The NSA spying beat goes on: Encryption's broken promises

Happy Friday, we’re here to crush whatever hopes and dreams you may still have had about online privacy. New reports by the New York Times, ProPublica and the Guardian, based on the Edward Snowden leaks, say the NSA and the U.K. equivalent GCHQ have been able to crack most encryption and other online safeguards.

“Cryptography forms the basis for trust online,” said encryption guru Bruce Schneier, who worked with the Guardian and read the leaked documents. “By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the Internet.”

Some key points from the reports:

• What the governments are doing requires a certain level of cooperation — voluntary or not — from Internet companies and Internet service providers. In some cases, vulnerabilities are baked into technology so they’re more easily accessible.

The Sigint Enabling Project, at a cost of $250 million a year, “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to exploit them, according to the NYT.

The Guardian says the GCHQ has been working to nose its way into encrypted content from Google, Facebook, Yahoo and Hotmail. The GCHQ supposedly has planted spies inside Internet companies.

This decryption program is separate from the previously disclosed (and acknowledged) Prism program, which involves the scooping up of online communications from large Internet companies. Spending on Prism was reported to be about $20 million a year.

• If the government can work around supposed safeguards, who else can?

“Backdoors expose all users of a backdoored system, not just intelligence agency targets, to heightened risk of data compromise,” says the ACLU’s Chris Soghoian, according to the Guardian.

• The government asked the NYT and ProPublica not to publish their reports, citing the possibility that “bad actors” will change their communication methods as a result. But both decided to publish, citing the following reasons:

The NYT:

The news organizations removed some specific facts but decided to publish the article because of the value of a public debate about government actions that weaken the most powerful privacy tools.

ProPublica:

The potential for abuse of such extraordinary capabilities for surveillance, including for political purposes, is considerable.

• What can we do? Are our communications hopelessly and “perpetually insecure,” as the Electronic Frontier Foundation laments? Schneier says he’s not completely impressed with the NSA’s supposed superpowers: “They are not magical. They’re limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.” He lists ways people can continue to try to protect themselves online, including continuing to use encryption but being wary of commercially available encryption software. In an op-ed in Wired, he suggests increasing key lengths used for encryption — that math is still on the side of the people.


Photo: The National Security Agency building at Fort Meade, Md.  (Associated Press archives)

Levi Sumagaysay

Levi Sumagaysay is editor of the combined SiliconBeat and Good Morning Silicon Valley. She also helps take care of SiliconValley.com, the Mercury News tech website. Email: lsumagaysay (at) bayareanewsgroup (dot-com).