Pick 3 encryption schemes
Pick 3 public key encryption schemes.
Pick a USA public key encryption scheme, a Russian one and a Chinese one. We don't know whether any of them is backdoored, but we do know these parties don't cooperate, so a message encrypted under all 3 schemes can only be read by someone holding all 3 backdoors.
Put the public keys for these in the DNS server as TXT records.
Every browser should keep a key-chain of the public keys for every site it visits; if a site's public keys have changed on a later visit, the user should be warned of a possible man-in-the-middle attack.
When sending any request to such a server, encrypt it with the public keys from the DNS and include 3 public keys of your own for the return leg.
To man-in-the-middle this scheme, an attacker has to intercept every DNS request from day one and swap the keys 100% of the time. To defeat such an attack, you simply send the keys via a different route as well. So this is next to impossible to intercept on a mass scale, and easy to detect and defeat.
EMAIL
Send out the 3 public keys in the header of every email to everyone.
When your email client receives an email with these keys, it then always uses these keys to encrypt messages to that email address.
If an email arrives with different keys, the user is notified of a possible MITM attack and can either take steps to verify the key change or simply treat the message as identity theft.
To attack this scheme, you have to swap or strip all the keys, all the time, right from day 1.
To defeat the attack, simply send the keys via a different route.
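Added example, not code from the original post: the key-chain logic that both the browser (DNS TXT records) and the email client (message headers) above would need, in Python. The record layout `v=pk3; us=...; ru=...; cn=...`, the scheme labels and the key strings are constructed assumptions; real key material would be pinned by fingerprint the same way.

```python
import hashlib

SCHEMES = ("us", "ru", "cn")  # labels for the three independent public key schemes

# Constructed records in a hypothetical 'name=value; name=value' TXT/header layout.
REC_A = "v=pk3; us=KEY_A_US; ru=KEY_A_RU; cn=KEY_A_CN"
REC_B = "v=pk3; us=KEY_B_US; ru=KEY_A_RU; cn=KEY_B_CN"  # two of the three keys swapped


def parse_record(record: str) -> dict:
    """Extract the three public keys; a record missing any of them is rejected,
    since a stripped key is as suspicious as a swapped one."""
    fields = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            fields[name.strip()] = value.strip()
    missing = [s for s in SCHEMES if s not in fields]
    if missing:
        raise ValueError("record is missing keys for: " + ", ".join(missing))
    return {s: fields[s] for s in SCHEMES}


def fingerprints(keys: dict) -> dict:
    """Pin short SHA-256 fingerprints rather than the raw key material."""
    return {s: hashlib.sha256(k.encode()).hexdigest()[:16] for s, k in keys.items()}


class KeyChain:
    """Per-site (or per-address) pin store with trust-on-first-use semantics."""

    def __init__(self):
        self.pins = {}

    def observe(self, peer: str, record: str, out_of_band=None) -> tuple:
        """Return (status, changed_schemes): 'pinned' on first sighting, 'ok' if
        unchanged, 'rotated' if the change is confirmed by the same keys arriving
        via a second route, 'warn' if it cannot be confirmed (possible MITM)."""
        seen = fingerprints(parse_record(record))
        pinned = self.pins.get(peer)
        if pinned is None:
            self.pins[peer] = seen  # trust on first use
            return "pinned", []
        changed = [s for s in SCHEMES if pinned[s] != seen[s]]
        if not changed:
            return "ok", []
        # Keys differ from the pin: accept only if a different route delivers the
        # same keys (the defence described above); otherwise warn the user.
        if out_of_band is not None and fingerprints(parse_record(out_of_band)) == seen:
            self.pins[peer] = seen
            return "rotated", changed
        return "warn", changed
```

The `changed` list tells the user which of the three keys moved, so a single swapped key is still flagged even though an attacker would need all three to read the traffic.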
Thus we should be able to protect journalism, political activism, protest, voters, innocent people, etc. from mass surveillance. Of course terrorists and criminals will still be bugged, but it will stop the massive warrantless fishing that's been going on.
Notice that it doesn't get bogged down in 'proving identity'; this is unnecessary, since you don't do it now with ordinary email either.
How do you change keys? You convince the receiver you are the genuine Bob Simpkins, exactly as you do now when you email someone. If they believe you, they can accept the new key or not, just as they accept your email as being from you or not today.
It just eliminates Big Brother from watching.