Strongly encrypted communications are secure and private communications (as long as there is no monkey-business going on in the way the encryption is implemented into communications software or protocols). Therefore, the companies that use strong encryption would appear to be the same companies that are concerned with the privacy and security of their customers.
The Electronic Frontier Foundation is always looking to herald the tech and telecom companies that handle their users’ data with care. They also don’t shy away from naming and shaming the firms that store user-data frivolously.
Their recently published “Encrypt the Web” report does just that. It positively reinforces companies like the search giant Google, the Internet service provider SonicNet, and the cloud-storage providers Dropbox and SpiderOak for protecting their customer’s data with strong, across the board encryption. These four companies are the big winners of the EFF report, earning a check in all five of the following categories: encrypts data center links, supports HTTPS, HSTS, forward secrecy, and STARTTLS. Briefly, the encryption of data center links basically means that Google encrypts data as it passes between their data centers, a weak-spot known to have been exploited in the past. The implementation of HTTPS, or hypertext transfer protocol secure, ensures that all communications between a user and a given website pass through an encrypted channel. HSTS, or HTTP Strict Transport Security, is basically a Web server security policy mandating constant HTTPS communication with users. Forward secrecy, or perfect forward secrecy, is essentially a cryptographic property or ideal that guarantees that one compromised key won’t compromise further transmissions. STARTTLS is more or less an email extension that updates plain-text email communications to encrypted communications so that emails are encrypted no matter what email client you are using.
Now that we have that out of the way, again, Google, SonicNet, Dropbox, and SpiderOak are the big winners here. Honorable mention to Facebook, which received all five checks conditionally, because they are in the process of implementing all of these encryption features. Twitter received high marks as well, receiving a check-mark for every category except STARTTLS.
LinkedIn, Foursquare, and Tumblr are right in the middle here, with three checks. Yahoo got one check and an additional conditional check for policies they plan to implement. Apple got one check for supporting HTTPS on their iCloud. Microsoft, Myspace, and WordPress all earned just one check mark as well.
The companies that are not putting in the effort to encrypt are, according to the EFF, Amazon, AT&T, Comcast, and Verizon. Altogether, these four companies received zero checks.
Perhaps not surprisingly, earlier this year, the San Francisco-based digital advocacy group published a report called “Who’s Got Your Back?” and the findings were similar. The Who’s Got Your Back report explored which tech and telecom companies are rubber stamps for government data collection and which one’s guard the privacy rights of their users. Both reports vindicated the efforts of Twitter and Google and SonicNet and SpiderOak, while both reports wagged their fingers at Apple, Yahoo, Verizon, AT&T, Comcast, and Amazon.
Of course, a lot has changed in the time between the two reports: namely a lot more is known about government-sponsored surveillance efforts. If there is a correlation between the reports, and I think there is, then there seems to be a general movement toward better privacy protections from government and other malicious spying among some of the tech firms.
“We want to use this as a positive encouragement where if companies see other folks getting good reports, they may want to apply more crypto,” said Kurt Opsahl, a senior staff attorney with the EFF.
The EFF conducted the report by sending each company a survey. Not every company replied, so other sources were also considered including the companies’ websites and news reports. The companies were asked whether they support HTTPS, HSTS, Forward Secrecy, STARTTLS, and whether they encrypt data center links.
So what does this all mean for you? Well, I won’t advocate for which services you should or shouldn’t use. I think all of us – including our friends at the EFF – likely rely on some services that aren’t putting in enough effort as far as encryption is concerned. The point here, as noted by Threatpost’s Mike Mimoso, is this: “There’s nothing like a little peer pressure to nudge someone toward doing the right thing.“