There’s nothing like a little peer pressure to nudge someone toward doing the right thing.
That’s the philosophy behind the Electronic Frontier Foundation’s Encrypt the Web Report, which examines the encryption capabilities of 18 leading Internet companies, including large carriers, social networks, technology companies and Web-based service providers.
“We want to use this as a positive encouragement where if companies see other folks getting good reports, they may want to apply more crypto,” said Kurt Opsahl, a senior staff attorney with the EFF.
These same companies were also surveyed as part of the EFF’s Who Has Your Back report in May. That report evaluated the companies’ efforts around privacy, protection of user data and transparency with regard to government requests for user data.
For the Encrypt the Web report, each company was sent a survey, though not all replied; other sources were also considered including the companies’ websites and news reports. The companies were asked whether they support HTTPS, HSTS, Forward Secrecy, STARTTLS, and whether they encrypt data center links.
The latter query takes on particular importance following the disclosure of the National Security Agency’s MUSCULAR program, which revealed that the spy agency was tapping unencrypted links between data centers in order to siphon data on users’ Internet activities.
“One of the reasons for doing this was to find out about that category,” Opsahl said, adding that the complexity of encrypting those data center links varies between organizations dependent on the size of their operation, how data is transferred and the number of data centers they support.
Of the 18, only Dropbox, Google, Sonic.net, SpiderOak, Twitter and Yahoo said they do encrypt links between data centers. Microsoft was the lone company to concede it did not, while the EFF was unable to determine either way for the remaining companies.
Dropbox, Google, Sonic.net and SpiderOak were the only companies to score a checkmark in all five categories.
“They understand their customers want privacy and security, and are willing to deploy additional measures to ensure crypto is in place against a wide variety of attack vectors,” Opsahl said. “This helps their customers feel more secure about their data.”
Most on the list support HTTPS, although Amazon and Tumblr do so in a limited fashion. Fewer than half support HSTS and even few still support STARTTLS, which the EFF says is especially important for email service providers. STARTTLS encrypts communication between email servers over SMTP; if both providers use the protocol, the message is encrypted, if one does not, it is sent in clear text.
“We have asked for email service providers to implement STARTTLS for email transfer,” the EFF said in a blogpost. “It’s critical to get as many email service providers as possible to implement the system.”
Perhaps of more criticality are the number of large service providers that did not score so well in the report. Amazon, Apple and Tumblr earned one checkmark between them (Apple’s iCloud for its support of HTTPS). Carriers AT&T, Comcast and Verizon earned zero checkmarks between them; AT&T and Verizon have a history of cooperation with the government on surveillance issues, Opsahl said. The EFF and AT&T were embroiled in a lawsuit over the carrier’s alleged cooperation with the NSA’s spying program that was eventually settled when Congress gave AT&T retroactive immunity.
“We’re still concerned by their cooperation,” Opsahl said.
Regardless of encryption deployments, sometimes companies, such as Lavabit, have not been able to overcome government surveillance. Lavabit is alleged to have been Edward Snowden’s secure email provider; rather than turn over its decryption keys to the government, Lavabit shut its doors and went out of business. Silent Circle soon thereafter shuttered its secure email service, Silent Mail, before it too would be compelled to turn over its keys to the government.
In the meantime, the EFF hopes the crypto scorecard will nudge more Internet companies toward deploying encryption across the board.
“For the ‘Who Has Your Back’ report, it has worked well with companies interested in getting a good report. We’ve been able to add stars to several companies over time,” Opsahl said. “The idea is to encourage companies to have a race for the top and be able to show customers they are dedicated to providing quality security.”
