Now that we know the National Security Agency has figured out how to break into the links connecting various servers owned by Google and Yahoo — and without the companies' consent — it's fair to ask what the tech giants plan to do about it.
Yahoo, however, is a different story. According to Barton Gellman and Ashkan Soltani, the company has given no indication that it plans to encrypt its data center traffic anytime soon.
This isn't a total surprise: Yahoo also dragged its feet for years before it finally announced this month it would let users log into its e-mail service on a secure connection. (Google began offering SSL logins as early as 2008. Microsoft switched it on for Hotmail in 2010, and Facebook had it by 2011.)
Based on this track record, we might expect Yahoo to encrypt its internal network traffic by sometime in, oh, 2018. Multiple e-mails and a phone call to Yahoo on Wednesday afternoon were not returned.
"Of the big Silicon Valley tech companies, they've always been the slowest to embrace security technologies," says Christopher Soghoian, principal technologist at the American Civil Liberties Union.
Just because the spotlight is on Yahoo doesn't exempt other businesses, though. Since consumers can't easily assess the security of a given Web site or service just by looking at its homepage, tech companies lack the incentive to spend more resources than they do beefing up their systems. Security teams that have to compete with other departments for funding tend to lose out against teams building consumer-facing features.
"That encourages companies to put more effort into things like redesigns or logos," Soghoian says.
Update: Sarah Meron, a Yahoo spokesperson, declined to comment for this story.