All Tech Considered
Thu June 12, 2014
How Well Do Tech Companies Protect Your Data From Snooping?
Originally published on Fri August 1, 2014 10:55 am
What happens to your information online? Is it safe? Is it private?
The answers depend in part on what services you use. So we set out to help you figure out the answers for yourself.
But you may have noticed there is a lot of stuff on the Internet, and I am sorry to say we didn't test it all.
Fortunately for you, we are not the only ones asking these questions. The Electronic Frontier Foundation surveyed big tech companies and asked them what kinds of encryption they've been using. And last week Google started naming and shaming email providers who were not encrypting email messages as they passed between companies.
We drew on their efforts and our own results to build this chart.
Enjoy. [And if you are wondering what HSTS or those percentages mean, there is an explanation at the bottom of the post.]
Now where did I put my invisibility cloak?
Update at 11:44 a.m. ET: Apple Now Says It's Working To Encrypt Email Between Providers
The Electronic Frontier Foundation has asked service providers to implement strong encryption. Here's what the EFF wants:
HTTPS by default. This means that when you connect to a website, it will automatically use a channel that encrypts the communications from your computer to the website.
HSTS (HTTP Strict Transport Security). Lots of services offer encrypted and unencrypted versions of the same website or service. HSTS basically forces the service to always use the encrypted secure option.
Forward secrecy. Sometimes called perfect forward secrecy, it uses a different cypher or code to encrypt messages on each session. This means that if the NSA or someone else cracks the code keeping one of your messages secure, they can't unravel everything you have ever written.
STARTTLS. If you are on Gmail and send me a message at my Yahoo account, those two email providers have to talk to each other. STARTTLS lets companies encrypt those messages in transit. But it is only possible if both companies use it. It takes two to tango — and Google recently started naming and shaming companies that are refusing to do this dance.
Encrypting email in transit. Lots of companies have announced this year that they will add encryption to their networks — including when they are sending email back and forth to other service providers. For this to work, both companies have to use encryption.
But, unfortunately, saying you'll do something and actually doing it are two different things. Google has started publishing the percentage of email it sends and receives from other providers that is actually encrypted. You'll see the numbers are all over the map. But one thing is clear: A lot more email traffic is encrypted today than a year ago, and since Google started publishing these numbers, the figures have shot up.
So, how did we pick what companies to test? We picked services we used or where we had interesting data and something useful to say. Largely this is stuff we use and were curious about.
Aren't Skype and WhatsApp owned by other companies? Yes, well, almost. Microsoft owns Skype, and Facebook's acquisition of WhatsApp hasn't closed yet. But we tested these services independently because mergers don't necessarily change how a company's technology works.
RENEE MONTAGNE, HOST:
If someone was watching your connection to the Internet, what would they see? That's the question NPR's Steve Henn and a team of security experts set out to answer this spring by tapping the Internet connection in Steve's home. They soon realized that in the years since Edward Snowden's first disclosures about the NSA became public, the fabric of the Internet has changed. Some of the biggest tech companies in the world have added new layers of security and encryption to some of their most widely used services, and while the team found that encryption is much more common online than it was just a year ago, it remains far from perfect. Here's Steve Henn.
STEVE HENN, BYLINE: A couple of years ago, it really wasn't that uncommon to hear founders in Silicon Valley joke that they'd know their company had made it when their app or service finally got hacked. Encryption was kind of expensive and a pain. And for most people, security just wasn't a priority here. But if you were hacked, that meant your service, your app, was big enough to be a target, which was a sign you'd made it. Recently, though, that attitude has changed.
DAVE PORCELLO: That was the biggest surprise to me - how much has changed, how much is now encrypted that was not encrypted pre-Snowden, about a year ago.
HENN: Dave Porcello is the founder of the security firm Pwny Express.
PORCELLO: From what I've seen, you know, most of these services were either not encrypted at all or only partially encrypting.
HENN: Then came Edward Snowden's leaks, revealing the global scale of the NSA's Internet surveillance.
NICK CARDOZO: In the wake of the Snowden revelations, the intelligence community has really lost the trust of American business.
HENN: Nick Cardozo is an attorney at the Electronic Frontier Foundation. He says...
CARDOZO: Silicon Valley companies have finally recognized that there is a market for privacy.
