Following reports that the NSA aggressively targets Google and Yahoo servers for surveillance, Yahoo is working to encrypt much of the data flowing through its datacenters.
“As you know, there have been a number of reports over the last six months about the U.S. government secretly accessing user data without the knowledge of tech companies, including Yahoo,” Yahoo CEO Marissa Mayer wrote in a Nov. 18 blog posting. “I want to reiterate what we have said in the past: Yahoo has never given access to our data centers to the NSA or to any other government agency.”
In order to make Yahoo’s systems more secure, she added, the company is introducing SSL (Secure Sockets Layer) encryption to Yahoo Mail with a 2048-bit key. That security measure will supposedly be in place by January 8, 2014.
Beyond that, Yahoo plans on encrypting all information that moves between its datacenters by the end of the first quarter of 2014. Around that same time, the company will give users the option to encrypt all data flowing to and from Yahoo; it will also “work closely with our international Mail partners to ensure that Yahoo co-branded Mail accounts are https-enabled,” Mayer wrote. (While it’s not a crushing expense for massive companies such as Yahoo, introducing this sort of security does add to infrastructure and engineering costs, and takes time to actually put in place.)
Yahoo had previously declined to comment (at least to Slashdot) about any attempts to encrypt its data in the wake of the NSA revelations, although spokespeople reiterated that the company had strict security in place for its datacenters. The Washington Post was first to report about the agency’s attempts at snooping Silicon Valley’s IT infrastructure, drawing its information from top-secret documents provided by government whistleblower Edward Snowden. When the Post’s report first appeared in October, Google said it was “troubled” by the news, and subsequently announced that it would encrypt both its search and cloud-storage data.
Like Google, Yahoo depends on its users perceiving its systems as private and secure. If it loses that trust, it risks losing customers—and the advertisers that come with them; hence these new encryption efforts.