Electronic Frontier Foundation celebrates 25 years of defending online privacy

Its first major case was one in which the US Secret Service, hunting a stolen documented, raided a company's computers

Cindy Cohn

Cindy Cohn

The Electronic Frontier Foundation is the digital world's top watchdog when it comes to privacy and free expression.

But while cops and firefighters are often ready to retire after 25 years on the job, protecting citizens, the EFF has a full agenda as it celebrates its 25th anniversary.

The EFF was founded in 1990, when the Web still had just one webpage. Its first major case was one in which the US Secret Service, hunting a stolen documented, raided a company's computers, computers that were also used to run an online bulletin board, and read and deleted those users' messages.

The company, Steve Jackson Games, and some of the users of that bulletin board, thought that the government overstepped its warrant.

The situation inspired former Lotus president Mitch Kapor, Sun Microsystems employee John Gilmore and John Perry Barlow, cattle rancher and Grateful Dead lyricist to form the EFF and represent Steve Jackson Games and their users against the U.S. Secret Service.

In 1993, in a landmark judgment, the courts ruled that law enforcement authorities can't seize electronic mail without a specific warrant.

It was just a warm-up.

In 1995, EFF took on the case of Daniel Bernstein, a math grad student at Berkeley, who wanted to publish an encryption algorithm he developed.

Back then, encryption was considered a national secret, regulated the same way as military weapons.

In order to publish his algorithm, the law at the time required Bernstein to register as an arms dealer and apply for an export license.

In 1999, the courts ruled in his favor, deciding that computer code was, in fact, constitutionally-protected speech.

One of the lawyers on that landmark case was Cindy Cohn, who is now the executive director of the EFF.

And times have changed.

"There are now more people working on making security tools easier and more widespread than ever before," she said. "In the non-profit sector, and in the for-profit sector, whether you're looking at the enterprise level or the individual level, we're seeing more security development and smarter security development now than in the entire 25 years that the EFF has existed."

Cybersecurity experts are applauding the EFF for its work.

"By advocating for privacy rights, and combating invasive legislation, the EFF has bolstered the security of enterprises' most valuable resource -- its employees," said Kunal Rupani, senior product manager at security firm Accellion.

The EFF is also protecting the privacy rights of companies, as well, said Paul Henry, security consultant at Blancco Technology Group.

"When the EFF is behind you, businesses have a fighting chance to protect their assets," he said, pointing to the EFF's recent reaction to the way the authorities shut down the Megaupload file sharing site and prevented legitimate users from being able to get their files back. "That's pretty brave and fearless."

In that case, the EFF argued that customers of cloud computing services shouldn't lose property rights to their data by simply hosting their data with an outside provider.

+ ALSO ON CSO: EFF Inspects Encryption Tool for Adium, Pidgin IM Clients +

"It speaks perfectly to how enterprise businesses benefit from the EFF's activities," Henry said. "I respect them tremendously."

"I -- and Malwarebytes -- are very pleased to see groups like the EFF standing up to protect the digital privacy rights and overall freedom of individuals in cyberspace," said Josh Cannell, a security expert at Malwarebytes.

And it's not just on the legal front that the organization has made a difference, he said. They've also worked on technology infrastructure projects.

"The EFF has also launched projects like Sovereign Keys that help protect and improve the usage and implementation of encryption protocols," he said.

The EFF has also been a big supporter of the Pretty Good Privacy encryption software and the Fido alliance for stronger and simpler authentication, said Phillip Dunkelberger, CEO at Nok Nok Labs. He was a co-founder and CEO at PGP Corp.

"Many of the things that they have suggested are now considered best practices globally," he said.

Some privacy advocates hope to see the EFF expand its mission.

"Over the past 25 years the EFF has been very active in lobbying against governments violating privacy rights," said John Pescatore, director of emerging trends at SANS Institute. "But it has been mostly silent about similar abuses by search engines, advertisers, and e-commerce companies."

He said he'd like to see the EFF take on more battles against corporate privacy abusers, as well.

