Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Electronic Frontier Foundation Encryption Government Privacy

EFF Unveils Plan For Ending Mass Surveillance 282

An anonymous reader writes: The Electronic Frontier Foundation has published a detailed, global strategy for ridding ourselves of mass surveillance. They stress that this must be an international effort — while citizens of many countries can vote against politicians who support surveillance, there are also many countries where the citizens have to resort to other methods. The central part of the EFF's plan is: encryption, encryption, encryption. They say we need to build new secure communications tools, pressure existing tech companies to make their products secure against everyone, and get ordinary internet-goers to recognize that encryption is a fundamental part of communication in the surveillance age.

They also advocate fighting for transparency and against overreach on a national level. "[T]he more people worldwide understand the threat and the more they understand how to protect themselves—and just as importantly, what they should expect in the way of support from companies and governments—the more we can agitate for the changes we need online to fend off the dragnet collection of data." The EFF references a document created to apply the principles of human rights to communications surveillance, which they say are "our way of making sure that the global norm for human rights in the context of communication surveillance isn't the warped viewpoint of NSA and its four closest allies, but that of 50 years of human rights standards showing mass surveillance to be unnecessary and disproportionate."
This discussion has been archived. No new comments can be posted.

EFF Unveils Plan For Ending Mass Surveillance

Comments Filter:
  • by Anonymous Coward on Tuesday January 27, 2015 @02:30AM (#48911845)

    So, Slashdot, should we expect your support?. https, when?

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      So, Slashdot, should we expect your support?. https, when?

      Be thankful that AC posting is still legal here.

      Or anywhere on the internet for that matter.

      • While AC posting might obscure your username, the IP address that's likely logged will not.
        ( Unless you're coming in via proxy )

        Long time users can be matched up by the style in which they write. How well they phrase things, sentence styles, etc.
    • You seem to be under the impression that https is secure.

      http://blog.cryptographyengine... [cryptograp...eering.com]

    • They're not even IPv6 capable. Give these poor lazy fuckers a break.
  • Executive Order 12333
    https://www.cia.gov/about-cia/... [cia.gov]

    (forgot to refresh...)

  • Support the EFF (Score:5, Insightful)

    by OldSport ( 2677879 ) on Tuesday January 27, 2015 @02:47AM (#48911933)

    Seriously, to put it simply, these guys are the shit. I figure most Slashdotters are well aware of what the EFF does, but if you aren't, definitely check out their website, blog, etc., look at what they've done, and consider donating to support them. (FWIW, I am in no way affiliated with the EFF. I just think it's a great organization.)

    • Re:Support the EFF (Score:5, Informative)

      by Xest ( 935314 ) on Tuesday January 27, 2015 @03:27AM (#48912115)

      Agreed, but it's worth noting that they're very US-centric (and that's not a criticism, just a statement of fact) so if you're not from the US you may find your money better spent elsewhere.

      For example, in the UK, the Open Rights Group is far more relevant and helpful towards dealing with these issues in the UK than the EFF is. Presumably the options in countries like Sweden and Germany would be the much better organised respect Pirate parties there.

  • by TrollstonButterbeans ( 2914995 ) on Tuesday January 27, 2015 @02:54AM (#48911975)
    Good Luck! You'll Need It!

    And what I mean by this --- the average Joe likes to post all his stuff on Facebook. He knows his communications aren't private and he doesn't care.

    You aren't going to make him care either.

    And is this a worthy cause? Cheap/free services depend on a revenue stream from something and exploiting the user ("You are the product") is not a horrible trade-off for the wide availability of cheap/free services.

    How is a company going to support end-to-end encryption for free and still make money selling your information and metadata to third parties?

    Keep in mind that means Google too. Or are you going to come up with a plan for Google to not be able to read your emails? Because if Google can read your emails, the government can.
    • This is very true. However, WhatsApp appears to be a counter-example. They are deploying full end to end encryption and instead of ads, they just ..... charge people money, $1 per year. WhatsApp is not very big in the USA but it's huge everywhere else in the world.

      The big problem is not people sharing with Facebook or Google or whoever (as you note: who cares?) but rather the last part - sharing with a foreign corporation is currently equivalent to sharing with its government, and people tend to care about

    • by AmiMoJo ( 196126 ) *

      the average Joe likes to post all his stuff on Facebook. He knows his communications aren't private and he doesn't care.

