Among the many Prism revelations leaked by whistle-blower Edward Snowden, it came to light that the National Security Agency (NSA) had spied on major web firms including Google and Yahoo, harvesting data around user activity without proper legal jurisdiction.
The discovery spooked the industry – and its customers even more so – leading to many firms announcing plans to encrypt users’ personal data, while Microsoft has gone a step further.
The Redmond-based giant recently stated that it will expand encryption across its internet-facing services, “reinforce legal protections” for customer data and “enhance the transparency” of the company’s code, “making it easier for customers to reassure themselves that our products do not contain back doors”, according to Brad Smith, general counsel and executive vice president, legal and corporate affairs at Microsoft.
However, concerns remain that all of this is too little, too late as government agencies will just find new methods of accessing information while potentially still stealing data until encryption is introduced.
“I’m concerned about the length of time it will take before firms actually introduce encryption,” said computer security expert Graham Cluley, who suggested the rapid growth of tech firms has come at the expense of proper security protocols.
“It wasn’t necessarily the case that security was in their DNA,” he told Computing. “Some of these web companies built up very quickly and were interested in growing a user base rather than thinking of every eventuality as to how data could be compromised.”
And while Yahoo was the first large web company to announce its user data will be encrypted – with the target of doing so by March next year – Cluley pointed out the firm has a poor track record when it comes to security.
“Yahoo has been incredibly tardy about implementing [security protocols] SSL and HTTPS on its webmail services,” he said.
“You didn’t even have the option to enable HTTPS on Yahoo Mail for a long time, which is crazy because it meant anyone using a public Wi-Fi spot could have their Wi-Fi sniffed. I can only think security wasn’t as big a priority to them as we’d hoped it would be,” Cluley continued, but added the encryption move is at least a step in the right direction.
Frank Jennings, partner at law firm DMH Stallard and specialist lawyer in cloud and technology, agreed that encryption is the way to go forward.
“If there’s enough data being encrypted then it’s going to slow government agencies down considerably, taking them a lot of time and money to decrypt and therefore more likely to be choosy about what data they seek to decrypt. By necessity, encryption will lead to a reduction in surveillance,” he told Computing.
However, even if every company encrypted all of its user data, it would not stop governments cracking into their databases and making off with information about customers.
“GCHQ and the NSA have the resources and they’ve got the money – certainly in the US the NSA is well funded – so if they want to do it they will,” warned Jennings.
“It’s certainly what I’ve been telling clients: you should assume the government agencies can get access to your data. You can take certain steps to slow them down by encrypting it, but ultimately you should assume that if the government wants your data, it can gain access to it.”
Jennings suggests that it is up to the likes of Yahoo, Microsoft and Google to make sure they are a step ahead of governments.
“It’s a matter of the industry responding to this quicker than the lawmakers can, while at the same time trying to introduce proper checks and balances for surveillance agencies,” he said.
But even if technology firms are able to employ encryption to prevent government spying, they have still suffered massive reputational damage.
“There’s likely to be a question of how much people will now be willing to trust that protection is in place,” Professor Steven Furnell, head of the Centre for Information Security and Network Research at the University of Plymouth, told Computing.
“Will users really believe that the government agencies don’t have an undisclosed means to bypass it, or that the companies aren’t allowing them access anyway?”
Some would argue Yahoo’s public announcement about encryption amounts to posturing, but according to Cluley, that is not an issue if it means security is being taken more seriously.
“They need to regain the confidence of their customers, without a doubt, but if it’s posturing then good: long may it continue as well as the benefits,” he said.