Tech companies furious at the National Security Agency for reports of spying on their networks and risking the trust of their customers are adding encryption to parts of their networks that were previously unsecured, which won't prevent the agency from asking for data but could stop a hacker.
Twitter plans to set up new types of encryption to protect its messages, the New York Times reports. Google also began encrypting data flow between its data centers in September out of fear that intelligence agencies were spying on those signals.
It turns those fears may have been accurate, as reports by the Washington Post indicate the intelligence agency uses a backdoor program called MUSCULAR to tap international cables to infiltrate overseas data centers of Yahoo and Google. Army Gen. Keith Alexander, director of the NSA, denied reports that the agency was tapping the data links.
Users will now have greater protection against hackers and people who might be able to snoop on their email through public wireless signals, but the NSA could still get a court order for a tech company to give the agency user data, says Christopher Soghoian, principal technologist at the American Civil Liberties Union.
"There are widely available tools that allow hackers to collect data on wireless networks in places like Starbucks," says Soghoian, a former technologist at the Federal Trade Commission.
The bad press about the NSA surveillance has also led Yahoo to announce it would implement those security protocols in early 2014, which Twitter had already done, Soghoian says. Sen. Chuck Schumer, D.-N.Y., wrote Yahoo and Twitter in 2011 asking the Web portals to add more secure protocols to protect consumers.
Adding encryption on areas where there was no encryption before will complicate efforts for the NSA to tap into Google address books of consumers without going throughGoogle, Soghoian says. Apple device users, for instance, who linked their GMail accounts to their address book applications, could have that information compromised since there was no encryption between the servers. The Post reported on Oct. 14 that the NSA collected contact lists from digital message accounts.
"Before these changes the NSA could go to Verizon and AT&T and get all the data that went over the network," Soghoian says.
Despite these changes, tech companies will have to take extra steps to regain the trust of their consumers in foreign countries, where the NSA has a legal mandate to collect information, Soghoian says. The companies will have to go a step further and make their data encrypted even to their own employees, he adds.
"The problem is that their ad business models require them to have access to data," Soghoian says. "You cannot be an advertising company and keep your customers' data from the NSA"
Consumers in foreign countries seeking services with more privacy protections can use Spider Oak, which offers encrypted online file backups, and Silent Circle, which offers encrypted phone call services. The NSA cannot get user information from those companies because customer data is encrypted and is not available in usable form.
"They don't have the ability to wiretap their customers," Soghoian says. "Companies like that can sell services to the Europeans, South Americans and everyone else that is worried about surveillance."