The Washington PostDemocracy Dies in Darkness

Even after NSA revelations, Yahoo won’t say if it plans to encrypt data center traffic

Yahoo Chief Executive Marissa Mayer speaks on stage during a fireside-chat session at TechCrunch Disrupt SF 2013 in San Francisco last month. (Stepehen Lam/REUTERS)

Now that we know the National Security Agency has figured out how to break into the links connecting various servers owned by Google and Yahoo — and without the companies' consent — it's fair to ask what the tech giants plan to do about it.

Google has an easy answer: It's putting its data centers under digital lock and key, encrypting the user content that flows internally across its network. Millions of records traverse these paths every day, and they include e-mail headers, audio, video and other information. Encryption is hardly a foolproof method, but it does significantly raise the barrier to eavesdropping and would force the NSA to rely more heavily on court orders and other formal data requests rather than outright spying.

Yahoo, however, is a different story. According to Barton Gellman and Ashkan Soltani, the company has given no indication that it plans to encrypt its data center traffic anytime soon.

This isn't a total surprise: Yahoo also dragged its feet for years before it finally announced this month it would let users log into its e-mail service on a secure connection. (Google began offering SSL logins as early as 2008. Microsoft switched it on for Hotmail in 2010, and Facebook had it by 2011.)

Based on this track record, we might expect Yahoo to encrypt its internal network traffic by sometime in, oh, 2018. Multiple e-mails and a phone call to Yahoo on Wednesday afternoon were not returned.

"Of the big Silicon Valley tech companies, they've always been the slowest to embrace security technologies," says Christopher Soghoian, principal technologist at the American Civil Liberties Union.

Just because the spotlight is on Yahoo doesn't exempt other businesses, though. Since consumers can't easily assess the security of a given Web site or service just by looking at its homepage, tech companies lack the incentive to spend more resources than they do beefing up their systems. Security teams that have to compete with other departments for funding tend to lose out against teams building consumer-facing features.

"That encourages companies to put more effort into things like redesigns or logos," Soghoian says.

Update: Sarah Meron, a Yahoo spokesperson, declined to comment for this story.