Encryption techniques used by online banks, email providers, and many other sensitive Internet services to keep your personal data private and secure are no match for the National Security Agency and British surveillance authorities, according to new reports from The New York Times, ProPublica, and The Guardian. The revelations are the latest to come from a trove of documents supplied by fugitive whistleblower Edward Snowden.
Documents labeled “top secret” show that HTTPS and Secure Sockets Layer (SSL), encryption technologies used across the Web to keep transactions protected from snoops of all kinds, have been cracked by government-owned supercomputers. Through their decryption program, codenamed “Bullrun,” NSA and U.K. counterpart GCHQ have also compromised virtual private networks (VPNs) and encryption used to protect 4G wireless signals.
The spy agencies have also reportedly coerced or, in some cases, collaborated with corporations to obtain backdoor access to users’ communications, files, and other data. According to reports, the files obtained by Snowden did not name specific companies that teamed with NSA and GCHQ. An earlier report from The Guardian shows, however, that Microsoft granted NSA analysts pre-encryption access to users’ Skype calls, Outlook emails, and SkyDrive cloud storage.
“For the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” read a 2010 NSA memo to GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”
The fact that the NSA has these capabilities may seem like a given – but it’s far from it: Modern cryptology is highly secure, and many doubted the spy agency had reached this level of penetration. Even the spies themselves were surprised by the NSA’s cryptanalysis capabilities. In another memo reported by the news agencies, GCHQ analysts who did not have prior knowledge of the decryption capabilities of the NSA “were gobsmacked” to learn about them.
While the NSA claims that its decryption capabilities are a crucial tool in its fight against global terrorism, critics argue that the agency’s efforts have made the U.S. less secure in the name of national security.
“The risk is that when you build a back door into systems, you’re not the only one to exploit it,” Matthew D. Green, a cryptography expert at Johns Hopkins University, told ProPublica. “Those back doors could work against U.S. communications, too.”
U.S. government authorities reportedly asked the news agencies to not report on Bullrun because doing so could cause enemies of the state to change their communication tactics, weakening U.S. security. The Times said it decided to publish its story “because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of Americans and others.”
ProPublica said in an open letter that it believes publication of the story is “in the public interest” for two reasons. First, unlike code cracking efforts during World War II, the NSA’s activities involve “eavesdropping on civilians,” not just military personnel. Second, ProPublica believes the surveillance severely impedes Americans’ civil liberties.
“Suppose for a moment that the U.S. government had secretly developed and deployed an ability to read individuals’ minds,” writes ProPublica. “Such a capability would present the greatest possible invasion of personal privacy. And just as surely, it would be an enormously valuable weapon in the fight against terrorism.
“Continuing with this analogy, some might say that because of its value as an intelligence tool, the existence of the mind-reading program should never be revealed. We do not agree.”
Indeed, given the NSA’s likely predictive analytics capabilities, the mind-reading analogy may be more real than many of us care to imagine.