"But all in all they have been a positive force in fighting imbalances of power in the digital world," he said.

And the EFF has had some impact on the way corporations view customer privacy, said Matt Cullina, CEO at IDT 911, LLC.

"The EFF acts as an industry watchdog holding those who haven't implemented robust privacy practices, accountable, making a clear line in the sand of those that do data privacy right from those that do it wrong," he said.

A never-ending battle

Meanwhile, some battles are never really over.

For example, right now, the EFF is fighting a plan by the Bureau of Industry and Security, an agency within the U.S. Department of Commerce, to impose wide-ranging export restrictions on software used for penetration testing, network monitoring, and other security purposes.

Meanwhile, law enforcement officials are making the rounds at conferences and Senate hearings, asking for some mechanism that would allow them to look at encrypted communications and files.

"The battle is not over," Cohn said. "It's an ongoing thing. It'll never be completely over. New technologies always gives us new challenges."

For example, the EFF is now working on helping create and deploy technologies that will expand and improve the use of encryption on the web.

"We're part of a coalition trying to issue better certificates," she said. "This is really important for enterprises, to have a secure Internet, so that when you think you're going to the bank's website, you're actually going to the bank's website."

The EFF is also working on expanding protections on metadata, information about data and messages that is usually transmitted in unencrypted form even when the rest of the communication is encrypted.

It allows government agencies, criminals, foreign powers and even advertisers to track user behavior on the Web, to see who they communicate with, and, with the spread of smart mobile devices, to track where users go physically, as well.

"The Justice Department has been interpreting the constitution to mean that you have no expectation of privacy to metadata," she said. "That is just wrong."

The EFF has long maintained that the Fourth Amendment, prohibiting unreasonable search and seizures, covers metadata as well.

"The government needs a warrant to access this information," she said. "We're working on this, and have been involved in several cases at the Supreme Court."

That includes the 2012 decision that law enforcement officers can't install GPS tracking devices without warrants.

[ A BIT OF HISTORY Texas, EFF Suits Target Sony's XCP ]

Last year, the EFF filed a brief in support of the right to privacy for telephone metadata in a case against NSA spying.

Protecting metadata against criminals, however, requires a different approach.

This is where, for example, the Onion router network has a legitimate use.

"So we support TOR," she said.

According to Cohn, the best way to fight against cybercriminals is to allow users and companies to protect themselves as well as possible.

"Everyone deserves strong security so that the bad guys can't get to our stuff in the first place," she said.

That's an approach that many security experts can get behind.

"Providing companies with assets and tools to better protect themselves is the most effective method of prevention no matter where in the world a company is located," said Brett Hansen, Dell's executive director for client solutions security product management.

The proposal to restrict exports of some security software and tools is counter-productive, he said.

"Allowing all organizations to share the tools and knowledge to help fight cyber criminals is the best way for all us all to improve our defenses.," he said.

According to EFF's Cohn, it's a positive sign that more and more companies are building security and encryption right into their products, to make privacy easier for end users.

"Apple's decision to encrypt the data at rest on your iPhone -- obviously, the FBI is not happy about that," she said. "But Apple went ahead and offered it."

The EFF represents the best of an empowered democracy, said Michelle Dennedy, chief privacy officer at Intel Security.

"They take on thorny issues like free speech, surveillance and privacy," she said. "They act for the many where the single person may not have the depth or expertise, the voice or the financial independence to act. In an information society, someone must stand at the ready, to ring a clarion call for justice. Thank you, EFF."

Join the CSO newsletter!

Error: Please check your email address.

Tags EFFSecret ServicesecuritySun MicrosystemsencryptionU.S. Secret ServiceSecurity LeadershipElectronic Frontier FoundationLotus

More about AccellionAppleBlanccoCSODellDepartment of CommerceEFFElectronic Frontier FoundationFBIIntelIntel SecurityMalwarebytesNSAPGPPretty Good PrivacySANS InstituteSonySovereignSun MicrosystemsTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Maria Korolov

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place