behind the video camera, not the people in front of it.

If we can’t rely on big, powerful surveillance states with sophisticated technology to have our best interests at heart—and we can’t—what can we do to keep ourselves safe and secure?

In the digital realm, we can encrypt, because encryption doesn’t depend on anybody else’s good will. It depends solely on math. No amount of physical force can coerce or threaten math. The police cannot beat up encryption algorithms with a nightstick. Encryption, like an idea, is literally bulletproof.

At this point, maybe some of you are thinking, “Yeah! Encrypt ALL the things!” And maybe some other people in the audience are sitting here thinking, “Augh! This sounds hard!” To you folks, I want to say: Take a deep breath, relax. Remember that you don’t have to be perfect at this. Remember that all things are difficult before they are easy. Remember that you don’t have to encrypt all the things immediately, today. There is a lot to learn!

So pick one thing, just one thing to start out with based on your personal threat model, because every little bit does help. The more encrypted data there is out there, the safer everyone who uses encryption is. And even if all you do is encrypt your apple strudel recipes when you send emails to your mother, you’re still helping by making it harder and more expensive for the adversaries of political dissidents, activists, journalists, friends, colleagues, and family, to target them.

So choose a tool you’re interested in knowing more about, go to a breakout session, and above all else, remember: KEEP CALM AND ENCRYPT.

Thank you all for listening.

What you missed at CryptoParty Albuquerque

CryptoParty Albuquerque, the first cryptoparty in New Mexico, was a huge success. It was by far the largest CryptoParty I’ve ever had the pleasure to help organize, with over 35 people showing up for the very start and more trickling in throughout the day. Due to its size, the format of the CryptoParty varied from other, smaller ones that I’ve hosted before.

We had pizza, popcorn, and drinks set up in the back of our space, where most people gathered to socialize and mingle and get to know one another pre-party. Then, shortly before the start of the event, we cranked up the volume on the four-panel main screen at the front of our space and played the excellent CryptoParty intro video, featuring excerpts from JuiceRapNews, and clips of interviews with Jacob Appelbaum, William Binney, and others. You should watch it, it’s fun:

By the time the intro video had played a third of the way through, everyone in the space had gathered around to watch it:


We immediately followed that with two whole-group introductory presentations. I had spent the past few days making a “Welcome and Intro to CryptoParty Albuquerque” presentation, which I presented first. It included an introduction to threat modeling and discussed the importance of pro-privacy and anti-surveillance thinking. My presentation was not recorded live, but I recreated it in this video of the slideshow I used:

Then I handed the mic to my fellow CryptoParty host, who followed me with a Digital Know Your Rights presentation and its own slideshow, which I’ll link to from this post when I get a copy of the slides. Update: here is the Digital Know Your Rights presentation.

Our presentations were ten minutes each, so with the ten minute intro video, these three parts of the CryptoParty took only 30 minutes.

By now, people were ready to get their hands dirty, so we broke the huge crowd up into two groups: people who wanted to learn tools for use on their laptops, and people who wanted to learn tools for use on their smartphones. Thankfully, we had a roughly even number of folks interested in each breakout session. We had created a big grid with masking tape on one of the walls earlier, and during the pre-party socializing we asked people to write their names (or pseudonyms) on sticky notes and post a sticky note into whatever part of the grid was of interest to them. They could post as many sticky notes as they wanted to, and could choose to use either blue-colored sticky notes to indicate that they felt comfortable educating others about the topic in question, or yellow-colored sticky notes to indicate that they wanted to learn about the topic from others. Our “Interest Grid” ended up looking something like this:

CryptoParty ABQ Interest Grid (Educators are Blue, Learners are Yellow)

Column headings: Hot Knowledge, Mobile, Desktop. Rows:

  • Private SMS/txt messaging
  • Private phone calls
  • Secure+Anonymous Web browsing
  • Secure+Anonymous File Sharing
  • Private video calls
  • Full disk/device encryption
  • Private emails

So we broke the group into separate “Mobile” and “Desktop” workshops, intending to cover as much as we possibly could with such large groups. I led the “Desktop” workshop session and within the next hour and a half or so, most folks who participated (more than 15) left having installed TorBrowser, OnionShare, and one of Mailvelope, MacGPG, or Thunderbird and Enigmail. They also generated a keypair, submitted their keys to a keyserver, and tested sending encrypted email to one another. Everyone who created a keypair successfully sent an encrypted email! There was even a college student who brought her mother to the CryptoParty, and both of them were able to successfully send each other GPG-encrypted emails.

