Perhaps the worst aspect of the privacy and security issues plaguing the tech we use every day is that they seem completely preventable.
Why hasn’t Twitter encrypted direct messages? Why is Facebook using your phone number for more than your two-factor authentication?
The Electronic Frontier Foundation (EFF) plans to compel companies to address these very questions and more in a new initiative called #FixItAlready.
We spoke with the EFF’s Gennie Gebhart, who helped launch #FixItAlready, about the plans to finally hold companies accountable for users’ privacy and security. Below are excerpts from that interview, lightly edited for clarity.
What is #FixItAlready?
#FixItAlready is a new way for the EFF to let companies know how serious we are about various security and privacy issues and, in particular, to try and engage users on those issues.
We wanted to look for new ways to address consumer privacy advocacy and highlight security and privacy issues that have realistically feasible, but big-impact, fixes. From a user’s perspective, these are things that would make you think, “Why haven’t they fixed that already?” And we really want this initiative to mirror that pent-up frustration.
Why did you only highlight nine companies in the initiative?
If we wanted to talk about security and privacy issues in big companies, we could easily have a list of a hundred things. The reason we pointed out the nine is down to three things:
- They are well-known companies;
- They have realistic, feasible, and attainable fixes; and
- They would have a big impact if they were addressed.
[The nine fixes #FixItAlready calls for:]
- Android to let users deny and revoke apps’ internet permissions.
- Apple to let users encrypt their iCloud backups.
- Facebook to stop using phone numbers added as account verification for targeted advertising.
- Slack to give unpaid account users control over data retention.
- Twitter to add end-to-end encryption to direct messages.
- Venmo to let users hide their friends lists.
- Verizon to stop pre-installing spyware on phones.
- WhatsApp to get a user’s consent before adding them to a group.
- Windows 10 to let users keep their disk encryption keys to themselves.
Some of these issues have been well-known for a long time, and the fact that we have the technology to fix them [and yet haven’t] really flies in the face of security and privacy best practices.
Which company do you think has the most serious privacy and security flaws?
I think the answer would change depending on who you’re talking to. It’s important to remember that a lot of people only use one product or another.
Encrypting iCloud is a big one, though. Apple has rightly made a lot of noise and has a great reputation for iPhone security, but a lot of iPhone users may not realize that they don’t get that same level of security with the iCloud.
If you drop your phone in a puddle or forget all your passwords, backups make sense. But it’s important for these backups to be encrypted, so photos and data are safe and no one can get to them. For a company that is already using privacy as a big selling point, this is something that they can’t afford to stay still on.
We’re also finding new issues all the time. Just a few days after we launched, we learned more bad news about how Facebook abuses phone numbers people add for security purposes.
What do you think about Zuckerberg’s recent privacy pivot for his company?
It does inspire a lot of hope in Facebook as far as responsible stewardship of security and privacy features goes. Facebook’s messaging merger is also an interesting development, but I think time will tell. Aspects of the plan that Zuckerberg’s announced sounded great, and if Facebook pulls it off and stands with its users, we will stand with them. If they don’t, we’ll be here to hold them accountable.
The company’s recent track record does not inspire optimism—we’re going to believe it when we see it.
How do you hope companies will respond to #FixItAlready?
In a highly competitive industry, we think that when one company changes their stance on security and privacy, the others might look a little worse. In some cases, like Android’s apps’ internet permissions policy, if one company moves and takes the lead, it puts pressure on the whole ecosystem to improve privacy across the board.
We’ve already seen the WhatsApp consent feature, which appears to be in beta, and a similar feature hiding in the code of the Android beta. So that’s where we might see some movement sooner or later—depending on the company and their priorities. If a competitor sees that, it could be a great motivator to improve the app’s security and privacy.
It can be easy to feel powerless about one’s security and privacy. How do we overcome that?
I think jumping into the #FixItAlready campaign and amplifying it does not hurt. You can feel powerless when you’re one user among several billion. Big companies are not held accountable, they don’t have an elected mandate, and they do not answer to you, which can be extremely frustrating.
But one thing that people can do is change how they use products. No one’s under the illusion that quitting Facebook is going to inspire huge changes—you’d need a one-billion-person movement for that. It’s about protecting yourself and finding the security and privacy that you need.
It’s also important to reflect on what security and privacy mean to you as an individual. Are you nervous about government surveillance or are you nervous about a parent, employer, teacher, or abusive spouse that’s trying to surveil you? That’s two totally different situations, and each has many different ways to address them. It’s about finding exactly what you need and then changing your online habits.
What are the next steps for #FixItAlready?
We’re still in the first phase of the project, but we’ve already been talking to companies, learning what they’re doing, and what internal blocks they have that keep the privacy features from being established.
Currently, we’re looking for users who have been affected by lapses in privacy. With regard to Slack, for example, there are community organizers, activist groups, unions, and journalist collectives using free accounts, and they are at risk with Slack’s data retention policy. Users like that, who are affected by these lapses in security, are the people whose voices we’d like to amplify in the near future.
The #FixItAlready project was born out of that pent-up frustration of “What can we do?” It’s about trying to find a way to amplify the voices of users who have compelling stories to tell, and how these issues have affected them—what are the workarounds they’ve tried to use to protect themselves in spite of all the privacy and security issues?
When I look at what could happen next, ideally all these companies should stop relying on targeted advertising as their business model. But that’s going to be hard to accomplish, so it’s about what can be done now. What can we fight for now? And then we can look at how to build on that.
So we’re starting with something that’s easy to attain?
Easy to attain may not be the right way to put it—it’s important to acknowledge that making these changes can be a herculean task. But the point is that we have the technology and there are no excuses to keep shirking the best security and privacy practices.
Technology companies need to recognize what users want and deserve in terms of privacy and security fundamentals—and apply it.