The Washington PostDemocracy Dies in Darkness

Yahoo to roll out end-to-end encryption option for all Yahoo Mail users in 2015

Yahoo announced a major initiative to give its Mail users more privacy options at the Black Hat USA conference Thursday. (Angel Navarette/Bloomberg)
Placeholder while article actions load

Yahoo will be rolling out end-to-end encryption capabilities for all Yahoo Mail users in 2015, the company's chief information security officer, Alex Stamos, announced during a talk at the Black Hat USA conference in Las Vegas Thursday.

Electronic Frontier Foundation technologist Yan Zhu, who worked on the HTTPS Everywhere and Privacy Badger browser add-ons and served as a core developer for the anonymous digital leaking tool SecureDrop, was announced as the first hire for the project.

Zhu says that over the past few years she has seen increased interest in accessible end-to-end encryption products, particularly from startups. But Yahoo's established user base could, she says, help make encrypting e-mail more mainstream. The company reports having more than a billion Yahoo Mail users.

"Yahoo Mail has a lot of users already using it," Zhu said in an interview with The Washington Post, "and mail is pretty sticky. It does take effort for people to change their mail service, so people would prefer to use their Yahoo Mail, or Gmail, or Hotmail with encryption rather than make a new account."

End-to-end encryption creates a sort of digital tunnel between the senders and receivers of e-mails -- helping to keep the prying eyes of everyone from governments to Internet service providers and mail providers themselves from seeing the content of messages. Most major mail providers already provide SSL encryption for webmail users -- Yahoo started the practice earlier this year, after revelations that its lack of the encryption gave the National Security Agency greater ability to collect users' address books than from other major providers. But end-to-end encryption is more technically difficult for the average user to implement and hasn't seen as widespread adoption among major services.

Google released the first version of an extension for its Chrome browser that allows users to send end-to-end encrypted message through Gmail in June. Stamos says Yahoo intends to offer end-to-end encryption to its Yahoo webmail users in a similar way. He added that the company is working with Google to make their implementation compatible with Gmail's.

Yahoo, Stamos said, is also working on building end-to-end encryption into the Yahoo Mail mobile app. He said he hopes that capability will be released in 2015, with the browser plugin for webmail targeted for release earlier that year.

Stamos says that Yahoo does not expect the move to encrypt end-to-end e-mails will have any impact to on its ability to make money from mining information for advertising purposes.

"The kind of targeting that happens in e-mail servers does not usually happen against person-to-person e-mails," he says, instead coming from commercial marketing e-mails that he says users are unlikely to chose to be encrypted end-to-end.

Yahoo has historically been considered behind the curve when it came to security best practices, and the company hit a number of security and stability hiccups in the past year. But Yahoo seems to be taking a more rigorous approach to the issue since Stamos joined the company in the spring.

Stamos reports that chief executive Marissa Mayer now personally reviews the number of unresolved security bugs on a weekly basis.

In his Black Hat presentation, Stamos also encouraged security vendors to help develop security tools that could scale up to the needs of companies like Yahoo, arguing the cybersecurity researchers in the room had a moral obligation to help make the Internet safer for regular users. Yahoo, Stamos says, intends to release the programming for its encryption plug-in as open-source code.

"Our profession has never been this important," Stamos said. "We are in a world historical moment where people in our profession have the ability to change whether or not the Internet is going to be the center of freedom and free expression and democratization we always thought it could be, or if it is going to be a tool of oppression and censorship and monitoring by both democratic and non-democratic governments."