Like millions of others, NYU graduate student Allison Burtch was shocked by Edward Snowden’s leaks in June. But as internet users got used to the news that major companies were funneling data to the NSA, she wondered what effect it was actually having. "When Snowden first leaked the documents, I was sitting around with friends, and I asked them 'Okay, are you still using Facebook? Are you still using Gmail? Are you still on whatever internet provider?’" she says. "And none of us had changed our internet habits." In response, Burtch and other volunteers with the art and technology collective Eyebeam organized PRISM Breakup, a combination art exhibit and three-day conference meant to make encryption and security accessible to everyone.

That goal has motivated privacy advocates for years, but the recent leaks have brought their lexicon front and center. "Everyone knows what metadata is," says fellow organizer Aurelia Moser. "I had this alert on Google for all of the articles about metadata [before the leaks], and nothing would come to my inbox every week. Now, I get this dump of about 40 articles about metadata. People are talking about it in sitcoms." While the similarly named but unrelated PRISM Break gave users alternatives to products by Google, Microsoft, Apple, and others, PRISM Breakup provided a physical meeting point. Its biggest issue, though, wasn’t teaching people to secure their data. It was figuring out how to gather a host of different problems under the banner of "anti-surveillance."

Img_5020

Dan Phiffer, founder of the Occupy.here darknet.

If you’re white, American, and reasonably wealthy, you might still be the explicit target of surveillance. If you’ve had contact with a major tech company like Google or maintain a US phone number, you’re almost certainly in one of the phone and internet record databases the NSA maintains. But your everyday life, in most cases, isn’t considered fair game for examination. The same isn’t true for Muslim New Yorkers whose restaurants and places of worship are infiltrated by police, or welfare recipients who must prove they’re worthy of receiving help. For people who are already targeted by law enforcement in the US and elsewhere, the problem isn’t simply that privacy is being violated. It’s that any increase of government surveillance powers means more avenues for profiling and discrimination.

As New America Foundation research fellow Seeta Peña Gangadharan said in an early talk, being surprised by surveillance is a luxury: "Welcome to our world, Edward Snowden." In one panel — appropriately titled "But I have nothing to hide!" — attendees practiced extracting details about someone’s life from their metadata: call logs can reveal where your family lives, broad web history can indicate your gender and where you work. The purpose of many "nothing to hide" rebuttals is to pull all of us into the same boat, to prove that everybody has something they’d rather keep private. Coming right after Gangadharan’s talk, though, it just drove home the fact that those secrets are much more likely to be used against some people than others.

That split — between privacy as abstract right and privacy as survival tool — necessarily pervades something like PRISM Breakup. Pro-privacy activism can mean protecting citizen journalists from arrest, and it can mean creating a whimsical red "phone booth" that acts as a tiny, private cell tower. But when you put those two things in close proximity, the latter can come off as posturing.

"The people who need security the most are usually not those who understand it the most."

Panelists and workshop instructors all urged participants to work towards encryption that wasn’t just for the technically adept. Barbra Mack, who helps manage a decade-old encrypted database tool called Martus, warned against getting caught in an "engineering-tech loop" by making software more secure but impossibly difficult to use — sure, a randomly generated on-screen keyboard could thwart click-tracking malware, but would anyone bother typing on it? "The people who need security the most are usually not those who understand it the most," she said.

Martus is meant to let people secretly document human rights abuses, and the people Mack describes are often living under despotic regimes. But when we talk about opening up encryption to everyone, we often mean people who are vaguely unsettled by PRISM but think setting up secure communications is more trouble than it’s worth. Nadim Kobeissi created Cryptocat, which offers encryption without the need to install or configure special software, partly to address this problem. "I want to chat with my mom using Cryptocat, you know?" said Kobeissi in one talk.

That simplicity can come at a price. In 2012, the purely browser-based Cryptocat was criticized for its potentially insecure Javascript-based cryptography. Kobeissi soon moved to a plugin model, but the year after, a volunteer uncovered a bug that fundamentally compromised Cryptocat’s group chat function. "We require a peer review process for scientific research that can affect people medically," wrote security expert Jeffrey Paul shortly after the bug was fixed. "We, as a community, should require the same of software that can affect people’s well-being when used in environments with hostile governments willing to imprison or hurt those who use such software with an expectation of privacy."

Img_5016

Artist Ryan Jennings Clark's technological collage.

That’s the fundamental problem confronting privacy activists: how do you make a new tool that’s palatable to the mainstream without turning it into a glorified security blanket? People with "nothing to hide" can still benefit from encryption, but that doesn’t mean they’re in the same boat as a Syrian dissident. Make cryptography too difficult, and nobody but encryption experts will use it. Make it too easy, or experiment too much with untested new models, and you risk failing those who have the most to lose.

Strike the right balance, though, and everyone will be better off. The venerable privacy tool Tor is helpful for some and necessary for others, but right now, just using it is enough to mark you as suspicious in the eyes of intelligence analysts. Creating a critical mass wouldn’t just protect the privacy of everyday internet users, it would make targeting individuals harder. Workshop participants like developer Adam Bedell stressed the need for people to not only use the network but host their own nodes.

"Your hammer isn't going to teach you to properly build a table."

So where does the conversation go from here? Several panels emphasized that the ultimate solution isn’t cryptography. Kobeissi mocked the idea of purely technical fixes: "Your hammer isn't going to teach you to properly build a table," he said. "It's the same for encryption software." Instead of preaching to the choir, he wants activists to ally with the NRA and other strange bedfellows. Katherine Maher, of the Stop Watching Us project, outlined a series of legislative changes for Congress to consider. Eyebeam, meanwhile, hopes to keep PRISM Breakup alive, but organizer Heather Dewey-Hagborg is coy about its plans. "We shouldn’t say anything," she says. "Let’s just say that we’re beginning the conversation."