Category Archives: Politics

Steps that need to be taken to reign in the NSA, et al

  1. Remove the legal authority that allows bulk collection, excessive secrecy, and other abuses. The FREEDOM act and other pieces of legislation proposed so far are tentative, toe-in-the-water, first steps in this direction, nibbling around the edges of the problems. They need to go much further.
  2. Enact harsh, explicit penalties for noncompliance. These are serious issues with major implications domestically and internationally, including causing diplomatic difficulties and negatively impacting markets for American products, not to mention serious violations of privacy and liberty.
  3. Prosecute for past violations of existing laws, as well as for perjury before Congress. (And absolutely do NOT again grant retroactive immunity…) Systematically and repeatedly violating both the will of Congress and the limits imposed by the FISA Court cannot be allowed to pass leniently; nor can repeatedly lying under oath to Congress. Major criminal investigations need to be launched and the perpetrators brought to justice. A GREAT DEAL OF INFORMATION WILL BE BROUGHT TO LIGHT BY DISCOVERY IN THE PROCESS–AS IT SHOULD BE.
  4. Courts should stop deferring to the executive branch in matters of what needs to be kept secret. While they should carefully consider the Government’s arguments about the need for secrecy, I think they have, in general, been far to sympathetic to the Government’s point of view, to the detriment of the public’s right to know important information. In many cases the answer is simple: refuse to make the proceedings confidential, and give the government the choice: if you want to present your evidence, it must be in public. If you want to keep it private, you can’t introduce it as evidence to support your case. Done.
  5. Since bulk collection will no longer be allowed, and that constitutes much of the NSA’s activity, the NSA can no longer justify a large proportion of its budget. NSA’s budget must be cut by at least 50%. (I’d propose a 90% cutback, and lower, 15-25%, cutbacks for the FBI, CIA, DEA, TSA, military, and other agencies.) This would also remove the NSA’s financial ability to perpetrate abuses on such a large scale, forcing them to focus their activities appropriately. It would also punish financially both the agency and their contractors for their corruption and past (and current) abuses.
  6. Enact general privacy laws:
    1. The “third-party doctrine” must be completely eliminated. Virtually everything we do in modern life requires the use of a third party to accomplish. It is ridiculous to think that having handed our information to ONE party (who could be seen as “a member of the public”) amounts to handing that information to “every member of the public as a whole” (or to the government). There are restrictions in place on a few very specific areas of third-party data usage (physical mail, telephones, health care, client-attorney privilege, etc.), but to assume that the lack of such specific coverage for other types of communication or information storage implies they should provide no privacy at all is ridiculous. Even posting to a Facebook wall is not “public”, because many, if not most, people set their postings to be seen by “friends only”. Thus it is not true that even those Facebook postings are in any way “public” – let alone private messages sent to a particular user.
    2. It needs to be made illegal for companies to share anyone’s information with any other party except in specific circumstances:
      1. If the customer has given their express written consent. This consent should need to include a listing of all information fields that will potentially be shared (ie, first name, last name, address, birthdate, social security number, online status, friends list, etc.) as well as the exact party or parties it will potentially be shared with (meaning, the actual company names). If new information fields are supposed to be shared with that service provider, each user must provide consent again before it can be shared, since they only consented to the previous list of fields to share. The same would be true if a new service provider would be used.
      2. If the company is legally compelled to via a court order specifying by name (or username) the customer in question and the information that they are seeking. By law, the company may only provide the specified information (ie, only the particular fields requested) and only provide information regarding the named customer.
      3. If the company suspects or has observed a crime, they can inform the authorities with only the information sufficient to allow the authorities to determine a crime may have been committed, and an associated username so that appropriate warrants may be generated targeting that user’s account in order to gain access to the further information, such as the actual evidence linked to that user or the user’s personally-identifying information. Only if the authorities return with a valid court-ordered warrant may they gain access to the user’s account.
    3. Any company making use of a person’s data must be required to take all reasonable steps to safeguard that data, such as using encrypted communications and data storage and access controls both internally and between the company and the user. Standards similar to PCI should be required of ANY service handling customer information, even if non-financial.
Advertisements

Opportunistic Encryption and How Browsers Handle Certificate Problems

As a follow-up to my last post on improving privacy on the Internet, I ran across the concept of opportunistic encryption, which I’ve heard about before but has never seemed to go anywhere.

