Today EFF is pleased to announce Let’s Encrypt, a new certificate authority (CA) initiative that we have put together with Mozilla, Cisco, Akamai, Identrust, and researchers at the University of Michigan that aims to clear the remaining roadblocks to transition the Web from HTTP to HTTPS.

Although the HTTP protocol has been hugely successful, it is inherently insecure. Whenever you use an HTTP website, you are always vulnerable to problems, including account hijacking and identity theft; surveillance and tracking by governments, companies, and both in concert; injection of malicious scripts into pages; and censorship that targets specific keywords or specific pages on sites. The HTTPS protocol, though it is not yet flawless, is a vast improvement on all of these fronts, and we need to move to a future where every website is HTTPS by default.With a launch scheduled for summer 2015, the Let’s Encrypt CA will automatically issue and manage free certificates for any website that needs them. Switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.

The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy, and cost of the certificates that HTTPS requires. We’re all familiar with the warnings and error messages produced by misconfigured certificates. These warnings are a hint that HTTPS (and other uses of TLS/SSL) is dependent on a horrifyingly complex and often structurally dysfunctional bureaucracy for authentication.

Let's Encrypt will eliminate most kinds of erroneous certificate warnings

The need to obtain, install, and manage certificates from that bureaucracy is the largest reason that sites keep using HTTP instead of HTTPS. In our tests, it typically takes a web developer 1-3 hours to enable encryption for the first time. The Let’s Encrypt project is aiming to fix that by reducing setup time to 20-30 seconds. You can help test and hack on the developer preview of our Let's Encrypt agent software or watch a video of it in action here:

Let’s Encrypt will employ a number of new technologies to manage secure automated verification of domains and issuance of certificates. We will use a protocol we’re developing called ACME between web servers and the CA, which includes support for new and stronger forms of domain validation. We will also employ Internet-wide datasets of certificates, such as EFF’s own Decentralized SSL Observatory, the University of Michigan’s scans.io, and Google's Certificate Transparency logs, to make higher-security decisions about when a certificate is safe to issue.

The Let’s Encrypt CA will be operated by a new non-profit organization called the Internet Security Research Group (ISRG). EFF helped to put together this initiative with Mozilla and the University of Michigan, and it has been joined for launch by partners including Cisco, Akamai, and Identrust.

The core team working on the Let's Encrypt CA and agent software includes James Kasten, Seth Schoen, and Peter Eckersley at EFF; Josh Aas, Richard Barnes, Kevin Dick and Eric Rescorla at Mozilla; Alex Halderman and James Kasten and the University of Michigan.

Book review and discussion questions for reading groups

In No Place to Hide, Glenn Greenwald shows that a modern investigative reporter doesn’t just need the courage to take on the United States government and established media. He also needs a whole lot of crypto.

Greenwald’s new book (buy a copy here and a portion of the proceeds go to EFF) details how he and journalist Laura Poitras met NSA whistleblower Edward Snowden and then published a series of articles that would change Americans’ perception of their government, ignite a worldwide debate around surveillance, and challenge notions about investigative journalism. The book begins with a recounting of how Snowden made contact with the journalists and the risks and travails of publishing the controversial initial leaks. Then Greenwald walks through how the NSA and its international partners engage in a collect-it-all strategy that exploits modern communication technology, from underwater cables to cell phone towers. The book concludes with an impassioned examination of executive power, secret law, failed oversight, meek journalistic institutions—and how these dark forces can be fought with the courage of conviction, transparency, and independent journalism.

It’s a readable yet thorough overview of NSA surveillance, and worth both reading for yourself and sharing with any friends who might be on the fence about reining in mass spying.

Journalism Under Fire

No Place to Hide provides an inside view of how journalists and sources operate when faced with government intimidation tactics.

