Top-secret files obtained by the Guardian from former contractor Edward Snowden reveal that NSA and GCHQ, that is the US and British intelligence agencies, cracked the online encryption used by people to protect their personal information such as emails, banking and medical records.
The guarantees offered by Internet companies to their consumers that their personal data are secure appear to be extremely thin in reality.
A NSA 250 million dollar/year program, known as “Sigint [signals intelligence] enabling”, has been used in collaboration with IT companies to introduce weaknesses into encryption products so that intelligence agencies may attack “the use of ubiquitous encryption across the internet”. Through these partnerships, the agencies have inserted secret vulnerabilities (backdoors or trapdoors) into commercial encryption software. The program “actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” and is designed to “insert vulnerabilities into commercial encryption systems”. These vulnerabilities are to be known by the NSA, but to no one else, including ordinary customers considered “adversaries”.
The NSA considers strong decryption programs as the “price of admission for the US to maintain unrestricted access to and use of cyberspace”. “For the past decade, NSA has lead an aggressive, multi-pronged effort to break widely used internet encryption technologies. Vast amounts of encrypted internet data which have up till now been discarded are now exploitable,” says a 2010 GCHQ document.
A GCHQ team has been working to develop ways to get into the encrypted traffic on Hotmail, Google, Yahoo and Facebook. Technology companies stated that they worked with the intelligence agencies only when legally compelled to do so. The Guardian has previously reported that Microsoft co-operated with the NSA to circumvent encryption on the Outlook.com email and chat services but the company stated it had been obliged to comply with “existing or future lawful demands” when designing its products.
Independent security experts have suspected that the NSA was introducing weaknesses into security standards and this is now confirmed by the disclosed documents which show that the agency has worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.
“Cryptography forms the basis for trust online. By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet,” said Bruce Schneier, an encryption specialist and fellow at Harvard’s Berkman Center for Internet and Society.
It seems that the agencies have not yet succeeded in cracking all encryption technologies as the leaked documents reveal and as it was confirmed by Snowden during a live Q&A with Guardian readers in June. “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on,” he said.
Bruce Schneier has given five pieces of advice on how to preserve one’s personal data: 1. To hide in the network and use Tor to anonymize oneself; 2) To encrypt one’s communications by using TL, IPsec; 3) To use an air gap; “Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process.” 4) To be “suspicious of commercial encryption software” as probably most encryption products from large US companies as well as many foreign ones may have NSA-friendly back doors. “Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.” 5) To use public-domain encryption that has to be compatible with other implementations and to use symmetric cryptography rather than public-key cryptography. “Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.”
Revealed: how US and UK spy agencies defeat internet privacy and security (5.09.2013)
NSA surveillance: A guide to staying secure (6.09.2013)
The US government has betrayed the internet. We need to take it back (5.09.2013)
TOP SECRET//SI//REL TO USA, FVEY (16.06.2010)
Secret documents reveal N.S.A. Campaign Against Envryption (5.09.2013)