Apple is working to encrypt email between providers, as the company has informed the Electronic Frontier Foundation (EFF) after the latter published a report on how tech companies stack up on encryption. The EFF has surveyed big tech companies, asking them what kind of encryption they’ve been using, and compared it to the five steps it asked them to take to protect user data and privacy (via NPR).
The five steps the EFF wants tech companies to apply are the following: HTTPS by default, HSTS (HTTP Strict Transport Security), forward secrecy, STARTTLS, and encrypting email in transit.
What is STARTTLS? If you are on Gmail and send me a message at my Yahoo account, those two email providers have to talk to each other. STARTTLS lets companies encrypt those messages in transit. But it is only possible if both companies use it. It takes two to tango — and Google recently started naming and shaming companies that are refusing to do this dance.
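The both-sides requirement described above, as an added example (not from the original article or the EFF report): a Python sketch that parses a receiving mail server's EHLO reply and decides whether an opportunistic-STARTTLS delivery would be encrypted. The hostnames and replies are constructed, and `parse_ehlo` and `delivery_mode` are hypothetical helper names.

```python
import re

# Constructed EHLO replies in the SMTP multiline format ("250-" continues,
# "250 " ends the reply). Hostnames are placeholders, not real servers.
EHLO_WITH_TLS = (
    "250-mx.receiver.example Hello mx.sender.example\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 SMTPUTF8\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-mx.legacy.example Hello mx.sender.example\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply):
    """Return the set of extension keywords the receiving server advertised."""
    lines = [l for l in reply.split("\r\n") if l]
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords = set()
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"not a successful EHLO reply: {line!r}")
        is_last = m.group(2) == " "
        if is_last != (i == len(lines) - 1):
            raise ValueError("malformed multiline reply")
        if i == 0:
            continue  # first line is the greeting, not an extension
        keywords.add(m.group(3).split(" ", 1)[0].upper())
    return keywords


def delivery_mode(sender_supports_tls, ehlo_reply):
    """Opportunistic STARTTLS: encrypted only when both sides support it."""
    receiver_offers = "STARTTLS" in parse_ehlo(ehlo_reply)
    if sender_supports_tls and receiver_offers:
        return "encrypted"
    return "plaintext"  # the message is still delivered, just without TLS
```

With opportunistic STARTTLS the fallback to plaintext is silent, which is why a provider that does not offer it leaves mail from every other provider unencrypted on that hop.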
As the EFF survey reveals, Apple does apply end-to-end encryption to iMessage and it encrypts emails from its customers to iCloud, but it doesn’t encrypt any of its customers’ emails in transit between providers.
After we published, the company told us this would soon change. This affects users of me.com and mac.com email addresses. We found that many app installations and iOS updates are sent unencrypted to iPhones. The configuration files that let your telecom company control aspects of how your iPhone works are also unencrypted. Apple says these updates are authenticated and can’t be changed. All pre-login browsing/shopping traffic from the Apple Store is unencrypted, including all HTML content, images, etc. So if you are a huge Abba fan the NSA could find out.
After publishing this report, the EFF was informed by Apple that it is working to encrypt emails between providers.
Apple isn’t the only company that failed to deploy STARTTLS: Amazon, Skype, Snapchat, WhatsApp, and WordPress have not shared data about such steps. As such, they are counted as companies that have not taken this important step.
Apple, on the other hand, is among those who are working on it, along with AT&T, Microsoft, Facebook, and Comcast. Meanwhile, Google, LinkedIn, Yahoo, and Twitter have already deployed it. By the way, Google has started pointing to those companies that were not encrypting emails in transit.
We don’t have information about when Apple plans to deploy STARTTLS, but when it does, it will be another win for privacy.