The National Security Agency has the keys to most Internet encryption methods and it has gotten them by using supercomputers to break them and by enlisting the help of private IT companies, The New York Times and The Guardian are reporting.
In plain English, this means that many of the tools that people worldwide have come to believe protect them from snooping by criminals and governments — like TLS, used by many banks and email providers — offer essentially no protection when it comes to the NSA.
The revelations are the latest from documents leaked by former NSA contractor Edward Snowden.
While the main premise of the story isn’t surprising — one of the main goals of the NSA is code-breaking, after all — the breadth of the program and some of the “trickery” described in the pieces are.
One of the more interesting finds is that the NSA spent $250 million a year to engage “the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable,” the Times reports.
Essentially, the paper says, the U.S. was lobbying IT companies into programming a backdoor into their encryption products.
For example, the Times reports:
“In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.
“The 2013 N.S.A. budget request highlights ‘partnerships with major telecommunications carriers to shape the global network to benefit other collection accesses’ — that is, to allow more eavesdropping.
“At Microsoft, as The Guardian has reported, the N.S.A. worked with company officials to get pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service.
“Microsoft asserted that it had merely complied with ‘lawful demands’ of the government, and in some cases, the collaboration was clearly coerced. Executives who refuse to comply with secret court orders can face fines or jail time.”
These kinds of allegations are not new. Our colleague Tom Bowman was at the Baltimore Sun back in 1995 and reported on a Swiss company called Crypto AG.
The paper ran a piece based on interviews with former employees as well as internal documents, which indicated that for:
“…decades NSA apparently rigged Crypto’s machines so U.S. eavesdroppers could effortlessly decipher the most sensitive political and military messages of many countries. Crypto AG, or Crypto Inc., has sold its security products to some 120 countries, including prime U.S. intelligence targets such as Iran, Iraq, Libya and Yugoslavia.”
The New York Times also points out in its piece that the U.S. lost a “heated national debate in the 1990s about inserting into all encryption a government back door called the Clipper Chip.”
Matthew D. Green, a cryptography researcher at Johns Hopkins University, told the paper: “They went and did it anyway, without telling anyone.”