Opportunistic encryption seems most interesting at the TCP layer, so that it is transparent to not only the user, but to applications that use the network as well. However, there are technical challenges to successfully implementing it without introducing undue complexity or noticeable reductions in performance. Such schemes have also never been accepted by a standards body, so their chance of widespread adoption seems slim (though you can try one such scheme, TCPCrypt, already; however, it requires the other end of your communication to have TCPCrypt installed as well, which seems unlikely in most cases).

Thus, as I noted in the last post, web and email seem to offer the best opportunities for adding encryption that’s transparent to the user.

How web browsers handle encryption problems

This leads us to https, the security and privacy protocol for web browsing. As I said previously, we’d like to encourage as many web servers to support, and preferably even mandate, the use of SSL/TLS for web browsing. And the web developers, systems administrators, and internet engineers our there can certainly help make that happen.

But there are lots of things to get right when implementing web security. Getting them wrong can make you susceptible to various kinds of attacks, mostly based on some form of of man-in-the-middle. That’s why browsers go to such lengths to warn users about problems, often denying access to the site if a problem is detected, until the user explicitly overrides this warning.

But is this the right behavior to take? Is badly-configured encryption really worse than no encryption at all? Web browser vendors sure seem to think so, but I disagree. While a misconfiguration such as a mismatch between the domain named in the certificate and the actual hostname may be a sign of a man-in-the-middle attack, in my experience it’s almost always due to something else. Similarly, self-signed or expired certificates are extremely unlikely to indicate a man-in-the-middle attack. And while none of these situations is ideal, they are all almost always far better than having no encryption at all.

Undesired behavior

So what actually happens when a server has a misconfigured certificate, and the browser throws up a big warning? Either the user can ignore the warning (which is potentially dangerous, but actually fine 99% or more of the time), they can switch to insecure http (which is, at best, the same as continuing with the untrusted encryption, but much worse the vast majority of the time), or they can discontinue using the site entirely, which hurts both them and the business, and is usually unnecessary since the chances of it being an actual man-in-the-middle attack are slim.

When the operator of the site sees the problem, they may choose to fix it – but they might just choose to disable https instead (and aside from e-commerce sites, I’d suspect the latter is more likely, at least in the short term). Yes, they should fix it, but more often than not they are not going to.

The net result of these browser warnings is scaring and confusing users without increasing their security, since between the users and the website owners, the most likely course of action is to either ignore the warning and proceed (which browser vendors have combatted with ever more dire and difficult to bypass warnings), or to revert to the even-worse unsecured http.

False sense of security

But at least from the point of view of opportunistic encryption, encryption using an expired, weak, self-signed certificate is vastly preferable to no encryption at all. The only danger is providing a false sense of security. But browser vendors have done exactly that by turning everything on its head, by making totally unsecured connections seem preferable to many sorts of encrypted connections, since the unsecured connections do not throw up warnings in the browser!

We need to encourage the use of https connections on the Internet, and part of encouraging its use means not discouraging it where the implementation is not perfect. While we should encourage proper implementations most of all, we should also encourage opportunistic encryption as better than no encryption, even if we aren’t guaranteeing privacy or integrity in the face of man-in-the-middle attacks (which take some effort and are quite rare in the grand scheme of things).

How to fix this?

The fix should actually be simple: change how web browsers communicate to users problems with how encryption is implemented. And most of all, how that communication compares to how it handles totally unencrypted connections.

