Good news for Americans worried their private email messages will be stolen by Russian hackers or scooped up by employees at the National Security Agency: Yahoo is planning to roll out an optional, easy-to-use encryption service for Yahoo Mail by 2015. With encryption, email messages appear scrambled to everyone except the sender and recipient, preventing (at least in theory) either Asian crime rings or government agents from intercepting and reading them.
Alex Stamos, the chief information security officer at Yahoo, announced the encryption plan in Las Vegas on Thursday at Black Hat USA, an annual hackers conference that draws top cybersecurity experts from across the country. “We as an industry have failed. We’ve failed to keep users safe,” Stamos said, arguing for added security after a massive leak of classified documents last year revealed how U.S. government agents sometimes snoop on user data.
Internet companies like Yahoo and Google have been working to boost confidence in the security of their internet and email services. Last year’s leaks from former NSA contractor Edward Snowden showed how U.S. intelligence agents intercept emails in the course of international terrorism investigations, often by forcing the service providers to turn them over in secret. Between January and June 2013, Google surrendered user content for between 9,000 and 9,999 individual accounts—involving information such as emails, documents, photos, and search query logs—in response to foreign intelligence orders.
Another email service, Lavabit, resisted unto death: It shut down last year rather than fulfill a government order to turn over its private encryption keys—the code to unlock users’ email passwords.
Yahoo’s new encryption service would store an encryption key directly on the account holder’s computer so that not even Yahoo employees could decipher messages. That would apparently stymie government agents demanding Yahoo turn over a user’s emails: The agents would simply end up with scrambled messages.
Yahoo’s announcement comes two months after Google publicly released the code for its own upcoming email encryption service. To ensure the code is free of security flaws, Google is offering financial rewards to hackers who uncover bugs.
But Yahoo’s email encryption will have limitations. It will only scramble the content of messages, not the subject line or the identity of the recipient. “We have to make it clear to people it is not secret you’re emailing your priest,” Stamos said, according to The Wall Street Journal. “But the content of what you’re emailing him is secret.”
And it won’t work when a Yahoo user sends a message to someone whose email service isn’t compatible with Yahoo encryption. But Yahoo Mail will be compatible with Google’s Gmail encryption, so users of those two services will be able to securely send messages to one another. An estimated 700 million people use Yahoo Mail and Gmail.
Encryption tools for email are available already, but they require extra steps and some technical know-how, inconveniences most users are unwilling to bother with. Yahoo aims to make its encryption easy for the average person.
Earlier this week, Google took another step to promote online security. It announced it would tweak its search engine algorithms, giving a slight boost to encrypted websites, which use “hypertext transfer protocol secure” and are marked with “HTTPS” at the beginning of their web addresses.