Which Major Companies Actually Encrypt Your Data

from the good-for-them dept

With so much recent concern about how the NSA and GCHQ (and, likely, others) basically look at unencrypted traffic as an easy way to hack into your data, it's becoming increasingly important for the big companies which manage tremendous amounts of the public's personal data to encrypt as much as possible. The folks over at the EFF have now put together a sort of crypto report card on which major companies are actually encrypting everything they can.

The results are a little disappointing. Only four companies -- Dropbox, Google, SpiderOak and Sonic.net -- got a perfect score on the five categories measured. Twitter is pretty close (and the only thing it's missing, STARTTLS, really would only matter if it were offering email, which it doesn't, other than to employees) while the rest still have a fair bit of work to do. The incumbent access providers -- AT&T, Verizon and Comcast -- don't appear to care nearly enough about security at all. That's why it's little surprise that the NSA's deals with at least AT&T and Verizon are a major source of information. Once again, I'm rather happy I'm a Sonic.net customer for my internet access these days.

Hopefully this effort (and the ongoing concerns about the NSA, as well as outside hacking) will lead more companies to up their encryption game.

Filed Under: encryption, privacy
Companies: at&t, comcast, dropbox, eff, google, sonic.net, spideroak, twitter, verizon


Reader Comments


  • out_of_the_blue, 19 Nov 2013 @ 9:02pm

    The MAIN problem is that they HAVE and LOOK at your data!

    Listen, the NSA is truly NOT interested in much about any given person -- and use these mega-corporations as front-ends to filter (which is more economic spying than "terrorism") -- BUT the corporations use whatever they can get, by any means, collated and shared with every other corporation, and their purpose is to control your economic activity besides your mind, more or less: watching sports, for instance, is mindless, and serves the purposes of the State in keeping people from anything higher (it's the modern circuses).

    BESIDES, THEY'LL SELL NSA WHATEVER INFO THEY HAVE SO DOESN'T MATTER WHETHER THEY ENCRYPT EXTERNALLY OR NOT!

    Taglines cover the rest.

    Worse than being censored on the net is being advertised. You can escape censorship with your ideas intact; advertising uses lures and tricks to re-shape your very mind.

    Google's ability to target you for advertising is EXACTLY what NSA needs to target you as political dissident, NOT coincidentally.

    • Anonymous Coward, 19 Nov 2013 @ 9:29pm

      Re: The MAIN problem is that they HAVE and LOOK at your data!

      It's not limited to Google, when NSA created a market for business records, it really said "here's money, you corps find a way around the law to sell me that data".

      The big Telcos handed practically everything over for 30 shiny silver pieces. But as the services became encrypted so that shiny silver was out of their reach.

      Skype and 'project Chess' came along next to tap Skype.
      Microsoft backdooring its cloud services for the NSA.

      http://www.nbcnews.com/technology/microsoft-let-nsa-bypass-encryption-mail-chats-cloud-storage-says-6C10607490

      And lots of free apps and cloud services started appearing, some with CIA funding (InQTel) offering storage of business data, video, IP surveillance, exactly the sort of thing the NSA wants to grab in a 5 eyes jurisdiction with a cooperative management.

      https://en.wikipedia.org/wiki/In-Q-Tel

      Then there's the VOIP apps that can't pay for their servers because they make no money, and yet somehow do pay for their servers.

      And the free messaging apps that pay the bills and keep the lights on by magic.

      Then there's the Snowden leaks showing NSA has lots of VOIP data, somehow by magic.

      The problem here is the market the NSA created.

    • Anonymous Coward, 19 Nov 2013 @ 9:59pm

      Re: The MAIN problem is that they HAVE and LOOK at your data!

      You do know that you can encrypt every piece of information you send elsewhere right?

      But it involves you taking responsibility for your own security and crypto keys, which maybe is too much to ask.

      https://crypto.cat/

      Encrypting Facebook a start.

      http://www.spacenext.com/encrypt-facebook.php
      http://www.abine.com/blog/2011/how-encryption-can-keep-facebook-from-snooping-in-your-chats/
      http://www.spicytricks.com/tips/send-secret-encrypted-messagesemails-facebookgmail-chrome

      Encrypting cloud storage.
      http://www.pcworld.com/article/2010296/how-to-encrypt-your-cloud-storage-for-free.html
      http://lifehacker.com/5794486/how-to-add-a-second-layer-of-encryption-to-dropbox

      No service ever will be willing to take a bullet for ya, so don't ask, do something yourself and stop complaining, take responsibility.

