As we did last year and the year before, EFF welcomes the winter season with a new wishlist of some things we’d love to have happen for the holidays—for us and for all Internet users. These are some of the actions we’d most like to see from companies, governments, organizations, and individuals in the new year.
The Department of Justice should notify everyone who’s been convicted of a crime using evidence derived—directly or indirectly—from warrantless surveillance programs (not just a cherry-picked handful of defendants).
All communications companies should publish transparency reports showing the scope and nature of government requests for user information. The Internet industry, led by Google, has made this a standard for corporate transparency, but telecom companies are still totally missing in action.
Companies that sell books, movies, music, or other digital media should commit to the principle that if you bought it, you own it. That means no DRM and no sneaky license agreements.
Every wireless device should let you change its MAC address (a hardware serial number), and no new technology standards should be designed to transmit any persistent hardware serial numbers over the air or on a network. (If your device keeps sending the same hardware serial number, as wifi devices and cell phones, among others, currently do, whoever’s at the other end or listening in can recognize you and track your location. Businesses and governments are already taking advantage of this to build massive databases of our devices.)
Web sites should publish historical versions of their terms of service and privacy policies, with their effective dates, to help users understand what’s changed over time. At a bare minimum, companies like Facebook should stop blocking the Internet Archive from creating and displaying a historical record of their policies.
Companies entering the secure communications space (as well as those that have been there a while!) should explain exactly how secure they are and why. They should get public technical audits by experts and clearly explain how they handle classic, fundamental security challenges. They should clearly and publicly explain whether and to what extent they could be compelled to record or turn over user data or to help break users’ security (including by disclosing cryptographic keys or passwords, by issuing false digital certificates, or by modifying their software).