Do large companies follow encryption best practices?

Following last month's revelations of the existence of the MUSCULAR program, in which the NSA and Britain's GCHQ collaborated in tapping the overseas fiber-optic links that Google and Yahoo use to exchange data between their many data centers in the US and abroad, the Electronic Frontier Foundation has urged Internet companies to implement additional security measures to help restore users' trust.

The measures include: encrypting traffic between their data centers, enabling HTTPS by default, enabling the STARTTLS e-mail encryption protocol (for Web mail companies), implementing forward secrecy, and fighting surveillance in court and Congress.
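Two of these practices can be judged offline from captured output: forward secrecy from the negotiated TLS cipher suite name, and STARTTLS from a mail server's EHLO reply. The Python below is an added example, not code from the article or the EFF report; the EHLO banners and host name are constructed sample data.

```python
"""Offline checks for two EFF "Encrypt the Web" practices: forward secrecy
(from the TLS cipher suite) and STARTTLS (from an SMTP EHLO response)."""
import re

# TLS 1.3 suite names carry no key-exchange field: the TLS 1.3 handshake is
# always ephemeral (EC)DHE, so these are forward secret by construction.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}


def has_forward_secrecy(cipher_suite: str) -> bool:
    """True when the suite uses ephemeral (EC)DHE key exchange.

    Static RSA or static ECDH key exchange (e.g. TLS_RSA_WITH_AES_128_CBC_SHA)
    lets anyone who later obtains the server's private key decrypt recorded
    traffic, which is exactly the exposure forward secrecy is meant to close.
    """
    name = cipher_suite.strip().upper()
    if name in TLS13_SUITES:
        return True
    # IANA style: TLS_ECDHE_RSA_WITH_...; OpenSSL style: ECDHE-RSA-AES128-GCM-SHA256
    # or the older EDH-RSA-... spelling.  Static "ECDH-" deliberately does not match.
    return re.match(r"^(TLS_)?(ECDHE|DHE|EDH)[_-]", name) is not None


def supports_starttls(ehlo_response: str) -> bool:
    """Parse a multi-line EHLO reply and report whether STARTTLS is advertised.

    Per RFC 5321 each line is '250-KEYWORD ...' or, for the last one,
    '250 KEYWORD ...'; only the keyword position is examined.
    """
    for line in ehlo_response.splitlines():
        m = re.match(r"^250[ -](\S+)", line.strip())
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


# Constructed sample EHLO replies (mail.example.test is a made-up host).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello\r\n250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n250 8BITMIME"
)
EHLO_WITHOUT_STARTTLS = "250-mail.example.test Hello\r\n250 8BITMIME"

if __name__ == "__main__":
    print(has_forward_secrecy("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"))  # True
    print(has_forward_secrecy("TLS_RSA_WITH_AES_128_CBC_SHA"))          # False
    print(supports_starttls(EHLO_WITH_STARTTLS))                          # True
```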

“By enabling encryption across their networks, service providers can make backdoor surveillance more challenging, requiring the government to go to courts and use legal process,” noted the EFF. “While Lavabit’s travails have shown how difficult that can be for service providers, at least there was the opportunity to fight back in court.”

Last week, the organization released its "Encrypt the Web" report, which reflects the changes a number of companies have recently made in that regard. The results, as tabulated in the report, are as follows:


“We’re pleased to see that four companies—Dropbox, Google, SpiderOak and Sonic.net—are implementing five out of five of our best practices for encryption,” says the EFF. “In addition, we appreciate that Yahoo! just announced several measures it plans to take to increase encryption, including the very critical encryption of data center links, and that Twitter has confirmed that it has encryption of data center links in progress.”

Others, like Facebook and Twitter, are very close to checking all the boxes. Unfortunately, some of the companies haven't responded to the survey, and the EFF couldn't independently discover and confirm whether they are doing something about it.
