necessary and proportionate

Yesterday I received an email from the Open Rights Group asking me to sign an on-line petition set up in collaboration with nearly 300 other organisations. The email said:

In 2013, we learned digital surveillance by governments across the world knows no bounds.

Their national intelligence and investigative agencies capture our phone calls, track our location, peer into our address books, and read our emails. They often do this in secret and without adequate public oversight, violating our human rights.

We won’t stand for this anymore.

Over the past year, 300 organisations have come together to support the International Principles on the Application of Human Rights to Communications Surveillance.

Today we’re launching a global petition supporting the 13 International Principles alongside a range of international NGOs including Access, Chaos Computer Club, Digitale Gesellschaft, Electronic Frontier Foundation, OpenMedia and Privacy International.

These thirteen Principles establish the human rights obligations of governments engaged in communications surveillance. [1]

They’ve been developed over months of consultation between internationally-recognised technology, privacy, and human rights experts.

Can you join people from around the world to lend your name and support to the Principles?

Unfortunately, the link given in the email went to a page on the “necessaryandproportionate” website which sought signatures from persons signing on behalf of NGOs rather than individuals wishing to add their own voices to the campaign. Today I received a new email pointing to an amended page where I might actually sign up as me rather than me qua some officer representing an organisation.

A brief investigation of that website shows the following “idiosyncracies”. Firstly, the website on IP address appears to be hosted by Silicon Valley Web Hosting out of San Jose in California (see below – click for a full sized image – note the “ShowIP” popup info bottom left).

image of website

There is nothing inherently wrong with that (though of course the hosting company is subject to US law). After all, lots of websites I use are hosted in the US, and there are many US based organisations appearing as signatories to the petition. However, the SSL certificate used appears to be both woefully weak and incorrectly signed – note in particular the CN (common name) assignation is a wildcard for “” whilst the actual website is called “”. Again, see below:

image of website

So the organisation has re-purposed a certificate produced for another domain rather than getting a nice shiny new (strong) one for itself. And frankly, a 128 bit RC4 cipher with a SHA-1 MAC is just laughably daft given that the page in question says:

Join the global movement demanding the protection of human rights and an end to mass surveillance. Let the world know: Privacy is a human right. Endorse the Necessary and Proportionate Principles.

Whilst I may have no problem in people knowing that I have signed such a petition (after all, if it is to be effective, then the petitioners’ names (and where applicable, affiliations) must be public, I’m not that keen on using a website run by a supposedly privacy conscious collective which is so woefully inadequate in even the basic protection it offers.

“C minus – must do better.”

(Oh, and for comparison, the Open Rights Group’s own website is hosted by ByteMark Consulting (Hi Guys) and uses a 256 bit AES cipher.)

Permanent link to this article:

1 comment

  1. Hey! :-P

Comments have been disabled.