The Industry

How Well Do Tech Companies Protect Your Data From Snooping?

Data lock
iStockphoto

What happens to your information online? Is it safe? Is it private?

The answers depend in part on what services you use. So we set out to help you figure out the answers for yourself.

But you may have noticed there is a lot of stuff on the Internet, and I am sorry to say we didn't test it all.

Fortunately for you, we are not the only ones asking these questions. The Electronic Frontier Foundation surveyed big tech companies and asked them what kinds of encryption they've been using. And last week Google started naming and shaming email providers who were not encrypting email messages as they passed between companies.

We drew on their efforts and our own results to build this chart.

Enjoy. [And if you are wondering what HSTS or those percentages mean, there is an explanation at the bottom of the post.]

Now where did I put my invisibility cloak?

Update at 11:44 a.m. ET: Apple Now Says It's Working To Encrypt Email Between Providers

How Tech Companies Stack Up On Encryption

Several months ago, the Electronic Frontier Foundation asked major Web service providers whether they were taking five steps that EFF believes help keep consumers' data safe and secure. We reached out to each of the companies on this list to see what they were doing now. Some are not using encryption (no), some declined to give us specifics (unknown), some were adding those services (working on it) and some were good to go (yes).

But emails that pass between different companies are only secure when both agree to encrypt the traffic. Last week, Google began publishing data documenting the percent of encrypted traffic to and from Gmail. The percentages below were drawn from that data on June 6, 2014.

What we found was based on our own testing of these services conducted with Pwnie Express and Ars Technica, our own reporting and interviews with company representatives.

The Electronic Frontier Foundation has asked service providers to implement strong encryption. Here's what the EFF wants:

HTTPS by default. This means that when you connect to a website, it will automatically use a channel that encrypts the communications from your computer to the website.

HSTS (HTTP Strict Transport Security). Lots of services offer encrypted and unencrypted versions of the same website or service. HSTS tells your browser to always use the encrypted, secure option for that service.

Forward secrecy. Sometimes called perfect forward secrecy, it uses a different key to encrypt messages in each session. This means that if the NSA or someone else cracks the key keeping one of your messages secure, they can't unravel everything you have ever written.

STARTTLS. If you are on Gmail and send me a message at my Yahoo account, those two email providers have to talk to each other. STARTTLS lets companies encrypt those messages in transit. But it is only possible if both companies use it. It takes two to tango — and Google recently started naming and shaming companies that are refusing to do this dance.

Encrypting email in transit. Lots of companies have announced this year that they will add encryption to their networks — including when they are sending email back and forth to other service providers. For this to work, both companies have to use encryption.

But, unfortunately, saying you'll do something and actually doing it are two different things. Google has started publishing the percentage of email it sends and receives from other providers that is actually encrypted. You'll see the numbers are all over the map. But one thing is clear: A lot more email traffic is encrypted today than a year ago, and since Google started publishing these numbers, the figures have shot up.

Ahh, transparency.
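HSTS and STARTTLS are both things a server announces in plain text, so they can be checked from a captured response. The following is an added example, not the test code used for this post or by EFF; the function names and the sample responses are constructed for illustration.

```python
import re

def parse_hsts(headers):
    """Return the HSTS policy from (name, value) response headers, or None."""
    # Only the first Strict-Transport-Security header counts (RFC 6797).
    value = next((v for n, v in headers
                  if n.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"[0-9]+", arg):
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    # max-age is mandatory; without it browsers ignore the header.
    return policy if policy["max_age"] is not None else None

def hsts_enabled(headers):
    """'yes' only if the browser would keep forcing HTTPS afterwards."""
    policy = parse_hsts(headers)
    # max-age=0 tells the browser to forget the policy, so it counts as off.
    return "yes" if policy and policy["max_age"] > 0 else "no"

def offers_starttls(ehlo_reply):
    """True if a mail server's EHLO reply lists the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ](\S+)", line)
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False

# Constructed sample responses (not captured from any real service).
GOOD_HEADERS = [("Content-Type", "text/html"),
                ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
EXPIRED_HEADERS = [("strict-transport-security", "max-age=0")]
PLAIN_HEADERS = [("Content-Type", "text/html")]
EHLO_WITH_TLS = "250-mx.example.test Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_NO_TLS = "250-mx.example.test Hello\r\n250-SIZE 35882577\r\n250 8BITMIME"

if __name__ == "__main__":
    for label, h in [("good", GOOD_HEADERS), ("expired", EXPIRED_HEADERS),
                     ("plain", PLAIN_HEADERS)]:
        print(label, "HSTS:", hsts_enabled(h))
    print("STARTTLS offered:", offers_starttls(EHLO_WITH_TLS), offers_starttls(EHLO_NO_TLS))
```

A server listing STARTTLS only shows it is willing; whether a given message is actually encrypted still depends on the other provider, which is what Google's percentages measure.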

So, how did we pick what companies to test? We picked services we used or where we had interesting data and something useful to say. Largely this is stuff we use and were curious about.

Aren't Skype and WhatsApp owned by other companies? Yes, well, almost. Microsoft owns Skype, and Facebook's acquisition of WhatsApp hasn't closed yet. But we tested these services independently because mergers don't necessarily change how a company's technology works.
