Monday, June 16, 2014

How Well Do Tech Companies Protect Your Data From Snooping?

June 12, 2014 3:20 AM ET

What happens to your information online? Is it safe? Is it private?

The answers depend in part on what services you use. So we set out to help you figure out the answers for yourself.

But you may have noticed there is a lot of stuff on the Internet, and I am sorry to say we didn't test it all.

Fortunately for you, we are not the only ones asking these questions. The Electronic Frontier Foundation surveyed big tech companies and asked them what kinds of encryption they've been using. And last week Google started naming and shaming email providers who were not encrypting email messages as they passed between companies.

We drew on their efforts and our own results to build this chart.

Enjoy. [And if you are wondering what HSTS or those percentages mean, there is an explanation at the bottom of the post.]

Now, where is my invisibility cloak?
Amazonunknownnonounknownunknown37%50% - 99%All pre-login browsing/shopping traffic is unencrypted, including all HTML content, images, etc. So if you search for a Nicolas Cage pillowcase, the NSA or your network administrator can see that. Amazon Web Services also provides hosting for thousands of companies. How AWS approaches encryption has ripple effects across the Internet. Right now, Amazon Web Services said, it offers its clients a variety of encryption choices.
Appleunknownyes (iCloud)nounknownworking on it0%0%Apple encrypts iMessage from end to end. It recently announced it is taking steps to make it more difficult to track its users' identity on Wi-Fi networks. Apple encrypts e-mail from its customers to iCloud. However, Apple is one of the few global email providers based in the U.S. that is not encrypting any of its customers' email in transit between providers. After we published, the company told us this would soon change. This affects users of and email addresses. We found that many app installations and iOS updates are sent unencrypted to iPhones. The configuration files that let your telecom company control aspects of how your iPhone works is also unencrypted. Apple says these updates are authenticated and can't be changed. All pre-login browsing/shopping traffic from the Apple Store is unencrypted, including all HTML content, images, etc. So if you are a huge Abba fan the NSA could find out.
AT&Tunknownunknownnounknownworking on it18%2%AT&T's public Wi-Fi network is easy to spoof and vulnerable to SSL-stripping and other attacks. AT&T configures mobile phones on the network to automatically connect to it. AT&T says it takes "extraordinary measures to protect our customers sensitive information and give them ways to manage their experience safely and conveniently."
Comcastunknownunknownnounknownworking on it43%0%Comcast's public Wi-Fi network is easy to spoof and vulnerable to SSL-stripping and other attacks. Comcast said it hopes to roll out a more secure Wi-Fi protocol soon. In the past two weeks, Comcast began adding encryption to email in transit.
Googleyesyesworking on ityesyes100%100%Google says it's been encrypting search results and search terms for years. But we found that searches for place names returned unencrypted location and map information. Google patched this bug. It was the first large company to announce it was encrypting its data while it was stored in corporate data centers.
LinkedInworking on ityesworking on itworking on ityesnot applicable50% - 99%We saw examples of LinkedIn sending links, cookies and unique session parameters in clear text. LinkedIn said it's beginning to use encryption on links between data centers.
Microsoftworking on ityesworking on itworking on itworking on it50% - 99%50% - 99%Microsoft is quickly adding encryption to its email products. Many, such as Outlook, encrypt most if not all of their inbound and outbound messages in transit. However, many inbound messages from are still unencrypted. All Bing search traffic is unencrypted, including search queries, results, image searches, etc. We also found Bing transmitting cookies in clear text, which reveals large amounts of personal information. The cookie included a link to your Facebook profile picture and a MUID number, which Microsoft called an anonymous user identifier, and the user's full name. Microsoft said this clear text cookie is being reviewed.
Pinterestunknownnounknownunknownunknownnot applicable66%Pinterest traffic is completely unencrypted even after you log in except in "settings." Pinterest did not get back to us in time to comment for this story.
Skypeunknownyesunknownunknownunknown0%0%Skype was leaking parts of users' contact lists. We contacted Skype. It said the issue had been spotted before we called and Skype has now patched it in the most recent version of the app.
Snapchatunknownyesunknownunknownunknownnot applicable65%Most traffic is encrypted but we found that Snapchat was sending unencrypted messages revealing when kids signed up for its service. We told Snapchat and the company quickly fixed that bug.
WhatsAppunknownworking on itunknownunknownunknownnot applicablenot applicableWhatsApp revealed users' telephone numbers in clear text. WhatsApp says it is working toward a fix.
Yahoo!yesworking on itworking on itworking on ityes100%100%While Yahoo has been aggressively adding encryption, it still offers many unebcrypted APIs and services.Yahoo says many customers depend on those unencrypted products, some of which are built into popular products like the iPhone.
WordPressworking on itworking on itunknownunknownunknownnot applicable0%All pre-login traffic and user blogs are unencrypted when posted on Earlier this week, WordPress announced it would be adopting end-to-end encryption. WordPress can also be hosted on other sites. So if I used WordPress on, the security and encryption settings are up to me. WordPress did not get back to us before our deadline.
Update at 11:44 a.m. ET: Apple Now Says It's Working To Encrypt Email Between Providers

How Tech Companies Stack Up On Encryption
Several months ago, the Electronic Frontier Foundation asked major Web service providers whether they were taking five steps that EFF believes help keep consumers' data safe and secure. We reached out to each of the companies on this list to see what they were doing now. Some are not using encryption (no), some declined to give us specifics (unknown), some were adding those services (working on it) and some were good to go (yes).

But emails that pass between different companies are only secure when both agree to encrypt the traffic. Last week, Google began publishing data documenting the percent of encrypted traffic to and from Gmail. The percentages below were drawn from that data on June 6, 2014.

What we found was based on our own testing of these services conducted with Pwnie Express and Ars Technica, our own reporting and interviews with company representatives.

The Electronic Frontier Foundation has asked service providers to implement strong encryption. Here's what the EFF wants:

HTTPS by default. This means that when you connect to a website, it will automatically use a channel that encrypts the communications from your computer to the website.

HSTS (HTTP Strict Transport Security). Lots of services offer encrypted and unencrypted versions of the same website or service. HSTS basically forces the service to always use the encrypted secure option.

Forward secrecy. Sometimes called perfect forward secrecy, it uses a different cypher or code to encrypt messages on each session. This means that if the NSA or someone else cracks the code keeping one of your messages secure, they can't unravel everything you have ever written.

STARTTLS. If you are on Gmail and send me a message at my Yahoo account, those two email providers have to talk to each other. STARTTLS lets companies encrypt those messages in transit. But it is only possible if both companies use it. It takes two to tango — and Google recently started naming and shaming companies that are refusing to do this dance.

Encrypting email in transit. Lots of companies have announced this year that they will add encryption to their networks — including when they are sending email back and forth to other service providers. For this to work, both companies have to use encryption.

But, unfortunately, saying you'll do something and actually doing it are two different things. Google has started publishing the percentage of email it sends and receives from other providers that is actually encrypted. You'll see the numbers are all over the map. But one thing is clear: A lot more email traffic is encrypted today than a year ago, and since Google started publishing these numbers, the figures have shot up.

Ahh, transparency.

So, how did we pick what companies to test? We picked services we used or where we had interesting data and something useful to say. Largely this is stuff we use and were curious about.

Aren't Skype and WhatsApp owned by other companies? Yes, well, almost. Microsoft owns Skype, and Facebook's acquisition of WhatsApp hasn't closed yet. But we tested these services independently because mergers don't necessarily change how a company's technology works.

No comments:

Post a Comment