The intersection of privacy and security has lent itself to some extremely contentious debates over the last few years. Encrypted messaging applications, like Signal, allow people to keep those conversations private—but what happens when the conversants are criminals? Tracking metadata may keep us safe—but what happens when the state overreaches? These are important discussions, and now it may be time for the information security industry to have this debate amongst themselves.
It’s recently come to light that some a webmail provider has de-facto implemented mass-surveillance on its customers with the use of built-in security tools. In light of this development, security companies need to understand how to protect consumers while respecting their privacy. In the meantime, ordinary consumers need to understand how to make their information safe.
How Yahoo Used Email Security as a Trojan Horse
It’s no secret that home users (and some small companies) use security tools that leave a lot to be desired. This isn’t their fault—good security is expensive, so if a company says that they provide free security tools, lots of home users will gravitate towards that option. Such is the case with Yahoo, which offers a free anti-spam and antivirus tool on top of its free Ymail service.
Any tool of this kind requires the ability to open up an email and analyze its text alongside any attachments. Yahoo took this a bit further, however. Sometime ago, the company received a secret order from the Foreign Intelligence Surveillance Court. Under the terms of this order, Yahoo was forced to build a mass surveillance capacity into its antivirus tool. Email was analyzed for content that indicated ties to criminal or terrorist groups. Flagged messages were forwarded to the FBI.
Mass Surveillance Under the Guise of Antivirus is a Bad Idea
There are good reasons why forcing a tech company analyze and forward emails to law enforcement is not the best idea. Some of these objections are ethical. More of these objections are practical.
Primarily, using Yahoo in particular may not have been the wisest choice for the federal government in light of not one, but two massive security breaches. From a neutral perspective, if you have no choice except to run a mass surveillance platform, it makes sense to ensure that the platform isn’t vulnerable to hackers.
Running an intelligence-gathering operation with in an insecure private company garners a number of risks.
- Given the extent to which hackers penetrated Yahoo’s systems, it’s entirely plausible that hackers could have breached the surveillance program.
- Had this occurred, unauthorized individuals could have been able to siphon off surveillance data.
- This would not only compromise the privacy of innocent—it would jeopardize the investigation of truly suspect individuals.
Again, it’s not a stretch to imagine that a government-run surveillance program may become insecure. This summer’s NSA hack, for example, led to private companies being forced to defend themselves against malware that was designed only for government use.
The Program is Over, But Be Careful
The Yahoo surveillance program was apparently wound down in 2015. Also, representatives from Apple, Google, Microsoft, and Twitter have all confirmed that they’ve never been asked to be part of such a program, and they’d fight it if they were. Even so, be cautious.
Even if you’re confident that you’re not the kind of person who’d be targeted by mass surveillance, you’re still vulnerable to an email-based breach. Email encryption programs like PGP aren’t just for law-breakers—they will protect your correspondence from being read, even if someone else is monitoring your account.
Finally, you should consider the fact that even if your free webmail client isn’t being monitored, it probably isn’t especially secure. Free anti-spam and anti-virus services can do very little to protect your from an increasingly hostile online environment. For more information about replacing traditional antivirus, read this comprehensive guide, Replacing Antivirus, and Doing it Right.