Encryption for beginners
July 20, 2013
Can the event really be called a party? There's no alcohol, no music, it takes place in the middle of the day and in broad daylight. But the organizers insist that yes, it's a party. Just not a conventional one. One laptop next to the other and colorful cables everywhere; routers are blinking, and the sound of typing on keyboards fills the room.
The participants are sitting together in small groups: PGP, GPG, AES, SSL, x509, IPv6 – it's all about cryptic abbreviations like those at the ‘Cryptoparty' in Cologne. For several weeks, cryptoparties have taken place in many German cities. Among the participants in Cologne are a tango teacher, a nursery school teacher, a health professional and several IT experts. They have all come here to learn how they can protect their data from prying eyes.
Party people working hard
An 80-year-old pensioner takes his Windows computer out of his bag. His daughter helps him connect to the local network. He has access to the internet instantly. All's good.
Now he is waiting patiently for one of the mentors to come and tell him all about encryption.
"I want to go with the flow. I want to face the latest developments in technology. That's why I've enrolled in a computer course at the adult education center," he explains, adding that encryption goes far beyond the level of his course at the center.
"You can't rely on the state"
That's why he has travelled all the way from a small town some 100 kilometers (62 miles) away. "I don't have any secrets," says the pensioner, "and still I want to be able to write emails to my daughters with no one else reading them. That's my private business after all." His daughter is meanwhile installing the encryption program. "I have to protect my data myself," she says. "You can't rely on the state."
An increasing number of Germans think this way. Since former US National Security Agency contractor Edward Snowden revealed what he knew, cryptoparties have grown more and more popular. "We used to have three to five people," says Jürgen Fricke, the event's organizer. "There was one time when 12 people came – but that was clearly an exception." Demand has risen considerably since. This time, Fricke even had to turn down applicants because only 20 people are able to fit into his office.
Global grassroots movement
The idea comes from Australia. One year ago, the government planned to introduce a law forcing network providers to step up supervision of their users' activities. Somebody asked on Twitter if anybody could explain to them and to other non-experts just how to better protect yourself from surveillance measures – and ideally in the offline world, as part of a small get-together. The message was retweeted within minutes by many people, and after a short while, the first cryptoparties were organized around the globe.
In Germany, the idea was first taken on board by internet freedom advocates, the Pirate party. But soon, organizers outside the political world joined in, as well. Jochim Selzer, a mathematician, system administrator, and co-organizer of cryptoparties in Cologne and Bonn, insists: "Cryptoparties are an international movement with a cross-party character. All democratically elected political parties have to take the topic of data protection on board. The issue can't be owned by a single party."
Data hocus-pocus and the magic of encryption
So just how does this encryption thing work then? It sounds terribly complicated. But Jürgen Fricke, an IT expert and organizer, does his best to try and calm everybody's nerves and make sure that nobody loses heart. "It's like when you want to make scrambled eggs for the first time on a induction cooker. That requires different pans and of course you have to know how to switch the cooker on. But after a while, you get the hang of it."
But the technological explanation that follows sounds a lot more complicated than making scrambled eggs. Everybody needs two keys – a public and a private one. The public key has to be verified by other participants first. That means: the owner's identity is being checked. Then they can use the key. When the recipient is sure the public key matches the sender the recipient will use their private key to open the mail. "We hope to teach some 10 million citizens in Germany how to use encryption over the next two to three years," says Fricke. And he's optimistic they'll reach that goal.
Some data remains legible
Encryption is also currently keeping German companies busy. IT infrastructure has turned out to be the companies' weakest point. "German companies information security is abysmal at best – it varies from extremely bad to incomplete," says IT security expert Mark Semmler. "A wheel of Swiss cheese is a robust construction in comparison."
Of course IT sessions like cryptoparties will not solve the problem of data protection alone. Encryption technologies help protect email content. But metadata like time, date, and subject heading will always remain visible, warn the organizers: "Every day we participate in joint data striptease activities." Whether we want it or not.