‘None of the Web companies are doing anything’ to protect you, say security pros

Tech giants are struggling to protect your privacy. More to the point, they’re struggling to protect themselves from public criticism.

And security experts say the biggest companies of them all aren’t doing nearly enough to safeguard consumers. Instead, they’re piling on the features and benefits to distract us from the loss of freedom and privacy — smearing layer after layer of lipstick on the proverbial pig.

In whistleblower Edward Snowden’s most recent live public appearance, he gave a call to action: It’s up to technologists, including tech giants, to stop mass surveillance.

And unlike current solutions such as the Tor Web browser and PGP encryption, stopping mass surveillance needs to be simple enough for the masses.

Unfortunately, most of the time, usability wins and end-user privacy suffers.

That’s why critics are ripping them — Google, Facebook, Twitter, and the rest — utterly asunder.

“None of the service providers are doing anything”

Michael Coates, director of product security for Shape Security, claims most applications — including services by Google, Yahoo, and Microsoft — “aren’t investing in and prioritizing the security of their users.”

Coates, also the chair of Web security community OWASP, singled out Web-based email providers. He says these particular services aren’t encrypted properly because enhanced security “makes searching that information very challenging. The trade-off is to offer users the feature instead of privacy and security controls.”

The technologist said, “Encryption provides wonderful benefits, but the usability of encryption is a current challenge. Right now, companies provide services to users without encryption as a trade-off. Any situation that creates friction,” Coates explains, will keep “the vast majority of users from [taking the proper] steps.”

Webmail providers aren’t alone in trading security for features, Ionic Security founder Adam Ghetti claims. In a call with VentureBeat, the chief technology officer’s criticisms of Facebook were brutal.

Speaking bluntly, Ghetti says “none of the service providers are doing anything. There is no way today to control your information.”

“Today, if you’re Facebook,”  Ghetti says, “you think, ‘How do I protect the data that’s on my application?’ The trouble is, that doesn’t help the user. There is no control for the user.”

According to Ghetti, “Data security needs to extend down to the data creator (the user).”

David Gordoyansky, chief executive of popular VPN provider AnchorFree, believes companies like Google and Facebook need to look at privacy and security as features, not policies.

The EFF agrees

Both Coates and Ghetti believe the responsibility to develop accessible encryption standards falls firmly on those who understand them. This places tremendous weight on major technology firms, including Google and Facebook.

The concerns of security firms are mirrored by activists. In a statement to VentureBeat, the Electronic Frontier Foundation (EFF) indicated the importance of providing stronger protection than cryptographic protocols like Secure Sockets Layer (SSL) and Transport Layer Security (TLS) can offer on their own.

“EFF strongly supports technology companies that try to go further by encrypting data with a secret key that only the user has access to. This offers stronger protection than SSL/TLS because private user data cannot generally be decrypted by the company or by any third parties, including government agencies.”

The EFF wants tech firms to embrace more complicated — and more NSA-resistant — end-user security standards. It shouldn’t be a compromise, they say.

Tech giants race to provide more than SSL & TLS

Facebook, a social network so giant it’s a direct target for government malware distribution, is working frantically to cut down on mass-surveillance abuses. Facebook is playing catch up and recently held an event to promote its recent efforts to boost user privacy.

According to a Facebook spokesperson, after enabling HTTPS encryption by default, the network is “working on several initiatives to strengthen the types and extent of encryption we employ across all aspects of our network.”

“For example, we’re now using 2048-bit RSA keys, we’re using elliptic curve cryptography, we’ve implemented Perfect Forward Secrecy across most of the traffic on our properties, and so far we’ve encrypted some our data center links,” a Facebook spokesperson told VentureBeat.

Facebook made clear that its efforts are a work in progress. A spokesperson tells us, “We’re prioritizing our work to focus on the most important parts of our network first.”

Google refused to provide direct quotes regarding its plans for protecting user privacy. A person familiar with the matter, however, provided VentureBeat with a very clear outline of Google’s progress in securing the communications of its users.

Google’s experiments with encryption began early, with a hidden SSL feature in Gmail which debuted in 2004. It required a URL tweak: Users needed to add an “s” to the URL bar to trigger a SSL connection.

In 2010, Google made SSL encryption default in Gmail. In 2011, Google began encrypting search for signed-in users. Then, in 2012, Google made SSL an automatic feature for all U.S. users. More than a year later, Google started rolling out SSL encryption globally in Web search. By November 2013, Google encrypted its entire internal network.

Google: End-to-end encryption is the solution.

As a direct result of Snowden’s revelations last summer, Google has taken a significant number of under-publicized steps towards further securing users. Our source claims the firm doubled the length of its RSA server keys and changes them every few weeks. Google also deployed Perfect Forward Secrecy. Yet these steps focus on infrastructure rather than the end user.

VentureBeat’s source confirmed that Google considers end-to-end encryption to be the best solution for protecting its user’s messages, but implementing such security comes at major cost to functionality — just as Shape Security’s Michael Coates claimed.

To reiterate: Google knows end-to-end encryption is the best response to mass surveillance, but such a solution heavily disrupts its feature set. That’s why it’s not bound to happen any time soon.

Facebook and Google aren’t alone

Numerous other firms are racing time to combat mass surveillance, but none are looking to provide the level of security you’d find in PGP or Tor.

A spokesperson for Yahoo-owned Tumblr tells VentureBeat it currently offers “HTTPS protection on the Tumblr Dashboard with Perfect Forward Secrecy enabled.” Tumblr shares, however, that it has “set development milestones to expand that feature.”

“Very soon, we plan to make HTTPS active by default for all users on www.tumblr.com, and soon after that we plan to start serving HSTS headers on www.tumblr.com. These enhancements will make encrypted connections to the Dashboard the standard, and greatly increase user protection against unauthorized data interception.”

Evernote, both a consumer and corporate-minded firm, has a long history of encryption support. The company has supported encrypted notes since 2008. A spokesperson tell us “using SSL has always been a priority” for the firm. It appears, however, that there is no timeline for notebook or account-wide encryption.

While consumer service providers are quickly pulling up their pants, financial firms such as Iowa-based Dwolla, appear more confident.

Dwolla, a competitor to services like Paypal, believes the financial industry’s focus on security and safety made it far less succeptable to NSA surveillance. According to Dwolla director of communications Jordan Lampe, “Encryption is just one mitigating layer of protection we’re able to provide the public.”

And yet, despite the confidence many firms project, an entire industry is evolving to capitalize of the mainstream notion of digital privacy — or lack thereof. The growth of anonymity and privacy-minded services such as Secret, Wickr, Telegram, Confide, and more suggest that this is what the public wants.

Worse yet, many firms refuse to discuss their latest efforts to increase privacy in response to Snowden’s leaks. Yelp, Github, ZocDoc, and many others declined to comment, while dozens (yes dozens) of firms did not respond at all.

End-user privacy only scratches the surface of the tech industry’s security struggles, as the major HeartBleed OpenSSL security flaw demonstrated this week. But when it comes to end-user privacy, tech firms have a responsibility to provide both secure and high quality services. For tech companies large and small, this is a struggle, and critics like Michael Coates say more can be done.