Latest NSA revelation is black eye for Yahoo

Alistair Barr | USA TODAY

The latest revelation that the NSA collected millions of contact lists from the leading online messaging services is a particular black eye for Yahoo, security and privacy experts said Tuesday.

During a single day last year, the NSA's Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Microsoft's Hotmail, 82,857 from Facebook, 33,697 from Google's Gmail service and 22,881 from unspecified other providers, The Washington Post reported late Monday.

Those figures, described as a typical daily intake, correspond to a rate of more than 250 million a year, the newspaper added, citing an internal NSA presentation leaked by former NSA contractor Edward Snowden.

The NSA may collect so many more address books from Yahoo than from other big services because Yahoo, unlike those other providers, has left connections to its users unencrypted by default, The Washington Post said.

Suzanne Philion, a Yahoo spokeswoman, said the company will start encrypting all its e-mail connections in January. Google was the first to secure all its e-mail connections, turning on a common security technology called "SSL encryption" globally in 2010.

"This shows that Yahoo doesn't care much about privacy," said Bruce Schneier, a well-known security technologist who has seen and commented on many of the documents Snowden leaked this year. "It's all about public relations. Yahoo said 'yikes we should do something because we don't want to look bad.'"

In addition to making encryption a default feature by January 2014 for all Yahoo Mail users, the company plans to move to 2048-bit encryption keys, a stronger configuration of the same technology, Philion said Tuesday.

"We take the security of our users very seriously," Jeffrey Bonforte, senior vice president of Communication Products at Yahoo, wrote on the company's Tumblr page. "In a constantly changing digital environment, we recognize the need to continuously evaluate how to best protect your information."

While the latest revelations make Google look relatively responsible, the company had to be persuaded to make encryption a default setting for Gmail, according to Schneier and others.

In 2009, Christopher Soghoian, Principal Technologist at the ACLU's Speech, Privacy and Technology Project, wrote an open letter to Google executive Eric Schmidt calling on the company to make this change. The letter was signed by 38 security and privacy researchers, including Schneier.

At the time, Google was offering encryption as an opt-in feature for Gmail and this was largely hidden from users, so no one enabled it, according to Soghoian.

"There were lots of concerns," said Soghoian. "We argued that it was really important to enable it by default."

Google employees told Soghoian that they thought it would be too slow or expensive to make encryption a default setting for Gmail, he said.

However, Google announced full encryption for Gmail in early 2010, and the company was followed by Twitter, then Microsoft and Facebook, in that order, Soghoian recalled.

"It should not have taken Yahoo this long and lots of people have complained to the company," Soghoian said. "It's really embarrassing for the company in the wake of the NSA revelations this year. They knew the government was doing this and they still did nothing about it."

One explanation may be that it is difficult to switch e-mail accounts, and Yahoo may have bet that most of its customers would stay with the service anyway. Yahoo may also have chosen to devote engineering resources to new features rather than to security upgrades that would be largely invisible to users, Soghoian said.

"The NSA has been able to gorge themselves on Yahoo users' information because of this lack of basic security protection," he added. "That it's taken them four years is really a black mark for the company. They cannot be said to be a security innovator. But better late than never."