While certain that the First Amendment protects his work, Greenwald is also mindful of the potential for prosecution. He and Poitras work with the Guardian and its lawyers on the initial publications in part because they believe they will be shielded by working with an established media organization. At one point, frustrated by delays in publishing the first story, Greenwald contemplates starting his own media organization:

[W]e decided there was an even more powerful alternative: to simply create our own website, entitled NSAdisclosures.com, and begin releasing the articles there, without the need for any existing media outlet. Once we went public with the fact that we had in our possession this huge trove of secret documents about NSA spying, we would easily recruit volunteer editors, lawyers, researchers, and financial backers: an entire team, motivated by nothing but a passion for transparency and real adversarial journalism, devoted to reporting what we knew was one of the most significant leaks in US history.

Ultimately Greenwald decides against the plan, in part because of concerns about potential prosecutions.

I also had to acknowledge my personal fear: publishing hundreds if not thousands of top secret NSA files was going to be risky enough, even as part of a large organization like the Guardian. Doing it alone, without institutional protection, would be far riskier. All the smart warnings from the friends and lawyers I had called played loudly in my head.

The book provides ample reason for journalists to be concerned about aggressive overreactions by the US government. It details the Obama administration’s prosecution of Fox News Washington bureau chief James Rosen, who was charged with criminal conspiracy for working with a source to publish classified materials. Greenwald also discusses the Department of Justice’s secret acquisition of Associated Press emails and telephone records, as well as its pressure on New York Times journalist James Risen, both in an effort to uncover journalistic sources.

Greenwald describes how agents from British intelligence agency GCHQ appeared at the Guardian offices, demanding that all Snowden documents be turned over or destroyed. Rather than surrender the documents, journalists at the Guardian destroyed the material, literally smashing laptops containing leaked documents. He also describes his fear while his partner, David Miranda, was held without charge for nine hours while transferring flights at Heathrow Airport.

The likelihood of prosecution or even decades in prison was also something Edward Snowden repeatedly acknowledged, noting, "I understand that I will be made to suffer for my actions, and that the return of this information to the public marks my end."

Greenwald, Poitras, and Snowden, as well as editors at the Guardian and others, chose to publish in the face of this intimidation. But the book provides startling insight into the difficult choice too many journalists face in the current prosecution-heavy environment. We cannot know how many other journalists have turned down leads, delayed publication, or changed a story out of fear of repercussion from outraged governments. The US government isn’t respecting and tolerating an independent press. Instead, it’s actively working to discredit and intimidate journalists and ferret out their sources.

Crypto to the Rescue

Encryption plays a huge role in the journalists’ defense against government snoops. The book shows journalists relying on email encryption for communication, and Greenwald explains how Snowden refused to confide in him at all because he had not set up email encryption. (Greenwald also recounts his almost comical reluctance to set up encryption, and how Snowden went to great lengths—including creating instructional videos to help Greenwald through the process—to no avail.)

Unable to rely on the law to protect their privacy, the journalists adopt security practices that include strictly limiting who receives copies of documents, encryption, removing batteries from mobile phones (or putting them in the refrigerator), and discussing the most important issues in person. Without strong crypto, the Snowden leaks may well have never happened.

Myths Busted

In addition to knitting together an explanation of the NSA’s mass collection programs, Greenwald refutes the most persistent excuses for mass spying. He details how oversight of NSA has failed, at both the Foreign Intelligence Surveillance Court level and the congressional level. He debunks the idea that collecting metadata is less invasive than other forms of surveillance. He speaks directly to how the NSA spying programs are not an effective method of thwarting or preventing terrorism, but how they do infringe on the privacy of millions of law-abiding individuals. Perhaps most compelling, Greenwald argues that those who have nothing to hide should still object to mass surveillance because suspicionless spying is so fundamentally poisonous to democracy.

Carrying on the Legacy

If you seek to help, join the open source community and fight to keep the spirit of the press alive and the internet free. I have been to the darkest corners of government, and what they fear is light. – Edward Snowden

Thanks to the Snowden leaks and the incredible coverage of them, we are faced with an unprecedented opportunity to rein in the NSA. Thanks to Greenwald’s book, we have a new way of teaching the world about this issue.

