Category Archives: Activism

Ideas to support the Tor Project: Wikipedia IdeaLab proposal

Special thanks to my open-access comrade-in-arms Lane Rasberry.

Lane emailed me this morning asking for my input on a current proposal that’s on Jimmy Wales very own Wikipedia talk page.

After CC’ing Runa Sandvik from the Tor Project to verify the factuality of my feedback for the Wikipedia community, I posted my comments.

The ongoing issue, that Jacob Appelbaum repeatedly vocalizes, is that Tor users, Jacob included, is not able to protect his identity and contribute to the knowledge base that exists on Wikipedia.

Political activists and dissidents create a critical feedback loop into the controversial dialogue that is only made possible through the Internet and social media. Not only are these people self-empowering, they are the ones most likely to seek out the truth.

From Lane:

If you would be willing to write a brief set of proposals about what Wikipedia should do with Tor, then [Lane] would format those with you in the IdeaLab. This is a space where ideas are stored on Wikipedia so that they would always be found if anyone ever wanted them. I think it would be a good idea just to establish the conversation.

https://meta.wikimedia.org/wiki/Grants:IdeaLab

[If] it is of interest to you, I would help you start a proposal, format it properly, publicize it, and if you know anyone in the Tor community that might want to make a grant proposal for funding to establish and document the relationship between Tor and Wikipedia, then I might be able to advise on how to do that also.

This conversation is happening now live and it does have Jimbo Wales’ attention. It would be awesome to get input from established Tor supporters.

If you would like to create a proposal and have the support of a Wikipedia veteran, please contact Lane directly, and ask for other peoples input! I’m also extremely interested in supporting, I just don’t know what an ideal proposal would look like, and I don’t want to speak on behalf of Tor Project.

Thank you!

Advertisements

Developing an Open Educational Resource on Encryption

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

— Edward Snowden, answering questions live on the Guardian’s website

Society needs an educational resource, covering the complex topics involved with information encryption, that is modular, openly accessible, and freely remixable. This is my proposal to create such a resource.

Open Educational Resources (OER) are freely accessible, openly licensed documents and media that are useful for teaching, learning, educational, assessment and research purposes. The development and promotion of open educational resources is often motivated by a desire to curb the commodification of knowledge[1] and provide an alternate or enhanced educational paradigm.

Utilizing Creative Commons licensing, an OER can be created on oercommons.org, where it will be maintained by a single authority, yet anyone in the world will be able to adapt and create their own work from ours. Oercommons.org provides a long-term support platform for maintaining these resources.

I started publicly asking for help in June of 2013–and I received a very warm welcome. You don’t have to look far to see why.

2013-06-24

August 2013:

2013-08-23 2013-08-23-2

October 2013: KEYNOTE: Journalism in the Age of Surveillance, Threat Modeling: Determining Digital Security for You, [For Journalism] Keeping Under the Security Radar, Improving Your Digital Hygiene

December 2013: United We Stand — and Encrypt by Josh Sterns2013-12-21

December 2013: Arab journalists need training for civil unrest and wars — referencing the CPJ’s Journalist Security Guide

January 2014: A Modest Proposal for Encrypting the Work of Activists by Kate Krauss

2014-01-20

It is clear that a diversity of educational resources are needed. While my original proposal was going to be supported by the United States Open Knowledge Foundation, OKFNUS has since back peddled due to lack of support from central-OKF. I am hoping that the many people behind Crypto.is are interested in spearheading the development of this OER. If they are not, and no other organization is, I will shortly be registering my own domain name to create a project launch page.

The initial launch of the OER can be created using Micah Lee‘s work, of the Freedom of the Press Foundation, Encryption Works: How to Protect Your Privacy (And Your Sources) in the Age of NSA Surveillance. Micah and the Freedom of the Press Foundation graciously licensed this work as CC-BY, allowing us, and even Wikipedia to reuse the work with attribution. I am hoping that Micah, himself, will want to be included in this project.

The target audience, initially, will be journalists, whistle blowers, activists, and dissidents. While these groups are the extreme, their example proves useful for the rest of society.

Please comment on this post, or tweet me, or email me your feedback.

Encryption for journalists #TA3M

Techno activism

Techno-Activism Third Mondays (TA3M) is an informal meetup designed to connect software creators and software users who are interested in learning or teaching about censorship, surveillance, and various open source technologies for personal computing devices of all kinds. The New York based OpenITP nonprofit is the organization behind starting TA3M in December 2012, with New York, San Francisco and Berlin hosting their first TA3M events in January of 2013. Currently, TA3M events are held in at least 20 cities throughout the world, with many more launching every month.

Seattle hosted its first TA3M event in August 2013. In our November event, 35 people were in attendance to partake in presentations about Geeks Without Bounds involvement, Tor software development, and Tor use on personal computing devices.

