#FixItAlready: EFF's wishlist for fixing tech's worst privacy and security choices

Originally published at: https://boingboing.net/2019/02/28/name-and-shame.html

1 Like

Black text on turquoise background? I’m interested in what they have to say but not THAT interested.

Maybe I’ll see if it’s readable on my PC.

4 Likes

From the linked article:

Apple should let users encrypt their iCloud backups

Sigh, the EFF has its heart in the right place but it really, deeply fails to understand that not everyone in the world is a computer nerd.

Apple is protecting users from catastrophic data loss by not encrypting cloud backups. Even enabling encrypted backups as an off by default option would cause a significant number of people to try it out. And with an encrypted backup, if you forget your password, then when your phone breaks or is lost, or when you die and take knowledge of your PIN and password with you, your data is lost forever. With a userbase of over a billion, Apple would be dealing with thousands of users every year who cannot understand why the precious family photos on their phone are gone forever simply because of a lost or forgotten password.

With non-encrypted backups, there is some hope of getting the data back after providing adequate proof that you’re entitled to access it.

The choice when it comes to backups is stark. If you don’t encrypt them, then under certain limited circumstances you are vulnerable to bad actors, whether official or unofficial, getting access to your data. If you do encrypt them, then you are one lost password away from not having any backup whatsoever.

For ordinary people (not nerds, not journalists or activists or other people with reason to be paranoid), you don’t want to ever encrypt your backups. Apple makes technology for ordinary people, and IMHO, they made the right choice to not provide an option to encrypt cloud based backups, and instead provide the option to encrypt offline backups made with Itunes.

I suspect similar reasoning was behind Microsoft’s approach to whole disk encryption, also called out in EFF’s article.

3 Likes

I quite like this idea of having a to-do list for issues to care about. That could be a good way to get people to engage with these issues as graspable and manageable.

I’m not sure about this grid format, though. One might almost come to feel like EFF’s message is “all (for-profit) IT companies are equally irredeemable no matter what they do”, particularly if one was already starting to get that feeling anyway.

For example: WhatsApp have probably secured more private messages than any organisation in human history, but thanks to a minor issue with group admin, they are equated with an organisation (their parent company) that makes the Stasi look like a mildly nosy neighbor.

If this page were driven by user submissions (?), a welcome improvement would be to visually rank issues by importance and scale. If Facebook and Google problems take up half the chart, so be it; I’m more interested to know where the problems are than which companies EFF doesn’t like.

(And if Mozilla or Ubuntu or the Apache Foundation happen to have more issues than WhatsApp, let’s see that, too, especially because they’re more likely to do something about it)

1 Like

The Apple thing sounds reasonable enough as they describe it - that the backups are already encrypted only with 2 keys, one user and one at Apple in case the user loses theirs, so they just want an option to not give Apple a key.

But I think you have a good point. While setting up a new computer about half a decade ago I set up disk encryption and was careful to put the password in a safe place. Unfortunately it wasn’t the logical place (my password manager) because I wasn’t at the other computer where my password manager was already setup at the time. Now I don’t know what safe place that password is in. And I am the sort of nerd that’s careful about those things (usually).

Wait, what’s the thing about Windows 10 encryption keys?

I mean, my Win10 install is much neglected and most used for playing games, but whut?

It only enhances the nauseating effect used on the logos.

Windows 10 Home has a device encryption option that is available with certain hardware. (None of my devices seem to support this.) When you turn it on you have to sign in with a Microsoft account and your key is stored with Microsoft. This is presumably because Windows 10 is a consumer product and the chances of someone turning encryption on and then losing their key are too high to risk lawsuits over lost data. If you want to keep your own keys you have to upgrade to Pro with BitLocker which is probably the way to go anyway if you have privacy concerns.

I’ve only seen bitlocker, as I don’t have any Win10 home machines, so this is new.

I can’t remember, does Bitlocker allow for recovery by site admins like the old symantec stuff, because that’s problematic too.

Doesn’t really bother me as the chances of getting through the dm-crypt on the machines I actually use.

This topic was automatically closed after 5 days. New replies are no longer allowed.