The Washington Post

Yahoo’s uphill battle to secure its users’ privacy

The Yahoo logo is shown at the company's headquarters in Sunnyvale, Calif. (Reuters/Robert Galbraith)

On Wednesday, Yahoo's freshly minted Chief Information Security Officer Alex Stamos announced the company had implemented a series of stronger security and privacy measures, including securing traffic that moves between their servers and encrypting most search queries automatically.

This is a major step for Yahoo, which has been dogged by critics for years for lagging behind its competitors on some basic privacy and security measures. In a Tumblr post, the company proclaims its latest announcement is only the start of a broader mission "to not only make Yahoo secure, but improve the security of the overall web ecosystem."

But although Yahoo, Google, and others have upped their security game in light of the revelations about National Security Agency spying over the last year, the tracking practices tech firms rely on for advertising also appear to have made some covert government operations easier. While some question if Yahoo's business model is incompatible with completely securing user data, the company argues that its work to lock down the online advertising space will benefit the security of Internet users at large.

In the fall, Yahoo announced it was moving forward with enabling encryption by default for Webmail users in response to a Washington Post story, which was based on documents from former NSA contractor Edward Snowden, that revealed the NSA had collected millions of address books globally. One of the slides revealed in that story indicated the NSA was collecting substantially more addresses from Yahoo than the other providers -- over 400,000 from Yahoo vs. 105,068 from Hotmail or 33,697 from Gmail. These figures likely reflected that Yahoo was not using encryption for their front-end Webmail users or the back end of their e-mail delivery system.

Enabling encryption means creating a sort of digital tunnel between the user and a service that can help keep out the prying eyes of governments, hackers, or Internet Service Providers. The most common type, SSL or HTTPS, is deployed by many e-commerce and communications sites around the Web.

Google offered SSL encryption as an option for Webmail as early as July 2008 and made it the default for Gmail Web users in early 2010. Microsoft provided SSL encryption as an option for Hotmail in November of 2010; it became the default for Webmail logins when the company rebranded their free E-mail product as in July of 2012. Facebook also beat Yahoo to the party, offering SSL as an option in November 2011 and making it the default for U.S. users in February of 2013 and for users worldwide in July.

Yahoo implemented encryption on the front-end in January, although with a few technical hiccups. And on Wednesday, it announced the enabling of encryption for mail between its own servers and with other mail providers that support a widely used standard. In fact, all data traveling between Yahoo data centers has been encrypted since March 31 according to Stamos's post. Google made a similar announcement last month. A 2013 Washington Post article revealed that the NSA was tapping into the links between the data centers of both companies.

Stamos announced other improvements such as enabling HTTPS encryption by default for search queries through the homepage and "most Yahoo properties" as well as implementing other security best practices such as Perfect Forward Secrecy on Homepage, Mail, and some other properties.

"We are currently working to bring all Yahoo sites up to this standard," wrote Stamos. But he also noted some exceptions: Despite the functionality to run HTTPS, Yahoo News, Yahoo Sports, Yahoo Finance, and Good Morning America on Yahoo would remain unencrypted by default. The Wall Street Journal reported the delay was caused by compatibility issues with some advertising partners, and represented a fundamental conflict with Yahoo's business model. "It’s a little harder than to just flip a switch," Stamos told the Journal. "It’s just a bigger project than I expected."

In an interview with The Washington Post, Stamos clarified the issue -- saying the hang-up was specifically related to content distribution partnerships for video. Unlike Google and other big tech companies which run their own advertising networks, Yahoo has numerous media and content partnerships, which forces it to manage relationships with a wide array of advertising networks. Yahoo, after all, is a bit of a hybrid media and technology company. It has heavily invested in its media operations with high profile hires, such as former New York Times technology guru David Pogue to run a technology site and Katie Couric as its global anchor.

But the advertisers who distribute ads for Yahoo's video partners aren't ready for encryption, Stamos says, partially due to technological barriers. "None of the big video distribution sites have supported HTTPS... it's a more technologically difficult task," he explained. While some content delivery systems do have the capabilities to roll out SSL-enabled video content, it is more resource intensive and not widely deployed.

Stamos doesn't have a timeframe for the next step, but he does expect to go SSL by default on all properties eventually and says the company is working "aggressively" to bring partners on board with encryption. And if Yahoo can pressure them to use stronger privacy protections, it could raise standards across the entire industry.

Many major media sites, including The Washington Post, do not encrypt user traffic by default. However, some privacy advocates are urging news sites to adopt the practice, and there are a few examples of it being broadly deployed, like in Pierre Omidyar's recently launched First Look Media venture.

Christopher Soghoian, a senior technologist at the American Civil Liberties Union who had long pressured Yahoo to encrypt Webmail, thinks the contractual obligations between the company and advertising networks are part of the problem. The networks are invisible to most users, he says, but are frequently collecting information about browsing histories to target advertisements. When sites run SSL, ad networks that do not support the encryption may be blocked by the user's browser -- potentially cutting off a significant revenue stream.

But Stamos says calling the delay on default encryption to Yahoo media properties that display video content entirely about advertising revenues "paints an incomplete picture." Instead, he argues it's about delivering the best user experience. And at this moment, he says, Yahoo's partners aren't there yet.

Stamos co-founded cybersecurity company iSEC Partners and organized the first TrustyCon, a computer conference created as an alternative to the more industry-aimed RSA cybersecurity conference, that occurred days before his move to Yahoo was announced. "The fact that they hired Alex Stamos is a really good sign," says Soghoian, who calls Stamos "massively respected" in the privacy community.

"They are clearly trying to right the ship," he says, but expects it will take time for Yahoo to manage its relationships with some advertising networks -- and says the company shouldn't necessarily be blamed for that. "There are some things that are within Yahoo's control and others that probably aren't."

For his part, Stamos seems optimistic. "Our goal is to have all of your interactions with Yahoo be encrypted by default without you doing anything," he said.

That will be good news for many privacy activists, who have been pushing tech companies to increase security measures in the wake of NSA revelations. Some of those revelations showed that the NSA was directly leveraging tracking mechanisms, such as cookies deployed by companies like Google and Yahoo, to further covert hacking operations. Stamos says those disclosures have certainly brought a valuable amount of attention to privacy and security, but Yahoo wants to move toward a comprehensive model. "The NSA revelations are interesting because it demonstrates what a highly sophisticated and very well monied adversary can do, but that isn't our only concern," he said.

"Yahoo is certainly moving in the right direction in rolling out key security upgrades, but there's still a long way to go," says Amie Stepanovich, senior policy counsel at Access, an online rights advocacy organization, which is trying to raise the threshold for basic security practices through a project called Encrypt All the Things.

In regards to advertising, Stepanovich says data collection or targeting isn't an excuse for not securing data. "In fact, without proper security, collection of personal information can become a dangerous business practice," she says. "If today's business models cannot support proper security for all collected information, it's time to revisit those practices."