Which Major Companies Actually Encrypt Your Data

from the good-for-them dept

With so much recent concern about how the NSA and GCHQ (and, likely, others) basically look at unencrypted traffic as an easy way to hack into your data, it’s becoming increasingly important for the big companies which manage tremendous amounts of the public’s personal data to encrypt as much as possible. The folks over at the EFF have now put together a sort of crypto report card on which major companies are actually encrypting everything they can.

The results are a little disappointing. Only four companies — Dropbox, Google, SpiderOak and Sonic.net — got a perfect score on the five categories measured. Twitter is pretty close (and the only thing it’s missing, STARTTLS, really would only matter if it were offering email, which it doesn’t, other than to employees) while the rest still have a fair bit of work to do. The incumbent access providers — AT&T, Verizon and Comcast — don’t appear to care nearly enough about security at all. That’s why it’s little surprise that the NSA’s deals with at least AT&T and Verizon are a major source of information. Once again, I’m rather happy I’m a Sonic.net customer for my internet access these days.

Hopefully this effort (and the ongoing concerns about the NSA, as well as outside hacking) leads more companies to up their encryption game.

Companies: at&t, comcast, dropbox, eff, google, sonic.net, spideroak, twitter, verizon


Comments on “Which Major Companies Actually Encrypt Your Data”

out_of_the_blue says:

The MAIN problem is that they HAVE and LOOK at your data!

Listen, the NSA is truly NOT interested in much about any given person — and use these mega-corporations as front-ends to filter (which is more economic spying than “terrorism”) — BUT the corporations use whatever they can get, by any means, collated and shared with every other corporation, and their purpose is to control your economic activity besides your mind, more or less: watching sports, for instance, is mindless, and serves the purposes of the State in keeping people from anything higher (it’s the modern circuses).


Taglines cover the rest.

Worse than being censored on the net is being advertised. You can escape censorship with your ideas intact; advertising uses lures and tricks to re-shape your very mind.

Google’s ability to target you for advertising is EXACTLY what NSA needs to target you as political dissident, NOT coincidentally.

Anonymous Coward says:

Re: The MAIN problem is that they HAVE and LOOK at your data!

It’s not limited to Google, when NSA created a market for business records, it really said “here’s money, you corps find a way around the law to sell me that data”.

The big Telcos handed practically everything over for 30 shiny silver pieces. But as the services became encrypted, that shiny silver was out of their reach.

Skype and ‘project Chess’ came along next to tap Skype.
Microsoft backdooring its cloud services for the NSA.


And lots of free apps and cloud services started appearing, some with CIA funding (InQTel) offering storage of business data, video, IP surveillance, exactly the sort of thing the NSA wants to grab in a 5 eyes jurisdiction with a cooperative management.


Then there’s the VOIP apps that can’t pay for their servers because they make no money, and yet somehow do pay for their servers.

And the free messaging apps that pay the bills and keep the lights on by magic.

Then there’s the Snowden leaks showing NSA has lots of VOIP data, somehow by magic.

The problem here is the market the NSA created.

Anonymous Coward says:

Re: The MAIN problem is that they HAVE and LOOK at your data!

You do know that you can encrypt every piece of information you send elsewhere right?

But it involves you taking responsibility for your own security and crypto keys, which maybe is too much to ask.


Encrypting Facebook a start.


Encrypting cloud storage.

No service ever will be willing to take a bullet for ya, so don’t ask, do something yourself and stop complaining, take responsibility.

Andrew D. Todd (user link) says:

Re: Re: A Home E-Mail Server (to Anonymous Coward, #3)

You can create a little home e-mail server, along lines analogous to a telephone answering machine. It would be more or less continuously connected to the network, and it would probably make sense to integrate it with Limor Fried’s “Onion Pi” TOR-entry system, and a firewall. There might need to be some alterations to the SMTP protocol, to support multiple layers of SSL sessions, as a matter of enforcing need-to-know, and there would probably need to be a framework for the sending computer to prove that it is not a spammer by doing extensive computations. I don’t think there would be any overwhelming difficulty about working out the details.

The advantage of SSL over conventional e-mail encryption is that it is real-time, that the computers can negotiate encryption protocols without knowing, a priori, what the other side can use. This, however, means that the place where e-mail is stored has to be physically secure. How you deal with physical burglars is your own affair.

I don’t see why such a device couldn’t be inexpensively packaged up, and easy to use. The Raspberry Pi, which is the basis of the Onion Pi, costs about twenty-five dollars, and that rises to a hundred dollars, when a box, a power supply, a Wi-Fi unit, a development kit, and a subsidy to the TOR Foundation are bundled with it. Making it do E-mail as well is just a matter of adding software.

John Fenderson (profile) says:

Re: Re: Re: A Home E-Mail Server (to Anonymous Coward, #3)

This is what I do — I run all my own servers (email, file-sharing, web, cloud, etc.) from my home on my own machines specifically because it is literally impossible to trust in any third party servers, particularly in the US. The law doesn’t allow trust.

