EFF's 2011 Holiday Wish List
With the winter holidays fast approaching, now is the time to make our wish lists. There are plenty of presents EFF would like to receive for the holidays — the defeat of the Internet blacklist bills SOPA and PIPA would make a great start — but here are just a few of the things that companies could do to protect digital civil liberties this season:
- AOL and Google should stop referring to the "no message logging" options in AIM and GChat as "off the record," in order to avoid confusion with OTR.
- Adium should introduce a prompt when users first create or import messaging accounts that asks users to decide whether or not they want to log their OTR chats.
- Apple, Amazon, HTC, and other makers of mobile computing devices should give customers an officially documented way to get root access on every device they sell.
- Phone carriers should either commit to giving users regular, prompt mobile OS security updates, or stop controlling the software on the user's phone, so that software developers and handset manufacturers can do it themselves.
- Facebook, Microsoft, Yahoo, Twitter, and the phone companies should follow Google's lead in regularly disclosing the number of requests they receive from government agencies.
- Skype should allow end-to-end verification of users' encryption key fingerprints. Unlike other encryption software, Skype doesn't give users any way to verify that the person on the other end of the conversation is using the right encryption key. Instead, users just have to trust that the Skype network has told the software the right key. This makes the Skype network a centralized certification authority whose actions are not transparent and whose assertions users have no way to double-check.
- Google should serve sorry.google.com over HTTPS whenever users are redirected to it from an HTTPS URL. When people searching Google over HTTPS trigger Google's bot-detectors, the page where Google sends users to prove they're human includes the users' search terms—in the clear, with no HTTPS protection, violating users' trust that these terms would be encrypted.
- All software downloads should be provided only over HTTPS. When software is downloaded over unprotected HTTP, an ISP or local network operator can tamper with it and invisibly add spyware or vulnerabilities.
- Browser vendors should improve private browsing modes to fix security problems identified by researchers, and also provide a convenient way to use Tor in private browsing modes.
- Craigslist, eBay, Amazon, Yahoo, and Bing should turn on HTTPS for ordinary use of their sites.
- Akamai should make HTTPS support a standard feature for all Akamai customers, so that web sites that rely on Akamai have an easy path to turning on HTTPS for all users.
- Social media sites should not track Internet users who load pages with embedded "Like" buttons but who don't click on the buttons.
- Google, Facebook, and Twitter should stop tracking clicks on outbound links or give users a clear, easy way to copy and paste outbound link URLs without tracking.
- Cloud backup services should urge users to pre-encrypt data before uploading it, so that the backup services can't snoop through or leak the contents of users' backups. As secure backup provider Tarsnap puts it, "[b]ackups are supposed to be a tool for mitigating damage — not a potential vulnerability to worry about!"
- Cloud backup services should prominently provide users with information about how to do this and provide easy integration with tools that make it straightforward to do so. If cloud backup services provide their own software for accessing the service, the software should include functionality to do strong client-side encryption and decryption.
- Ubuntu should ship full disk encryption options in its standard installation process.
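The Skype item above asks for end-to-end fingerprint verification. What follows is an added example, not code from EFF, Skype or OTR, showing what that check looks like when the network is not trusted to hand out keys: each party fingerprints its own public key, reads the fingerprint to the peer out of band (over the phone, in person), and the peer compares it with the key the network actually delivered. It assumes a POSIX shell with OpenSSL 1.1.1 or later on PATH; the key names, the use of RSA, and the "SHA-256 over the DER public key, in 8-character groups" fingerprint format are choices made here for illustration, not Skype's.

```shell
#!/bin/sh
# Added example (not EFF's, Skype's or OTR's code): end-to-end fingerprint
# verification, where the user, not the network, decides whether a key is right.
# Assumes OpenSSL 1.1.1+ on PATH. All keys are generated locally; nothing goes online.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Each party generates its own long-term key (RSA chosen only for portability).
gen_key() {  # $1 = output path
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Fingerprint = SHA-256 over the DER-encoded public key, printed in 8-hex-char groups
# so that it can be read aloud and compared by eye (format is an assumption here).
fingerprint() {  # $1 = private or public key path
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}' | sed 's/.\{8\}/& /g; s/ $//'
}

# The verification step the text asks for: compare the fingerprint the client
# computes from the key it was handed with the one the peer read out of band.
verify_peer() {  # $1 = key as delivered by the network, $2 = fingerprint heard out of band
  [ "$(fingerprint "$1")" = "$2" ]
}

gen_key "$WORK/alice.pem"
gen_key "$WORK/bob.pem"
gen_key "$WORK/mitm.pem"   # a key the network could substitute for Bob's

BOB_FP=$(fingerprint "$WORK/bob.pem")   # Bob reads this to Alice over the phone

# Honest network: the key handed to Alice really is Bob's.
verify_peer "$WORK/bob.pem" "$BOB_FP" && echo "peer key verified: $BOB_FP"

# Substituted key: without this check Alice would happily encrypt to the MITM,
# because the network "told the software the right key".
verify_peer "$WORK/mitm.pem" "$BOB_FP" || echo "fingerprint mismatch: delivered key is not Bob's"
```

The point is not the hash or the key type but who does the comparison: a centralized directory can only assert "this is Bob's key", whereas a fingerprint read out of band lets the two endpoints check that assertion themselves, and a substituted key fails the check no matter what the network claims.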
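For the two cloud backup items above, here is an added example (not Tarsnap's code, nor any backup service's client) of pre-encrypting data on the client before upload, so that the service stores only ciphertext it cannot read or meaningfully leak. The "upload" is simulated with a local copy, and the sample file and its contents are constructed for the example. It assumes a POSIX shell with OpenSSL 1.1.1 or later on PATH (for `openssl enc -pbkdf2`).

```shell
#!/bin/sh
# Added example (not Tarsnap's or any backup service's code): encrypt a backup
# on the client before it is handed to the service, so the service only ever
# holds ciphertext. Assumes OpenSSL 1.1.1+ on PATH; "upload" is a local copy.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample data standing in for a user's files.
printf 'account=alice\npassword=hunter2\n' > "$WORK/secrets.txt"

# The backup key lives only on the client: 32 random bytes, hex-encoded on one line
# so that "-pass file:" reads all of it.
openssl rand -hex 32 > "$WORK/backup.key"

# Client side: AES-256-CBC with a random salt and a PBKDF2-derived key.
# Only the resulting ciphertext is ever sent to the service.
encrypt_for_upload() {  # $1 = plaintext path, $2 = ciphertext output path
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$WORK/backup.key" -in "$1" -out "$2"
}

# Client side, on restore: the key never left the client, so decryption works here.
restore_from_service() {  # $1 = downloaded blob, $2 = restored path
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WORK/backup.key" -in "$1" -out "$2"
}

# What the service (or anyone who breaches it) can do with what it stores: search it.
service_can_read() {  # $1 = stored blob, $2 = string to look for; exit 0 if found
  grep -q "$2" "$1"
}

# Naive: upload the file as-is. The service can read the password.
cp "$WORK/secrets.txt" "$WORK/service_plain.bak"
service_can_read "$WORK/service_plain.bak" hunter2 && echo "plain upload: service can read the password"

# Pre-encrypted: the service stores ciphertext only.
encrypt_for_upload "$WORK/secrets.txt" "$WORK/secrets.enc"
cp "$WORK/secrets.enc" "$WORK/service_enc.bak"
service_can_read "$WORK/service_enc.bak" hunter2 || echo "encrypted upload: service sees only ciphertext"

# The client, holding the key, still gets its data back byte for byte.
restore_from_service "$WORK/service_enc.bak" "$WORK/restored.txt"
cmp -s "$WORK/secrets.txt" "$WORK/restored.txt" && echo "restore matches original"
```

Two caveats a practitioner should add before relying on this pattern: `openssl enc` provides confidentiality but no integrity check (CBC with no authentication tag), so a real backup tool should also authenticate the ciphertext, and losing the client-side key means losing the backup, so the key needs its own offline copy. Both are problems the user now owns instead of the service, which is exactly the trade the wish list item is asking for.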