Communities from Coast to Coast Fight for Control Over Police Surveillance: 2017 in Review (Electronic Frontier Foundation)

Americans in 2017 lived under a threat of constant surveillance, both online and offline. While the battle to curtail unaccountable and unconstitutional NSA surveillance continued this year with only limited opportunities appearing in Congress, the struggle to secure community control over surveillance by local police has made dramatic and expanding strides across the country at the local level.

In July, Seattle passed a law making it the nation’s second jurisdiction to require law enforcement agencies to seek community approval before acquiring surveillance technology. Santa Clara County in California, which encompasses most of Silicon Valley, pioneered this reform in spring 2016 before similar proposals later spread across the country.

Two other jurisdictions in the San Francisco Bay Area—the cities of Oakland and Berkeley—have conducted multiple public hearings on proposed reforms to require community control. Both cities are nearing decision points for local legislators who in 2018 will consider whether to empower themselves and their constituents, or whether instead to allow secrecy and unaccountability to continue unfettered.

Other communities across California have also mobilized. In addition to Oakland and Berkeley, EFF has supported proposed reforms in Palo Alto and before the Bay Area Rapid Transit Board, and also addressed communities seeking similar measures in Davis, Humboldt County (where a local group in the Electronic Frontier Alliance hosted two public forums in March and another in December), and Santa Cruz (where local activists began a long running local dialog in 2016).

Reflecting this interest from across the state, the California State Senate approved a measure, S.B. 21, which would have applied the transparency and community control principles of the Santa Clara County ordinance to hundreds of law enforcement agencies across the state. While the measure was successful before the state Senate, and also cleared two committees in the State Assembly, it died without a vote in the state Assembly’s appropriations committee.

While S.B. 21 was not enacted in 2017, we anticipate similar measures advancing in communities across California in 2018. In many other states, municipal bodies have already begun considering analogous policies.

In New York City, over a dozen council members have supported the Public Oversight of Surveillance Technology (POST) Act, which would require transparency before the New York Police Department acquires new surveillance technology. This is an important step forward, though without reform elements that, in Santa Clara County and Seattle, have placed communities in control over police surveillance. The support of local policymakers may help bring to the public debate underlying facts about the proposed reform which appear to have escaped figures who oppose it, including Mayor Bill de Blasio.

In Cambridge, Massachusetts, policymakers began a conversation last year that continued throughout 2017. This October, a coalition of local allies hosted a public forum about a proposed ordinance that the City Council will reportedly consider in 2018. They included Digital Fourth (a member of the EFA), the Pirate Party, and students at the Berkman Klein Center for Internet & Society at Harvard University, one of whom wrote that “[w]ithout appropriate controls, technologies intended for one purpose can be twisted for another.”

In the Midwest, Missouri has emerged as a potentially crucial state in the nationwide battle over surveillance technology. Years after grassroots opposition to police violence vaulted the town of Ferguson to international recognition, St. Louis city policymakers introduced B.B. 66, a measure modeled closely on Santa Clara County’s.

While the Missouri state legislature has yet to consider a similar proposal, it did consider—without yet adopting—another proposed reform to limit law enforcement surveillance. In particular, S.B. 84 would have limited the parameters under which state and local police could deploy cell-site simulators, which use cell phone networks to track a user’s location or monitor data or voice transmissions. This is just one of many invasive surveillance platforms available to law enforcement.

Nearby states have also taken notice of cell-site simulators. Illinois has already enacted a strong law constraining the use of those particular tools, while Nebraska considered a bill that would have prohibited police from using cell-site simulators at all. This established support for limiting one surveillance tool across the region suggests potential traction for process reforms, like Seattle’s and Santa Clara County’s, that would apply to all platforms. 

The fight against unaccountable secret government surveillance will continue across the United States in 2018. While Congress has yet to enact legislation this year protecting the American people from NSA surveillance, local and state legislatures are heeding the call to conduct effective oversight and to empower the communities they represent.

This article is part of our Year In Review series. Read other articles about the fight for digital rights in 2017.


Tipping the Scales on HTTPS: 2017 in Review (Electronic Frontier Foundation)

The movement to encrypt the web reached milestone after milestone in 2017. The web is in the middle of a massive change from non-secure HTTP to the more secure, encrypted HTTPS protocol. All web servers use one of these two protocols to get web pages from the server to your browser. HTTP has serious problems that make it vulnerable to eavesdropping and content hijacking. By adding Transport Layer Security (or TLS, a prior version of which was known as Secure Sockets Layer or SSL) HTTPS fixes most of these problems. That’s why EFF, and many like-minded supporters, have been pushing for web sites to adopt HTTPS by default.

