On 2015-09-02 5:53 PM, [email protected] wrote:
> 1) User Security
>
> Mozilla Manifesto Principle #4 states "Individuals' security and privacy on the
> Internet are fundamental and must not be treated as optional." Governments should
> act to bolster user security, not to weaken it. Encryption is a key tool in improving
> user security.
>
> Requirements that systems be modified to enable government access to encrypted data are a
> threat to users' security. The primary aim of computer security is to protect user data
> against any access not authorized by the user; allowing law enforcement access violates
> that design requirement and makes the system inherently weaker against attacks that it is
> intended to defend against. Once systems are modified to enable law enforcement access by
> one government, vendors will be under enormous pressure to provide access to other
> governments. It will not be possible in practice to restrict access to only
> "friendly" actors. Moreover, the more government actors have access to
> monitoring capabilities, the greater the risk that non-governmental cyberattackers will
> obtain access. Endpoint law enforcement access requirements are also incompatible with
> open source and open systems because they conflict with users' right to know and control
> the software running on their own devices.

I realize that computer security is complicated, but there's a lot of
words here and they're kind of hard for me to understand. Active v.
passive voice and the subject-object relationship in this paragraph are
all over the place, and the meaning of "act to bolster" is a little opaque.
Can I take a run at this?
"Mozilla Manifesto Principle #4 states "Individuals' security and
privacy on the Internet are fundamental and must not be treated as
optional." Governments' actions should improve citizens' security and
freedom, not weaken them, and encryption is a core tool for
strengthening both."
"Any requirement that systems be designed or modified to enable
third-party access to encrypted data undermines user security. The goal
of computer security is to protect users' data from any access that user
has not authorized; any mechanism that allows the state to circumvent
the users' wishes can be co-opted and abused by other states or
non-state actors to do the same. The same is true of surveillance and
monitoring tools; it is impossible in practice to tell a lawful actor
with "backdoor" access from an unlawful one. Without the transparency
and accountability of open source software and open systems designed to
secure user data rather than facilitate third-party access, those
systems that states use are increasingly vulnerable to foreign and
non-state compromise."
I'm not all that happy with that paragraph, but I think it's an
improvement. I understand that we're elaborating a set of nuanced
principles here, but a document like this also has to be a call to the
barricades. Whatever wording we use when we're talking about our
principles can't feel like corporate boilerplate. It has to feel like
there's blood pumping through it, like it's worth standing your ground for.
- mhoye
_______________________________________________
governance mailing list
[email protected]
https://lists.mozilla.org/listinfo/governance