Can better encryption from Yahoo and others stop the NSA?

Let the NSA keep spying. The tech industry, fed up with the world’s biggest spy agency’s secret intrusions into its servers and systems, clearly intends to lock the backdoors on its own – but will it work?

On Thursday, Yahoo’s freshly appointed Chief Information Security Officer – on the job for just four weeks now – explained how it was boosting security for its users, largely in response to the revelations of government snooping. Alex Stamos wrote that his team was in the middle of a “massive project” involving end-to-end encryption of traffic between Yahoo’s data servers, as well as encryption of Yahoo Messenger and even the search queries people type into the front page.

If you want to look for info on Justin Bieber, Yahoo believes the government doesn’t need to know about it. (But seriously, stop doing that.)

“Hundreds of Yahoos have been working around the clock over the last several months to provide a more secure experience for our users and we want to do even more moving forward. Our goal is to encrypt our entire platform for all users at all time, by default,” Stamos wrote in a blog post.

Other tech giants have expressed the same goals, encrypting the back-end channels and server chatter that the NSA has tapped to read “metadata.” Frankly, this kind of metadata is just as revealing for the NSA as reading our emails and listening in on our phone calls would be.

If Facebook, Microsoft, Yahoo, Google, and the others lock down enough of those back doors, will they be able to prevent the spying we’ve all become so fed up with? Security experts will tell you that Yahoo’s long-overdue move is a step in the right direction – end-to-end encryption, to prevent confidential data from being casually spied upon, especially with the “forward secrecy” Yahoo said it’s turning on, which should add an extra level of security.

The Electronic Freedom Foundation (EFF) applauded Yahoo’s effort in its “Encrypt the Web” call to action, and noted that many companies including Facebook, Dropbox, Twitter, and Microsoft have adopted the group’s best-practices policies.

“By enabling encryption across their networks, service providers can make backdoor surveillance more challenging, requiring the government to go to courts and use legal process,” the group wrote in a recent update.

But given enough money and resources, which agencies like the NSA have in spades, it’s unclear whether any level of encryption is enough. The NSA prides itself on being able to break through encryption, and when it can’t, it creates other ways around it – even going so far as to fake Facebook servers recently.

Google’s Larry Page, at a March appearance at the TED conference in Vancouver, said he thought this level of nefariousness was a threat to democracy.

“I don’t think we can have a democracy if we’re having to protect you and our users from the government for stuff that we never had a conversation about,” he told interviewer Charlie Rose.

While Google, Microsoft, Yahoo, Facebook, and the rest recently convinced the government to allow them to release some statistics on the NSA’s spying, it’s hardly the level of transparency that we need.

Encryption is a start. It’s an important step. But to really keep the snoops out of our data, we need to stop them from prying in the first place.

Jeremy Kaplan
As Editor in Chief, Jeremy Kaplan transformed Digital Trends from a niche publisher into one of the fastest growing…