NSA can see through encryption, including your private e-mail's, says report

Despite losing a '90s era debate over allowing a government back door into all encryption technologies, the US National Security Agency set up a clandestine program code-named Bullrun and can now circumvent much of the virtual armor intended to protect digital communications -- from everyday e-mails to financial and medical records -- according to a report from The New York Times.

The report -- assembled in partnership with the UK's Guardian newspaper and nonprofit news organization ProPublica -- cites documents provided by Prism leaker Edward Snowden, as well as interviews with industry officials, in saying that the NSA has sidestepped common Net encryption methods in a number of ways, including hacking into the servers of private companies to steal encryption keys, collaborating with tech companies to build in back doors, and covertly introducing weaknesses into encryption standards.

The paper quotes a memo provided by Snowden:

"For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies," said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. "Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable."

Encryption methods targeted by the NSA include those most often used by Americans in sending e-mails, using a company computer, or communicating via phone: Secure Sockets Layer (SSL), virtual private networks (VPNs), and security used for 4G smartphones, the Times reports.

The NSA defends its actions on the basis of national security, the Times says, with agency officials claiming that the country would be at serious risk if the messages of foreign spies, terrorists, and others couldn't be cracked.

And the Times makes a point of saying the news doesn't change laws related to the Fourth Amendment that, for instance, require search warrants to conduct certain types of surveillance. But that may be cold comfort to those wary of the secret court with which the NSA deals, as well as the security agency's perceived lack of forthrightness with lawmakers regarding its activities.

The NSA's apparent ability to easily sidestep encryption "moves spying from somewhat difficult to trivial," Eva Galperin, a Global Policy Analyst with the Electronic Frontier Foundation, told CNET.

Galperin also said the NSA's tools could wind up in the hands of others. "We lose our security not just from the NSA," she said, "but from other actors who could subvert" the back doors and so on for which the agency is responsible.

The Times says intelligence officials asked the paper and ProPublica not to publish information on the NSA's decryption efforts because that would tip off foreign targets as to what sorts of communications might be more safe from surveillance. The Times says it "decided to publish the article because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of Americans and others." ProPublica has also posted a statement about the decision to publicize the NSA's efforts. We have an e-mail in to the NSA and will update this piece when we have more information.

The documents provided by Snowden don't specify which tech companies have been involved with the NSA's effort to foil encryption, and the Times report says that "the full extent of the N.S.A.'s decoding capabilities is known only to a limited group of top analysts from the so-called Five Eyes: the N.S.A. and its counterparts in Britain, Canada, Australia, and New Zealand."

The Times notes that "by introducing such back doors, the N.S.A. has surreptitiously accomplished what it had failed to do in the open," and it points to the debate in the '90s over the "Clipper Chip," which would have handed the NSA a key to any digital encryption technologies. The Clipper Chip idea was abandoned after a backlash from varied politicos, tech execs, and rights groups.

You can read the Times story in its entirety here. The Guardian's take is here.

Update, September 6 at 7:33 a.m. PT: The US Office of the Director of National Intelligence posted this response to the stories overnight:

It should hardly be surprising that our intelligence agencies seek ways to counteract our adversaries' use of encryption. Throughout history, nations have used encryption to protect their secrets, and today terrorists, cybercriminals, human traffickers and others also use code to hide their activities. Our intelligence community would not be doing its job if we did not try to counter that.

While the specifics of how our intelligence agencies carry out this cryptanalytic mission have been kept secret, the fact that NSA's mission includes deciphering enciphered communications is not a secret, and is not news. Indeed, NSA's public website states that its mission includes leading "the U.S. Government in cryptology ... in order to gain a decision advantage for the Nation and our allies."

The stories published yesterday, however, reveal specific and classified details about how we conduct this critical intelligence activity. Anything that yesterday's disclosures add to the ongoing public debate is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe and to provide our leaders with the information they need to make difficult and critical national security decisions.