Matt Mitchell's 10 Steps to Starting a "Cryptoparty"

How to keep your privacy private in a digital world.

On a cool spring night in late April, a group of about 30 people have gathered at Creative Workspace in Harlem to talk about secrets. This is Crypto Harlem, a monthly cryptoparty organized by security researcher Matt Mitchell.

In a world of increasingly troubling surveillance, so-called cryptoparties are part of a growing movement to arm folks with digital security training and literacy. In the room tonight is a racially diverse crowd of tech workers, hackers, and activists, as well as laypeople who are just generally curious about how a VPN works.

Mitchell has been running Crypto Harlem for three years and this meet-up has a distinctly intersectional element to it.

“After the death of Trayvon Martin I was like, ‘I should probably do something,’” says Mitchell, who has lived in Harlem for the past 16 years. “For me, it was organizing this event for people in my community so they could learn more about surveillance and circumvention technology.”

Mitchell’s long list of credentials means that he’s well connected in the digital security world and has access to some pretty amazing guest speakers. During Inverse’s visit, Siim Teller, the marketing director of Wire, video called from Berlin — via Wire — to answer questions about the new encrypted chat app. After that, the group heard from high-profile hacker John Threat, who video called to talk about his experiences in the 1990s hacker scene in New York.

Photo: Matt Mitchell facilitates a cryptoparty at the Whitney in New York City in 2016. Credit: Patrick MacLeod

Mitchell says this isn’t always the format; sometimes an entire meeting is spent doing a workshop on some facet of privacy technology. At most meetings, Mitchell makes a point to open up the floor and get a discussion going. Attendees asked him questions about security strategies, and an excited, free-form discussion erupted over software-defined radios and decentralized communication.

The format works. Crypto Harlem is incredibly engaging, easy to follow along, and most importantly: it’s fun.

But fun aside, the idea here is to get as many people as possible engaged in practicing digital security, and cryptoparties like Mitchell’s are really meant to inspire even more cryptoparties. If you’ve ever thought about facilitating, as far as Mitchell’s concerned, you should. All you really need is a computer, wifi, and a little practical know-how.

Here are 10 steps to starting your own cryptoparty, according to Mitchell:

10. Don’t Worry About Being an Expert

“You don’t have to be teaching people — in fact you shouldn’t be — you’re facilitating a conversation and bringing a community together,” Mitchell says. You don’t need to be a software engineer or a security expert to run a cryptoparty. You can teach from a great source, like the Electronic Frontier Foundation’s Security Self Defense Guide. Read it through a few times on your own, and then just go through it with everybody at a meeting.

Mitchell uses the example of the early days of the AIDS epidemic; often it was community members, not doctors and scientists, who were teaching people about safe sex and putting condoms on bananas. It’s the same idea, except instead of condoms, you’re protecting yourself with encryption apps and Tor.

9. Start Small

A cryptoparty can be as simple as five people around a table at a diner somewhere. “You want it to grow organically,” Mitchell says. A small meeting isn’t a bad thing because you get a lot of intimacy. Pick a mellow space where everyone can hear each other talk without a microphone. Mitchell says 50 people should be the max. You start to lose connection after that.

8. Set Yourself An Agenda

To help move your cryptoparty along, set out an agenda for yourself and present it to the group at the start. It could include guests and an open discussion, but it should also cover:

  • Education on risk assessment aka threat modeling.
  • Operational security and information security basics.
  • Ways to learn more and keep up to date.

7. Don’t Do a Cryptoparty in a Hacker Space

“Cryptoparty is about community. It’s not about, ‘Let me show you how cool I am and how much I know,’” Mitchell says.

He chose a centrally-located community center with wifi because he doesn’t want his cryptoparty to feel intimidating to beginners. The space has to be extremely neutral. “It’s like sovereign ground. Nobody’s comfortable there. That’s a good start.”

6. Start Thinking About Security From New Angles

It’s important to Mitchell that Crypto Harlem brings new voices into the room to talk about different security needs. “From being in the hacker scene I know all these people that work on all these projects personally, but they’re not thinking about certain threats — and those are the threats people in this community face every day.”

Someone Mitchell knows who works at a domestic violence shelter once asked him about ways to block people on Signal. At the time, the chat app didn’t have the ability to mute or block people. “So your phone would be blocking people from writing you, and then Signal would let them through,” Mitchell says. “Because Moxie (Marlinspike, the creator of Signal) wasn’t thinking about that threat, he was thinking about other threats.”

The feature has since been added, but having a voice like that in the room added another level to a conversation about privacy.

5. Decide Who You’re Trying to Reach With Your Cryptoparty

Because of institutionalized racism and income inequality, the kinds of people who need this knowledge the most often have it the least. So while cryptoparties should be available to all people, it’s good to focus on one group that you’re either a member of, or you have a certain affinity for, and try to help them. “Especially if that’s a marginalized group or a group that’s specifically affected,” Mitchell says. “Because surveillance is bad, but it’s not meted out evenly. It affects some people more than others.”

4. Do Your Outreach IRL

Go to the neighborhood where you’re going to do your cryptoparty and do some legitimate outreach. Mitchell says for the last Crypto Harlem he spent three hours flyering and talking to kids in the neighborhood. “Find the coffee shops, find the barber shop, find the hair salon, find the mosque, talk to the imam, talk to the pastor of the church,” Mitchell says. “You want real people to show up? Real people don’t use the internet, they’re too busy trying to pay their bills.”

Getting more neighborhood folk in the door helps you avoid the trap of a room full of technology-proficient people just spitballing on topics they already fully understand. “I don’t want it to be an echo chamber of nerds,” Mitchell says.

3. Set Some Rules to Build Trust

In order for attendees to feel comfortable and safe, cryptoparties go by the Chatham House rule. It doesn’t hurt to remind people that, if they’re taking notes, it’s good practice not to write down the names of who said what. Don’t let people record or film your meeting, unless every single person says they’re comfortable with it. “Which no one will agree to,” Mitchell says.

2. Never Teach From a Place of Fear

It can be really easy to become overwhelmed — and frankly, afraid — when you realize the many ways your digital footprint can be tracked or compromised. But if you approach your cryptoparty with a doomsday attitude, people will not come back.

You want attendees to feel like they’re exploring and learning. “People enjoy the sense of community, they like talking about this stuff in a relaxed way,” Mitchell says. “I mean there are problems that there are no solutions for, they are things that keep me up at night. But I don’t talk about that stuff.”

1. Encourage Others to Present

Mitchell says a good way to keep people engaged is to encourage people to present. If they show up once, ask them if they want to do a presentation on Tor the next time they come out. It helps the group feel egalitarian and also might encourage participants to start their own cryptoparties. If you can do it, so can they.

Correction 5/17/17: In the original version of this article it was stated that Siim Teller spoke at Crypto Harlem via Skype, when, in fact, he was video calling via Wire. The article has been edited to reflect that fact.