Seattle journalists

For December’s TA3M in Seattle, I’ll be presenting on the use of specific open source encrypted communications applications for mobile and personal computing devices. The target audience for my presentation will be for people brand new to using these encryption-optional chat tools, but for people generally familiar with instant messaging platforms.

  • ChatSecure for Android and iOS, by The Guardian Project
  • Orbot for Android, by The Guardian Project
  • Pidgin for Windows, OSX, and Linux

The rough draft of my presentation can be found here.

Tentative event schedule here.

If you are planning to attend this free and open-to-the-public event, and have any questions that technical people such as me can help answer for you, please post questions in the comment section of this post.

 

ChatSecure Tutorial for #TA3M

This post is made for Seattle’s Techno-Activism 3rd Mondays (#TA3M) event on December 16, 2013. For details about the event, stay tuned by this wiki page: https://wiki.openitp.org/events:techno-activism_3rd_mondays:seattle

In my presentation I’ll be demonstrating how to use The Guardian Project‘s mobile device application ChatSecure (Android) (iOS), which is a tool for people wanting to keep their text-based conversations private and secure. To demonstrate at #TA3M, I will be using my HTC cell phone and a Windows laptop. My phone will be pre-configured to use ChatSecure, but I’ll install and configure Pidgin and pidgin-otr on my laptop since I’ll have access to a projector. I’ll start the presentation by running through this blog post and its screenshots, but will integrate the Pidgin demonstration once I get to the contact management and OTR initialization screenshots.

Please comment on this post or Tweet at me if you have any feedback.

 

Creative Commons License
This blog post (ChatSecure Tutorial for #TA3M by Christopher Sheats) is licensed under a Creative Commons Attribution 3.0 Unported License. You are free to copy and remix it without restriction.

ta3m

Install ChatSecure. I installed it from the Google Play Store.

15

Open the ChatSecure application.
15

Set a strong password that you can remember. This password is set to protect access to ChatSecure, in case your phone is stolen or compromised. This is an added layer of protection so that adversaries cannot access your past communications or pretend to be you and have conversations with your contacts.
15
15
15

Add an account. For demonstration purposes and ease-of-use, I’ve opted to use my Gmail address. Using a Google account will likely be the lease private means of private conversation. Keep in mind that Google and the NSA will own the metadata of your chats, including:

  1. The fact that you are using the internet (time stamp)
  2. The fact that you are signing in and out of Google (time stamp)
  3. The fact that you are conversing with a specific person (contact and time stamps)

Also keep in mind that when using Off The Record (OTR) messaging, Google and the NSA will not be able to have the information contained in your conversation, since it will be encrypted.

15
15

XMPP and ZeroConf are alternative messaging architectures that may allow you greater privacy if used correctly. Be sure to research what chat protocol is best for you and the risks that you face.
15
15
15

Connecting to Google via the Tor anonymity network is recommended to protect your physical location’s metadata and for ensuring private transit. However, be aware that if you’re using a cell phone, your cell service provider knows where you are, and if the NSA needed to find out where you were during an OTR conversation, could compare the time stamps that Google and your cell service provider have.

Selecting this check box will bring up a dialogue to install Orbot (Android) if you do not already have it installed.
15
15
15

Install Orbot.
15

Open Orbot.
15

Select your language.
15

Read and click through the dialogue.
15
15

If you have not rooted your Android, you will not be able to use Orbot’s advanced functionality. But for the purpose of using ChatSecure and other applications designed to work with Orbot, you are going to be able to utilize the Tor network.
15
15

It looks like Orbot hasn’t been updated to advertise ChatSecure by its new name–formerly Gibberbot.
15
15

Press and hold the ‘power’ icon in the center to start your Tor connection.
15

Orbot will begin connecting to the Tor network automatically.
15
15
15

Now you’re connected to Tor and your ChatSecure application will route its communication through Tor.
15

Sign into your Google account (similar to Google Hangouts).
15

Select the three-vertical-box icon to access Settings.
15
15

Select Chat Encryption.
15

Require encryption for your ChatSecure/OTR conversations.
15

You may need to add a contact.
15

Enter the email or account address of the person whom you wish to converse with.
15

Select the person whom you wish to converse with.
15

Say hello! Keep in mind that the padlock at the top of the screen is not locked. This “hello” will be in cleartext.
15
15
15

Select the padlock to start the encryption (OTR) initialization process. The person with whom you are chatting with must have an OTR-compatible client, ideally the same version of the same software, or at least up-to-date OTR-compatible application, like Pidgin for PC, Mac, and Linux.
15

Your ChatSecure conversation is now encrypted using OTR; however, because the question mark in the padlock is yellow, it is indicating that the person with whom you are chatting with is not verified.
15

