Among the issues
that President Obama did not address in his
lukewarm call for “reform” of NSA spying practices are
allegations that U.S. government officials have used their clout to
compromise encryption technology and strong-arm companies into
inserting backdoors into their products. That’s not a small
issue, because it gives the NSA and other agencies access to vast
quantities of information at least as sensitive as what they gather
from sucking up phone metadata. Last week, even before the
president’s speech, Brendan
Eich, the Chief Technology Officer of Mozilla, the organization
behind the Firefox Web browser, called on the public to help resist
Wrote Eich in a blog
As a result of laws in the US and elsewhere, prudent users must
interact with Internet services knowing that despite how much any
cloud-service company wants to protect privacy, at the end of the
day most big companies must comply with the law. The government can
legally access user data in ways that might violate the privacy
expectations of law-abiding users. Worse, the government may force
service operators to enable surveillance (something that seems to
have happened in the
Worst of all, the government can do all of this without users
ever finding out about it, due to gag orders.
This creates a significant predicament for privacy and security
on the Open Web. Every major browser today is distributed
by an organization within reach of surveillance laws. As
the Lavabit case suggests, the government may request that browser
vendors secretly inject surveillance code into the browsers they
distribute to users. We have no information that any browser vendor
has ever received such a directive. However, if that were to
happen, the public would likely not find out due to gag orders.
The unfortunate consequence is that software vendors —
including browser vendors — must not be blindly trusted.
Not because such vendors don’t want to protect user privacy.
Rather, because a law might force vendors to secretly violate their
own principles and do things they don’t want to do.
His proposed solution? Since Mozilla and its products are all
open source, he wants tech-savvy users around the world to:
- regularly audit Mozilla source and verified builds by all
- establish automated systems to verify official Mozilla builds
from source; and
- raise an alert if the verified bits differ from official
That way, no matter what Mozilla is ordered to do by a
government body, and forbidden to reveal, any compromises stand a
good chance of being discovered. Even attempting them might
Talk about watching the watchers.
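What the second and third steps of that list look like in practice, as an added example that is not Mozilla's own tooling or anything from Eich's post: a small POSIX shell script that takes an official checksum manifest (in the `sha256sum` line format), hashes the artifacts a local from-source build produced, and raises an alert on any artifact that differs or is missing. The file names, contents and digests in the demo are constructed for illustration; a real deployment would point it at the published release checksums and a reproducible-build output directory.

```shell
#!/bin/sh
# Added example (not Mozilla's tooling): compare a locally reproduced build
# against an official checksum manifest and alert on any difference.
# Artifact names, contents and the manifest below are constructed for the demo.

sha256_of() {
  # Portable digest: GNU coreutils sha256sum, or BSD/macOS shasum as fallback.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_build MANIFEST LOCAL_DIR
# MANIFEST lines look like "<sha256>  <filename>" (what `sha256sum` emits).
# Prints OK/ALERT per artifact; returns 1 if any artifact differs or is missing.
verify_build() {
  manifest="$1"; local_dir="$2"; status=0
  while read -r official_sum filename; do
    [ -z "$filename" ] && continue
    local_file="$local_dir/$filename"
    if [ ! -f "$local_file" ]; then
      echo "ALERT: $filename is in the official manifest but the local build did not produce it"
      status=1; continue
    fi
    local_sum=$(sha256_of "$local_file")
    if [ "$local_sum" = "$official_sum" ]; then
      echo "OK: $filename"
    else
      echo "ALERT: $filename differs from the official build"
      echo "  official: $official_sum"
      echo "  local:    $local_sum"
      status=1
    fi
  done < "$manifest"
  return $status
}

# Constructed demo data: an "official" release tree, and a local rebuild in
# which one artifact carries extra bytes (standing in for injected code).
# Prints the path of the temporary directory it created.
make_demo() {
  d=$(mktemp -d)
  mkdir "$d/official" "$d/local"
  printf 'firefox binary v1\n' > "$d/official/firefox"
  printf 'libxul contents\n'   > "$d/official/libxul.so"
  cp "$d/official/firefox" "$d/local/firefox"                        # identical
  printf 'libxul contents + extra bytes\n' > "$d/local/libxul.so"     # tampered
  ( cd "$d/official" && for f in firefox libxul.so; do
      echo "$(sha256_of "$f")  $f"
    done ) > "$d/SHA256SUMS"
  echo "$d"
}

demo=$(make_demo)
verify_build "$demo/SHA256SUMS" "$demo/local" \
  || echo "Build verification FAILED: do not trust these bits"
```

The comparison deliberately treats a missing artifact as an alert too, since a build that silently drops a component is as suspicious as one that changes it. Note that this only works if the build is actually reproducible (same toolchain, same inputs, no embedded timestamps); a spurious mismatch from non-determinism is noise that hides a real one, which is why the "automated systems" Eich asks for have to fix the build process before they can fix the trust problem.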
Eich is right—open source does have an inherent advantage over
proprietary technology because it’s open to public scrutiny. It
stands to grow in importance for just that reason.