What is the EFF Doing?

The Electronic Frontier Foundation is a well-respected (loathed in all the right places) advocate for privacy in the digital domain.  Or something.

One of their pet projects, which by all accounts is a Good Thing is the Do Not Track registry.  What could be better than being tracked via a list declaring your desire not to be tracked.  Well, that’s how the Do Not Call registry works.  Do Not Track is a little better, as it allow you to send a signal to each website that you visit commanding their servers not to track you via cookies, and so forth.  So the EFF and its high-profile Do Not Track registry are on your side!  Yet politics makes for strained bedfellows.

I told you some time ago about my frustration with Ubuntu at a critical juncture — well, not Ubuntu proper if I recall, but the Ubuntu-supported developers of PulseAudio, a thing to make sound work on your Linux PC.  Ubuntu has a good track record of throwing support to those who develop the things upon which they rely.  In return, those things are reliable.  They went to war with Adobe et al concerning proprietary drivers and so forth, and did so by punishing Linux users, in an attempt to stampede us toward an otherwise lackadaisical Adobe, who could not care less about providing their proprietary drivers free of charge to a bunch of bearded wierdoes.  SMooth move, Ef-post-facto; it cost them great.  I don’t know if it worked.  One of the things it cost them was My August Self.

Well now I’m tuned back into Linux with a great distro (MX Linux), and am incidentally working on a personal privacy campaign.  I know that our browsers leak incredible amounts of information, so that is one thing that I am addressing.  There’s a well-recommended website, https://panopticlick.eff.org/, which takes a look at what you are sending, and informs you of your security shortcomings.  This site is hosted by the EFF, so you know it can be trusted.  Well, sort of.

I still trust the site itself, and I find it a valuable resource, but their key recommendation is to download and install a tool provided by the EFF, called Privacy Badger.  So I got this thing, and long story short, it functions much better as a research tool to support their Do Not Track thing than it does provide any real privacy.  Thanks, but no thanks.

I want a system that blocks third-party and obvious trackers BEFORE they get to me.  And the first inkling that I had that the EFF was sold out on this was the fact that at the Panopticlick site, they consider it a “hit”, that is a Bad Thing, if my browser successfully blocks trackers from sites which have promised to honor the Do Not Track setting.

Do Not Track is an honor system, and this is already a stupid idea.  We already expect the worst of the tracking companies to have no honor.  A system like this Probity Bodger which waits until it sees a tracker (which means that your browser swallows the tracker) at three separate sites before it blocks that tracker is not at all protecting you.

Block it the first time.

Slightly crazy-making.  There is as big a market in privacy tools which do not provide privacy as there has been in anti-virus tools which simply implant viruses.

Finally, you may have heard of the wonderful new idea called DNS over HTTPS (or DoH) which takes your unencrypted DNS requests (“Operator?  Please connect me to Google.”) and bundles them in an encrypted package right to a great big data company like CloudFlare, one of the kings of the content-delivery network industry.  This would bypass any settings I have in my operating system, such as my hosts file, which blocks over one thousand entries all belonging to Facebook.

No thanks, DoH!

I despair of the masses ever giving a damn.  But I want out.  I would like to retain a few rudimentary capabilities.


10 thoughts on “What is the EFF Doing?”

  1. I am clearly in the “masses” category. Still, I worry about privacy. I got a VPN, which probably doesn’t do much except I know my financial company called me about my account being opened by a server in Cleveland – which is where I picked the VNP server. So there’s some benefit.

    But the things you speak of are clear as you describe them but otherwise over my head. So I do silly little things like use my military ID when someone asks for an ID, and then inform them they are not allowed by law to copy it. And I don’t give my SSN to anyone that doesn’t pay me. Healthcare is particularly prone to using SSN and pic ID’s and I wouldn’t trust a Healthcare computer system to do anything to protect me.

    So keep up the search. Let us know when you find a good product that we can use. I look forward to it.

  2. DNS over HTTPS is a mixed bag.  Good for hiding your browsing habits from ISPs, cell carriers, open WiFi access points, and other infrastructure providers.  Bad for maintaining local control over your browser.  I may have to start compiling a patched version of Firefox that only talks DoH with my own infrastructure (instead of Cloudflare).

  3. I think more a reaction to everyone and their brother filtering DNS as a part of the overall trend to filtering unwanted content.  Like I use local DNS to filter anything related to facebook.  And China filters anything critical of their communist party.  Mixed bag.

  4. John Walker:

    Phil Turmel:
    DNS over HTTPS is a mixed bag.

    I have not been following this at all.  Is this a reaction to DNSSEC failing to gain traction lo these many years?

    In part surely.  Think of it a a poorly-conceived workaround.

    Any security measure which depends in part or in whole upon a company’s promise is bull.  I think that CloudFlare is a reputable company, just as I think that NordVPN is good.  I pay for Nord and it does what it should, but don’t expect me to be surprised if it turns out that they eventually sell everything they know about me — oops I mean “get hacked” — after three consecutive quarters of losses.  Likewise, CloudFlare.  Nothing against them — this is just the world we live in.  These guys are the best in their respective fields, and that means nothing in the extreme.  Extremes are not in their business model.

    There is a saying that geology is the only scientific history — everything else is a matter of opinion.  Likewise, the only digital security that can be had is easily distinguished by the amount of math it takes.  Guarantees, contracts, promises, licenses, terms, agreements, reputations — meaningless.

  5. Phil Turmel:
    I may have to start compiling a patched version of Firefox that only talks DoH with my own infrastructure (instead of Cloudflare).

    Here is an article from TrishTech which explains how to turn off DNS over HTTPS in Firefox.  Of course, you have to do this on every user’s browser, so if you’re administering a site with multiple users it may make sense to deploy a patched browser for them to use.


Leave a Reply