Everyone's got an opinion about Internet privacy. It's obviously an important issue that affects everyone, and even those who would try to violate everyone else's privacy want to preserve their own.
Now there's an official Internet movement to improve privacy on the Internet. As my colleague Steven J. Vaughan-Nichols explains, the new Reset the Net campaign doesn't advocate anything novel. All it does is call for wider adoption of TLS/SSL (hereafter "TLS") on the Internet, along with certain newer standards that make TLS more effective.
Nobody of consequence who needs to adopt these technologies will learn of them from this campaign, nor will the campaign give them any more reason to adopt the technologies than they already have. It's nothing but posturing of the cheapest form.
Some of the specific technologies, especially PFS (Perfect Forward Secrecy), are very good ideas: with forward secrecy the session keys come from an ephemeral key exchange, so traffic recorded today can't be decrypted later even if the server's long-term private key is stolen or subpoenaed. I join in the call for everyone with a TLS server to implement it. (There. I feel better for having said that, not that it matters at all.) But even granted the value of all these TLS technologies, Reset the Net overstates that value in at least two ways.
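Anyone taking up the PFS recommendation will want to check which of the cipher suites their server actually offers provide it, since a single static-RSA suite left in the list is enough to lose forward secrecy for any client that picks it. The following is an added example written for this column, not code from the original page or from the Reset the Net campaign. It classifies cipher suite names by key-exchange type in both OpenSSL and IANA spellings and then builds a server context restricted to forward-secret suites; the function names, the cipher string FORWARD_SECRET_ONLY and the SAMPLE_SCAN list (a constructed list of the kind a TLS scanner reports) are this example's own choices.

```python
"""Classify TLS cipher suites by whether their key exchange is ephemeral.

Added example, not part of the original column or of the Reset the Net
campaign. Function names and the hardened cipher string are assumptions of
this example, not settings the campaign prescribes.
"""
import ssl

# Leading key-exchange tokens in OpenSSL names ("ECDHE-RSA-AES128-GCM-SHA256")
# and IANA names ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"). "EDH" is OpenSSL's
# older spelling of DHE; "ADH"/"AECDH" are ephemeral but unauthenticated.
EPHEMERAL_AUTHENTICATED = {"ECDHE", "DHE", "EDH"}
EPHEMERAL_ANONYMOUS = {"ADH", "AECDH"}


def key_exchange_class(cipher_name: str) -> str:
    """Return 'ephemeral', 'anonymous' or 'static' for one cipher suite name.

    ephemeral  - authenticated (EC)DHE: recorded sessions stay confidential
                 even if the server's long-term key leaks later (PFS).
    anonymous  - ephemeral but unauthenticated DH: forward secret, but any
                 active attacker can sit in the middle.
    static     - RSA key transport or static (EC)DH: one key compromise
                 decrypts every captured session, past and future.
    """
    name = cipher_name.strip()
    if name.startswith("TLS_"):
        if "_WITH_" not in name:
            # TLS 1.3 suites (TLS_AES_256_GCM_SHA384, ...) name only the record
            # protection; their key exchange is always ephemeral (EC)DHE.
            return "ephemeral"
        # IANA-style TLS 1.2 name: key-exchange tokens sit between TLS_ and _WITH_
        tokens = name[len("TLS_"):name.index("_WITH_")].split("_")
    else:
        tokens = name.split("-")
    if tokens[0] in EPHEMERAL_AUTHENTICATED:
        return "ephemeral"
    if tokens[0] in EPHEMERAL_ANONYMOUS or "anon" in tokens:
        return "anonymous"
    return "static"


def audit_cipher_list(names):
    """Group cipher suite names (e.g. pasted from a scanner) by key-exchange class."""
    report = {"ephemeral": [], "anonymous": [], "static": []}
    for n in names:
        report[key_exchange_class(n)].append(n)
    return report


# Hardened OpenSSL cipher string chosen for this example: only authenticated
# ephemeral key exchange with AEAD record protection. TLS 1.3 suites are
# controlled separately by OpenSSL and are forward secret by construction.
FORWARD_SECRET_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"


def hardened_server_context() -> ssl.SSLContext:
    """Server context offering only forward-secret suites, TLS 1.2 and up."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(FORWARD_SECRET_ONLY)
    return ctx


def non_forward_secret_suites(ctx: ssl.SSLContext):
    """Names of suites enabled in ctx that are not authenticated-ephemeral."""
    return [c["name"] for c in ctx.get_ciphers()
            if key_exchange_class(c["name"]) != "ephemeral"]


# Constructed sample of the kind of list a server operator gets from a scanner.
SAMPLE_SCAN = [
    "ECDHE-RSA-AES128-GCM-SHA256",               # ephemeral
    "DHE-RSA-AES256-GCM-SHA384",                 # ephemeral
    "TLS_AES_256_GCM_SHA384",                    # TLS 1.3, ephemeral
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",   # IANA spelling, ephemeral
    "AES256-GCM-SHA384",                         # static RSA key transport
    "ECDH-RSA-AES128-SHA",                       # static ECDH (note: not ECDHE)
    "TLS_RSA_WITH_AES_128_CBC_SHA",              # IANA spelling, static
    "ADH-AES128-SHA",                            # anonymous DH
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",          # IANA spelling, anonymous
]

if __name__ == "__main__":
    for cls, suites in audit_cipher_list(SAMPLE_SCAN).items():
        print(f"{cls:10s} {suites}")
    print("non-PFS suites in hardened context:",
          non_forward_secret_suites(hardened_server_context()))
```

The name-based check is deliberately conservative: a suite whose key-exchange token it doesn't recognise is reported as static, so an unfamiliar entry shows up for review rather than being silently trusted. Ephemeral but anonymous suites are kept in their own bucket because they do give forward secrecy against a passive recorder while giving nothing against an active one.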
First, and the timing couldn't be more perfect to make this point, both Heartbleed and the Triple Handshake attack show that TLS is complicated enough to have exploitable flaws: Heartbleed was a memory-disclosure bug in one implementation (OpenSSL), while Triple Handshake was a flaw in the protocol design itself rather than in any one implementation. I happen to believe the NSA when they say that they didn't have or use Heartbleed, but that's not the point; the point is that TLS isn't the magic bullet that Reset the Net makes it out to be. And there's no question that the NSA has myriad ways to surveil, many of which TLS does nothing to obstruct.
The second reason is that focusing on TLS implementation is a convenient way for Reset the Net to put the onus for privacy and the blame for breaches all in the hands of the big, bad internet companies. The fact is that end users do plenty to compromise their own privacy, and these are the problems that matter in the real world. Not to defend it, but few, if any, people were actually harmed in a material way by the NSA listening in on Google's inter-data center traffic. On the other hand, people are harmed all the time by using weak passwords and reusing them across sites, by ignoring warnings from their software, by downloading executables from untrusted sites, and by numerous other practices well known to be sloppy and unwise.
It wouldn't be any fun to start a movement to take back our privacy by calling on individuals to adopt good security practices, especially since the big, bad internet companies have been doing that for years.
Those same companies also don't need self-appointed activists to tell them to protect their own traffic. They know that their business and credibility depend on protecting their customers' assets. Some of them have been better at adopting strict security measures than others, but it's worth pointing out that there are costs to adopting these technologies, and implementing them often increases the support burden as older clients that don't support the newer protocol versions or cipher suites fail to connect. Those same companies have also been litigating against the government both to expose the extent of surveillance and to be allowed to take more measures to protect their customers' data.
Of course there have been large security breaches that compromised users' privacy. Consider the user database breaches at Adobe, Forbes, Sony, Stratfor, Vodafone and all the others.
haveibeenpwned.com counts 161,851,582 compromised accounts from 20 of these breaches. But then again, there's no reason to believe that any lack of TLS had anything to do with the loss of that data. The companies involved are certainly responsible for what happened, but just as with the great Target breach, which began with stolen vendor credentials and ended with malware on point-of-sale terminals, TLS had nothing to do with it.
So join in with Reset the Net and declare yourself in favor of privacy, motherhood, and whatever else on June 5th. It's free and easy, unlike doing what you can to protect your own privacy.