      Not true. You should have heard the reactions when Snowden broke in the UK. There was a woman on a national TV debate programme who was upset that GCHQ had access to her Facebook profile which she had set to "private".

      It's not that people don't care, it's that they don't understand. How many people still using Skype or Yahoo webcam chat with their girl/boyfriend do you think realize that that they they flashed something was recorded and reviewed by a GCHQ officer? When people realize this, when they realize

  • by Kevin Fishburne ( 1296859 ) on Tuesday January 27, 2015 @03:23AM (#48912093) Homepage
    The problem is that while trying to survive and maintain some kind of social normalcy most people don't take an active role in shaping their local/regional/national/world topology until men in black are infiltrating their home at night and killing/disappearing them and/or raping their wife while their children watch. Complacency lies in the middle, and we're ("civilized" countries) still in the middle. The middle's that slippery slope between the crest and trough of utopia and North Korea. Hopefully the EFF will have some success before momentum takes us to that dark point where we have no choice but to answer with drastic measures. Ironically, the goal of both sides is peace and order. I suppose the difference in opinion about the road to said peace and order is what puts us at such unenviable odds.
  • SIP Replacement? (Score:5, Interesting)

    by AftanGustur ( 7715 ) on Tuesday January 27, 2015 @03:31AM (#48912125) Homepage
    One of the big pieces of the puzzle that needs to be solved is a replacement for the SIP protocol.

    Almost no one has a public IP address directly on their workstation at home and it is preventing free open source telephone to be widely adopted.

    What is needed is a telephony protocol that and can easily be proxied or tunneled and/or that does not need extra measurements for surviving NAT.

    • RedPhone is free and open source end to end encrypted telephony that works OK (not amazingly, but as well as a typical commercial VoIP app does). People authenticate each other using their voices.

      • RedPhone is only for Android although iPhone compatible version exists. But this is not what I was talking about.

        The problem is that there is no telephony system that you can use cross-platform, that is open source and the clients are easy to install and use for the average user.

        No other heavily-used protocols have this problem, FTP, HTTP, SMPT, DNS, Torrent, Cloud Storage, VPN, SSH all have cross-platform, free and open source clients that are easy to set up and use for the average user. Telephony i

    • Comment removed based on user account deletion
      • why would providers go from IPv4 to IPv6 when soon there will be a shortage of numbers

        They'll drag their feet but, eventually, there will be services that people want to use that are only available via IPv6 and then there will be little choice. (Although they'll try to proxy[1] popular IPv6 sites first)

        [1] fake 10.x.x.x dns records that they serve to their customers and then forward the traffic over IPv6

      • by tlhIngan ( 30335 )

        Would IPv6 not solve that? OTOH, why would providers go from IPv4 to IPv6 when soon there will be a shortage of numbers and they can charge (even more) extra for those who want a fixed IP with the excuse that they had with dial up.

        IPv6 will, ironically, make the situation worse.

        Because SIP assumes complete connectivity between hosts, but if you have a firewall in the way, that model breaks. And IPv6 firewalls will probably be the norm, so you'll end up with situations like the days of early NAT gaming - eve

    • by roca ( 43122 )

      WebRTC:
      * Proper open, royalty-free standard (IETF)
      * Encryption (DTLS)
      * Opus CBR mode for high resistance to traffic analysis
      * Standardized NAT traversal (ICE, STUN, TURN)
      * Supported in Chrome and Firefox, plus other products
      * Coordinate WebRTC sessions with any Web site

      • Interesting concept and without a doubt very useful.

        But there is no open source server-side yet.

  • From the summary:

    The central part of the EFF's plan is: encryption, encryption, encryption.

    Encryption everywhere is great. But as long as the majority of us remain willing to hand over everything about our personal lives to Facebook, Google, etc., then mass surveillance by either private entities or governments will remain ridiculously easy. To me, that seems like the really hard problem to solve. There is no way those companies will deny themselves access to their users' unencrypted data.

    • When they have an alternative business model to make money they might.
    • by msobkow ( 48369 )

      More to the point, there is no need to crack the communications to a client if you are in bed with the service provider and have access to their databases and logs.

