New York Times
POSTED: 01:30 a.m. HST, Dec 05, 2013
SAN FRANCISCO » When Marissa Mayer, Yahoo's chief executive, recently announced the company's biggest security overhaul in more than a decade, she did not exactly receive a standing ovation.
Ordinary users asked Mayer why Yahoo was not doing more. Privacy activists were more blunt.
"Even after today's announcement, Yahoo still lags far behind Google on web security," said Christopher Soghoian, a technology analyst at the American Civil Liberties Union.
For big Internet outfits, it is no longer enough to have a fast-loading smartphone app or cool messaging service. In the era of Edward J. Snowden and his revelations of mass government surveillance, companies are competing to show users how well their data is protected from prying eyes, with billions of dollars in revenue hanging in the balance.
On Thursday, Microsoft will be the latest technology company to announce plans to shield its services from outside surveillance. It is in the process of adding state-of-the-art encryption features to various consumer services and internally at its data centers.
The announcement follows similar efforts by Google, Mozilla, Twitter, Facebook and Yahoo in what has effectively become a digital arms race with the National Security Agency as the companies react to what some have called the "Snowden Effect."
While security has long simmered as a concern for users, many companies were reluctant to employ modern protections, worried that upgrades would slow down connections and add complexity to their networks.
But the issue boiled over six months ago, when documents leaked by Snowden described efforts by the NSA and its intelligence partners to spy on millions of Internet users. More than half of Americans surveyed say NSA surveillance has intruded on their privacy rights, according to a Washington Post-ABC News poll conducted in November.
The revelations also shook Internet companies, which have been trying to reassure customers that they are doing what they can to protect their data from spying. They have long complied with legal orders to hand over information but were alarmed by more recent news that the NSA was also accessing their data without their knowledge.
"We want to ensure that governments use legal process rather than technological brute force to obtain customer data -- it's as simple as that," said Bradford L. Smith, Microsoft's general counsel, in an interview.
Smith said his company would also open "transparency centers" where foreign governments can inspect the company's code in an effort to assure them that it does not plant back doors for spy agencies in its products.
Already, the Snowden revelations threaten to erode the market share of U.S. technology companies abroad.
In India, government officials are barred from using email services that have servers in the United States. In Brazil, lawmakers are pushing for laws that would force foreign companies to spend billions redesigning their systems -- and possibly the entire Internet -- to keep Brazilian data from leaving the country.
Forrester Research projected the fallout could cost the so-called cloud computing industry as much as $180 billion -- a quarter of its revenue -- by 2016.
"The world is quickly being divided into companies that are secure and companies that are not," said Bhaskar Chakravorti, a dean of international business and finance at the Fletcher School at Tufts University.
One by one, technology companies have been scrambling to plug security holes.
The best defense, security experts say, is using Transport Layer Security, a type of encryption familiar to many through the "https" and padlock symbol at the beginning of Web addresses that use the technology. It uses a long sequence of numbers -- a master key -- that scrambles sensitive data such as passwords, credit card details, intellectual property and personal information between a user and a website while in transit.
Banks and other financial sites have used such security for years, and Google and Twitter along with Microsoft's email service made it standard long ago. Facebook adopted https systemwide this year. And Mayer said Yahoo would finally allow consumers to encrypt all their Yahoo data in January.
But as many sites move to https, security experts say more advanced security measures are needed. If a government can crack the master key -- or obtain it through court orders -- it could go back and decrypt past communications for millions of users.
That's why companies like Google, Mozilla, Facebook and Twitter have added another layer of protection, called Perfect Forward Secrecy. That technology adds a second lock to each user's transmissions, with the key changed frequently. Microsoft plans to add the encryption method next year, but Yahoo has not said whether it will add it.
"Perfect Forward Secrecy is a billion different secrets, and it's not protected by one central secret," said Scott Renfro, a Facebook software engineer who works on the company's security infrastructure.
So even if an outsider obtained the master key, it would still have to crack the other keys, over and over again.
"This type of protection should have been engineered into all web systems and all Internet systems to begin with," said Jacob Hoffman-Andrews, a Twitter engineer.
The technology has existed for two decades, but companies were slow to adopt it because it added complexity and introduced a delay to Internet transactions, which can encourage impatient users to flee for faster sites. But many of those issues were resolved by Google when it applied Perfect Forward Secrecy in 2011, said Adam Langley, a software engineer at the company. Google shared its improvements with the broader tech community.
Still, technical solutions can be trumped by law. While https and Perfect Forward Secrecy protect the data transmission, law enforcement agencies can still compel companies to hand the data over from their servers, where it is stored.
So Internet companies are trying to ensure they are at least blocking unauthorized access by addressing other security issues, including a hole that leaves users vulnerable at the very beginning of a site visit. When users want to log into, say, Google's Gmail, their Internet browser checks the site's security certificate to make sure it's not an impostor.
Some security experts believe that hackers are nearly capable of cracking the 1024-bit encryption keys that protect the certificates. But an industry standards group is requiring that, starting next year, all new and renewed certificate keys use 2048-bit encryption, which is far more difficult to break.
Ultimately, however, every security advance is met by new threats.
"Attacks don't get worse," Langley said. "They only get better."