Yahoo Adding Email Encryption After NSA Address Book Surveillance Revealed

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Latest leaks suggest NSA grabbed 444,743 email address books from Yahoo in a single day

Yahoo is finally turning SSL encryption on by default for its email users, after claims the National Security Agency had acquired masses of address books from the company and its rivals.

The latest NSA leaks indicated Yahoo contact lists were far more targeted than others. On a single day last year, the NSA’s Special Source Operations grabbed 444,743 email address books from Yahoo, considerably more than 105,068 from Hotmail, 82,857 from Facebook and 33,697 from Gmail.

Yahoo email targeted

If that was a typical day, the Washington Post reported, the NSA could be collecting as many as 250 million address books a year from email and instant messaging bodies.

These contact books don’t just contain a name and an email or IM contact, but address and telephone details too.

Yahoo may be targeted far more than others because it does not turn on SSL, which encrypts communications, by default. Starting in January, it will encrypt all of its users’ email, a spokesperson said.

The other providers named in the report have all had HTTPS communications turned on by default for some time.

Facebook and Google said they were unaware of any NSA targeting of their users’ contact books, whilst Microsoft said it “would have significant concerns if these allegations about government actions are true”.

It appears the NSA is harvesting the data when it is in transit, not at rest, by tapping pieces of Internet infrastructure. If true, it would not have to collude with any of those Internet giants to get at the data.

Whilst Yahoo has proven it fought US intelligence data requests vociferously in the past, the company has faced criticism over its security. It was lambasted for offering security researchers a $12.50 voucher for finding vulnerabilities last month, and subsequently pushed out a full bug bounty programme.

Its email users were left open to attacks earlier in the year, thanks to some failed software patches.