Select the padlock again to Verify the person (ID) whom you are chatting with.
15

Ideally you will select Question in order to answer a question for which you and the person whom you are privately conversing with know the answer to. This helps verify that you’re talking to the right person. You should also verify the ‘public key fingerprint‘. For the purpose and ease-of-use for this presentation, I manually approved the identity.
15

Verify the prints!!! and inform the person with whom you’re speaking of yours!!!
15

Now that you have verified the identity of the person with whom you are conversing, ChatSecure changed the padlock icon from a yellow question mark to a purple check.
15

Notice that because OTR (end-to-end encryption) is functioning and the person on the other end is verified, the text that is sent and received from now on also uses the purple padlock.
15
15

By default, ChatSecure will not store your conversation on your mobile device. So when you close a chat window and start a new session, you will have no chat history.
15

This is an example of what “information” Google and the NSA see from your OTR conversation. Privacy rules!
15

DISCLAIMER: The above public key finger prints are not my actual prints. These screenshots are only for the purposes of my demonstration.

A local initiative for the people’s right to privacy

“Gentlemen do not read each other’s mail.”

This was said by Henry L. Stimson in 1929 in support of the US State Department’s defunding of the Black Chamber program that was used to decipher foreign ambassador communications. At that time, Stinson was the Secretary of State under President William Howard Taft. Stinson’s opinion, however, is said to have changed while he served as the Secretary of War under President Herbert Hoover and President Franklin D. Roosevelt, in which the United States government relied heavily on the enemy’s decrypted communications during wartime.

Mass surveillance is a crime against people, not just the American people. The people did not ask for it, not even the special interests behind the development of the Patriot Act. Secret mass surveillance and secret laws are instituted and accepted by people in power, to gain and maintain power, which are acts that are illegitimate of a developing democracy. They are illegitimate acts of a country that developed the Internet.

Civilly speaking, cryptographically encrypting information before transmission is the same as licking and sealing a letter before mailing it. It is the same as closing a clear glass door on a telephone booth before having a private conversation. It is the same as putting on clothes to protect things expected to remain private.

I expect that only entities that privately sign digital certificates that create the foundation for private chats, private socializing, and secure transactions on the internet can decrypt my information. It should be illegal for entities beyond the original signer of public key infrastructure certificates to have a copy of the private key in such a way that allows said entity to view or record the decrypted content that is expected to remain private between two specific parties. It should also be illegal for any entity to attempt to break or subvert encryption mechanisms on common-carrier infrastructure as long as that data is being transmitted or being stored on American soil, no matter the nationality of the person transmitting their encrypted internet content. It is time for the United States to learn from its mistakes and emerge as a civil liberties leader.

What I would like to do is identify other leaders throughout the United States that want to pass a shared city law that makes illegal the above acts. We should all vote for and approve these laws in tandem to reduce the risk of federal or state legal threats. Cities need to come together to protect local internet infrastructure.

Governance representatives are failing to protect the nature of our constitutional protections in law and debate.  They are failing to understand the importance of the Internet. Federal representatives are literally working backwards at times, with the Patriot Act, CISPA, PIPA, and the TPP as perfect examples. It is time to work from the ground up and enact local laws that affect local internet infrastructure.

We cannot let special interest groups, that bribe our representatives, write our laws for us. The interest of the people needs to be voiced through local law. Let us tell state and federal government that it is not okay to subvert public law with secret law, and that mass surveillance cannot be tolerated, period. Law enforcement has worked, successfully, for hundreds of years without mass surveillance. The city laws that I am proposing do not inhibit the normal procedure of law enforcement to acquire a warrant, through justified evidence, to obtain private information about specific individuals to prevent or punish crime.

In addition to hosting DNS root servers and the Seattle Internet Exchange, the Westin datacenter connects us to billions of un-Americans on the other side of the Pacific Ocean. Many other cities throughout the United States host similar infrastructure. These communication points are ideal for the placement of unethical surveillance equipment, and we must make this act illegal in our cities. Let us put pressure on our state by protecting local resources, the technology that ensures the security of our online communications, and the integrity of our local businesses.

From https://www.aclu.org/sites/default/files/assets/lavabit_brief_of_us.pdf, it is clear that sometimes our founding legal frameworks are not explicit.

