Skip to main content

New technologies are radically advancing our freedoms, but they are also enabling unparalleled invasions of privacy. National and international laws have yet to catch up with the evolving need for privacy that comes with new digital technologies. Respect for individuals' autonomy, anonymous speech, and the right to free association must be balanced against legitimate concerns like law enforcement. EFF fights in the courts and Congress to maintain your privacy rights in the digital world, and works with partners around the globe to support the development of privacy-protecting technologies.

Your cell phone helps you keep in touch with friends and family, but it also makes it easier for the government to track your location.

Your Web searches about sensitive medical information might seem a secret between you and your search engine, but companies like Google are creating a treasure trove of personal information by logging your online activities, and making it potentially available to any party wielding enough cash or a subpoena.

And the next time you try to board a plane, watch out—you might be turned away after being mistakenly placed on a government watch list, or be forced to open your email in the security line.

Several governments have also chosen to use malware to engage in extra-legal spying or system sabotage for dissidents or non-citizens, all in the name of “national security.”

As privacy needs evolve, so too should our regulatory regimes. National governments must put legal checks in place to prevent abuse of state powers, and international bodies need to consider how a changing technological environment shapes security agencies’ best practices. Above all, we need to respect the rights of autonomy, anonymity, association, and expression that privacy makes possible, while also taking into account legitimate law enforcement concerns.

Read our work on privacy issues below, and join EFF to help support our efforts.

For information about the law and technology of government surveillance in the United States check out EFF's Surveillance Self-Defense project.

Privacy Highlights

Banner Graphic: 

Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud

Digital Privacy at the U.S. Border:Protecting the Data On Your Devices and In the Cloudby Sophia Cope, Amul Kalia, Seth Schoen, and Adam SchwartzDownload the report as a PDF.EXECUTIVE SUMMARYأفادت الحكومة الأمريكية أن عدد حالات تفحص المحتويات الالكترونية على الحدود قد إزداد بمقدار خمسة أضعاف خلال سنة واحدة فقط،...

NSA Spying

The US government, with assistance from major telecommunications carriers including AT&T, has engaged in massive, illegal dragnet surveillance of the domestic communications and communications records of millions of ordinary Americans since at least 2001. Since this was first reported on by the press and discovered by the public in late...

Privacy Updates

Cover Your Tracks

Introducing Cover Your Tracks!

Today, we’re pleased to announce Cover Your Tracks, the newest edition and rebranding of our historic browser fingerprinting and tracker awareness tool Panopticlick. Cover Your Tracks picks up where Panopticlick left off. Panopticlick was about letting users know that browser fingerprinting was possible; Cover Your Tracks is about giving...

the standard apple logo in silver, with a cartoonish green worm poking through it on each side

macOS 操作系統泄漏软件使用信息,苹果公司面临重要抉择

翻译:开放文化基金会 Open Culture Foundation上周,苹果公司 macOS 操作系統的用户注意到,当连上互联网要开启非苹果的应用程序时,会有长时间的延迟,甚至导致无法开启。会造成这样的状况,是因为 macOS 的安保服务试图连上苹果 OCSP(Online Certificate Status Protocol ; 在线证书状态协议) 的服务器时,因内部错误造成无法连接。在安全研究人员深入了解向 OCSP 送出的请求内容后,他们发现这些请求包含了一段散列值(hash),来自正在运作之应用程序的开发者证书,这个散列值是苹果公司用来做安全检查用的[1] 。开发者证书包含对应用程序(例如 Adob​​e 或 Tor)进行编码的个人,公司或组织描述,以至于哪些开发者制作的应用程序正在被开启使用,也同时泄露给苹果公司。 进一步来说,向 OCSP 送出的请求并不是加密的,这表示任何监听器也可能知道macOS 用户正在打开哪个应用程序以及何时打开[2],至于得以通过这种方式取得攻击能力的对象包括:任何上游服务器供应商、Akamai、托管苹果公司 OCSP 服务的ISP ; 而攻击者也可能是跟你使用同一互联网的黑客,这样说好了,例如你常去的那间咖啡厅,有攻击者跟你同时间连接到该咖啡厅 Wifi。如果想知道更多细节的说明,请看这篇文章。伴随这个隐私外泄事件而来的另一个考量是,我们无法从用戶空间应用程序(如LittleSnitch)检测或阻止此流量,就算关闭 macOS 上这个重要的安保服务会带来风险,我们也鼓励苹果公司允许拥有系统管理员(power users)权限的人,得以自行选择信任的应用程序来控制他们的网络流量从哪边寄出。苹果公司很快发布了一个新的加密版协议来确认开发者证书,在这个加密版中,他们将允许用戶自行选择是否退出安全检查,不过这些修正在明年某个时间才会真正推出。然而,开发一个新的协议并在软件内安装执行完毕并不是一夜之间可以完成的事,因此要求苹果公司马上做改变修正也是不公平。那为什么苹果公司不能简单的先将 OCSP 这个功能关掉呢?要回答这个问题,我们要先来探讨 OCSP 的开发者证书检查的实质作用是什么,它主要是要防止有害或恶意软件在 macOS 机器上运行,如果苹果侦测到有一位开发者夹带恶意软件(使用窃取来的签名金钥或恶意使用自身金钥),他们可以撤销那位开发者的证书,当 macOS 下次要开启这个应用程序时,苹果的 OCSP 服务器将会回覆该请求(透过...


Back to top

JavaScript license information