Which Major Companies Actually Encrypt Your Data
from the good-for-them dept
With so much recent concern about how the NSA and GCHQ (and, likely, others) basically look at unencrypted traffic as an easy way to hack into your data, it's becoming increasingly important for the big companies which manage tremendous amounts of the public's personal data to encrypt as much as possible. The folks over at the EFF have now put together a sort of crypto report card on which major companies are actually encrypting everything they can.The results are a little disappointing. Only four companies -- Dropbox, Google, SpiderOak and Sonic.net -- got a perfect score on the five categories measured. Twitter is pretty close (and the only thing it's missing, STARTTLS, really would only matter if it were offering email, which it doesn't, other than to employees) while the rest still have a fair bit of work to do. The incumbent access providers -- AT&T, Verizon and Comcast -- don't appear to care nearly enough about security at all. That's why it's little surprise that the NSA's deals with at least AT&T and Verizon are a major source of information. Once again, I'm rather happy I'm a Sonic.net customer for my internet access these days.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: encryption, privacy
Companies: at&t, comcast, dropbox, eff, google, sonic.net, spideroak, twitter, verizon
Reader Comments
Subscribe: RSS
View by: Time | Thread
The MAIN problem is that they HAVE and LOOK at your data!
BESIDES, THEY'LL SELL NSA WHATEVER INFO THEY HAVE SO DOESN"T MATTER WHETHER THEY ENCRYPT EXTERNALLY OR NOT!
Taglines cover the rest.
Worse than being censored on the net is being advertised. You can escape censorship with your ideas intact; advertising uses lures and tricks to re-shape your very mind.
Google's ability to target you for advertising is EXACTLY what NSA needs to target you as political dissident, NOT coincidentally.
[ link to this | view in thread ]
Re: The MAIN problem is that they HAVE and LOOK at your data!
The big Telcos handed practically everything over for 30 shiny silver pieces. But as the services became encrypted so that shiny silver was out of their reach.
Skype and 'project Chess' came along next to tap Skype.
Microsoft backdooring its cloud services for the NSA.
http://www.nbcnews.com/technology/microsoft-let-nsa-bypass-encryption-mail-chats-cloud-storage-s ays-6C10607490
And lots of free apps and cloud services started appearing, some with CIA funding (InQTel) offering storage of business data, video, IP surveillance, exactly the sort of thing the NSA wants to grab in a 5 eyes jurisdiction with a cooperative management.
https://en.wikipedia.org/wiki/In-Q-Tel
Then there's the VOIP apps that can't pay for their servers because they make no money, and yet somehow do pay for their servers.
And the free messaging apps that pay the bills and keep the lights on by magic.
Then there's the Snowden leaks showing NSA has lots of VOIP data, somehow by magic.
The problem here is the market the NSA created.
[ link to this | view in thread ]
Re: The MAIN problem is that they HAVE and LOOK at your data!
But it involves you taking responsibility for your own security and crypto keys, which maybe is too much to ask.
https://crypto.cat/
Encrypting Facebook a start.
http://www.spacenext.com/encrypt-facebook.php
http://www.abine.com/blog/2011/how-encryption-can -keep-facebook-from-snooping-in-your-chats/
http://www.spicytricks.com/tips/send-secret-encrypted-mes sagesemails-facebookgmail-chrome
Encrypting cloud storage.
http://www.pcworld.com/article/2010296/how-to-encrypt-your-cloud-storage-for-free.html
http:/ /lifehacker.com/5794486/how-to-add-a-second-layer-of-encryption-to-dropbox
No service ever will be willing to take a bullet for ya, so don't ask, do something yourself and stop complaining, take responsibility.
[ link to this | view in thread ]
Logos
[ link to this | view in thread ]
Twitter does have email
In my experience, Twitter sends you an email every time anyone shares your tweet, every time anyone replies to your tweet, and sometimes just for the heck of it ("we noticed we did not send you an email for some time, so here are some random tweets you might or might not like"). These emails should be protected, since they can reveal the email address corresponding to your twitter account.