I don’t know exactly how well the mobile session went, because I wasn’t there, but from what I heard, the results were similarly great. Most folks left the workshop having TextSecure and Redphone (for Android) or Signal (for iOS) installed and working, and had verified one another’s fingerprints. I also heard there was a lot of success getting Orbot and Orweb installed on people’s Android devices, and OnionBrowser for the iOS users.

There were also some folks who didn’t go to either breakout workshop, either because they didn’t bring any devices at all, they were just there to socialize, or because they were already familiar with what we were teaching. I also noticed that some of the folks who said they were familiar with the technologies we’d teach really moved up and helped the people sitting next to them get things installed in the odd case where something didn’t work or someone was feeling a bit lost. It was so great to have that much in-crowd help for groups this large!

Mostly, the rest of the folks hung around the food area to socialize, but they also explored the various “activity stations” my fellow CryptoParty host and I had set up before the start of the party. These included an old laptop running WireShark, an old MacBook running Tails off a USB stick, and an “Ask a Hacker” box where people could write questions on index cards and drop them in to be answered later. The Tails demo station and the WireShark network traffic viewing station generated a lot of really great questions from people, and I think everyone enjoyed having the ability to click around on the computers knowing they weren’t going to screw anything up, particularly the people who had never heard of WireShark or Tails before.

In addition to the “Activity Stations,” several local artists set up their artwork around the social areas of our party space. Behind the food, there was a flatscreen TV showing a demo of a new game design tool called MeshTracer, courtesy Kurt Hollowell and DogEatDogGames.com, which looked something like this:

On the other side of the social space were these hollow glass sculptures filled with various different gasses, created by Albuquerque local Carl Willis:


All throughout the space, including in the workshop areas, we also printed up a bunch of CryptoParty posters and other artwork along a cypherpunk and anti-capitalist theme. This set of posters taped on one of the pillars was my favorite:


Other posters featured Anonymous-style Guy Fawkes masks with derisive things about the NSA, retro-style Tor promo posters, and the like.

After the breakout workshops, everyone regrouped for a short debrief, where my fellow host and I answered some of the “Ask a Hacker” questions. One of the questions was “How secure are my dick pics?” Another was about BitTorrent, so I referred folks to the beginner’s BitTorrent guide I wrote up previously. Here’s a pic of us doing that:


By this point, the band was all set up and ready to play, so we were all treated to a live Ugly Robot set! They gave away free merch (I won an Ugly Robot shirt!), led us all in a “dance like a robot” mini-march, and got me in trouble for figuring out how to turn off the lights in the venue (kill the right breakers, duh) so that their custom-programmed visualizers behind them would look better. (LoL, capitalists and their “entrepreneurial” venues don’t know how to have any fun.)


While the band played, the more technical among us had a keysigning party, where we signed one another’s pre-existing GPG keys, and showed the less experienced what this was all about. There was still pizza and beer, which was good because more people showed up specifically to hear the band. They got in on the fun, too, though, and most of them left with EFF handouts and other pocket guides for how to deal with police harassment that we had printed up and placed on all the clear surfaces.

By the end of the night, people were already talking about CryptoParty Albuquerque number 2, and several folks suggested different venues that might want to host it. My hope is that the next event chooses a venue that doesn’t have such a stick up their asses about having a party and turning down the lights for a band, sheesh.

Anyway, I’d say we sparked some interest! All in all, a massive success!

Software Development as Direct Action

Recently, I was invited to speak at the local Code for America brigade in Albuquerque, Code4ABQ. The presentation I put together with the help of R. Foxtale was the first public articulation of the development methodology we have been using for some time in projects like the Predator Alert Tool, the WordPress SeedBank plugin, and other, newer projects still under development (but here’s a sneak peek). It’s also a term we’ve coined to distinguish between common misconceptions of “hacktivism,” which seem to primarily invoke ideas of digital breaking and entering (cracking), or leaking.

