updated 06:37 pm EDT, Fri June 13, 2014
Push by EFF to have Internet giants encrypt communications paying off
A statement by Apple to National Public Radio in response to its story about moves the largest Internet providers could do to enhance communication security has revealed a plan to expand end-to-end encryption currently in use to emails sent to other providers. Currently, the company's iMessage offers end-to-end encryption, as does iCloud email (@icloud.com) sent to other iCloud users. However, there is presently no encryption used on email sent to other providers -- a situation Apple says it has already been working on.
NPR recently ran a report based on a survey by the Electronic Frontier Foundation, an consumer and privacy advocacy group. The EFF is pushing for the biggest providers of email and messaging services -- specifically Apple, AT&T, Facebook, Twitter and Google -- to make more use of encryption technology. Specifically, the EFF believes the companies should routinely use security protocols like HTTPS, HSTS (HTTP Strict Transport Security), STARTTLS (protecting emails in transit), forward secrecy (randomly changing the methods and ciphers used in encryptions so that decoding one message does not give attackers the keys to all one's communication history) and in-transit encryption of email.
Google has recently been offering to use STARTTLS for message encryption between companies, but has found few partners so far and has been trying to pressure competitors into using some form of in-transit encryption. Apple told NPR it is working on the issue and will "soon" have a solution for users of @me.com and @mac.com email addresses.
"Apple encrypts e-mail from its customers to iCloud. However, Apple is one of the few global email providers based in the U.S. that is not encrypting any of its customers' email in transit between providers. After we published, the company told us this would soon change. This affects users of me.com and mac.com email addresses. We found that many app installations and iOS updates are sent unencrypted to iPhones. The configuration files that let your telecom company control aspects of how your iPhone works is also unencrypted. Apple says these updates are authenticated and can't be changed. All pre-login browsing/shopping traffic from the Apple Store is unencrypted, including all HTML content, images, etc. So if you are a huge Abba fan the NSA could find out." - NPR
The moves are largely in response not to terror threats, but rather to protect Americans' civil liberties from US government snooping of private communications by agencies such as the National Security Agency (NSA). Former contractor Edward Snowden, who has recently been urging US citizens to adopt their own encryption tools in the fight to regain basic privacy rights against the level of mass-collection of data he believes to be illegal, revealed that various US agencies appear to routinely gather and analyze email and some forms of chat from most if not all US citizens as a matter of course, along with other information-gathering techniques such as web tracking.
The widespread collection of data from domestic communications, which apparently began following the incidents of 9/11, would appear to be in direct contradiction to the tenets of individual liberty and freedom from unreasonable search promised in the US Constitution. All three branches of government have been wrestling with the issue, trying to find the line between legitimate inquiry and collection to thwart potential terror attacks, which it sees as a solumn duty to its citizens, versus the freedoms allegedly guaranteed to all Americans to conduct their lawful business and lives free of unwarranted intrusion. The modification of the secret FISA court system (originally created in 1978 over spying concerns, but extensively modified post-9/11), which does not follow the normally-transparent judicial process, has complicated the issue considerably and in part led Snowden to make his revelations.
Apple in particular has been very vocal and proactive about its resentment of any attempt at mass collection of its users' data, and has recently taken several steps to further ensure its resistance to government collection efforts. The company recently adopted new policies with additional disclosure of government data requests and what was being sought, and has testified before Congress on the issue. It says it routinely rejects low-level data requests that come without warrants, forcing the government to justify to at least a secret court the reasoning for the request. Twitter and Google have also been pro-active in refusing requests they view as unreasonable.