Since the Snowden revelations a little more than a year ago, more people have become aware of how little privacy they have on the Internet and that their own governments try to spy on them much more than they thought they would within the limits of the law.
While every single person should try to use more privacy-focused tools to protect themselves, it's not just spy agencies they need to worry about, but also “regular” hackers who can more easily gain their information if it’s not properly encrypted. Ultimately this is a lot to ask from normal Internet users. Ideally, encryption would be something totally invisible to the end-user, happening in the background.
This is where the big tech companies can do a lot to protect their huge userbases without the users themselves doing much at all. Otherwise, it’s going to be an uphill battle to get people to use encryption, especially when using a certain encryption technology means your friends have to use it, too, therefore creating a chicken-and-egg problem.
The good news is that some of the biggest Internet companies have started to focus more on security, with the more notable ones being Google, Yahoo, Microsoft--and even Facebook.
Google is associated with the Internet these days in multiple ways, and it hasn’t taken that responsibility lightly. Back in 2010 the company was among the first mainstream e-mail providers to offer HTTPS encryption by default for its Gmail users. That means all Gmail traffic was being encrypted between the user and the Gmail servers.
Google actually pushed the option for Gmail encryption two years before that, back in 2008, but at the time HTTPS encryption was a significant overhead for Google’s servers, so it was left up to the users. Google presumably knew that the vast majority of them likely wouldn’t enable it, but those who cared a lot about their e-mails being protected would enable the option.
Between 2011 and 2012, Google also enabled HTTPS encryption by default on its search engine. People look for all sorts of information on Google, some of it very private, and much of it is data that the average person wouldn’t want others to know about. In some cases, like in China, people’s lives could be put in danger just for using certain search queries.
The year 2013 was the year of the Snowden revelations, some of which specifically named Google and its users as being targeted by the NSA. The NSA was hacking into Google’s internal network and getting all data in plain-text because Google wasn’t encrypting the data transfers within its internal network, thinking no one could get access to it in the first place.
This incident caused Google to want to secure its services even more than before, and since then it’s been rolling out security changes a lot faster. Some of the major changes since then include: encrypting the traffic within its internal network, encrypting its serving of ads to web pages, and the more recent change to boost search ranking for websites that enable HTTPS by default.
All of the above changes have been about HTTPS encryption, which is far from being unhackable, and at the same time it does nothing to stop (abusive) government requests for user data.
Perhaps this wouldn’t be a major problem for Google in the US, since that’s the law of the land, and ultimately it’s technically US citizens that decide whether they want to restrict the government from making those requests or not. It is, however, a major problem for Google and other US companies when it comes to servicing foreign customers.
If foreign customers don’t trust Google and the US government with their data anymore, then they will simply move to another service. To alleviate this trust issue, Google has recently been working on bringing an improved version of PGP (Pretty Good Privacy) to encrypt emails on the client side. What that means is that nobody, not even Google, can look at those emails except for the sender and the receiver of that email.
This has been regarded as a great move by privacy advocates and could help restore some trust in Google abroad, if it provides this option to both regular users and enterprise users.
Unlike Google, Yahoo isn’t a company that’s known for its security prowess, and in fact, several of the Snowden revelations have named Yahoo users as an easy target for both the NSA and GCHQ, the UK spy agency. This must’ve made Yahoo’s new CEO, Marissa Mayer, very uneasy, because soon after that Yahoo announced that it’s going to enable HTTPS by default for its mail, too.
Yesterday, the company also announced that it’s going to be implementing a version of Google’s End-to-End protocol for encrypting email on the client side, making it the second major email company to announce end-to-end encryption for its mail service. It looks like Yahoo wants to follow in Google’s footsteps and become more security focused in the near future, too.
Microsoft has also recently begun to strengthen the security of its online services, and the company has announced that it will allow its Office 365 customers to send encrypted emails to other Office 365 customers as well as to external email accounts such as those from Yahoo, Gmail, Exchange Server, Lotus Notes, GroupWise, Squirrel Mail, and others.
Microsoft thinks this type of encryption can be used for the following purposes:
- A bank sending credit card statements to customers over email.
- An insurance company providing details about the policy to clients.
- A mortgage broker requesting financial information from a customer for a loan application.
- A healthcare provider using encrypted messages to send healthcare information to patients.
- An attorney sending confidential information to a client or another attorney.
- A consultant sending a contract to a client.
- A therapist providing a patient diagnosis to an insurance company.
Facebook is known for its privacy issues, but it’s actually one of the first big Internet companies to adopt HTTPS by default, which it did as early as 2011. Privacy and security are not necessarily interchangeable, although they do go together very well. For example, a company could keep its users secure against hackers but still know everything about those customers. So even though Facebook hasn’t been the best in terms of privacy, it has been pretty good at adopting new security standards.
After the Snowden revelations, Facebook has also committed to adopting Perfect Forward Secrecy (PFS) in its HTTPS encryption, a feature Google has used from the beginning, in 2011, for its Google searches. PFS rotates the encryption keys much more often, so if some hacker or spy agency somehow manages to get a key, it won’t be able to decrypt years of data; instead, it can only read data encrypted since the most recently used key. Thus, it’s a technique that’s meant to minimize the damage from a major hack.
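To make the key-rotation idea concrete, here is an added illustration (not code from any of the companies mentioned) that simulates recorded HTTPS-style sessions with and without forward secrecy and counts how many of them a later theft of the server's long-term key exposes. It assumes a toy Diffie-Hellman group and hypothetical function names, and it leaves out the signature a real server makes with its long-term key to authenticate each handshake.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, for illustration only (far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

def kdf(shared: int) -> bytes:
    """Derive a session key from the DH shared value."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def run_sessions(server_long_term: int, n: int, forward_secret: bool):
    """Simulate n sessions; return (wire transcripts, real session keys)."""
    transcripts, keys = [], []
    for _ in range(n):
        c = secrets.randbelow(P - 2) + 1  # client secret, fresh each session
        client_pub = pow(G, c, P)
        if forward_secret:
            e = secrets.randbelow(P - 2) + 1  # server secret, fresh each session
            server_pub = pow(G, e, P)
            keys.append(kdf(pow(client_pub, e, P)))
            del e  # thrown away once the handshake is done
        else:
            server_pub = pow(G, server_long_term, P)  # same key for years
            keys.append(kdf(pow(client_pub, server_long_term, P)))
        # Only public values cross the wire, so that is all a recorder keeps.
        transcripts.append((client_pub, server_pub))
    return transcripts, keys

def keys_exposed_by_theft(transcripts, keys, stolen_long_term: int) -> int:
    """Count recorded sessions decryptable with the stolen long-term key."""
    exposed = 0
    for (client_pub, _server_pub), key in zip(transcripts, keys):
        if kdf(pow(client_pub, stolen_long_term, P)) == key:
            exposed += 1
    return exposed

def demo():
    """Return (sessions exposed without PFS, sessions exposed with PFS)."""
    long_term = secrets.randbelow(P - 2) + 1
    static_t, static_k = run_sessions(long_term, 5, forward_secret=False)
    pfs_t, pfs_k = run_sessions(long_term, 5, forward_secret=True)
    return (keys_exposed_by_theft(static_t, static_k, long_term),
            keys_exposed_by_theft(pfs_t, pfs_k, long_term))

if __name__ == "__main__":
    print(demo())
```

With the static key, all five recorded sessions fall to the stolen key; with per-session secrets, none do, which is the damage-limiting property described above.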
Facebook has also just recently acquired a server security company called PrivateCore that will help it protect its servers against malware threats, unauthorized physical access, and malicious hardware devices.
While all of these companies have shown some laudable willingness to protect their users as well as possible against surveillance and hacking/data loss, this should be only the beginning. Much more can and must be done before we can truly say that we have a safe and privacy-friendly Internet.
We haven’t yet seen how Google will implement its E2E email encryption, but it needs to be as user-friendly as possible, and as easy as possible to find by Gmail users. If it’s hidden three levels deep in settings, then not a lot of people would even know about it, let alone use it. Google has a business to run here, so we understand them not making this option the default for all emails, but we expect them to make it at least easy to use for people who want to use it.
There’s much more Google could do with regard to Hangouts, too. End-to-end encrypted voice calls and even video calls are now possible, and end-to-end encrypted texts have been possible for some time now. These technologies are open source, so Google just needs to implement them. All Google needs to do is look at Open Whisper Systems’ TextSecure and RedPhone/Signal apps for great end-to-end encryption for texts and voice.
When it comes to cloud storage, Google should also be offering a way for users to encrypt their data client-side, before it leaves their computers and goes into Google’s cloud. Again, it doesn’t need to happen by default for every user, in part because it’s a little harder from a user experience point of view, but it should be available as a main feature.
If Google would enable all of the above, then even people who don’t trust Google could continue to use Google’s services. If implemented correctly, they wouldn’t need to trust Google because all the data would be encrypted on their side, before it leaves their devices, and then only decrypted by the recipient, with Google being only the channel for delivery.
As previously mentioned, Yahoo announced that it would offer end-to-end encrypted email sometime next year. Yahoo also offers an IM client with voice and video chat capabilities, which could be encrypted end-to-end as well. Yahoo could continue to shadow Google’s security features, and it should be enough to get Yahoo some positive media--something the company has been lacking for years.
Yahoo could, however, go one step further and actually get ahead of Google on some features, such as the end-to-end encryption for their IM conversations (both text and voice/video). That would force Google to respond with a similar feature, so it would be a major win for both of these companies’ users.
Perhaps more than anyone else in this group, Microsoft will respond swiftly to enterprise feedback--or in other words, if lack of trust in Microsoft abroad could cause them to lose billions in revenues, we expect that they would try and fix that as soon as possible.
Where Microsoft needs to turn its attention immediately is Skype, which is used by hundreds of millions of people. Skype used to have a secure, anti-surveillance P2P architecture until Microsoft bought it. Microsoft has said it changed the architecture in order to make Skype more suitable for mobile use and also more scalable. That’s a believable technical reason, but at the same time the changes also made it much easier to be snooped upon by spy agencies, whether legally or illegally, and not just in the US, either. If Microsoft wants Skype to regain trust as a private communication app, then it needs to implement some form of end-to-end encryption, too.
As a cloud storage provider, through its OneDrive service, Microsoft also needs to offer an option for encrypting the data on the client side, before it's uploaded to its cloud.
Facebook has one of the most popular messaging clients on Earth, and it has just acquired another very popular one in WhatsApp. But neither of them uses end-to-end encryption or offers it as an option. If implemented, encryption could bring huge privacy benefits to Facebook’s users, and it could alleviate some of the trust issues Facebook has been having lately, too.
I believe all of these companies' latest security efforts are genuine, not just because they want to do what’s best for their users, but also because they risk losing a lot of business in other countries--countries that may not trust US tech companies as much anymore. Some could even ban them from doing business within their respective borders.
At the same time, they should also be encouraged to continue improving their security infrastructures and continue to adopt stronger and safer encryption protocols that can better protect users against mass surveillance and hacking.