Privacy on the internet is hard to come by. We can argue over exactly how much information the National Security Agency (NSA) is gathering on each and every one of us, but no one questions that the NSA is doing a fine job of spying on us. A new alliance of privacy groups and technology and media companies, led by Fight for the Future, wants to put a stop to this by using already existing Internet privacy technologies with a popular movement they've named Reset the Net.
Fight for the Future is a non-profit group that's "dedicated to expanding the Internet's transformative power for good. Our goal: To build a grassroots movement to ensure that everyone can access the Internet’s many resources affordably, free of interference or censorship and with full privacy. Our vision: A world where everyone can enjoy the basic freedom to express, create, and connect online."
The other groups behind Reset the Net include Demand Progress, Reddit, the Libertarian Party, and the Free Software Foundation. According to them, governments are turning the Internet into a virtual prison. But, while the NSA and its allies, such as the UK's Government Communications Headquarters (GCHQ), think they can hack anybody, "...they can't hack everybody. Folks like the NSA depend on collecting insecure data from tapped fiber. They depend on our mistakes -- mistakes we can fix."
That last statement may or may not be true. While it seems, for example, that the NSA did not pick up on the OpenSSL Heartbleed security vulnerability, there's little doubt that the NSA has other ways to break Secure Sockets Layer (SSL) encryption.
Be that as it may, the group is urging all web site owners to start adopting SSL to protect users from surveillance. This is far from a new idea. The Electronic Frontier Foundation (EFF) has been encouraging Web sites and users to adopt SSL for years. In 2010, the EFF released HTTPS Everywhere. This is a browser extension that forces popular Web sites to connect to you, if possible, with SSL, Transport Layer Security (TLS), or TLS/SSL over HTTP (HTTPS).
Specifically, Reset the Net wants web users and developers to use SSL, TLS, and HTTPS. In addition, they want everyone to adopt the less well-supported HTTP Strict Transport Security (HSTS), a web security policy tool, which forces HTTPS connections, and Perfect Forward Secrecy (PFS), a public key encryption program. The EFF claims that if sites used PFS, even security holes as bad as Heartbleed wouldn't leave users' private messages vulnerable to attacks.
"HTTPS, HSTS, and PFS are powerful tools that make mass spying much more difficult," the groups said on their site. "Until web sites use them, we're sunk: agencies like the NSA can spy on everything. Once they're ubiquitous, mass surveillance is much harder and more precarious — even if you're the NSA."
Aye, there's the rub: while HTTPS is quite commonly supported, neither of the other two is. For example, while Chrome, Firefox, Opera, and Safari support HSTS, Internet Explorer still doesn't. This has led the EFF to claim that this "means that there's basically no such thing as a secure website in IE."
Still, the group is encouraging everyone to adopt these technologies as soon as possible. And, to make sure the non-technical public gets the point, they want everyone on June 5th, the anniversary of Edward Snowden's first NSA revelations receiving press attention, to post "Don't ask for your privacy. Take it back. Today we #ResetTheNet to stop mass spying. Encrypt everything! Learn how: http://thndr.it/1euOUIl" on all social networks.
Reset the Net sounds like a grand idea. How much practical difference it will make remains to be seen.
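For site owners who want to check where they stand on the three items above, the following is an added example (not code from Reset the Net, the EFF, or the original article). It audits one HTTPS response for an HSTS policy and for a forward-secret key exchange, which in TLS means an ephemeral (EC)DHE handshake. The function names, the one-year `max-age` threshold, and the sample inputs in the test are assumptions made for illustration.

```python
import re

# Assumption: treat anything under one year as a short HSTS lifetime.
MIN_MAX_AGE = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"[0-9]+", arg):
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def has_forward_secrecy(tls_version, cipher_name):
    """True when the negotiated key exchange is ephemeral.

    TLS 1.3 full handshakes always use ephemeral (EC)DHE. For older
    versions the suite name must start with ECDHE/DHE/EDH (OpenSSL or
    IANA naming); plain RSA and static (EC)DH suites do not qualify.
    """
    if tls_version == "TLSv1.3":
        return True
    return bool(re.match(r"^(TLS_)?(ECDHE|DHE|EDH)[-_]", cipher_name))

def audit(scheme, headers, tls_version, cipher_name):
    """Return a list of findings for one response; empty means all checks pass."""
    if scheme != "https":
        # Browsers ignore HSTS headers delivered over plain HTTP.
        return ["not served over HTTPS"]
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS header")
    else:
        max_age = parse_hsts(hsts)["max_age"]
        if max_age is None:
            findings.append("HSTS header has no valid max-age")
        elif max_age < MIN_MAX_AGE:
            findings.append("HSTS max-age is short: %d" % max_age)
    if not has_forward_secrecy(tls_version, cipher_name):
        findings.append("cipher suite lacks forward secrecy")
    return findings
```

The protocol version and cipher name passed to `audit` are what Python's `ssl.SSLSocket.version()` and `ssl.SSLSocket.cipher()` report for a live connection.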