RENEE MONTAGNE, HOST:
If someone was watching your connection to the Internet, what would they see? That's the question NPR's Steve Henn and a team of security experts set out to answer this spring by tapping the Internet connection in Steve's home. They soon realized that in the years since Edward Snowden's first disclosures about the NSA became public, the fabric of the Internet has changed. Some of the biggest tech companies in the world have added new layers of security and encryption to some of their most widely used services, and while the team found that encryption is much more common online than it was just a year ago, it remains far from perfect. Here's Steve Henn.
STEVE HENN, BYLINE: A couple of years ago, it really wasn't that uncommon to hear founders in Silicon Valley joke that they'd know their company had made it when their app or service finally got hacked. Encryption was kind of expensive and a pain. And for most people, security just wasn't a priority here. But if you were hacked, that meant your service, your app, was big enough to be a target, which was a sign you'd made it. Recently, though, that attitude has changed.
DAVE PORCELLO: That was the biggest surprise to me - how much has changed, how much is now encrypted that was not encrypted pre-Snowden, about a year ago.
HENN: Dave Porcello is the founder of the security firm Pwnie Express.
PORCELLO: From what I've seen, you know, most of these services were either not encrypted at all or only partially encrypting.
HENN: Then came Edward Snowden's leaks, revealing the global scale of the NSA's Internet surveillance.
NICK CARDOZO: In the wake of the Snowden revelations, the intelligence community has really lost the trust of American business.
HENN: Nick Cardozo is an attorney at the Electronic Frontier Foundation. He says...
CARDOZO: Silicon Valley companies have finally recognized that there is a market for privacy.
HENN: Today, as opposed to last year, billions of people care if their messages are kept safe. Now, encryption probably won't stop the NSA from reading your email if they're really going after you, but it makes mass surveillance much more expensive. Instead of just sucking up your messages and reading them, a security agency, like the NSA, actually has to make the effort to break the code that's protecting your data. That costs them money and takes time. Encryption also protects consumers from fraud, or hackers, or identity theft. And in the last year, companies have embraced it. Yahoo began encrypting email by default. Google added encryption between its data centers. Microsoft, Twitter and Facebook all took steps to make it harder for messages you send on their services to be intercepted, decoded and read. So when Dave Porcello at Pwnie Express, Sean Gallagher, a reporter at the tech news site Ars Technica, and I began tapping the Internet traffic into and out of my laptop and cell phone, we were kind of curious what we'd see.
SEAN GALLAGHER: Well, we were talking about how we had to hurry up and do this before everybody got encryption going.
PORCELLO: Yeah. (Laughing).
GALLAGHER: Because we thought we might not see anything, right?
GALLAGHER: But as it turned out, that wasn't an issue, really. I mean, if we had found nothing, that would have been great news. I would've been really happy if we found nothing.
PORCELLO: Some of these service providers that actually are claiming to do strict, consistent encryption, actually weren't.
HENN: It turns out companies can add encryption to their services but still leave you unprotected because other companies just don't play along. Google has something called a PREF cookie. I like to think of it as kind of a digital dog tag hanging around my neck. It's how the company knows it's me when I visit one of Google's websites or how they know it's you if you're visiting a site that uses Google's products. Here's Sean.
GALLAGHER: Remember, that information's encrypted when you're going to Google. But when you're going to an unencrypted website that's running Google ads, the cookie information isn't passed encrypted.
HENN: So that dog tag - when you go to some unencrypted sites, it's hanging around your neck, outside of your shirt. Anyone can read it. And Google isn't the only one hanging these things around your neck. Some Microsoft tags include your real name in clear text and a link to your Facebook profile picture. Honestly, it's less like a dog tag than a sandwich board. And now Microsoft says that cookie's being reviewed. But the NSA has the technical ability and, depending on who you are and where you live, the legal authority to suck up and read all of this stuff. They collect it. So they don't necessarily have to go to Google or anyone else and ask for your web history.
GALLAGHER: They don't. They don't have to ask Google for that. This is what the result of massive, passive surveillance is.
HENN: And unencrypted websites are not the only way our data is visible. There are bugs and mistakes. When I searched Google for a location, which should have been encrypted, my dog tag just popped out of my shirt.
GALLAGHER: Within search, it was sending your PREF ID and this unencrypted web request for Google Maps.
HENN: Now everyone could see not only who I was but also where I was going.
GALLAGHER: Yep. That is exactly what it was doing. It was sending your Google number.
HENN: We told Google about that bug, and they patched it right away. But there are lots of services that leak data this way. There's a weather app, which is built into every iPhone. It's powered by Yahoo, and it does almost the same thing, sending out your location data totally unencrypted. We called Yahoo, and they said just last month, they started offering an encrypted version. Now Apple is looking into using that instead. And then there are still the startups or the messaging apps.
PORCELLO: See what I can - let me see what I can find here.
HENN: We tested WhatsApp, and...
PORCELLO: Well, right away I can see my phone number, in clear text, being passed through.
PORCELLO: And then it says privacy, in clear text, and then my phone number. (Laughing).
HENN: WhatsApp is hardly alone. Snapchat data was revealing when minors were signing up for the service. Skype was leaking big chunks of its customers' address books. We reached out to all these companies for comments, too. Microsoft says the problem with Skype has now been patched. Snapchat started encrypting information about kids after we called them. And WhatsApp said it's working on a fix. In the end, no big company was perfect. Everyone we examined had some little leaks. But Twitter was among the best. Bob Lord runs security there, but he bristled when I referred to the kind of encryption Twitter uses as a gold standard.
BOB LORD: It's not really correct to call anything a gold standard because what is the gold standard today will be viewed as obsolete next year.
HENN: Lord says this is not like building a bridge. It's not like you hammer in the final rivet, and then you're done.
LORD: What we have to do in the security community is to continuously look at what's happening in the research space, take a look at what the code breakers are doing, and try to make sure that we are continuously moving the bar up. And that is - it is a never-ending journey.
HENN: He says huge parts of the Internet were built with information security and privacy as almost afterthoughts. Fixing that takes time and cooperation.
LORD: We make as best an effort as we can to encrypt all mail that leaves our data centers going to other major carriers.
HENN: But it takes two to tango. If the other company Twitter's sending your email to doesn't support encryption, it doesn't work. Your data seeps out. And all the data which leaks out around the edges of our communications - this data can form a detailed map of our lives, and anyone sophisticated enough can get their hands on it, including criminals or thieves. Steve Henn, NPR News, Silicon Valley.
MONTAGNE: This is NPR News.