      • Andrew D. Todd, 20 Nov 2013 @ 7:47am

        A Home E-Mail Server (to Anonymous Coward, #3)

        You can create a little home e-mail server, along lines analogous to a telephone answering machine. It would be more or less continuously connected to the network, and it would probably make sense to integrate it with Limor Fried's "Onion Pi" TOR-entry system, and a firewall. There might need to be some alterations to the SMTP protocol, to support multiple layers of SSL sessions, as a matter of enforcing need-to-know, and there would probably need to be a framework for the sending computer to prove that it is not a spammer by doing extensive computations. I don't think there would be any overwhelming difficulty about working out the details.

        The advantage of SSL over conventional e-mail encryption is that it is real-time, that the computers can negotiate encryption protocols without knowing, a priori, what the other side can use. This, however, means that the place where e-mail is stored has to be physically secure. How you deal with physical burglars is your own affair.

        I don't see why such a device couldn't be inexpensively packaged up, and easy to use. The Raspberry Pi, which is the basis of the Onion Pi, costs about twenty-five dollars, and that rises to a hundred dollars, when a box, a power supply, a Wi-Fi unit, a development kit, and a subsidy to the TOR Foundation are bundled with it. Making it do E-mail as well is just a matter of adding software.

        • John Fenderson, 20 Nov 2013 @ 9:59am

          Re: A Home E-Mail Server (to Anonymous Coward, #3)

          This is what I do -- I run all my own servers (email, file-sharing, web, cloud, etc.) from my home on my own machines specifically because it is literally impossible to trust in any third party servers, particularly in the US. The law doesn't allow trust.

          There are a number of "prepackaged" systems available, but I don't recommend them for one simple reason: configuring these things requires a fair amount of technical knowledge and can't really be automated.

          For example, setting up a proper email server isn't just a matter of installing the software. You have to coordinate with other email servers, register proper DNS records, and so forth. It can be a bit complex. You can end up with a mail server that technically works, but violates security requirements such that you end up getting blacklisted.

          So, prepackaged or not, the average user won't be able to set them up properly. And if you have the necessary technical knowledge, then you know you don't want to use the prepackaged stuff anyway.

          A better idea is to hire someone to set the systems up for you.

          • Matt S, 20 Nov 2013 @ 11:32am

            Re: Re: A Home E-Mail Server (to Anonymous Coward, #3)

            Great explanation. I wish more people understood this. It is the reason I created ThreadThat. I wanted to give the general public an easy way to participate in an encrypted solution without all the pain.

            • John Fenderson, 20 Nov 2013 @ 3:22pm

              Re: Re: Re: A Home E-Mail Server (to Anonymous Coward, #3)

              ThreadThat looks interesting, but still has the fatal flaw of being a third party server. The participant's data is held on ThreadThat servers (a commercial cloud offering like Amazon, I'm guessing).

              "Secure" and "someone else's server" are two things that don't really go together.

          • Andrew D. Todd, 20 Nov 2013 @ 4:02pm

            Re: Re: A Home E-Mail Server (to Anonymous Coward, #3)

            Well, as I see it, a home mail server would have to be something additional to the existing mail servers, not something in lieu of them. The sending mail client would not connect to the recipient's home mail server directly, but would go through the usual channels, with a series of encrypted sub-channels being created.

            The sending client would contact the sending public server, which has a domain name, and a certificate, would establish a secure connection, and do a login. It would then tell the sending public server which recipient public server it wanted to talk to. The sending public server would contact the recipient public server, establish a secure connection with certificates at both ends, vouch for the sending client, and create a channel running through itself from the sending client to the recipient public server. It would also provide a channel which could be used to validate itself.

            The sending client and the recipient public server would then establish a secure connection, with the recipient public server's certificate. The sending client would tell the recipient public server what e-mail address it wanted to send a message to. The process would be repeated with the recipient home server, which would also have a certificate. The mail protocol would have to be adapted to deal with this kind of thing, there would have to be modes of fall-back to standard e-mail transmission, and so on.