Although “software development as direct action” can legitimately be called a form of hacktivism, its focus is explicitly productive: building new stuff. My presentation told the story of the Predator Alert Tool as a way to showcase what we mean when we say “direct action software development.”

A video of the presentation, along with a transcript, is below. As per usual, all of my presentation materials for “Software Development as Direct Action” are Creative Commons licensed; you are encouraged to download and remix this work for non-commercial purposes. :)

Okay, so we’re here to talk about Software Development as Direct Action, and we don’t have much time. There are big problems out there and they need solving today. In the next ten minutes, I’m going to show you how you can solve them.

But first, I want to introduce you to Professor_Oni. And to Mabus. And John Black. And GamerGeekGuy. And all of these people….

These people have been accused by numerous different women of repeated sadomasochistic rapes. We know who they are because of this tool, a tiny browser extension called the Predator Alert Tool. These two-hundred and sixty or so lines of JavaScript—the entire source fits on this one slide—sparked years of debate and have catalyzed hundreds of thousands of lines of criticism, praise, ridicule, panic, relief, and hope across the blogosphere and in corporate board rooms alike.

The Predator Alert Tool is one example of what we’ve come to call “direct action software development.” The purpose is simple: maximum social impact. The method, simpler: Minimum lines of code.

What is direct action software development?

First, I’m going to assume that you already know a bit about what “software development” is. This is a pretty familiar idea: writing code to build apps, websites, or other technology products for use by people with laptops or smartphones. Writing code is the basic act required to produce software. No code? No software.

But what is “Direct Action”? We’ve found that what people think “Direct Action” really is varies based on, bluntly, how much brainwashing they’ve been subjected to. So let me take a moment to quickly describe what we mean when we say direct action.

When we talk about “Direct Action” we mean:

Any action that immediately addresses the root cause of a problem.

That sounds rather obvious. You may even be asking yourself, “Why would people waste time taking actions that don’t immediately address the root cause of a problem?” Well, there are several reasons:

  • Maybe certain actions aren’t permitted by an authority. Some people will limit themselves only to actions that they have permission to take.
  • Maybe they don’t understand, or they misunderstand, the root cause of a problem. In this case, people will often take actions they think will help, even if those actions don’t make much of a difference.
  • Maybe they don’t have some resource they need; they lack the skills, knowledge, or other materials to take immediate action.

Here are some examples of direct action in the physical world:

In most cases, tackling a problem with the direct action approach provides the most immediate solution. It’s also often dangerous, maybe illegal, and definitely disruptive. If successful, it will piss someone off. But at the end of the day, direct action is the single most effective and efficient thing you can do to make meaningful positive change. Historically, no lasting social change has ever been accomplished without a direct action component. Not once. Not ever.

Back to software. “Direct action software development” is a translation of direct action to the digital realm. It is:

Any code that immediately addresses the root cause of a problem.

Code is action. Remember Professor_Oni? He is a member of a fetish dating website called FetLife. In January 2012, a controversy that had been brewing amongst the FetLife community for years finally rose to national prominence when women came forward to accuse numerous prominent FetLife members of sexual assault. In response, the FetLife management deleted the survivors’ postings and threatened to ban them for violating the site’s Terms of Use. This went about as well as you’d expect: word of the heavy-handed censorship spread like wildfire and within a few weeks, many more women had come forward with similar stories, including some who accused the site’s founder, John Baku, of sexual assault. Once again, FetLife’s response was to delete or edit the new postings.

But by June of that year, the topic of sexual assault within the supposedly “safe, sane, and consensual” BDSM subculture was flashing across headlines of Salon.com, the New York Observer, and other high-profile media outlets. Activists from within the BDSM community had been organizing “Consent Culture” working groups for some time, and their membership numbers swelled.

