The day before news broke that Alex Stamos was joining Yahoo as chief information security officer, he laid out the approach that has defined his tenure at the company so far: Technology shouldn't just be secure, it should be "trustworthy."
"What we are failing at is building technology people feel comfortable with using day to day," he told a theater auditorium crowd packed with security researchers and civil liberties activists in February 2014.
"Our field, unlike anything else, likes to blame users for making mistakes, likes to say it's someone else's fault if something goes wrong, likes to say that people aren't smart enough to use the things that we build."
That attitude had to change, Stamos told the crowd, and the first step to "kicking the habit" was admitting that there was a problem.
Stamos's hiring was an admission by Yahoo that it had a problem: Civil liberties and security groups had repeatedly complained about its track record for protecting users' privacy.
Since Marissa Mayer took the helm of Yahoo in 2012, the company has been undergoing a sort of reboot - bringing on such high-profile personalities as Katie Couric and acquiring blogging platform Tumblr. While Yahoo boasts more than 1 billion registered users, investors have remained skeptical about its ability to compete against giants like Google.
To survive, Yahoo needs to attract new users while retaining its core audience, observers say - and part of the company's strategy is an effort to distinguish Yahoo as the "trustworthy" tech company.
The face of that effort is Stamos, a cybersecurity professional with a gift for boiling down complicated debates into understandable sound bites, and the technical chops to back up his rhetoric. Stamos was also the primary organizer of TrustyCon - essentially an elaborate anti-National Security Agency protest that served as a counterpoint to a major cybersecurity industry conference happening around the corner.
At Yahoo, he has continued to be a vocal critic of what he sees as government attempts to undermine the digital security of everyday people - a position that may help Yahoo rebuild its reputation as the trusted ally of users, not governments. This spring, he even went head-to-head with NSA chief Adm. Michael S. Rogers at a cybersecurity conference in the District.
Rogers told the crowd that tech companies should build ways for law enforcement to access the secure communications flowing through their products, what experts call a "back door."
Stamos didn't stay quiet long. "It's like drilling a hole in the windshield," he said, before asking Rogers whether Yahoo should provide the same sort of access to the Chinese government, or the Russians.
But Stamos's questions also hinted at one of his biggest challenges at Yahoo: the company's track record on protecting users.
In 2007, the company settled with the families of two Chinese dissidents it had allegedly helped the Chinese government to identify. And privacy advocates have long criticized Yahoo for lagging behind its competitors in adopting some basic security practices to protect consumers.
"The relationship between Yahoo and the privacy community was toxic," said Christopher Soghoian, a technologist who works on privacy and surveillance at the American Civil Liberties Union.
The turning point didn't come, he said, until Yahoo was publicly shamed.
The company had long failed to use SSL encryption by default for its e-mail service. SSL creates a sort of protected digital tunnel between Internet users and the sites they visit. When news emerged that NSA had been collecting hundreds of millions of contact lists from personal e-mail and instant messaging accounts, security experts noted that Yahoo users were among those most vulnerable.
"It had ignored calls to encrypt, and as a result governments were surveilling Yahoo at a scale that dwarfed every other major provider," Soghoian said.
The revelations spurred Yahoo to announce it would deploy the encryption feature, but by then it was already years behind peers such as Google and Microsoft. And, some security experts said, even then its technology wasn't as secure as it could have been.
A few months later, Stamos came on board.
Soon after he was hired, Yahoo announced it had also finished securing the connections between its data centers - another government surveillance target - and was encrypting more of its services.
Over the past year, the company has also announced a series of ambitious projects aimed at keeping users safer online. The company is working on technology that will allow users to encrypt e-mails "end-to-end," meaning only the sender and recipient can read the contents.
Such encryption is more secure and means even Yahoo won't be able to see what its users are saying to one another.
"Our goal is to become the best at this," Stamos said. "Focusing not just on security, but safety: Are we the safest when used by a normal person?"
Some of Stamos's proposals seem to run counter to Yahoo's business model, which is at least partially based on tracking users' behavior online so it can serve them targeted ads: If users encrypt more of their e-mails, Yahoo will have less information about them.
But Stamos has a gift for selling those kinds of trade-offs, said Tyler Shields, who worked with Stamos at cybersecurity firm @stake for several years and is a senior analyst at Forrester Research. "You have a constant tension between the business side and the security side, but Alex can justify the business losses with the security gained."
Part of his effectiveness also appears tied to carefully picking his battles, said Jonathan Mayer, a computer scientist and lawyer affiliated with Stanford University's Center for Internet and Society. "Alex has avoided the trap that many security people have fallen into where they opine on the state of the surveillance state - he has really held himself to building secure systems to the extent that he's involved in larger policy discussions," he said.
Many of the projects Stamos has spearheaded at Yahoo are still works in progress. They're also not his work alone: The company has a robust security team and has brought on other high-profile security experts such as former Electronic Frontier Foundation technologist Yan Zhu.
Yahoo's reputation among civil liberties groups was also bolstered by reports that it had waged a protracted legal battle to prevent NSA from accessing customer data in 2008. The company ultimately lost the fight. But documents about the case released last year revealed Yahoo had only given the government access to the information after facing a $250,000-a-day fine.
Still, the company's quest to become the most "trustworthy" tech company faces stiff competition, including from Apple, which has already built robust end-to-end encryption into services such as FaceTime and iMessage.
And this week, a California judge ruled that Yahoo must face a class-action lawsuit that accuses the company of violating wiretapping laws when it scans e-mails sent by its users to people who are using another e-mail service.
Many, however, have noticed an overall turnaround in Yahoo's security, and credit Stamos as a key player.
"Before Alex arrived, Yahoo was probably the worst of the big tech companies," said Soghoian of the ACLU. "Now they're not at the front of the pack, but they're with the other cool kids."