In the latest development in the ongoing scandal over U.S. surveillance practices, new reports show that the National Security Agency can break into a wide range of encrypted internet communications that have long been considered secure.
The revelations come from former NSA contractor Edward Snowden, who obtained a trove of highly classified information and has been slowly leaking it to the Guardian and the New York Times. The news outlets, along with ProPublica, set out the new facts on Thursday in long articles that include slides and technical details.
Here are three important findings as to how the government is using “supercomputers, technical trickery, court orders and behind-the-scenes persuasion” to access supposedly secure communications.
The U.S. government and its allies have “backdoors” to break into encrypted communications
In the 1990s, the Clinton White House lost a political battle to introduce the “Clipper chip,” which would have, in the words of the Times, “effectively neutered digital encryption by ensuring that the NSA always had the key” to devices and networking equipment.
After failing to obtain official permission, the NSA responded by creating a program called Bullrun that uses hacking techniques to create so-called “backdoors” into a wide variety of encrypted communications. For instance, the articles cite: email transmissions, bank networks, private computer networks, airlines and even “one foreign government’s nuclear department.”
The average person is most familiar with this type of encrypted communication through the little padlock symbol they see when using a banking or other secured site — it signifies that the communications that flow when the lock is present are supposed to be encrypted and unreadable. Now, in many cases, the government is able to crack those encryptions, or else get access to machines before a communication is encrypted, through the Bullrun program.
The program, which involves elite hacking and cryptography teams, is immense in scope. According to records, the government is spending $255 million this year — more than ten times what it spends on the controversial PRISM program — and $800 million since 2011.
Intelligence sources said in the reports that the backdoor programs are necessary to prevent “going dark” — allowing terrorists or criminals to foil eavesdropping through the use of encryption. In recent weeks, the tactics reportedly let America listen in on Al Qaeda and on Syria’s official communications about chemical weapons. The NSA is also sharing the tactics with its allies in the “Five Eyes” program: Britain, Canada, Australia and New Zealand.
Tech companies and privacy standards are compromised
The new disclosures also contain another major revelation: how successfully the NSA was able to apply human pressure in order to undermine security principles in standards-setting organizations and in companies like Microsoft. The result is that the government, in some cases, is obtaining the pre-built backdoors that it wanted in the first place.
In the case of Microsoft, the NSA has “pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service,” the Times reported.
Meanwhile, the NSA is making a successful push to get encrypted traffic on the “big four” service providers: Hotmail, Google, Yahoo and Facebook. In response to the relentless pressure from the agency, the Times said, the tech companies capitulated.
The situation with the standards bodies is more nuanced. It involved the NSA deliberately planting weaknesses in what came to be the international norms for encryption — in other words, it made security protocols weaker than they should have been in order to exploit them:
“Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006,” said the Times, adding that the NSA is now the “sole editor” of official security standards.
The government hasn’t broken every form of encryption but we don’t know all the details
While the Bullrun program has allowed the government to gain access to a wide range of secure communications, its success has not been absolute.
Some forms of encryption, including the ones used by the leaker Edward Snowden, appear to be still secure.
Meanwhile, people can use a variety of other technical tricks to avoid the government’s tracking tools or at least minimize the risk of being discovered. Bruce Schneier, a security authority, described five of them for the Guardian.
Despite Thursday’s detailed revelations, the precise scope of the government’s power to break encryption is not clear. This is in part because the New York Times and Guardian did not publish all that they know. While the government asked the news agencies not to publish the stories, they only withheld certain details.