6 steps Silicon Valley can take to protect users from NSA spying
Opinion: The EFF's Kurt Opsahl lays out measures Internet companies can implement to protect their users' privacy from government surveillance.
We learned Wednesday that the National Security Agency has been collecting data from the links between data centers operated by Yahoo and Google: the fiber-optic connections between company cloud servers at various points around the world.
Even though Internet users may have encrypted (HTTPS) connections between their computers and the companies' public-facing Web sites, the data flowing internally between those companies' data centers was not encrypted, allowing the NSA to obtain millions of records each month, including both metadata and content such as audio, video, and text.
This covert cloud collection -- code-named MUSCULAR -- is not part of the PRISM program revealed this summer and has not even been overseen by the rubber-stamp FISA court. Instead, it occurs without the service providers' knowledge and therefore never appears on a transparency report.
To help restore their users' trust, we call upon Silicon Valley tech giants to implement these six measures:
- Encrypted links between datacenters. First, Silicon Valley companies should immediately start encrypting all traffic between their datacenters, since the NSA has now shown it can tap those links. Google began this process last month, and every company that runs services across multiple datacenters should follow suit.
- Enable secure communications by default. When users send or receive e-mail or otherwise access online services, they can use HTTPS to communicate securely -- but only if the Web site supports it. Google, Microsoft, and Facebook support encryption by default, and Yahoo plans to start in early 2014.
- Enable secure e-mail between Web mail companies. If you send e-mail from your Gmail account to a Hotmail account, it travels between the two companies' servers in the clear, even if each has secure data links and HTTPS by default. However, if every Web mail company enabled the STARTTLS extension to SMTP, e-mail could be encrypted in transit between any two mail servers that support it. One caveat: as usually deployed, STARTTLS is opportunistic, so a man-in-the-middle who strips the STARTTLS capability from the receiving server's reply can force the message back to plaintext unless the sending server insists on TLS for that peer. The companies can also pin each other's certificates or public keys (known as "cert pinning"), meaning a mail server accepts only the certificate it has agreed on in advance, to stop NSA man-in-the-middle attacks in which the NSA presents its own certificate and pretends to be a company's e-mail server.
- Forward secrecy. It's not enough to simply use a strong key to encrypt. If that key is compromised, whether by a malicious hacker or by the government (a la Lavabit), everything ever encrypted under it is exposed, including traffic an adversary recorded long ago. However, companies can select cipher suites that provide "forward secrecy" (ephemeral Diffie-Hellman key exchange, the DHE and ECDHE suites): each session is keyed by a fresh secret that both sides discard afterwards, and the long-term key only authenticates the exchange, so obtaining that key later does not let anyone decrypt previously recorded sessions.
- Fight surveillance in court. Whenever the government seeks to access users' private and personal information through unconstitutional or unlawful legal process, the tech companies should fight back in the courts. Earlier this year, a warrantless surveillance authority known as a National Security Letter was declared unconstitutional, but only because a company stood up for its users in court.
- Fight surveillance in Congress. Internet companies have already taken a first step by demanding the right to speak publicly about the secret government data demands they receive. This is a great start, but it is not enough. The companies should also ask Congress to end mass Internet surveillance. Better encryption alone is not enough; we also need to pass the laws that stop NSA overreach.
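The forward-secrecy item above is the one most easily shown in code. The following is an added example written for this page, not code from the article or from the EFF: a pure-Python toy Diffie-Hellman handshake run twice, once with the server reusing its long-term key as its DH share (no forward secrecy) and once with a fresh per-session key that the long-term key only signs (forward secrecy). A passive collector records both handshakes and later obtains the server's long-term private key; the code shows which session it can then decrypt. Assumptions of the example: the group (p = 2**521 - 1, g = 3) is a toy chosen for illustration, the Schnorr-style signature stands in for a certificate signature, and the `wire` dict stands in for the recorded transcript.

```python
"""Forward secrecy shown with a toy Diffie-Hellman handshake (added example).

Two server configurations run over the same group:
  * "static":    the server's DH share is its long-term key, reused for every
                 session (no forward secrecy; the TLS_DH_* pattern);
  * "ephemeral": the server draws a fresh DH key per session and only signs it
                 with its long-term key (forward secrecy; the DHE/ECDHE pattern).
A passive collector records each handshake. Later it obtains the server's
long-term private key (Lavabit-style compulsion, theft, or a cracked key).
"""
import hashlib
import secrets

# Toy group for illustration only (assumption of this example): p = 2**521 - 1
# is prime and g = 3. Production code uses a standard group (RFC 3526/7919)
# or an elliptic curve; the key-handling logic below is what matters.
P = 2**521 - 1
G = 3
Q = P - 1          # exponents are reduced mod p-1 (Fermat)


def i2b(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")


def h_int(*parts: bytes) -> int:
    """SHA-256 of the joined parts, as an integer (used as KDF and challenge)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def keygen():
    priv = secrets.randbelow(Q - 2) + 2
    return priv, pow(G, priv, P)


def sign(priv: int, msg: bytes):
    """Schnorr-style signature with the long-term key. Stands in for the
    certificate signature that authenticates a DHE server key share."""
    k = secrets.randbelow(Q - 2) + 2
    r = pow(G, k, P)
    e = h_int(i2b(r), msg) % Q
    return r, (k + e * priv) % Q


def verify(pub: int, msg: bytes, sig) -> bool:
    r, z = sig
    e = h_int(i2b(r), msg) % Q
    return pow(G, z, P) == (r * pow(pub, e, P)) % P


def session_key(shared_secret: int) -> bytes:
    return hashlib.sha256(i2b(shared_secret)).digest()


def handshake(server_priv: int, server_pub: int, mode: str):
    """One handshake. Returns (session key, what a wiretap sees)."""
    a, client_share = keygen()                 # client side is always ephemeral
    if mode == "static":
        b, server_share, sig = server_priv, server_pub, None
    elif mode == "ephemeral":
        b, server_share = keygen()             # fresh exponent for this session
        sig = sign(server_priv, i2b(server_share))
        if not verify(server_pub, i2b(server_share), sig):
            raise ValueError("server share failed authentication")
    else:
        raise ValueError(mode)
    key_c = session_key(pow(server_share, a, P))   # client computes g^(ab)
    key_s = session_key(pow(client_share, b, P))   # server computes g^(ab)
    assert key_c == key_s
    del a, b                                   # exponents are discarded here
    wire = {"mode": mode, "client_share": client_share,
            "server_share": server_share, "server_pub": server_pub, "sig": sig}
    return key_c, wire


def collector_recovers(wire: dict, leaked_server_priv: int):
    """Session key a passive collector gets from the recording plus the
    server's long-term private key obtained afterwards, or None."""
    if wire["mode"] == "static":
        # The long-term exponent s *is* the server's DH exponent: (g^a)^s.
        return session_key(pow(wire["client_share"], leaked_server_priv, P))
    # Ephemeral: the recording holds g^a and g^b and a signature over g^b.
    # The leaked key only lets the collector re-verify that signature; the
    # exponent b was never on the wire and no longer exists anywhere.
    return None


def demo(mode: str):
    s, S = keygen()                            # server's long-term key pair
    key, wire = handshake(s, S, mode)
    return key, collector_recovers(wire, s), wire


if __name__ == "__main__":
    for mode in ("static", "ephemeral"):
        key, recovered, _ = demo(mode)
        outcome = "recovers" if recovered == key else "cannot recover"
        print(f"{mode:9}: collector {outcome} the session key")
```

The signature also covers the man-in-the-middle case from the STARTTLS item: a tap that swaps in its own server share cannot produce a valid signature over it without the long-term private key, and verification fails. On a real server the equivalent check is simply whether the negotiated cipher suite is a DHE or ECDHE one.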