      Client-server encryption is about keeping the bad guys and only the bad guys from sniffing your data. It's up to the service provider to determine how secure your data is actually going to be in light of warrants and subpoenas.

  • I will guess :
    - certificate errors that people will have to click through ten times a day
    - people lock themselves out, accidentally lose their data (lost keys, lost cellphone needed to receive an SMS)
    - interoperabiliy problems of old versions and unpatched browsers, libraries, software
    - encrypted ads and encrypted malware will infect your encrypted browser and mess with your encrypted data.
    after non-root computing and port 80 computing, meet encrypted computing, same crap one more layer down
    - bad guys will

  • by Coolfish ( 69926 ) on Tuesday January 27, 2015 @05:19AM (#48912459)

    They're absolutely right to suggest the first thing we have to do is increase widespread use of encryption technology. But the NSA and others have already said if we do that, they'll step up their game. We need to not just take our technology to the next level, we need to take our governance to the next level.

    Politicians have proven themselves to be complete failures in working for the people. Sure, some countries have more luck than others - but there's nothing to suggest that that luck won't run out. Look at even the Scandinavian countries - their agencies are working for the NSA, their politicians are playing the exact same games. We need to reform our political system to reduce the amount of fuckery to a bare minimum. How do we achieve that? Complete and total transparency is vital, but not enough. Politicians are willing to openly defraud citizens in many countries already - it's not enough to know what's going on, we have to be able to hold them to account. And that's where I think elections are a farce. We don't choose who runs. We don't choose who gets to be on the final ballot. All of that is taken care of by big money interests, and even in the off chance we do get a good person into the system, they're outnumbered 100 to 1. And then the system starts to chew them up, convince them that their ideals are worthless and principles be damned, the system needs to continue operating as it has, as it will, with no real changes. Yea, one batch of idiots might do a slightly better job on one thing or the other, but in the end, as long as we continue to feed the system, it's no wonder we get governments abusing their power.

    We need to have a government. We need to have a monopoly on violence, otherwise it gets to be dog eat dog very quickly. But a government that isn't held to complete account by the people is just another mad dog. The failures of our political systems have shown themselves clear. Institutional corruption. Control by a tiny minority. Ridiculous squabbling over issues that are settled science. Is this really the best we can do? I don't think so. Why are we still using politicians? Professional ones? We can have representatives, but I think it should be clear to anyone that a random person off the street will demonstrate as much intelligence and thought as an elected official - perhaps even more, as an elected politician has demonstrated the ability to say anything to get to that position. Why not do a sortition? Randomly selected individuals, and give them 1 year to govern. They can propose laws, but nothing passes until there's an approval vote by the citizenry. If the sortition does a good job (as judged by the people), they get a huge bonus. If they don't, they get the median wage, and the next sortition tackles the problems. How is this worse than giving a tremendous amount of power to a group of people who've constantly demonstrated themselves as a bunch of liars, power hungry, war mongering liars at that, and giving them free reign for 2, 4, 6 years?

    Absolutely, increase and improve the technology. But don't ignore the technology running our governance. It's tremendously outdated, with countless flaws and bugs that have remained unpatched for millennia. It's time for a new release of Government.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      As with any proposed solution, you forget the most important fact: human nature.
      With one year to govern, and no experience in the particular field and little or no interest to match, the new governors require background information, historical precedent, comparative analysis of existing implemented policy, summaries of related and effected fields, current data, survey results etc. etc.
      They will revert to being influenced to either a) take the easy option, b) take the corruption option or c) take the idiot o

      • by Coolfish ( 69926 )

        I'm not sure I follow your argument. You're basically saying that we need professional politicians, because if we didn't have professionals, then people wouldn't know what to do - they'd have to actually study the problem, look at the history, figure out the data, and then propose a solution. All the while knowing that even with the best intentions, stuff can and will go tits up. Yea, wow, that sounds like a terrible approach. Instead we should get people who just pretend to know the answers!

        a) The easy op

    • We need to have a monopoly on violence, otherwise it gets to be dog eat dog very quickly. But a government that isn't held to complete account by the people is just another mad dog.

      So, just curious, how do you hold the guys with a monopoly on violence to "complete account by the people"?

