Skip to Content

Snowden’s Leaks Have Finally Forced Companies to Enhance Their Security

Revelations about NSA surveillance have prompted Yahoo, Microsoft, and other companies to deploy long-overdue security improvements.

Last week, Google, Microsoft, and five other leading Web companies formally requested that the U.S. government rein in its use of dragnet surveillance. These companies don’t have to wait for the government to act, though. Encryption technology can protect the privacy of innocent users from indiscriminate surveillance, but only if tech companies deploy it. In the wake of the Snowden disclosures, they are starting to do so. It shouldn’t have taken them this long.

In October of 2010, security researcher Eric Butler released an easy-to-use tool designed to hack into the webmail accounts of people using public Wi-Fi networks. Butler’s Firesheep wasn’t the first technology to make Wi-Fi sniffing possible, but it made it easy to intercept e-mails and documents, and even to capture authentication cookies that could be used at a later time to log in to a victim’s account.

Firesheep exploited the fact that most webmail and social networking sites at the time did not use HTTPS encryption to protect their customers’ information, or provided such encryption only to users who enabled an obscure configuration option most people were unaware of.

Google embraced encryption by default for its Gmail service a few months before Firesheep was released. Other major Web companies ignored calls from Pamela Jones Harbour, a commissioner with the Federal Trade Commission, for them to follow suit. One year later (soon after Firesheep was written about in the New York Times), Senator Chuck Schumer wrote a letter to Yahoo, Amazon, and Twitter urging them to enable HTTPS by default.

Twitter, Facebook, and Microsoft’s e-mail service eventually did switch to HTTPS encryption by default. However, Yahoo continued to expose its customers’ private information not only to hackers using tools like Firesheep, but also to governments around the world that are capable of intercepting the communications of their own citizens. In January of this year the company finally announced an opt-in encryption setting, which few users were likely to use.

Yahoo ignored not just strong words from an FTC commissioner and a letter from a U.S. senator, but also a public plea from human rights groups. What made the company finally decide to use HTTPS by default was a Washington Post story revealing that the NSA was intercepting nearly half a million of Yahoo users’ unencrypted webmail address books per day.

Shortly after the news broke, Yahoo CEO Marissa Mayer proclaimed that “there is nothing more important to us than protecting our users’ privacy.” If that’s the case, why did it take the disclosures of Edward Snowden for the company to finally deliver industry-standard Web encryption? Why didn’t the company protect its customers from hackers using tools like Firesheep, or from the deep packet inspection equipment that we have long known governments around the world are using?

The answer is that they didn’t care—until their utter failure to deploy basic Web security was featured on the front page of the Washington Post.

Yahoo isn’t the only company to up its game in response to the Snowden disclosures. Indeed, many of the big cloud computing companies—including Google, Facebook, Yahoo, Microsoft, and others—have started to encrypt information between data centers. They have also increased the size of their encryption keys and switched to encryption algorithms that offer “perfect forward secrecy.”

The EFF’s “Encrypt the Web” report reflects the rapid embrace of security technologies by major companies. However, were it not for Snowden’s whistle-blowing and the brave decision by journalists to reveal technical details about some of the NSA’s activities, it’s doubtful that many companies would have made these security improvements.

For that reason alone, we owe Edward Snowden our thanks.

Christopher Soghoian is principal technologist with the American Civil Liberties Union’s Speech, Privacy, and Technology Project.  Soghoian was recognized as one of MIT Technology Review’s Innovators Under 35 in 2012.

Keep Reading

Most Popular

A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook?

Robot vacuum companies say your images are safe, but a sprawling global supply chain for data from our devices creates risk.

A startup says it’s begun releasing particles into the atmosphere, in an effort to tweak the climate

Make Sunsets is already attempting to earn revenue for geoengineering, a move likely to provoke widespread criticism.

10 Breakthrough Technologies 2023

Every year, we pick the 10 technologies that matter the most right now. We look for advances that will have a big impact on our lives and break down why they matter.

These exclusive satellite images show that Saudi Arabia’s sci-fi megacity is well underway

Weirdly, any recent work on The Line doesn’t show up on Google Maps. But we got the images anyway.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.