Yahoo has announced this morning that it will make all traffic flowing between its data centers encrypted by Q1 of 2014. This follows moves by other companies like Google to do so after recent revelations about the NSA’s data gathering sparked concern and outrage.
Yahoo’s announcement, made by CEO Marissa Mayer, outlines a plan to encrypt all of the data that moves between its data centers internally. Yahoo recently announced plans for 2048-bit key SSL encryption in Yahoo Mail by January 8th, 2014. The company’s other encryption plans include offering encryption for all data traveling between Yahoo and its customers by the end of Q1 ’14. Yahoo says that it will work with all of its co-branded international Mail partners to ensure that at least the basic HTTPS protocol is enabled.
“As you know, there have been a number of reports over the last six months about the U.S. government secretly accessing user data without the knowledge of tech companies, including Yahoo,” says Mayer. “I want to reiterate what we have said in the past: Yahoo has never given access to our data centers to the NSA or to any other government agency. Ever.”
The announcement today comes in the wake of Google making similar moves (which began last year). Google began encrypting the traffic between its data centers after the exposure of a joint NSA-GCHQ program known as MUSCULAR, under which the agencies spliced themselves into the communications between the company’s servers to gather data on surveillance subjects. The MUSCULAR project also targeted Yahoo directly, as shown in government documents obtained by Edward Snowden and exposed by The Washington Post.
The plan outlined a procedure which could intercept SSL communications between server groups at Yahoo or Google (or other large tech firms with lots of user data) to gather information on hundreds of millions of user accounts, both foreign and domestic. The WaPo report stated that millions of records a day were intercepted from Yahoo and Google networks:
According to a top-secret accounting dated Jan. 9, 2013, the NSA’s acquisitions directorate sends millions of records every day from internal Yahoo and Google networks to data warehouses at the agency’s headquarters at Fort Meade, Md. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — including “metadata,” which would indicate who sent or received e-mails and when, as well as content such as text, audio and video.
Earlier this month, Google engineer Brandon Downey posted a personal (not company) statement about the WaPo story, putting it bluntly:
Fuck these guys.
I’ve spent the last ten years of my life trying to keep Google’s users safe and secure from the many diverse threats Google faces.
I’ve seen armies of machines DOS-ing Google. I’ve seen worms DOS’ing Google to find vulnerabilities in other people’s software. I’ve seen criminal gangs figure out malware. I’ve seen spyware masquerading as toolbars so thick it breaks computers because it interferes with the other spyware.
I’ve even seen oppressive governments use state sponsored hacking to target dissidents.
But even though we suspected this was happening, it still makes me terribly sad. It makes me sad because I believe in America.
Google announced that its efforts to encrypt all of its internal communications were approved last year, but ‘accelerated’ in June after Snowden’s revelations prompted fears of data tapping.
After being queried by the Register about its encryption practices, fellow data-heavy giant Microsoft said that it did not encrypt server-to-server traffic and that “recent disclosures make it clear we need to invest in protecting customers’ information from a wide range of threats, which, if the allegations are true, include governments. We are evaluating additional changes that may be beneficial to further protect our customers’ data.”
Encrypting server-to-server traffic seems like a no-brainer, but Yahoo is not alone in scrambling to put it into effect. The saddest aspect is that the lack of action here was largely due to an expectation that our own government would respect that privacy, not to any lack of fear of outside ‘malicious actors’.