The NSA can see pretty much everything you do online as long as it’s not encrypted. That’s at least what a Snowden leak from last month claimed. The news spurred more people and businesses to sign up for more encryption services, but a new leak suggests that their efforts may have been all for naught.
The Guardian, in collaboration with The New York Times and ProPublica, report that the NSA employs a number of programs to break through the encryption software used everyday to protect the privacy of Internet users. These programs range from the use of super computers in decrypting files to outright paying companies to insert vulnerabilities into their own software.
It should be noted before going any further that the NSA sees encryption and those who use it as adversaries to its mission. In one of the documents provided by Snowden, the NSA says that it’s able to use exploits in encryption software to access what “consumers and other adversaries” think is secure data.
Let that sink in it for a moment.
The NSA, an agency that’s charged with protecting the American people, refers to those its sworn to protect as adversaries. If the document had read “consumers and adversaries,” it would have been questionable, but fine. The addition of the “other” confirms a previous leak that revealed the NSA automatically assumes any encrypted data is up to no good.
So, how does the NSA gain access to encrypted data? The most prominent method is the one used by pretty much every other hacker on the planet – brute force alongside new decryption techniques. It appears that the NSA worked alongside their British counterparts at the GCHQ on two programs – Bullrun and Edgehill respectively – to break through the encryption used in major communication systems, including Gmail.
More worrisome, however, are the back room deals negotiated by the NSA to ensure that it doesn’t even have to break through the encryption in the first place. The documents point to a top secret program, which costs $250 million a year, where the NSA works with “US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs.” In other words, the NSA pays companies to insert backdoors into their own software. Some of the participants are even encryption companies that knowingly insert exploits into their own software so the NSA can access data sent via their services.
The NSA also has a hand in influencing global encryption standards. The documents state that the agency secretly had its draft of encryption standards accepted by the US National Institute of Standards and Technology. These are the bare minimum security standards that any Internet company worth their salt abides by, and the NSA can just blow right through said standards on account of it writing them.
So, is there anything that the NSA can’t peer into? Well, there are new encryption tools being developed every day. The NSA makes a note of this by saying that it can’t break through every encryption technology just yet. We don’t know what those encryption technologies are, but it’s safe to assume that LavaBit may have been one of them.
Even more worrisome than the NSA having access to encrypted information is the existence of these backdoors in the first place. Any security researcher will tell you that backdoors are an incredibly bad idea that do more harm than good. What happens when malicious hackers find their way into the backdoors intended for government officials? Nothing good, that’s what.
President Obama and defenders of the NSA claim that the agency is needed to protect us from the bad guys. Those bad guys are increasingly turning to cyberwarfare where such back doors are rather convenient for those who would launch cyber attacks that can cause real harm to people who use the Internet for everything from banking to sharing personal information. The NSA may be trying to secure America from foreign threats, but in doing so is making the Internet less secure. That’s a problem and one that needs to be addressed by Obama’s “independent” panel of experts that will examine the NSA’s practices over the coming months.
[Image: The Guardian]