Consumer Tips: What to do about the NSA address book snooping


The Washington Post published new revelations from Edward Snowden’s leaked documents that revealed that the NSA is scooping up millions of email and IM address books globally. This is a serious piece of snooping business, and it deserves immediate attention on a policy level. For people who are reading this and wondering what you can do today, right now, here are some immediate steps to take.

The NSA is snooping on web mail and IM connections that are not encrypted. One thing this means is that if you are using web-based email, it needs to be using an encrypted connection. An encrypted connection will have a lock icon in the toolbar, and the URL will read https://. Unencrypted connections will use http://. An http connection will send data in the clear.   Data sent in the clear can be easily intercepted by the NSA, and also by mischievous hackers. It’s a best practice to use default encryption for web-based email and IM.


Here are some basic tips to get started with:


  1. The major web-based email and IM providers, Google’s Gmail, Microsoft’s Outlook, and now Facebook offer encrypted connections by default for computers and mobile browsing devices.
  2. Yahoo does not automatically encrypt its web-based email connections at this time. The company announced today that they will use encryption by default as of January 2014. Until then, you will need to turn on https by adjusting the Yahoo settings manually. To do this, go to your Yahoo mailbox, then click Settings —-> Security –> Click Make your Yahoo! Mail more secure with SSL —> click Save. Refresh your browser and you should see a lock icon in your browser from now on in mail. See the sidebar below for how to do this step by step.
  3. If you are using a legacy device (computer or smartphone), which means your device is older, and/or your software is not up to date, you need to ensure that it accepts https:// connections readily. Some legacy devices have trouble with these kinds of connections. To test this, open your web-based email accounts. You should see https:// in the URL or address bar if you are using Google’s Gmail, Microsoft Outlook, or Facebook.
  4. If you use the Firefox or Chrome browser, you can use a plug-in called HTTPS everywhere to facilitate  secure connections in all of your browsing Another plug-in for Firefox is HTTP nowhere, which blocks unencrypted connections.
  5. If you travel to a developing nation, you may have difficulty receiving https:// connections, but this will vary tremendously with the device you are using and what country/area you are in. Upgrade to a current device if at all possible, and experiment with the secure browsing plug-ins mentioned above.



Internet companies are correctly moving into a much more assertive stance on offering https:// by default. This is a bottom-line best practice as of today.




  • WPF has a Facebook FAQ on how to check your secure browsing connection in Facebook. For most users, it is on by default. If you are using a legacy device, this FAQ will show you how to turn it on.

  • We discuss more about using secure connections in our Search Engine Privacy Tips.

  • The Washington Post has an excellent and must-read discussion of the NSA address book issue in its FAQ on this topic. 

  • Here is the Washington Post article where Yahoo has pledged to use https:// connections or SSL connections for its webmail users.