Gov't, Hackers Spy on Yahoo Messages, Video: Report

By Brandon Dimmel

A new report shows that Yahoo instant messages can be easily intercepted and read by government spies and hackers. The problem: Yahoo fails to encrypt those messages.

A recent study by CNET shows that Yahoo continues to transmit message content in unencrypted form. This makes the instant messages vulnerable and exploitable by third parties.

To compound the problem, a recent article by UK-based The Guardian shows that a number of government agencies are, in fact, spying on Yahoo's unencrypted messages. (Source: cnet.com)

Government Agents Spying on Everyday People

Worse still, evidence shows that many of the intercepted messages -- including webcam video and images -- have nothing to do with criminal activity. In other words, government agents are spying on everyday people.

According to The Guardian's report, a special surveillance platform known as "Optic Nerve" has been used to intercept and store "the webcam images of millions of Internet users not suspected of wrongdoing." (Source: theguardian.com)

Making that possible is Yahoo's failure to use a standard security technology known as SSL (or Secure Sockets Layer). SSL is often used to establish an encrypted link between a server and client, thereby making it harder to eavesdrop. (Source: digicert.com)

For many years, SSL was primarily used to secure online transactions (such as banking, PayPal, and similar). However, many web sites now use SSL as the default connection to their servers, rather than reserving it for financial transactions.

Unlike Yahoo, both Microsoft and Google have adopted SSL to protect their users. Using SSL is one part of an ongoing campaign by both Google and Microsoft to keep their users (at least somewhat) protected against prying eyes, including the National Security Agency (NSA).

Yahoo's Position Angers ACLU Expert

Yahoo's failure to protect its users irks the American Civil Liberties Union's (ACLU) Chris Soghoian, who is currently a principal technologist with the organization's Speech, Privacy, and Technology Project.

"We have ample evidence now that Yahoo doesn't really care about security or the confidentiality of its customers' communications," Soghoian said. "Whether it's the lack of encryption in Webmail, or the video issue, Yahoo has ignored repeated warnings from researchers, [and] from human rights activists."

Yahoo does use SSL, but not much. Its use of the technology is limited to scrambling a user's password during the initial authentication process. The firm admits that it "does not use encryption for message delivery." (Source: cnet.com)

Yahoo CEO Promises to Improve Security Measures

Yahoo's chief executive officer, Marissa Mayer, has promised that Yahoo will introduce a better system for protecting its users' privacy, but so far that system hasn't been made public.

A spokesperson for Yahoo recently had this to say on the matter: "We are committed to preserving our users' trust and security and continue our efforts to expand encryption across all of our services."

Yahoo currently does protect its Yahoo Mail users with SSL. However, Soghoian says that was a reactionary move.

"The only reason they're encrypting email with Webmail now was a front-page story in The Washington Post," Soghoian said. "It was only then, in response to that coverage, that Yahoo turned on SSL by default." (Source: cnet.com)

What's Your Opinion?

Are you concerned about the possibility of governments or hackers eavesdropping on your messages, webcam, and video images? Are you a Yahoo user, and if so, would you consider abandoning the service for a more security-minded competitor such as Gmail, Hotmail, or similar? Lastly, do you think that fears about government agents snooping on citizens are overblown?


Comments

blueboxer2

I object to other people reading my mail - in any form, dead tree or electronic, for any reason. In this case Yahoo is pretty small beer, beside the NSA, CSPC, the "Five eyes" consortium and other massive government snooping activities - partly by websites that want to sell us out to advertisers, partly by plain civilian snoops, but mostly by the increasingly paranoid weirdos in government who see masses of data as a means to control. As in, Orwell was right, just had the timeline too short and the estimate of intrusion too small by orders of magnitude.

So long as I conduct myself in a non-criminal fashion, the government has no right snooping into my private affairs at all. If they have suspicions, they can go to a judge and get a warrant to snoop. Otherwise, they are increasingly intrusive Peeping Toms.

I don't trust Harper, I don't trust his cronies, I don't trust his minions and I trust his foreign friends even less. I want their noses kept out of my business. And when I realize this is a totally vain hope, I will myself use means (such as encryption) to make the lives of the snoops as difficult as possible.

Anyone noticed the two new snoop-resistant browsers, EpicBrowser and Icedragon (from Comodo), both free and both sensitive to your privacy issues?