            When all this cryptography has taken place, the sending public server knows that the client has sent an e-mail to someone on the receiving public server, but not to which account, or what the message is. The receiving public server knows that someone, with an account on the sending public server has sent an e-mail to a known account on the receiving public server, but not who the sender was, or what the message was. They know just enough to control spam, but no more. The recipient home server has the message, and knows from the sending public server which account it came from. The sending client knows that the message was sent to the stated address, which is additionally validated by the recipient's certificate.

        • Anonymous Coward, 20 Nov 2013 @ 10:41am

          Re: A Home E-Mail Server (to Anonymous Coward, #3)

          Why?

          You can just secure any information you put in the wild; it is a lot easier.

          Secure the data not the service.

          • John Fenderson, 20 Nov 2013 @ 3:17pm

            Re: Re: A Home E-Mail Server (to Anonymous Coward, #3)

            Because there is more to security than just the question of whether or not other people can read the data. Security also includes things like preventing traffic analysis (encryption doesn't help with that), ensuring access to your data (you can't if you don't have physical control), being made aware of attempts to breach your security, etc.

            Also, encryption doesn't help you if the encryption scheme gets broken or a vulnerability is discovered, as happened recently (thanks, NSA).

            Just encrypting everything and still using third party servers can be a reasonable compromise, but it is still a compromise. Personally, that's a compromise that still leaves me feeling too vulnerable.

  • oxguy3, 19 Nov 2013 @ 11:35pm

    Logos

    How on earth did they manage to use Yahoo's new two-month-old logo in the same infographic as a logo that Apple hasn't used since 2002??? The logos for Dropbox, Google, Myspace, and Tumblr are all also outdated, and I don't even know where they got that wordmark for Twitter. I know the logos are a very minor part of this image, but why bother updating Yahoo's logo if you're gonna continue to use years old logos for everyone else?

    • Anonymous Coward, 20 Nov 2013 @ 5:37am

      Re: Logos

      The current official logo is just a black apple. The name got dropped in 2007. For the purpose of the table it was clearer to use the old logo that included the name and fit the space available.

      It is as if Apple wants to be Prince in the nineties. It strikes me as a bad strategy to be known as a symbol without some official text version available for these purposes.

  • Anonymous Coward, 20 Nov 2013 @ 3:29am

    Twitter does have email

    "Twitter is pretty close (and the only thing it's missing, STARTTLS, really would only matter if it were offering email, which it doesn't, other than to employees)"

    In my experience, Twitter sends you an email every time anyone shares your tweet, every time anyone replies to your tweet, and sometimes just for the heck of it ("we noticed we did not send you an email for some time, so here are some random tweets you might or might not like"). These emails should be protected, since they can reveal the email address corresponding to your twitter account.

  • BentFranklin, 20 Nov 2013 @ 6:40am

    Needs more Verizon.

    • BentFranklin, 20 Nov 2013 @ 6:41am

      Re:

      Doh, retract! Retract!

      It's there.

    • ltlw0lf, 20 Nov 2013 @ 7:06am

      Re:

      Needs more Verizon.

      I'd like to see Cox.net, but figure they are also in the red for most of this. There are a bunch of other providers that aren't on the list either: T-Mobile, Sprint, Time Warner, etc.

  • Anonymous Coward, 20 Nov 2013 @ 8:40am

    Yes, but among those are there companies that encrypt the data so they can sell it at full price to three letter agencies?

  • Anonymous Coward, 20 Nov 2013 @ 10:20am

    That doesn't matter if NSA and the FBI have access to the private keys

    • Anonymous Coward, 20 Nov 2013 @ 2:57pm

      Re:

      It does matter. If the "Forward Secrecy" column is green, even if they have access to the private keys, they are forced to do an active attack, which is more expensive and more detectable.

  • quawonk, 20 Nov 2013 @ 4:16pm

    And which of those companies secretly provide backdoors for the Gov? Probably all of them.

  • Cindy, 25 Nov 2013 @ 5:10am

    I must say I agree with @ Anonymous Coward ( though I don't know why you want to be called so, since your arguments are very much true ) ... Anywho, he or she is right, because each and every one of us can take responsibility and simply encrypt all the precious data, if it is indeed that precious. If you are not an IT guru, however, you can always resort to a solution that does use high encryption keys and techniques. Mine is Zoolz, and no I am not one of those spammers of theirs, so I will leave it to you to do your research about the software ;) Enjoy
