09/09/09 - Are US social sites up to the task of spreading freedom?
Seattle, Wash. — Sept 9, 2009 — We have entered a new phase of dependence on the internet. We have moved beyond consumer-oriented shopping sites, addictive puzzle places, and social networking platforms. The internet has become the default platform to rally support for political candidates, voice dissent with the status quo, expose governmental misdeeds, spread news from citizen to citizen, and, if necessary, plan civil disobedience. These are the very underpinnings of civil society and governance. Sure, it is nice to search Amazon for a new movie to buy, but that pales in comparison to being able to participate in the debate and election of a new president.
In the United States we take for granted the protections of the First Amendment, and have designed our web sites accordingly, with little to no privacy protection built in. Everything has been designed to protect your credit card digits, not the content of your communications.
This does nothing, for example, to help protect protesters in Iran who rely on U.S. social sites to spread news about their contested election. The only thing encrypted with SSL is their password when they log in to a site. After that, every post they write, every friend they make, and every gathering they plan can be recorded and accessed weeks or months later if the authorities feel like rounding up "social agitators." The login pages of all the sites they poured their hopes and dreams into have a pretty lock icon on them, suggesting privacy and security, but in reality their activities were neither private nor secure.
This is the world we live in. No major social, blog, or email site uses encryption for all of its communications. On most sites it isn't even an option, and when it is, the setting is often buried in a hard-to-find location. This might have been good enough when the web was a novelty and your activities were of little consequence if monitored. Unfortunately, those days have been gone for a while, and only now are the consequences starting to sink in... at least in Iran, or even more recently China.
The old arguments for doing nothing hold no weight. Yes, SSL encryption takes additional processor resources, but CPU power has become a cheap commodity and dedicated SSL accelerators cost in the hundreds of dollars. Users' computers and browsers have become faster, eliminating almost any lag associated with the initial setup of an SSL connection. It can no longer be claimed that it is too expensive an option.
I call on all major social sites, email providers, blog spots, photo hosting services, and chat platforms to enable SSL as the default behavior for all communications. You already use this technology to protect your users' passwords. You openly encourage your users to share personal details, pictures and stories about themselves and their families. Because of this you have a social responsibility to expand the use of SSL to protect both the privacy and the political freedom of your users in a simple and seamless fashion. Just as airbags in cars are now the expected norm, it is time to make privacy and security the default, not the exception.
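As an added illustration (not part of the column and not code from Black Hat or any site named above), the following Python models the two deployment policies the column contrasts: the "lock icon on the login page only" pattern, where the session cookie is issued without the Secure flag and every later page is served over plain HTTP, and the "SSL by default" pattern, where every plain request is redirected, the browser is pinned to HTTPS with an HSTS header, and the session cookie is marked Secure. A small replay harness walks a constructed browsing session through each policy and reports exactly which requests put the session cookie or a post body on the wire unencrypted. The hostname `example.org`, the cookie name `sid`, the session id and the sample session are all assumptions made for the example.

```python
# Added example, not from the original column: two site policies modelled as plain
# request handlers, plus an audit that replays a session and lists cleartext exposure.
from http.cookies import SimpleCookie

SITE = "https://example.org"                   # assumed hostname for the example
HSTS = "max-age=31536000; includeSubDomains"   # one year; assumed policy value


def session_cookie(session_id: str, secure: bool) -> str:
    """Build a Set-Cookie value for the session id; the Secure flag is the point here."""
    jar = SimpleCookie()
    jar["sid"] = session_id
    jar["sid"]["path"] = "/"
    jar["sid"]["httponly"] = True
    if secure:
        jar["sid"]["secure"] = True          # never sent by the browser over plain http
    return jar["sid"].OutputString()


def login_only_tls(request: dict, session_id: str):
    """The pattern the column criticises: TLS on /login only, everything else as-is."""
    if request["path"] == "/login":
        if request["scheme"] != "https":
            return 301, {"Location": SITE + "/login"}, None
        return 200, {}, session_cookie(session_id, secure=False)
    return 200, {}, None                     # served over whatever scheme the client used


def always_tls(request: dict, session_id: str):
    """Hardened: redirect every plain request, pin the browser with HSTS, Secure cookie."""
    if request["scheme"] != "https":
        return 301, {"Location": SITE + request["path"]}, None
    headers = {"Strict-Transport-Security": HSTS}
    cookie = session_cookie(session_id, secure=True) if request["path"] == "/login" else None
    return 200, headers, cookie


def cleartext_exposure(handler, steps, session_id="s3ss10n-id"):
    """Replay (scheme, path, body) steps like a simple browser and return a list of
    (path, what) pairs for every request that carried the session cookie or a post
    body over plain http. The client follows one redirect per step, stores the
    session cookie, honours its Secure flag and upgrades to https once HSTS is seen."""
    jar = {}            # cookie name -> (value, secure flag)
    pinned = False      # True once an HSTS header has been received
    exposed = []
    for scheme, path, body in steps:
        if pinned:
            scheme = "https"
        for _ in range(2):                   # original request plus at most one redirect
            cookies = {n: v for n, (v, sec) in jar.items() if scheme == "https" or not sec}
            if scheme == "http":
                if cookies:
                    exposed.append((path, "session cookie"))
                if body:
                    exposed.append((path, "post body"))
            req = {"scheme": scheme, "path": path, "cookies": cookies, "body": body}
            status, headers, set_cookie = handler(req, session_id)
            if set_cookie:
                morsel = SimpleCookie(set_cookie)["sid"]
                jar["sid"] = (morsel.value, bool(morsel["secure"]))
            if "Strict-Transport-Security" in headers:
                pinned = True
            if status != 301:
                break
            scheme = "https"                 # follow the redirect to the https form
    return exposed


# Constructed sample session: the user arrives over http, logs in, posts, views friends.
SAMPLE_SESSION = [
    ("http", "/login", None),
    ("http", "/post", "my first post"),
    ("http", "/friends", None),
]

if __name__ == "__main__":
    print("login-only TLS :", cleartext_exposure(login_only_tls, SAMPLE_SESSION))
    print("TLS everywhere :", cleartext_exposure(always_tls, SAMPLE_SESSION))
```

Under the login-only policy the replay reports the session cookie and the post body leaving in the clear on every page after the login, which is the recording risk the column describes; under the always-TLS policy the same session produces no cleartext exposure at all, because the first HTTPS response pins the browser and the Secure flag keeps the cookie off any plain connection.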
Founder of DEF CON and Black Hat
Member, HSAC
The BlackPage is always looking for concise and interesting comments from researchers and experts about issues that affect the security community. Contact us to learn more about submission rules.