The Washington Post

Yahoo’s plan to get Mail users to encrypt their e-mail: Make it simple

(Angel Navarette/Bloomberg)

Keeping your e-mail messages super private can be a pain. Most free e-mail providers automatically provide SSL encryption for Web mail users, which protects messages in transit but still means data can be seen by the service, as well as the senders and recipients of messages. But end-to-end encryption, a feature that locks up message contents so that only the sender and receiver can read them, can be a much more cumbersome process for e-mail, often involving specialized software and looking up encryption keys.

The whole thing can be so tricky that very few people actually use it -- or if they do, it's used only for the most sensitive of messages.

But in the wake of reports from Edward Snowden about the National Security Agency's access to data held by tech giants, many of those companies have pursued technological solutions to shore up customers' trust, including an expansion of end-to-end encryption. Google announced in June that it was working on a Chrome plug-in to provide end-to-end for Gmail users. Yahoo, too, is working on end-to-end.

In August, Yahoo information security chief Alex Stamos announced that the company would release its own version of the plug-in for all Yahoo Mail users in 2015 -- and it will work with Google's plug-in, which matters because both sides of an exchange need to be on board for end-to-end to work. Given the sizable user base of Gmail and the billion-plus Mail users Yahoo claims, that could mean a lot more people who will suddenly have an easier way to communicate more securely.

And now, Yahoo is ready to talk about its progress.

"What we're trying to do at Yahoo is build our products so they're safe and trustworthy, not just secure," Stamos told The Washington Post in an interview. That means making tools that are both simple enough for everyday users and strong enough to protect those facing more advanced threats, such as journalists and activists working in areas where freedom of expression is restricted, he said.

This ease of use could be especially important for Yahoo, whose Web mail service is practically a generation older than some competitors. "Mail is one of the cornerstones of the Yahoo experience. It's one of the ways we engage with some of the oldest and most dedicated Yahoo users," Stamos said.

Getting users to take an extra step to secure their messages may be difficult if it takes more than a few clicks, which is one of the reasons Yahoo is working to make it that easy.

During a presentation at the South by Southwest conference Sunday, Stamos showed off a video that compared getting set up for end-to-end encryption using the Yahoo Mail plug-in versus a more traditional method. In the video, the Yahoo plug-in user was sending the first encrypted message a minute in -- and then spending the rest of the video looking up cat pictures. (Predictably, on Yahoo-owned Tumblr.)

But even if the process is nearly painless, Stamos doesn't expect users to suddenly start using it for everything. Instead, he imagines end-to-end being used on messages containing sensitive information, like when sending tax documents to an accountant or having a private digital conversation with a spouse. The majority of messages a person receives would likely still be unencrypted -- which is good for companies like Yahoo that scan the contents of users' messages to serve them with targeted advertising, something that wouldn't work in a world where all messages were encrypted end-to-end.

Yahoo isn't ready to roll out its end-to-end plug-in to users just yet, but it is releasing the code behind the plug-in for public review and hopes for a launch by the end of the year, according to Stamos.

The company also showed off its plans for new authentication features at SXSW, including additional ways to verify user identities using push notifications in mobile apps and codes sent via text message. Like Yahoo's end-to-end efforts, these features remain in development. But Stamos told The Post that the long-term goal was to transition its users away from passwords in favor of more secure options -- a vision shared by other tech companies.

Yahoo has a history of being behind the times on security features: It was late to roll out SSL by default for Web mail users, only announcing the change after Snowden reports showed the lack of the feature allowed the NSA greater ability to collect Yahoo users' digital address books than it could from other major providers.

But Stamos, who joined Yahoo a year ago, has been outspoken about user privacy and security, even going head to head with the director of the NSA in a heated exchange at a Washington cybersecurity conference last month.