I propose a “sliding scale” of perceived security. In the browser bar, the scale could be represented by a range of colors and icons, as follows:

  • UNENCRYPTED: Non-https connections would always be highlighted in red. Use of “null” encryption ciphers would also put a connection in this category. In addition, I’d suggest a “bullhorn” or similar icon to communicate that you are broadcasting your activity to the world (a typical radio broadcast icon could work too, but could be confused with wifi). When clicking for more detail, it could warn the user as follows:
    • THE BAD:
      • Your connection is unencrypted. Anyone on the Internet could listen in and see what you’re doing, including viewing your password if you are logging in, could modify or replace the content sent between you and the server without your knowledge, or could be logged in as you and have full access to your account.
  • INSECURE ENCRYPTION: This would be used for various kinds of encryption which have problems that could leave them susceptible to or be a sign of a man-in-the-middle attack, such as self-signed certificates, revoked or long-since expired certificates, or certificates for a domain which does not match the hostname, but where the encryption is still useful for opportunistic encryption and protecting from casual observers. Use of particularly insecure types of encryption (weak or compromised ciphers such as “export” ciphers, too-short key length, etc.) could also contribute to showing up in this category. These should be signified by a broken or unlocked lock icon. Clicking for more detail could notify the user as follows:
    • THE BAD:
      • The certificate used by this site is [unsigned/signed for a domain that does not match the actual hostname/expired/revoked], and thus does not guarantee protection from a man-in-the-middle attack. (Along with more detail, such as a comparison of the domain name for the certificate with the actual host name, the date the certificate expired or was revoked, and a note that certificates could be revoked due to knowledge that the encryption keys have been stolen or misused.)
      • (possibly) The encryption in use is considered weak enough to be easily cracked in a reasonable time by “brute force” methods.
    • THE GOOD:
      • Your connection is encrypted, so your activities cannot be viewed by casual observers monitoring traffic on the Internet.
      • Man-in-the-middle attacks take some effort to mount and are fairly rare, so most likely your connection is secure and the warning is due to a much more mundane misconfiguration; however, there is no way to guarantee it.
  • SEMI-SECURE ENCRYPTION: This might have some kind of closed or almost-closed (maybe closed, but with a crack) lock icon. It would be a variant of the above, but where the “misconfigurations” were considered more minor, such as:
    • Signed for a subdomain that doesn’t match the hostname exactly, but shares the same overall domain name. For instance, a certificate signed for “users.mysite.com” would be considered semi-safe if used on “www.mysite.com” (or any other *.mysite.com), even though it’s not an exact match.
    • Recently expired, for instance within the last 90 days.
    • Encryption that may have some weaknesses, but is considered secure against anyone short of the NSA, and probably not super easy for even the NSA to crack in a reasonable time and on a wide scale.
  • SECURE CONNECTION: This would be used for connections that are considered fully secure: a properly signed (by a trusted certificate authority), unexpired and unrevoked certificate which matches the hostname. The connection should also be using the strongest cipher suites available. These would have a closed lock icon. Clicking for more detail could notify the user as follows:
    • THE GOOD:
      • Your connection is encrypted, so your activities cannot be viewed by observers monitoring traffic on the Internet.
      • The certificate used by this site is properly signed by a certificate authority, is not expired or revoked, and matches the hostname it is signed for, protecting you from man-in-the-middle attacks.
  • Extended validation: Much is made of extended validation certificates, which verify more information about the identity of the site using the certificate, and in the case of e-commerce it may make some sense to help trust who you are giving your money to. But I think they are more a means to increase profits for the certificate vendors, and I think the visual differentiation they are given is wholly unwarranted. Even a site with an EV certificate could take your money without shipping you the product you ordered, charge more than agreed, sell your information to others, or otherwise cheat you; they could also be just as likely to allow NSA access to their private encryption key (either through cooperation or hacking). And most sites without EV certificates are probably perfectly trustworthy even if they didn’t bother to pay 10x as much to get their certificate. However, it could add a green checkmark across the lock icon and an additional benefit to the “Good” category when clicking for more detail:
    • THE GOOD:
      • Your connection is encrypted, so your activities cannot be viewed by observers monitoring traffic on the Internet
      • The certificate used by this site is properly signed by a certificate authority, is not expired or revoked, and matches the hostname it is signed for, protecting you from man-in-the-middle attacks.
      • The domain for this website has undergone extended validation of the identity of its owner.
  • Forward secrecy: Using ephemeral cipher suites to achieve “perfect forward secrecy” is also highly desirable, and such sites should be differentiated with an even more secure-looking icon (or at least sparkly/magical/happy-looking) and an additional benefit:
    • THE GOOD:
      • The encryption keys change each time you connect, so gaining the master keys will not allow an attacker to see your past or future activities.
Tagged , , ,

