EFF: Internet's security, privacy flaws need attention

Internet technology engineers face legal concerns that are still not addressed, according to many legal scholars who follow Internet services and applications.
Written by Doug Hanchard, Contributor on

The Electronic Frontier Foundation (EFF) held a one-hour round table on Internet architecture, highlighting what it believes are flawed design elements that were never designed to standards consumers can trust. Internet technology engineers face legal concerns that are still not addressed, according to many legal scholars who follow Internet services and applications.

The panel consisted of EFF Board of Directors members David Farber, Ed Felten and Lorrie Faith Cranor, along with John Buckman, current Chairman of the Board of the EFF. It was facilitated by Cindy Cohn, EFF's staff Legal Director.

Security certificate trust, or more accurately the lack of oversight over how certificates are managed when the HTTPS protocol is used, was highlighted as an area of concern that needs to be reviewed. Certificate-issuing authority should not be delegated to third parties unless the delegation is publicly disclosed. Issuers of certificates are not controlled by any one organization or body of standards. There are over 500 different providers of certificates, which all browsers support. The EFF panel maintains that 'man in the middle' interception of HTTPS is still very rampant because of the lack of oversight of certificate issuing policies and processes. Mozilla.org has a list of the certificate issuers that it supports. There are others.

Transparency of user information on social media and commerce websites is very different. What is viewed and how disclosure methods are implemented are often thought of as one and the same, which is not true. EFF's panel suggested that commerce websites understand the ethical and security concerns required. Social websites should have the same mindset but don't. One interesting suggestion is that users of social media websites should have the option of paying to maintain their privacy. Google was used as an example of where privacy was an afterthought in its design. Cindy Cohn stated that during early discussions with Google about a new library of books, the company was building the service and planned to assess and configure consumer privacy concerns and requirements after initial development was completed. Cohn argued that this is a flawed development process.

Contracts do not correlate to Terms of Service or intellectual property rights, and user patterns suggest that users often ignore copyright owners through intentional ignorance rather than a lack of understanding. EFF's panel argues that architects and designers of applications and websites do not build services from the ground up with these issues as cornerstones of their business.

Several attempts to correlate standards with the security of applications and websites have been made in the past, all of which have failed. With the Internet now exploding across broadband wireline and wireless network capabilities, the security issues will have to be addressed. White House Cybersecurity Director Howard Schmidt will have to review these concerns. There's no way to manage Internet users outside of the United States. There is the possibility of monitoring international sources of users and their habits. That may be one of the things the U.S. government will have to review as next steps in addressing security and privacy exploitation of U.S. Internet users. One of the issues with this approach is its legal implications, which the EFF did not address.

The FCC National Broadband Plan touches on some of the concerns addressed by the EFF but does not include a plan for enforcement or regulatory authority over such issues. The USITC and FTC will likely be the agencies burdened with deciding which laws the U.S. Government will adhere to on security and intellectual property as ACTA negotiations come to a close. ICANN may also be an avenue that enables neutral network policy management with respect to certificate authorities and assurance of their validity.

The EFF has some valid points and concerns. The world of software programming, coding and engineering has never been centered on consumer standards, law or privacy, except when it applies to software code. The EFF believes it is long overdue, and they may be right.