In February, the scales tipped. For the first time, approximately half of Internet traffic was protected by HTTPS. Now, as 2017 comes to a close, an average of 66% of page loads on Firefox are encrypted, and Chrome shows even higher numbers.

At the beginning of the year, Let’s Encrypt had issued about 28 million certificates. In June, it surpassed 100 million certificates. Now, Let’s Encrypt’s total issuance volume has exceeded 177 million certificates. Certificate Authorities (CAs) like Let’s Encrypt issue signed, digital certificates to website owners that help web users and their browsers independently verify the association between a particular HTTPS site and a cryptographic key. Let's Encrypt stands out because it offers these certificates for free. And, with EFF’s Certbot, they are easier than ever for web masters and website administrators to get.

Throughout the entire year, projects like Secure the News and Pulse have been tracking HTTPS adoption among news sites and government sites, respectively.

Browsers have been pushing the movement to encrypt the web further, too. Early this year, Chrome and Firefox started showing users “Not secure” warnings when HTTP websites asked them to submit password or credit card information. In October, Chrome expanded the warning to cover all input fields, as well as all pages viewed in Incognito mode. Chrome has eventual plans to show a “Not secure” warning for all HTTP pages.

One of the biggest CAs, Symantec, was threatened with removal of trust by Firefox and Chrome. Symantec had long been held up as an example of a CA that was “too big to fail.” Removing trust directly would break thousands of important websites overnight. However, browsers found many problems with Symantec’s issuance practices, and the browsers collectively decided to make the leap, using a staged distrust mechanism that would minimize impact to websites and people using the Internet. Symantec subsequently sold their CA business to fellow CA DigiCert for nearly a billion dollars, with the expectation that DigiCert’s infrastructure and processes will issue certificates with fewer problems. Smaller CAs WoSign and StartCom were removed from trust by Chrome and Firefox last year.

The next big step in encrypting the web is ensuring that most websites default to HTTPS without ever sending people to the HTTP version of their site. The technology to do this is called HTTP Strict Transport Security (HSTS), and is being more widely adopted. Notably, the registrar for the .gov TLD announced that all new .gov domains would be set up with HSTS automatically. A related and more powerful setting, HTTP Public Key Pinning (HPKP), was targeted for removal by Chrome. The Chrome developers believe that HPKP is too hard for site owners to use correctly, and too risky when used incorrectly. We believe that HPKP was a powerful, if flawed, part of the HTTPS ecosystem, and would rather see it reformed than removed entirely.

The Certification Authority Authorization (CAA) standard became mandatory for all CAs to implement this year. CAA allows site owners to specify in DNS which CAs are allowed to issue for their site, and may reduce misissuance events. Let's Encrypt led the way on this by enforcing CAA from first launch, and EFF is glad to see this protection extended to the broader CAA ecosystem.

There’s plenty to look forward to in 2018. In a significant improvement to the TLS ecosystem, for example, Chrome plans to require Certificate Transparency starting next April. As browsers and users alike pressure websites for ubiquitous HTTPS, and as the process of getting a certificate gets easier and more intuitive for web masters, we expect 2018 to be another banner year for HTTPS growth and improvement.

We particularly thank Feisty Duck for the Bulletproof TLS Newsletter, which provides updates on many of these topics.

This article is part of our Year In Review series. Read other articles about the fight for digital rights in 2017.


Apache in 2017 – By The Digits (Apache Software Foundation Blogs)

What an exciting and productive year for the Apache community at-large! We owe our continued success to the tireless efforts of our Members, Committers, and contributors, the loyalty from countless users worldwide, and the ongoing financial support from our Sponsors and individual donors. Join us for a look back at our achievements:

Apache Projects —
Total number of projects + sub-projects - 318 (not including Apache Labs initiatives)
Top-Level Projects - 193
Podlings in the Apache Incubator - 53


Community/People — 
ASF Members (individuals) - 683 
New Members elected - 64
Apache Committers - 6,504 (6,165 active)


Apache Code —
3,050 Committers changed 60,276,457 lines of code over 188,262 commits.