Rape is exceedingly common in the BDSM scene. In fact, even the community’s own lobbying groups such as the National Coalition for Sexual Freedom—one of their board members doubled as FetLife’s community manager, by the way—admit to a 50% higher occurrence of consent violations among BDSM practitioners than the general populace. That’s nearly as bad as police officers, who statistically speaking are also twice as likely to be perpetrators of domestic violence. The BDSM scene has a self-delusional belief that they are “all about consent,” but in reality, they are at least as bad with sexual consent as everybody else, and likely a lot worse given their penchant for eroticizing abuse. Many women and Submissive-identified people within that community, including myself, had been saying this for a long time, but had been routinely ignored.

Even during the height of these national debates about “the BDSM community’s consent crisis,” the Consent Culture working groups were pitifully meek. They had collectively decided that “something must be done,” but what they chose to “do” was make a petition calling for the removal of the clause in FetLife’s Terms of Use that the site’s management was using as justification for censoring rape survivors. But as is often the case, when you must beg for something from a master, you find that they will not grant your request. Three years later, FetLife has still refused to change their policy and is still censoring rape survivors—unless those survivors use the Predator Alert Tool.

In October 2012, I realized that the root cause of the FetLife problem was simply that site management got to control what users saw when they browsed the site. But the Internet, which was made famous by mashups, allowed a unique opportunity to route around FetLife’s censorship in a way FetLife could not control. I wrote a simple mashup between a public Google Spreadsheet and FetLife that enabled anyone to report a negative experience with a FetLife member. With a mere 260 lines of JavaScript, that information could then be overlaid directly on FetLife.com.

With Predator Alert Tool for FetLife, the problem of FetLife’s censorship all but vanished: FetLife users could now warn other FetLife users about predatory behavior, and FetLife’s site management was powerless to stop it. Just a few weeks ago, we met a woman right here in Albuquerque who had used the tool to alert others about a local “Master” violating her consent.

Users of the tool then began asking for a similar capability on other sites, like OkCupid and Facebook. There are now seven variations of the Predator Alert Tool browser add-on, each designed to work with a particular social network or dating site. Importantly, none of these tools has been developed in collaboration with the social network in question. Most sites have refused to acknowledge the tool, despite inquiries from journalists and community members. Some sites are actively hostile, sending DMCA takedown notices and even threatening to ban Predator Alert Tool users. Meanwhile, the already overwhelming positive response from the user community continues to grow.

Predator Alert Tool arose directly from the needs of the community that it serves. It enabled the user community to do exactly what the authorities at FetLife didn’t want done, or what OkCupid and Facebook don’t want users thinking too critically about. And it accomplished this by just implementing that capability rather than waiting for permission to do so. Its impact was immediate and disruptive—on purpose. These characteristics are indicative of all direct action software development projects.

Today in 2015 the petition proposed by the “Consent Culture” working groups has still not achieved its goal of stopping FetLife from silencing rape survivors. Predator Alert Tool was able to accomplish that goal in one night of coding, with these 260 lines of code, three years ago.

In 2014, Creative Commons creator Larry Lessig appealed to technologists, to you, to take up this cause of immediate, direct action software development:

[T]here is a movement out there that has ENORMOUS needs which you, uniquely, can provide. The obvious ones, the technical needs. This is a movement that will only succeed if we find a way to knit together people in a different model from the television advertising model of politics today. […] This movement is STARVED for people with your skill who can figure out how to make this work. It desperately needs this type of skill offered by people who genuinely believe in the cause as opposed to people who are just trying to get rich.

If you want to change the world, but you don’t want to make a lot of money doing it, let’s talk. We’ve been doing direct action software development since before we knew what to call it, and we’re going to keep doing it. It would be wonderful to find other people who are excited about working with us. There are big problems out there. And they need solving.

Today.

You’re invited to CryptoParty Albuquerque: Learn how to protect your data from prying eyes!

Recently, I’ve been helping these folks get the first ever CryptoParties happening in New Mexico. If you’re going to be in or around the Albuquerque, New Mexico area next weekend, join us for a party! Either way, tell your friends. :)

CryptoParty Albuquerque, a new small collective of hackers, makers, and doers of various ages, with various levels of technical knowledge, is getting together next Sunday, July 26 at 4pm to throw a kick ass party while learning and teaching one another about privacy and security, encryption, digital safety, cryptography, and free software. And YOU’RE INVITED!

