NSA’s spying gives rise to encryption boom

FILE - This Wednesday, Oct. 17, 2012, photo shows a sign in front of Yahoo! headquarters in Sunnyvale, Calif. Yahoo said Monday, Nov. 18, 2013, that it is expanding its efforts to protect its users' online activities from prying eyes by encrypting all the communications and other information flowing into the Internet company's data centers around the world. (AP Photo/Marcio Jose Sanchez, File)

SAN JOSE, Calif. - Encrypted email, secure instant messaging and other privacy services are booming in the wake of the National Security Agency’s recently revealed surveillance programs.

But the flood of new computer-security efforts being offered by Internet service providers is of variable quality, and much of it, experts say, can bog down computers and isn’t likely to keep out spies.

In the end, the new geek wars - with tech-industry programmers on one side and government spooks, fraudsters and hackers on the other - may leave people’s PCs and businesses’ computer systems encrypted to the teeth but no better protected from hordes of savvy code-crackers.

“Every time a situation like this erupts, you’re going to have a frenzy of snake-oil sellers who are going to throw their products into the street,” said Carson Sweet, chief executive of San Francisco-based data-storage security firm CloudPassage. “It’s quite a quandary for the consumer.”

Encryption isn’t meant to keep hackers out, but when it’s designed and implemented correctly, it alters the way messages look. Intruders who don’t have a decryption key see only gobbledygook.

The new interest in encryption was sparked after a series of disclosures earlier this year from former intelligence contractor Edward Snowden exposed sweeping U.S. government surveillance programs.

The revelations are triggering fury and calls for better encryption from citizens and leaders in France, Germany, Spain and Brazil, who were reportedly among those tapped. Both Google and Yahoo, whose data center communications lines were also reportedly tapped, have committed to boosting encryption and online security. Although there’s no indication Facebook was tapped, the social network also is bolstering its encryption systems.

“Yahoo has never given access to our data centers to the NSA or to any other government agency. Ever,” Yahoo CEO Marissa Mayer wrote in a Nov. 18 post on the company’s Tumblr blog announcing plans to encrypt all of its services by early next year. “There is nothing more important to us than protecting our users’ privacy.”

For those who want to take matters into their own hands, encryption software has been proliferating across the Internet since the Snowden revelations broke.

Heml.is - Swedish for “secret” - is marketed as a secure messaging app for cellphones. MailPile aims to combine a Gmail-like, user-friendly interface with a sometimes clunky technique known as public key encryption. Younited aims to keep spies out of cloud storage, and Pirate Browser aims to keep spies from seeing search histories. A host of other security-centered programs with names like Silent Circle, RedPhone, Threema, TextSecure, and Wickr all promise privacy.

Many of the people behind these programs are well known for pushing the boundaries of privacy and security online. Heml.is is being developed by Peter Sunde, co-founder of filesharing website The Pirate Bay. Finland’s F-Secure, home of Internet-security expert Mikko Hypponen, is behind Younited. Dreadlocked hacker hero Moxie Marlinspike is the brains behind RedPhone, while Phil Zimmermann, one of the biggest names in privacy, is trying to sell the world on Silent Circle.

The quality of these new programs and services is uneven, and a few have run into trouble.

Nadim Kobeissi developed encrypted instant-messaging service Cryptocat in 2011 as an alternative to services such as Facebook chat and Skype. The Montreal-based programmer received glowing press for Cryptocat’s ease of use, but he suffered embarrassment earlier this year when researchers discovered an error in the program’s code, which may have exposed users’ communications. Kobeissi used the experience to argue that shiny new privacy apps need to be aggressively vetted before users can trust them.

“What we found is the encryption services range in quality,” said George Kurtz, CEO of Irvine, Calif.-based CrowdStrike, a security technology company. “I feel safe using some built by people who know what they are doing, but others are Johnny-come-latelies who use a lot of buzzwords but may not be all that useful.”

Even so, private services report thousands of new users, and nonprofit, free encryption services say they also have seen sharp upticks in downloads.

And for many users, encryption really isn’t enough to avoid the U.S. government’s prying eyes.

Paris-based Bouygues Telecom told its data-storage provider Pogoplug in San Francisco that it needs the data center moved out of the United States to get out from under the provisions of U.S. law. So this month, Pogoplug CEO Daniel Putterman is keeping Bouygues as a client by shipping a multi-million dollar data center, from cabinets to cables, from California to France.

“They want French law to apply, not U.S. law,” said Putterman, who also is arranging a similar move for an Israeli client.

For Pogoplug, business is booming - it’s garnered close to 1 million paid subscribers in its first year - and Putterman said the company is anxious to accommodate concerned clients. And this month, Pogoplug offered a $49 software package called Safeplug that prevents third parties, such as the National Security Agency and Google, from learning about a user’s location or browsing habits.

But many warn that encryption offers a false sense of security.

Most attacks don’t happen because some cybercriminal used complicated methods to access a network, said Patrick Peterson, CEO of Silicon Valley-based email security firm Agari.

“Most attacks occur because someone made a mistake. With phishing emails, it just takes one person to unwittingly open an attachment or click on a malicious link, and from there, cybercriminals are able to get a foothold,” said Peterson.

And experts agree that with enough time and money, any encryption can be broken. The National Security Agency has bypassed - or cracked - much of the digital encryption that businesses and everyday Web surfers use, according to reports based on Snowden’s disclosures. The reports describe how the agency invested billions of dollars starting in 2000 to access secrets for government consumption.

Meanwhile, the U.S. government’s computing power continues to grow. This fall, the agency plans to open a $1.7 billion cyberarsenal - a Utah data center filled with superpowerful computers designed to store huge amounts of classified information, including data that await decryption.

Information for this article was contributed by Raphael Satter and Greg Keller of The Associated Press.

Business, Pages 23 on 12/02/2013
