Yahoo announced Thursday it will encrypt its email service by early next year, joining Google and Microsoft in an effort to create an email system that prevents government officials and hackers from reading users’ messages. It’s a major step for Yahoo in the wake of the Edward Snowden leaks, and it reflects the commitment of the major technology companies to securing users’ data.
With Yahoo’s announcement, first reported by the Wall Street Journal, email encryption will protect nearly one billion email users. There are 110 million Yahoo email users and over 425 million unique users of Google’s Gmail service. Microsoft says there are over 400 million active Outlook.com and Hotmail accounts. Widespread email encryption of the kind Yahoo is announcing is a huge blow to government surveillance techniques, like those employed by the National Security Agency.
“For Internet users, this is a huge deal,” said Jeremy Gillula, staff technologist at the Electronic Frontier Foundation. “Before, the NSA was able to easily gather up tons and tons of email.” But, with Yahoo’s planned encryption service, “the NSA can’t read and analyze everyone’s emails without discernment,” Gillula said.
Yahoo will base its encryption on what’s known as PGP (Pretty Good Privacy) encryption, which relies on every user having both a public and private encryption key. The public encryption key, to which any other email user will have access, encrypts plain email text into a complicated code. Then a user’s private code decrypts the code back into plain text when it arrives in their inbox. Each of the keys act almost like x and y variables in an equation: even though you know the public key x, you won’t be able to break the equation, because you still need the private key y. Essentially, the only people who can read your emails become you and the person to whom you’re sending them.
The tech titans’ steps towards encryption means that email users can be confident the only people reading their emails are the intended recipients. But for major tech companies, it also means regaining customers’ trust — particularly abroad, where intense scrutiny over American companies’ vulnerability to National Security Agency snooping could lead firms like Oracle, IBM and Hewlett-Packard to lose billions of dollars in contracts.
There are holes in the big technology companies’ encryption plans, however. Encryption doesn’t protect subject lines, or the data about who sends and receives messages, the Wall Street Journal reports. That leaves your email about as vulnerable as your phone records under the NSA’s mass collection of calling metadata—most of the content of your messages is safe, but who you called is not.
On top of that, the NSA is working on ways to circumvent different kinds of encryption used to protect emails and financial transactions, according to documents that Snowden leaked last year. U.S. and British intelligence agencies have already cracked some of the online encryption methods hundreds of millions of people use to protect their data, the Guardian and others reported last year. And the NSA is quietly working on a super powerful quantum computer intended to break encryption codes.
However, says the Electronic Frontier Foundation’s Gillula, Yahoo is likely to be clever about what kind of encryption it uses, and PGP encryption is still thought to prevent mass sweeps of large volumes of email — even if the NSA can already crack PGP encryption, as some commentators believe, using it will almost certainly slow the agency down, while protecting emails from lesser-equipped would-be snoopers.
“Now the NSA has to think about what they want to collect, as opposed to searching through everyone’s email and doing it in a mass way,” said Gillula.
Yahoo still has to figure out the details of its planned encryption program. Will it store the private keys on its own servers, making them vulnerable to internal theft and sweeping government warrants? Or will it allow each email user to store the private keys locally, adding a level of inconvenience for users? Whatever Yahoo decides to do, its announcement is a major step forward for Internet privacy, and likely unwelcome news for the intelligence community.