In an extremely important and positive development triggered by Edward Snowden, Yahoo announces that like Google they will begin to encrypt email. It was clear that the only way that government spying could be thwarted is if the big companies started including sophisticated encryption methods into their software and made it easy to use, because ordinary people would be too intimidated by what is required to do so on their own. We cannot depend upon Congress to rein the NSA in.
Yahoo said Thursday it will join an effort by rival Google to create an encrypted email system by next year that could make it mathematically impossible to hand over users’ messages to a court.
If they’re successful, it would mark a big step in bringing encrypted messaging — long the province of privacy hawks and conspiracy theorists — to a consumer-friendly service.
Both companies say the encryption tool will be an optional feature that users will have to turn on.
It will rely on a version of PGP encryption, a long-tested form of encryption that has not yet been cracked. Unlike traditional webmail services that rely on tech companies holding passwords and usernames for consumer accounts, PGP relies on each user having their own encryption key stored on their laptops, tablets and smartphones.
In an interview, Yahoo’s chief information security officer, Alex Stamos, acknowledged there are challenges ahead for bringing such a tool to the general public.
For one, Yahoo has to explain to users how PGP works and that it is not a panacea for privacy concerns. For instance, it only encrypts the content of messages — not the data on who sends and receives the messages or the subject line.
“We have to make it to clear to people it is not secret you’re emailing your priest,” Stamos said in an interview at the Black Hat security conference here. “But the content of what you’re emailing him is secret.”
The big issue is whether the government can demand the companies to hand over the encryption keys and whether they will do so. The US government forced the owner of the company Lavabit, which also had an encrypted mail service, to shut down his company because he refused the government’s request to hand over the encryption keys. But Stamos says that the government cannot that easily push a big corporation around.
“It’s not clear the Lavabit example actually scales up,” he said. “That’s very different from a publicly traded multibillion dollar company with an army of lawyers who would love to take this argument all the way to the Supreme Court.”
It will be interesting to see how the government will respond to this serious challenge to its spying powers.