When Officer Friendly asks:

CryptoParty Albuquerque is a free and public event where we will run digital safety training and anti-surveillance workshops to help activists, journalists, change makers, and other vulnerable people protect their data from the prying eyes of the government, local police departments, and corporate spooks. The party and workshops are being hosted at Fat Pipe (200 Broadway Blvd NE, Albuquerque NM).

More information is available at our website: ABQCryptoParty.com.

What is a CryptoParty? Watch any of the short introductory videos here:

abqcryptoparty.com/intro

CryptoParty Albuquerque is free, there will be food, there will be solidarity, there will be music! Hell, there may even be dancing! Ain’t no party like a CryptoParty! :)

If you use Facebook, you may also invite folks to the event using this link:

https://www.facebook.com/events/917582934947858/

Thanks for your attention and we hope to see you at CryptoParty Albuquerque!

Remembering Caspar Bowden on “The Cloud Conspiracy”

“We live in a comic book.” It’s what friends and I say to remind one another that the dystopian future Orwell and others ominously predicted has come true. But just as the dastardly deeds of corrupt government officials and other villains implementing panoptic surveillance on the scale of Hollywood’s best plots have come true, so too have regular people like you and me been transformed into comic book-like super heroes.

Last week, privacy campaigner Caspar Bowden passed away from a malignant melanoma cancer. He was 53 years old. Caspar Bowden is most recently famous for independently deducing the existence of illegal NSA mass domestic and foreign spying (global warrantless wiretapping) using only publicly available sources such as public record legal documents. He was roundly ignored and sidelined, immediately being fired from his position as Chief Privacy Advisor at Microsoft, but he rose to renewed prominence after NSA whistleblower Edward Snowden revealed that his deductions were correct.

Caspar Bowden became a strong proponent of Free, Libre, Open Source Software (FLOSS) and joined the board of the Tor Project. In 2014, he gave a speech at the 31st Chaos Communications Congress titled “The Cloud Conspiracy” about his story. Like any thrilling comic book, it begins with an internal board meeting at the headquarters of one of the world’s corporate superpowers:

For 9 years, I was Chief Privacy Advisor at Microsoft. And I have to explain a bit about what that job was. I didn’t have any responsibility for legal compliance, thankfully. I didn’t do anything, really, in US privacy.

My job was to advise 40 “National Technology Officers” around the world. And at Microsoft, a National Technology Officer is a guy with a big brain, often one or two Ph.D.s, able to function essentially as Microsoft’s ambassador to governments around the world at a very senior level, normally citizens of their own country. In a sense, you could boil down their job to: if Steve Ballmer wanted to get a Prime Minister on the phone in half an hour, it was the NTO’s job to get that done.

So, I didn’t know about [the NSA’s secret spying program now known as] PRISM when I was at Microsoft, and what I’m about to tell you I deduced from open sources and deciding to read the American laws. Nobody asked me to do this. What happened to me after that I explained to a big internal Microsoft strategy conference about cloud computing, with all of the cloud management there, all of my National Technology Officers there, the deputy general counsel of Microsoft there, what I’d discovered. And I said to my technology officers, “Look, you ought to know this. If you sell Microsoft cloud computing to your own governments, then this law means that the NSA can conduct unlimited mass surveillance on that data.”

So the deputy general counsel at Microsoft turned green. I’d never seen anyone turn green before, but she did. There was dead silence in the room. In the coffee break, I was threatened with being fired, and then two months later they did fire me without cause.

So, since then, I’ve really, since 2011, went around trying to tell as many people as I could about what I’d discovered. And I’ve given variants of this speech now about 20 times, I suppose. But I hope this brings things right up to date as of about 2 weeks ago, and also, I’m going to tell you some things which I haven’t told before.

In the speech that follows, Caspar gives a breathtakingly detailed yet accessible overview of the legal, political, economic, and societal pressures that lead to total deadlock in the European Union’s highest level of government, leaving its citizens vulnerable to the NSA’s predations and other increasingly militarized cyber-intelligence operations.

