Is Yahoo "too big to encrypt"?
Yahoo announced yesterday that it has started to encrypt information sent between its data centers as part of its larger program to defend consumer privacy from intelligence agencies.
The program was adopted after the revelation of a National Security Agency program that reportedly gathered information as it traveled between the data centers of companies like Google and Yahoo. Yahoo CEO Marissa Mayer announced in November that the company would take steps to prevent the program's continued operation by the end of March 2014 -- according to yesterday's blog post announcing the change, the company met its deadline.
The Verge reports that Yahoo's recently-hired security head, Alex Stamos, said the program was implemented in response to government activities, but didn't call out the NSA by name:
In a meeting with reporters today, Stamos — who joined Yahoo three weeks ago — did not specifically call out the National Security Agency by name, but made it clear that revelations about NSA spying led directly to Yahoo's move toward more encryption. 'The impetus for the huge push is obviously government revelations,' Stamos told reporters. 'The side effect is that the protections we're putting in place protect in a lot of different scenarios.'
Yahoo has also added HTTPS encryption and other security provisions to its email service, search queries on the Yahoo homepage, and "most Yahoo properties," and introduced the ability to initiate encrypted sessions on popular sites like Yahoo News or Yahoo Finance. It plans to introduce an encrypted version of its Yahoo Messenger service in "coming months." Stamos says in his blog post that these efforts are part of Yahoo's mission to protect privacy:
Hundreds of Yahoos have been working around the clock over the last several months to provide a more secure experience for our users and we want to do even more moving forward. Our goal is to encrypt our entire platform for all users at all time, by default.
One of our biggest areas of focus in the coming months is to work with and encourage thousands of our partners across all of Yahoo’s hundreds of global properties to make sure that any data that is running on our network is secure. Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem.
The announcement highlights two problems with Yahoo's attempts to adopt stricter security: its inability to directly manage every website on which its logo appears, and its struggle to reconcile increased security standards with its need to continue raking in advertising revenue. Stamos mentions the first problem in the passage above -- Yahoo can only "work with and encourage thousands of [its] partners" -- but the second problem is never mentioned. He did, however, explain the issue in his meeting with reporters, according to the Wall Street Journal:
But for now, there are limits as to how far Yahoo can take that encryption, Stamos said. Websites for Good Morning America on Yahoo, Yahoo News, Yahoo Sports and Yahoo Finance won’t feature the encryption by default, for now, because the company still needs to bring advertisers on board, he said.
At issue is the fact that technology being used, called HTTPS, is an all-or-nothing proposition.
When a website uses HTTPS, it prevents outsiders from watching data people submit to the site or watch what articles they are reading. But if the site is going to use such encryption, it has to persuade every advertising network running ads on that page to do the same.
Figuring out a way to wrangle its partners into compliance will determine Yahoo's ability to protect consumers no matter which of its many properties they're visiting; finding a way to make money while doing so will allow the company to demonstrate its commitment to keeping its users' information private even if it frustrates money-hungry shareholders at a time when Yahoo might be "worth less than nothing" if it weren't for its stake in IPO-bound Alibaba.
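The "all-or-nothing" constraint in the quoted passage is what browsers treat as mixed content: an HTTPS page that pulls a script or frame from an ad network over plain HTTP. The audit below is an added example, not code from the article or from Yahoo; the page URL, the ad-network host names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Element -> URL attribute. "Active" loads can script the page, so browsers
# block them on an HTTPS page; "passive" loads degrade the security indicator.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, host, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            attr, severity = "href", "active"
        elif tag in ACTIVE:
            attr, severity = ACTIVE[tag], "active"
        elif tag in PASSIVE:
            attr, severity = PASSIVE[tag], "passive"
        else:
            return  # plain <a href> navigation is not a subresource
        # Resolve relative and protocol-relative (//host/path) references.
        url = urlparse(urljoin(self.page_url, (a.get(attr) or "").strip()))
        if url.scheme == "http":
            self.findings.append((severity, tag, url.hostname, url.geturl()))

def audit(page_url, html):
    if urlparse(page_url).scheme != "https":
        raise ValueError("mixed content only exists on pages served over HTTPS")
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

def blocking_hosts(findings):
    # Third-party hosts that must offer HTTPS before the page can switch.
    return sorted({host for sev, _, host, _ in findings if sev == "active"})

# Constructed sample: one page, four hypothetical ad networks.
SAMPLE_URL = "https://news.example.com/story"
SAMPLE_HTML = """<link rel="stylesheet" href="/static/site.css">
<script src="http://ads.adnet-one.example/tag.js"></script>
<img src="http://pixel.adnet-two.example/p.gif">
<iframe src="//frames.adnet-three.example/slot"></iframe>
<iframe src="http://frames.adnet-four.example/slot"></iframe>
<a href="http://other.example/">elsewhere</a>"""
```

Running `blocking_hosts(audit(SAMPLE_URL, SAMPLE_HTML))` lists the partners whose tags would break once the page is served over HTTPS by default.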
Pando weighs in
I wrote about encryption's limits in response to a SXSW keynote speech given by Edward Snowden:
What’s surprising is that Snowden, who collected the documents used to report these stories and selected the journalists to whom they would be sent, didn’t mention that warning in his keynote.
Perhaps Snowden should read some of the stories based on the documents he leaked. Either the threat of NSA snooping enabled by compromised encryption standards and malware aren’t as terrifying as they are made out to be, or encryption — which he described as “defense against the dark arts” — isn’t quite as foolproof as he claims.
I then wrote about the NSA's efforts to bypass encryption and some companies' -- including Yahoo -- inability to properly implement security tools:
Encrypting those communications will make it more difficult for the NSA to monitor the emails of countless Gmail users, but it won’t make them impervious to surveillance. The Intercept reported in March that the agency has built a system meant to spread malware to millions of computers, which would allow it to gather information before it can be encrypted. Patching these vulnerabilities creates speed bumps that will slow the agency’s drive to spy on essentially the entire world, but they won’t cause the agency’s surveillance programs to stop.
That’s assuming that the information is properly encrypted, of course. Remember that the NSA has been working to weaken encryption standards, that Yahoo’s use of HTTPS in Yahoo Mail was “inconsistent,” and that Apple failed to properly implement a security standard in both its mobile and desktop operating systems for at least 18 months. Caution is warranted.