The National Security Agency has made great strides in foiling encryption techniques used to protect Internet communications, and has established back doors to some companies’ encryption software, according to news reports and newly released documents.
The documents, obtained by the Guardian, the New York Times and ProPublica from former NSA contractor Edward Snowden, state that the agency for the past decade has led an “aggressive, multi-pronged” effort to crack widely used Internet encryption technologies.
The NSA has worked closely with its British counterpart, the GCHQ, in the effort to break or get around the codes that protect the data that billions of people send across the Internet each day — including e-mails, bank transactions, Web searches, phone calls and chats, the newspapers reported on their Web sites Thursday.
U.S. officials from President Obama down have repeatedly said that the NSA’s surveillance efforts target adversaries overseas to gather foreign intelligence and thwart terrorist plots.
Toward that end, the government has invested in “groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic,” according to the intelligence community’s 2013 budget, first reported by The Washington Post.
“Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable,” stated one 2010 briefing document reproduced by the Guardian.
If true, that has implications for the intelligence agencies’ efforts to collect massive amounts of often-encrypted traffic at Internet “gateways” and from transoceanic fiber optic cables. “Major new processing systems” must be put in place to “capitalize on this opportunity,” the document said.
Code-named “Bullrun” after a major Civil War battle, the project has focused on defeating encryption in widely used protocols such as HTTPS, secure sockets layers (SSL) and virtual private networks (VPN), the papers reported.
The documents described by the newspapers indicate that the agencies are working with commercial providers such as Google, Yahoo, Hotmail and Facebook to develop ways into encrypted traffic. The NSA’s Sigint Enabling Project costs $254.9 million a year, according to the 2013 budget document, also provided by Snowden. Sigint is shorthand for signals intelligence, or electronic interceptions.
That project, according to the budget document, “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable” or hackable.
Google pushed back on the assertion of an NSA back door into its system. “We have no evidence of any such thing ever occurring,” a company statement said. “We do not provide any government, including the U.S. government, with access to our systems. . . . We provide user data to governments only in accordance with the law.”
Phil Zimmermann is founder of Pretty Good Privacy (PGP) encryption and battled the U.S. government in the 1990s over his effort to establish strong Internet encryption for consumers. He said he is confident that the NSA has not cracked PGP encryption, which is now owned by Symantec. “The fact that they use PGP for government users indicates that they haven’t broken it,” he said. “Otherwise they’d have stopped using it.”
The NSA, working through a standards-setting process, covertly introduced weaknesses into the encryption standards followed by hardware and software developers worldwide, the New York Times reported, citing a classified NSA memo.
Such reports fuel concern that in the name of spying on foreign adversaries, the NSA is making the Internet less secure. “The NSA’s involvement in cryptography policy has long frustrated efforts to establish strong privacy and security standards for the Internet,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center.
He noted that the NSA has discouraged the adoption of public key encryption of the sort PGP offered.“There would likely be far less identity theft, economic espionage, and spying on U.S. interests if encryption was routinely deployed for digital communications and data storage,” Rotenberg said.
Al Gidari, a partner with the law firm Perkins Coie in Seattle who represents telecom companies, said “it’s no surprise” that the NSA has “great tools” to crack codes. He said the agency is less of a concern for him than foreign spy agencies. “Really, it’s the Chinese who pose the biggest threat,” he said. “Not the NSA.”
The newspapers reported that intelligence agencies asked them not to publish their articles on grounds that doing so might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read. The papers said they removed specific facts but decided to publish because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of Internet users.