Watch Caspar Bowden’s whole speech here.

So. “We live in a comic book.” Are you a 1 or a zero?

In Memoriam

Today is the fourth anniversary of Len Sassaman’s passing. Len was a gifted programmer, he was a passionate privacy advocate—Len pioneered and maintained the Mixmaster anonymous remailer software for many years—and he was a very, very kind person. He was also a friend.

Len was the first person to walk me through setting up OTR (encrypted chat), and one of the only people I have ever known of his awesome caliber who was nevertheless able to make you feel comfortable asking what were obviously “newbie” questions.

A lot has happened in the last four years. Len’s passing lit a fire under me, personally. I couldn’t have gotten to where I am today, both in terms of practical skills and in terms of philosophical approach, without the brief but powerful influence Len had on me. I’m not the person who knew him best, but I miss him all the same.

I’ve got nowhere near the expertise he had, and if it weren’t for him, I might have let that stop me. Thanks to him, I’m not. It’s slow going, but I’m still moving forward.

Tonight, I’m publishing a small, simple utility script called remail.sh that makes it just a little bit easier to use an anonymous remailer system such as the kind he maintained. It’s not much, but hopefully it can serve as a reminder that privacy is a timeless human need, and that it needs people like Len to support it as much as people like Len need supporters like us.

Len Sassaman (b. 1980 d. July 3, 2011). I miss you.

Predator Alert: Mark Elrick (Albuquerque Police Officer) and Elizabeth Escogne (“Community Support Worker”)

This is a public service alert.

Meet Elizabeth Escogne (left) and Mark Elrick (right):

Elizabeth Escogne with Mark Elrick.

Mark Elrick is a cop in the Albuquerque Police Department. Elizabeth Escogne is a “Community Support Worker” employed by AgaveHealth, Inc., an Arizona-based company whose mission to provide “health care to communities within the state of New Mexico” would seem great at first blush, until you’re privy to the kinds of things their employees talk about with their cop friends when they think no one who cares is listening. What sorts of things? In the span of overhearing just one conversation, Elizabeth and Mark:

  • gloated over the fact that a group of anti-police brutality protesters in New York were physically attacked; they exchanged pictures on their smartphones and literally laughed out loud at the violence.
  • complained that people who were “homeless by choice” always “make their jobs difficult.” (boo hoo)
  • agreed that funding support services for houseless populations “is a bad idea.”

Their conversation ended when Mark remarked that he had to be on his way to harass a houseless family who have been living in an RV.

Elizabeth is a gun collector and cop apologist while Mark is, well, a cop. (So, y’know, ’nuff said). Both participate in “historical medieval battles” as part of a team whose uniforms are patterned after the United States’ flag:

They’re basically what you would expect: a cross between murderous Crusaders and people who believe they’re real-life versions of Captain America. In other words, people who have drunk all the propagandistic Kool-Aid you can imagine, and then some.

I’m writing this on my blog instead of in the Facebook Cop Block Tool and the Predator Alert Tool for Facebook due to a bug in those pieces of software that will hopefully be fixed soon. Once fixed, please report these two to those databases if they’ve not yet been added by someone else.

Police do not equal protection. #PoliceArePredators

Knowledge is a seed. Sow it! SHARE THESE RESOURCES:

BYOC: Your Blog, Your Way

For bloggers who really want to own their own content, Bring Your Own Content (BYOC) is a free toolkit for creating and managing content on one or more free web hosting providers simultaneously using a single, familiar dashboard.

https://github.com/meitar/byoc/#readme

You might have read about BYOC on LifeHacker some time ago. This is the first reproducible release, utilizing Vagrant and Packer, to make it super easy for developers to contribute improvements and to ease installation of the virtual appliance on end-user machines.

Get the binary 0.0.1-beta.1 release for the full thing, which includes the prepared virtual disk image, or simply install the prerequisites and vagrant up meitar/byoc to get started!

Publishing to Tumblr, WordPress.com (or any self-hosted WordPress blog), and the Diaspora pod of your choice is supported out of the box.