The Atlantic | Sept. 10, 2013 — On a warm August night, inside a meeting room at the Berlin House of Representatives, American digital privacy activist Jacob Appelbaum pulled a small electronic device from his backpack and issued a challenge to parliament: The member who agreed to run the device, a custom WiFi node, from an office in the building could have it for free.
“If someone from the parliament here really believes in free speech, I’m happy to give this to them,” said Appelbaum. The node boosts the signal of a worldwide encryption network called TOR. Short for The Onion Router (think protective layers), TOR software provides a web browser that cloaks IP addresses, granting anonymity to Internet users. The National Security Agency’s controversial PRISM program is thought to be using Internet nodes in foreign countries for espionage. TOR nodes create a blanket that shields Web content — emails, instant messages, metadata and browser histories, for example — from the government’s gaze. Without anonymity and privacy, Appelbaum argues, freedom is a fallacy.
“Fundamentally, it’s a very old idea that you should be free to read and free to speak and you should be free to do this without having to identify yourself,” Appelbaum told a packed room of concerned faces — about 60 in all. Appelbaum, a young man with thick-framed glasses and impeccably clear annunciation, acted as a de facto spokesman for WikiLeaks in 2010 after the group released intelligence cables handed over by Chelsea Manning. With TOR, he explained, “instead of the 20th and 21st century surveillance state, you’re returning to a state where privacy is the norm.”
Appelbaum’s audience, a mix of programmers, off-duty journalists, and concerned citizens, leaned forward in their chairs and listened closely. Promoting encryption is a key part of Appelbaum’s agenda. Only a small substrata of Internet users currently go to such lengths. But the more people encrypt, the greater grow the hurdles to the kind of widespread government surveillance brought to light by former intelligence contract Edward Snowden. And an effective way to recruit new members to the encryption movement is through public events like the one in Berlin — what have become known as “cryptoparties.”
* * *
Many Germans have regarded ubiquitous web giants like Google and Facebook with a high degree of skepticism since well before Snowden’s intelligence leaks revealed that NSA surveillance relies on cooperation from some of the world’s most powerful telecommunications companies. A popular rationale for Germany’s collective apprehension cites the country’s history of extensive spying by both the Nazi secret police and then, in the 1980s, by Stasi state security forces. In July, German magazine Der Spiegel published an interview Appelbaum conducted with Snowden in which the former government contractor claimed that the NSA and German authorities are “in bed together.”
As of August 27, Germany was second only to the U.S. in the number of active TOR users (with nearly 49,000 users to the U.S.’s 97,000). In August, global TOR connections spiked to 150,000 monthly users, up from about 50,000 users in June and July. Publicly, incensed Germans are staging street protests and urging lawmakers to intervene with mechanisms that protect their web activities from the prying eyes of government. Privately, they’re turning to hackers for lessons on how to do it themselves.
Laptops open, dozens of people listening to Appelbaum prepared for an evening of privacy instruction. At cryptoparties, privacy activists and software specialists tutor people in the craft of data defense. Appelbaum led a workshop on TOR while two German instructors ran basic primers in encryption protocols called off-the-record messaging (OTR) and “pretty good privacy” (PGP). OTR prevents instant messaging conversations from being logged or viewed by outsiders. PGP is a program used to encrypt and decrypt messages and files, including emails. Communications between Snowden and Guardian reporter Glenn Greenwald and documentarian Laura Poitras were secured using PGP.
A common analogy for explaining the importance of encryption supposes that an unencrypted message sent via, say, Gmail, exposes information to Google and an Internet service provider as if it had been written on a postcard and dropped in the mailbox. “You don’t see the postman but he’s certainly there,” said Anne Roth, a digital privacy activist in Berlin. Cryptoparty attendees are wary of the postman and his loyalties.
As expressions of political activism, cryptoparties first took root in 2011 in Australia when lawmakers were considering hotly contested legislation intended to reign in cybercrime. The bill, which passed in 2012, allows government authorities to force Internet service providers and carriers to retain and relinquish customer data. Even foreign governments could demand the information. In a letter to the Australian government, civil liberties group Electronic Frontiers Australia cautioned that the bill “can potentially enable arbitrary interference with privacy and correspondence.”