There are a number of “prepackaged” systems available, but I don’t recommend them for one simple reason: configuring these things requires a fair amount of technical knowledge and can’t really be automated.

For example, setting up a proper email server isn’t just a matter of installing the software. You have to coordinate with other email servers, register proper DNS records, and so forth. It can be a bit complex. You can end up with a mail server that technically works, but violates security requirements such that you end up getting blacklisted.

So, prepackaged or not, the average user won’t be able to set them up properly. And if you have the necessary technical knowledge, then you know you don’t want to use the prepackaged stuff anyway.

A better idea is to hire someone to set the systems up for you.

John Fenderson (profile) says:

Re: Re: Re:3 A Home E-Mail Server (to Anonymous Coward, #3)

ThreadThat looks interesting, but still has the fatal flaw of being a third party server. The participant’s data is held on ThreadThat servers (a commercial cloud offering like Amazon, I’m guessing).

“Secure” and “someone else’s server” are two things that don’t really go together.

Andrew D. Todd (user link) says:

Re: Re: Re:2 A Home E-Mail Server (to Anonymous Coward, #3)

Well, as I see it, a home mail server would have to be something additional to the existing mail servers, not something in lieu of them. The sending mail client would not connect to the recipient’s home mail server directly, but would go through the usual channels, with a series of encrypted sub-channels being created.

The sending client would contact the sending public server, which has a domain name, and a certificate, would establish a secure connection, and do a login. It would then tell the sending public server which recipient public server it wanted to talk to. The sending public server would contact the recipient public server, establish a secure connection with certificates at both ends, vouch for the sending client, and create a channel running through itself from the sending client to the recipient public server. It would also provide a channel which could be used to validate itself.

The sending client and the recipient public server would then establish a secure connection, with the recipient public server’s certificate. The sending client would tell the recipient public server what e-mail address it wanted to send a message to. The process would be repeated with the recipient home server, which would also have a certificate. The mail protocol would have to be adapted to deal with this kind of thing, there would have to be modes of fall-back to standard e-mail transmission, and so on.

When all this cryptography has taken place, the sending public server knows that the client has sent an e-mail to someone on the receiving public server, but not to which account, or what the message is. The receiving public server knows that someone with an account on the sending public server has sent an e-mail to a known account on the receiving public server, but not who the sender was, or what the message was. They know just enough to control spam, but no more. The recipient home server has the message, and knows from the sending public server which account it came from. The sending client knows that the message was sent to the stated address, which is additionally validated by the recipient’s certificate.

John Fenderson (profile) says:

Re: Re: Re:2 A Home E-Mail Server (to Anonymous Coward, #3)

Because there is more to security than just the question of whether or not other people can read the data. Security also includes things like preventing traffic analysis (encryption doesn’t help with that), ensuring access to your data (you can’t if you don’t have physical control), being made aware of attempts to breach your security, etc.

Also, encryption doesn’t help you if the encryption scheme gets broken or a vulnerability is discovered, as happened recently (thanks, NSA).

Just encrypting everything and still using third party servers can be a reasonable compromise, but it is still a compromise. Personally, that’s a compromise that still leaves me feeling too vulnerable.

oxguy3 says:


How on earth did they manage to use Yahoo’s new two-month-old logo in the same infographic as a logo that Apple hasn’t used since 2002??? The logos for Dropbox, Google, Myspace, and Tumblr are all also outdated, and I don’t even know where they got that wordmark for Twitter. I know the logos are a very minor part of this image, but why bother updating Yahoo’s logo if you’re gonna continue to use years old logos for everyone else?

Anonymous Coward says:

Re: Logos

The current official logo is just a black apple. The name got dropped in 2007. For the purpose of the table it was clearer to use the old logo that included the name and fit the space available.

It is as if Apple wants to be Prince in the nineties; it strikes me as a bad strategy to be known as a symbol without some official text version available for these purposes.

Anonymous Coward says:

Twitter does have email

“Twitter is pretty close (and the only thing it’s missing, STARTTLS, really would only matter if it were offering email, which it doesn’t, other than to employees)”

In my experience, Twitter sends you an email every time anyone shares your tweet, every time anyone replies to your tweet, and sometimes just for the heck of it (“we noticed we did not send you an email for some time, so here are some random tweets you might or might not like”). These emails should be protected, since they can reveal the email address corresponding to your twitter account.

Cindy says:

I must say I agree with @Anonymous Coward (though I don’t know why you want to be called so, since your arguments are very much true)… Anywho, he or she is right, because each and every one of us can take responsibility and simply encrypt all the precious data, if it is indeed that precious. If you are not an IT guru, however, you can always resort to a solution that does use high encryption keys and techniques. Mine is Zoolz, and no I am not one of those spammers of theirs, so I will leave it to you to do your research about the software 😉 Enjoy
