Reset the Net, CiviCRM

Don't ask for your privacy. Take it back.

Reset the Net is a campaign to improve individual and organizational privacy against mass government surveillance. I think we as CiviCRM community members should step up and act. In particular, hosting providers, implementors, and organizations using CiviCRM should up their game and implement SSL/TLS, HSTS (HTTP Strict Transport Security), and PFS (perfect forward secrecy).

As users, administrators, and developers of software used by non-profits and advocacy groups around the world, we should all be concerned about the security of information in CiviCRM databases.

Many administrators and consultants went into overdrive to respond promptly to the recent Heartbleed security vulnerability (http://heartbleed.com/). But we also need to be aware of threats from mass government surveillance.

Whether it is America's NSA, the Communications Security Establishment Canada, Britain's GCHQ, China's military, or other governments' spies, as individuals and organizations we need to protect our privacy.

As a software project primarily focussed on personal information in the form of contact info and transactions, CiviCRM has long aimed to implement security best practices. Reset the Net suggests some reasonable improvements for most CiviCRM sites:

JMA started moving some of its clients to https for all traffic a few years ago, to remove the weakness inherent in redirecting from http to https: the initial plain-http request can be intercepted before the redirect ever reaches the browser. HSTS protects sites that are available over both http and https, and is still useful for sites served only over https, because it tells browsers never to attempt a plain-http connection to that host. PFS limits the damage if the server's long-term private key is later compromised: sessions recorded earlier cannot be decrypted with it.
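As an added illustration of the two checks a site administrator would want to run after enabling HSTS and PFS (this is example code written for this post, not part of CiviCRM or JMA's tooling): the first helper parses and grades a captured Strict-Transport-Security header, the second classifies a negotiated TLS cipher suite by whether its key exchange is ephemeral. The sample headers and the one-year `RECOMMENDED_MIN_MAX_AGE` threshold are constructed assumptions; the header must be observed on an https response, since browsers ignore HSTS delivered over plain http.

```python
"""Offline audit helpers for HSTS headers and PFS cipher suites (example code)."""
import re

# Assumption: treat anything under one year as too short to be useful.
RECOMMENDED_MIN_MAX_AGE = 31536000

# Suites whose key exchange is ephemeral (EC)DH, in either OpenSSL ("ECDHE-RSA-...")
# or IANA ("TLS_ECDHE_RSA_WITH_...") naming.
_PFS_KEY_EXCHANGE = re.compile(r"^(TLS_)?(ECDHE|DHE|EDH)[-_]", re.IGNORECASE)
# TLS 1.3 suites do not name the key exchange because it is always ephemeral.
_TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}


def parse_hsts(value):
    """Split an HSTS header value into its directives (names are case-insensitive)."""
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                policy["max-age"] = int(arg)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_findings(headers, min_max_age=RECOMMENDED_MIN_MAX_AGE):
    """Return a list of problems with the HSTS policy in captured https response headers.

    An empty list means the policy is present and strong enough.
    """
    hsts = None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            hsts = value
    if hsts is None:
        return ["no Strict-Transport-Security header: browsers will still follow "
                "http:// links and the initial plain-http request stays interceptable"]
    policy = parse_hsts(hsts)
    problems = []
    if policy["max-age"] is None:
        problems.append("max-age missing: browsers ignore the header entirely")
    elif policy["max-age"] == 0:
        problems.append("max-age=0 clears the policy instead of enforcing it")
    elif policy["max-age"] < min_max_age:
        problems.append(f"max-age {policy['max-age']} is below the recommended {min_max_age}")
    if not policy["includeSubDomains"]:
        problems.append("includeSubDomains absent: subdomains can still be reached over http")
    return problems


def cipher_has_pfs(cipher_name):
    """True if the suite's key exchange is ephemeral, so a later key compromise does not
    expose recorded sessions. Static RSA suites (AES128-SHA, TLS_RSA_WITH_...) fail this."""
    if cipher_name in _TLS13_SUITES:
        return True
    return bool(_PFS_KEY_EXCHANGE.match(cipher_name))


# Constructed sample responses, as an administrator might capture them with curl -I.
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_WEAK = {"strict-transport-security": "max-age=300"}
SAMPLE_NONE = {"Content-Type": "text/html; charset=utf-8"}

if __name__ == "__main__":
    for label, headers in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK), ("none", SAMPLE_NONE)):
        print(label, hsts_findings(headers) or "ok")
    for suite in ("ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "TLS_AES_256_GCM_SHA384"):
        print(suite, "PFS" if cipher_has_pfs(suite) else "no PFS")
```

Running the block prints one line per sample; the negotiated cipher name to feed `cipher_has_pfs` comes from whatever TLS client you already use (for example the `SSL connection using` line that `curl -v` prints).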

Besides each CiviCRM organization upping its own privacy protection, is there anything else we as a community should be doing?
