Yahoo, spying, responsibilities, and possibilities Thumbnail
Building Trust 5 October 2016

Yahoo, spying, responsibilities, and possibilities

By Olaf KolkmanPrincipal - Internet Technology, Policy, and Advocacy

In breaking news we learned that ‘Yahoo secretly scanned customer emails for U.S. intelligence’.

Frankly, that is not at all surprising to me. It is a testimony that end-to-end encryption is being deployed to such a level that the spy agencies need to go to the email providers in order to get what they need: the intermediaries or the end-stations. In fact, the Reuters article reporting on this says: “As tech companies become better at encrypting data, they are likely to face more such requests from spy agencies.”

Spyware and its risks

In complying with the intelligence service order the management seemed to have gone around Yahoo’s internal security staff and implemented a program that spied on its customers. There are legitimate questions around why Yahoo complied without questioning the order. It is clear that the rise of encryption has created important questions around responsibilities with respect to law enforcement and intelligence services. Since some may argue there is no societal consensus that this sort of spying is a good thing, those questions need to be answered in a public and transparent debate, not through applying pressure to companies behind closed doors.

One of the apparent reasons why Chief Security Officer Stamos left Yahoo is that he could not assume responsibility for the security hole that was created and impacted the users: ‘Due to a programming flaw […] hackers could have accessed the stored emails.’ The lesson to take out of this is that creating secretive backdoors is a recipe for disasters.

I have argued before that technology companies are in the best position to make their security assessments. And introducing this sort of complex programs into one’s infrastructure does not necessarily improve one’s security. While the timing of Yahoo’s ‘state sponsored’ security breach in 2014 is too early to be causally connected with the installation of the spy-programs in 2015, it is obvious that this sort of interception can have data theft as unwanted side effect.

On Email Encryption

Today, email transport encryption is on the rise due to the availability of IETF technologies like DANE combined with the fact that various entities, including governments, are pushing for the rollout of email transport encryption. However, the encryption of email messages themselves – the content – has not seen significant progress.

The analogy of the current state of e-mail encryption is that with e-mail we are shipping postcards. While they are in the postal bags being shipped from hub-to-hub, nobody can see what is written on them. But, in the sorting centers and after they’ve dropped on your doormat, everybody can read them. Now, with email being more and more consolidated to big email providers, that doormat is in fact on the webmail-frontend of the Yahoo’s, Google’s, and Microsoft’s of this world. As an aside, the Internet and its services have been designed to be highly distributed. This consolidation, creating obvious control points, is not an inherent part of the Internet’s design and even though the economics are not favorable, I continue to hope that that trend will be reversed sometime.

Back to e-mail confidentiality. It would be better if e-mail encryption would work truly end-to-end, as if we put our postcards in envelopes so that only the recipient can read our correspondence. That is possible. Technologies like S/MIME and PGP are readily available, and have been for decades, but are notoriously hard to use. The fact that many readers may have no idea what those two technology acronyms mean is testimony to the point. The type of usable end-to-end encryption that we see with messaging services is simply not available.

I am a strong proponent of seeing that sort of usable security making it to email and voice communication.

While we do not close our eyes to the impact of the rise of encryption on other societal needs, we at the Internet Society believe that encryption should be the norm for Internet traffic. We actively support projects and technologies that will bring about pervasive encryption as an answer to this kind of pervasive surveillance.

Getting usable email encryption solutions on the users end-devices, so that we can treat your phones, tablets, and computers as metaphorical doormats, is a topic that needs attention from the developers among you. In the meantime, you can only hope that your email provider challenges surveillance orders and enables encryption of the channels between the mail-exchanges (the sorting centers). You can check that yourself through the Internet.nl initiative. If entering your email address shows that a secure connection is not possible, give your provider a call. They are not up to par.

The bottom line is that this latest news about Yahoo should be a rallying cry for end users, developers and, yes, email providers, that usable end-to-end encryption should be available to all. And, as this news demonstrates, time is of the essence.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Building Trust 21 February 2020

NDSS 2020: The Best in Security Research – For the Good of the Internet

On 23 February, the 27th consecutive Network and Distributed System Security Symposium (NDSS) kicks off in San Diego, CA....

Building Trust 11 February 2020

Every Day Should Be Safer Internet Day

Safer Internet Day is an opportunity for people and organizations around the world to join forces in a series...

Building Trust 28 January 2020

This Data Privacy Day It’s the Little Things That Count

Today we’re celebrating Data Privacy Day, which is all about empowering people and organizations to respect privacy, safeguard data,...