Are Yahoo and Google Really Serious About Email Encryption?


Illustration: Elias Stein

Last March Alex Stamos, then Yahoo’s chief information security officer showed up software prototyping to encrypt sensitive e-mail messages. The new tool, which Stamos said could be ready for deployment by early 2016, featured “end-to-end” encryption, meaning that even Yahoo itself wouldn’t be able to decrypt files. messages stored on its servers.

Yahoo has promised to make this encryption easy to use, relying on open source software for the end-to-end email encryption that Google developed. (Google’s software implements a standard called OpenPGP, based on an encryption system created by Phil Zimmerman in 1991: quite good privacy, or PGP.)

If Yahoo and Google were to put their market weight – not to mention their significant development resources – behind end-to-end email encryption in 2016, it would undoubtedly displease the many government authorities who claim that this technology renders them incapable. to spy on bad guys’ email communications – or “make it dark” as they call it.

James Comey, director of the Federal Bureau of Investigation, summed up these sentiments in July when he said the Senate Judiciary Committee that “we have seen consumer products and services on a new scale designed to give users exclusive control over access to their data.” He underscored the central role of tech companies, saying, “We would like to stress that the Going Dark problem is, at its core, a problem of choice and technological capability. “

The implication of Comey’s statement was clear: If the law prohibited companies from offering such privacy protections, the products and services that Comey was referring to should be shut down, at least in the United States. But the U.S. government is unlikely to do so anytime soon. Indeed, the Obama administration reported in October that it would not require tech companies to incorporate backdoors into their encryption products, given the strong possibility that a weakening of security in this way would allow hackers and malicious foreign agents to compromise even more systems than they already do.

Such concerns are not so strong on the other side of the Atlantic, however. In particular, British Prime Minister David Cameron indicated last July that it wants to ban encrypted messaging systems that do not provide government authorities with the means to decrypt content. And in November, UK Home Secretary Theresa May introduced a surveillance bill which, among other things, prohibit end-to-end encryption. The debate is sure to spill over into the coming months as UK lawmakers scramble to replace the Data Retention and Investigative Powers Act, 2014, which will expire at the end of 2016.

So are Google and Yahoo heading for a collision with the UK government over their end-to-end email encryption? Probably not, according to Matthew Green, a crypto expert at Johns Hopkins University in Baltimore. “I don’t think they’re putting in the resources that it needs,” Green said. He estimates that Google has one or two developers working on end-to-end email encryption, too few to meet the challenge of creating a truly versatile system. Yahoo, too, has not dedicated adequate resources to the project to make their efforts successful, says Green. “I think they’ll end up having an egg on their face.”

/img/HRAlexStamosbyWinMcNameeGettyImages490832273-1450276860493.jpg
Truth To Power: Alex Stamos, then Yahoo’s chief information security officer, testified before the US Senate Homeland Security Committee in 2014. Stamos has since left Yahoo for Facebook, where he is the chief security officer .
Photo: Win McNamee / Getty Images

Christopher Soghoian, senior technologist at the American Civil Liberties Union, is also skeptical, calling these projects at Google and Yahoo a post-Snowden “feel-good” exercise. Soghoian notes that strong email encryption works against the self-interest of these companies: “Google wants to be your brain,” doing things like adding flight hours to your calendar when you receive a confirmation. by e-mail after purchasing a plane ticket. “This type of personal digital assistant is only possible if they see everything you do.”

While he too recognizes the value of the public relations that Google and Yahoo derive from these projects, Joseph Bonneau, a technology researcher at the Electronic Frontier Foundation in San Francisco, believes that these tech giants’ interest in the development of end-to-end email encryption is more authentic. “This is definitely a problem that Google and Yahoo would like to solve,” he says. It’s just that the challenges that come with email encryption are enormous. These include how to manage people’s cryptographic keys securely while preventing users from being prone to losing access to their email archives, how to filter spam when only the end user can read them. posts, and how to allow users to search their past posts. “The Gmail experience would be very different if you couldn’t search,” notes Bonneau.

Google and Yahoo both declined interview requests, so it’s unclear whether these companies are truly committed to providing their users with encrypted emails in 2016. Even though they end up putting a lot of weight in the email. ‘effort, it could still stagnate. It’s a safe bet that the main battleground for the crypto wars of 2016 will not be email so much as instant messaging services like iMessage and WhatsApp, where users have lower expectations of filtering and searching. spam. What makes end-to-end encryption in these messaging services so attractive and popular, says Bonneau, is, ironically, that “no one knows he’s there.”

This article was originally published under the title “Don’t Expect Encrypted Email in 2016”.


Source link

About the author