Which Major Companies Actually Encrypt Your Data

from the good-for-them dept

With so much recent concern about how the NSA and GCHQ (and, likely, others) basically look at unencrypted traffic as an easy way to hack into your data, it's becoming increasingly important for the big companies which manage tremendous amounts of the public's personal data to encrypt as much as possible. The folks over at the EFF have now put together a sort of crypto report card on which major companies are actually encrypting everything they can.

The results are a little disappointing. Only four companies -- Dropbox, Google, SpiderOak and Sonic.net -- got a perfect score on the five categories measured. Twitter is pretty close (and the only thing it's missing, STARTTLS, really would only matter if it were offering email, which it doesn't, other than to employees) while the rest still have a fair bit of work to do. The incumbent access providers -- AT&T, Verizon and Comcast -- don't appear to care nearly enough about security at all. That's why it's little surprise that the NSA's deals with at least AT&T and Verizon are a major source of information. Once again, I'm rather happy I'm a Sonic.net customer for my internet access these days.
Hopefully this effort (and the ongoing concerns about the NSA, as well as outside hacking) leads more companies to up their encryption game.


Reader Comments

  1. This comment has been flagged by the community.
    out_of_the_blue, Nov 19th, 2013 @ 9:02pm

    The MAIN problem is that they HAVE and LOOK at your data!

    Listen, the NSA is truly NOT interested in much about any given person -- and use these mega-corporations as front-ends to filter (which is more economic spying than "terrorism") -- BUT the corporations use whatever they can get, by any means, collated and shared with every other corporation, and their purpose is to control your economic activity besides your mind, more or less: watching sports, for instance, is mindless, and serves the purposes of the State in keeping people from anything higher (it's the modern circuses).

    BESIDES, THEY'LL SELL NSA WHATEVER INFO THEY HAVE SO DOESN'T MATTER WHETHER THEY ENCRYPT EXTERNALLY OR NOT!

    Taglines cover the rest.

    Worse than being censored on the net is being advertised. You can escape censorship with your ideas intact; advertising uses lures and tricks to re-shape your very mind.

    Google's ability to target you for advertising is EXACTLY what NSA needs to target you as political dissident, NOT coincidentally.

     

  2.  
    Anonymous Coward, Nov 19th, 2013 @ 9:29pm

    Re: The MAIN problem is that they HAVE and LOOK at your data!

    It's not limited to Google, when NSA created a market for business records, it really said "here's money, you corps find a way around the law to sell me that data".

    The big Telcos handed practically everything over for 30 shiny silver pieces. But as the services became encrypted so that shiny silver was out of their reach.

    Skype and 'project Chess' came along next to tap Skype.
    Microsoft backdooring its cloud services for the NSA.

    http://www.nbcnews.com/technology/microsoft-let-nsa-bypass-encryption-mail-chats-cloud-storage-says-6C10607490

    And lots of free apps and cloud services started appearing, some with CIA funding (InQTel) offering storage of business data, video, IP surveillance, exactly the sort of thing the NSA wants to grab in a 5 eyes jurisdiction with a cooperative management.

    https://en.wikipedia.org/wiki/In-Q-Tel

    Then there's the VOIP apps that can't pay for their servers because they make no money, and yet somehow do pay for their servers.

    And the free messaging apps that pay the bills and keep the lights on by magic.

    Then there's the Snowden leaks showing NSA has lots of VOIP data, somehow by magic.

    The problem here is the market the NSA created.

     

  3.  
    Anonymous Coward, Nov 19th, 2013 @ 9:59pm

    Re: The MAIN problem is that they HAVE and LOOK at your data!

    You do know that you can encrypt every piece of information you send elsewhere right?

    But it involves you taking responsibility for your own security and crypto keys, which maybe is too much to ask.

    https://crypto.cat/

    Encrypting Facebook a start.

    http://www.spacenext.com/encrypt-facebook.php
    http://www.abine.com/blog/2011/how-encryption-can-keep-facebook-from-snooping-in-your-chats/
    http://www.spicytricks.com/tips/send-secret-encrypted-messagesemails-facebookgmail-chrome

    Encrypting cloud storage.
    http://www.pcworld.com/article/2010296/how-to-encrypt-your-cloud-storage-for-free.html
    http://lifehacker.com/5794486/how-to-add-a-second-layer-of-encryption-to-dropbox

    No service ever will be willing to take a bullet for ya, so don't ask, do something yourself and stop complaining, take responsibility.

     

  4.  
    oxguy3, Nov 19th, 2013 @ 11:35pm

    Logos

    How on earth did they manage to use Yahoo's new two-month-old logo in the same infographic as a logo that Apple hasn't used since 2002??? The logos for Dropbox, Google, Myspace, and Tumblr are all also outdated, and I don't even know where they got that wordmark for Twitter. I know the logos are a very minor part of this image, but why bother updating Yahoo's logo if you're gonna continue to use years old logos for everyone else?

     

  5.  
    Anonymous Coward, Nov 20th, 2013 @ 3:29am

    Twitter does have email

    "Twitter is pretty close (and the only thing it's missing, STARTTLS, really would only matter if it were offering email, which it doesn't, other than to employees)"

    In my experience, Twitter sends you an email every time anyone shares your tweet, every time anyone replies to your tweet, and sometimes just for the heck of it ("we noticed we did not send you an email for some time, so here are some random tweets you might or might not like"). These emails should be protected, since they can reveal the email address corresponding to your twitter account.

     

  6.  
    Anonymous Coward, Nov 20th, 2013 @ 5:37am

    Re: Logos

    The current official logo is just a black apple. The name got dropped in 2007. For the purpose of the table it was clearer to use the old logo that included the name and fit the space available.

    It is as if Apple wants to be Prince in the nineties. It strikes me as a bad strategy to be known as a symbol without some official text version available for these purposes.

     

  7.  
    Anonymous Coward, Nov 20th, 2013 @ 5:59am

    Re: Re: Logos

    Oh and what is that orange asterisk?

     

  8.  
    BentFranklin (profile), Nov 20th, 2013 @ 6:40am

    Needs more Verizon.

     

  9.  
    BentFranklin (profile), Nov 20th, 2013 @ 6:41am

    Re:

    Doh, retract! Retract!

    It's there.

     

  10.  
    ltlw0lf (profile), Nov 20th, 2013 @ 7:02am

    Re: Re: Re: Logos

    Oh and what is that orange asterisk?

    SpiderOak

     

  11.  
    ltlw0lf (profile), Nov 20th, 2013 @ 7:06am

    Re:

    Needs more Verizon.

    I'd like to see Cox.net, but figure they are also in the red for most of this. There are a bunch of other providers that aren't on the list either: T-Mobile, Sprint, Time Warner, etc.

     

  12.  
    Andrew D. Todd, Nov 20th, 2013 @ 7:47am

    A Home E-Mail Server (to Anonymous Coward, #3)

    You can create a little home e-mail server, along lines analogous to a telephone answering machine. It would be more or less continuously connected to the network, and it would probably make sense to integrate it with Limor Fried's "Onion Pi" TOR-entry system, and a firewall. There might need to be some alterations to the SMTP protocol, to support multiple layers of SSL sessions, as a matter of enforcing need-to-know, and there would probably need to be a framework for the sending computer to prove that it is not a spammer by doing extensive computations. I don't think there would be any overwhelming difficulty about working out the details.

    The advantage of SSL over conventional e-mail encryption is that it is real-time, that the computers can negotiate encryption protocols without knowing, a priori, what the other side can use. This, however, means that the place where e-mail is stored has to be physically secure. How you deal with physical burglars is your own affair.

    I don't see why such a device couldn't be inexpensively packaged up, and easy to use. The Raspberry Pi, which is the basis of the Onion Pi, costs about twenty-five dollars, and that rises to a hundred dollars, when a box, a power supply, a Wi-Fi unit, a development kit, and a subsidy to the TOR Foundation are bundled with it. Making it do E-mail as well is just a matter of adding software.

     

  13.  
    Anonymous Coward, Nov 20th, 2013 @ 8:40am

    Yes, but among those are there companies that encrypt the data so they can sell it at full price to three letter agencies?

     

  14.  
    John Fenderson (profile), Nov 20th, 2013 @ 9:59am

    Re: A Home E-Mail Server (to Anonymous Coward, #3)

    This is what I do -- I run all my own servers (email, file-sharing, web, cloud, etc.) from my home on my own machines specifically because it is literally impossible to trust in any third party servers, particularly in the US. The law doesn't allow trust.

    There are a number of "prepackaged" systems available, but I don't recommend them for one simple reason: configuring these things requires a fair amount of technical knowledge and can't really be automated.

    For example, setting up a proper email server isn't just a matter of installing the software. You have to coordinate with other email servers, register proper DNS records, and so forth. It can be a bit complex. You can end up with a mail server that technically works, but violates security requirements such that you end up getting blacklisted.

    So, prepackaged or not, the average user won't be able to set them up properly. And if you have the necessary technical knowledge, then you know you don't want to use the prepackaged stuff anyway.

    A better idea is to hire someone to set the systems up for you.

     

  15.  
    Anonymous Coward, Nov 20th, 2013 @ 10:20am

    That doesn't matter if NSA and the FBI have access to the private keys

     

  16.  
    Anonymous Coward, Nov 20th, 2013 @ 10:41am

    Re: A Home E-Mail Server (to Anonymous Coward, #3)

    Why?

    You can just secure any information you put in the wild; it is a lot easier.

    Secure the data not the service.

     

  17.  
    Matt S, Nov 20th, 2013 @ 11:32am

    Re: Re: A Home E-Mail Server (to Anonymous Coward, #3)

    Great explanation. I wish more people understood this. It is the reason I created ThreadThat. I wanted to give the general public an easy way to participate in an encrypted solution without all the pain.

     

  18.  
    Anonymous Coward, Nov 20th, 2013 @ 2:57pm

    Re:

    It does matter. If the "Forward Secrecy" column is green, even if they have access to the private keys, they are forced to do an active attack, which is more expensive and more detectable.

     

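An added example (not part of the thread or of the EFF report) illustrating the "Forward Secrecy" point in comment 18: it classifies TLS cipher suite names, in both OpenSSL and IANA spelling, by whether the key exchange is ephemeral, so suites whose recorded traffic can be decrypted later with the server's private key stand out. The suite list is constructed sample input and the function names are this example's own.

```python
import re

# Key-exchange tokens that generate a fresh Diffie-Hellman key for every session.
EPHEMERAL = {"ECDHE", "DHE", "EDH"}  # EDH is OpenSSL's legacy spelling of DHE
# Other key-exchange prefixes seen in OpenSSL-style names. ADH/AECDH are
# anonymous (unauthenticated) and are deliberately flagged as well.
OTHER_KX = {"ECDH", "DH", "ADH", "AECDH", "RSA", "PSK", "SRP"}
# TLS 1.3 suite names carry no key-exchange token at all.
TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")


def key_exchange(suite: str) -> str:
    """Return the key-exchange token of an OpenSSL- or IANA-style suite name."""
    name = suite.strip().upper()
    if TLS13.match(name):
        return "TLS1.3"
    if name.startswith("TLS_") and "_WITH_" in name:
        # IANA form TLS_<kx>[_<auth>]_WITH_<cipher>; TLS_RSA_WITH_... is RSA key transport.
        return name[4:].split("_WITH_")[0].split("_")[0]
    first = name.split("-")[0]
    # OpenSSL drops the prefix for RSA key transport, e.g. "AES128-GCM-SHA256".
    return first if first in EPHEMERAL | OTHER_KX else "RSA"


def forward_secret(suite: str) -> bool:
    """True for ECDHE/DHE suites and for TLS 1.3 suites."""
    # A full TLS 1.3 handshake always uses ephemeral (EC)DHE.
    kx = key_exchange(suite)
    return kx == "TLS1.3" or kx in EPHEMERAL


def audit(suites):
    """Split accepted suites into (forward_secret, not_forward_secret) lists."""
    good = [s for s in suites if forward_secret(s)]
    bad = [s for s in suites if not forward_secret(s)]
    return good, bad


# Constructed sample: suites a hypothetical server accepts, in mixed naming styles.
SAMPLE = [
    "TLS_AES_128_GCM_SHA256",                         # TLS 1.3
    "ECDHE-RSA-AES128-GCM-SHA256",                    # ephemeral ECDH
    "DHE-RSA-AES256-GCM-SHA384",                      # ephemeral DH
    "AES128-GCM-SHA256",                              # RSA key transport
    "ECDH-RSA-AES128-SHA",                            # static ECDH: no trailing E
    "TLS_RSA_WITH_AES_128_CBC_SHA",                   # RSA key transport (IANA)
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",  # ephemeral ECDH (IANA)
]

if __name__ == "__main__":
    good, bad = audit(SAMPLE)
    for s in bad:
        print(f"no forward secrecy ({key_exchange(s)} key exchange): {s}")
```
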

  19.  
    John Fenderson (profile), Nov 20th, 2013 @ 3:17pm

    Re: Re: A Home E-Mail Server (to Anonymous Coward, #3)

    Because there is more to security than just the question of whether or not other people can read the data. Security also includes things like preventing traffic analysis (encryption doesn't help with that), ensuring access to your data (you can't if you don't have physical control), being made aware of attempts to breach your security, etc.

    Also, encryption doesn't help you if the encryption scheme gets broken or a vulnerability is discovered, as happened recently (thanks, NSA).

    Just encrypting everything and still using third party servers can be a reasonable compromise, but it is still a compromise. Personally, that's a compromise that still leaves me feeling too vulnerable.

     

  20.  
    John Fenderson (profile), Nov 20th, 2013 @ 3:22pm

    Re: Re: Re: A Home E-Mail Server (to Anonymous Coward, #3)

    ThreadThat looks interesting, but still has the fatal flaw of being a third party server. The participant's data is held on ThreadThat servers (a commercial cloud offering like Amazon, I'm guessing).

    "Secure" and "someone else's server" are two things that don't really go together.

     

  21.  
    Andrew D. Todd, Nov 20th, 2013 @ 4:02pm

    Re: Re: A Home E-Mail Server (to Anonymous Coward, #3)

    Well, as I see it, a home mail server would have to be something additional to the existing mail servers, not something in lieu of them. The sending mail client would not connect to the recipient's home mail server directly, but would go through the usual channels, with a series of encrypted sub-channels being created.

    The sending client would contact the sending public server, which has a domain name, and a certificate, would establish a secure connection, and do a login. It would then tell the sending public server which recipient public server it wanted to talk to. The sending public server would contact the recipient public server, establish a secure connection with certificates at both ends, vouch for the sending client, and create a channel running through itself from the sending client to the recipient public server. It would also provide a channel which could be used to validate itself.

    The sending client and the recipient public server would then establish a secure connection, with the recipient public server's certificate. The sending client would tell the recipient public server what e-mail address it wanted to send a message to. The process would be repeated with the recipient home server, which would also have a certificate. The mail protocol would have to be adapted to deal with this kind of thing, there would have to be modes of fall-back to standard e-mail transmission, and so on.

    When all this cryptography has taken place, the sending public server knows that the client has sent an e-mail to someone on the receiving public server, but not to which account, or what the message is. The receiving public server knows that someone, with an account on the sending public server has sent an e-mail to a known account on the receiving public server, but not who the sender was, or what the message was. They know just enough to control spam, but no more. The recipient home server has the message, and knows from the sending public server which account it came from. The sending client knows that the message was sent to the stated address, which is additionally validated by the recipient's certificate.

     

  22.  
    quawonk, Nov 20th, 2013 @ 4:16pm

    And which of those companies secretly provide backdoors for the Gov? Probably all of them.

     

  23.  
    Cindy, Nov 25th, 2013 @ 5:10am

    I must say I agree with @ Anonymous Coward ( though I don't know why you want to be called so, since your arguments are very much true ) ... Anywho, he or she is right, because each and every one of us can take responsibility and simply encrypt all the precious data, if it is indeed that precious. If you are not an IT guru, however, you can always resort to a solution that does use high encryption keys and techniques. Mine is Zoolz, and no I am not one of those spammers of theirs, so I will leave it to you to do your research about the software ;) Enjoy

     