HENN: Today, as opposed to last year, billions of people care if their messages are kept safe. Now, encryption probably won't stop the NSA from reading your email if they're really going after you, but it makes mass surveillance much more expensive. Instead of just sucking up your messages and reading them, a security agency, like the NSA, actually has to make the effort to break the code that's protecting your data. That costs them money and takes time. Encryption also protects consumers from fraud, or hackers, or identity theft. And in the last year, companies have embraced it. Yahoo began encrypting email by default. Google added encryption between its data centers. Microsoft, Twitter and Facebook all took steps to make it harder for messages you send on their services to be intercepted, decoded and read. So when Dave Porcello at Pwny Express and Sean Gallagher, a reporter at the tech news site Ars Technica and I began tapping the Internet traffic into and out of my laptop and cell phone, we were kind of curious what we'd see.
SEAN GALLAGHER: Well, we were talking about how we had to hurry up and do this before everybody got encryption going.
PORCELLO: Yeah. (Laughing).
GALLAGHER: Because we thought we might not see anything, right?
GALLAGHER: But as it turned out, that wasn't an issue, really. I mean, if we had found nothing, that would have been great news. I would've been really happy if we found nothing.
PORCELLO: Some of these service providers that actually are claiming to do strict, consistent encryption, actually weren't.
HENN: It turns out companies can add encryption to their services but still leave you unprotected because other companies just don't play along. Google has something called a PREF cookie. I like to think of it as kind of a digital dog tag hanging around my neck. It's how the company knows it's me when I visit one of Google's websites or how they know it's you if you're visiting a site that uses Google's products. Here's Sean.
GALLAGHER: Remember, that information's encrypted when you're going to Google. But when you're going to an unencrypted website that's running Google ads, the cookie information isn't passed encrypted.
HENN: So that dog tag - when you go to some unencrypted sites, it's hanging around your neck, outside of your shirt. Anyone can read it. And Google isn't the only one hanging these things around your neck. Some Microsoft tags include your real name in clear text and a link to your Facebook profile picture. Honestly, it's less like a dog tag than a sandwich board. And now Microsoft says that cookie's being reviewed. But the NSA has the technical ability and, depending on who you are and where you live, the legal authority to suck up and read all of this stuff. They collect it. So they don't necessarily have to go to Google or anyone else and ask for your web history.
GALLAGHER: They don't. They don't have to ask Google for that. This is what the result of massive, passive surveillance is.
HENN: And unencrypted websites are not the only way our data is visible. There are bugs and mistakes. When I searched Google for a location, which should have been encrypted, my dog tag just popped out of my shirt.
GALLAGHER: Within search, it was sending your PREF ID and this unencrypted web request for Google Maps.
HENN: Now everyone could see not only who I was but also where I was going.
GALLAGHER: Yep. That is exactly what it was doing. It was sending your Google number.
HENN: We told Google about that bug, and they patched it right away. But there are lots of services that leak data this way. There's a weather app, which is built into every iPhone. It's powered by Yahoo, and it does almost the same thing, sending out your location data totally unencrypted. We called Yahoo, and they said just last month, they started offering an encrypted version. Now Apple is looking into using that instead. And then there are still the startups or the messaging apps.
PORCELLO: See what I can - let me see what I can find here.
HENN: We tested WhatsApp, and...
PORCELLO: Well, right away I can see my phone number, in clear text, being passed through.
PORCELLO: And then it says privacy, in clear text, and then my phone number. (Laughing).
HENN: WhatsApp is hardly alone. Snapchat data was revealing when minors were signing up for the service. Skype was leaking big chunks of its customers' address books. We reached out to all these companies for comments, too. Microsoft says, the problem with Skype's now been patched. Snapchat started encrypting information about kids after we called them. And WhatsApp said it's working on a fix. In the end, no big company was perfect. Everyone we examined had some little leaks. But Twitter was among the best. Bob Lord runs security there, but he bristled when I referred to the kind of encryption Twitter uses as a gold standard.
BOB LORD: It's not really correct to call anything a gold standard because what is the gold standard today will be viewed as obsolete next year.
HENN: Lord says, this is not like building a bridge. It's not like you hammer in the final rivet, and then you're done.
LORD: What we have to do in the security community is to continuously look at what's happening in the research space, take a look at what the code breakers are doing, and try to make sure that we are continuously moving the bar up. And that is - it is a never-ending journey.
HENN: He says huge parts of the Internet were built with information security and privacy as almost afterthoughts. Fixing that takes time and cooperation.
LORD: We make as best an effort as we can to encrypt all mail that leaves our data centers going to other major carriers.
HENN: But it takes two to tango. If the other company Twitter's sending your email to doesn't support encryption, it doesn't work. Your data seeps out. And all the data which leaks out around the edges of our communications - this data can form a detailed map of our lives, and anyone sophisticated enough can get their hands on it, including criminals or thieves. Steve Henn, NPR News, Silicon Valley.
MONTAGNE: This is NPR News. Transcript provided by NPR, Copyright NPR.