Cryptoparty: a fun way to learn about security

At this year’s Internet Freedom Festival, Ian Drysdale and I met human rights workers from all over the world.

Many of the people we met risk their lives in the work they do. In a digital world, they rely on technology to keep themselves and their contacts safe. Too often, ‘security’ is something that’s difficult and boring. People sometimes think that passwords are annoying and that encryption is complicated.

But that’s a problem.

Encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age

– Human Rights Council, United Nations, May 2015

It’s important that everyone understands this stuff so we tried to make it fun.

Cryptoparty is a fun way to learn

Inspired by what we’d heard, the Digital Product Research team hosted Co-op Digital’s first Cryptoparty – a fun space for people to get hands-on with digital security. It’s a place to discuss, to play and to have a bit of fun.

Cryptoparty is a worldwide movement. It’s a community with few rules and a mission to help people learn to protect their digital lives.

We made great passwords using dice

Passwords aren’t the best way to get a party started. We mixed in some dice and a codebook containing thousands of words, and turned it into a game. Using a jazzy worksheet, we rolled dice and looked up the results in the codebook to make strong, memorable passphrases.

People liked the physical aspect of rolling dice and looking in a book. With no computers involved, it felt safe from hackers. The strength comes from the dice rather than the book: every word is chosen at random from the whole list, so you should keep the words the dice give you rather than re-rolling for ones you prefer. The only snag was the 3 desks needed to display the 36 printed pages!
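As an added illustration (not code from the Cryptoparty or from Co-op Digital), here is the dice-and-codebook procedure in Python. The 36-word list is constructed for this page and indexed by two dice so it fits on the page; the well-known Diceware list, which the entropy calculation below is also applied to, has 6^5 = 7,776 entries indexed by five dice. The dice are simulated with the `secrets` module only so the script can run on its own; the point of the party activity is that physical dice need no computer at all.

```python
import math
import secrets

DICE_PER_WORD = 2  # assumption for this small list; Diceware uses 5 dice per word

# Constructed wordlist: one entry per two-dice outcome, in order 11, 12, ..., 16, 21, ..., 66.
WORDLIST = [
    "acorn", "badge", "cabin", "daisy", "eagle", "fable",
    "giant", "harp", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "ocean", "panda", "quilt", "robin",
    "salad", "tiger", "ultra", "vivid", "wagon", "xenon",
    "yacht", "zebra", "amber", "blaze", "coral", "dwarf",
    "ember", "frost", "globe", "honey", "ivory", "jumbo",
]
assert len(WORDLIST) == 6 ** DICE_PER_WORD, "every dice outcome must map to exactly one word"


def rolls_to_index(rolls):
    """Treat the dice faces (1-6) as base-6 digits, first roll most significant."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError(f"not a die face: {face}")
        index = index * 6 + (face - 1)
    return index


def passphrase_from_rolls(rolls, wordlist=WORDLIST, dice_per_word=DICE_PER_WORD):
    """Look each group of rolls up in the codebook, exactly as done on paper at the party."""
    if len(rolls) % dice_per_word:
        raise ValueError(f"need a multiple of {dice_per_word} rolls")
    words = [
        wordlist[rolls_to_index(rolls[i:i + dice_per_word])]
        for i in range(0, len(rolls), dice_per_word)
    ]
    return " ".join(words)


def entropy_bits(n_words, wordlist_size):
    """Each word is a uniform choice from the list, so entropy adds up per word."""
    return n_words * math.log2(wordlist_size)


def roll_dice(n):
    """Simulated fair dice; secrets is the CSPRNG, random.randint would not be suitable."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def generate(n_words, wordlist=WORDLIST, dice_per_word=DICE_PER_WORD):
    return passphrase_from_rolls(roll_dice(n_words * dice_per_word), wordlist, dice_per_word)


if __name__ == "__main__":
    print(generate(6))
    print(f"{entropy_bits(6, len(WORDLIST)):.1f} bits with this 36-word list")
    print(f"{entropy_bits(6, 7776):.1f} bits with a 7,776-word list such as Diceware")
```

With the small list above a six-word passphrase carries only about 31 bits, which is why a real codebook needs thousands of words: six words from a 7,776-word list give roughly 77 bits, comfortably beyond offline guessing, and the phrase is still something a person can remember.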

We sent secret messages with Signal

The second activity had people sending secret messages to their loved ones. We installed the free, open source Signal messaging app. Signal was built from the ground up to respect your privacy. As a result, it has become the trusted choice for many journalists and NGOs.

Playing with Signal was a great way to introduce people to end-to-end encryption. That means a message can be read only by the person you sent it to: not by anyone who intercepts it on the way, and not by the people who run Signal’s servers.

If you use WhatsApp you’ll have seen that it also uses end-to-end encryption. The underlying technology is the same – WhatsApp partnered with the Signal developers to build it – but Signal is designed for a more privacy-conscious audience than WhatsApp. All of Signal’s code and design discussions are public, allowing anyone to scrutinise the organisation and the app. That helps build trust that there’s nothing sneaky going on.

We browsed the web privately

In the last activity people installed the Tor Browser, which is built for private browsing. Citizens in authoritarian countries use Tor to bypass internet censorship. NGOs use Tor to research illegal activities by corrupt officials. Officials and politicians themselves use Tor to carry out sensitive work. Millions of ordinary people use Tor to protect against identity thieves, unscrupulous marketers, corporations and authoritarian governments.

Tor protects your identity by bouncing your requests through three volunteer-run relays around the world. Each relay can only see the hop before it and the hop after it, so no single relay can link you to the site you are visiting. People were surprised when they realised they were viewing the web from Canada or Sweden!
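The following is an added example, not part of the original post and not Tor’s own code: a Python sketch, using only the standard library, of the layered (‘onion’) encryption behind that bounce. The relay names, the per-hop keys and the HMAC-based stream cipher are assumptions made for illustration; real Tor negotiates AES keys with each relay through a handshake. What the sketch shows is the property described above: each relay strips exactly one layer, learns only where to send the rest, and only the exit ever sees the request.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode; a stdlib stand-in for the AES-CTR real Tor uses."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one onion layer: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; a wrong key or tampering is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer failed authentication")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def build_onion(path, destination: str, request: bytes) -> bytes:
    """path is [(relay_name, key_shared_with_that_relay), ...] from guard to exit.

    Layers are wrapped from the exit outwards. A decrypted layer reads 'next_hop\\0rest',
    so relay i can peel one layer and learns only where to forward the remainder."""
    blob = destination.encode() + b"\0" + request          # readable by the exit alone
    for i in range(len(path) - 1, -1, -1):
        name, key = path[i]
        blob = encrypt(key, blob)
        if i > 0:                                           # tell the previous relay our name
            blob = name.encode() + b"\0" + blob
    return blob


def relay_process(key: bytes, blob: bytes):
    """What one relay does: peel its layer, read the next hop, forward the remainder."""
    next_hop, _, remainder = decrypt(key, blob).partition(b"\0")
    return next_hop.decode(), remainder


def run_circuit(path, destination: str, request: bytes):
    """Simulate the hops and record what each relay could observe about the circuit."""
    blob = build_onion(path, destination, request)
    previous, observed = "client", []
    for name, key in path:
        next_hop, blob = relay_process(key, blob)
        observed.append({"relay": name, "from": previous, "to": next_hop})
        previous = name
    return blob, observed           # blob is now the bare request, as the destination receives it


if __name__ == "__main__":
    circuit = [(n, os.urandom(32)) for n in ("guard", "middle", "exit")]   # constructed relays
    delivered, seen = run_circuit(circuit, "example.org", b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n")
    for view in seen:
        print(view)
    print(delivered)
```

Running it shows the guard seeing ‘client → middle’, the middle seeing ‘guard → exit’ and the exit seeing ‘middle → example.org’: no relay holds both ends. The same output also shows the caveat worth teaching at a Cryptoparty: the exit relay sees the request itself, so Tor hides who you are from the site and which site you visit from your network, but the content of the request is only private if the site is using HTTPS.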

Encryption and anonymity is for everyone

Technology enables wonderful new ways of connecting with each other. But the way we use technology can also be used against us by corporations, criminals and governments. Laws made by ‘good’ governments are inherited by ‘bad’ ones. Historically, arguments about privacy have missed the point, forgetting that privacy sits right after “innocent until proven guilty” in the Universal Declaration of Human Rights.

To face the future, we’re going to need better debate and better laws. We want to encourage open and inclusive discussion around these issues. Security and privacy affect everyone, so we all need to co-operate and have a say in shaping the future.

This stuff is important. That’s why we party with crypto!

Would you like to see more work in this area?

Paul Furley
Engineer

How much do you know about your connected devices?

The Digital Product Research (DPR) team at Co-op Digital is exploring new products and services. We’ve been trying out Google Ventures’ Design Sprint, a framework that encourages teams to develop, prototype and test ideas in just 5 days.

Recently, we’ve looked at connected devices: everyday objects that communicate with each other or with the internet. It’s a running joke that people don’t read terms of service documents, they just dart down the page to the ‘accept’ button, so how much do they really understand about what they’ve signed up for?

Many connected devices are doing things people might not expect, like selling your personal data, or they’re vulnerable to malicious activity, like your baby monitor being hacked. These things don’t seem to be common knowledge yet, but when they start getting more coverage we expect there to be a big reaction.

A right to know what connected devices are doing

In the DPR team, we have a stance that the Co-op shouldn’t express an opinion on whether what a device is doing is good or bad. We’re just interested in making the information around it accessible to everyone so that people can decide for themselves.

In our first sprint we looked at how people relate to the connected devices they have in their homes. We found that though the people we interviewed were reluctant to switch them off at first, or to disable the ‘smart’ functionality, they were open to learning about what their devices are doing.

Influencing the buying decision

With that in mind, we looked at an earlier point in the buying process. We mapped the buying journey.

Mapping the buying journey on a whiteboard. Shows customers want to buy a TV. They research products by reading expert reviews, user reviews, looking on retailer websites and asking friends. Then they make a decision.

What if journalists and reviewers of connected devices were encouraged to write about privacy and security issues? Maybe this could satisfy our aim to influence consumers. If manufacturers knew that their terms and conditions would be scrutinised by reviewers and read by potential customers, maybe they’d make them more transparent from the start.

Our prototype

We made a website in a day and named it Legalease. The purpose of the website was to gather research. It was a throwaway prototype that wouldn’t be launched. It wasn’t Co-op branded so we could avoid any preconceptions. The site showed product terms and conditions and made it easy for reviewers to identify privacy and security clauses that could be clearer.

Shows a screenshot of Legalease prototype. The page shows an LG smart TV and highlights some of the T&Cs. Eg, 'please be aware that if your spoken word includes personal or other sensitive info, it will be captured if you use voice-recognition features'. Page shows someone's comment below: 'and then what happens to it? is it transmitted anywhere?'

The product page showed ‘top highlighted’ parts of the privacy policy ranked by votes. Annotations called into question the highlighted passage.

Shows a screenshot of another tab on the same page as first screenshot. This tab shows the T&Cs in full and contributors can highlight and comment on parts.

Another page showed the ‘full text’ – the full privacy policy document with annotations. The idea is that anybody who’s interested in this sort of thing can create an account and contribute. We imagined a community of enthusiasts would swarm around the text and discuss what they found noteworthy. This would become a resource for product reviewers (who in this case were our user research participants) to use in their reviews.

We interviewed reviewers

We spoke to a mixture of journalists and reviewers from publications like the Guardian and BBC and lesser known review sites like rtings.com. We got to understand how they write their stories.

Objectivity versus subjectivity

We found that what they write can be anywhere on the scale of objective to subjective. For example, a reviewer at rtings.com used repeatable machine testing to describe product features while a writer for The Next Web was able to introduce their own personal and political slant in their articles.

Accuracy

We found that the accuracy of their articles was important to them. They’d use their personal and professional contacts for corroboration and often go to the source to give them a chance to reply.

Sensationalism is winning!

We’re in danger of ‘fake news’. One of our research participants said:

“Now, with everything being on the internet, it’s pretty easy for someone who just has a couple of mates to throw stuff together on a blog and it look very persuasive.”

We found that they used a mixture of analytics and social media to measure their impact. There was no mention of being concerned with the broader impact their articles might have in terms of whether or not people bought the products based on certain aspects of what they wrote about.

Reviewers’ thoughts on our product

Some of our research participants made comparisons with websites that have similar structure and interactions like Genius and Medium. The annotations on the Legalease prototype highlighted ambiguity in the terms and conditions but our participants didn’t find that useful – they expected more objectivity. They were also concerned about the validity of the people making the annotations and said that lawyers or similar professionals would carry more weight and authority.

How ‘Co-op’ is the idea?

Our participants thought our prototype was open, fair and community-spirited, so it reflects Co-op’s values. There were question marks around whether older organisations like Co-op can reinvent themselves in this way, though.

Reviewing security as well as features

Security and privacy are starting to show up more often in:

But after our research we don’t think reviewers would use something like a Legalease site to talk about security and privacy. Some of the journalists we spoke to thought their readers didn’t care about these issues, or that people are resigned to a lack of privacy. One said:

“People tend to approach tech products with blind faith, that they do what they say they do.”

Connecting the abstract with the real world

Our participants told us their readers are bothered by being bombarded by targeted ads and being ‘ripped off’. This leads us to consider exploring how to connect the more abstract issues around data protection and privacy to these real-world manifestations of those issues. Then we should explain why these annoying things keep happening — and in plain, everyday language.

James Rice
Product designer