Companies adopt better security hygiene in wake of mass surveillance disclosures
This post received contributions from Amie Stepanovich and Michael Carbone
In the aftermath of 2013’s disclosures on government mass surveillance, there’s a simple piece of “low-hanging fruit” for protecting users. The majority of internet traffic — our emails, searches, chats, website visits, and more — remains unencrypted and vulnerable to prying eyes.
The difference between unencrypted and encrypted content and traffic is like the difference between sending a postcard and sending a letter: with unencrypted traffic, it is trivially easy to look at what your messages say. When services don’t encrypt data, it means that government officials and other actors can access your personal communications with very little effort and no legal process. Given what we know about the bad actors vacuuming up all the information they can get their hands on, there’s no excuse for plaintext in this day and age.
A brief history of platform encryption
Luckily, many companies agree. When Google started turning on encryption by default back in 2010, they were an outlier. Now encryption is increasingly the norm, and in the past year in particular, a number of leading internet platforms have implemented security practices to make it harder to gain unauthorized access to user data.
In 2010, Google led the way by turning on encryption by default for all Gmail users, providing greater protection for users as they drafted, sent, and stored their email. Microsoft’s email service, Outlook, followed suit in 2012. Facebook began offering encrypted sessions to users in 2011, though it wasn’t provided by default until 2013. These giants, with their massive engineering resources, have invested in the cost and effort of security.
But in 2013, we learned that even these efforts weren’t enough to protect user data from the NSA — an adversary so powerful that Microsoft described it as a ‘potential’ advanced persistent threat, an inflammatory designation usually reserved for exceptionally skilled and ill-intentioned adversaries, such as Chinese or Russian hackers.
After the NSA
As a result, several companies have taken an even closer look at their security practices. In a world where one of the most important — and difficult — challenges is protecting user data sent and stored online, these companies continue to make it harder for government authorities or third parties to gain unauthorized access to personal information.
Beginning in January 2014, Yahoo! joined Google and Microsoft in encrypting all email traffic by default. Like Facebook in 2011, Yahoo! has offered encrypted email since 2013. However, the company only turned it on by default following reports that the service’s lax security practices had been a prime target for government intelligence agencies, including the NSA and GCHQ.
In mid-January 2014, Twitter quietly began implementing transport layer security (TLS) for its communications to users; STARTTLS encrypts emails from the sender’s email provider to the recipient’s email provider (but only if the email providers support the TLS protocol). This is the latest round of improvements to Twitter’s security: starting in May 2013, Twitter followed Google and Facebook’s lead, rolling out two-factor authentication to prevent user accounts from being accessed without permission.
Google’s efforts for Chinese users
Just last week, Google — long a leader in implementing improved security practices across its platforms — announced it will start encrypting Google Search connections for users in China by default. Users accessing google.com.hk will now see their connections protected by HTTPS, which has been the default setting on Google’s Search homepages outside of China since late 2011. This will help ensure that the web searches of users cannot by default be seen by internet cafes, service providers, or other intermediaries.
Ensuring HTTPS by default has long been a key issue for Access (see our Demand HTTPS campaign and HTTPS Now, a resource launched by Access and EFF), and we appreciate Google’s efforts to protect Chinese users. Moving to HTTPS by default across all services and regions is an important step forward for all companies.
Action and caution are still needed
However, we feel compelled to also offer caution: the Chinese government may still be able to sidestep Google’s encryption by forcing users to use a degraded, non-encrypted HTTP version of the site. Therefore, we urge companies including Google to implement HTTP Strict Transport Security (HSTS), which cannot be downgraded to a non-encrypted connection. Some privacy-focused search engines such as DuckDuckGo and Ixquick have already implemented HSTS to provide this extra layer of security for users.
Users should also be vigilant: make sure you check for the ‘lock icon’ in your web browser’s address bar, and the “S” in “HTTPS” on websites you visit, as in “https://www.google.com.hk.” If you only see HTTP, your connection is insecure. We strongly recommend installing the EFF’s HTTPS Everywhere add-on to your web browser in order to force your browser to always visit the secure version of a website, if available.
More broadly, we welcome and encourage the increased discussion on enhancing encryption in the area of internet standards and protocols. For example, recent efforts on encrypting the web from the Internet Engineering Task Force (IETF) — a group that plays a key role in advising on internet standards — are incredibly important. To track which companies are doing what, check out the EFF’s Encrypt the Web Report.
The Digital Security Action Plan
These actionable security upgrades are in line with Access’ recently launched campaign, Encrypt All The Things. The centerpiece of the Encrypt All the Things campaign is the “Data Security Action Plan,” seven security-enhancing steps that every internet platform should take to increase the level of protection for information sent and stored on the internet. These protections will help prevent unauthorized access to user data, and move state actors such as the NSA and other intelligence and law enforcement agencies toward using proper, legal channels to obtain personal information.
At the same time, it is also crucial for companies to adopt better data privacy hygiene, and focus on “collecting fewer things.” Basic data protection principles, such as those discussed and promoted by the European Parliament’s recent Data Protection Reform efforts, will go a long way to reducing the privacy risk for users. These steps include, but are not limited to, data minimisation, giving users more control over their data (including data portability, right to access, and erasure), and implementing privacy by design and by default.
So far, the Data Security Action Plan, or “DSAP7,” has public support from companies like Twitter, DuckDuckGo, Ixquick, and KeepSafe, as well as the Electronic Frontier Foundation, the Open Technology Institute at the New America Foundation, and other civil society groups.
Individuals can become supporters of the campaign at www.encryptallthethings.net, and companies can be added to the website by contacting Access at info [at] accessnow [dot] org.