Editor’s note: We’re pleased to continue our series of guest posts with one from our good friends of the UK Radical Librarians Collective. RLC’s incredible work organizing librarians across the UK and Ireland is a great inspiration to us at LFP, and so we’re especially excited to share their experience of running a local CryptoParty and implementing some FLOSS technologies in their work. We hope it will encourage other librarians and affinity groups to do the same.

In 2013, the public learned of extensive programs of corporate and state surveillance operating through the web and internet technologies that have become embedded in our lives. Data about citizens and consumers is routinely harvested, retained, traded, and examined without the informed consent of the public. Thanks to the leaks of Edward Snowden, subsequent revelations about the UK’s TEMPORA Project, the UK Government’s proposed ‘Snooper’s Charter’, and the more recent “extremism clampdown” in UK Higher Education, surveillance is known to be a widespread embedded practice that restricts our freedom in a variety of ways. The more aware we are of this, the more we can defend ourselves.

Recently the Library Freedom Project has been successful in initiating Tor relay nodes in libraries and battling US law enforcement. The discussions about digital privacy rights that followed this prompted @RLC_SE to host a CryptoParty allowing us to share some practical skills about cryptographic tools to help people protect themselves from online surveillance. After an expression of intent, the appetite for this was confirmed on Twitter when the @RadicalLibs and @RLC_SE accounts received messages from librarians interested in attending. This motivated us to start planning and in organising the event we grew more confident that our limited skills and knowledge of encryption tools could satiate the demand.

Over PGP-encrypted email, we discussed how to approach the event. Predicting turnout at RLC meetings is always tricky so, rather than make specific plans, we decided that we would largely organise the operational aspects of the event among the group on the day. This would allow us to meet local needs and not invoke too much of a hierarchy; something we’re always keen to avoid. We especially wanted to avoid setting a few individuals as authorities on cryptography.

On the day of the CryptoParty, we politically contextualised the rationale for protecting privacy online and introduced some of the politico-technological issues: many privacy-enhancing technologies have been designed and implemented under the free/libre and open source software (FLOSS) philosophy. This allows the code to be scrutinised by anyone at any time and, in turn, gives users confidence as they know that the community can ensure that security breaches are identified, discussed, and patched rapidly. Proprietary software, on the other hand, means that users are reliant upon vendors protecting users from security breaches. This adds a layer of threat as users cannot vet the code. Vendors of proprietary software are also known to use the personal data of their customers to commercial advantage, which introduces problematic dynamics for user privacy.

The tools and behaviours discussed included:

Threat modelling;
Password generation and retrieval;
Search engines and alternatives to the commonly used one(s);
Encrypting hard drives and mobile phones;
Mobile phone security issues;
Operating systems;
VPNs;
HTTPS, EFF plugins, web browsers (specifically Tor Browser);
Instant messaging, Off The Record;
Key based encryption:
Signal/TextSecure (for secure text messaging)
PGP email, and a general discussion surrounding email insecurity
Key signing
Keypairs for Linux server access

With the exception of a rather luke-warm interest in OTR instant messaging, all of these discussion topics were well received. Participants encrypted their devices in real time, discussed migrating to Linux systems (including trialling live-booting from USB sticks), and engaged in discussions about their own web behaviours and use of tools that we had not specifically introduced (e.g. comparing LastPass to KeePassX and other password managers). Where users had brought their devices with them, we were able to help them set up specific tools such as PGP email, with a terminal-based key signing party at the end of the session.

A recurrent theme throughout the day was the process of de-Googlisation that several members of the collective are trying. Though it has been relatively easy for most of us to migrate web browsers, change and store passwords outside of browsers, use alternative email providers and mail clients, there were some specific tools for which it was proving difficult to find FLOSS alternatives for. For example, Google Docs/Drive and Google Calendar were of particular importance to collaborative working. This discussion continued on social media after the CryptoParty and Alison reminded us of the awesome sandstorm.io that she had told us about several months ago! Within hours, RLC clubbed together some money to pay for our own Linux server space on which to host a Sandstorm server, installed it, and had it up and running. This blog post was collaboratively written on it! This is a significant thing for RLC as we are now able to support collaborative working and keep our data safe and secure through FLOSS technology. We would be happy to assist anyone with configuring their own Sandstorm server. Just get in touch!

Though the turnout was relatively low on the day, @RLC_SE’s CryptoParty has acted as a starting point for RLC to be more proactive in the sharing of skills for digital privacy. We have received various follow up queries from attendees on the day to provide further assistance in configuring software to maximise security and have had even more interest through the collective’s various Twitter accounts. We have also received many enquiries via our personal social media profiles. We look forward to holding subsequent CryptoParties at other local RLC meetings. We are also planning to make key signing a standing item on the future agenda for subsequent RLC meetings to keep online security and digital privacy issues at the forefront of the collective’s agenda.