The NSA has thwarted many of the encryption safeguards currently relied on to protect the online activities, communications and data of governments, banks, hospitals and hundreds of millions of private citizens, major news outlets in possession of classified documents provided by whistle-blower Edward Snowden report.
The revelation by The New York Times, The Guardian and ProPublica undercuts a key promise made by Internet companies to their customers: “that their data is safe from prying eyes, including those of the government,” The New York Times reports. The NSA wants Internet users to go on assuming such shields exist. “The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets,” the Times notes. The documents do not tell which companies have participated.
The files, which come from both the NSA and Britain’s official spying apparatus, the GCHQ, describe the capabilities and other details of the Sigint Enabling program, and show how desperate both agencies were to find their way around the major means of protecting the privacy of everyday communications in the Internet age. According to The Guardian, they reveal:
• A 10-year NSA program against encryption technologies made a breakthrough in 2010 which made “vast amounts” of data collected through internet cable taps newly “exploitable”.
• The NSA spends $250m a year on a program which, among other goals, works with technology companies to “covertly influence” their product designs.
• The secrecy of their capabilities against encryption is closely guarded, with analysts warned: “Do not ask about or speculate on sources or methods.”
• The NSA describes strong decryption programs as the “price of admission for the US to maintain unrestricted access to and use of cyberspace”.
• A GCHQ team has been working to develop ways into encrypted traffic on the “big four” service providers, named as Hotmail, Google, Yahoo and Facebook.
The documents show that after losing a public battle in the 1990s to insert into software its own “backdoors” to gain control in all encryption, the NSA in 2000 began a successful stealth campaign “over setting of international encryption standards, the use of supercomputers to break encryption with ‘brute force’ and—the most closely guarded secret of all—collaboration with technology companies and internet service providers themselves,” The Guardian reports. Through those partnerships, the agencies inserted secret vulnerabilities into commercial encryption software. Those weaknesses provided entry points into the products and sometimes the host machines.
The newly revealed capabilities are consistent with the NSA’s goal to move away from breaking communications and programs one by one and instead decoding all information flying through cyberspace in real time, to be sorted through for valuable intelligence later.
Funding for the effort dwarfed the $20 million data collection program called PRISM, revealed by The Guardian and The Washington Post earlier this year. According to an NSA budget document, one of the agency’s goals in 2013 was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method, The New York Times reported.
“The agency’s success in defeating many of the privacy protections offered by encryption does not change the rules that prohibit the deliberate targeting of Americans’ e-mails or phone calls without a warrant,” the Times continued. “But it shows that the agency, which was sharply rebuked by a federal judge in 2011 for violating the rules and misleading the Foreign Intelligence Surveillance Court, cannot necessarily be restrained by privacy technology. N.S.A. rules permit the agency to store any encrypted communication, domestic or foreign, for as long as the agency is trying to decrypt it or analyze its technical features.”
The Guardian noted that the documents suggest the agencies have not yet cracked all encryption technologies. “Snowden appeared to confirm this during a live Q&A with Guardian readers in June,” the paper said. “ ‘Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on,’ he said before warning that the NSA can frequently find ways around it as a result of weak security on the computers at either end of the communication.”
The disclosure comes one week after The Washington Post reported NSA budget documents revealed the agency’s ability to break into and take over individual computers.
—Posted by Alexander Reed Kelly.
highwaycharlie (CC BY-ND 2.0)