Having been involved in numerous Cryptoparties, as both a presenter and a facilitator, I thought I might share some reflections on my experiences. CryptoParties are decentralised, casual events, aimed at teaching citizens practical methods for protecting their privacy and digital rights. Each CryptoParty I have attended has had a completely different and unique feel, due to a combination of the venue, topic and attendees.
Hearing attendees share their stories, and their need for privacy and security protection, I am further convinced of the need for grass-roots events such as CryptoParty. Some stories I have heard from attendees included the need for protections :
- Against human rights abuses of activists in West Papua;
- Of women suffering from stalking;
- For investigative journalists being surveilled by corporate interests.
Inevitably, being a free event advertised on Facebook or MeetUp, a significant amount of people sign up to attend the event, yet won't show up on the night. I've organised events with over 30 potential attendees, only to have less than ten appear on the night. The first time this occurred, I felt a pang of despair; however, every cloud has a silver lining - a smaller group of attendees results in greater fellowship, with the opportunity for a closer rapport with attendees, and less rush. One option for decreasing 'no-shows', would be to charge a nominal fee for signing up, or offer food/drinks as part of the event. Charging a nominal fee makes me feel a little uncomfortable, it feels contra to the spirit of CryptoParty. An alternative is to embed the CryptoParty within another event or conference. I've had first hand experience of success with embedding a CryptoParty into another event at The Australian International Documentary Conference. The CryptoParty was offered as the sole post conference evening event, and delegates were encouraged to bring a drink from the bar, to ensure the CryptoParty remained a casual affair.
If you will be running a practical demonstration of privacy software over the internet, specifically Tor, it is important to ensure the internet/wireless at the venue does not block Tor. Ironically, the venues that you least expect to be blocking Tor, such as universities and libraries, have a history of blocking Tor. An alternative, or a contingency to using in-house WI-FI, is a 3G/4G wifi dongle. 3G/4G dongles are less than optimal for a CryptoParty - they are slow (downloading The Tor Browser Bundle, for a single computer can take more than 10 minutes), which can give the impression that Tor is slower than it actually is—this compounds when multiple devices are using the dongle.
If attendees will need to install software under Windows or OS X, a good option is to provide the software on USB memory sticks, with one memory stick per attendee. Sharing USB sticks is not a great idea, as there is a risk that attendees devices may have viruses or malware, which can be spread from device to device by USB stick.
Though the need to bring a device may seem obvious, advertising for the event should stress the need for attendees to bring their laptops and mobile devices. I have attended a few events where attendees were not asked to bring their laptops and mobile devices and my impression was those without devices missed out on the kinesthetic learning aspect of the CryptoParty.
CryptoParties are not monologues, and should involve dialogue and discussions, just like any other party. Communication should not be one way—as if it is a traditional lecture—instead communication at CryptoParties should be two-way dialogues, with audience members being able to learn from each other, not just from the speakers or facilitators. Apart from just providing the audience with participation, dialogue can assist the CryptoParty facilitator to discover the needs and skill level of the audience, by asking leading questions. One of the questions that I ask the audience is what do they expect to learn, or take away from the CryptoParty. Other questions that can start a dialogue with the audience are "what is metadata?" and "why should we protect our privacy?".
Attendees have different backgrounds, different learning styles, and will progress at a CryptoParty at different paces. Helpers, otherwise known as 'Angels', can assist the slower attendees in completing tasks at the CryptoParty. It's important not to have too many dependencies between tasks, in case attendees get too far behind, or stall due to skill/technological issues. At a few CryptoParties, I've seen groups of attendees split off onto different tables, with tables often split based on the skills of attendees, such as an 'advanced' table or a 'novice' table. Conversely, I believe that it's much more effective and efficient for the event if there is a mix of skills on tables, with attendees with advanced skills sharing a table with less advanced attendees.
As CryptoParties are privacy related events, inform attendees of the rules and intentions surrounding photography at the event, as well as any other ground rules, such as policies relating to harassment and other unwanted behaviour. A good compromise, allowing photography and promotion, yet allowing attendees to protect their privacy, is to have an audience seating area that is off-limits to photography. For inspiration on how to prevent harassment and other unwanted behaviour, the linux.conf.au code of conduct is a great place to start.
An ethical consideration that needs to be impressed upon attendees is that security is not binary. Something is not either 'secure' or 'insecure'. Security is relative; configuration/product 'a' can be more or less secure than product/configuration 'b'. Security and privacy technologies are a moving feast, in a state of flux; a CryptoParty is just the beginning of the process for attendees to discover what is practical for themselves, and what fits into their risk profile. In a worst case scenario, information and products learnt at a CryptoParty could be wrong or found to be vulnerable within days of the CryptoParty. Leading on from this, at some point during the CryptoParty, a discussion about the trade-off between ease-of-use and level of security occurs.
To get the word out for your Cyptoparty events, you might want to consider:
- Creating a Twitter account; please don't just use the account to promote your event - get involved with the digital rights community in your town or city. I have had success recruiting speakers using only the event's Twitter account. Example Twitter accounts are @CryptopartyBLN, @CryptopartyLUX, and @CryptopartyMelb. Don't forget to give a shoutout to @asher_wolf, the founder of Cryptoparty.
- Adding the event, and event details on cryptoparty.in - Melbourne is a good start for a template for your city.
- Creating a meetup.com group. MeetUp is an easy option for creating a community around your event. The drawback to MeetUp is the cost associated with a 'Pro' account, and the potential negative privacy implications of identifying event attendees. Belfast is exemplar of a CryptoParty MeetUp page.
As an added bonus, there have been some Powerpoint slides circulating through the Australian CryptoParty scene. The slides are attached, and there are no restrictions on their use, or requirements for attribution.