  • Governments will make encryption illegal (they want to do that now, if they haven't done it already) and will stop giving the companies who support this government contracts. No self-respecting company will support this.
  • When you use ROMs, firmware, operating systems and software designed by americans, with backdoors to all the three letters national agencies you can think off.
  • by brunes69 ( 86786 ) <slashdot AT keirstead DOT org> on Tuesday January 27, 2015 @07:27AM (#48912907)

    Donate

    Donate

    DONATE

    If everyone who posted a reply to this story donated to the EFF with their dollars in addition to their words, that would be pretty substantial in aggregate, and they could do some real work with those funds.

    Donate to the EFF. They have been fighting this fight for as long as I have been alive and are one of the only groups to has maintained the fight. While I have donated to them on and off over the years, I have been lax for quite awhile. I just donated to them and challenge everyone else to do the same.

    PS: And, this comes from someone not in the USA who DOES NOT get a tax break from his donation since they are not registered in my country, but who recognizes the global impact of the EFF.

  • Or better trying to hide it?
  • Actually, the constitution not only forbids spying against citizens of the USA, but against everyone:

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    Notice, it says "people" there. It's speaking of "citizen" in the context of el

    • When they use "people" in the Constitution, they mean "people subject to the laws of the US". It does NOT apply to, say, UK people in the UK, though it DOES apply to UK people in the US.

      Basically, anyplace that a search warrant by a US government agency will work, the Fourth Amendment applies. Anywhere else, not so much.

  • by jonwil ( 467024 ) on Tuesday January 27, 2015 @08:59AM (#48913449)

    Its all well and good to talk about "encryption, encryption and more encryption" and to invent new protocols to help keep stuff from the eyes of those who would try to access private information (whether they be criminals, law enforcement, intelligence agencies or otherwise) but unless you can get vendors to adopt your new technology its not going to see widespread enough use to make a difference.

    Take SSL/TLS for example. Right now when you visit a https site, your browser retrieves a certificate and checks that the certificate has been signed by a root certificate in your browser's local root trust store. There are a number of proposals out there to change this so that the public keys used for https connections are obtained in a way that doesn't rely on the broken CA model but as of yet none of those proposals have been implemented into any of the mainstream web browsers.

    Why isn't more being done to get these new security ideas into the mainstream browsers? (especially the open source ones like Chrome/Webkit/Blink/Firefox). DANE (an RFC for storing https certificates in a DNSSEC secured DNS record) has a patch for Firefox posted in 2011 that has gone nowhere and vague mentions of work for Chrome but nothing else.

    • This will be difficult because while the government has unlimited funds / budgets to bribe / coerce the vendors with, the rest of us do not.

      " We would like you to use THIS protocol as the new standard in your product. "
      " That would weaken the entire system. "
      " How does a a few million sound in exchange for your cooperation / silence / immunity ? "
      " It sounds insulting actually. "
      " Ok, how about a few HUNDRED million ? "
      " :| . . . . . Done. "

      That's pretty much how it works. Everyone has a price. Once the
  • I've pondered sortition government, but I wonder how you would reign in the power of the bureaucracy.

    As an AC said, the random citizenry isn't going to have the depth to really write good laws, so it'll probably largely fall to a bureaucracy, which might end up with all the real power. I can scarcely see that as an improvement.

    However, the sortition has the big benefits you mention:
    1) Actually representative of the people, because they ARE the people
    2) Don't arrive in office corrupt, aren't beholden to d

    • I've pondered sortition government, but I wonder how you would reign in the power of the bureaucracy.

      Rein in.

      What makes you think anyone has managed to rein in the power of the bureaucracy with current government types?

      Face it, the larger the government becomes (relative to the population/economy), the more the government is dominated by its own bureaucracy. Note by the by, that the US Government's budget is ~20% of GDP. So one dollar in every five spent in the US is spent by the government....

  • by rickb928 ( 945187 ) on Tuesday January 27, 2015 @11:24AM (#48914727) Homepage Journal

    I'm guessing Bitlocker is not useful for encrypting my data sufficiently to keep the government(s) out of it.

    And the Truecrypt substitutes are all marginally trustworthy, as well as not quite so fully functional.

    Not many good alternatives here.

Mater artium necessitas. [Necessity is the mother of invention].

Working...