[ link to this | view in thread ]
Re: Logos
It is as if Apple wants to be Prince in the nineties it strikes me as a bad strategy to be known as a symbol without some official text version available for these purposes.
[ link to this | view in thread ]
Re: Re: Logos
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
It's there.
[ link to this | view in thread ]
Re: Re: Re: Logos
SpiderOak
[ link to this | view in thread ]
Re:
I'd like to see Cox.net, but figure they are also in the red for most of this. There are a bunch of other providers that aren't on the list either: T-Mobile, Sprint, Time Warner, etc.
[ link to this | view in thread ]
A Home E-Mail Server (to Anonymous Coward, #3)
The advantage of SSL over conventional e-mail encryption is that it is real-time, that the computers can negotiate encryption protocols without knowing, a priori, what the other side can use. This, however, means that the place where e-mail is stored has to be physically secure. How you deal with physical burglars is your own affair.
I don't see why such a device couldn't be inexpensively packaged up, and easy to use. The Raspberry Pi, which is the basis of the Onion Pi, costs about twenty-five dollars, and that rises to a hundred dollars, when a box, a power supply, a W-Fi unit, a development kit, and a subsidy to the TOR Foundation are bundled with it. Making it do E-mail as well is just a matter of adding software.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: A Home E-Mail Server (to Anonymous Coward, #3)
There are a number of "prepackaged" systems available, but I don't recommend them for one simple reason: configuring these things requires a fair amount of technical knowledge and can't really be automated.
For example, setting up a proper email server isn't just a matter of installing the software. You have to coordinate with other email servers, register proper DNS records, and so forth. It can be a bit complex. You can end up with a mail server that technically works, but violates security requirements such that you end up getting blacklisted.
So, prepackaged or not, the average user won't be able to set them up properly. And if you have the necessary technical knowledge, then you know don't want to use the prepackaged stuff anyway.
A better idea is to hire someone to set the systems up for you.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: A Home E-Mail Server (to Anonymous Coward, #3)
You can just secure any information you put in the wild it is a lot more easier.
Secure the data not the service.
[ link to this | view in thread ]
Re: Re: A Home E-Mail Server (to Anonymous Coward, #3)
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: A Home E-Mail Server (to Anonymous Coward, #3)
Also, encryption doesn't help you if the encryption scheme gets broken or a vulnerability is discovered, as happened recently (thanks, NSA).
Just encrypting everything and still using third party servers can be a reasonable compromise, but it is still a compromise. Personally, that's a compromise that still leaves me feeling too vulnerable.
[ link to this | view in thread ]
Re: Re: Re: A Home E-Mail Server (to Anonymous Coward, #3)
"Secure" and "someone else's server" are two things that don't really go together.
[ link to this | view in thread ]
Re: Re: A Home E-Mail Server (to Anonymous Coward, #3)
The sending client would contact the sending public server, which has a domain name, and a certificate, would establish a secure connection, and do a login. It would then tell the sending public server which recipient public server it wanted to talk to. The sending public server would contact the recipient public server, establish a secure connection with certificates at both ends, vouch for the sending client, and create a channel running through itself from the sending client to the recipient public server. It would also provide a channel which could be used to validate itself.
The sending client and the recipient public server would then establish a secure connection, with the recipient public server's certificate. The sending client would tell the recipient public server what e-mail address it wanted to send a message to. The process would be repeated with the recipient home server, which would also have a certificate. The mail protocol would have to be adapted to deal with this kind of thing, there would have to be modes of fall-back to standard e-mail transmission, and so on.
When all this cryptography has taken place, the sending public server knows that the client has sent an e-mail to someone on the receiving public server, but not to which account, or what the message is. The receiving public server knows that someone, with an account on the sending public server has sent an e-mail to a known account on the receiving public server, but not who the sender was, or what the message was. They know just enough to control spam, but no more. The recipient home server has the message, and knows from the sending public server which account it came from. The sending client knows that the message was sent to the stated address, which is additionally validated by the recipient's certificate.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]