The Washington Post

Yahoo is extending encryption across its services — but you’ll have to turn it on yourself

Yahoo Inc. Chief Executive Marissa Mayer attends the annual meeting of the World Economic Forum (WEF) in Davos, Switzerland in this Jan. 25, 2013, file photo. (Pascal Lauener/Reuters)

Three weeks after The Washington Post reported that the NSA had broken into Yahoo's data center traffic, the company has announced that it's locking down its systems. It's a timely step for the company, which has mostly lagged behind other companies when it comes to user privacy.

In a Tumblr post Monday, CEO Marissa Mayer pledged that Yahoo would encrypt all of its internal network communications by the end of the first quarter of 2014. That should help insulate users somewhat against unwanted snooping by hackers and government agencies. In addition, the company plans to extend SSL encryption to all of its services, expanding on an earlier promise to enable the security feature by default for its e-mail users.

"We appreciate, and certainly do not take for granted, the trust our users place in us," Mayer wrote.

Yahoo is also making like its peers in other ways. For instance, it'll be adopting longer security keys right out of the gate. An industry working group agreed in February to make 2048-bit keys the new standard by year's end, and now Yahoo has vowed to use them, too.

Revelations about NSA spying have raised the pressure on tech companies to safeguard their assets. Google this summer said it would accelerate plans to encrypt its data center traffic. Meanwhile, confronted in Europe over the issue, a Microsoft spokeswoman admitted last week that her company does not encrypt its internal data streams.

The one drawback to Yahoo's plan? While the company will encrypt the information traveling within its own systems, any data you send to Yahoo — and any information you receive in return — will remain unencrypted unless you deliberately opt in. Since altering a routine is a lot harder than doing nothing, this effectively raises the bar users must clear to get good security, meaning that a number of people are likely to forget about the option or remain unprotected because they never heard about the feature in the first place.

Still, even an incremental upgrade should please the most privacy-conscious among us.