Many large Web companies have failed to adopt a decades-old encryption technology to safeguard confidential user communications. Google is a rare exception, and Facebook is about to follow suit.
June 26, 2013
Revelations about the National Security Agency’s surveillance abilities have highlighted shortcomings in many Internet companies’ security practices that can expose users’ confidential communications to government eavesdroppers.
Secret government files leaked by Edward Snowden outline a U.S. and U.K. surveillance apparatus that’s able to vacuum up domestic and international data flows by the exabyte. One classified document describes “collection of communications on fiber cables and infrastructure as data flows past,” and another refers to the NSA’s network-based surveillance of Microsoft’s Hotmail servers.
Most Internet companies, however, do not use a privacy-protective encryption technique that has existed for over 20 years — it’s called forward secrecy — that cleverly encodes Web browsing and Web e-mail in a way that frustrates fiber taps by national governments.
Lack of adoption by Apple, Twitter, Microsoft, Yahoo, AOL and others is probably due to “performance concerns and not valuing forward secrecy enough,” says Ivan Ristic, director of engineering at the cloud security firm Qualys. Google, by contrast, adopted it two years ago.
Phi Beta Iota: Forward secrecy is neither new nor the first idea. Eric Hughes in the early 1990s conceptualized end-user controlled encryption for banking data. The bottom line is that encryption is irrelevant if human integrity is lacking, and we have certainly seen that human integrity is lacking at both Google and Facebook. The human factor is central to both protecting information and exploiting information in context. Technology is a sideshow. The main event is human, and that is what governments and other institutions have failed to develop to its fullest potential of intelligence and of integrity.