Just a week ago, President Obama assured the public that he understood the importance of securing the privacy of mobile phone networks.
"Ultimately, everybody — and certainly this is true for me and my family — we all want to know that if we’re using a smartphone for transactions, sending messages, having private conversations, that we don’t have a bunch of people compromising that process," Obama told technology site re/code in an interview. "So there’s no scenario in which we don’t want really strong encryption."
But a new report published by the Intercept alleges that British and American spies actively sought to undermine the security features that protect mobile networks around the world.
In 2010, a team of operatives from the National Security Agency and its British equivalent, GCHQ, hacked into a Dutch company that makes SIM cards to obtain encryption keys that are used to protect the cellphone communications of millions of people around the world, according to the Intercept's story, which is based on documents from former NSA contractor Edward Snowden. Stealing those encryption keys essentially makes it much easier for the spy agencies to eavesdrop on communications that would otherwise have been protected.
"That can't be squared" with the president's stated desire for those communications to be secure, according to Matthew Green, a cryptography expert and professor at the Johns Hopkins Information Security Institute.
Some privacy advocates have raised concerns that Obama's rhetoric may indicate he is not aware of some government surveillance activities. "I suspect the president was not fully briefed on the extent law enforcement and intelligence agencies develop, acquire and exploit vulnerabilities in the software we all use," said Christopher Soghoian, principal technologist for the American Civil Liberties Union's Speech, Privacy and Technology Project. "Otherwise, I don't know how he could say that with a straight face."
The White House declined to comment for this story. The NSA did not immediately respond to a request for comment.
Even if the government did not target the encryption keys for domestic use, what it was doing, Green said, did fundamentally compromise the security of mobile phone networks globally.
It's worth noting that the Intercept's report suggests some of the practices of the company, Gemalto, may have also put the encryption keys at added risk in the first place — like occasionally transferring them to mobile network operators unencrypted. And it is the NSA's job to collect signals for foreign intelligence purposes. The agency needs a warrant to target an American's calls or e-mails, but generally does not require the same standards for targeting foreigners when collecting overseas.
But in the wake of the Snowden revelations, Obama has said the United States respects the privacy of ordinary people regardless of their nationality. "The bottom line is that people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security and that we take their privacy concerns into account in our policies and procedures," he said during a speech on the spying last January.
However, the Intercept's report indicates that the GCHQ used the NSA's X-KEYSCORE program to access the private communications of Gemalto employees in an attempt to gain access to information about the SIM card encryption keys.
This isn't the first time concerns have been raised about a perceived disconnect between Obama's statements on digital security and government actions or policy proposals. Technical experts say that the stories he uses to illustrate the risks of tech companies' encryption expansions, and the calls from senior administration officials for the companies to maintain ways for law enforcement to access data, are at odds with how the technology actually works. The president ultimately did not take a side on the larger encryption issue during the re/code interview, instead saying there needs to be a "public debate."