A View from Christopher Soghoian

Snowden’s Leaks Have Finally Forced Companies to Enhance Their Security

Revelations about NSA surveillance have prompted Yahoo, Microsoft, and other companies to deploy long-overdue security improvements.

December 17, 2013

Last week, Google, Microsoft, and five other leading Web companies formally requested that the U.S. government rein in its use of dragnet surveillance. These companies don’t have to wait for the government to act, though. Encryption technology can protect the privacy of innocent users from indiscriminate surveillance, but only if tech companies deploy it. In the wake of the Snowden disclosures, they are starting to do so. It shouldn’t have taken them this long.

In October of 2010, security researcher Eric Butler released an easy-to-use tool designed to hack into the webmail accounts of people using public Wi-Fi networks. Butler’s Firesheep wasn’t the first technology to make Wi-Fi sniffing possible, but it made it easy to intercept e-mails and documents, and even to capture authentication cookies that could be used at a later time to log in to a victim’s account.

Firesheep exploited the fact that most webmail and social networking sites at the time served their pages over unencrypted HTTP, so the session cookie that proved a user was logged in crossed the network in cleartext on every request. Many sites encrypted only the login form, and the rest offered full-session HTTPS only to users who enabled an obscure configuration option most people were unaware of. Anyone on the same network could copy that cookie and present it to the site as if they were the victim.
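To make concrete what a passive sniffer recovers from cleartext HTTP and what the fix on the server side looks like, here is an added example (written for this page, not Firesheep's code or any site's actual configuration). The captured request and the two server responses are constructed for the example, and the list of cookie names treated as session identifiers is a heuristic chosen here; Firesheep used per-site handlers instead.

```python
"""
Why plaintext HTTP made Firesheep possible, and what a hardened response looks like.
All traffic below is constructed for this example.
"""
from typing import Dict, List

# Constructed sample: a request as it would appear to anyone sniffing the
# same Wi-Fi network. Over HTTP every byte, cookie included, is readable.
CAPTURED_HTTP_REQUEST = (
    b"GET /mail/inbox HTTP/1.1\r\n"
    b"Host: webmail.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: sid=8f3c2a91e0b7d45c; lang=en; theme=light\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

# Constructed server responses: the weak one leaves the session cookie exposed,
# the hardened one marks it Secure/HttpOnly and enforces HTTPS via HSTS.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: sid=8f3c2a91e0b7d45c; Path=/\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: sid=8f3c2a91e0b7d45c; Path=/; Secure; HttpOnly\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Heuristic list of cookie names that usually carry the login session
# (an assumption for this example; real tools know each site's cookie names).
SESSION_COOKIE_NAMES = {"sid", "sessionid", "phpsessid", "jsessionid", "auth"}


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Split a raw HTTP message head into a lower-cased name -> values map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def sniff_session_cookies(raw_request: bytes) -> Dict[str, str]:
    """What a passive sniffer gets from one cleartext request: the cookies
    that identify the logged-in session, ready to be replayed later."""
    stolen: Dict[str, str] = {}
    for cookie_header in parse_headers(raw_request).get("cookie", []):
        for pair in cookie_header.split(";"):
            if "=" in pair:
                name, value = pair.strip().split("=", 1)
                if name.lower() in SESSION_COOKIE_NAMES:
                    stolen[name] = value
    return stolen


def build_replay_request(stolen: Dict[str, str], host: str, path: str) -> bytes:
    """Forge a request carrying the stolen cookie. The server cannot distinguish
    it from the victim's own traffic, which is the whole point of the attack."""
    cookie = "; ".join(f"{k}={v}" for k, v in stolen.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n".encode()


def audit_set_cookie(raw_response: bytes) -> List[str]:
    """Defender's check: list the ways a response leaves the session exposed.
    An empty list means the cookie is HTTPS-only and HSTS is enforced."""
    headers = parse_headers(raw_response)
    findings: List[str] = []
    for sc in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in sc.split(";")]
        name = attrs[0].split("=", 1)[0]
        if name not in SESSION_COOKIE_NAMES:
            continue
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure (browser will send it over HTTP)")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header (HTTPS not enforced)")
    return findings


if __name__ == "__main__":
    stolen = sniff_session_cookies(CAPTURED_HTTP_REQUEST)
    print("sniffed:", stolen)
    print(build_replay_request(stolen, "webmail.example.com", "/mail/inbox").decode())
    print("weak response:", audit_set_cookie(WEAK_RESPONSE))
    print("hardened response:", audit_set_cookie(HARDENED_RESPONSE))
```

The `Secure` attribute stops the browser from ever sending the cookie over plain HTTP, and `Strict-Transport-Security` stops the browser from making plain HTTP requests to the site at all, which is what "HTTPS by default" has to mean in practice: an opt-in setting that most users never find leaves the cookie on the wire exactly as in the captured request above.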

Google embraced encryption by default for its Gmail service a few months before Firesheep was released. Other major Web companies ignored calls from Pamela Jones Harbour, a commissioner with the Federal Trade Commission, for them to follow suit. One year later (soon after Firesheep was written about in the New York Times), Senator Chuck Schumer wrote a letter to Yahoo, Amazon, and Twitter urging them to enable HTTPS by default.

Twitter, Facebook, and Microsoft’s e-mail service eventually did switch to HTTPS encryption by default. However, Yahoo continued to expose its customers’ private information not only to hackers using tools like Firesheep, but also to governments around the world that are capable of intercepting the communications of their own citizens. In January of this year the company finally announced an opt-in encryption setting, which few users were likely to use.

Yahoo ignored not just strong words from an FTC commissioner and a letter from a U.S. senator, but also a public plea from human rights groups. What made the company finally decide to use HTTPS by default was a Washington Post story revealing that the NSA was intercepting nearly half a million of Yahoo users’ unencrypted webmail address books per day.

Shortly after the news broke, Yahoo CEO Marissa Mayer proclaimed that “there is nothing more important to us than protecting our users’ privacy.” If that’s the case, why did it take the disclosures of Edward Snowden for the company to finally deliver industry-standard Web encryption? Why didn’t the company protect its customers from hackers using tools like Firesheep, or from the deep packet inspection equipment that we have long known governments around the world are using?

The answer is that they didn’t care—until their utter failure to deploy basic Web security was featured on the front page of the Washington Post.

Yahoo isn’t the only company to up its game in response to the Snowden disclosures. Indeed, many of the big cloud computing companies—including Google, Facebook, Yahoo, Microsoft, and others—have started to encrypt information as it travels between their data centers. They have also increased the size of their encryption keys and switched to TLS cipher suites that use ephemeral key exchange and so offer “perfect forward secrecy,” meaning that a server key obtained later cannot be used to decrypt traffic recorded earlier.

The EFF’s “Encrypt the Web” report reflects the rapid embrace of security technologies by major companies. However, were it not for Snowden’s whistle-blowing and the brave decision by journalists to reveal technical details about some of the NSA’s activities, it’s doubtful that many companies would have made these security improvements.

For that reason alone, we owe Edward Snowden our thanks.

Christopher Soghoian is principal technologist with the American Civil Liberties Union’s Speech, Privacy, and Technology Project. Soghoian was recognized as one of MIT Technology Review’s Innovators Under 35 in 2012.