Three Ways Web Developers Can Improve Internet Privacy

With all the revelations about out-of-control government spying on the Internet, a great deal of attention has been paid to:

  1. Political changes, such as new laws and legal interpretations. This, of course, is at the core of the problem – what they’re doing should not be legal, or if it’s already illegal, more effort should be made to notice when it’s happening and stop it, and somebody should be getting in trouble for doing it. However, there will be a lot of resistance to this, and change will take a lot of time and likely be incomplete.
  2. “NSA-proof” privacy solutions, such as end-to-end encrypted email or chat, or using TOR to browse the web. While no solution is really “NSA-proof” in the end (especially if they target your actual computer), a lot of solutions can come reasonably close. But end users often find such solutions inconvenient to use, or may not even be aware of them. Worse, they may not feel they have anything to hide from the government or are skeptical they’d be targeted for attention; indeed, we are aware that using such tools explicitly DOES single you out for attention from three-letter agencies.

These approaches are not only laudable, but critical – they are necessary to protect against determined, focused attacks by three-letter agencies. But there are many other things that can be done to protect against casual “hoovering” of information on the Internet. Part of the problem is simply this: it’s too convenient to access most information by casual listening, because there isn’t even a pretense of privacy or security when information is transmitted without any encryption at all. This leaves a very large amount of internet traffic unencrypted for them to sift through without needing to crack or otherwise bypass any form of encryption.

But what if we made encryption the default for more traffic? While it would still be feasible for the NSA to crack or bypass much of that encryption when they really wanted to (by hacking your computer to install a key logger, for instance, or requiring a service provider to hand over your data), merely enabling encryption where it is currently missing could vastly reduce the amount of unencrypted traffic flowing through the “pipes”, meaning it would cost a lot more to sift through, while also making it more difficult to target encrypted traffic for special treatment as “suspicious activity”.

Most encryption beyond whatever happens to be enabled by default turns out to be too difficult for most users to deal with. We also can’t control what access the government has to Google, Microsoft, Yahoo, and Facebook that bypasses the https connections to their servers. But as engineers working on all the other websites and servers out there, we do have control over a lot of other things.

There is much that can be improved: security and privacy on the Internet are shockingly bad, and not just because the NSA is really good at their job (though part of their job is supposed to be strengthening our cyber-security, a task I believe they are failing at). A lot of this is caused by laziness on the part of developers, sysadmins, and internet engineers, as well as a lack of understanding, priorities, or budget from managers.

But many of these changes don’t really take that much time, and aside from that, often the only cost is that of a signed SSL certificate, available for as low as $50 per year.

While there are many security tips for how to lock down your server and network, here I will only talk about simple steps you can take to increase the “background noise” level of security and privacy of communications over the Internet. Here are some suggestions:

  1. Enable HTTPS/SSL on your web server. I’ll talk about this more below.
  2. Enable TLS for SMTP on your mail server. While it is probably not feasible to force the use of TLS at all times (many mail servers may still not support it), at least enabling it on yours increases the odds of email transfers between servers being encrypted.
  3. Disable FTP and telnet in favor of SFTP and SSH. You don’t want to be talking to your server or transferring files over non-private connections when there are secure alternatives that are just as easy to use.