No Place to Hide debuted at number 5 of the New York Times bestseller list for combined print & e-book nonfiction. That means thousands of people are right now reading this book. Some percentage of them may feel a spark of outrage at the abuses of government power Greenwald details, may find resonance with the idea that the government has been too long shielded from the accountability of public scrutiny. And some percentage of them may convert that spark into action.

If you find yourself among those who are called to action, there are easy ways to get involved. The first thing to do is to get a copy of the book and lend it to a friend. Perhaps you have a friend whose ideas on the issue are not fully formed, or who feels conflicted about mass surveillance—perhaps even someone who works for a government agency. This book is a powerful entry point for understanding a complex and politically charged topic, so it will help the movement overall if it finds a home on the bedside tables of millions of people around the world.

For coders worldwide, there’s a need for strong, usable tools to thwart surveillance. We need talented people helping to patch and improve free software tools like OTR, SecureDrop, HTTPS Everywhere, and Tor. And if you’re not a coder, you can still help make encryption the default by using tools to protect your privacy online. Reset the Net is a campaign to galvanize both coders and users to do what they can to secure the Web, and it’s easy to get involved.

If you are a student looking to engage in digital rights activism on your college campus, please join our student organizers list. We’re trying to create a nation-wide campus movement to educate and activate students around defending civil liberties.

And of course, there’s Congress. Public outcry against the spying programs has pushed Obama to make key concession toward reform and forced Congress into taking up the issue of reform. But powerful factions in Congress are working to block any reform efforts. You can help us defend strong reform by adding your voice or becoming a member.

Greenwald writes that “Promoting the human capacity to reason and make decisions: that is the purpose of whistleblowing, of activism, of political journalism.” It is unyielding, independent journalists and committed activists that have capacity to create an informed and engaged electorate, technologists who create tools to safeguard their communications and lawyers who often defend their rights to speak freely. Perhaps the most important way to get involved is to find what niche within that ecosystem best suits your own skills and passions.

Discussion questions for reading groups

1. How has No Place to Hide affected your comfort around using modern communication technology, including services like Gmail and Facebook? How might No Place to Hide affect how investigative journalists or political activists feel about using the Internet?

2. Greenwald writes that he wanted to publish the leaks from Snowden almost immediately and in quick succession, using the leaks as an opportunity to criticize entrenched federal policies around surveillance: “Only audacious journalism could give the story the power it needed to overcome the climate of fear the government had imposed on journalists and their sources.” (p. 61)

Yet even as he urged the Guardian to publish the first leak and grew increasingly frustrated by delays in publication, he hesitated to start his own news site for publishing the leaks, writing: “I also had to acknowledge my personal fear: publishing hundreds if not thousands of top secret NSA files was going to be risky enough, even as part of a large organization like the Guardian. Doing it alone, without any institutional protection, would be far riskier.”(p. 69)

3. How did fear of prosecution influence the decisions of the reporters and Snowden? In what ways do you think fear of prosecution affects other forms of investigative journalism?

4. Do you think it would have been better or worse for Greenwald and Poitras to publish on a dedicated, independent website, rather than in collaboration with established media outlets? Why?

5. In README_FIRST, Snowden writes: “I have been to the darkest corners of government, and what they fear is light.” To what extent do you think public transparency alone (as compared to transparency compared with regulations, Congressional oversight, or other safeguards) can act as a check on executive power abuses? Where does transparency fall short?

6. Greenwald writes: “Every news article is the product of all sorts of highly subjective cultural, nationalistic, and political assumptions. And all journalism serves one faction’s interest of another’s. The relevant distinction is not between journalists who have opinions and those who have none, a category that does not exist. It is between journalists who candidly reveal their opinions and those who conceal them, pretending they have none.” P 231

7. Does a journalist have a responsibility to report the news without expressing a specific subjective opinion on that news? Is neutral reporting more beneficial to society than subjective reporting? Is it even possible for an article to be truly neutral, and what would that look like?

Full disclosure: Glenn Greenwald, Laura Poitras, Edward Snowden and I all sit on the board of directors of the Freedom of the Press Foundation. Last year, EFF awarded Greenwald and Poitras our Pioneer Award for their reporting on these issues.