By Andrea Peterson, Barton Gellman and Ashkan Soltani
The Washington Post
Yahoo will encrypt Web-based email by default for all of its users beginning Jan. 8, the company has told The Washington Post.
"Yahoo takes the security of our users very seriously," the company said in an emailed statement Monday. Yahoo began offering users the option to use the SSL encryption standard this year. The option "encrypts your mail as it moves between your browser and Yahoo's servers," the company said.
SSL is the standard for Internet encryption and helps protect communications from third-party snooping. The encryption is widely believed to make it harder for the National Security Agency to spy on online activities.
Yahoo has lagged behind its major competitors in offering encryption for its Web mail service. Google offered SSL as an option for its Web-based Gmail in July 2008 and made it the default for users in early 2010. It became an option for Microsoft's free Web mail service, Hotmail, in November 2010, and became the default during the switch to Outlook.com in July 2012. Social networking site Facebook started offering SSL as an option in November 2011, and made it the default for U.S. users in February, and for the world in July.
Amie Stepanovich, director of the Domestic Surveillance Program at the Electronic Privacy Information Center, commended Yahoo for the move. "It's always a positive thing when companies take steps to protect their customers' information," she said, but noted that "unfortunately, this often only happens after a harmful event."
The moves to encryption for free Web mail services constitute a major privacy gain for users, but there are other circumstances where data associated with email could be less secure. For instance, the email apps on some mobile devices may not support the SSL encryption standard, exposing users on those devices to possible snooping by third parties.
While Yahoo is finally implementing SSL by default, Google and Facebook are already moving on to higher levels of security, such as longer key lengths and "perfect forward secrecy," both of which make the encryption stronger.
Christopher Soghoian, the Principal Technologist and a Senior Policy Analyst with the American Civil Liberties Union's Speech, Privacy and Technology Project, said he's glad Yahoo has finally implemented encryption, but he expressed disappointment that it took the company so long.
"It is unfortunate that it has taken Yahoo four years to do what Google was able to do in 2010: deploy HTTPS encryption, for all users, by default," he argued. "Yahoo's glacial progress on this issue has been a gift to intelligence agencies around the world, who have been able to perform massive, dragnet-surveillance of Yahoo users' unprotected emails."
The American Civil Liberties Union, Electronic Frontier Foundation, Reporters Without Borders and other organizations have been asking Yahoo to implement SSL encryption for Web mail. Nonprofit advocates were not the only ones who urged Yahoo to make the shift: Sen. Chuck Schumer, D-N.Y., sent a letter to several companies that did not use SSL, including Yahoo, asking them to change their practices in light of privacy concerns.
He sent the letter in February 2011 — nearly three years before Yahoo expects to make the switch.