These three steps, taken by the administrators of many sites around the Internet, could end up encrypting a large amount of traffic that is currently sent as plaintext.

Enable HTTPS/SSL on your web server

This is perhaps the most obvious one, as the web is probably the biggest activity people use the Internet for and whether a site is secure or not is immediately visible to users.

What does it take?

  1. Install a certificate and encryption keys. In order to protect against man-in-the-middle attacks, this should be bought from a legitimate certificate authority, rather than using a self-signed certificate. However, aside from e-commerce sites, where there’s extra value in trusting who you’re about to give your credit card number to, there’s not much benefit to so-called “Extended Validation” certificates aside from more profit for the certificate vendor.
  2. Enable port 443 on your web server, referencing the keys that were installed in step one.
  3. Make sure your web pages work properly over SSL, most particularly that they don’t include any insecure content that would trigger “mixed content” warnings in the browser. This includes CSS and JS files, images, and background images referenced from the CSS.
  4. Make your SSL as secure as it can be. This includes:
    1. Using at least 2048-bit encryption keys.
    2. Enabling “perfect forward secrecy” by enabling the needed “ephemeral” cipher suites and making their use preferential, as well as making sure TLS Session Tickets are disabled.
    3. Disabling weak cipher suites, such as anonymous, null, or export ciphers, as well as avoiding Dual_EC_DRBG, which appears to have been “back-doored” by the NSA.
    4. Protect against BEAST and CRIME attacks by upgrading to TLS 1.2, de-prioritizing vulnerable cipher suites (unfortunately there is no clear approach that works in all situations), and disabling TLS compression.
  5. Make encryption mandatory by implementing a global 301 or 302 redirect from port 80 to the same URL on port 443, and updating all your internal links to reference https.

Why the NSA Spying is Even Worse Than it Sounds

Apologists are already trying to paint the recent revelations of NSA access to data at services such as Facebook, Yahoo, Microsoft, and Google as being more innocent than they seem. I believe nothing could be further from the truth.

Backbone Taps

As disclosed years ago, the NSA already taps data passing through major Internet backbones in a number of locations. Thus, they are already able to see all the traffic passing by, and record as much of it as they want. Indeed, they are building massive billion-dollar data centers in Utah and Maryland just to store all the recorded data for future use.

Bypassing Encryption

However, the connections to Facebook, major email providers like Microsoft’s Outlook/Hotmail, Yahoo, and Gmail, as well as messages and calls made through Skype, are all encrypted. Thus, while the NSA/FBI can record all the conversations, they cannot (easily) read them.

That’s where the back-door access to these service providers comes in. This provides the NSA and FBI with the means to either get the information they want straight from the service provider, or else request the encryption key to unlock the data they already have stored.

Thus, getting past the encryption is the only reason they need this access. Otherwise they’d be recording, storing, and possibly reading or automatically analyzing, data mining, and searching through all your emails, Skype calls, Facebook messages, etc. already.

Why it Matters

As Moxie Marlinspike points out, policing used to be a lot harder; it was impractical to monitor communications, locations and other data so easily. And it is also important for a functioning democratic society for law enforcement to be so imperfect, since so many actions, particularly progressive ones (he points out marijuana use and gay marriage) are technically in violation of some law or other. Indeed, almost everyone almost certainly breaks SOME laws as part of their normal life, many of which they may not even be aware of.

As a result, the surveillance state is becoming truly scary, because being able to track and identify a wide range of potential lawbreaking (either in real time or retroactively) is no longer inhibited by cost or practicality, and barely inhibited by legal restraints (when those laws are even being adhered to, which I expect they are not half the time). We are all criminals, and now all subject to being caught doing something wrong that could be punished, should anyone in a position of power have a desire to do so.

What to Do

It’s time to fight hard against the surveillance state – laws need to change, secrecy needs to be lifted so that such activities are in full public view, and budgets need to be cut drastically so that it remains impractical for the government to spy on all of us all the time.

