Copyright used to be a pretty specialized area of law, one that didn’t seem to affect the lives of most people. But with the proliferation of digital technologies and the Internet, a funny thing happened: copyright policy became speech policy, and it started to show up in all sorts of unexpected and unwelcome places.
It’s no longer the case that copyright is only a concern if you run the kind of company that has its own theme parks. Instead, copyright policy can have an effect on any user posting to her favorite sites, sharing videos she’s captured or photos she’s taken. It can affect your basic freedom to tinker, make, and repair your stuff. And it gives content owners, and governments, a powerful censorship tool, with far too little oversight.
EFF’s 2013 Holiday Wishlist
As we did last year and the year before, EFF welcomes the winter season with a new wishlist of some things we’d love to have happen for the holidays—for us and for all Internet users. These are some of the actions we’d most like to see from companies, governments, organizations, and individuals in the new year.
- Citizens, organizations, privacy officials, and governments should unite around the International Principles on the Application of Human Rights to Communications Surveillance and add their voices to declare that mass surveillance violates international human rights.
- The U.S. Congress should create a new Church Committee to find out what intelligence agencies are actually doing; since mass surveillance is a global problem, we also need parliamentary commissions of inquiry around the world to look into the same question.
- Congress should pass meaningful reform to the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act.
- The Department of Justice should notify everyone who’s been convicted of a crime using evidence derived—directly or indirectly—from warrantless surveillance programs (not just a cherry-picked handful of defendants).
- All communications companies should publish transparency reports showing the scope and nature of government requests for user information. The Internet industry, led by Google, has made this a standard for corporate transparency, but telecom companies are still totally missing in action.
- All Internet sites should adopt cryptographic best practices for every connection, every time, including PFS, STARTTLS, HSTS, and encrypted traffic between data centers.
- In 2014, every certificate authority and web browser should commit to adopt Google’s Certificate Transparency system to detect and stop the issuance of fake certificates that facilitate spying on web users.
- Companies that sell books, movies, music, or other digital media should commit to the principle that if you bought it, you own it. That means no DRM and no sneaky license agreements.
- Every wireless device should let you change its MAC address (a hardware serial number), and no new technology standards should be designed to transmit any persistent hardware serial numbers over the air or on a network. (If your device keeps sending the same hardware serial number, like wifi devices and cell phones, among others, whoever’s at the other end or listening in can recognize you and track your location. Businesses and governments are already taking advantage of this to build massive databases of our devices.)
- Web sites should publish historical versions of their terms of service and privacy policies, with their effective dates, to help users understand what’s changed over time. At a bare minimum, companies like Facebook should stop blocking the Internet Archive from creating and displaying a historical record of their policies.
- Governments should come clean about how they’ve weakened computer and communications security, clean up the damage, and stop doing it.
- Companies entering the secure communications space (as well as those that have been there a while!) should explain exactly how secure they are and why. They should get public technical audits by experts and clearly explain how they handle classic, fundamental security challenges. They should clearly and publicly explain whether and to what extent they could be compelled to record or turn over user data or to help break users’ security (including by disclosing cryptographic keys or passwords, by issuing false digital certificates, or by modifying their software).
- The surveillance industry should take responsibility for ensuring that it’s not assisting mass surveillance and other human rights violations.
[First, the bad news], if you’re being personally targeted by a powerful intelligence agency like the NSA, it’s very, very difficult to defend yourself. The good news, if you can call it that, is that much of what the NSA is doing is mass surveillance on everybody. With a few small steps, you can make that kind of surveillance a lot more difficult and expensive, both against you individually, and more generally against everyone.
Here are ten steps you can take to make your own devices secure. This isn’t a complete list, and it won’t make you completely safe from spying.
- Use end-to-end encryption. We know the NSA has been working to undermine encryption, but experts like Bruce Schneier who have seen the NSA documents feel that encryption is still “your friend”. And your best friends remain open source systems that don’t share your secret key with others, are open to examination by security experts, and encrypt data all the way from one end of a conversation to the other: from your device to the person you’re chatting with. The easiest tool that achieves this end-to-end encryption is off-the-record (OTR) messaging, which gives instant messaging clients end-to-end encryption capabilities (and you can use it over existing services, such as Google Hangout and Facebook chat). Install it on your own computers, and get your friends to install it too. When you’ve done that, look into PGP–it’s tricky to use, but used well it’ll stop your email from being an open book to snoopers. (OTR isn’t the same as Google Chat’s option to “Go off the record”; you’ll need extra software to get end-to-end encryption.)
- Encrypt as much communications as you can. Even if you can’t do end-to-end, you can still encrypt a lot of your Internet traffic. If you use EFF’s HTTPS Everywhere browser addon for Chrome or Firefox, you can maximise the amount of web data you protect by forcing websites to encrypt webpages whenever possible. Use a virtual private network (VPN) when you’re on a network you don’t trust, like a cybercafe.
- Encrypt your hard drive. The latest version of Windows, Macs, iOS and Android all have ways to encrypt your local storage. Turn it on. Without it, anyone with a few minutes physical access to your computer, tablet or smartphone can copy its contents, even if they don’t have your password.
- Strong passwords, kept safe. Passwords these days have to be ridiculously long to be safe against crackers. That includes the password to email accounts, and passwords to unlock devices, and passwords to web services. If it’s bad to re-use passwords, and bad to use short passwords, how can you remember them all? Use a password manager. Even write down your passwords and keeping them in your wallet is safer than re-using the same short memorable password — at least you’ll know when your wallet is stolen. You can create a memorable strong master password using a random word system like that described at diceware.com.
- Use Tor. “Tor Stinks”, this slide leaked from GCHQ says. That shows much the intelligence services are worried about it. Tor is an the open source program that protects your anonymity online by shuffling your data through a global network of volunteer servers. If you install and use Tor, you can hide your origins from corporate and mass surveillance. You’ll also be showing that Tor is used by everyone, not just the “terrorists” that GCHQ claims.
- Turn on two-factor (or two-step) authentication. Google and Gmail has it; Twitter has it; Dropbox has it. Two factor authentication, where you type a password and a regularly changed confirmation number, helps protect you from attacks on web and cloud services. When available, turn it on for the services you use. If it’s not available, tell the company you want it.
- Don’t click on attachments. The easiest ways to get intrusive malware onto your computer is through your email, or through compromised websites. Browsers are getting better at protecting you from the worst of the web, but files sent by email or downloaded from the Net can still take complete control of your computer. Get your friends to send you information in text; when they send you a file, double-check it’s really from them.
- Keep software updated, and use anti-virus software. The NSA may be attempting to compromise Internet companies (and we’re still waiting to see whether anti-virus companies deliberately ignore government malware), but on the balance, it’s still better to have the companies trying to fix your software than have attackers be able to exploit old bugs.
- Keep extra secret information extra secure. Think about the data you have, and take extra steps to encrypt and conceal your most private data. You can use TrueCrypt to separately encrypt a USB flash drive. You might even want to keep your most private data on a cheap netbook, kept offline and only used for the purposes of reading or editing documents.
- Be an ally. If you understand and care enough to have read this far, we need your help. To really challenge the surveillance state, you need to teach others what you’ve learned, and explain to them why it’s important. Install OTR, Tor and other software for worried colleagues, and teach your friends how to use them. Explain to them the impact of the NSA revelations. Ask them to sign up to Stop Watching Us and other campaigns against bulk spying. Run a Tor node, or hold a cryptoparty. They need to stop watching us; and we need to start making it much harder for them to get away with it.
Find out which companies protect your data from the government. Read the EFF’s Who Has Your Back report for 2013.