THE FOURTH AMENDMENT DOES NOT PROHIBIT OBTAINING ENCRYPTION KEYS FOR THE PURPOSE OF DECRYPTING COMMUNICATIONS THAT THE GOVERNMENT IS LAWFULLY AUTHORIZED TO COLLECT

Let us build our own laws for our expectations of privacy. For example, as described in the book, Toward an Information Bill of Rights & Responsibilities (http://yawnbox.com/?p=283):

Preamble

Information privacy is the claim of individuals to determine what information about them is disclosed to others and encompasses the collection, maintenance, and use of identifiable information. Privacy is an important value in a democratic society. For individuals, it enhances their sense of autonomy and dignity by permitting them to influence what others know about them. For associations, privacy enhances the ability of individuals to function collectively by permitting the association to keep deliberations and membership and other activities confidential. For society, privacy fosters individual and associational contributions to society, promotes diversity, and limits undesirable conduct and abuse of authority by government and other institutions.

Privacy is not an absolute right. It must be balanced with competing values and interests, including First Amendment rights, law enforcement interests, and business or economic interests in information. The following Code of Information Rights and Responsibilities attempts to strike an appropriate balance between privacy and competing interests, in an environment shaped be technological breakthroughs in the ability of organizations to collect and disseminate personal information.

A number of characteristics of the new information environment make it imperative to adopt a Code of Information Rights and Responsibilities. These include:

  • Technological enhancements in the ability to capture, store, aggregate, exchange, and synthesize large quantities of information about individuals, their transactions, and their behavior;
  • Proliferation of powerful computing capacity to the desktop;
  • Creation of worldwide networks through which information about individuals can easily, cheaply, and quickly flow;
  • Increasing use of target marketing, modeling, and profiling;
  • New technological abilities that permit individuals to access personal data maintained by others;
  • Decreasing cost of computing technology used to manipulate data;
  • New social and cultural values and developments regarding personal information.

Two general principles apply to all of the provisions of the Code of Information Rights and Responsibilities. First, an individual is entitled to greater protection and due process when information is used to make determinations about his or her rights, benefits or opportunities. Second, the protection of privacy must be interpreted consistently with First Amendment principles. Resolving the inherent tensions between the values of privacy and the First Amendment must take place on a case-by-case basis.

The scope of the Code of Information Rights and Responsibilities is limited to individual and associational privacy as defined above, and does not cover government and corporate interests in secrecy. It addresses how activities of information keepers and processors involving the collection, maintenance, and use of personal information should be evaluated when privacy interests overlap or conflict with other interests, values, or significant community needs.

First Principles

A. Collection
There should be limits on the ability of information keepers and processors to collect personal information. Information should only be collected when relevant, necessary, and socially acceptable.

A-1.
Information should be collected directly from the individual whenever possible.

A-2.
When not collecting information directly from the individual, notice, access, correction, and other rights should be provided if the information is used to determine rights, benefits, and opportunities.

B. Notice/Transparency
Individuals providing information to an information keeper and processor have the right to receive, at the time that information is provided, a notice of information practices describing how the information will be used, maintained, and disclosed. Information keepers and processors must provide a copy of notice of information practices upon request. There should be no secret systems containing personal information. Individuals have a responsibility to make informed choices about how information about them is to be used.

C. Access and Correction
Individuals have the right to see and have a copy of any information about themselves maintained by others, consistent with the First Amendment and with other important public and private policy interests. Individuals have the right to seek correction of information that is in error. When a correction is made, the individual may require that copies of the corrected information be provided to all previous recipients. Where this is a disagreement about the accuracy of information, the individual may include along with the disputed information a statement of disagreement.

D. Use
Information may only be used for a purpose that is identified and described at the time that the information is collected. Other uses may be permitted only if they are not inconsistent with the original understanding.

E. Disclosure
Disclosures other than those described at the time of collection may be made to third parties only with the consent of the individual or where required by law. Explicit consent by the data subject shall be required for personal information of the highest sensitivity and may be implied for less sensitive personal information. (Whether consent must be express [opt-in] or may be implied [opt-out] is an open question.)

F. Accuracy
Information keepers and processors must take appropriate steps to assure the accuracy, completeness, timeliness, and security of the information. Information keepers and processors must devote adequate resources to these functions.

G. Enforcement
Rules about the collection, maintenance, use, and disclosure of information should be enforced through suitable mechanisms, such as administrative processes, professional standards, civil actions, criminal penalties, government or private ombudsmen, and other means.

H. Oversight
There is a need for an independent federal entity to conduct privacy oversight and policy-making activities.

  • Information keepers and processors and others should be encouraged to explore technical means to protect privacy.
  • There should be an exploration of other means to promote self-determination in the use of personal information, including proprietary rights and dual control mechanisms.
  • The creation of information trustees who maintain personal data on behalf of diverse information keepers and processors should be considered.
  • There is a need to explore the rights and responsibilities of individuals and information keepers and processors when changes in the use and disclosure of information are developed after the time of collection.

Together we must begin drafting a law that can be shared by the people, city governance, and our local businesses. Together we must approve these measures and begin putting a stop to mass surveillance on any and all people, not just Americans, while also demonstrating our right to privacy.