Safe Haven

CryptoRights crew teaches encryption survival skills

Once a month or so, volunteers from San Franciscos CryptoRights Foundation travel to Guatemala. There, they teach human rights workers how to secure their computers against hackers, crackers and other species of online vandals. Their students are bright, eager and motivated.

How well they learn their lessons will determine if some of the countrys worst criminals are brought to justice or go unpunished.

Those are the stakes CryptoRights founder Dave Del Torto faces each day. Instead of locking up secrets for corporations or governments, the group he founded in 1999 generally aspires to do exactly the opposite, keep nongovernmental secrets under wraps and out of the hands of prying governments. He thinks his work is making a difference.

"The people I am working with now really want me there," said the 20-year veteran of Silicon Valleys technology scene. "They remember their pass phrases, and you dont need to explain to them why they need long ones."

For 36 years, well into the 1990s, Guatemala faced an armed insurgency and an armed government that fairly tore the nation apart. Year after year, guerrillas would hide out in remote villages. And year after year, government soldiers would chase them from their hiding places, terrorizing villages suspected of harboring the insurgency in the process. Tens of thousands of civilians died, and hundreds of military leaders went unpunished.

But that record is slowly being reversed, in large part because of the testimony contained in more than 5,000 interviews carried out by the countrys small and increasingly persecuted band of human rights workers. Much of that testimony was put together in the early 90s and secured with encryption technologies supplied by trainers from the American Association for the Advancement of Science. Making sure crypto keeps that record intact is a large part of CryptoRights mission.

CryptoRights is an offshoot, of sorts, of the privacy revolution led by the founding fathers of modern cryptography: Whitfield Diffie, who invented public-key cryptography, and Pretty Good Privacy (PGP) inventor Phil Zimmermann. Both attacked the difficulties of the field precisely because they resented the U.S. governments lock on cryptology. Each thought the technology could rein in unbridled government eavesdropping such as that done against activists of the1960s. CryptoRights hopes to make that aspiration real.

So far, the group has received funding from George Soros Open Society Institute and is pursuing more. Its founders have put out feelers to philanthropists in the tech community and hope to branch out to more of Latin America, Asia and even the Middle East. For now, however, their work is focused in Guatemala and Peru. And there is plenty to keep them busy.

One major human rights group that activists visited in early February, for instance, was having recurring problems with information leaks; word of projects it had been working on were filtering out to the military. Harassment of workers suggested that officials had inside knowledge of the groups operations. The group suspected sabotage.

As it turned out, the human rights workers had connected their local area network directly to the local Internet service provider. But the network had no firewall between it and the outside world. Another problem: Every networking option available in Microsofts Windows was being used by default, including one that let anyone on the network read anyone elses files.

Anyone, in this case, included the Guatemalan army, which also happened to run the groups service provider.

Del Torto and fellow volunteer Robert Guerra got to work quickly. They configured the groups network to minimize leaks to the outside. They loaded up many of the machines with the standard package of PGP encryption tools for e-mail and disk scrambling, then returned to the U.S. A short time later, workers found the PGP software had mysteriously disappeared from two of the offices machines. Del Torto soon produced a cheap firewall device that network administrators added to their network.

"The problem there is not only one of encryption, but also the general level of familiarity with normal security tools that we have here," said Guerra, who directs Latin American operations from the safety of his home in Toronto. "They have no idea of where to begin."

Getting people to use the technology is not always so easy. When Del Torto and Guerra initially visited the country earlier this year, they found some human rights workers had stopped using PGP, while others newer to the field had yet to learn. Getting people back up to speed was part of their mission. At the same time, other groups had kept detailed records of intrusions they had experienced. Together with CryptoRights, they are assembling a security guide tailored especially for people in the field.

Human rights workers are under almost constant surveillance and desperately need encryption and other security technologies to protect themselves from harm, said Minky Worden, director of electronic media of Human Rights Watch, which catalogs human rights abuses worldwide.

"The work that CryptoRights is doing to encourage the acceptance of strong encryption is really a tremendous benefit to the activist community," Worden said. "[Human rights workers] really have so few tools to deal with oppressive governments."