Last week, Google, Microsoft, and five other leading Web companies formally requested that the U.S. government rein in its use of dragnet surveillance. These companies don’t have to wait for the government to act, though. Encryption technology can protect the privacy of innocent users from indiscriminate surveillance, but only if tech companies deploy it. In the wake of the Snowden disclosures, they are starting to do so. It shouldn’t have taken them this long.
In October of 2010, security researcher Eric Butler released an easy-to-use tool designed to hack into the webmail accounts of people using public Wi-Fi networks. Butler’s Firesheep wasn’t the first technology to make Wi-Fi sniffing possible, but it made it easy to intercept e-mails and documents, and even to capture authentication cookies that could be used at a later time to log in to a victim’s account.
Firesheep exploited the fact that most webmail and social networking sites at the time did not use HTTPS encryption to protect their customers’ information, or provided such encryption only to users who enabled an obscure configuration option most people were unaware of.
Google embraced encryption by default for its Gmail service a few months before Firesheep was released. Other major Web companies ignored calls from Pamela Jones Harbour, a commissioner with the Federal Trade Commission, for them to follow suit. One year later (soon after Firesheep was written about in the New York Times), Senator Chuck Schumer wrote a letter to Yahoo, Amazon, and Twitter urging them to enable HTTPS by default.
Twitter, Facebook, and Microsoft’s e-mail service eventually did switch to HTTPS encryption by default. However, Yahoo continued to expose its customers’ private information not only to hackers using tools like Firesheep, but also to governments around the world that are capable of intercepting the communications of their own citizens. In January of this year the company finally announced an opt-in encryption setting, which few users were likely to use.
Yahoo ignored not just strong words from an FTC commissioner and a letter from a U.S. senator, but also a public plea from human rights groups. What made the company finally decide to use HTTPS by default was a Washington Post story revealing that the NSA was intercepting nearly half a million of Yahoo users’ unencrypted webmail address books per day.
Shortly after the news broke, Yahoo CEO Marissa Mayer proclaimed that “there is nothing more important to us than protecting our users’ privacy.” If that’s the case, why did it take the disclosures of Edward Snowden for the company to finally deliver industry-standard Web encryption? Why didn’t the company protect its customers from hackers using tools like Firesheep, or from the deep packet inspection equipment that we have long known governments around the world are using?
The answer is that they didn’t care—until their utter failure to deploy basic Web security was featured on the front page of the Washington Post.
Yahoo isn’t the only company to up its game in response to the Snowden disclosures. Indeed, many of the big cloud computing companies—including Google, Facebook, Yahoo, Microsoft, and others—have started to encrypt information between data centers. They have also increased the size of their encryption keys and switched to encryption algorithms that offer “perfect forward secrecy.”
The EFF’s “Encrypt the Web” report reflects the rapid embrace of security technologies by major companies. However, were it not for Snowden’s whistle-blowing and the brave decision by journalists to reveal technical details about some of the NSA’s activities, it’s doubtful that many companies would have made these security improvements.
For that reason alone, we owe Edward Snowden our thanks.
Christopher Soghoian is principal technologist with the American Civil Liberties Union’s Speech, Privacy, and Technology Project. Soghoian was recognized as one of MIT Technology Review’s Innovators Under 35 in 2012.