How Web mail providers leave door open for NSA surveillance

Protecting users’ e-mail privacy from the National Security Agency and other intelligence services means using encryption. But with the exception of Google, few companies do everything they can.

Declan McCullagh

June 21, 2013 5:30 AM PDT

One of Google’s massive data centers. The company supports e-mail encryption whenever it can.

(Credit: Google/Connie Zhou)

Billions of supposedly private e-mail messages a day flow through unsecured links, where they can be snared in digital dragnets operated by the National Security Agency and other intelligence services.

Recent revelations about NSA surveillance — including a top-secret document discussing “collection of communications on fiber cables and infrastructure as data flows past” — have highlighted the ease with which government eavesdroppers can exploit the Internet’s infrastructure. Another classified document, which the Guardian published Thursday, mentions network-based surveillance of Hotmail servers.

Over the last decade or so, Web mail providers began to turn on encryption to armor the connections between users’ computers and Gmail, Yahoo Mail, Hotmail and other services. That form of protection against surveillance, which typically appears in a Web browser as an “https” connection accompanied by a padlock image, is viewed as generally secure and is used by banks as well. Google has offered it since 2004, and Yahoo finally followed suit this year.

Gmail supports server-to-server email encryption, but many other companies don’t.

(Credit: Ashkan Soltani)

But during the next step, when those e-mail messages are transferred from one company’s servers to another’s, they’re rarely encrypted. An e-mail message that a Facebook user addresses to a Yahoo Mail user, for instance, will be delivered in an unencrypted form through a server-to-server connection that provides no protection against surveillance.

“The incentives aren’t really there for companies to try to implement it,” says Ashkan Soltani, an independent security consultant who has highlighted some of these security shortcomings on Twitter. That’s the case even though, he says, enabling encryption is “a really easy thing to do.”

A survey of top mail providers shows that Google is alone in using strong encryption, known as SMTP-TLS, to fully armor e-mail connections for its users, as long as the other company’s server is willing to encrypt as well. SMTP-TLS also protects employee e-mail at security-conscious companies, large law firms, and sensitive government agencies including the NSA, the White House, and the Department of Homeland Security. (You can check on your own provider by typing in your e-mail address at CheckTLS.com.)

Unfortunately, those are the exceptions. Facebook, Hotmail, Yahoo Mail, and AOL Mail do not accept incoming e-mail in SMTP-TLS encrypted form, meaning hundreds of millions of users’ private communications are vulnerable to monitoring. Both the sending and receiving servers must have encryption turned on for a secure connection to happen.

“My sense is that Google is the one large company that has demonstrated it cares about crypto,” says Dan Auerbach, a staff technologist at the Electronic Frontier Foundation in San Francisco. “We think [encryption] should obviously be supported by all these mail servers.”

One reason why so many mail providers don’t encrypt server-to-server mail links using SMTP-TLS is that, unlike browser encryption, this security precaution would be invisible to users. And the fat pipes that backbone providers provide have historically been viewed as safe. (SMTP-TLS stands for Simple Mail Transfer Protocol Transport Layer Security. TLS was published as an Internet protocol in 1999.)

Adam Langley, a software engineer at Google, told CNET that “we do support TLS” for both inbound and outbound exchanges between mail servers. But, diplomatically, he declined to speculate on why many other companies do not. The company even offers its Google Apps users the high security choice of rejecting non-encrypted connections.
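A self-check of the kind CheckTLS.com performs, as an added example that is not code from CNET, Google or any provider named here: it parses a receiving server's EHLO reply for the STARTTLS keyword and can run the same check live against a host you name. The sample replies and the mx.example.* hostnames are constructed placeholders.

```python
"""Checks whether a mail server offers STARTTLS (the article's "SMTP-TLS").
Added example; not code from CNET or any provider named above."""
import smtplib
import ssl
from typing import NamedTuple


class EhloInfo(NamedTuple):
    hostname: str    # server name from the first 250 line of the EHLO reply
    extensions: set  # lowercase ESMTP keywords, e.g. {"starttls", "size"}


def parse_ehlo(reply: str) -> EhloInfo:
    """Parse a raw multi-line EHLO reply made of '250-' / '250 ' lines."""
    hostname, extensions = "", set()
    for idx, line in enumerate(reply.splitlines()):
        if len(line) < 4 or not line.startswith("250"):
            continue                 # not part of a successful EHLO reply
        words = line[4:].split()     # drop the "250-" or "250 " prefix
        if idx == 0:                 # first line: server hostname + greeting
            hostname = words[0] if words else ""
        elif words:
            extensions.add(words[0].lower())
    return EhloInfo(hostname, extensions)


def offers_starttls(reply: str) -> bool:
    """True when the receiving server advertises STARTTLS to the sender."""
    return "starttls" in parse_ehlo(reply).extensions


def live_starttls_check(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a mail server (e.g. your provider's MX host), check its EHLO
    reply for STARTTLS and, if offered, upgrade with certificate verification.
    STARTTLS is opportunistic: a sender not configured to reject unencrypted
    delivery (the Google Apps option above) falls back to cleartext."""
    result = {"host": host, "starttls": False, "tls_version": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls"] = smtp.has_extn("starttls")
            if result["starttls"]:
                smtp.starttls(context=ssl.create_default_context())
                result["tls_version"] = smtp.sock.version()
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)   # refused, timed out, or TLS handshake failed
    return result


# Constructed sample EHLO replies for offline use; the hostnames are placeholders.
EHLO_WITH_TLS = ("250-mx.example.net Hello client.example.org\r\n"
                 "250-SIZE 35882577\r\n250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n")
EHLO_WITHOUT_TLS = ("250-mx.example.com Hello client.example.org\r\n"
                    "250-SIZE 20971520\r\n250 8BITMIME\r\n")
```

Run `live_starttls_check("mx.example.net")` against your own provider's MX host to see whether it advertises STARTTLS and which TLS version it negotiates.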

A Facebook spokesman said: “Facebook currently supports user-to-server encryption, but does not currently support server-to-server encryption as we have not seen wide adoption of the protocol. We are open to adoption to this or other protocols in the future as they are used by more services.” A Yahoo representative said: “At Yahoo, we invest heavily in the security of our users and we’re continually looking to enhance the security capabilities of our products.” AOL did not respond to queries.

The Obama administration, a newly leaked directive from Attorney General Eric Holder shows, has authorized the NSA to vacuum up domestic and international e-mail, though American citizens aren’t supposed to be “targeted.”

The potential privacy risks of server-to-server e-mail deliveries have been thrown into sharp relief by surveillance-related disclosures over the last two weeks from Edward Snowden, the former NSA contractor, and U.S. government officials. Snowden said in a Guardian online chat this week that e-mail and other Internet communications inside the United States are “ingested” by the intelligence agency’s immense collection apparatus and that “Americans’ communications are collected and viewed on a daily basis on the certification of an analyst rather than a warrant.”

Web companies have offered blanket denials of allegations that they provided NSA eavesdroppers with “direct access” to their servers, and Google even challenged the U.S. government this week before the Foreign Intelligence Surveillance Court in a bid to clear its name.

A leaked NSA slide talking about “upstream” data collection from “fiber cables and infrastructure as data flows past” suggests that those companies are telling the truth: the NSA instead is tapping into Internet backbone links operated by companies such as AT&T, CenturyLink, XO Communications, Verizon, and Level 3 Communications — and using that passive access to vacuum up unencrypted communications. Additional evidence comes from the classified directives released Thursday that discuss surveillance procedures and were signed by Attorney General Eric Holder.

Documents that came to light in 2006 in a lawsuit brought by the Electronic Frontier Foundation offer insight into the spy agency’s relationship with Tier 1 Internet providers. Mark Klein, who worked as an AT&T technician for over 22 years, disclosed (PDF) that he witnessed domestic voice and Internet traffic being surreptitiously “diverted” through a “splitter cabinet” to secure room 641A in one of the company’s San Francisco facilities. The room was accessible only to NSA-cleared technicians.

The New York Times revealed in 2009 that a secret NSA database, code-named PINWALE, archived foreign and domestic e-mail messages that analysts could search through “without warrants” as long as Americans’ correspondence did not amount to more than 30 percent of any database search. PINWALE is the NSA’s main database for intercepted communications, while metadata is stored in a separate database called MAUI, and initial sorting is performed by a program called XKEYSCORE, according to the recent book “Deep State: Inside the Government Secrecy Industry.”

Other mail providers that do not appear to permit SMTP-TLS links for e-mail delivery include AT&T, Earthlink, and Comcast. Apple, which did not respond to a request for comment, does not appear to support SMTP-TLS for server-to-server iCloud e-mail, though it does for user-to-server links. Fastmail.fm and Hushmail do support SMTP-TLS for automatic encryption of incoming mail. Oddly, the FBI does not for its own employees’ incoming e-mail.

Yahoo, Microsoft, and Apple protect their own internal correspondence more carefully than they do their users’ communications: their separate employee mail servers support incoming encrypted messages.

A Microsoft representative said the company does not support server-to-server SMTP-TLS for consumer products including Outlook.com and Hotmail.com. (Microsoft finished switching users from Hotmail to Outlook last month.)

Microsoft does enable encryption in some other situations. Those include Exchange ActiveSync, or when users choose the “SMTP send” option from Outlook.com, which was announced last month. SMTP send allows you to log in to Outlook.com, but actually send the message using your Yahoo Mail or Gmail account.

In addition, Microsoft enables server-to-server encryption for paying customers, including those using Office 365. The Department of Homeland Security, which has a 10-year relationship with Microsoft for technology services, has outsourced its mail to the mail.us.messaging.microsoft.com server, which does enable SMTP-TLS.

Even if a company doesn’t support SMTP-TLS encryption between servers, other technologies exist to make data unreadable to government snoops. One is called S/MIME, but it’s hardly popular. End-to-end encryption in the form of PGP or GnuPG is another choice. Those are viewed as some of the most secure options, but are also the most difficult to use.

“We don’t know the extent to which the NSA or other intelligence agencies are reading people’s mail,” says Auerbach, EFF’s staff technologist. “Companies not supporting encryption for the sending of e-mail leaves the door wide open for these agencies to do it, were they inclined to do so.”

Disclaimer: McCullagh is married to a Google employee not involved with this issue.

Last updated at 9:15 a.m. PT with additional details

84 comments on “How Web mail providers leave door open for NSA surveillance”

  1. I am not sure the place you are getting your info, but good topic.
    I need to spend a while learning much more or understanding more.

    Thank you for wonderful info I was looking for this info for
    my mission.

  2. Hey there and thank you for your information – I’ve definitely picked up anything new from right here. I did however experience some technical issues using this website, since I had to reload the web site many times previous to I could get it to load properly. I had been wondering if your hosting is OK? Not that I’m complaining,
    but slow loading times will often affect your placement
    in Google and could damage your quality score if advertising and marketing with AdWords.
    Anyway I’m adding this RSS to my e-mail and can look out for much more of your respective exciting content. Ensure that you update this again very soon.

  3. Gday. I’m sorry to trouble you but I ran across your website and noticed you’re using the exact same template as me.
    The only problem is on my blog, I’m unable to get the design and style looking like yours. Would you mind contacting me at: chelseacanty@t-online.de so I can get this figured out. By the way I’ve bookmarked your
    web-site: https://mirzajamal.com/2013/06/24/how-web-mail-providers-leave-door-open-for-nsa-surveillance/ and will certainly be visiting
    often. Thanks!!

  4. Great publish, very informative. I’m wondering why the other experts of this sector don’t notice this.
    You must continue your writing. I’m confident, you have a great readers’
    base already!

    • Yes Mattie, I get many hits daily. Most people just want “entertainment” only from the internet.
      Only thinking minds like you really care to know what is going on in different parts of the
      world. We cannot know everything but there is always interesting stuff out there to read.
      Thanks for liking my posts.

  5. Hello there! This is my 1st comment here so I just wanted
    to give a quick shout out and say I truly enjoy
    reading your blog posts. Can you recommend any other blogs/websites/forums that cover the same topics?
    Thank you so much!

  6. I don’t know if it’s just me or if everyone else is encountering
    issues with your site. It seems like some of the text within your
    posts is running off the screen. Can someone else please provide feedback and let me know
    if this is happening to them as well? This could
    be an issue with my browser because I’ve had this happen before. Appreciate it

  7. Attractive section of content. I just stumbled upon your weblog and in accession
    capital to assert that I acquire actually enjoyed account
    your blog posts. Any way I will be subscribing to your feeds
    and even I achievement you access consistently quickly.

  8. Heya! I realize this is somewhat off-topic however I had to ask.
    Does operating a well-established website such as yours require a large amount of
    work? I’m completely new to blogging however I do write in my diary every day. I’d like to start a blog so
    I will be able to share my own experience and
    feelings online. Please let me know if you have any suggestions or tips for new aspiring blog owners.
    Appreciate it!

  9. I used to be recommended this blog through my cousin.
    I am no longer sure whether or not this put up is written by way of him as nobody else recognise such special about
    my trouble. You’re incredible! Thanks!

  10. This is the right webpage for everyone who wants to find out about this topic.
    You know a whole lot, it’s almost tough to argue with you (not that I personally would want to…HaHa).
    You definitely put a brand new spin on a subject that’s been written about for many years. Great stuff, just wonderful!

  11. Hi there! Do you know if they make any plugins to protect against hackers?
    I’m kinda paranoid about losing everything I’ve worked hard on.
    Any tips?

    • Do not let anyone watch when you type your password!!
      You can back up and download your blog. So even if hackers get your blog they cannot reach your backup on your computer hard disk.

  12. Hello there! This article couldn’t be written much better! Going through this article reminds me of my previous roommate! He always kept preaching about this. I’ll forward this article
    to him. Pretty sure he will have a great read.
    Thank you for sharing!

  13. Simply wish to say your article is astonishing.
    The clarity in your post is simply excellent and I could assume you are an expert on this subject.
    Well, with your permission allow me to grab
    your feed to keep up to date with forthcoming posts. Thanks a million and please
    keep up the gratifying work.

    • Thank you for your interest Justin. I have checked your Windows 7 Ultimate website and it’s very professional and amazing. I have put your blog in my Google circle.
      Of course your Blogger design website is more pro than my domestic type blog.
      I am pleased to keep in touch with you and your great Windows 7 blog/website.

  14. I was more than happy to uncover this site.
    I need to thank you for your time just for this fantastic read!
    I definitely really liked every bit of it
    and I have you bookmarked to see new information on your website.

  15. I’ve been surfing online more than 2 hours today, yet I never found any interesting article like yours. It’s
    pretty worth enough for me. In my view, if all website owners
    and bloggers made good content as you did, the web will be much more useful than ever before.

  16. I hardly leave remarks, but I did a few searches and wound up here: How Web mail providers leave door
    open for NSA surveillance | My Sydney Life. And I actually
    do have a few questions for you if it’s all right. Could it be just me or does it look like a few of the comments come across as if they are coming from brain dead folks? 😛 And, if you are posting on additional sites, I would like to follow anything fresh you have to post. Could you make a list of all of your social sites like your LinkedIn profile, Facebook page or Twitter feed?

  17. Thanks for another informative website. The place else could I am getting that type of information written in such a perfect means?
    I’ve an undertaking that I am just now working on, and I have been on the lookout for such info.

  18. I just couldn’t go away your web site prior to suggesting that I extremely loved the usual info a person supply on your guests? Is gonna be back regularly in order to inspect new posts

  19. I like the helpful info you provide in your articles.
    I will bookmark your blog and check again here regularly.

    I’m quite sure I’ll learn plenty of new stuff right here!
    Best of luck for the next!

  20. Normally I don’t read posts on blogs, however I would like to say that this write-up very much pressured me to check it out and do so! Your writing style has amazed me. Thanks, quite a great article.

  21. That is very interesting, You’re an excessively professional blogger. I’ve joined your feed and stay up for
    in quest of extra of your fantastic post. Additionally, I have shared your site in
    my social networks

  22. Hey! I know this is kinda off topic however,
    I figured I’d ask. Would you be interested in trading links or
    maybe guest writing a blog article or vice-versa? My site
    covers a lot of the same subjects as yours and I believe we could
    greatly benefit from each other. If you are interested feel free to shoot me an e-mail.
    I look forward to hearing from you! Great blog by the way!

    • Yes I can write for you and we can trade links. I have not exchanged links before with anyone so please tell me what you want me to link and where.
      We can write for each other.

  23. Howdy! Someone in my Myspace group shared this website with us so I came to give it a look.

    I’m definitely enjoying the information. I’m bookmarking and will be tweeting this
    to my followers! Great blog and outstanding design.
