It's no secret that intelligence agencies don't like encryption technology—at least, they don't like it in the hands of anybody other than themselves. The U.S. government classified encryption as "munitions" subject to export controls for years, only to be defeated by the amazing power of the Internet, books and people's brains to transport information across borders without regard to laws. Phil Zimmermann, the creator of PGP (and, more recently, a co-founder of Silent Circle), was even investigated for his efforts, though charges were never filed. Now comes word that the National Security Agency and the U.K.'s GCHQ have been busy at work cracking common online encryption systems, paying tech companies to build back doors into their security and even laboring in secret to weaken the accepted standards on which encryption is based.
The Guardian, the New York Times and ProPublica broke the latest revelations based on data from Edward Snowden. The following is excerpted from the Guardian story by James Ball, Julian Borger and Glenn Greenwald:
US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.
The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.
The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – "the use of ubiquitous encryption across the internet".
Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with "brute force", and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.
It's not news that the NSA and its counterparts have powerful computers and an interest in cracking encryption systems. Nor, unfortunately, is it news that many companies collaborate with these agencies in compromising their customers' security (though some have fought and continue to resist such efforts). It is interesting, though, to know that the NSA spent $254.9 million this year on a project that "actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs." According to the NSA's own documents:
"These design changes make the systems in question exploitable through Sigint collection … with foreknowledge of the modification. To the consumer and other adversaries, however, the systems' security remains intact."
If you trusted your commercially sourced security software, stop.
What is really disturbing news is that the NSA has successfully highjacked the process of setting standards for encryption. "The agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006." The NSA was the sole editor for that standard.
Ultimately, this means that developers, activists and business people who are serious about privacy and liberty need to end cooperation with government bodies and work on open source security that can be scrutinized for exactly the sort of weaknesses and back doors the NSA and GCHQ have been so busily installing. Every effort to "help" that has been put forward by agencies like the NSA, including the Commercial Solutions Center (supposedly established to assess and encourage developments in cryptography) have instead been turned into tools for weakening privacy protections.
Companies that won't do that and that continue to collaborate with surveillance agencies, should be abandoned by members of the public who care about privacy, or who just resent increasingly presumptuous Big Brother.
Update: Was it just yesterday that I suggested the U.S. government is rotten to the core? Yes. Yes it was.