
Twitter beefs up users’ data security

by Jemima Kiss

The Observer

Twitter has announced a significant increase in its data security as it moves to protect users from attacks by the “apex predators” of the Internet.

An internal team of security engineers has spent several months implementing “perfect forward secrecy,” which adds an extra layer of security to the widely used https encryption deployed online by banks, by retailers and, increasingly, by consumer Web services.

Google, Facebook, Dropbox and Tumblr have all implemented forward secrecy already, and LinkedIn is understood to be introducing it in 2014.

Users may not immediately notice any difference, other than a barely perceptible time lag as they use the service across desktop, mobile and through third-party services, but for Twitter the move asserts its credentials as a company fiercely protective of its users’ data.

That data includes not only messages that users choose to publish publicly, but also direct, private messages, protected tweets and data on what users say, who they comment on and the other users’ feeds that they read.

Collectively, large data sets, such as those of Twitter’s 218 million users, can be analyzed to identify connections between people, locations and interests.

Announcing the new implementation — a trial of which has been running since Oct. 21 — a detailed post on Twitter’s engineering blog encouraged other sites to “defend and protect the users’ voice” by implementing https and forward secrecy.

Documents released by Edward Snowden, a fugitive former contractor to the U.S. National Security Agency currently living in Russia, have shown that the agency and its affiliates are storing vast amounts of encrypted consumer data so that it can later attempt to decrypt it, either by accessing unencrypted data or by using specific court orders to force data owners to hand over the private SSL keys. But forward secrecy means data would still be secure, even if the agency obtained the keys to the encrypted data.

First developed in 1992, perfect forward secrecy creates a new, disposable key for each exchange of information, which means an attacker would have to recover the key for every individual session separately to access the data.
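The contrast the paragraph above draws, a long-term key reused for every session versus a disposable key per session, modelled as an added example that is not Twitter's code and not from the article. It uses a toy Diffie-Hellman exchange with constructed parameters (a small prime, no authentication, a hash-based stream cipher) and models the “store now, decrypt later” attacker who records traffic and later obtains the server's long-term private key.

```python
import hashlib
import secrets

# Constructed toy parameters: a known prime used as a modulus, not a vetted DH group.
P = 2**255 - 19
G = 2

def keygen():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive(shared_secret):
    # Session key = hash of the shared DH value (toy KDF; P fits in 32 bytes)
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()

def xor_crypt(key, data):
    # Toy stream cipher: keystream derived from the session key; same op both ways
    stream = hashlib.sha256(key).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, stream))

def session_static_key(server_priv, server_pub, plaintext):
    # No forward secrecy: the server's long-term key is used in every session
    a, A = keygen()
    key = derive(pow(server_pub, a, P))            # client side
    assert key == derive(pow(A, server_priv, P))   # server side agrees
    return (A, xor_crypt(key, plaintext))          # what an eavesdropper records

def session_ephemeral_key(server_priv, server_pub, plaintext):
    # Forward secrecy: a fresh, disposable server key per session. A real
    # deployment signs B with the long-term key; that step is omitted here.
    a, A = keygen()
    b, B = keygen()                                # disposable
    key = derive(pow(B, a, P))
    assert key == derive(pow(A, b, P))
    del b                                          # the server keeps nothing
    return (A, B, xor_crypt(key, plaintext))

def adversary_recover(recording, leaked_server_priv):
    # Attacker who stored the traffic and later obtained the server's long-term key
    A, ciphertext = recording[0], recording[-1]
    guessed_key = derive(pow(A, leaked_server_priv, P))
    return xor_crypt(guessed_key, ciphertext)

def demo():
    priv, pub = keygen()
    msg = b"direct message"                        # constructed sample plaintext
    static = adversary_recover(session_static_key(priv, pub, msg), priv)
    ephemeral = adversary_recover(session_ephemeral_key(priv, pub, msg), priv)
    return static == msg, ephemeral == msg         # → (True, False)
```

With the reused key the leaked private key unlocks the recorded session; with the per-session key the same leak yields only garbage, which is the property the rest of the article relies on.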

Twitter engineer Jacob Hoffman-Andrews said implementation on Twitter was complex because of its scale, which meant that extra work was done to ensure the process did not slow the site. He wants to encourage smaller sites to introduce forward secrecy and said it could take just two weeks to implement.

“We are trying to create a new norm for what it means to be a secure website,” he said. “It makes it harder for anyone attempting a large-scale cryptographic attack, but this is not just about the NSA. There’s more than one apex predator on the Internet, including terrorists and groups outside of government — anyone well funded could use the same techniques.”

Fellow engineer Jeff Hodges said Twitter’s policy of asserting its users’ right to privacy marked it out from other services, and that the Snowden revelations had an impact inside the company.

“It was a surprise, and it inspired a lot of work,” he said. “There’s a gap to be bridged between what developers know to be the correct thing to do next, and that becoming policy at companies so that they invest the time to make it happen. But that process is percolating up.”

Chester Wisniewski, senior security adviser at software security firm Sophos, said that several mainstream consumer sites have moved to improve security of user data in the wake of the Snowden revelations, but doubted that the move was due to consumer demand.

“This is good news for Twitter users,” he said. “Not many companies of this scale are using perfect forward secrecy and this is good news for privacy advocates. Even if Twitter is compromised or compelled by a government to disclose its private keys, user communications that were intercepted on the wire will remain safe.”

Wisniewski said that the technical community is exploring how to establish Web standards that will make encryption of Web traffic a default.

“Most of the movement towards improved security and privacy is long overdue,” he said. “For a couple of years, Google redesigned parts of its networks to offer https encryption for all of its services, and Yahoo announced it will begin using [the secure protocol] https everywhere it can from 2014. The public pressure is welcomed by those of us who are concerned about the privacy of the average individual. It is simply unfortunate that it took a leak like this for companies to do the right thing.”