In the past two years, cryptoparties have sprung up in Oakland, Boston, Calgary, Cairo, Reykjavik, London, Brussels, Manila, and elsewhere. The event in Berlin was the latest in a series of post-PRISM cryptoparties on German soil – and perhaps the country’s largest to date. The gatherings are often ad hoc, hosted by IT experts, and typically draw between five and a dozen pupils of varying ages, technical experience, and professional backgrounds. One such party in Cologne in July drew, among others, a tango instructor, a healthcare worker, and a schoolteacher.
* * *
The Berlin event was hosted by Alexander Morlang, a parliamentarian who belongs to Germany’s digitally vigilant Pirate party. He made a point of inviting roughly 180 government administrators. None showed.
“It’s important to teach employees of the government in case they want to do some whistle-blowing at some point,” said Morlang, a sturdy, bespectacled man with a pony-tail. His t-shirt read, “Hell yeah it’s rocket science!”
A professional systems administrator, Morlang won his seat in 2011 during Germany’s second wave of Pirate nominations and served as chairman of a parliamentary committee on Digital Management, Data Protection and Freedom of Information until April. The first wave of Pirates were elected in 2009 during heated debate over a data retention law that drew criticisms similar to those raised in Australia. (A year after the German law passed, the country’s high court suspended it, citing privacy concerns.) In the wake of the NSA surveillance leaks, the concerns around which the Pirates built their campaigns — fears that some opponents called paranoid — have gained cross-party resonance.
“All democratically elected political parties have to take the topic of data protection on board,” said Jochim Selzer, a mathematician and cryptoparty coordinator, in an interview with German broadcaster Deutsche Welle in July. “The issue can’t be owned by a single party.”
For their part, the Pirates count digital privacy as fundamental right, not a privilege subject to compromise in the name of national security. Cryptography is a means to that end. It offers a sense of control and relief to people concerned that their personal liberties are being siphoned through their smartphones and ethernet cables.
“I’m worried that the government won’t grant me the privacy I think I deserve,” said Daniela Berger, a developer who attended the Berlin cryptoparty to learn about TOR. Like many Germans, she is both angry and disheartened by her country’s role in NSA surveillance operations. “I think my freedom should be of high value to my government and right now we’re steering in a direction where my privacy is an afterthought, if it’s a thought at all.”
* * *
A common refrain from people who don’t encrypt is that they have nothing to hide, so why bother? Allowing the government to comb through personal data is no problem if it might help foil the next terrorist plot, the reasoning goes.
Appelbaum and Roth would argue that encryption is a means of protecting freedom of expression of government overzealousness. Roth’s partner, Andrej Holm, a sociology professor at Humboldt University in Berlin, was arrested one summer morning in 2007 during a raid on the couple’s home. Authorities suspected him of leading a group of arsonists who had staged attacks in the city months earlier. Language he had used in academic essays about gentrification and urban policy bore similarities to rhetoric the arsonists used when claiming responsibility for the attacks, the government said. A pretrial detention document noted that authorities’ suspicions were triggered, in part, by Holm encrypting his emails.
After he spent time in jail and solitary confinement, a federal court ruled that the suspicions were not justified and overturned the arrest warrant. Holm, who by then was out on bail, did not have to return to jail. “Many people think you must have something to hide if you’re encrypting your email,” Roth said. “It’s something we have to get past.”
“Right now, as soon as someone is encrypting, he gets flagged” by government monitors, Morlang said. His theory is that so few Internet users go to such lengths to shield their data that the act alone is viewed as suspicious, even when the encrypted content is harmless. If the technique were to become the norm — if it reaches a critical mass of, say, 30 percent adoption, Morlang said — that might reduce the risk of getting flagged.
Morlang likened such a proliferation to a denial-of-service (DDoS) attack — a common weapon of hackers around the world that has been used to bring down websites of governments, banks, and news organizations. “We need to show that this surveillance practice is an unsustainable use of government resources,” he said. But couldn’t more encryption make the government’s job of finding potential terrorists more difficult? Rolling a cigarette with his fingers, Morlang chose his words carefully.
“Banning cryptography is not an option, and we will never get the government to stop monitoring,” he said. “But we can make it really expensive. If everyone is encrypting, then the government has to take more care with who it investigates.” Authorities would then have to resort to using more targeted and time-consuming tactics, like a targeted piece of malware. “Maybe they only use that 20 times a year, when they really have to,” Morlang said.
In the meantime, Morlang is coming to terms with the idea that encryption might put its users even more squarely in the government’s sights. “This is the price we pay to win the crypto war.”