
Tuesday, April 22, 2014         

NEW YORK TIMES



Internet firms step up efforts to stop snoops

By Nicole Perlroth and Vindu Goel

New York Times


SAN FRANCISCO » When Marissa Mayer, Yahoo's chief executive, recently announced the company's biggest security overhaul in more than a decade, she did not exactly receive a standing ovation.

Ordinary users asked Mayer why Yahoo was not doing more. Privacy activists were more blunt.

"Even after today's announcement, Yahoo still lags far behind Google on web security," said Christopher Soghoian, a technology analyst at the American Civil Liberties Union.

For big Internet outfits, it is no longer enough to have a fast-loading smartphone app or cool messaging service. In the era of Edward J. Snowden and his revelations of mass government surveillance, companies are competing to show users how well their data is protected from prying eyes, with billions of dollars in revenue hanging in the balance.

On Thursday, Microsoft will be the latest technology company to announce plans to shield its services from outside surveillance. It is in the process of adding state-of-the-art encryption features to various consumer services and internally at its data centers.

The announcement follows similar efforts by Google, Mozilla, Twitter, Facebook and Yahoo in what has effectively become a digital arms race with the National Security Agency as the companies react to what some have called the "Snowden Effect."

While security has long simmered as a concern for users, many companies were reluctant to employ modern protections, worried that upgrades would slow down connections and add complexity to their networks.

But the issue boiled over six months ago, when documents leaked by Snowden described efforts by the NSA and its intelligence partners to spy on millions of Internet users. More than half of Americans surveyed say NSA surveillance has intruded on their privacy rights, according to a Washington Post-ABC News poll conducted in November.

The revelations also shook Internet companies, which have been trying to reassure customers that they are doing what they can to protect their data from spying. They have long complied with legal orders to hand over information but were alarmed by more recent news that the NSA was also accessing their data without their knowledge.

"We want to ensure that governments use legal process rather than technological brute force to obtain customer data -- it's as simple as that," said Bradford L. Smith, Microsoft's general counsel, in an interview.

Smith said his company would also open "transparency centers" where foreign governments can inspect the company's code in an effort to assure them that it does not plant back doors for spy agencies in its products.

Already, the Snowden revelations threaten to erode the market share of U.S. technology companies abroad.

In India, government officials are barred from using email services that have servers in the United States. In Brazil, lawmakers are pushing for laws that would force foreign companies to spend billions redesigning their systems -- and possibly the entire Internet -- to keep Brazilian data from leaving the country.

Forrester Research projected the fallout could cost the so-called cloud computing industry as much as $180 billion -- a quarter of its revenue -- by 2016.

"The world is quickly being divided into companies that are secure and companies that are not," said Bhaskar Chakravorti, a dean of international business and finance at the Fletcher School at Tufts University.

One by one, technology companies have been scrambling to plug security holes.

The best defense, security experts say, is using Transport Layer Security, a type of encryption familiar to many through the "https" and padlock symbol at the beginning of Web addresses that use the technology. It uses a long sequence of numbers -- a master key -- that scrambles sensitive data such as passwords, credit card details, intellectual property and personal information between a user and a website while in transit.

Banks and other financial sites have used such security for years, and Google and Twitter along with Microsoft's email service made it standard long ago. Facebook adopted https systemwide this year. And Mayer said Yahoo would finally allow consumers to encrypt all their Yahoo data in January.

But as many sites move to https, security experts say more advanced security measures are needed. If a government can crack the master key -- or obtain it through court orders -- it could go back and decrypt past communications for millions of users.

That's why companies like Google, Mozilla, Facebook and Twitter have added another layer of protection, called Perfect Forward Secrecy. That technology adds a second lock to each user's transmissions, with the key changed frequently. Microsoft plans to add the encryption method next year, but Yahoo has not said whether it will add it.

"Perfect Forward Secrecy is a billion different secrets, and it's not protected by one central secret," said Scott Renfro, a Facebook software engineer who works on the company's security infrastructure.

So even if an outsider obtained the master key, it would still have to crack the other keys, over and over again.

"This type of protection should have been engineered into all web systems and all Internet systems to begin with," said Jacob Hoffman-Andrews, a Twitter engineer.

The technology has existed for two decades, but companies were slow to adopt it because it added complexity and introduced a delay to Internet transactions, which can encourage impatient users to flee for faster sites. But many of those issues were resolved by Google when it applied Perfect Forward Secrecy in 2011, said Adam Langley, a software engineer at the company. Google shared its improvements with the broader tech community.

Still, technical solutions can be trumped by law. While https and Perfect Forward Secrecy protect the data transmission, law enforcement agencies can still compel companies to hand the data over from their servers, where it is stored.

So Internet companies are trying to ensure they are at least blocking unauthorized access by addressing other security issues, including a hole that leaves users vulnerable at the very beginning of a site visit. When users want to log into, say, Google's Gmail, their Internet browser checks the site's security certificate to make sure it's not an impostor.

Some security experts believe that hackers are nearly capable of cracking the 1024-bit encryption keys that protect the certificates. But an industry standards group is requiring that, starting next year, all new and renewed certificate keys use 2048-bit encryption, which is far more difficult to break.

Ultimately, however, every security advance is met by new threats.

"Attacks don't get worse," Langley said. "They only get better."






COMMENTS
manakuke wrote:
Secure encryption was long overdue and needed. Guess those cut fiber cables in ‘Silicon Valley’ weren’t the usual suspects?
on December 5,2013 | 05:11AM