
The only way out of this, as I see it, is making privacy the default. But this requires some cooperation and motivation from the big guys at Silicon Valley.

Imagine if Chrome, Firefox, Safari, all of them had, just like the incognito mode, the private mode. Of course, as anonymity also depends on the behavior of the user online, other actions are needed to really ensure security and privacy. But making it the default will educate more people about the importance of privacy and, more importantly, make the point that privacy isn't only for criminals, terrorists and wrong-doers, but that "normal", law-abiding citizens also should have the right to be private. And that is paramount for a democracy to work.



I think the cooperation necessary would be for the "big guys" to not have a vested interest in selling out privacy, which has been the prevailing business model for a long time. And, since the big guys only listen to their bottom line, that means not using them until they support privacy. It may mean not using the Internet substantially at all. (It's more than a little ironic to be saying this on the preeminent "business hacker" (or "startup") community, which has a visible subset who sympathize with some of the NSA's programs, or at least have been able to rationalize them...)

As you say, the tools have always been there, but no one uses them. That might be because it's a chicken-or-egg problem. At the same time, it might be because the people in the positions to develop and promote the tools, even if only for their own use, are being prevented by a one-track culture that encourages them to sell out their clients' privacy in addition to discouraging them from working on projects like Tor. (Again, the HN forum is an example of that conflict - being a largely business-oriented forum; surveillance technology sells... Even DuckDuckGo, a favorite startup in this community, has filters to protect us.) Rather than peer-to-peer solutions like Gnutella, Gnunet, Tor, and even open wireless, people continue to make websites with JavaScript encryption, despite the proven MITM threat.

I don't think JavaScript and CSS will get us out of this, but if this latest revelation doesn't wake people up in the tech community specifically, nothing will, since BoingBoing readership is a large number of them - which to me means that the tech and programmer categories are themselves a primary focus of the surveillance that some highly-respected tech pundits (and HN forum members) have defended and rationalized as only being used for terrorists and perverts. That definition now includes anyone with enough knowledge to build or use strong privacy tools. The definition now includes everyone on this forum.


"No one" uses it because it is too complicated for "every one".


> But this requires some cooperation and motivation from the big guys at Silicon Valley

Unfortunately, this is key to making strong encryption commonplace. A social graph and real-time communication could be used to make key exchange easy and secure. Open client software is needed to make security verifiable. And the storage and email infrastructure and clients need to make using encryption the default.

All the pieces of a "trust nobody" environment are there, and so are the pieces for making it an easy-to-use default.

Hopefully, doing this will be required for American service and technology companies to regain trust.


One of the biggest difficulties for "easy and secure" key exchange is that so many people want to be able to access private communications on many different devices.

How do you authorize a new device in an "easy and secure" way without simply outsourcing the problem to an intermediary who is then in a position to attack you by authorizing its own devices?

This issue has quite concrete implications for the security and convenience of lots of existing security tools, from GPG to iMessage to Skype to Firefox. They've chosen different approaches but the underlying problem and associated tradeoffs apply to all of them.

On the bright side, there are now a lot of people exploring the space of possibilities for dealing with these tradeoffs.


"The perfect is the enemy of the good."

Just authorize. If you have perfect forward secrecy, as long as you aren't being man-in-the-middled right now, you're safe.

It's better to have all people doing everything encrypted by default than not.

The goal isn't for one individual to be safe against a targeted NSA attack. That's insane--if the NSA wants you, specifically, you are screwed; it simply has far too many resources to bring to bear.

The goal is to make it expensive for the big agencies to do pervasive surveillance. If everybody is encrypting all the time, random peon at Three Letter Agency has to get up from his chair and actually authorize a wiretap, get a warrant, etc. At that point, it's not going to happen unless you've actually done something very wrong.


Fully agreed up until your last sentence: It's not going to happen unless they have reason to believe it will lead to evidence of someone doing something wrong, and that it will be wrong enough to justify the effort.


Funny enough, Chrome used to say that incognito mode doesn't protect you against spies. It still says it doesn't protect your data from governments.


They can start with using HTTPS for everything and hosting things like analytics (Piwik rocks!), JavaScript libraries, etc. themselves.



