
EFF’s Game Plan for Ending Global Mass Surveillance - CapitalistCartr
https://www.eff.org/deeplinks/2015/01/effs-game-plan-ending-global-mass-surveillance
======
Alupis
The tl;dr; game plan:

1\. Pressure technology companies to harden their systems against NSA
surveillance

2\. Create a global movement that encourages user-side encryption

3\. Encourage the creation of secure communication tools that are easier to
use

4\. Reform Executive Order 12333

5\. Develop guiding legal principles around surveillance and privacy with the
help of scholars and legal experts worldwide

6\. Cultivate partners worldwide who can champion surveillance reform on the
local level, and offer them support and promotion

7\. Stop NSA overreach through impact litigation and new U.S. laws

8\. Bring transparency to surveillance laws and practices

~~

Addendum: Laws & Presidential Orders We Need to Change

* Section 215 of the Patriot Act, Known as the "Business Records" Section

* Section 702 of the FISA Amendments Act

* Executive Order 12333

* The Funding Hack

~~~

Related cases:

Smith v. Obama [1]

Jewel v. NSA [2]

First Unitarian Church of Los Angeles v. NSA [3]

[1] [https://www.eff.org/cases/smith-v-obama](https://www.eff.org/cases/smith-v-obama)

[2] [https://www.eff.org/cases/jewel](https://www.eff.org/cases/jewel)

[3] [https://www.eff.org/cases/first-unitarian-church-los-angeles...](https://www.eff.org/cases/first-unitarian-church-los-angeles-v-nsa)

~~~
tacojuan
>2\. Create a global movement that encourages user-side encryption

I can't even get my close friends/family to install something as simple as
textsecure. :(

~~~
anopows
As far as I know WhatsApp has implemented TextSecure

~~~
tacojuan
Oddly enough nobody knew what WhatsApp was when I asked them.

They all just use Snapchat or the built in SMS application.

~~~
CalRobert
I get about one SMS a month (usually from an old person or an automated
system). Whatsapp has pretty much _completely_ replaced SMS here in Europe.

~~~
mlok
Sorry but my experience is the opposite. Here in France most mobile phone
contracts give you unlimited sms + mms. I never felt the need for whatsapp
personally, neither do I know anyone using it. (but Viber over wifi is often
used by people traveling/working abroad)

~~~
CalRobert
No need to be sorry, data > anecdotes. I use Whatsapp with a group of 20
friends to organize nights out and basically use it as a long-running IRC
room. We also have different groups for movies, board games, etc. It's the
group functionality that makes it better than SMS.

------
tptacek
An organized, carefully executed plan to thwart global surveillance is a good
thing. But EFF laid its plan out, and critiques of that plan are fair game.

So: our industry has largely Google to thank for:

* The development and deployment of TLS forward secrecy, a technology that has very little operational importance to big companies but that is critically important for increasing the cost of NSA surveillance.

* The development and adoption of strong, modern elliptic curve cryptography in browsers (the Curve25519 CFRG recommendation has Adam Langley's name on it).

* TLS certificate pinning, which Google pioneered in Chrome, which not only drastically reduces browser susceptibility to CA-based attacks on TLS but also transforms the Firefox and Chrome installed base into a worldwide anti-spoofing surveillance system.

* EndToEnd, the Chrome Javascript implementation of PGP, the team for which includes Thai Duong, of BEAST, CRIME, and POODLE fame, who Google was smart enough to snap up.

* Years and years of the Chrome sandbox and runtime hardening, which has significantly driven up the cost of viable browser clientsides, which are probably the most important software security weapon in NSA's arsenal.

* Years and years and years of Chrome browser security work from people like Michal Zalewski --- see things like "Notes On A Post-XSS World" for a taste of the security ideas that will be banal and commonplace 10 years from now but that people will forget Google funded.

* One of the industry's best organized large-scale fuzzing and bughunting operations, shaking out hundreds and hundreds of bugs in things like video and image codecs.

I think that first section in this plan could have been written more
carefully. I do not see how it could have been written carefully and retain
the sense of urgency that the rest of the document has. And that bothers and
worries me.

Hey: on the other hand, maybe Google is just as happy with it as EFF is. After
all, if they're setting a high bar for themselves, all the better if a bunch
of other companies are required to clear that same bar. I know a fair bit
about the technical work Google is doing, but virtually nothing about EFF's
motives for phrasing things the way they do.

~~~
dmix
Yep, Google had the foresight to hire the best security people and it's paid
off for them and the community.

Another example: privacy activists were saying we should all move to Firefox
after the Snowden leaks but ignore how Chrome is very far ahead of Firefox in
terms of security and exploit mitigation. So agreed, we shouldn't entirely
dismiss Google.

Although I think the centralization and incentive structure that has been a
result of Gmail/Google and the ad-based software economy are the big reason
why the NSA is so powerful regardless of crypto/tech-breaking capabilities.

All they need is a warrant - handed out via secret courts - and they get
everything on any person's life, from anywhere in the world. This results in
a greater risk over IMO, but Google is not entirely to blame for that.

~~~
higherpurpose
These days people seem quick to defend Google's ad-tracking "because otherwise
how would they make their money?!".

But I think Google only started doing cross-site ad-tracking a few years ago,
and it only got serious about it when it "unified" its Privacy Policy 2-3
years ago. That was so they can track a single "persona" across all of its
services. It wasn't to give you Google Now (or at least not the main reason).

So maybe we have 5 years at most of seriously intrusive ad-tracking. I think
Google was doing pretty well financially before that, too.

I don't mind contextual tracking on the site, so they can show me ads based on
what I'm reading on that page then. I don't find that particularly intrusive,
although I could see how NSA can use that as well.

However, the part about tracking you _everywhere_ and then combining that
"anonymized" (but not really) data to create a "profile" (or dossier, if you
will) of you is what's really creepy.

Google is pretty good at security, but pretty bad at privacy, and sometimes
the two conflict quite directly, making the first worse for it - see no end-
to-end encryption in Hangouts, yet Facebook's Whatsapp (supposedly) has it.

~~~
contingencies
_Google is pretty good at security, but pretty bad at privacy_.

Yeah. It's almost like the direct opposite of Assange's "privacy for the weak
and transparency for the powerful". Just sayin'.

------
fidotron
All this ignores the contradiction between the privacy invasion business model
and privacy needs. As long as you have major tech companies (most obviously
Facebook and Google) reliant on being able to read the communication of their
users then you're going to by consequence enable an NSA or similar to
intercept all the messages.

There isn't a legislative answer to this problem, yet there are theoretical
technical answers, but these do not fit with the business models in use today.
To fix the problem the market dynamics will have to change.

~~~
StavrosK
It's not just the "privacy invasion business model" (which sounds a bit
tinfoil-haty), it's the fact that protecting privacy is _really_ hard. I work
for Silent Circle, and the MO is to store the absolute minimum data possible,
which makes it hard to use services most companies take for granted, such as
analytics, error reporting, error logs, etc.

Doing your job is really hard when you can't use things like analytics
services, or detailed logging, or proper feedback. Everything has to be open
source, self-hosted and some things other businesses can easily use are just
flat-out impossible to do. Any business that does something you want but that
requires that data be sent to it will just not be used.

Few companies that don't explicitly have the word "private" in the description
of their core product will be very inclined to jump through all these
expensive hoops. Hopefully changing the legal situation so the NSA can't just
jump in and grab whatever it wants will help this a lot.

~~~
api
Like everything else in security, there's a clear cost/benefit curve. It's
actually dubious to make a distinction -- privacy is a form of security and
its absence is a lack of security.

To get what I call _hard_ privacy online, you must use full isolation and
onion routing. There is no other way as far as I know. But we could go a long
way toward making mass surveillance harder, less accurate, and more expensive
by just deploying encryption, low or zero knowledge services, and by educating
users to change their buying habits to favor more secure products. It would
still be possible for a determined well-funded attacker to track you when
using these tools, but it would raise the bar and that's a start.

------
lazyjones
I support the EFF, but this will not help our biggest (technical) problem: we
no longer own our devices and need to make uncomfortable choices to get them
back - i.e. to stop using proprietary operating systems and (black-box)
hardware. RMS was never as unreasonable as he seemed, he only thought things
through completely and arrived at the right conclusions.

------
AndrewGaspar
Remember you can donate to the EFF at:
[https://supporters.eff.org/donate](https://supporters.eff.org/donate)

~~~
lalos
Also EFF is available on [http://smile.amazon.com](http://smile.amazon.com)
and almost every purchase you make they will receive like 0.5% as long as you
make it through the smile subdomain.

~~~
malnourish
Is there an extension (for either FF or Chromium) that automatically converts
`amazon.com` -> `smile.amazon.com`?

~~~
lalos
I don't use them but I've seen them before
[https://chrome.google.com/webstore/detail/smile-always/jgpmh...](https://chrome.google.com/webstore/detail/smile-always/jgpmhnmjbhgkhpbgelalfpplebgfjmbf?hl=en)

[https://chrome.google.com/webstore/detail/amazonsmile-1butto...](https://chrome.google.com/webstore/detail/amazonsmile-1button-for-c/hdgenjhkjihnmigcommchefpajjhdmba?hl=en-US)

~~~
malnourish
Ah! Thank you.

------
p01926
I'd like to suggest another tool for fighting mass surveillance: mass
chaffing. Most of the time our internet connections are idle. And when they
aren't, we very rarely use all our bandwidth. What if, instead, we each used a
small amount of our resources to crawl the web. We could easily generate 1,000
to 10,000 chaff requests for every genuine one — completely drowning out any
signals from our browsing behaviour. This is particularly nice because it
highlights the stupidity of trying to find a few needles by searching every
haystack in the world. Let's all make hay.

~~~
rosser
At first thought, chaffing seems like a pretty good idea, but isn't it
vulnerable to analysis? By which I mean, if the spooks can demonstrate (based
on tracking identifiable markers in your cookies or some other means) that
you're at your office, shouldn't they be able to effectively ignore any
traffic from your home internet connection?

Maybe if we were all running Tor exit nodes or something, but naïve chaffing
sounds pretty ... well, naïve.

~~~
p01926
Obviously this "chaff bot" will need to copy your user agent string and
tracking cookies. It'd also need to behave exactly like a web browser in every
way that can be detected. But is chaffing itself a good idea?

~~~
chippy
mixing the chaff from other users (somehow) would be even better. I seem to
recall an early experiment that did this.

------
jimktrains2
As software developers, we can help by building easier-to-use frontends. For
instance, GPG is a great program, but the front end is lacking a bit the last
time I used it.

We can also build systems designed from the beginning to think about users'
privacy and data security.

~~~
api
Last I checked there isn't even a good UI to perform _simple file encryption_
on most OSes. It's awful. There are huge holes in the market. I would pay for
that.

~~~
jbob2000
That's because simple file encryption is really hard, and when it works well,
you don't even notice that it's working. Encryption is completely invisible to
common people. It's not like locking your money in a safe, where you can feel
the heaviness of the door and hear the clank of the lock.

~~~
api
"It's not like locking your money in a safe, where you can feel the heaviness
of the door and hear the clank of the lock."

I think the perfect is being the enemy of the good here.

Personally I would pay for a really good UI for doing that -- just encrypting
files so I can stash them safely in cloud storage or transfer really sensitive
stuff. I'd love to be able to right-click and encrypt/decrypt with a GPG
public key or symmetric passphrase.

I have full disk encryption, but that's very coarse-grained. Unlock the
machine and it's defeated. My hack right now is to use encrypted OS X
.sparseimage files, but that's OS-specific and clunky. I also have these
scripts:

[https://raw.githubusercontent.com/zerotier/ZeroTierOne/maste...](https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/attic/encrypt)

[https://raw.githubusercontent.com/zerotier/ZeroTierOne/maste...](https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/attic/decrypt)

They kind of suck but do the job in a platform-independent way. They could be
made slightly better by trying to secure-erase the original source file, etc.,
but they work.

The other problem with invisible omnipresent encryption is that it lacks a
quality that I call "situational awareness." I _like_ knowing that something
has in fact been encrypted. Seeing a file extension change, like gzipping a
file, tells me that yes in fact something has happened.

A classic example I use of poor situational awareness in security is IPSec
encryption setup between two boxes. The only way I know of to verify that the
traffic is actually encrypted is to tcpdump the raw interface and look. The
(piss-poor) IPSec tools do not _really_ tell you this in a non-confusing
straightforward way.
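
The tcpdump check described in the comment above, done on captured packets instead of by eye. This is an added example, not code from the thread or from any IPsec tool: it labels raw IPv4 packets between two tunnel endpoints by IP protocol number and counts those that bypassed ESP. The addresses, sample packets and function names are constructed for illustration.

```python
import socket
import struct
from collections import Counter

ESP, AH, TCP, UDP = 50, 51, 6, 17   # IANA IP protocol numbers
IKE_PORT, NAT_T_PORT = 500, 4500    # IKE, and UDP-encapsulated ESP (RFC 3948)


def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet by how IPsec is (or is not) protecting it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == ESP:
        # ESP-wrapped; encrypted unless the SA negotiated NULL encryption.
        return "esp"
    if proto == AH:
        # AH authenticates only: the payload is still readable on the wire.
        return "ah-only"
    if proto == UDP and len(packet) >= ihl + 8:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        body = packet[ihl + 8:]
        if IKE_PORT in (sport, dport):
            return "ike"
        if NAT_T_PORT in (sport, dport):
            if body == b"\xff":
                return "nat-keepalive"
            # Four zero bytes are the non-ESP marker: IKE sharing port 4500.
            return "ike" if body[:4] == b"\x00" * 4 else "esp-in-udp"
    return "cleartext"


def audit(packets, peer_a: str, peer_b: str) -> Counter:
    """Count packet classes for traffic exchanged between the two endpoints."""
    pair = {socket.inet_aton(peer_a), socket.inet_aton(peer_b)}
    seen = Counter()
    for p in packets:
        if len(p) >= 20 and {p[12:16], p[16:20]} == pair:
            seen[classify(p)] += 1
    return seen


def leaks(report: Counter) -> int:
    """Packets between the peers whose payload was not ESP-wrapped."""
    return report["cleartext"] + report["ah-only"]


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (constructed sample; checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def udp(sport: int, dport: int, body: bytes) -> bytes:
    """Build a UDP header plus body (constructed sample; checksum left at 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


# Constructed capture: documentation addresses, made-up SPIs and payloads.
PEER_A, PEER_B, OTHER = "192.0.2.10", "192.0.2.20", "198.51.100.7"
HTTP = b"\x00" * 20 + b"GET / HTTP/1.1\r\n"
SAMPLE = [
    ipv4(PEER_A, PEER_B, ESP, bytes.fromhex("c0ffee0100000001") + b"\x9a" * 32),
    ipv4(PEER_B, PEER_A, ESP, bytes.fromhex("c0ffee0200000001") + b"\x5c" * 32),
    ipv4(PEER_A, PEER_B, UDP, udp(500, 500, b"\x11" * 28)),
    ipv4(PEER_A, PEER_B, UDP, udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
    ipv4(PEER_B, PEER_A, UDP,
         udp(4500, 4500, bytes.fromhex("c0ffee02") + b"\x5c" * 32)),
    ipv4(PEER_A, PEER_B, AH, b"\x06\x04\x00\x00" + b"\x00" * 20 + HTTP),
    ipv4(PEER_A, PEER_B, TCP, HTTP),      # traffic the IPsec policy missed
    ipv4(PEER_A, OTHER, TCP, HTTP),       # unrelated host, ignored by audit()
]

if __name__ == "__main__":
    report = audit(SAMPLE, PEER_A, PEER_B)
    for label, count in sorted(report.items()):
        print(f"{label:14} {count}")
    print("packets outside ESP:", leaks(report))
```

To run it against a real capture, feed `audit()` the layer-3 bytes of each packet from a pcap reader of your choice; the link-layer header has to be stripped first.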

------
fit2rule
I've always thought that the problem with the NSA behemoth is not so much that
it's collecting everything, on everyone, but that it's the only one allowed to
do anything with it.

I don't think the solution is privacy. I think the solution is to make the
NSA's databank available to everyone. This is just as impossible a goal, I
know, as getting rid of the NSA in the first place - but hear me out.

Just imagine what sort of world we would be living in if everything the NSA
has been collecting and storing about our modern civilization for the last 15
years was _available for anyone and everyone to access_. I'd be perfectly okay
with harvesting all data, everywhere, on everyone - _if everyone had access to
it_ , freely and without secrecy.

I think, were this the case, people would be a lot more careful - and more
importantly, aware - about the things they do and say online. The _only_
reason this whole thing is so damaging is that it's shrouded in total secrecy -
I have no idea what sort of 'bad data' is in the database about me, or those
around me - were I able to access this data, it wouldn't have as much of a
negative effect on me, personally. I could correct it, get it removed, and so
on.

Teaching encryption is one thing. Teaching the value of open and honest
communication is another thing entirely. Somehow, the solution to the problem
of having masters and overlords who have immense power over me, is for me to
have some of that power myself. If this were true for everyone - and not just
an elite class of humans who have decided to rule humanity through secrecy and
domination - then I think the problem would be a lot less relevant. I know as
an artist, I'd sure love to be able to broadcast my art far and wide; it seems
the NSA would be a perfect platform for that. Kind of like what the Internet
was originally promised to be/do, before it became the playground of the
corporate elite ..

~~~
thawkins
But it's not just about "open and honest" communication, it's about them also
tracking behaviour, who gets to judge what is "open and honest" behaviour. Do
you want somebody trawling through your search and browsing history?

~~~
fit2rule
As long as I know who is doing it, and where, I've got no problem with that -
because then I can do something about it, like track the person down and ask
them why they're doing it.

But of course it's not as simple as that - of course there are still nefarious
no-good types out there who would use this information to their advantage -
and that's exactly the problem we have with the secrecy. If I knew who was
tracking me, because their activity is also open and available for scrutiny,
it makes it a lot easier to do something effective in the circumstance that I
disagree with their doing so; it may also help me find others who are
interested in the same things as me. It's a two-edged sword.

------
ingler
> "U.S. law and the Constitution protect American citizens and legal residents
> from warrantless surveillance. That means we have a very strong legal case
> to challenge mass surveillance conducted domestically or that sweeps in
> Americans’ communications."

\-----

The EFF is living in fantasy land. The NSA has never considered itself bound
to law because it's not a creature of statutory law but came into existence by
decree.

> "no existing statutes control, limit, or define the signals intelligence
> activities of the NSA.”

> Roy Banner, counsel for the NSA, 1976 [0]

[0]
[https://www.fas.org/irp/agency/army/mipb/2012_04-owen.pdf](https://www.fas.org/irp/agency/army/mipb/2012_04-owen.pdf)

~~~
gnopgnip
This quote is out of context. The NSA deals with foreign intelligence.
Generally speaking, only US citizens are protected under US law.

~~~
ingler
Look at the Project SHAMROCK section after the quote at fas.org. US citizens
haven't been protected by law for decades vis a vis SIGINT.

------
chatmasta
As long as you can surveil one person, you can surveil seven billion people.
Computers automate processes. As processes digitize, they become automated.
The NSA digitized their surveillance process, and automated it. At that point,
they could surveil one person via software, so why not scale it?

Should we accept mass surveillance, like nuclear weapons, as inevitable? If
so, it should follow that we should adopt a "mutually assured destruction"
inspired doctrine, whereby multiple countries agree on the limits of
surveillance. Perhaps the world would be more comfortable if constantly
surveilled, but wholly informed. Who has my data? What have they done with it?
Can I see it?

Or maybe, everybody should be able to surveil everybody. True openness, and
therefore predictable accountability.

~~~
pfraze
good thoughts, i'd like to offer my counters

> Should we accept mass surveillance, like nuclear weapons, as inevitable? If
> so, it should follow that we should adopt a "mutually assured destruction"
> inspired doctrine, whereby multiple countries agree on the limits of
> surveillance.

it may be, but the MAD analogy doesn't hold up because nuclear weapons have
immediate and distinct effects. surveillance is hard to witness and hard to
measure. MAD also uses the threat of nuclear use to keep other parties in
check, while surveillance uses, what, the guarantee of use? it doesn't match
up.

> Perhaps the world would be more comfortable if constantly surveilled, but
> wholly informed. Who has my data? What have they done with it? Can I see it?

i don't see that as particularly feasible

> Or maybe, everybody should be able to surveil everybody. True openness, and
> therefore predictable accountability.

perhaps we may move toward enlightenment about one another's secrets someday,
but i'm personally skeptical of that path as a solution to surveillance.

secrets act as a stabilizing force. keeping something unpleasant can keep
people in harmony. if the shock of reveal is great enough, it can break down
relationships and the institutions they form, and i wouldn't want to risk
doing that en masse. uncovering the unpleasant truths make us stronger, but we
have to recognize that it's a process, and not all wounds should be opened at
once.

but that's not wholly relevant anyway, because there wouldn't be a perfect
symmetrical reveal of information. it would be a gradual and asymmetric
reveal, which means that the holders of the information could use it to their
advantage. you'd end up with a class of people who hold the secrets that could
manipulate the other classes. it's not a pretty idea for believers in
equitable society.

------
romanixromanix
Most people just don't care or gave up caring. It's too cumbersome to
seriously protect privacy. If friends use Whatsapp and they have my address in
their phone's address book, Facebook knows it. Same with photos. And as long
as NSA has access to all Google and Facebook data, it's efficient for them.

Two interesting projects to mitigate this: Terms of Service; Didn't Read:
[https://tosdr.org/](https://tosdr.org/)

Maidsafe (Distributed encrypted Internet)
[https://www.youtube.com/watch?v=RdGH40oUVDY#t=71](https://www.youtube.com/watch?v=RdGH40oUVDY#t=71)

------
ck2
We can't even get torture officially condemned and prosecuted, no way in hell
the government is going to stop surveillance.

EFF against the government is like a kid on a bicycle against a fighter jet.

Only the people can end this and unfortunately they are too busy shopping at
the mall.

Even worse polls show the new generation of teenagers shrug off all privacy
concerns, they have been trained not to care anymore.

~~~
fit2rule
I don't think the solution is going to be technological in nature. It can only
be cultural.

We absolutely need a Peace movement that can overpower the current stance of
the war movement. We absolutely need to make peace. Probably the only thing
that will get us out of this situation is the hardest thing - the most
impossible thing - for any of us to do: defeat our enemies by becoming friends
with them.

We have to work harder to defeat intolerance, hatred, bigotry. These things
fester, and are contagious - and they are the lynchpin of the argument being
used by the powers to enact their heinous rules and laws, which enslave us
all.

We need a platform of peace that actually really makes peace happen. Some way
of getting the rabid ideological Christian crusaders at the same table as the
extremist Muslim terrorists. Some way to bring these massive differences -
which are utterly arbitrary and without real substance - to the point where
the human beings, on the other side of the books and vitriol, see each other
and treat each other as any two humans are capable of doing - with peace, with
love, and with an honest and sincere desire to see the party across the table
survive, flourish, and prosper.

We need to encourage people to be intolerant of intolerance. This is the
biggest issue. The NSA wouldn't have any fish in the pond, if we were to gain
a level of human understanding, compassion, and cooperation, between the
warring factions.

However, this is a difficult task. Maybe we, the human species, won't ever be
up for the task. Unless challenged by something else, from elsewhere ..

~~~
chippy
We need peace. We cannot fight evil for peace, just as we cannot fight a war
against terror. Peaceful demonstration movements are destroyed by making them
fight. It's really easy to do it. Vietnam war for example, or the fight for the
right to protest, or the fight against X Y or Z, or Occupy being sucked into
fighting for the right to demonstrate in a public place. I am even talking
about being proactive and demonstrating against evil and wrongdoing. Even
famous campaigners and activists championing for what is good and against
political injustices can not lead us to more peace. The only ideology really
that I have come across is nonviolence.

I also like the alien threat as incentive for global unity idea - it makes
sense in terms of human group psychology (The Other). And I suspect that group
psychology may actually make my first paragraph utterly false, as any
movement, any group, any collection of humans may not be able to be peaceful.
(individuals however could be...)

~~~
fit2rule
I think we need to work more on peace than those who work on war. Trouble is,
it's not profitable to do so. Somehow, that needs to change.

------
hamoid
Would having a logo for privacy be a good idea?

A logo we can place in all our websites? Together with some kind of sentence,
like "I support privacy", or "healthy minds need privacy", or "privacy is a
human need", or something better you can come up with?

Is there one already?

------
desireco42
I am genuinely impressed with the first few paragraphs, where they explain
motivation for doing this, rarely in today's world you will see such noble
intentions, I think this is one of the most beautiful things I read in a long
time.

------
gitspirit
I've run search on this page for 'education' and I've not got a result.
Education, Education and Education (as Location, location, location for real-
estate). Worth repeating: E D U C A T I O N is the game!

------
superobserver
Some might find the game plan partly shared (in addition to the main angle on
Snowden revelations) by Kim Dotcom and the Internet Party of New Zealand:

[http://kim.com](http://kim.com)

------
zmmmmm
One of the most important things that could be done is for browser vendors to
change their approach to self signed certificates. At the moment it looks like
a disaster when you visit a site with a self signed certificate, and certainly
no reputable business would do it. However given what we know about how
compromised certificate authorities are likely to be, I actually now consider
a self-signed certificate as more private than one signed by a CA. I would
much rather everyone signed their own certs and we use pinning and other, more
decentralised strategies to track authentic certs than any kind of centralised
model.

------
aluhut
Easy to handle and free encryption software everywhere it's needed would be a
huge start.

------
CyberDildonics
Is an always encrypted IP standard part of this? I would think at this point
public-private encrypted IP would be something that would be a huge selling
point for companies. People will buy new hardware if they know it would make
it more difficult for their communications to be collected.

------
nickik
First I want to congratulate the EFF on all the great work they do. Thank you
guys.

Second I want to address a problem that concerns me a lot and that I see again
in this discussion. I have a huge problem with equating the Facebooks and
Googles with the NSA. Some people make it seem as if the NSA (and similar) are
the lesser or at least equal evil compared to Google, Facebook and co.

I think this is madness, how can we compare companies that try to sell us ads
with an organisation that is sending police and military forces to people's
houses all over the world and puts them in prison or even kills them. In what
world are we more afraid of a company that offers us 10% off the laptop you
thought about buying compared to the serious danger that the NSA poses to
democracy, liberty and peace. I am unable to understand this position, I would
rather have 100 Googles and 100 Facebooks than 1 NSA and I live in a country
that is in friendly relations with the US, if it were otherwise I would rather
have 1000 Googles or Facebooks.

I don't want to come across as a defender of big business, in a parallel world
where there is no NSA and no mass government surveillance I would happily join
the Facebook bashing. I would happily lament the fact that Gmail has
centralised your email too much. But in this world, those are things that I
don't think about a lot, or rather I think about it only in the context of the
NSA.

Some people argue that it's the fault of Google and Facebook that the internet
is centralised and this makes the internet easy meat for the NSA, they then go
on to argue that Google and Facebook are basically just as bad as the NSA
because they helped in the process. This kind of argumentation relies on many
assumptions that are, at least in my mind, not at all valid.

First, you assume that the internet would not be centralised without these
companies. This is not at all clear, we see again and again that
centralisation has benefits for many users and for the companies themselves. It
is simply good business to gather data, every startup does it and every big
company does it too. Any company that does not do so is very likely not going
to be the next Google or Facebook. I love Open Whisper Systems and use their
products but they are not going to be the next Google.

Second, you assume that centralisation always makes spying easier and I
question this too. Compared to a cypherpunk future of peer-to-peer darknet
full crypto, onion routing, forward secret (add more crypto buzzwords) this is
of course the case but compared to the likely alternative it's not that bad.
Even for very good technical people like the people in this forum it is hard
and very time consuming to run their own mail servers, and use PGP. The likely
alternative is people running a non-updated box of an old OS with old tools
that are bound together by hand-knitted crypto (if any). We have learned from
XP, IE6 and things like that that you simply can not rely on common people
to keep up to date with features, let alone security.

Without getting a whole lot better at OpenSource and peer-to-peer we will not
create a digital revolution. I am still up for trying and will help where I
can to make that future happen eventually and I hope you will do so too. But in
the mean time we have Google and Facebook. While I do not expect much from the
morality (I do expect a little) I hope they are at least smart enough to
protect their own data from the government and the competition. Facebook is
using fantastic crypto in Whatsapp, Google has started to use better
encryption internally and is fighting on many other fronts. These technical
changes will hurt the NSA, this is after all a fight on economics (cost/benefit
of mass surveillance) and 600 million encrypted chat users will cost the NSA,
even if they can get at the data by hacking every single smartphone on the
planet.

The worst things Google or Facebook could do to me would be unpleasant, the
worst thing that the NSA could do is hard to even imagine. The NSA and secret
services like it are among the biggest dangers to our freedoms and it does not
matter on what side of the political spectrum you are, guns are at risk as much
as healthcare.

tl;dr: So let's first worry about evil governments that have SWAT teams and
drones and then worry about too many ads.

------
shit_parade
>The entity that’s conducting the most extreme and far-reaching surveillance
against most of the world’s communications—the National Security Agency—is
bound by United States law.

This seems clearly wrong -- when people like Clapper can essentially lie under
oath to Congress and not suffer any legal consequences it is rather dubious to
claim the NSA is bound by US law. There are increasingly 'secret' courts,
'secret' laws, 'secret' budgets, 'secret' legal memos, etc etc, why would you
begin your game plan with stating something so clearly incorrect? The reason
we know much about what is happening is because of whistle blowers, and many
of these people are either in hiding, on the run, dead, or being jailed by the
US government. The EFF is out of touch with reality if they truly believe the
NSA is beholden to the law instead of those controlling and using it as they
see fit.

~~~
tomrod
> why would you begin your game plan with stating something so clearly
> incorrect

Because once Congress publicly disavows the NSA's actions, I suspect then
working against Congress would result in rogue status.

~~~
debacle
The NSA has the browsing history in hand of every congresscritter and hopeful
congresscritter, phone records, travel records, IRS statements, etc.

It's not unbelievable that they would use this information to buy or bury an
elected official.

~~~
AnthonyMouse
Getting caught blackmailing a Congressman would be very, very bad for them.
It's far more likely that money from a secret budget ends up in the campaign
fund of friendly politicians, or that politicians who do what they want end up
with lucrative consulting work after they leave office, much as it is with
other industries.

But what do you propose to do about it either way? Go join Lawrence Lessig's
anti-corruption campaign. In the meantime it's not like positive change is
_impossible_ , it's just harder than it ought to be.

~~~
grecy
> _Getting caught blackmailing a Congressman would be very, very bad for them_

Isn't it common knowledge big corporations "buy" congressmen all the time with
insanely big "contributions"?

Why wouldn't the NSA do exactly the same thing?

~~~
guizzy
Because bribing and blackmailing are not the same thing. The first one is
unfortunately legal as long as it's done the right way (through campaign
contributions and PACs) and the second one is still a crime.

~~~
grecy
I was implying they result in the exact same outcome, which means for all
intents and purposes they are the same thing, when done correctly.

~~~
semi-extrinsic
Except one leaves the congressperson happy and one leaves the congressperson
angry. Do you think the angry or the happy person is most likely to
anonymously disclose this information to a journalist?

------
eblanshey
There's no better time to get behind projects that aim to decentralize the
web, which covers many of the bullet points in the EFF's list all in one go.
The primary project IMO to keep an eye on is MaidSafe[0], and I'm actually
quite surprised how little attention it gets from the community here. Whereas
most service/companies/developers aim to build privacy/encryption into their
own apps, the goal of the SAFE network is to create an internet backbone on
which all apps are automatically secure, making it much easier to build secure
apps for the average coder.

I wrote an easy to read overview, both high level and technical, of how it
works if anybody is interested: [http://blanshey.com/introduction-to-maidsafe-what-it-is-how-...](http://blanshey.com/introduction-to-maidsafe-what-it-is-how-it-works-and-how-it-compares-to-bitcoin/)

[0] [http://maidsafe.net](http://maidsafe.net)