At the least, we should not be happy that the federal government spends billions of our taxpayer dollars to spy on us, rather than provide better healthcare or other worthy goals. Even worse that I now live in more fear of my own government than I ever have been of terrorists.

Everyone needs to communicate to their elected officials that the direction things are going, indeed the current status quo, are not acceptable, and demand to know what they intend to do to fix things. Vote them out of office if they do not try to make things better.

Toward a new Politics, episode 2

As a follow-up to my first post on this topic, in this episode I’ll examine the policies of some of the parties and organizations I do like.

Pirate Party

First up, the Pirate Party. Despite the provocative name, the Pirate Party has a rational, well thought-out platform that addresses only a few specific areas of law. Far from being selfish, the platform is actually philosophically, historically and practically sound. Here’s the start of their “Introduction to Politics and Principles”:

The Pirate Party wants to fundamentally reform copyright law, get rid of the patent system, and ensure that citizens’ rights to privacy are respected…

That’s pretty much it – those are their only issues of concern.

It expands with respect to copyright:

The official aim of the copyright system has always been to find a balance in order to promote culture being created and spread. Today that balance has been completely lost, to a point where the copyright laws severely restrict the very thing they are supposed to promote. The Pirate Party wants to restore the balance in the copyright legislation.

patents:

Pharmaceutical patents kill people in third world countries every day. They hamper possibly life saving research by forcing scientists to lock up their findings pending patent application, instead of sharing them with the rest of the scientific community…. Patents in other areas range from the morally repulsive (like patents on living organisms) through the seriously harmful (patents on software and business methods) to the merely pointless (patents in the mature manufacturing industries).

and privacy:

Following the 9/11 event in the US, Europe has allowed itself to be swept along in a panic reaction to try to end all evil by increasing the level of surveillance and control over the entire population….The arguments for each step on the road to the surveillance state may sound ever so convincing. But we Europeans know from experience where that road leads, and it is not somewhere we want to go…. Terrorists may attack the open society, but only governments can abolish it.

I couldn’t agree more with each of these sentiments, though getting rid of patents entirely might go even further than I would propose. I may expand on each later in separate posts, but for now I can say that this sums up my feelings nicely and I couldn’t do a better job of explaining each topic so succinctly.

I will also point out that all these views are diametrically opposed to those of the Democratic party, which is fiendishly pro-“intellectual property” (especially regarding grotesque expansions of copyright law), and doesn’t seem to care one whit for individual privacy.

Note (7 May 2012): I just came across a fuller platform for the Pirate Party. Still quite spartan compared to many other parties, but expands on the copyright/patent issues in a number of ways, including more direct democratic participation in government, government transparency, drug policy, environment, equality, and education.

Electronic Frontier Foundation

EFF “[blends] the expertise of lawyers, policy analysts, activists, and technologists…[to champion] the public interest in every critical battle affecting…cutting-edge [digital rights] issues defending free speech, privacy, innovation, and consumer rights.” EFF is the one organization that is consistently most “clued-in” about such issues. I believe they serve a critical role in our society, and wish they had ten times their current budget.

American Civil Liberties Union

ACLU is well-known, and while some of the issues it champions might go beyond what I’m usually concerned about, I think it’s still important to support them. They have long been a bastion against the rise of corporate and government abuse of individual rights and privacy. I can sum up the reasons why I’d support the ACLU even where I disagree with them, by using this quote, attributed to Martin Niemöller:

First they came for the communists,
and I didn’t speak out because I wasn’t a communist.

Then they came for the trade unionists,
and I didn’t speak out because I wasn’t a trade unionist.

Then they came for the Jews,
and I didn’t speak out because I wasn’t a Jew.

Then they came for me
and there was no one left to speak out for me.

Common Cause

Common Cause is a “citizens’ lobby”, leading the effort to “put the people’s voices ahead of the special interests for more than 40 years”. Common Cause is concerned with money in politics, government accountability, fair and open elections and voting access, ethics in government, and diversity and independence of media. Their basic philosophy is that “people and ideas are more important than money” and that public policy should reflect “the needs and priorities of our citizens, not special interests.”