Top 5 Apache Committers 
  1. Shad Storhaug (2,472 commits; 1,465,542 lines changed)
  2. Claus Ibsen (2,406 commits; 560,595 lines changed)
  3. Jean-Baptiste Onofré (2,142 commits; 1,243,862 lines changed)
  4. Mark Thomas (1,954 commits; 113,266 lines changed)
  5. Colm Ó hÉigeartaigh (1,768 commits; 521,215 lines changed)
Top 5 Apache Project Repositories by Commits
  1. Hadoop
  2. Ambari
  3. Lucene-Solr
  4. Camel
  5. Ignite
Top 5 Apache Project Repositories by Size (Lines of Code)
  1. OpenOffice (6,375,345)
  2. Netbeans (5,536,881)
  3. Flex (whiteboard: 5,164,279; SDK 3,919,006)
  4. Trafodion (3,077,781)
  5. Mynewt (core: 2,748,040)

"If it didn't happen on-list, it didn't happen."

Total number of mailing lists - 1,131
21,772 authors sent 1,617,547 emails on 642,005 topics

Top 10 most active Apache mailing lists (user@ + dev@)
  1. Flex
  2. Lucene
  3. Ignite
  4. Kafka
  5. Geode
  6. Flink
  7. Tomcat
  8. Cassandra
  9. Beam
  10. Sentry

Contributor License Agreements and Software Grants —
We are welcoming nearly 300 new code contributors and 300-400 new people filing issues each month. Individuals who are granted write access to the Apache repositories must submit an Individual Contributor License Agreement (ICLA). Corporations that have assigned employees to work on Apache projects as part of an employment agreement may sign a Corporate CLA (CCLA) for contributing intellectual property via the corporation. Individuals or corporations donating a body of existing software or documentation to one of the Apache projects need to execute a formal Software Grant Agreement (SGA) with the ASF. 

ICLAs signed - 860
CCLAs signed - 27
Software Grants submitted - 18


Sponsorship and Individual Support —
Thank you to our hundreds of individual donors, our Platinum Sponsors: Cloudera, Comcast, Facebook, Google, LeaseWeb, Microsoft, and Yahoo; our Gold Sponsors: ARM, Bloomberg, Hortonworks, Huawei, IBM, ODPi, PhoenixNAP, and Pivotal; our Silver Sponsors: Alibaba Cloud Computing, Budget Direct, Capital One, Cash Store, Cerner, Inspur, iSIGMA, Private Internet Access, Red Hat, Serenata Flowers, Target, Union Investment, and WANdisco; our Bronze Sponsors: 7 Binary Options, Airport Rentals, The Blog Starter, Casino2k, Compare Forex Brokers, HostingAdvice.com, HostPapa Web Hosting, The Linux Foundation, Mobile Slots, Samsung, Spotify, Talend, Travel Ticker Hotels, Web Hosting Secret Revealed, WebsiteSetup, and Wise Buyer; and our Infrastructure Sponsors: Bintray, Freie Universität Berlin, HotWax Systems, No-IP, OSU Open Source Labs, PagerDuty, Quenda, Rackspace, Sonatype, SURFnet, and Symantec.


Collectively, our Members, developers, contributors, users, supporters, and sponsors are the reason Apache Is Open https://s.apache.org/PIRA

Here’s to a great 2018!

# # #

Judy Gichoya, Doctor & Developer of LibreHealth, Asks You to Support Conservancy (The Software Freedom Conservancy)

A blog post from Software Freedom Conservancy.

Blog post by Bradley M. Kuhn. Please email any comments on this entry to <bkuhn@sfconservancy.org>.

About a year ago, we announced the joining of a newly formed project, LibreHealth, as a Conservancy member project. This year, I had the opportunity to meet, at various conferences, Judy Gichoya, who is a medical doctor specializing in Radiology from Kenya, and is also a software developer on the LibreHealth project.


Judy represents so much about why we at Conservancy continue to fight for software freedom: we foster technology that everyone can examine, improve, and share, and allow people from different backgrounds — including geographically, professionally and culturally — to come together to make that technology better.

Invariably, every time I go to a doctor's office here in the USA, the staff complains (or makes an excuse) for the proprietary software they use to handle my medical data. My colleague, Karen Sandler, has researched and spoken extensively about the health dangers of proprietary software on medical devices. LibreHealth is one of many projects which seeks to solve some of these problems by creating more medical-related software that gives doctors and patients the software freedom they deserve.

Judy recorded this video to ask you to become a Supporter of Conservancy. On this last day of 2016, we all ask you to donate generously to help our work continue!
