- Reddit should make the implementation of 'https' a priority - and join the ranks of reputable email services as well as tech giants (Google/DuckDuckGo search and, yes, even Facebook) in having a secure web API
Here are some facts that underscore the need for HTTPS in the Reddit community:
1.) Simply enabling 'https' would afford two immediate privacy benefits: I.) protect a user's voting history, II.) protect a user's personal messages, where there's a clear expectation of privacy; and the following fringe benefits: III.) (not without a significant architectural overhaul) could protect a user's Reddit viewing history without the use of Tor [1a], and IV.) could potentially make the service better for Tor users [1b].
2.) Upvotes, downvotes (a user's voting breakdown of posts), link submissions, and the comments made on Reddit posts can paint a very detailed picture of a user, including what their beliefs and interests are over time. The current API (after the initial authentication) for www.Reddit.com is without end-to-end encryption, exposing the intent of the user to man-in-the-middle intercepts (including PRISM). [1c]
3.) Many users might believe, under false pretenses, that they are safe and/or are voting anonymously simply because a.) credentials are transmitted with encryption and b.) their accounts and usernames aren't explicitly connected to their identity (as they are with Facebook and Google+ accounts).
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
The following revelations per the US (NSA), UK (GCHQ) and other government intelligence organizations (footnotes w/links provided) have elevated the need for a secure API:
I.) The capacity to collect, indefinitely retain (or indefinably retain) and indiscriminately analyze all internet traffic exists [1e], along with the political willpower and lobbying presence to maintain the status quo [1f].
II.) That said governments have exhibited little respect for the sensitivity of collected information and seem unconcerned about the duration for which it is kept [2a]. Observe the extreme measures taken by said governments in circumventing privacy laws and obligations: a.) adopting and defending an opaque judicial process that continues to "rubber-stamp" claims to sensitive data, en masse; b.) letting other governments do the spying on their people and then sharing the "legally" obtained information back and forth; refer to the footnotes for other examples [2b].
III.) And that said governments have lied to their people through ignorance or malfeasance (referring specifically to NSA Dir. Clapper [3a]) and have shown no political will to meaningfully [3b] confront these officials for what was potentially perjury, but do possess the will to prosecute citizens who have fought for openness and internet freedom, leaving citizens in genuine fear that the government does not intend to materially change its stance towards internet privacy. For example, the Department of Justice has sought maximum penalties against progressive individuals for breaking laws as "out-of-touch" and "disproportionate" as the Computer Fraud and Abuse Act, with tragic consequences [4a] (referring to Aaron Swartz and the other three NSA whistleblowers, who, facing criminal investigations of their own, proved that the "legal" route for whistleblowing was a "FALSE CHOICE" (catch the irony there? if not: http://goo.gl/QPVH6 )) [4b].
*Consider supporting the following proposition*: That Reddit's team of developers make a secure 'https' end-to-end encryption scheme a priority - and join the ranks of reputable email services as well as Google/DuckDuckGo search and Facebook.
First, SSL/TLS has its own problems, with C.A. trustworthiness an issue and the encryption standard likely needing to be raised to 256-bit.
[1a] - w/respect to browsing history: visiting/clicking a submission would transact solely over the API, affecting the URL history/location which is then rendered client-side, thereby obfuscating the full URL path, and, thus, the browsing history.
[1b] Whereas now, the session data is transferred along with the content of the user's action (comment content, link/post submission) in the clear -- conceivably containing enough personally-identifiable information to temporarily ascertain the identity of the Tor user -- very much an edge case. The level of risk depends on Reddit's authentication scheme ( http://hardforum.com/showthread.php?t=1708300 ), which I haven't studied in depth, but HTTPS/SSL would ensure that there isn't a problem.
[1c] Currently "https://reddit.com" and other permutations I have tried, including after having installed EFF's SSL-Everywhere Chrome extension, bring you back to the unencrypted "www.reddit.com".
[1d] Other governments include those with well-documented and long-standing surveillance prerogatives such as China, with its Great Firewall, and Iran, which is actually working to provide its citizens a mandatory alternative to the Internet: http://arstechnica.com/tech-policy/2012/04/iran-plans-to-unplug-the-internet-launch-its-own-clean-alternative/
[1e] "Cable splitting" (through programs such as PRISM, ECHELON and other operations, as evidenced by the leaked existence of NSA installations at Internet Service Providers), as well as a massive datacenter that can store an uncanny "five zettabytes of data. So that is five billion terabytes." https://www.grc.com/sn/sn-409.txt http://www.wired.com/science/discoveries/news/2006/04/70619
[2a] John Oliver (Daily Show) segment on the 51% certainty NSA analysts must have that a target is "foreign", which is likely applied in all PRISM-type programs: http://www.thedailyshow.com/watch/mon-june-10-2013/good-news--you-re-not-paranoid---nsa-oversight
Another hilarious segment: http://www.hulu.com/watch/500262
[2b] "Drastic measures": 1.) condoned inter-governmental spying and data-sharing: http://in.reuters.com/article/2013/06/22/usa-security-britain-idINDEE95L00G20130622 ; 2.) last year, the FISA court approved *all* of the 1789 surveillance requests it received; and 3.) a court opinion which has challenged the constitutionality of the court's role has been sealed, citing national security: http://www.motherjones.com/politics/2013/06/justice-department-electronic-frontier-foundation-fisa-court-opinion
[3b] Senator Wyden, Rand Paul, and (few) others have made efforts to challenge Clapper. And Rep. Thomas Massie, R-KY, Rep. Justin Amash, R-MI, and Rep. Trey Radel, R-FL have publicly supported Snowden: http://www.rollcall.com/news/snowden_has_a_few_defenders_on_the_hill-225492-1.html
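Facts 2 and 3 above, together with footnotes [1b] and [1c], make two concrete technical claims: that an on-path observer of plaintext HTTP can read the session data and the content of a user's action, and that the https:// entry point redirects the browser back to plaintext. The following Python script is an added example, not code from the original post or from Reddit: it parses a constructed vote request to show which fields a passive observer recovers without TLS, models what the same observer still sees with TLS (the server name and traffic size), and checks a constructed response for the downgrade redirect and for a missing Strict-Transport-Security header. The /api/vote path, the cookie name, the form parameters and the response headers are all assumptions constructed for this example, not Reddit's real API.

```python
"""Added example (not from the original post or Reddit): what a passive on-path
observer can read from a plaintext vote request versus a TLS-wrapped one, and
whether a response enforces HTTPS. All bytes below are constructed; the
/api/vote path, cookie name and form parameters are assumptions."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed plaintext capture of a hypothetical vote request.
PLAINTEXT_VOTE_REQUEST = (
    b"POST /api/vote HTTP/1.1\r\n"
    b"Host: www.reddit.com\r\n"
    b"Cookie: reddit_session=EXAMPLE_SESSION_TOKEN_0001\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n"
    b"id=t3_example01&dir=1&uh=modhash"
)

# Constructed response headers for a request to https://reddit.com/ that
# bounces the client back to plaintext (the behaviour footnote [1c] reports).
DOWNGRADE_RESPONSE_HEADERS = {"location": "http://www.reddit.com/"}

# Constructed response headers for a host that enforces HTTPS.
HSTS_RESPONSE_HEADERS = {
    "content-type": "text/html",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:length]}


def observer_view_plaintext(raw: bytes) -> dict:
    """Everything an on-path observer recovers when the request is sent in the clear."""
    req = parse_http_request(raw)
    cookies = SimpleCookie()
    cookies.load(req["headers"].get("cookie", ""))
    form = parse_qs(req["body"].decode("utf-8"))
    return {
        "host": req["headers"].get("host"),
        "path": req["target"],
        # The session cookie ties this and every later request to one account.
        "session": {name: morsel.value for name, morsel in cookies.items()},
        # The form body reveals what was voted on and in which direction.
        "action": {name: values[0] for name, values in form.items()},
    }


def observer_view_tls(raw: bytes) -> dict:
    """Model of the same observer once the request travels inside TLS: the
    server name still leaks (DNS and the SNI extension are plaintext) and so
    does rough traffic volume, but headers, cookies and body are encrypted."""
    req = parse_http_request(raw)
    return {"host": req["headers"].get("host"), "approx_bytes": len(raw)}


def https_enforcement(status: int, headers: dict, requested_url: str) -> dict:
    """Classify a response to an https:// request: does it downgrade the
    client to http://, and does it send HSTS so browsers stop accepting
    plaintext for this host? Header names are expected in lowercase."""
    findings = []
    if urlsplit(requested_url).scheme != "https":
        findings.append("request was not made over https")
    location = headers.get("location", "")
    if 300 <= status < 400 and urlsplit(location).scheme == "http":
        findings.append("downgrade: redirects the https request back to plaintext http")
    if "strict-transport-security" not in headers:
        findings.append("no HSTS header: plaintext connections to this host remain accepted")
    return {"url": requested_url, "enforced": not findings, "findings": findings}


if __name__ == "__main__":
    print("plaintext:", observer_view_plaintext(PLAINTEXT_VOTE_REQUEST))
    print("tls:      ", observer_view_tls(PLAINTEXT_VOTE_REQUEST))
    print(https_enforcement(301, DOWNGRADE_RESPONSE_HEADERS, "https://reddit.com/"))
    print(https_enforcement(200, HSTS_RESPONSE_HEADERS, "https://mail.example.invalid/"))
```

The plaintext view returns the session token and the vote parameters in full, which is the exposure fact 2 describes; the TLS view is a deliberately reduced model, since a real observer of TLS traffic also sees packet timing and sizes, but none of the application fields. The enforcement check treats a 3xx Location pointing at http:// as a downgrade and a missing HSTS header as leaving the host open to plaintext, which is the situation footnote [1c] reports for the https://reddit.com entry point.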
To help in the cause for a free and open internet, try one of the following:
1.) If you own or operate a website, install the Internet Defense League script, which informs your viewers via a banner about legislation like SOPA/PIPA *before* it hits the floor;
2.) donate to civil-liberty programs such as the ACLU and the EFF -- which (are, thanks to Snowden, now able to) sue the government for unlawful surveillance and data collection; and
3.) (as always) raise the political stakes of these issues by writing your elected representatives -- remember how we defeated SOPA/PIPA -- we made our representatives feel wrong and stupid (because they were), and help to vote them out if they don't react. Also consider supporting senators Wyden and Paul -- who are demonstrating that this is not a partisan issue.
Also feel free to use any or all of the above copy to advocate for other privacy measures anywhere/everywhere, or for more from your government.