Green Party

While the Green Party is far less established in the United States than it is in Europe, it is still growing rapidly. While I do wish they would concentrate their candidates in local races where they might actually win, as opposed to running for President, Senator, Governor, and other “unwinnable” posts, I think the party and their aims are still well worth supporting.

I should note in passing that the common belief that voting for a party other than the Democrats or Republicans is “throwing your vote away” is a fallacy, and in fact the very cause of the horrible political mess we are in currently. Since there is little substantive difference between Democrats and Republicans, a vote for either is the wasted vote; it is a vote for more of the same. While a vote for a third party with no hope of winning will still not allow that third party candidate to win (at least in the near future), it is a vote for a change in policy. Without such votes, neither party has any incentive to take such policy changes seriously, leading to a corporate-driven same-ness in the policies that really matter (even as they publicly squabble over emotional “hot-button” issues with no right answer and no hope of compromise, just so they can appear “different” and appeal to one or another demographic). I just don’t understand why people are so reticent to vote for candidates they really believe in, and who support policies they really agree with. But it does certainly explain why such candidates never get elected, and such policies no longer exist in our government.

Unlike the other parties and organizations I’ve mentioned, the Green Party has a comprehensive platform, covering a wide variety of issues in the general areas of Democracy, Social Justice, and Environmental and Economic Sustainability. This platform is detailed and carefully thought out with respect to specific changes proposed to our current political system. Overall I like the direction of their platform. Some issues I’m not personally concerned with. Others I don’t think go far enough – they try to work too much within the current system, rather than replacing it. Some issues that I care about are simply not addressed. In some cases, I respectfully disagree (such as nuclear power). But overall, this platform would be far preferable to the politics we live with right now.

Tagged

Toward a new Politics, episode 1

I think the current United States federal political system is hopelessly, irrevocably broken. Not only is the system so thoroughly corrupted as to be unsalvageable, it’s also inconceivably byzantine and convoluted, not to mention supportive, in the main, of policies I just don’t agree with.

It’s clear that neither of the major political parties – Democrats or Republicans – offers a real change, or even much of a choice. While I feel Democrats are somewhat less offensive on some topics, it’s not universal, and in some selected areas, they’re even worse than the Republicans. While they may be the lesser of two evils, it’s pretty much like “would you like 90% evil, or only 80% evil?”

So what to propose instead? I have lots of ideas, but let’s start by looking at existing parties and advocacy organizations to see who has interesting ideas I find compatible with my beliefs.

First, I’ll dispose of the useless ones (that I always see on the ballot):

  • Libertarians. There’s almost nothing to say: their entire platform is a sham, often achieving the opposite of what they claim. It’s also ridiculously against anything reasonable as far as having a functioning society, not to mention being a near opposite of my beliefs in many areas. That they happen to seem to align with certain of my beliefs in a few areas is sheer coincidence. Note that Ron Paul is in the same category: half Republican, half Libertarian; I admire his independence, but not most of his policies.
  • Peace and Freedom. While I admire, and increasingly agree with, many of their basic goals, their actual proposals are just ludicrously unrealistic, and likely to be counterproductive (ie, leading to neither peace nor freedom, in fact likely less of each). They are espousing failed models with no regard for the significant, known downsides.
  • Ditto for the many other fairly unknown parties. (A handful of past parties had some reasonable ideas, but aren’t very active now.)
  • Why not the Democrats? They demonstrably have not changed the system even while controlling the White House and both houses of Congress. Also, they are even more in favor of increasingly strong, broad, severe and destructive “intellectual property” rights than the Republicans, in addition to being generally pro-corporate and anti-freedom and privacy.

So what’s left? I’ll go into more detail on my own ideas later, but here is a list of organizations and parties I admire and support:

Tagged
%d bloggers like this: