Runa A. Sandvik is a privacy and security researcher, working at the intersection of technology, law and policy. She teaches digital security to journalists and helps media organizations improve their security posture. We caught up with her before her RSA Conference session Cryptoparty: tuTORial—Learn How to Use TOR to Be Anonymous Online to talk about Tor, privacy and what happens at a cryptoparty.
RSAC: What sparked your interested in security?
Sandvik: I think it was the challenge — that there’s always a new puzzle to solve, always something to figure out. I think that is what initially caught my interest. I liked the challenge of it, and the opportunity to learn more and more.
RSAC: What is a cryptoparty?
Sandvik: It is a term used for meet-ups around the world, organized by volunteers with the one goal of teaching attendees about encryption. In some cases there have been cryptoparties specifically geared towards journalists or activists. You can, for example, learn how to be anonymous online, how to make encrypted phone calls and how to securely store information on your computer.
RSAC: Why do you think encryption is important?
Sandvik: At a very basic level, encryption protects our data. That data can be what you’re searching for on Google, which news article you’re currently reading, or your financial information. The content doesn’t really matter; it doesn’t have to be something very sensitive.
RSAC: What is the value in protecting that?
Sandvik: It’s easy to see how encryption can be used to protect activists and journalists, but encryption protects everyone else—people like you and me—as well. By protecting our data, encryption essentially protects our privacy online. Privacy from service providers, data brokers, malicious attackers, etc.
RSAC: What is Tor?
Sandvik: Tor is a tool that allows you to be anonymous online; it accomplishes this by bouncing your traffic through random servers around the world, making it difficult to link who you are and where you are going. Users of Tor include activists, journalists, security researchers and law enforcement.
RSAC: What is the value for normal people?
Sandvik: My session at RSAC will show that Tor is not just for activists and journalists. There is value in using the tool for normal people as well. A part of my session will also discuss ways in which Tor can be useful for businesses; I will talk more about what the benefits are and why businesses should follow Facebook’s example of supporting the users who wish to access the site using Tor.
RSAC: What are the benefits for companies?
Sandvik: The benefits for companies may include things like safer research on certain topics, access to content that would otherwise be unavailable, and the ability to better support users who wish to access their site and/or services using Tor. There is far more to Tor than online anonymity, which is something I will discuss in the session.
RSAC: What else can people to do protect their data and privacy?
Sandvik: There are a number of different tools and technologies available to help you protect your data and privacy. Using the Tor Browser is one option. Another one is installing an ad blocker and HTTPS Everywhere into your normal browser. You can also look into mobile apps for secure communication, which prevents your service provider from knowing who you’re communicating with, how often, for how long, and about what.
RSAC: What’s the biggest mistake you see people making when it comes to online privacy?
Sandvik: If I had to pick one thing, it’s probably the lack of awareness. For a lot of people, online privacy is not a topic until they’ve had something happen—whether that’s having their iCloud accounts hacked or their Facebook accounts stolen. Many assume that they retain control over their personal information once that information has been put online. We need to do a better job of educating the public about the challenges with online privacy.
RSAC: Why should people come to your session at RSA Conference? What will they learn?
Sandvik: My session will focus not just on what Tor is and how it works, but also discuss some of the benefits Tor can have for businesses. I also want to try and dispel some of the myths around the tool. There will be more than enough time for questions too.