EFF’s 2013 Holiday Wishlist
As we did last year and the year before, EFF welcomes the winter season with a new wishlist of some things we’d love to have happen for the holidays—for us and for all Internet users. These are some of the actions we’d most like to see from companies, governments, organizations, and individuals in the new year.
- Citizens, organizations, privacy officials, and governments should unite around the International Principles on the Application of Human Rights to Communications Surveillance and add their voices to declare that mass surveillance violates international human rights.
- The U.S. Congress should create a new Church Committee to find out what intelligence agencies are actually doing; since mass surveillance is a global problem, we also need parliamentary commissions of inquiry around the world to look into the same question.
- Congress should pass meaningful reform to the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act.
- The Department of Justice should notify everyone who’s been convicted of a crime using evidence derived—directly or indirectly—from warrantless surveillance programs (not just a cherry-picked handful of defendants).
- All communications companies should publish transparency reports showing the scope and nature of government requests for user information. The Internet industry, led by Google, has made this a standard for corporate transparency, but telecom companies are still totally missing in action.
- All Internet sites should adopt cryptographic best practices for every connection, every time, including PFS, STARTTLS, HSTS, and encrypted traffic between data centers.
- In 2014, every certificate authority and web browser should commit to adopting Google’s Certificate Transparency system to detect and stop the issuance of fake certificates that facilitate spying on web users.
- Companies that sell books, movies, music, or other digital media should commit to the principle that if you bought it, you own it. That means no DRM and no sneaky license agreements.
- Every wireless device should let you change its MAC address (a hardware serial number), and no new technology standards should be designed to transmit any persistent hardware serial numbers over the air or on a network. (If your device keeps sending the same hardware serial number, as Wi-Fi devices and cell phones do, among others, whoever’s at the other end or listening in can recognize you and track your location. Businesses and governments are already taking advantage of this to build massive databases of our devices.)
- Web sites should publish historical versions of their terms of service and privacy policies, with their effective dates, to help users understand what’s changed over time. At a bare minimum, companies like Facebook should stop blocking the Internet Archive from creating and displaying a historical record of their policies.
- Governments should come clean about how they’ve weakened computer and communications security, clean up the damage, and stop doing it.
- Companies entering the secure communications space (as well as those that have been there a while!) should explain exactly how secure they are and why. They should get public technical audits by experts and clearly explain how they handle classic, fundamental security challenges. They should clearly and publicly explain whether and to what extent they could be compelled to record or turn over user data or to help break users’ security (including by disclosing cryptographic keys or passwords, by issuing false digital certificates, or by modifying their software).
- The surveillance industry should take responsibility for ensuring that it’s not assisting mass surveillance and other human rights violations.