From the Electronic Frontier Foundation:
How to Protect Your Users from NSA Backdoors: An Open Letter to Technology Companies
As security researchers, technologists, and digital rights advocates, we are deeply concerned about collaboration between government agencies and technology companies in undermining users’ security. Among other examples, we are alarmed by recent allegations that RSA, Inc. accepted $10 million from NSA to keep a compromised algorithm in the default setting of a security product long after its faults were revealed. We believe that covert collusion with spy agencies poses a grave threat to users and must be mitigated with commitment to the following best practices to protect users from illegal surveillance:
- Provide public access to source code whenever possible, and adopt a reproducible build process so that others can verify the integrity of pre-compiled binaries. Both open and closed source software should be distributed with verifiable signatures from a trusted party and a path for users to verify that their copy of the software is functionally identical to every other copy (a property known as “binary transparency”).
- Explain choices of cryptographic algorithms and parameters. Make best efforts to fix or discontinue the use of cryptographic libraries, algorithms, or primitives with known vulnerabilities and disclose to customers immediately when a vulnerability is discovered.
- Hold an open and productive dialogue with the security and privacy communities. This includes facilitating review and responding to productive criticism from researchers.
- Provide a clear and secure pathway for security researchers to report vulnerabilities. Fix security bugs promptly.
- Publish government request reports regularly (often these are called “Transparency Reports”). Include the most granular reporting allowed by law.
- Invest in secure UX engineering to make it as easy as possible for users to use the system securely and as hard as possible for users to use the system unsafely.
- Publicly oppose mass surveillance and all efforts to mandate the insertion of backdoors or intentional weaknesses into security tools.
- Fight in court any attempt by the government or any third party to compromise users’ security.
- Adopt a principle of discarding user data after it is no longer necessary for the operation of the business.
- Always protect data-in-transit with strong encryption in order to prevent dragnet surveillance. Follow best practices for setting up SSL/TLS on servers whenever applicable.
Sincerely,
The Electronic Frontier Foundation in collaboration with*:
- Roger Dingledine, Project Leader, Tor Project
- Brendan Eich, CTO, Mozilla Corporation
- Matthew Green, Assistant Research Professor, Department of Computer Science, Johns Hopkins University
- Nadia Heninger, Assistant Professor, Department of Computer and Information Science, University of Pennsylvania
- Tanja Lange, Professor, Department of Mathematics and Computer Science, Technische Universiteit Eindhoven
- Nick Mathewson, Chief Architect, Tor Project
- Eleanor Saitta, OpenITP / IMMI
- Bruce Schneier, Security Technologist
- Christopher Soghoian, Principal Technologist, Speech, Privacy and Technology Project, American Civil Liberties Union
- Ashkan Soltani, Independent Researcher and Consultant
- Brian Warner, Tahoe-LAFS Project
- Zooko Wilcox-O’Hearn, Founder and CEO, LeastAuthority.com
*Affiliations listed for identification purposes only.