June 13, 2014


Are Tech Companies Doing Their Part to Keep Us Safe?

A story on NPR today caught my attention, as it focused on what happens to our private information online. Is it safe? In today’s digital world, can we really keep things private?

The reporters at NPR decided to put trusted services and companies to the test and find out who is doing a good job of keeping us safe, and who is making us vulnerable to cyber crimes and identity theft. A report by the Electronic Frontier Foundation (EFF), which surveyed big tech companies and asked them what kinds of encryption they’ve been using, spurred their investigation.

Emails that pass between different companies are only secure when both agree to encrypt that traffic. (You might recall that encryption made headlines last week too, as Google started naming and shaming email providers who did not encrypt messages.)

Spotlight On Major Web Services

Several months ago the EFF asked major Web service providers whether they were taking what the EFF considers to be the five steps that keep consumers’ data safe and secure. NPR followed up with executives from the service providers to see what they are doing now. Incredibly, some are still not using encryption. Others have made improvements, or have improvements in the works.

The list included: Amazon, Apple, AT&T, Comcast, Facebook, Google, LinkedIn, Microsoft, Pinterest, Skype, Snapchat, Twitter, WhatsApp, Yahoo!, and WordPress.

Here’s what NPR found out about Amazon, Apple, Facebook, Google, and Twitter:

Amazon

  • Encrypts data links: unknown
  • HTTPS: no
  • HSTS: no
  • Share of outgoing email encrypted: 37%
  • Share of incoming email encrypted: 50% – 99%

What they found: All pre-login browsing/shopping traffic is unencrypted, including all HTML content, images, etc. So if you search for a Nicolas Cage pillowcase, the NSA or your network administrator can see that. Amazon Web Services also provides hosting for thousands of companies. How AWS approaches encryption has ripple effects across the Internet. Right now, Amazon Web Services said, it offers its clients a variety of encryption choices.

Apple

  • Encrypts data links: unknown
  • HTTPS: yes (iCloud)
  • HSTS: no
  • Share of outgoing email encrypted: 0%
  • Share of incoming email encrypted: 0%

What they found: Apple encrypts iMessage from end to end. It recently announced it is taking steps to make it more difficult to track its users’ identity on Wi-Fi networks. However, Apple is one of the few global email providers based in the U.S. that is not encrypting any of its customers’ email in transit. This impacts users of me.com and mac.com email addresses. NPR found that many app installations and iOS updates are sent unencrypted to iPhones. The configuration files that let your telecom company control aspects of how your iPhone works are also unencrypted. Apple says these updates are authenticated and can’t be changed. All pre-login browsing/shopping traffic from the Apple Store is unencrypted, including all HTML content, images, etc. So if you are a huge Abba fan the NSA could find out.

Facebook

  • Encrypts data links: working on it
  • HTTPS: yes
  • HSTS: yes
  • Share of outgoing email encrypted: ?
  • Share of incoming email encrypted: 65%

What they found: The vast majority of Facebook content is encrypted. Facebook content and images are unencrypted on older Android phones running 4.1.1. Facebook said these older devices do not support encryption.

Google

  • Encrypts data links: yes
  • HTTPS: yes
  • HSTS: working on it
  • Share of outgoing email encrypted: 100%
  • Share of incoming email encrypted: 100%

What they found: Google says it’s been encrypting search results and search terms for years. But NPR found that searches for place names returned unencrypted location and map information. Google patched this bug. It was the first large company to announce it was encrypting its data while it was stored in corporate data centers.

Twitter

  • Encrypts data links: yes
  • HTTPS: yes
  • HSTS: working on it
  • Share of outgoing email encrypted: 100%
  • Share of incoming email encrypted: 100%

What they found: Twitter stood out as one of the best companies we tested in keeping user data secure. But NPR saw examples of Twitter sending links, cookies and unique session parameters in clear text. Twitter describes the process as a “never-ending journey … where [we] continually try to keep moving the bar up.”

Keeping Consumers Safe

According to NPR, the EFF has asked service providers to implement strong encryption. Here’s what the EFF wants:

HTTPS by default. This means that when you connect to a website, it will automatically use a channel that encrypts the communications from your computer to the website.

HSTS (HTTP Strict Transport Security). Lots of services offer encrypted and unencrypted versions of the same website or service. HSTS basically forces the service to always use the encrypted secure option.

Forward secrecy. Sometimes called perfect forward secrecy, it uses a different cipher or code to encrypt messages on each session. This means that if the NSA or someone else cracks the code keeping one of your messages secure, they can’t unravel everything you have ever written.

STARTTLS. If you are on Gmail and send me a message at my Yahoo account, those two email providers have to talk to each other. STARTTLS lets companies encrypt those messages in transit. But it is only possible if both companies use it. It takes two to tango — and Google recently started naming and shaming companies that are refusing to do this dance.

Encrypting email in transit. Lots of companies have announced this year that they will add encryption to their networks—including when they are sending email back and forth to other service providers. For this to work both companies have to use encryption.
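As an added example (not part of the NPR story or the EFF survey), the following Python checks two of the criteria above offline against constructed sample responses: whether an HTTPS response carries an HSTS header with a meaningful max-age, and whether a mail server's reply to EHLO advertises STARTTLS. The six-month max-age threshold and the hostname in the samples are assumptions.

```python
import re

# Constructed sample: the relevant headers of an HTTPS response.
SAMPLE_HTTP_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Constructed sample: a mail server's multi-line reply to EHLO, with and without STARTTLS.
SAMPLE_EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
SAMPLE_EHLO_NO_STARTTLS = "250-mail.example.test Hello\r\n250 8BITMIME\r\n"

def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip('"').isdigit():
            result["max_age"] = int(arg.strip('"'))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result

def hsts_status(headers):
    """Classify a response as 'missing' (no HSTS), 'weak' (short max-age) or 'ok'."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"
    parsed = parse_hsts(value)
    # Assumed threshold: a policy shorter than six months (15552000 s) lapses too quickly.
    if parsed["max_age"] is None or parsed["max_age"] < 15552000:
        return "weak"
    return "ok"

def ehlo_advertises_starttls(reply):
    """Return True if the EHLO reply lists STARTTLS; lines look like '250-KEYWORD' or '250 KEYWORD'."""
    for line in reply.splitlines():
        m = re.match(r"^250[- ]([A-Za-z0-9]+)", line)
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False
```

A STARTTLS advertisement only means the hop can be encrypted; as the article notes, the sending provider must also choose to use it.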

Industry Transparency Is Key to Keeping Consumers Safe

Google has started publishing the percentage of email it sends and receives from other providers which is actually encrypted. According to NPR, a lot more email traffic is encrypted today than a year ago and since Google started publishing these numbers the figures have shot up.

Lately I see more and more stories in the news about major data breaches and security holes that leave consumers vulnerable to identity theft. Think about it: we are really just at the early stage of the digital revolution! That’s why it’s so important to have identity theft protection with IdentityForce. By enrolling in IdentityForce’s UltraSecure your personal information will be monitored 24/7 and you’ll be notified immediately of any suspicious activity so you can act before any damage is done. If anything does happen, IdentityForce will be with you every step of the way helping you restore your identity.

Image courtesy of Flickr user FutUndBeidl.

David Rabinovitz

Identity Protection Consultant at IdentityForce
David is aligned closely with c-level principals and provides them with coaching services focused on strategy, finance, ownership, deal structuring, and shareholder relationships, which led him to join one of his high-growth clients as their CFO. As a high-energy executive with a wealth of experience, David is a versatile corporate “fireman” whose skills are often sought after to assess and resolve complex business challenges, as he brings critical insight for business leaders in transition. He is also a long-standing Special Crew Volunteer for Pan-Mass Challenge, an annual cycling fundraiser that strives to provide Dana-Farber's doctors and researchers the necessary resources to discover cures for all types of cancer.
